Merge branch 'netblue30:master' into gcb-patch-1

Gabriel 2024-11-18 17:06:38 +00:00 committed by GitHub
commit b3a2b2e4d1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
69 changed files with 754 additions and 601 deletions


@ -47,10 +47,11 @@ _Any other detail that may help to understand/debug the problem_
### Environment
- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
- Firejail version (`firejail --version`).
- Name/version/arch of the Linux kernel (`uname -srm`):
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
- Version of Firejail (`firejail --version`):
- If you use a development version of firejail, also the commit from which it
was compiled (`git rev-parse HEAD`).
was compiled (`git rev-parse HEAD`):
### Checklist

.github/ISSUE_TEMPLATE/build_issue.md

@ -0,0 +1,73 @@
---
name: Build issue
about: There is an issue when trying to build the project from source
title: 'build: '
labels: ''
assignees: ''
---
<!--
See the following links for help with formatting:
https://guides.github.com/features/mastering-markdown/
https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
-->
### Description
_Describe the bug_
### Steps to Reproduce
<!--
Note: If the output is too long to embed it into the comment, you can post it
in a gist at <https://gist.github.com/> and link it here or upload the build
log as a file.
Note: Make sure to include the exact command-line used for all commands and to
include the full output of ./configure.
Feel free to include only the errors in the make output if they are
self-explanatory (for example, with `make >/dev/null`).
-->
_Post the commands used to reproduce the issue and their output_
Example:
```console
$ ./configure --prefix=/usr --enable-apparmor
checking for gcc... gcc
checking whether the C compiler works... yes
[...]
$ make
make -C src/lib
gcc [...]
[...]
```
_If ./configure fails, include the output of config.log_
Example:
```console
$ cat config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
[...]
```
### Additional context
_(Optional) Any other detail that may help to understand/debug the problem_
### Environment
- Name/version/arch of the Linux kernel (`uname -srm`):
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
- Name/version of the C compiler (e.g. "gcc 14.1.1-1"):
- Name/version of the libc (e.g. "glibc 2.40-1"):
- Name/version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on
Arch Linux):
- Version of the source code being built (`git rev-parse HEAD`):
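Review bot: The last Environment item, "Version of the source code being built (`git rev-parse HEAD`)", only works inside a git checkout; someone building from a release tarball has no repository to run it in. Consider wording the item so that either a commit hash or a release version/tarball name is accepted.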


@ -22,3 +22,11 @@ _A clear and concise description of any alternative solutions or features you've
### Additional context
_Add any other context or screenshots about the feature request here._
### Environment
- Name/version/arch of the Linux kernel (`uname -srm`):
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
- Version of Firejail (`firejail --version`):
- If you use a development version of firejail, also the commit from which it:
was compiled (`git rev-parse HEAD`):
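Review bot: In the added Environment list, the first line of the wrapped item ends with a stray colon ("...also the commit from which it:") before continuing with "was compiled (`git rev-parse HEAD`):". The same item in the bug report template carries the colon only at the end of the item; drop the one after "it".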


@ -44,7 +44,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
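Review bot: The updated `uses:` pin for step-security/harden-runner (and the actions/checkout pin in the following hunk) is a bare 40-character commit SHA with no trailing version comment, so a reviewer cannot tell from the diff which release the hash corresponds to. Consider appending the release tag as a comment on each pinned `uses:` line; Dependabot keeps such comments in sync when it bumps the hash.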
@ -52,7 +52,7 @@ jobs:
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies


@ -60,7 +60,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -68,7 +68,7 @@ jobs:
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies


@ -46,7 +46,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -56,7 +56,7 @@ jobs:
packages.microsoft.com:443
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install clang-tools-14 and dependencies
@ -79,7 +79,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -89,7 +89,7 @@ jobs:
packages.microsoft.com:443
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install cppcheck
@ -109,7 +109,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -120,7 +120,7 @@ jobs:
ppa.launchpad.net:80
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install cppcheck
@ -143,7 +143,7 @@ jobs:
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
disable-sudo: true
egress-policy: block
@ -154,14 +154,14 @@ jobs:
uploads.github.com:443
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: print env
run: ./ci/printenv.sh
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
with:
languages: cpp
@ -172,4 +172,4 @@ jobs:
run: make -j "$(nproc)"
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd


@ -33,14 +33,14 @@ jobs:
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: print env
run: ./ci/printenv.sh
- run: python3 --version


@ -31,7 +31,7 @@ jobs:
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
disable-sudo: true
egress-policy: block
@ -44,16 +44,16 @@ jobs:
uploads.github.com:443
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: print env
run: ./ci/printenv.sh
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
with:
languages: python
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd


@ -24,7 +24,7 @@ jobs:
timeout-minutes: 5
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -34,7 +34,7 @@ jobs:
packages.microsoft.com:443
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies


@ -54,7 +54,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -62,7 +62,7 @@ jobs:
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
@ -103,7 +103,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -111,7 +111,7 @@ jobs:
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
@ -143,7 +143,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -151,7 +151,7 @@ jobs:
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
@ -183,7 +183,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -194,7 +194,7 @@ jobs:
ppa.launchpadcontent.net:443
www.debian.org:443
www.debian.org:80
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
@ -225,7 +225,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
@ -240,7 +240,7 @@ jobs:
www.debian.org:443
www.debian.org:80
yahoo.com:1025
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
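Review bot: The context just above the checkout bump lists `yahoo.com:1025` among the allowed endpoints, which is an unusual entry for an allowlist and carries no comment saying which test needs it. A one-line comment in the workflow naming the test would let future reviewers judge whether the entry can be dropped.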

README

@ -28,13 +28,17 @@ Compile and install the mainline version from GitHub:
cd firejail
./configure && make && sudo make install-strip
On Debian/Ubuntu you will need to install git and gcc. AppArmor development
libraries and pkg-config are required when using the --enable-apparmor
./configure option:
On Debian/Ubuntu you will need to install git and gcc.
To build with AppArmor support (which is usually used on Debian, Ubuntu,
openSUSE and derivatives), install the AppArmor development libraries and
pkg-config and use the `--enable-apparmor` ./configure option:
sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
To build with SELinux support (which is usually used on Fedora, RHEL and
derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the
`--enable-selinux` ./configure option.
We build our release firejail.tar.xz and firejail.deb packages using the
following commands:
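Review bot: The replacement paragraphs wrap `--enable-apparmor` and `--enable-selinux` in Markdown backticks, but this is the plain-text README and the lines being replaced wrote the options bare ("--enable-apparmor", "--selinux"). Drop the backticks here and keep them for README.md.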
@ -199,6 +203,8 @@ avoidr (https://github.com/avoidr)
- added mcabber profile
- fixed mpv profile
- various other fixes
ayham (https://github.com/ayham-1)
- allow custom homedir support for gpgagent
Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- add support for custom AppArmor profiles (--apparmor=)
- add Landlock support
@ -257,6 +263,8 @@ bymoz089 (https://github.com/bymoz089)
- add timezone access to make libical functional
BytesTuner (https://github.com/BytesTuner)
- provided keepassxc profile
Caleb McCombs (https://github.com/squatched)
- Zoom profile fixes
caoliver (https://github.com/caoliver)
- network system fixes
Carlo Abelli (https://github.com/carloabelli)
@ -270,6 +278,8 @@ Cat (https://github.com/ecat3)
cayday (https://github.com/caydey)
- added ~/Private blacklist in disable-common.inc
- added quiet to some CLI profiles
celenityy (https://github.com/celenityy)
- Thunderbird profile fix
Christian Pinedo (https://github.com/chrpinedo)
- added nicotine profile
- allow python3 in totem profile
@ -414,6 +424,7 @@ Felipe Barriga Richards (https://github.com/fbarriga)
- --private-etc fix
Felix Pehla (https://github.com/FelixPehla)
- fix fractal profile
- blacklist sway IPC socket globally
fenuks (https://github.com/fenuks)
- fix sound in games using FMOD
- allow /opt/tor-browser for Tor Browser profile
@ -433,6 +444,8 @@ floxo (https://github.com/floxo)
- fixed qml disk cache issue
Foemass (https://github.com/Foemass)
- documentation
Foxreef (https://github.com/Foxreef)
- steam profile fixes
Franco (nextime) Lanza (https://github.com/nextime)
- added --private-template/--private-home
František Polášek (https://github.com/fandaa)
@ -497,6 +510,8 @@ G4JC (https://sourceforge.net/u/gaming4jc/profile/)
- profile fixes
Gaman Gabriel (https://github.com/stelariusinfinitek)
- inox profile
Gabriel (https://github.com/gcb)
- okular profile fix
geg2048 (https://github.com/geg2048)
- kwallet profile fixes
glitsj16 (https://github.com/glitsj16)
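Review bot: The new "Gabriel (https://github.com/gcb)" entry is placed after "Gaman Gabriel", but the list is sorted by name and "Gabriel" sorts before "Gaman". Move it up so that it sits between the G4JC and Gaman Gabriel entries.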
@ -1226,6 +1241,7 @@ Ted Robertson (https://github.com/tredondo)
- various documentation fixes
- blacklist Exodus wallet
- blacklist monero-project directory
- several README file fixes
tools200ms (https://github.com/tools200ms)
- fixed allow-ssh.inc
Tus1688 (https://github.com/Tus1688)
@ -1321,6 +1337,8 @@ ydididodat (https://github.com/ydididodat)
yumkam (https://github.com/yumkam)
- add compile-time option to restrict --net= to root only
- man page fixes
Yves-Alexis Perez (https://github.com/corsac-s)
- signal-desktop profile fix
Zack Weinberg (https://github.com/zackw)
- added support for joining a persistent, named network namespace
- removed libconnect


@ -10,13 +10,16 @@
[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
Firejail is a SUID sandbox program that reduces the risk of security breaches
by restricting the running environment of untrusted applications using Linux
namespaces, seccomp-bpf and Linux capabilities. It allows a process and all
its descendants to have their own private view of the globally shared kernel
resources, such as the network stack, process table, mount table. Firejail can
work in a SELinux or AppArmor environment, and it is integrated with Linux
Control Groups.
Firejail is a lightweight security tool intended to protect a Linux system by
setting up a restricted environment for running (potentially untrusted)
applications.
More specifically, it is an SUID sandbox program that reduces the risk of
security breaches by using Linux namespaces, seccomp-bpf and Linux
capabilities. It allows a process and all its descendants to have their own
private view of the globally shared kernel resources, such as the network
stack, process table and mount table. Firejail can work in an SELinux or
AppArmor environment, and it is integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software runs on any Linux
computer with a 3.x kernel version or newer. It can sandbox any type of
@ -148,7 +151,9 @@ The version can be checked with `firejail --version` after installing.
You can also install one of the [released
packages](https://github.com/netblue30/firejail/releases).
Or clone the source code from our git repository and build manually:
## Building
You can clone the source code from this git repository and build manually:
```sh
git clone https://github.com/netblue30/firejail.git
@ -156,15 +161,19 @@ cd firejail
./configure && make && sudo make install-strip
```
On Debian/Ubuntu you will need to install git and gcc. AppArmor development
libraries and pkg-config are required when using the `--enable-apparmor`
./configure option:
On Debian/Ubuntu you will need to install git and gcc.
To build with AppArmor support (which is usually used on Debian, Ubuntu,
openSUSE and derivatives), install the AppArmor development libraries and
pkg-config and use the `--enable-apparmor` ./configure option:
```sh
sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
```
For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
To build with SELinux support (which is usually used on Fedora, RHEL and
derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the
`--enable-selinux` ./configure option.
Detailed information on using firejail from git is available on the
[wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
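Review bot: The SELinux paragraph near the end of this hunk names the Debian package `libselinux1-dev` first and gives no install command, although the same sentence says SELinux is usually used on Fedora, RHEL and derivatives, and the AppArmor paragraph above it is followed by an `apt-get` block. Consider leading with `libselinux-devel` and adding a matching command block so both options are documented the same way.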


@ -1,7 +1,9 @@
firejail (0.9.73) baseline; urgency=low
* work in progress
* security: fix sscanf rv checks (CodeQL) (#6184)
* feature: added noptm and keep-tpm commands to private-dev (#6390)
* feature: private-etc rework: improve handling of /etc/resolv.conf and add
private-etc groups (#6400 #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643
#5650 #5681 #5737 #5844 #5989 #6016 #6104 #5655 #6435 #6514 #6515)
* feature: Add "keep-shell-rc" command and option (#1127 #5634)
* feature: Print the argument when failing with "too long arguments" (#5677)
* feature: a random hostname is assigned to each sandbox unless
@ -18,26 +20,27 @@ firejail (0.9.73) baseline; urgency=low
* feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200
#6228 #6260 #6302 #6305)
* feature: add support for comm, coredump, and prctl procevents in firemon
(#6414 #6415)
* feature: add notpm command & keep tpm devices in private-dev (#6379 #6390)
* feature: fshaper.sh: support tc on NixOS (#6426 #6431)
* modif: Stop forwarding own double-dash to the shell (#5599 #5600)
* modif: Prevent sandbox name (--name=) and host name (--hostname=)
from containing only digits (#5578 #5741)
* modif: Escape control characters of the command line (#5613)
* modif: Allow mostly only ASCII letters and digits for sandbox name
(--name=) and host name (--hostname=) (#5708 #5856)
* modif: remove firemon --interface option (duplicating --net.print option)
* modif: make private-lib a configure-time option, disabled by default (see
--enable-private-lib) (#5727 #5732)
* modif: Improve --version/--help & print version on startup (#5829 #6172)
* modif: improve errExit error messages (#5871)
* modif: drop deprecated 'shell' option references (#5894)
* modif: keep pipewire group unless nosound is used (#5992 #5993)
* modif: fcopy: Use lstat when copying directory (#5957)
* modif: populate /run/firejail while holding flock (#6307)
* modif: fcopy: use lstat when copying directory (#5378 #5957)
* modif: private-dev: keep /dev/kfd unless no3d is used (#6380)
* modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387)
* removal: LTS and FIRETUNNEL support
* bugfix: fix startup race condition for /run/firejail directory (#6307, #6307)
* removal: firemon: remove --interface option (it duplicates the firejail
--net.print= option) (0e48f9933)
* removal: remove support for LTS and firetunnel (db09546f2)
* bugfix: fix --hostname and --hosts-file commands
* bugfix: fix examples in firejail-local AppArmor profile (#5717)
* bugfix: arp.c: ensure positive timeout on select(2) (#5806)
@ -45,20 +48,23 @@ firejail (0.9.73) baseline; urgency=low
(#5965 #5976)
* bugfix: firejail --ls reports wrong file sizes for large files (#5982
#6086)
* bugfix: fix startup race condition for /run/firejail directory (#6307)
* bugfix: fix various resource leaks (#6367)
* bugfix: profstats: fix restrict-namespaces max count (#6369)
* bugfix: remove --noautopulse from --help and zsh comp (#6401)
* build: auto-generate syntax files (#5627)
* build: mark all phony targets as such (#5637)
* build: mkdeb.sh: pass all arguments to ./configure (#5654)
* build: deb: enable apparmor by default & remove deb-apparmor (#5668)
* build: Fix whitespace and add .editorconfig (#5674)
* build: remove for loop initial declarations to fix building with old
compilers (#5778)
* build: enable compiler warnings by default (#5842)
* build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859)
* build: disable all built-in implicit make rules (#5864)
* build: organize and standardize make vars and targets (#5866)
* build: fix seccomp filters and man pages always being rebuilt when running
make
* build: simplify code related to man pages (#5898)
make (#5156 #5898)
* build: fix hardcoded make & remove unnecessary distclean targets (#5911)
* build: dist and asc improvements (#5916)
* build: fix some shellcheck issues & use config.sh in more scripts (#5927)
@ -82,6 +88,7 @@ firejail (0.9.73) baseline; urgency=low
* build: remove clean dependency from cppcheck targets (#6343)
* build: allow overriding common tools (#6354)
* build: standardize install commands (#6366)
* build: improve reliability/portability of date command usage (#6403 #6404)
* ci: always update the package db before installing packages (#5742)
* ci: fix codeql unable to download its own bundle (#5783)
* ci: split configure/build/install commands on gitlab (#5784)
@ -94,7 +101,6 @@ firejail (0.9.73) baseline; urgency=low
* ci: whitelist paths, reorganize workflows & speed-up tests (#5960)
* ci: fix dependabot duplicated workflow runs (#5984)
* ci: allow running workflows manually (#6026)
* ci: re-enable sort.py (#6104)
* ci: add timeout limits (#6178)
* ci: make dependabot updates monthly and bump PR limit (#6338)
* contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057
@ -111,6 +117,14 @@ firejail (0.9.73) baseline; urgency=low
#6359)
* docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382)
* docs: man: format and sort some private- items (#6398)
* docs: man: improve blacklist/whitelist examples with spaces (#6425)
* docs: add build_issue.md issue template (#6423)
* docs: man: sort commands (firejail.1) (#6451)
* docs: man: fix bold in command TPs (#6472)
* docs: man: fix wrong escapes (#6474)
* docs: github: streamline environment in issue templates (#6471)
* docs: fix typos of --enable-selinux configure option (#6526)
* docs: clarify intro and build section in README (#6524)
* legal: selinux.c: Split Copyright notice & use same license as upstream
(#5667)
* profiles: qutebrowser: fix links not opening in the existing instance
@ -121,6 +135,7 @@ firejail (0.9.73) baseline; urgency=low
* profiles: drop hostname option from all profiles (#5702)
* profiles: move read-only config entries to disable-common.inc (#5763)
* profiles: standardize on just "GTK" on comments (#5794)
* profiles: bleachbit: allow erasing Trash contents (#5337 #5902)
* profiles: improvements to profiles using private (#5946)
* profiles: standardize commented code and eol comments (#5987)
* profiles: disable-common: add more suid programs (#6049 #6051 #6052)
@ -137,6 +152,17 @@ firejail (0.9.73) baseline; urgency=low
* profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
* profiles: libreoffice: support signing documents with GPG (#6352 #6353)
* profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
* profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473)
* profiles: nextcloud: fix access to ~/Nextcloud (#5877 #6478)
* profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#5816 #6479)
* profiles: firecfg: disable text editors (#6002 #6477)
* profiles: browsers: centralize/sync/improve comments (#6486)
* profiles: keepassxc: add new socket location (#5447 #6391)
* profiles: signal-desktop: allow org.freedesktop.secrets (#6498)
* profiles: firefox-common: allow org.freedesktop.portal.Documents (#6444 #6499)
* profiles: keepassxc: allow access to ssh-agent socket (#3314 #6531)
* profiles: firecfg.config: disable dnsmasq (#6533)
* profiles: game-launchers: disable nou2f (#6534)
* new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
-- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500


@ -171,6 +171,10 @@ blacklist ${RUNUSER}/gsconnect
blacklist ${RUNUSER}/i3/ipc-socket.*
blacklist /tmp/i3-*/ipc-socket.*
# sway IPC socket (allows arbitrary shell script execution)
blacklist ${RUNUSER}/sway-ipc.*
blacklist /tmp/sway-ipc.*
# systemd
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd


@ -359,6 +359,7 @@ blacklist ${HOME}/.config/SubDownloader
blacklist ${HOME}/.config/Thunar
blacklist ${HOME}/.config/TinyRDM
blacklist ${HOME}/.config/Twitch
blacklist ${HOME}/.config/UNDERTALE
blacklist ${HOME}/.config/Unknown Organization
blacklist ${HOME}/.config/VSCodium
blacklist ${HOME}/.config/Whalebird
@ -728,6 +729,7 @@ blacklist ${HOME}/.dillo
blacklist ${HOME}/.dooble
blacklist ${HOME}/.dosbox
blacklist ${HOME}/.dropbox*
blacklist ${HOME}/.dvdcss
blacklist ${HOME}/.easystroke
blacklist ${HOME}/.electron-cache
blacklist ${HOME}/.electron-cash
@ -1261,6 +1263,7 @@ blacklist ${RUNUSER}/qutebrowser
blacklist /etc/ssmtp
blacklist /tmp/.wine-*
blacklist /tmp/akonadi-*
blacklist /tmp/evolution-*
blacklist /tmp/i3-*
blacklist /tmp/lwjgl_*
blacklist /var/games/nethack


@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
whitelist ${HOME}/.mozilla
whitelist /usr/share/abrowser
# private-etc must first be enabled in firefox-common.profile
#private-etc abrowser
private-etc abrowser
# Redirect
include firefox-common.profile
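Review bot: Enabling `private-etc abrowser` here drops the comment that said private-etc must first be enabled in firefox-common.profile, but nothing in this hunk shows that precondition being met. Please confirm that firefox-common.profile now enables private-etc by default (the RELNOTES hunk mentions a private-etc rework) and state it in the commit message or a comment, since the same uncommenting is applied to the other Firefox-based profiles in this commit.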


@ -19,8 +19,7 @@ seccomp
ignore seccomp
#private-bin basilisk
# private-etc must first be enabled in firefox-common.profile
#private-etc basilisk
private-etc basilisk
#private-opt basilisk
restrict-namespaces


@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.Tracker1
dbus-system none
env WEBKIT_FORCE_SANDBOX=0
# Warning: Disabling the webkit sandbox may be needed to make firejail work
# with webkit2gtk, but this is not recommended (see #2995).
# Add the following line to bijiben.local at your own risk:
#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
restrict-namespaces


@ -0,0 +1,11 @@
# Firejail profile for bitwarden-desktop
# Description: A secure and free password manager for all of your devices
# This file is overwritten after every install/update.
# Persistent local customisations
include bitwarden-desktop.local
# Persistent global definitions
# added by included profile
#include globals.local
# Redirect
include bitwarden.profile
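Review bot: The header of the new profile spells "customisations" and ends the "overwritten after every install/update" line with a period, while cachy-browser.profile in this same commit uses "customizations" and no period. Use the spelling and punctuation the other profiles use so the headers stay consistent and greppable.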


@ -6,13 +6,13 @@ include bitwarden.local
# Persistent global definitions
include globals.local
# Disabled until someone reported positive feedback
ignore include whitelist-usr-share-common.inc
ignore noexec /tmp
noblacklist ${HOME}/.config/Bitwarden
# Allow /bin/sh (blacklisted by disable-shell.inc)
include allow-bin-sh.inc
include disable-shell.inc
mkdir ${HOME}/.config/Bitwarden
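Review bot: The comment above `include allow-bin-sh.inc` says what is being allowed but not which part of Bitwarden needs /bin/sh. For a password manager profile it is worth naming the reason or the issue number so the exception can be revisited later, especially as `include disable-shell.inc` sits directly below it.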


@ -1,5 +1,5 @@
# Firejail profile for Cachy-Browser
# Description: Librewolf fork based on enhanced privacy with gentoo patchset
# Firejail profile for cachy-browser
# Description: Librewolf fork based on enhanced privacy with Gentoo patchset
# This file is overwritten after every install/update
# Persistent local customizations
include cachy-browser.local
@ -15,36 +15,12 @@ whitelist ${HOME}/.cache/cachy
whitelist ${HOME}/.cachy
whitelist /usr/share/cachy-browser
# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla
# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
# Add the next line to cachy-browser.local to enable private-bin.
#private-bin dbus-launch,dbus-send,cachy-browser,sh
# Add the next line to your cachy-browser.local to enable private-etc.
# Note: private-etc must first be enabled in firefox-common.local.
#private-etc cachy-browser
private-etc cachy-browser
dbus-user filter
dbus-user.own org.mozilla.cachybrowser.*
# Add the next line to your cachy-browser.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your cachy-browser.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your cachy-browser.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
ignore dbus-user none
# Redirect


@ -9,14 +9,28 @@ include chromium-common.local
# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
# To enable support for the KeePassXC extension, add the following lines to
# chromium-common.local.
# Note: Start KeePassXC before the web browser and keep it open to allow
# communication between them.
#noblacklist ${RUNUSER}/app
#whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.pki
noblacklist /usr/lib/chromium/chrome-sandbox
# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
# to have access to Gnome extensions (extensions.gnome.org) via browser connector
# Add the next line to chromium-common.local if you want the web browser to
# have access to Gnome extensions (extensions.gnome.org) via the browser
# connector.
#include allow-python3.inc
blacklist ${PATH}/curl
blacklist ${PATH}/wget
blacklist ${PATH}/wget2
mkdir ${HOME}/.local/share/pki
mkdir ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
@ -27,7 +41,7 @@ include whitelist-run-common.inc
# If your kernel allows the creation of user namespaces by unprivileged users
# (for example, if running `unshare -U echo enabled` prints "enabled"), you
# can add the next line to your chromium-common.local.
# can add the next line to chromium-common.local.
#include chromium-common-hardened.inc.profile
?BROWSER_DISABLE_U2F: nou2f
@ -35,12 +49,8 @@ include whitelist-run-common.inc
?BROWSER_DISABLE_U2F: private-dev
#private-tmp # issues when using multiple browser sessions
blacklist ${PATH}/curl
blacklist ${PATH}/wget
blacklist ${PATH}/wget2
# This prevents access to passwords saved in GNOME Keyring and KWallet, also
# breaks Gnome connector.
# Note: This prevents access to passwords saved in GNOME Keyring and KWallet
# and breaks Gnome connector.
#dbus-user none
# The file dialog needs to work without d-bus.

View file

@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz
whitelist ${HOME}/.config/cliqz
whitelist /usr/share/cliqz
# private-etc must first be enabled in firefox-common.profile
#private-etc cliqz
private-etc cliqz
# Redirect
include firefox-common.profile

View file

@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios
whitelist /usr/share/cyberfox
#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
# private-etc must first be enabled in firefox-common.profile
#private-etc cyberfox
private-etc cyberfox
# Redirect
include firefox-common.profile

View file

@ -12,45 +12,16 @@ noblacklist ${HOME}/.config/d-feet
include allow-python2.inc
include allow-python3.inc
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.config/d-feet
whitelist ${HOME}/.config/d-feet
whitelist /usr/share/d-feet
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
#net none # breaks on Ubuntu
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
# breaks on Ubuntu
ignore net none
disable-mnt
private-bin d-feet,python*
private-cache
private-dev
private-etc dbus-1
private-tmp
#memory-deny-write-execute # breaks on Arch (see issue #1803)
restrict-namespaces
# Redirect
include dbus-debug-common.profile
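Review bot: d-feet now inherits `read-only ${HOME}` and `include disable-proc.inc` from dbus-debug-common.profile. Neither appears among the d-feet lines in this hunk, and the only inherited option it opts out of is `ignore net none`. The hunk also shows `mkdir ${HOME}/.config/d-feet` and `whitelist ${HOME}/.config/d-feet`, so please confirm d-feet can still save its settings with the home directory read-only; if it cannot, add `read-write ${HOME}/.config/d-feet` to this profile.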

View file

@ -6,43 +6,7 @@ include d-spy.local
# Persistent global definitions
include globals.local
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
net none
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
disable-mnt
private-bin d-spy
private-cache
private-dev
private-etc dbus-1
private-tmp
read-only ${HOME}
restrict-namespaces
# Redirect
include dbus-debug-common.profile

View file

@ -0,0 +1,49 @@
# Firejail profile for dbus-debug-common
# This file is overwritten after every install/update
# Persistent local customizations
include dbus-debug-common.local
# Persistent global definitions
# added by caller profile
#include globals.local
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
net none
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
seccomp.block-secondary
tracelog
disable-mnt
private-cache
private-dev
private-etc dbus-1
private-tmp
read-only ${HOME}
restrict-namespaces
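Review bot: `seccomp.block-secondary` and `tracelog` in this shared profile are new for both existing callers, since neither option is among the d-feet or d-spy lines being replaced. The file also has no header comment saying what a caller has to supply. Please state in the commit message that d-feet and d-spy were tested with both options, and add a short note at the top that the including profile must bring its own `private-bin` (and `memory-deny-write-execute` where it works), as dtui.profile does.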

View file

@ -0,0 +1,15 @@
# Firejail profile for dtui
# Description: TUI D-Bus debugger
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include dtui.local
# Persistent global definitions
include globals.local
private-bin dtui
memory-deny-write-execute
# Redirect
include dbus-debug-common.profile

View file

@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/Element
mkdir ${HOME}/.config/Element
whitelist ${HOME}/.config/Element
whitelist /opt/Element
whitelist /usr/share/element
dbus-user filter
dbus-user.talk org.freedesktop.Notifications

View file

@ -6,6 +6,7 @@ include evolution.local
# Persistent global definitions
include globals.local
noblacklist /tmp/evolution-*
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${HOME}/.bogofilter
@ -41,7 +42,7 @@ protocol unix,inet,inet6
seccomp
private-dev
private-tmp
#private-tmp
writable-var
restrict-namespaces
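Review bot: `#private-tmp` in this hunk turns the option off without saying why, so a later cleanup pass cannot tell whether it is safe to restore. Add a comment with the reason, as thunderbird.profile does in this same commit for `ignore private-tmp`, and say whether it is tied to the new `noblacklist /tmp/evolution-*` line in the previous hunk.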

View file

@ -9,6 +9,7 @@ include globals.local
noblacklist ${MUSIC}
noblacklist ${VIDEOS}
noblacklist ${HOME}/.dvdcss
include disable-common.inc
include disable-devel.inc

View file

@ -4,6 +4,7 @@ include firefox-common-addons.local
# Prevent whitelisting in ${RUNUSER}
ignore whitelist ${RUNUSER}/*firefox*
ignore whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
ignore whitelist ${RUNUSER}/psd/*firefox*
ignore whitelist ${RUNUSER}/kpxc_server
ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
@ -79,7 +80,7 @@ whitelist ${HOME}/dwhelper
whitelist /usr/share/lua*
whitelist /usr/share/mpv
# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
# GNOME Shell integration (chrome-gnome-shell) needs dbus and python.
noblacklist ${HOME}/.local/share/gnome-shell
whitelist ${HOME}/.local/share/gnome-shell
dbus-user.talk ca.desrt.dconf
@ -92,8 +93,7 @@ include allow-python3.inc
#private-bin keepassxc-proxy
# Flash plugin
# private-etc must first be enabled in firefox-common.profile and in profiles including it.
#private-etc adobe
private-etc adobe
# ff2mpv
#ignore noexec ${HOME}

View file

@ -11,12 +11,31 @@ include firefox-common.local
# noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon.
?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER}
# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
# Add the next lines to firefox-common.local if you want to use the migration
# wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla
# To enable support for the KeePassXC extension, add the following lines to
# firefox-common.local.
# Note: Start KeePassXC before the web browser and keep it open to allow
# communication between them.
#noblacklist ${RUNUSER}/app
#whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
# Add the next line to firefox-common.local to allow access to common
# programs/addons/plugins.
#include firefox-common-addons.profile
noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.pki
blacklist ${PATH}/curl
blacklist ${PATH}/wget
blacklist ${PATH}/wget2
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
@ -43,36 +62,56 @@ apparmor
# Fixme!
apparmor-replace
caps.drop all
# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
# Note: machine-id breaks pulseaudio; add it to firefox-common.local if sound
# is not required.
#machine-id
netfilter
nodvd
nogroups
noinput
nonewprivs
# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
# Note: noroot breaks GTK_USE_PORTAL=1 usage; see
# https://github.com/netblue30/firejail/issues/2506.
noroot
notv
?BROWSER_DISABLE_U2F: nou2f
protocol unix,inet,inet6,netlink
# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
# Note: The seccomp line below still permits the chroot syscall; see
# https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
seccomp !chroot
# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
# Note: tracelog may break or cause major issues with many Firefox-based
# browsers; see https://github.com/netblue30/firejail/issues/1930.
#tracelog
disable-mnt
?BROWSER_DISABLE_U2F: private-dev
# private-etc below works fine on most distributions. There could be some problems on CentOS.
# Note: The private-etc line below works fine on most distributions but it
# could cause problems on CentOS.
private-etc @tls-ca,@x11,mailcap,mime.types,os-release
private-tmp
blacklist ${PATH}/curl
blacklist ${PATH}/wget
blacklist ${PATH}/wget2
# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
# Gnome connector, KDE connect and power management on KDE Plasma.
# Note: `dbus-user none` breaks various desktop integration features like
# global menus, native notifications, Gnome connector, KDE Connect and power
# management on KDE Plasma.
dbus-user none
dbus-system none
# Allow drag and drop
dbus-user.talk org.freedesktop.portal.Documents
# Add the next line to firefox-common.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to firefox-common.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to firefox-common.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kdeconnect
#dbus-user.talk org.kde.kuiserver
# Add the next line to firefox-common.local to allow screensharing under
# Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to firefox-common.local if screensharing does not work
# with the above lines (depends on the portal implementation).
#ignore noroot
#restrict-namespaces
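Review bot: the new commented `dbus-user.talk` and `dbus-user.own` lines sit directly under `dbus-user none`. Their comments tell users to add them to firefox-common.local without mentioning that they depend on the D-Bus policy being `dbus-user filter`. firefox.profile in this commit gets that from `dbus-user filter` plus `ignore dbus-user none`; a one-line note here that the including profile must do the same would help users of redirect profiles that do not set it.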

View file

@ -8,5 +8,7 @@ include firefox-esr.local
whitelist /usr/share/firefox-esr
private-etc firefox-esr
# Redirect
include firefox.profile

View file

@ -6,10 +6,10 @@ include firefox.local
# Persistent global definitions
include globals.local
# Note: Sandboxing web browsers is as important as it is complex. Users might be
# interested in creating custom profiles depending on use case (e.g. one for
# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
# info. Here are a few links to get you going.
# Note: Sandboxing web browsers is as important as it is complex. Users might
# be interested in creating custom profiles depending on the use case (e.g. one
# for general browsing, another for banking, ...). Consult our FAQ/issue
# tracker for more information. Here are a few links to get you going:
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
@ -29,39 +29,20 @@ mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
# Note: Start KeePassXC before Firefox and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist /usr/share/firefox
whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist ${RUNUSER}/*firefox*
whitelist ${RUNUSER}/psd/*firefox*
# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
# Note: Firefox requires a shell to launch on Arch and Fedora.
# Add the next lines to firefox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
private-etc firefox
dbus-user filter
dbus-user.own org.mozilla.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
# Add the next line to your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your firefox.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your firefox.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kdeconnect
#dbus-user.talk org.kde.kuiserver
# Add the next line to your firefox.local to allow screen sharing under wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your firefox.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
ignore dbus-user none
# Redirect

View file

@ -14,30 +14,8 @@ mkdir ${HOME}/.floorp
whitelist ${HOME}/.cache/floorp
whitelist ${HOME}/.floorp
# Add the next lines to your floorp.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla
# To enable KeePassXC Plugin add one of the following lines to your floorp.local.
# Note: Start KeePassXC before floorp and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
dbus-user filter
dbus-user.own org.mozilla.floorp.*
# Add the next line to your floorp.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your floorp.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your floorp.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your floorp.local to allow screensharing under Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your floorp.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
ignore apparmor
ignore dbus-user none

View file

@ -7,6 +7,7 @@ include handbrake.local
include globals.local
noblacklist ${HOME}/.config/ghb
noblacklist ${HOME}/.dvdcss
noblacklist ${MUSIC}
noblacklist ${VIDEOS}

View file

@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat
whitelist ${HOME}/.mozilla
whitelist /usr/share/icecat
# private-etc must first be enabled in firefox-common.profile
#private-etc icecat
private-etc icecat
# Redirect
include firefox-common.profile

View file

@ -6,8 +6,7 @@ include iceweasel.local
# added by included profile
#include globals.local
# private-etc must first be enabled in firefox-common.profile
#private-etc iceweasel
private-etc iceweasel
# Redirect
include firefox.profile

View file

@ -13,6 +13,8 @@ noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.config/KeePassXCrc
noblacklist ${HOME}/.keepassxc
noblacklist ${DOCUMENTS}
noblacklist ${RUNUSER}/app
noblacklist /tmp/ssh-*
# Allow browser profiles, required for browser integration.
noblacklist ${HOME}/.config/BraveSoftware
@ -62,8 +64,12 @@ include disable-xdg.inc
#whitelist ${HOME}/.config/KeePassXCrc
#include whitelist-common.inc
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist /tmp/ssh-*
whitelist /usr/share/keepassxc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
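Review bot: `whitelist /tmp/ssh-*` here and `noblacklist /tmp/ssh-*` in the previous hunk carry no comment, unlike the browser-integration lines next to them, and the glob exposes every matching directory under /tmp to the sandbox. Please add a comment naming the feature that needs it, so users who do not use that feature know they can `ignore` both lines in keepassxc.local.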

View file

@ -79,8 +79,8 @@ writable-run-user
dbus-user filter
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.secrets
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
dbus-system none

View file

@ -1,4 +1,4 @@
# Firejail profile for Librewolf
# Firejail profile for librewolf
# Description: Firefox fork based on privacy
# This file is overwritten after every install/update
# Persistent local customizations
@ -14,39 +14,16 @@ mkdir ${HOME}/.librewolf
whitelist ${HOME}/.cache/librewolf
whitelist ${HOME}/.librewolf
# Add the next lines to your librewolf.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla
# To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist /usr/share/librewolf
# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
# Add the next line to librewolf.local to enable private-bin.
#private-bin dbus-launch,dbus-send,librewolf,sh
# Add the next line to your librewolf.local to enable private-etc.
# Note: private-etc must first be enabled in firefox-common.local.
#private-etc librewolf
private-etc librewolf
dbus-user filter
dbus-user.own io.gitlab.firefox.*
dbus-user.own io.gitlab.librewolf.*
dbus-user.own org.mozilla.librewolf.*
# Add the next line to your librewolf.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your librewolf.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your librewolf.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your librewolf.local to allow screensharing under Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your librewolf.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
ignore apparmor
ignore dbus-user none

View file

@ -68,7 +68,7 @@ nogroups
nonewprivs
noroot
notv
nou2f
#nou2f # may break gamepads in certain games (see #6523)
novideo
protocol unix,inet,inet6,netlink
seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace

View file

@ -7,9 +7,10 @@ include QOwnNotes.local
include globals.local
noblacklist ${DOCUMENTS}
noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
noblacklist ${HOME}/.local/share/PBE
noblacklist ${HOME}/Nextcloud
noblacklist ${HOME}/Nextcloud/Notes
include disable-common.inc
include disable-devel.inc
@ -19,13 +20,13 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}/.config/PBE
mkdir ${HOME}/.local/share/PBE
mkdir ${HOME}/Nextcloud/Notes
whitelist ${DOCUMENTS}
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
whitelist ${HOME}/Nextcloud/Notes
include whitelist-common.inc
include whitelist-var-common.inc

View file

@ -6,6 +6,7 @@ include mplayer.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.dvdcss
noblacklist ${HOME}/.mplayer
include disable-common.inc
@ -16,6 +17,7 @@ include disable-programs.inc
read-only ${DESKTOP}
mkdir ${HOME}/.mplayer
whitelist ${HOME}/.dvdcss
whitelist ${HOME}/.mplayer
include whitelist-common.inc
include whitelist-player-common.inc

View file

@ -29,6 +29,7 @@ noblacklist ${HOME}/.config/mpv
noblacklist ${HOME}/.config/youtube-dl
noblacklist ${HOME}/.config/yt-dlp
noblacklist ${HOME}/.config/yt-dlp.conf
noblacklist ${HOME}/.dvdcss
noblacklist ${HOME}/.local/state/mpv
noblacklist ${HOME}/.netrc
noblacklist ${HOME}/yt-dlp.conf
@ -60,6 +61,7 @@ whitelist ${HOME}/.config/mpv
whitelist ${HOME}/.config/youtube-dl
whitelist ${HOME}/.config/yt-dlp
whitelist ${HOME}/.config/yt-dlp.conf
whitelist ${HOME}/.dvdcss
whitelist ${HOME}/.local/state/mpv
whitelist ${HOME}/.netrc
whitelist ${HOME}/yt-dlp.conf

View file

@ -6,9 +6,10 @@ include nextcloud.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/Nextcloud
noblacklist ${HOME}/.config/Nextcloud
noblacklist ${HOME}/.local/share/Nextcloud
noblacklist ${HOME}/Nextcloud
noblacklist ${HOME}/Nextcloud/Notes
# Add the next lines to your nextcloud.local to allow sync in more directories.
#noblacklist ${DOCUMENTS}
#noblacklist ${MUSIC}
@ -23,12 +24,12 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/Nextcloud
mkdir ${HOME}/.config/Nextcloud
mkdir ${HOME}/.local/share/Nextcloud
whitelist ${HOME}/Nextcloud
mkdir ${HOME}/Nextcloud
whitelist ${HOME}/.config/Nextcloud
whitelist ${HOME}/.local/share/Nextcloud
whitelist ${HOME}/Nextcloud
whitelist /usr/share/nextcloud
# Add the next lines to your nextcloud.local to allow sync in more directories.
#whitelist ${DOCUMENTS}
@ -61,15 +62,15 @@ tracelog
disable-mnt
private-bin nextcloud,nextcloud-desktop
private-cache
private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release
private-dev
private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release
private-tmp
# IMPORTANT: create ~/.local/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
# referencing the firejailed /usr/local/bin/nextcloud to keep nextcloud running sandboxed
# even when its dbus name gets activated
# see https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-sandbox-applications-started-via-systemd-or-d-bus-services
dbus-user filter
dbus-user filter
dbus-user.own com.nextcloudgmbh.Nextcloud
dbus-user.talk org.freedesktop.secrets
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher

View file

@ -58,7 +58,7 @@ protocol unix
seccomp
tracelog
private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
private-bin kbuildsycoca4,kdeinit4,lpr,okular,ps2pdf,unar,unrar
private-dev
private-etc @x11,cups
# on KDE we need access to the real /tmp for data exchange with email clients

View file

@ -21,8 +21,7 @@ seccomp
ignore seccomp
#private-bin palemoon
# private-etc must first be enabled in firefox-common.profile
#private-etc palemoon
private-etc palemoon
restrict-namespaces
ignore restrict-namespaces

View file

@ -28,6 +28,8 @@ private-etc @tls-ca
dbus-user filter
# allow D-Bus notifications
dbus-user.talk org.freedesktop.Notifications
# Allow D-Bus communication with Freedesktop.org secrets API to decrypt local key
dbus-user.talk org.freedesktop.secrets
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*

View file

@ -8,6 +8,7 @@ include globals.local
noblacklist ${HOME}/.config/smplayer
noblacklist ${HOME}/.config/youtube-dl
noblacklist ${HOME}/.dvdcss
noblacklist ${HOME}/.mplayer
# Allow lua (blacklisted by disable-interpreters.inc)

View file

@ -19,10 +19,12 @@ include disable-exec.inc
include disable-programs.inc
whitelist ${RUNUSER}/gcr/ssh
whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup
whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup
whitelist ${RUNUSER}/gvfsd-sftp
whitelist ${RUNUSER}/keyring/ssh
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
apparmor
caps.drop all

View file

@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/MangoHud
noblacklist ${HOME}/.config/ModTheSpire
noblacklist ${HOME}/.config/RogueLegacy
noblacklist ${HOME}/.config/RogueLegacyStorageContainer
noblacklist ${HOME}/.config/UNDERTALE
noblacklist ${HOME}/.factorio
noblacklist ${HOME}/.killingfloor
noblacklist ${HOME}/.klei
@ -66,6 +67,7 @@ mkdir ${HOME}/.config/Loop_Hero
mkdir ${HOME}/.config/MangoHud
mkdir ${HOME}/.config/ModTheSpire
mkdir ${HOME}/.config/RogueLegacy
mkdir ${HOME}/.config/UNDERTALE
mkdir ${HOME}/.config/unity3d
mkdir ${HOME}/.factorio
mkdir ${HOME}/.killingfloor
@ -105,6 +107,7 @@ whitelist ${HOME}/.config/MangoHud
whitelist ${HOME}/.config/ModTheSpire
whitelist ${HOME}/.config/RogueLegacy
whitelist ${HOME}/.config/RogueLegacyStorageContainer
whitelist ${HOME}/.config/UNDERTALE
whitelist ${HOME}/.config/unity3d
whitelist ${HOME}/.factorio
whitelist ${HOME}/.killingfloor
@ -158,7 +161,7 @@ nogroups
nonewprivs
noroot
notv
nou2f
#nou2f # may break gamepads in certain games (see #6523)
# To allow VR and camera-based motion tracking, add 'ignore novideo' to your
# steam.local.
novideo

View file

@ -10,6 +10,10 @@ include globals.local
noblacklist ${HOME}/.config/sway
# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
noblacklist ${HOME}/.config/i3
# allow creation of IPC socket
noblacklist ${RUNUSER}/sway-ipc.*
noblacklist /tmp/sway-ipc.*
include disable-common.inc
caps.drop all

View file

@ -61,6 +61,8 @@ whitelist /usr/share/thunderbird
#machine-id
novideo
private-etc thunderbird
# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
ignore private-tmp

View file

@ -14,6 +14,7 @@ include allow-lua.inc
include allow-python3.inc
noblacklist ${HOME}/.config/totem
noblacklist ${HOME}/.dvdcss
noblacklist ${HOME}/.local/share/totem
include disable-common.inc
@ -27,6 +28,7 @@ read-only ${DESKTOP}
mkdir ${HOME}/.config/totem
mkdir ${HOME}/.local/share/totem
whitelist ${HOME}/.config/totem
whitelist ${HOME}/.dvdcss
whitelist ${HOME}/.local/share/totem
whitelist /usr/share/totem
include whitelist-common.inc

View file

@ -9,6 +9,7 @@ include globals.local
noblacklist ${HOME}/.cache/vlc
noblacklist ${HOME}/.config/vlc
noblacklist ${HOME}/.config/aacs
noblacklist ${HOME}/.dvdcss
noblacklist ${HOME}/.local/share/vlc
include disable-common.inc
@ -24,6 +25,7 @@ mkdir ${HOME}/.local/share/vlc
whitelist ${HOME}/.cache/vlc
whitelist ${HOME}/.config/vlc
whitelist ${HOME}/.config/aacs
whitelist ${HOME}/.dvdcss
whitelist ${HOME}/.local/share/vlc
include whitelist-common.inc
include whitelist-player-common.inc

View file

@ -21,9 +21,7 @@ whitelist /usr/share/waterfox
# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
# Add the next line to your waterfox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
# enabled in your firefox-common.local.
#private-etc waterfox
private-etc waterfox
# Redirect
include firefox-common.profile

View file

@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/wesnoth
noblacklist ${HOME}/.config/wesnoth
noblacklist ${HOME}/.local/share/wesnoth
# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc

View file

@ -19,6 +19,7 @@ ignore dbus-system none
noblacklist ${HOME}/.config/zoom.conf
noblacklist ${HOME}/.config/zoomus.conf
noblacklist ${HOME}/.zoom
noblacklist ${DOCUMENTS}
nowhitelist ${DOWNLOADS}
@ -26,10 +27,12 @@ mkdir ${HOME}/.cache/zoom
mkfile ${HOME}/.config/zoom.conf
mkfile ${HOME}/.config/zoomus.conf
mkdir ${HOME}/.zoom
mkdir ${HOME}/Documents/Zoom
whitelist ${HOME}/.cache/zoom
whitelist ${HOME}/.config/zoom.conf
whitelist ${HOME}/.config/zoomus.conf
whitelist ${HOME}/.zoom
whitelist ${HOME}/Documents/Zoom
# Disable for now, see https://github.com/netblue30/firejail/issues/3726
#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
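Review bot: `mkdir ${HOME}/Documents/Zoom` and `whitelist ${HOME}/Documents/Zoom` hard-code the directory name, while the previous hunk uses the macro in `noblacklist ${DOCUMENTS}`. The two disagree on systems where the documents directory is not ~/Documents. If Zoom always writes to ~/Documents/Zoom regardless of the XDG setting, say so in a comment above these lines; otherwise use `${DOCUMENTS}/Zoom` for the whitelist.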

View file

@ -97,10 +97,11 @@ basilisk
bcompare
beaker
bibletime
bijiben
#bijiben # webkit2gtk-4.x requires bwrap (see #3647)
bitcoin-qt
bitlbee
bitwarden
bitwarden-desktop
bleachbit
blender
blender-2.8
@ -218,7 +219,7 @@ display
display-im6.q16
dnox
dnscrypt-proxy
dnsmasq
#dnsmasq # server; problems with libvirt on Arch (see #6121)
dolphin-emu
dooble
dooble-qt4
@ -227,6 +228,7 @@ dragon
drawio
drill
dropbox
dtui
easystroke
ebook-convert
ebook-edit
@ -318,9 +320,9 @@ gcalccmd
gcloud
gconf-editor
gdu
geany
#geany # text editor (see #6002)
#geary # webkit2gtk-4.x requires bwrap (see #3647)
gedit
#gedit # text editor (see #6002)
geekbench
geeqie
geki2
@ -461,7 +463,7 @@ kaffeine
kalgebra
kalgebramobile
karbon
kate
#kate # text editor (see #6002)
kazam
kcalc
#kdeinit4
@ -497,11 +499,11 @@ ktorrent
ktouch
kube
#kwin_x11
kwrite
#kwrite # text editor (see #6002)
lbreakouthd
lbry-viewer
lbry-viewer-gtk
leafpad
#leafpad # text editor (see #6002)
#less # breaks man
lettura
librecad
@ -586,7 +588,7 @@ minitube
mirage
mirrormagic
mocp
mousepad
#mousepad # text editor (see #6002)
mov-cli
mp3splt
mp3splt-gtk
@ -720,7 +722,7 @@ pix
planmaker18
planmaker18free
playonlinux
pluma
#pluma # text editor (see #6002)
plv
pngquant
polari
@ -824,7 +826,7 @@ soffice
sol
sound-juicer
soundconverter
spectacle
#spectacle # may be broken on wayland (see #5127)
spectral
spotify
sqlitebrowser
@ -990,7 +992,7 @@ x2goclient
xbill
xcalc
xchat
xed
#xed # text editor (see #6002)
xfburn
xfce4-dict
xfce4-mixer

View file

@ -396,6 +396,8 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
sprintf(lineptr, " sid ");
break;
// Note: PROC_EVENT_COREDUMP only exists since Linux 3.10 (see #6414).
#ifdef PROC_EVENT_COREDUMP
case PROC_EVENT_COREDUMP:
pid = proc_ev->event_data.coredump.process_tgid;
#ifdef DEBUG_PRCTL
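Review bot: `#ifdef PROC_EVENT_COREDUMP` only works if the name is a preprocessor macro, but in <linux/cn_proc.h> it is an enumerator of the event enum, which the preprocessor cannot see. The guard would therefore compile the coredump case out on every kernel, not only on ones older than 3.10. Please confirm with a build against current headers that the case is still compiled in; if it is not, guard on `LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)` from <linux/version.h> or on a configure-time check instead.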
@ -403,6 +405,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
#endif
sprintf(lineptr, " coredump ");
break;
#endif /* PROC_EVENT_COREDUMP */
case PROC_EVENT_COMM:
pid = proc_ev->event_data.comm.process_tgid;

View file

@ -245,6 +245,7 @@
205.196.6.0/24 Steam
207.45.72.0/22 Netflix
207.241.224.0/20 Internet Archive
207.5.192.0/19 Rumble
208.82.236.0/22 Creiglist
208.64.200.0/22 Steam
208.75.76.0/22 Netflix
@ -577,6 +578,8 @@
108.44.64.0/18 MCI
108.45.0.0/16 MCI
108.46.0.0/16 MCI
152.176.0.0/12 MCI
152.192.0.0/13 MCI
192.229.128.0/17 MCI
# Microsoft
@ -5176,22 +5179,7 @@
164.92.208.0/20 Digital Ocean
164.92.224.0/20 Digital Ocean
164.92.240.0/20 Digital Ocean
165.22.0.0/20 Digital Ocean
165.22.16.0/20 Digital Ocean
165.22.32.0/20 Digital Ocean
165.22.48.0/20 Digital Ocean
165.22.64.0/20 Digital Ocean
165.22.80.0/20 Digital Ocean
165.22.96.0/20 Digital Ocean
165.22.112.0/20 Digital Ocean
165.22.128.0/20 Digital Ocean
165.22.144.0/20 Digital Ocean
165.22.160.0/20 Digital Ocean
165.22.176.0/20 Digital Ocean
165.22.192.0/20 Digital Ocean
165.22.208.0/20 Digital Ocean
165.22.224.0/20 Digital Ocean
165.22.240.0/20 Digital Ocean
165.22.0.0/16 Digital Ocean
165.227.0.0/20 Digital Ocean
165.227.16.0/20 Digital Ocean
165.227.32.0/20 Digital Ocean
@ -6029,6 +6017,28 @@
96.30.0.0/18 Liquid Web
# OVH
15.204.0.0/17 OVH
15.204.128.0/17 OVH
15.235.0.0/17 OVH
15.235.128.0/17 OVH
23.92.224.0/19 OVH
37.187.0.0/16 OVH
37.59.0.0/16 OVH
40.160.0.0/17 OVH
46.105.0.0/16 OVH
46.105.198.0/24 OVH
46.105.199.0/24 OVH
46.105.200.0/24 OVH
46.105.201.0/24 OVH
46.105.202.0/24 OVH
46.105.203.0/24 OVH
46.105.204.0/24 OVH
46.105.206.0/24 OVH
46.105.207.0/24 OVH
46.244.32.0/20 OVH
51.161.0.0/17 OVH
51.161.128.0/17 OVH
51.210.0.0/24 OVH
107.189.64.0/18 OVH
135.125.0.0/17 OVH
135.125.128.0/17 OVH
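Review bot: in the OVH block, the nine entries from `46.105.198.0/24` through `46.105.207.0/24` are already covered by `46.105.0.0/16` directly above them, so moving them keeps redundant lines in the list. The Digital Ocean hunk in this same file collapses sixteen /20 entries into `165.22.0.0/16`; the same aggregation here would leave only the /16.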
@ -6053,11 +6063,7 @@
149.202.0.0/16 OVH
149.56.0.0/16 OVH
151.80.0.0/16 OVH
15.204.0.0/17 OVH
15.204.128.0/17 OVH
152.228.128.0/17 OVH
15.235.0.0/17 OVH
15.235.128.0/17 OVH
158.69.0.0/16 OVH
162.19.0.0/17 OVH
162.19.128.0/17 OVH
@ -6084,23 +6090,6 @@
213.251.128.0/18 OVH
213.32.0.0/17 OVH
217.182.0.0/16 OVH
23.92.224.0/19 OVH
37.187.0.0/16 OVH
37.59.0.0/16 OVH
40.160.0.0/17 OVH
46.105.0.0/16 OVH
46.105.198.0/24 OVH
46.105.199.0/24 OVH
46.105.200.0/24 OVH
46.105.201.0/24 OVH
46.105.202.0/24 OVH
46.105.203.0/24 OVH
46.105.204.0/24 OVH
46.105.206.0/24 OVH
46.105.207.0/24 OVH
46.244.32.0/20 OVH
51.161.0.0/17 OVH
51.161.128.0/17 OVH
# Ionos
74.208.0.0/16 Ionos

View file

@ -3,13 +3,9 @@
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
TCFILE=""
if [ -x "/usr/sbin/tc" ]; then
TCFILE="/usr/sbin/tc"
elif [ -x "/sbin/tc" ]; then
TCFILE="/sbin/tc";
else
echo "Error: traffic control utility (tc) not found";
TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)"
if [ -z "$TCFILE" ]; then
echo "Error: traffic control utility (tc) not found"
exit 1
fi
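Review bot: The `[ -z "$TCFILE" ]` test only checks that `command -v` printed something, while the code it replaces required `[ -x ... ]` on an absolute path. `command -v` also prints the bare name of a shell function or builtin and the definition of an alias, so a non-empty result is not necessarily an executable file; keeping a check such as `[ -x "$TCFILE" ]` after the lookup preserves the old guarantee. Pinning PATH to /usr/sbin:/sbin:/run/current-system/sw/bin for the lookup is good, since the result does not depend on the caller's PATH; a short comment saying that the last entry is the NixOS system profile would explain why it is in the list.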

View file

@ -139,29 +139,6 @@ $ sudo firecfg --clean
/usr/local/bin/vlc removed
.br
[...]
.SH FILES
.PP
Configuration files are searched for and parsed in the following paths:
.PP
.RS
1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
.br
2. /etc/firejail/firecfg.config
.RE
.PP
The programs that are supported by default are listed in
/etc/firejail/firecfg.config.
It is recommended to leave it as is and put all customizations inside
/etc/firejail/firecfg.d/.
.PP
Profile files are also searched in the user configuration directory:
.PP
.RS
3. ~/.config/firejail/*.profile
.RE
.PP
For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
.SH SYNTAX
Configuration file syntax:
.PP
@ -200,6 +177,29 @@ following lines can to be used to ignore both:
.br
!spectacle
.RE
.SH FILES
.PP
Configuration files are searched for and parsed in the following paths:
.PP
.RS
1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
.br
2. /etc/firejail/firecfg.config
.RE
.PP
The programs that are supported by default are listed in
/etc/firejail/firecfg.config.
It is recommended to leave it as is and put all customizations inside
/etc/firejail/firecfg.d/.
.PP
Profile files are also searched in the user configuration directory:
.PP
.RS
3. ~/.config/firejail/*.profile
.RE
.PP
For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
.SH LICENSE
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
.PP

View file

@ -243,7 +243,7 @@ host filesystem. Each line describes a file/directory that is inaccessible
a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and
HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section
HOME directories are searched, see the \fBfirejail\fR(1) \fBFILE GLOBBING\fR section
for more details.
Examples:
.TP
@ -511,30 +511,30 @@ Blacklist all Linux capabilities.
Whitelist given Linux capabilities.
#ifdef HAVE_LANDLOCK
.TP
\fBlandlock.enforce (experimental)
\fBlandlock.enforce\fR (experimental)
Enforce the Landlock ruleset.
.PP
Without it, the other Landlock commands have no effect.
.TP
\fBlandlock.fs.read path (experimental)
\fBlandlock.fs.read path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a read access
rule for path.
.TP
\fBlandlock.fs.write path (experimental)
\fBlandlock.fs.write path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a write access
rule for path.
.TP
\fBlandlock.fs.makeipc path (experimental)
\fBlandlock.fs.makeipc path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
the given path.
.TP
\fBlandlock.fs.makedev path (experimental)
\fBlandlock.fs.makedev path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of block devices and character devices beneath the given
path.
.TP
\fBlandlock.fs.execute path (experimental)
\fBlandlock.fs.execute path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add an execution
permission rule for path.
#endif
@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu
\fBdbus-system none
Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
.TP
\fBdbus-system.own org.gnome.ghex.*
Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
.TP
\fBdbus-system.talk org.freedesktop.Notifications
Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
.TP
\fBdbus-system.see org.freedesktop.Notifications
Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
.TP
\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
.TP
\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
\fBdbus-system.own org.gnome.ghex.*
Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
.TP
\fBdbus-system.see org.freedesktop.Notifications
Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
.TP
\fBdbus-system.talk org.freedesktop.Notifications
Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
.TP
\fBdbus-user filter
Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
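Review bot: The reordered dbus-system.own description still reads "all names underneath in on the system DBus"; since the entry is being moved anyway, fix the stray "in" so it reads "all names underneath it on the system DBus".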
@ -689,22 +689,22 @@ Enable filtered access to the session DBus. Filters can be specified with the db
\fBdbus-user none
Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
.TP
\fBdbus-user.own org.gnome.ghex.*
Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
.TP
\fBdbus-user.talk org.freedesktop.Notifications
Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
.TP
\fBdbus-user.see org.freedesktop.Notifications
Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
.TP
\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
.TP
\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
\fBdbus-user.own org.gnome.ghex.*
Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
.TP
\fBnodbus \fR(deprecated)
\fBdbus-user.see org.freedesktop.Notifications
Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
.TP
\fBdbus-user.talk org.freedesktop.Notifications
Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
.TP
\fBnodbus\fR (deprecated)
Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
.TP
.br
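Review bot: The moved dbus-user.broadcast description has a doubled article, "receive broadcast signals from the the interface"; the dbus-system.broadcast text in the previous hunk has it right. The dbus-user.own line also carries the "all names underneath in on" wording and should be corrected in the same pass.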
@ -804,7 +804,7 @@ name browser
\fBno3d
Disable 3D hardware acceleration.
.TP
\fBnoautopulse \fR(deprecated)
\fBnoautopulse\fR (deprecated)
See keep-config-pulse.
.TP
\fBnodvd
@ -866,20 +866,6 @@ net eth0
.br
ip 10.10.20.56
.TP
\fBip none
No IP address and no default gateway are configured for the last interface
defined by a net command. Use this option
in case you intend to start an external DHCP client in the sandbox.
.br
.br
Example:
.br
net eth0
.br
ip none
.TP
\fBip dhcp
Acquire an IP address and default gateway for the last interface defined by a
@ -907,6 +893,20 @@ If your DHCP server requires leases to be explicitly released, consider running
a DHCP client and releasing the lease manually in conjunction with the
net none command.
.TP
\fBip none
No IP address and no default gateway are configured for the last interface
defined by a net command. Use this option
in case you intend to start an external DHCP client in the sandbox.
.br
.br
Example:
.br
net eth0
.br
ip none
.TP
\fBip6 address
Assign IPv6 addresses to the last network interface defined by a net command.

View file

@ -207,7 +207,7 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
.br
$ firejail \-\-blacklist=~/.mozilla
.br
$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
$ firejail \-\-blacklist="/home/username/My Virtual Machines"
.br
$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
.TP
@ -610,21 +610,6 @@ Example:
.br
$ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
.TP
\fB\-\-dbus-user.talk=name
Allows the application to talk to the specified well-known name on the session DBus.
The name may have a .* suffix to match all names underneath it, including itself
(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
not "foobar").
.br
.br
Example:
.br
$ firejail --dbus-user=filter --dbus-user.talk=\\
.br
org.freedesktop.Notifications
.TP
\fB\-\-dbus-user.see=name
Allows the application to see, but not talk to the specified well-known name on
@ -640,6 +625,21 @@ Example:
$ firejail --dbus-user=filter --dbus-user.see=\\
.br
org.freedesktop.Notifications
.TP
\fB\-\-dbus-user.talk=name
Allows the application to talk to the specified well-known name on the session DBus.
The name may have a .* suffix to match all names underneath it, including itself
(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
not "foobar").
.br
.br
Example:
.br
$ firejail --dbus-user=filter --dbus-user.talk=\\
.br
org.freedesktop.Notifications
#endif
.TP
\fB\-\-debug\fR
@ -888,6 +888,32 @@ Example:
.br
$ firejail \-\-hosts-file=~/myhosts firefox
.TP
\fB\-\-icmptrace[=name|pid]
Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
created with \-\-net are supported. This option is only available when running the sandbox as root.
.br
.br
Without a name/pid, Firejail will monitor the main system network namespace.
.br
.br
Example
.br
$ sudo firejail --icmptrace
.br
20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
.br
20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
.br
20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
.br
20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
.br
20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
.br
#ifdef HAVE_IDS
.TP
\fB\-\-ids-check
@ -925,33 +951,7 @@ $ firejail \-\-ignore="net eth0" firefox
#endif
.TP
\fB\-\-icmptrace[=name|pid]
Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
created with \-\-net are supported. This option is only available when running the sandbox as root.
.br
.br
Without a name/pid, Firejail will monitor the main system network namespace.
.br
.br
Example
.br
$ sudo firejail --icmptrace
.br
20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
.br
20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
.br
20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
.br
20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
.br
20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
.br
.TP
\fB\-\-\include=file.profile
\fB\-\-include=file.profile
Include a profile file before the regular profiles are used.
.br
@ -983,23 +983,6 @@ Example:
.br
$ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox
.TP
\fB\-\-ip=none
No IP address and no default gateway are configured for the last interface
defined by a \-\-net option. Use this option
in case you intend to start an external DHCP client in the sandbox.
.br
.br
Example:
.br
$ firejail \-\-net=eth0 \-\-\ip=none
.br
.br
If the corresponding interface doesn't have an IP address configured, this
option is enabled by default.
.TP
\fB\-\-ip=dhcp
Acquire an IP address and default gateway for the last interface defined by a
@ -1025,6 +1008,23 @@ If your DHCP server requires leases to be explicitly released, consider running
a DHCP client and releasing the lease manually in conjunction with the
\-\-net=none option.
.TP
\fB\-\-ip=none
No IP address and no default gateway are configured for the last interface
defined by a \-\-net option. Use this option
in case you intend to start an external DHCP client in the sandbox.
.br
.br
Example:
.br
$ firejail \-\-net=eth0 \-\-ip=none
.br
.br
If the corresponding interface doesn't have an IP address configured, this
option is enabled by default.
.TP
\fB\-\-ip6=address
Assign IPv6 addresses to the last network interface defined by a \-\-net option.
@ -1070,7 +1070,7 @@ default gateway is assigned by default.
.br
Example:
.br
$ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
$ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150
.TP
\fB\-\-ipc-namespace
@ -1241,30 +1241,30 @@ $ firejail --keep-var-tmp
#ifdef HAVE_LANDLOCK
.TP
\fB\-\-landlock.enforce (experimental)
\fB\-\-landlock.enforce\fR (experimental)
Enforce the Landlock ruleset.
Without it, the other Landlock commands have no effect.
See the \fBLANDLOCK\fR section for more information.
.TP
\fB\-\-landlock.fs.read=path (experimental)
\fB\-\-landlock.fs.read=path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a read access
rule for path.
.TP
\fB\-\-landlock.fs.write=path (experimental)
\fB\-\-landlock.fs.write=path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a write access
rule for path.
.TP
\fB\-\-landlock.fs.makeipc=path (experimental)
\fB\-\-landlock.fs.makeipc=path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
the given path.
.TP
\fB\-\-landlock.fs.makedev=path (experimental)
\fB\-\-landlock.fs.makedev=path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of block devices and character devices beneath the given
path.
.TP
\fB\-\-landlock.fs.execute=path (experimental)
\fB\-\-landlock.fs.execute=path\fR (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add an execution
permission rule for path.
.br
@ -1323,6 +1323,21 @@ Example:
.br
$ firejail \-\-machine-id
.TP
\fB\-\-memory-deny-write-execute
Install a seccomp filter to block attempts to create memory mappings
that are both writable and executable, to change mappings to be
executable, or to create executable shared memory. The filter examines
the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
and shmat system calls and returns error EPERM to the process (or
kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
.br
.br
Note: shmat is not implemented
as a system call on some platforms including i386, and it cannot be
handled by seccomp-bpf.
.TP
\fB\-\-mkdir=dirname
Create a directory in user home. Parent directories are created as needed.
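Review bot: In the relocated --memory-deny-write-execute text, "(or kills it or log the attempt, see --seccomp-error-action below)" mixes verb forms; "logs the attempt" matches "returns" and "kills". Worth fixing while the paragraph is being moved.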
@ -1343,20 +1358,6 @@ Example:
.br
$ firejail --mkfile=~/work/project/readme
.TP
\fB\-\-memory-deny-write-execute
Install a seccomp filter to block attempts to create memory mappings
that are both writable and executable, to change mappings to be
executable, or to create executable shared memory. The filter examines
the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
and shmat system calls and returns error EPERM to the process (or
kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
.br
.br
Note: shmat is not implemented
as a system call on some platforms including i386, and it cannot be
handled by seccomp-bpf.
#ifdef HAVE_NETWORK
.TP
\fB\-\-mtu=number
@ -1726,7 +1727,7 @@ Example:
$ firejail --no3d firefox
.TP
\fB\-\-noautopulse \fR(deprecated)
\fB\-\-noautopulse\fR (deprecated)
See --keep-config-pulse.
.TP
@ -1772,7 +1773,7 @@ $ nc dict.org 2628
220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
.br
.TP
\fB\-\-nodbus \fR(deprecated)
\fB\-\-nodbus\fR (deprecated)
#ifdef HAVE_DBUSPROXY
Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
.br
@ -1792,15 +1793,6 @@ Example:
.br
$ firejail \-\-nodvd
.TP
\fB\-\-noinput
Disable input devices.
.br
.br
Example:
.br
$ firejail \-\-noinput
.TP
\fB\-\-noexec=dirname_or_filename
Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
.br
@ -1844,6 +1836,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
.br
$
.TP
\fB\-\-noinput
Disable input devices.
.br
.br
Example:
.br
$ firejail \-\-noinput
.TP
\fB\-\-nonewprivs
Sets the NO_NEW_PRIVS prctl. This ensures that child processes
@ -3143,7 +3145,9 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
.br
$ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null
.br
$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
$ firejail \-\-whitelist="/home/username/My Virtual Machines"
.br
$ firejail \-\-whitelist=/home/username/My\\ Virtual\\ Machines
.br
$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
@ -3351,16 +3355,6 @@ $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
.br
#endif
.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.
.SH NAME VALIDATION
For simplicity, the same name validation is used for multiple options.
Rules:
.PP
The name must be 1-253 characters long.
The name can only contain ASCII letters, digits and the special characters
"-._" (that is, the name cannot contain spaces or control characters).
The name cannot contain only digits.
The first and last characters must be an ASCII letter or digit and the name
may contain special characters in the middle.
#ifdef HAVE_APPARMOR
.SH APPARMOR
.TP
@ -3406,64 +3400,6 @@ To enable AppArmor confinement on top of your current Firejail security features
$ firejail --apparmor firefox
#endif
#ifdef HAVE_LANDLOCK
.SH LANDLOCK
Warning: Landlock support in firejail is considered experimental and unstable.
The contents of landlock-common.inc are likely to change and the feature is
still being expanded upon in the Linux kernel.
Also, note that its functionality overlaps with existing firejail features,
such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
Its filesystem access rules can currently only restrict direct access to paths;
it is not able to make only select paths appear in the sandbox such as with the
\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
Lastly, note that depending on the Linux kernel version, Landlock may not
protect all of the relevant syscalls (see the kernel's Landlock documentation
for details).
Therefore, it is recommended to treat Landlock as an extra layer of protection,
to be used together with other firejail features (rather than as a bulletproof
mechanism by itself).
.PP
Landlock is a Linux security module first introduced in version 5.13 of the
Linux kernel.
It allows unprivileged processes to restrict their access to the filesystem.
Once imposed, these restrictions can never be removed, and all child processes
created by a Landlock-restricted processes inherit these restrictions.
Firejail supports Landlock as an additional sandboxing feature.
It can be used to ensure that a sandboxed application can only access files and
directories that it was explicitly allowed to access.
Firejail supports populating the ruleset with both a basic set of rules (see
landlock-common.inc) and with a custom set of rules.
.TP
Important notes:
.PP
.RS
- Currently only Landlock ABI version 1 is supported.
.PP
- If "lsm=" is used in the kernel command line, it should contain "landlock"
(such as "lsm=apparmor,landlock"), or else it will be disabled.
.PP
- A process can install a Landlock ruleset only if it has either
\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
Privileges" restriction enabled.
Because of this, enabling the Landlock feature will also cause Firejail to
enable the "No New Privileges" restriction, regardless of the profile or the
\fB\-\-nonewprivs\fR command line option.
.PP
- Access to the /etc directory is automatically allowed.
To override this, use the \fB\-\-writable\-etc\fR command line option.
You can also use the \fB\-\-private\-etc\fR option to restrict access to the
/etc directory.
.RE
.PP
To enable Landlock self-restriction on top of your current Firejail security
features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
Without it, the other Landlock commands have no effect.
Example:
.PP
$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
.PP
To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
#endif
.SH DESKTOP INTEGRATION
A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
The symbolic link should be placed in the first $PATH position. On most systems, a good place
@ -3517,37 +3453,37 @@ $ firejail --tree
1221:netblue:/usr/lib/firefox/firefox
.RE
We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details.
We provide a tool that automates all this integration, please see \fBfirecfg\fR(1) for more details.
.SH EXAMPLES
.TP
\f\firejail
\fBfirejail
Sandbox a regular shell session.
.TP
\f\firejail firefox
\fBfirejail firefox
Start Mozilla Firefox.
.TP
\f\firejail \-\-debug firefox
\fBfirejail \-\-debug firefox
Debug Firefox sandbox.
.TP
\f\firejail \-\-private firefox
\fBfirejail \-\-private firefox
Start Firefox with a new, empty home directory.
.TP
\f\firejail --net=none vlc
\fBfirejail --net=none vlc
Start VLC in an unconnected network namespace.
#ifdef HAVE_NETWORK
.TP
\f\firejail \-\-net=eth0 firefox
\fBfirejail \-\-net=eth0 firefox
Start Firefox in a new network namespace. An IP address is
assigned automatically.
.TP
\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
\fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
Start a shell session in a new network namespace and connect it
to br0, br1, and br2 host bridge devices. IP addresses are assigned
automatically for the interfaces connected to br1 and b2
#endif
.TP
\f\firejail \-\-list
\fBfirejail \-\-list
List all sandboxed processes.
.SH FILE GLOBBING
@ -3711,6 +3647,65 @@ Currently while scanning the file system, symbolic links are not followed, and f
The program can also be run as root (sudo firejail --ids-init/--ids-check).
#endif
#ifdef HAVE_LANDLOCK
.SH LANDLOCK
Warning: Landlock support in firejail is considered experimental and unstable.
The contents of landlock-common.inc are likely to change and the feature is
still being expanded upon in the Linux kernel.
Also, note that its functionality overlaps with existing firejail features,
such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
Its filesystem access rules can currently only restrict direct access to paths;
it is not able to make only select paths appear in the sandbox such as with the
\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
Lastly, note that depending on the Linux kernel version, Landlock may not
protect all of the relevant syscalls (see the kernel's Landlock documentation
for details).
Therefore, it is recommended to treat Landlock as an extra layer of protection,
to be used together with other firejail features (rather than as a bulletproof
mechanism by itself).
.PP
Landlock is a Linux security module first introduced in version 5.13 of the
Linux kernel.
It allows unprivileged processes to restrict their access to the filesystem.
Once imposed, these restrictions can never be removed, and all child processes
created by a Landlock-restricted processes inherit these restrictions.
Firejail supports Landlock as an additional sandboxing feature.
It can be used to ensure that a sandboxed application can only access files and
directories that it was explicitly allowed to access.
Firejail supports populating the ruleset with both a basic set of rules (see
landlock-common.inc) and with a custom set of rules.
.TP
Important notes:
.PP
.RS
- Currently only Landlock ABI version 1 is supported.
.PP
- If "lsm=" is used in the kernel command line, it should contain "landlock"
(such as "lsm=apparmor,landlock"), or else it will be disabled.
.PP
- A process can install a Landlock ruleset only if it has either
\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
Privileges" restriction enabled.
Because of this, enabling the Landlock feature will also cause Firejail to
enable the "No New Privileges" restriction, regardless of the profile or the
\fB\-\-nonewprivs\fR command line option.
.PP
- Access to the /etc directory is automatically allowed.
To override this, use the \fB\-\-writable\-etc\fR command line option.
You can also use the \fB\-\-private\-etc\fR option to restrict access to the
/etc directory.
.RE
.PP
To enable Landlock self-restriction on top of your current Firejail security
features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
Without it, the other Landlock commands have no effect.
Example:
.PP
$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
.PP
To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
#endif
.SH MONITORING
Option \-\-list prints a list of all sandboxes. The format
for each process entry is as follows:
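Review bot: The LANDLOCK section is moved verbatim, including "all child processes created by a Landlock-restricted processes inherit these restrictions" (should be "a Landlock-restricted process") and "pass \fB\-\-landlock.enforce\fR flag to Firejail command line" (missing "the" twice). Fix both in the re-added copy rather than carrying them to the new location.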
@ -3768,6 +3763,17 @@ Sandbox running time in hours:minutes:seconds format.
USER
The owner of the sandbox.
.SH NAME VALIDATION
For simplicity, the same name validation is used for multiple options.
Rules:
.PP
The name must be 1-253 characters long.
The name can only contain ASCII letters, digits and the special characters
"-._" (that is, the name cannot contain spaces or control characters).
The name cannot contain only digits.
The first and last characters must be an ASCII letter or digit and the name
may contain special characters in the middle.
.SH RESTRICTED SHELL
To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
/etc/passwd file for each user that needs to be restricted. Alternatively,
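Review bot: The roff comment `.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.` is shown directly above the old location of NAME VALIDATION in the earlier hunk, but it does not appear above the section as re-added here. If it stayed behind, it now sits in front of the APPARMOR block where it no longer points at anything; move it together with the section so the documented rules keep their link to the validation code.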

View file

@ -5,8 +5,15 @@
set -e
MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
test -z "$SOURCE_DATE_EPOCH" && SOURCE_DATE_EPOCH="$(date +%s)"
format='+%b %Y'
date="$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
LC_ALL=C date -u "$format")"
MONTH="$(printf '%s\n' "$date" | cut -f 1 -d ' ')"
YEAR="$(printf '%s\n' "$date" | cut -f 2 -d ' ')"
sed \
-e "s/VERSION/$1/g" \
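Review bot: The last fallback in the `date=` chain, `LC_ALL=C date -u "$format"`, ignores SOURCE_DATE_EPOCH and stamps the current time, and because the first two attempts send stderr to /dev/null this happens silently. A malformed SOURCE_DATE_EPOCH, or a date implementation that accepts neither form, then yields a man page date that differs between builds with no hint why. Consider printing a warning to stderr before the last fallback, or failing when SOURCE_DATE_EPOCH was supplied by the caller and neither `-d "@..."` (GNU) nor `-r` (BSD) accepts it. A comment naming which date implementation each form targets would also help the next reader.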

View file

@ -30,20 +30,21 @@ expect {
}
after 100
send -- "find ~\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"_firejail_test_file3"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"_firejail_test_file2"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"_firejail_test_file1"
}
after 100
# FIXME: Prints "TESTING ERROR 3" in CI since 2024-09-19.
#send -- "find ~\r"
#expect {
# timeout {puts "TESTING ERROR 2\n";exit}
# "_firejail_test_file3"
#}
#expect {
# timeout {puts "TESTING ERROR 3\n";exit}
# "_firejail_test_file2"
#}
#expect {
# timeout {puts "TESTING ERROR 4\n";exit}
# "_firejail_test_file1"
#}
#after 100
send -- "exit\r"
sleep 1
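Review bot: Commenting out the whole `find ~` block removes this test's check that the three files are visible, and the FIXME carries no issue reference to track re-enabling it. The three expect blocks require `_firejail_test_file3`, `_firejail_test_file2` and `_firejail_test_file1` to arrive in that order, but find prints entries in directory order, which is not guaranteed; if file2 is printed before file3, the first expect consumes it and the second times out with "TESTING ERROR 3", which would match the symptom named in the FIXME. Making the check order-independent (for example one `find` per file, or sorting the output before matching) is likely a better fix than disabling it.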