diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 37056a1ce..ec1b4a10f 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -47,10 +47,11 @@ _Any other detail that may help to understand/debug the problem_
 ### Environment
-- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
-- Firejail version (`firejail --version`).
+- Name/version/arch of the Linux kernel (`uname -srm`):
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
+- Version of Firejail (`firejail --version`):
 - If you use a development version of firejail, also the commit from which it
- was compiled (`git rev-parse HEAD`).
+ was compiled (`git rev-parse HEAD`):
 ### Checklist
diff --git a/.github/ISSUE_TEMPLATE/build_issue.md b/.github/ISSUE_TEMPLATE/build_issue.md
new file mode 100644
index 000000000..e9a0b2410
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/build_issue.md
@@ -0,0 +1,73 @@
+---
+name: Build issue
+about: There is an issue when trying to build the project from source
+title: 'build: '
+labels: ''
+assignees: ''
+
+---
+
+
+### Description
+
+_Describe the bug_
+
+### Steps to Reproduce
+
+
+
+_Post the commands used to reproduce the issue and their output_
+
+Example:
+
+```console
+$ ./configure --prefix=/usr --enable-apparmor
+checking for gcc... gcc
+checking whether the C compiler works... yes
+[...]
+$ make
+make -C src/lib
+gcc [...]
+[...]
+```
+
+_If ./configure fails, include the output of config.log_
+
+Example:
+
+```console
+$ cat config.log
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+[...]
+```
+
+### Additional context
+
+_(Optional) Any other detail that may help to understand/debug the problem_
+
+### Environment
+
+- Name/version/arch of the Linux kernel (`uname -srm`):
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
+- Name/version of the C compiler (e.g. "gcc 14.1.1-1"):
+- Name/version of the libc (e.g. "glibc 2.40-1"):
+- Name/version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on
+ Arch Linux):
+- Version of the source code being built (`git rev-parse HEAD`):
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index ce1b70e39..08a5678e2 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -22,3 +22,11 @@ _A clear and concise description of any alternative solutions or features you've
 ### Additional context
 _Add any other context or screenshots about the feature request here._
+
+### Environment
+
+- Name/version/arch of the Linux kernel (`uname -srm`):
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
+- Version of Firejail (`firejail --version`):
+- If you use a development version of firejail, also the commit from which it:
+ was compiled (`git rev-parse HEAD`):
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index ccc5c9bf7..8fb22b334 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -44,7 +44,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -52,7 +52,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7752f3d3..ccfa06531 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -68,7 +68,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index a0b7245e5..ed05e2147 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -46,7 +46,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -56,7 +56,7 @@ jobs:
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install clang-tools-14 and dependencies
@@ -79,7 +79,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -89,7 +89,7 @@ jobs:
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install cppcheck
@@ -109,7 +109,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -120,7 +120,7 @@ jobs:
 ppa.launchpad.net:80
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install cppcheck
@@ -143,7 +143,7 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 disable-sudo: true
 egress-policy: block
@@ -154,14 +154,14 @@ jobs:
 uploads.github.com:443
 - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: print env
 run: ./ci/printenv.sh
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
+ uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
 with:
 languages: cpp
@@ -172,4 +172,4 @@ jobs:
 run: make -j "$(nproc)"
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
+ uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 38cb1f29b..1674e76b7 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -33,14 +33,14 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
 github.com:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: print env
 run: ./ci/printenv.sh
 - run: python3 --version
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 838414498..c014ab652 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -31,7 +31,7 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 disable-sudo: true
 egress-policy: block
@@ -44,16 +44,16 @@ jobs:
 uploads.github.com:443
 - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: print env
 run: ./ci/printenv.sh
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
+ uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
 with:
 languages: python
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
+ uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 6e0fe73d2..8975aa394 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -24,7 +24,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -34,7 +34,7 @@ jobs:
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
 security.ubuntu.com:80
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c1ee00934..46d966ad7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:
 SHELL: /bin/bash
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -62,7 +62,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -103,7 +103,7 @@ jobs:
 SHELL: /bin/bash
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -111,7 +111,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -143,7 +143,7 @@ jobs:
 SHELL: /bin/bash
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -151,7 +151,7 @@ jobs:
 github.com:443
 packages.microsoft.com:443
 ppa.launchpadcontent.net:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -183,7 +183,7 @@ jobs:
 SHELL: /bin/bash
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -194,7 +194,7 @@ jobs:
 ppa.launchpadcontent.net:443
 www.debian.org:443
 www.debian.org:80
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
@@ -225,7 +225,7 @@ jobs:
 SHELL: /bin/bash
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -240,7 +240,7 @@ jobs:
 www.debian.org:443
 www.debian.org:80
 yahoo.com:1025
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: update package information
 run: sudo apt-get update -qy
 - name: install dependencies
diff --git a/README b/README
index d64554f9a..8b7b64cb9 100644
--- a/README
+++ b/README
@@ -28,13 +28,17 @@ Compile and install the mainline version from GitHub: cd firejail ./configure && make && sudo make install-strip -On Debian/Ubuntu you will need to install git and gcc. AppArmor development -libraries and pkg-config are required when using the --enable-apparmor -./configure option: +On Debian/Ubuntu you will need to install git and gcc. + +To build with AppArmor support (which is usually used on Debian, Ubuntu, +openSUSE and derivatives), install the AppArmor development libraries and +pkg-config and use the `--enable-apparmor` ./configure option: sudo apt-get install git build-essential libapparmor-dev pkg-config gawk -For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). +To build with SELinux support (which is usually used on Fedora, RHEL and +derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the +`--enable-selinux` ./configure option. We build our release firejail.tar.xz and firejail.deb packages using the following commands: @@ -199,6 +203,8 @@ avoidr (https://github.com/avoidr) - added mcabber profile - fixed mpv profile - various other fixes +ayham (https://github.com/ayham-1) + - allow custom homedir support for gpgagent Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) - add support for custom AppArmor profiles (--apparmor=) - add Landlock support @@ -257,6 +263,8 @@ bymoz089 (https://github.com/bymoz089) - add timezone access to make libical functional BytesTuner (https://github.com/BytesTuner) - provided keepassxc profile +Caleb McCombs (https://github.com/squatched) + - Zoom profile fixes caoliver (https://github.com/caoliver) - network system fixes Carlo Abelli (https://github.com/carloabelli) 
@@ -270,6 +278,8 @@ Cat (https://github.com/ecat3) cayday (https://github.com/caydey) - added ~/Private blacklist in disable-common.inc - added quiet to some CLI profiles +celenityy (https://github.com/celenityy) + - Thunderbird profile fix Christian Pinedo (https://github.com/chrpinedo) - added nicotine profile - allow python3 in totem profile @@ -414,6 +424,7 @@ Felipe Barriga Richards (https://github.com/fbarriga) - --private-etc fix Felix Pehla (https://github.com/FelixPehla) - fix fractal profile + - blacklist sway IPC socket globally fenuks (https://github.com/fenuks) - fix sound in games using FMOD - allow /opt/tor-browser for Tor Browser profile @@ -433,6 +444,8 @@ floxo (https://github.com/floxo) - fixed qml disk cache issue Foemass (https://github.com/Foemass) - documentation +Foxreef (https://github.com/Foxreef) + - steam profile fixes Franco (nextime) Lanza (https://github.com/nextime) - added --private-template/--private-home František Polášek (https://github.com/fandaa) @@ -497,6 +510,8 @@ G4JC (https://sourceforge.net/u/gaming4jc/profile/) - profile fixes Gaman Gabriel (https://github.com/stelariusinfinitek) - inox profile +Gabriel (https://github.com/gcb) + - okular profile fix geg2048 (https://github.com/geg2048) - kwallet profile fixes glitsj16 (https://github.com/glitsj16) @@ -1226,6 +1241,7 @@ Ted Robertson (https://github.com/tredondo) - various documentation fixes - blacklist Exodus wallet - blacklist monero-project directory + - several README file fixes tools200ms (https://github.com/tools200ms) - fixed allow-ssh.inc Tus1688 (https://github.com/Tus1688) @@ -1321,6 +1337,8 @@ ydididodat (https://github.com/ydididodat) yumkam (https://github.com/yumkam) - add compile-time option to restrict --net= to root only - man page fixes +Yves-Alexis Perez (https://github.com/corsac-s) + - signal-desktop profile fix Zack Weinberg (https://github.com/zackw) - added support for joining a persistent, named network namespace - removed libconnect 
diff --git a/README.md b/README.md index 33bd6bfb3..4491b5835 100644 --- a/README.md +++ b/README.md @@ -10,13 +10,16 @@ [![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell) [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) -Firejail is a SUID sandbox program that reduces the risk of security breaches -by restricting the running environment of untrusted applications using Linux -namespaces, seccomp-bpf and Linux capabilities. It allows a process and all -its descendants to have their own private view of the globally shared kernel -resources, such as the network stack, process table, mount table. Firejail can -work in a SELinux or AppArmor environment, and it is integrated with Linux -Control Groups. +Firejail is a lightweight security tool intended to protect a Linux system by +setting up a restricted environment for running (potentially untrusted) +applications. + +More specifically, it is an SUID sandbox program that reduces the risk of +security breaches by using Linux namespaces, seccomp-bpf and Linux +capabilities. It allows a process and all its descendants to have their own +private view of the globally shared kernel resources, such as the network +stack, process table and mount table. Firejail can work in an SELinux or +AppArmor environment, and it is integrated with Linux Control Groups. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of 
@@ -148,7 +151,9 @@ The version can be checked with `firejail --version` after installing. You can also install one of the [released packages](https://github.com/netblue30/firejail/releases). -Or clone the source code from our git repository and build manually: +## Building + +You can clone the source code from this git repository and build manually: ```sh git clone https://github.com/netblue30/firejail.git @@ -156,15 +161,19 @@ cd firejail ./configure && make && sudo make install-strip ``` -On Debian/Ubuntu you will need to install git and gcc. AppArmor development -libraries and pkg-config are required when using the `--enable-apparmor` -./configure option: +On Debian/Ubuntu you will need to install git and gcc. + +To build with AppArmor support (which is usually used on Debian, Ubuntu, +openSUSE and derivatives), install the AppArmor development libraries and +pkg-config and use the `--enable-apparmor` ./configure option: ```sh sudo apt-get install git build-essential libapparmor-dev pkg-config gawk ``` -For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). +To build with SELinux support (which is usually used on Fedora, RHEL and +derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the +`--enable-selinux` ./configure option. Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). diff --git a/RELNOTES b/RELNOTES index df3152cf5..77f0cceb3 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,7 +1,9 @@ firejail (0.9.73) baseline; urgency=low * work in progress * security: fix sscanf rv checks (CodeQL) (#6184) - * feature: added noptm and keep-tpm commands to private-dev (#6390) + * feature: private-etc rework: improve handling of /etc/resolv.conf and add + private-etc groups (#6400 #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643 + #5650 #5681 #5737 #5844 #5989 #6016 #6104 #5655 #6435 #6514 #6515) * feature: Add "keep-shell-rc" command and option (#1127 #5634) * feature: Print the argument when failing with "too long arguments" (#5677) * feature: a random hostname is assigned to each sandbox unless 
@@ -18,26 +20,27 @@ firejail (0.9.73) baseline; urgency=low * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 #6228 #6260 #6302 #6305) * feature: add support for comm, coredump, and prctl procevents in firemon + (#6414 #6415) * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) + * feature: fshaper.sh: support tc on NixOS (#6426 #6431) * modif: Stop forwarding own double-dash to the shell (#5599 #5600) * modif: Prevent sandbox name (--name=) and host name (--hostname=) from containing only digits (#5578 #5741) * modif: Escape control characters of the command line (#5613) * modif: Allow mostly only ASCII letters and digits for sandbox name (--name=) and host name (--hostname=) (#5708 #5856) - * modif: remove firemon --interface option (duplicating --net.print option) * modif: make private-lib a configure-time option, disabled by default (see --enable-private-lib) (#5727 #5732) * modif: Improve --version/--help & print version on startup (#5829 #6172) * modif: improve errExit error messages (#5871) * modif: drop deprecated 'shell' option references (#5894) * modif: keep pipewire group unless nosound is used (#5992 #5993) - * modif: fcopy: Use lstat when copying directory (#5957) - * modif: populate /run/firejail while holding flock (#6307) + * modif: fcopy: use lstat when copying directory (#5378 #5957) * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) - * removal: LTS and FIRETUNNEL support - * bugfix: fix startup race condition for /run/firejail directory (#6307, #6307) + * removal: firemon: remove --interface option (it duplicates the firejail + --net.print= option) (0e48f9933) + * removal: remove support for LTS and firetunnel (db09546f2) * bugfix: fix --hostname and --hosts-file commands * bugfix: fix examples in firejail-local AppArmor profile (#5717) * bugfix: arp.c: ensure positive timeout on select(2) (#5806) 
@@ -45,20 +48,23 @@ firejail (0.9.73) baseline; urgency=low (#5965 #5976) * bugfix: firejail --ls reports wrong file sizes for large files (#5982 #6086) + * bugfix: fix startup race condition for /run/firejail directory (#6307) * bugfix: fix various resource leaks (#6367) * bugfix: profstats: fix restrict-namespaces max count (#6369) + * bugfix: remove --noautopulse from --help and zsh comp (#6401) * build: auto-generate syntax files (#5627) * build: mark all phony targets as such (#5637) * build: mkdeb.sh: pass all arguments to ./configure (#5654) * build: deb: enable apparmor by default & remove deb-apparmor (#5668) * build: Fix whitespace and add .editorconfig (#5674) + * build: remove for loop initial declarations to fix building with old + compilers (#5778) * build: enable compiler warnings by default (#5842) * build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859) * build: disable all built-in implicit make rules (#5864) * build: organize and standardize make vars and targets (#5866) * build: fix seccomp filters and man pages always being rebuilt when running - make - * build: simplify code related to man pages (#5898) + make (#5156 #5898) * build: fix hardcoded make & remove unnecessary distclean targets (#5911) * build: dist and asc improvements (#5916) * build: fix some shellcheck issues & use config.sh in more scripts (#5927) @@ -82,6 +88,7 @@ firejail (0.9.73) baseline; urgency=low * build: remove clean dependency from cppcheck targets (#6343) * build: allow overriding common tools (#6354) * build: standardize install commands (#6366) + * build: improve reliability/portability of date command usage (#6403 #6404) * ci: always update the package db before installing packages (#5742) * ci: fix codeql unable to download its own bundle (#5783) * ci: split configure/build/install commands on gitlab (#5784) 
@@ -94,7 +101,6 @@ firejail (0.9.73) baseline; urgency=low * ci: whitelist paths, reorganize workflows & speed-up tests (#5960) * ci: fix dependabot duplicated workflow runs (#5984) * ci: allow running workflows manually (#6026) - * ci: re-enable sort.py (#6104) * ci: add timeout limits (#6178) * ci: make dependabot updates monthly and bump PR limit (#6338) * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057 @@ -111,6 +117,14 @@ firejail (0.9.73) baseline; urgency=low #6359) * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382) * docs: man: format and sort some private- items (#6398) + * docs: man: improve blacklist/whitelist examples with spaces (#6425) + * docs: add build_issue.md issue template (#6423) + * docs: man: sort commands (firejail.1) (#6451) + * docs: man: fix bold in command TPs (#6472) + * docs: man: fix wrong escapes (#6474) + * docs: github: streamline environment in issue templates (#6471) + * docs: fix typos of --enable-selinux configure option (#6526) + * docs: clarify intro and build section in README (#6524) * legal: selinux.c: Split Copyright notice & use same license as upstream (#5667) * profiles: qutebrowser: fix links not opening in the existing instance @@ -121,6 +135,7 @@ firejail (0.9.73) baseline; urgency=low * profiles: drop hostname option from all profiles (#5702) * profiles: move read-only config entries to disable-common.inc (#5763) * profiles: standardize on just "GTK" on comments (#5794) + * profiles: bleachbit: allow erasing Trash contents (#5337 #5902) * profiles: improvements to profiles using private (#5946) * profiles: standardize commented code and eol comments (#5987) * profiles: disable-common: add more suid programs (#6049 #6051 #6052) 
@@ -137,6 +152,17 @@ firejail (0.9.73) baseline; urgency=low
 * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
 * profiles: libreoffice: support signing documents with GPG (#6352 #6353)
 * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
+ * profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473)
+ * profiles: nextcloud: fix access to ~/Nextcloud (#5877 #6478)
+ * profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#5816 #6479)
+ * profiles: firecfg: disable text editors (#6002 #6477)
+ * profiles: browsers: centralize/sync/improve comments (#6486)
+ * profiles: keepassxc: add new socket location (#5447 #6391)
+ * profiles: signal-desktop: allow org.freedesktop.secrets (#6498)
+ * profiles: firefox-common: allow org.freedesktop.portal.Documents (#6444 #6499)
+ * profiles: keepassxc: allow access to ssh-agent socket (#3314 #6531)
+ * profiles: firecfg.config: disable dnsmasq (#6533)
+ * profiles: game-launchers: disable nou2f (#6534)
 * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
 -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 14f7d8cf7..faae99543 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -171,6 +171,10 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${RUNUSER}/i3/ipc-socket.*
 blacklist /tmp/i3-*/ipc-socket.*
+# sway IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/sway-ipc.*
+blacklist /tmp/sway-ipc.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 49ca3836f..0f8a2e7e3 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
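Review bot: The two new `blacklist` lines for the sway IPC socket cover only the default locations under ${RUNUSER} and /tmp, while sway publishes the socket's actual path in the SWAYSOCK environment variable (and, for i3 compatibility, presumably I3SOCK), so a socket created at a non-default path would stay reachable and the variable would still tell a sandboxed program where it is. Unless those variables are already scrubbed elsewhere in this file (not visible in the hunk), consider pairing the path blacklist with `rmenv SWAYSOCK` and `rmenv I3SOCK`, which also removes the hint for the default path. The added comment states the risk well; extending it to `# sway IPC socket (allows arbitrary shell script execution; the path is also exposed via $SWAYSOCK)` would make the limit of the glob-based coverage explicit to the next maintainer.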
@@ -359,6 +359,7 @@ blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/TinyRDM
 blacklist ${HOME}/.config/Twitch
+blacklist ${HOME}/.config/UNDERTALE
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VSCodium
 blacklist ${HOME}/.config/Whalebird
@@ -728,6 +729,7 @@ blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.dvdcss
 blacklist ${HOME}/.easystroke
 blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electron-cash
@@ -1261,6 +1263,7 @@ blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/evolution-*
 blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 8b70756ba..6217af780 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/abrowser
-# private-etc must first be enabled in firefox-common.profile
-#private-etc abrowser
+private-etc abrowser
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 7d2fe143c..f5595274e 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -19,8 +19,7 @@ seccomp
 ignore seccomp
 #private-bin basilisk
-# private-etc must first be enabled in firefox-common.profile
-#private-etc basilisk
+private-etc basilisk
 #private-opt basilisk
 restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index e596ec9d2..7afccf5cd 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Tracker1
 dbus-system none
-env WEBKIT_FORCE_SANDBOX=0
+# Warning: Disabling the webkit sandbox may be needed to make firejail work
+# with webkit2gtk, but this is not recommended (see #2995).
+# Add the following line to bijiben.local at your own risk:
+#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
 restrict-namespaces
diff --git a/etc/profile-a-l/bitwarden-desktop.profile b/etc/profile-a-l/bitwarden-desktop.profile
new file mode 100644
index 000000000..4c1994c50
--- /dev/null
+++ b/etc/profile-a-l/bitwarden-desktop.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bitwarden-desktop
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include bitwarden.profile
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 1572ca572..9ed48b02d 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,13 +6,13 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
-# Disabled until someone reported positive feedback
-ignore include whitelist-usr-share-common.inc
-
 ignore noexec /tmp
 noblacklist ${HOME}/.config/Bitwarden
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-shell.inc
 mkdir ${HOME}/.config/Bitwarden
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
index 05e1a69f1..6bebbf7b0 100644
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
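Review bot: The new `include allow-bin-sh.inc` in bitwarden.profile re-opens /bin/sh that the `include disable-shell.inc` line just below closes, but its comment only restates what the include does, not which Bitwarden functionality broke without a shell; a why-comment such as `# Allow /bin/sh (blacklisted by disable-shell.inc): needed for <feature or issue reference — fill in>` records the condition under which this widening can be dropped again. The same hunk also removes `ignore include whitelist-usr-share-common.inc`, which presumably narrows the sandbox's view of /usr/share; that looks intentional, but since it is a behaviour change rather than a comment fix it would be worth a line in the commit description so users who relied on the broader view know where to look.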
@@ -1,5 +1,5 @@
-# Firejail profile for Cachy-Browser
-# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# Firejail profile for cachy-browser
+# Description: Librewolf fork based on enhanced privacy with Gentoo patchset
 # This file is overwritten after every install/update
 # Persistent local customizations
 include cachy-browser.local
@@ -15,36 +15,12 @@ whitelist ${HOME}/.cache/cachy whitelist ${HOME}/.cachy whitelist /usr/share/cachy-browser -# Add the next lines to your cachy-browser.local if you want to use the migration wizard. -#noblacklist ${HOME}/.mozilla -#whitelist ${HOME}/.mozilla - -# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local. -# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - -# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). +# Add the next line to cachy-browser.local to enable private-bin. #private-bin dbus-launch,dbus-send,cachy-browser,sh -# Add the next line to your cachy-browser.local to enable private-etc. -# Note: private-etc must first be enabled in firefox-common.local. -#private-etc cachy-browser +private-etc cachy-browser dbus-user filter dbus-user.own org.mozilla.cachybrowser.* -# Add the next line to your cachy-browser.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your cachy-browser.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your cachy-browser.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kuiserver -# Add the next line to your cachy-browser.local to allow screensharing under Wayland. -#dbus-user.talk org.freedesktop.portal.Desktop -# Also add the next line to your cachy-browser.local if screensharing does not work with -# the above lines (depends on the portal implementation). -#ignore noroot ignore dbus-user none # Redirect diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 37bfa0bfe..8d4f3fc9a 100644 --- a/etc/profile-a-l/chromium-common.profile 
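Review bot: `private-etc cachy-browser` is now active in cachy-browser.profile while the included firefox-common.profile keeps its own `private-etc @tls-ca,@x11,mailcap,mime.types,os-release` line, so the result depends on Firejail merging the lists from both lines rather than letting the later one win; the removed comments used to warn about this dependency and nothing replaces them. If merge semantics are what the project relies on, one comment in firefox-common.profile next to its private-etc line, e.g. `# Profiles including this file add their own entries; the private-etc lists are merged.`, would document the assumption in a single place. The cliqz, cyberfox, firefox-common-addons, firefox-esr, icecat, iceweasel, librewolf, palemoon, thunderbird and waterfox hunks make the same switch and are covered by this note.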
+++ b/etc/profile-a-l/chromium-common.profile @@ -9,14 +9,28 @@ include chromium-common.local # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} +# To enable support for the KeePassXC extension, add the following lines to +# chromium-common.local. +# Note: Start KeePassXC before the web browser and keep it open to allow +# communication between them. +#noblacklist ${RUNUSER}/app +#whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.pki noblacklist /usr/lib/chromium/chrome-sandbox -# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser -# to have access to Gnome extensions (extensions.gnome.org) via browser connector +# Add the next line to chromium-common.local if you want the web browser to +# have access to Gnome extensions (extensions.gnome.org) via the browser +# connector. #include allow-python3.inc +blacklist ${PATH}/curl +blacklist ${PATH}/wget +blacklist ${PATH}/wget2 + mkdir ${HOME}/.local/share/pki mkdir ${HOME}/.pki whitelist ${HOME}/.local/share/pki @@ -27,7 +41,7 @@ include whitelist-run-common.inc # If your kernel allows the creation of user namespaces by unprivileged users # (for example, if running `unshare -U echo enabled` prints "enabled"), you -# can add the next line to your chromium-common.local. +# can add the next line to chromium-common.local. #include chromium-common-hardened.inc.profile ?BROWSER_DISABLE_U2F: nou2f 
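Review bot: The `blacklist ${PATH}/curl`, `blacklist ${PATH}/wget` and `blacklist ${PATH}/wget2` lines moved up in chromium-common.profile still carry no comment, and they now sit between the Gnome-connector note and the pki `mkdir` lines, where a reader cannot tell whether they belong to the paragraph above. A one-line why-comment above them, e.g. `# Keep command-line download tools out of the browser sandbox.`, would make the intent explicit (that reading is inferred from the tool names; adjust it if the actual reason differs). The firefox-common.profile hunk at the top of that file adds the same three lines and would take the same comment.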
@@ -35,12 +49,8 @@ include whitelist-run-common.inc ?BROWSER_DISABLE_U2F: private-dev #private-tmp # issues when using multiple browser sessions -blacklist ${PATH}/curl -blacklist ${PATH}/wget -blacklist ${PATH}/wget2 - -# This prevents access to passwords saved in GNOME Keyring and KWallet, also -# breaks Gnome connector. +# Note: This prevents access to passwords saved in GNOME Keyring and KWallet +# and breaks Gnome connector. #dbus-user none # The file dialog needs to work without d-bus. diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile index d0bf9797e..bded735a9 100644 --- a/etc/profile-a-l/cliqz.profile +++ b/etc/profile-a-l/cliqz.profile @@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz whitelist ${HOME}/.config/cliqz whitelist /usr/share/cliqz -# private-etc must first be enabled in firefox-common.profile -#private-etc cliqz +private-etc cliqz # Redirect include firefox-common.profile diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile index c7a42e0eb..173c5b4a5 100644 --- a/etc/profile-a-l/cyberfox.profile +++ b/etc/profile-a-l/cyberfox.profile @@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios whitelist /usr/share/cyberfox #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which -# private-etc must first be enabled in firefox-common.profile -#private-etc cyberfox +private-etc cyberfox # Redirect include firefox-common.profile diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 75338eb6d..e11134616 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile 
@@ -12,45 +12,16 @@ noblacklist ${HOME}/.config/d-feet include allow-python2.inc include allow-python3.inc -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-shell.inc -include disable-xdg.inc - mkdir ${HOME}/.config/d-feet whitelist ${HOME}/.config/d-feet whitelist /usr/share/d-feet -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc -apparmor -caps.drop all -ipc-namespace -#net none # breaks on Ubuntu -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp +# breaks on Ubuntu +ignore net none -disable-mnt private-bin d-feet,python* -private-cache -private-dev -private-etc dbus-1 -private-tmp #memory-deny-write-execute # breaks on Arch (see issue #1803) -restrict-namespaces + +# Redirect +include dbus-debug-common.profile diff --git a/etc/profile-a-l/d-spy.profile b/etc/profile-a-l/d-spy.profile index 9ff429ecb..2c9ef52cb 100644 --- a/etc/profile-a-l/d-spy.profile +++ b/etc/profile-a-l/d-spy.profile @@ -6,43 +6,7 @@ include d-spy.local # Persistent global definitions include globals.local -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-proc.inc -include disable-programs.inc -include disable-shell.inc -include disable-xdg.inc - -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -ipc-namespace -net none -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp - -disable-mnt private-bin d-spy -private-cache -private-dev -private-etc dbus-1 -private-tmp -read-only ${HOME} -restrict-namespaces +# Redirect +include dbus-debug-common.profile 
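Review bot: d-feet.profile now ends with `include dbus-debug-common.profile`, and that common profile (new in this commit) sets `read-only ${HOME}`, which the old d-feet.profile did not have, while d-feet still runs `mkdir ${HOME}/.config/d-feet` and `whitelist ${HOME}/.config/d-feet` to keep its configuration writable. If the read-only remount also covers the whitelisted directory, d-feet silently loses the ability to save settings; please confirm, and if so add `ignore read-only ${HOME}` next to the existing `ignore net none`. d-spy already had `read-only ${HOME}` before the change, so only d-feet is affected. The common profile also brings `include disable-proc.inc`, `seccomp.block-secondary` and `tracelog` to d-feet; those are tightenings, but worth a test run on the Ubuntu setup the `ignore net none` comment refers to.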
diff --git a/etc/profile-a-l/dbus-debug-common.profile b/etc/profile-a-l/dbus-debug-common.profile
new file mode 100644
index 000000000..0ef060f3a
--- /dev/null
+++ b/etc/profile-a-l/dbus-debug-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dbus-debug-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dbus-debug-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dbus-1
+private-tmp
+
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/dtui.profile b/etc/profile-a-l/dtui.profile
new file mode 100644
index 000000000..b85ae451b
--- /dev/null
+++ b/etc/profile-a-l/dtui.profile
@@ -0,0 +1,15 @@
+# Firejail profile for dtui
+# Description: TUI D-Bus debugger
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dtui.local
+# Persistent global definitions
+include globals.local
+
+private-bin dtui
+
+memory-deny-write-execute
+
+# Redirect
+include dbus-debug-common.profile
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 1af2884b6..52a439c48 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/Element mkdir ${HOME}/.config/Element whitelist ${HOME}/.config/Element whitelist /opt/Element +whitelist /usr/share/element dbus-user filter dbus-user.talk org.freedesktop.Notifications diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 517bb6206..e703938eb 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile @@ -6,6 +6,7 @@ include evolution.local # Persistent global definitions include globals.local +noblacklist /tmp/evolution-* noblacklist /var/mail noblacklist /var/spool/mail noblacklist ${HOME}/.bogofilter @@ -41,7 +42,7 @@ protocol unix,inet,inet6 seccomp private-dev -private-tmp +#private-tmp writable-var restrict-namespaces diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index af9d556db..895a7dbfb 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile @@ -9,6 +9,7 @@ include globals.local noblacklist ${MUSIC} noblacklist ${VIDEOS} +noblacklist ${HOME}/.dvdcss include disable-common.inc include disable-devel.inc diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index ccc2dc7f6..bf811cb2d 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile @@ -4,6 +4,7 @@ include firefox-common-addons.local # Prevent whitelisting in ${RUNUSER} ignore whitelist ${RUNUSER}/*firefox* +ignore whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC ignore whitelist ${RUNUSER}/psd/*firefox* ignore whitelist ${RUNUSER}/kpxc_server ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer 
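Review bot: `#private-tmp` in the second evolution.profile hunk disables the private /tmp without saying why, so the sandbox now shares the host's /tmp with every other process, and the `noblacklist /tmp/evolution-*` added in the first evolution hunk is the only hint at the reason. A comment tying the two together, e.g. `# Evolution needs the real /tmp for its /tmp/evolution-* directories (see #<issue>)`, would tell the next maintainer what breaks if `private-tmp` is re-enabled and whether a `whitelist /tmp/evolution-*` would be a tighter alternative.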
@@ -79,7 +80,7 @@ whitelist ${HOME}/dwhelper whitelist /usr/share/lua* whitelist /usr/share/mpv -# GNOME Shell integration (chrome-gnome-shell) needs dbus and python +# GNOME Shell integration (chrome-gnome-shell) needs dbus and python. noblacklist ${HOME}/.local/share/gnome-shell whitelist ${HOME}/.local/share/gnome-shell dbus-user.talk ca.desrt.dconf @@ -92,8 +93,7 @@ include allow-python3.inc #private-bin keepassxc-proxy # Flash plugin -# private-etc must first be enabled in firefox-common.profile and in profiles including it. -#private-etc adobe +private-etc adobe # ff2mpv #ignore noexec ${HOME} diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 9c8601e7b..953012954 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -11,12 +11,31 @@ include firefox-common.local # noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon. ?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER} -# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. +# Add the next lines to firefox-common.local if you want to use the migration +# wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + +# To enable support for the KeePassXC extension, add the following lines to +# firefox-common.local. +# Note: Start KeePassXC before the web browser and keep it open to allow +# communication between them. +#noblacklist ${RUNUSER}/app +#whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + +# Add the next line to firefox-common.local to allow access to common +# programs/addons/plugins. #include firefox-common-addons.profile noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.pki +blacklist ${PATH}/curl +blacklist ${PATH}/wget +blacklist ${PATH}/wget2 + include disable-common.inc include disable-devel.inc include disable-exec.inc 
@@ -43,36 +62,56 @@ apparmor # Fixme! apparmor-replace caps.drop all -# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. +# Note: machine-id breaks pulseaudio; add it to firefox-common.local if sound +# is not required. #machine-id netfilter nodvd nogroups noinput nonewprivs -# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. +# Note: noroot breaks GTK_USE_PORTAL=1 usage; see +# https://github.com/netblue30/firejail/issues/2506. noroot notv ?BROWSER_DISABLE_U2F: nou2f protocol unix,inet,inet6,netlink -# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. +# Note: The seccomp line below still permits the chroot syscall; see +# https://github.com/netblue30/firejail/issues/2506 for possible workarounds. seccomp !chroot -# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. +# Note: tracelog may break or cause major issues with many Firefox-based +# browsers; see https://github.com/netblue30/firejail/issues/1930. #tracelog disable-mnt ?BROWSER_DISABLE_U2F: private-dev -# private-etc below works fine on most distributions. There could be some problems on CentOS. +# Note: The private-etc line below works fine on most distributions but it +# could cause problems on CentOS. private-etc @tls-ca,@x11,mailcap,mime.types,os-release private-tmp -blacklist ${PATH}/curl -blacklist ${PATH}/wget -blacklist ${PATH}/wget2 - -# 'dbus-user none' breaks various desktop integration features like global menus, native notifications, -# Gnome connector, KDE connect and power management on KDE Plasma. +# Note: `dbus-user none` breaks various desktop integration features like +# global menus, native notifications, Gnome connector, KDE Connect and power +# management on KDE Plasma. 
dbus-user none dbus-system none +# Allow drag and drop +dbus-user.talk org.freedesktop.portal.Documents +# Add the next line to firefox-common.local to enable native notifications. +#dbus-user.talk org.freedesktop.Notifications +# Add the next line to firefox-common.local to allow inhibiting screensavers. +#dbus-user.talk org.freedesktop.ScreenSaver +# Add the next lines to firefox-common.local for plasma browser integration. +#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kdeconnect +#dbus-user.talk org.kde.kuiserver +# Add the next line to firefox-common.local to allow screensharing under +# Wayland. +#dbus-user.talk org.freedesktop.portal.Desktop +# Also add the next line to firefox-common.local if screensharing does not work +# with the above lines (depends on the portal implementation). +#ignore noroot + #restrict-namespaces diff --git a/etc/profile-a-l/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile index 5e69fdb51..05fe0c344 100644 --- a/etc/profile-a-l/firefox-esr.profile +++ b/etc/profile-a-l/firefox-esr.profile @@ -8,5 +8,7 @@ include firefox-esr.local whitelist /usr/share/firefox-esr +private-etc firefox-esr + # Redirect include firefox.profile diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 009a0d119..92b7eb1c7 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile 
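Review bot: `dbus-user.talk org.freedesktop.portal.Documents` is added right after `dbus-user none` with only `# Allow drag and drop` as explanation, yet under `dbus-user none` a talk rule has no effect; it only becomes active in profiles that `ignore dbus-user none` and set `dbus-user filter`, as firefox.profile does in its own hunk. Since this grants every Firefox-based profile built on this file access to the documents portal, the comment should say so, e.g. `# Allow drag and drop via the documents portal (only effective for profiles using dbus-user filter).`. This hunk begins on the previous line.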
@@ -6,10 +6,10 @@ include firefox.local # Persistent global definitions include globals.local -# Note: Sandboxing web browsers is as important as it is complex. Users might be -# interested in creating custom profiles depending on use case (e.g. one for -# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more -# info. Here are a few links to get you going. +# Note: Sandboxing web browsers is as important as it is complex. Users might +# be interested in creating custom profiles depending on the use case (e.g. one +# for general browsing, another for banking, ...). Consult our FAQ/issue +# tracker for more information. Here are a few links to get you going: # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 
@@ -29,39 +29,20 @@ mkdir ${HOME}/.mozilla whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla -# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. -# Note: Start KeePassXC before Firefox and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - whitelist /usr/share/firefox whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini whitelist ${RUNUSER}/*firefox* whitelist ${RUNUSER}/psd/*firefox* -# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. +# Note: Firefox requires a shell to launch on Arch and Fedora. +# Add the next lines to firefox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which -# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin. #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname private-etc firefox dbus-user filter dbus-user.own org.mozilla.* dbus-user.own org.mpris.MediaPlayer2.firefox.* -# Add the next line to your firefox.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your firefox.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your firefox.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kdeconnect -#dbus-user.talk org.kde.kuiserver -# Add the next line to your firefox.local to allow screen sharing under wayland. 
-#dbus-user.talk org.freedesktop.portal.Desktop -# Add the next line to your firefox.local if screen sharing sharing still does not work -# with the above lines (might depend on the portal implementation). -#ignore noroot ignore dbus-user none # Redirect diff --git a/etc/profile-a-l/floorp.profile b/etc/profile-a-l/floorp.profile index 49caed107..8a5932876 100644 --- a/etc/profile-a-l/floorp.profile +++ b/etc/profile-a-l/floorp.profile @@ -14,30 +14,8 @@ mkdir ${HOME}/.floorp whitelist ${HOME}/.cache/floorp whitelist ${HOME}/.floorp -# Add the next lines to your floorp.local if you want to use the migration wizard. -#noblacklist ${HOME}/.mozilla -#whitelist ${HOME}/.mozilla - -# To enable KeePassXC Plugin add one of the following lines to your floorp.local. -# Note: Start KeePassXC before floorp and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - dbus-user filter dbus-user.own org.mozilla.floorp.* -# Add the next line to your floorp.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your floorp.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your floorp.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kuiserver -# Add the next line to your floorp.local to allow screensharing under Wayland. -#dbus-user.talk org.freedesktop.portal.Desktop -# Also add the next line to your floorp.local if screensharing does not work with -# the above lines (depends on the portal implementation). -#ignore noroot ignore apparmor ignore dbus-user none diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile index e0ef23cce..0853a8d77 100644 --- a/etc/profile-a-l/handbrake.profile +++ b/etc/profile-a-l/handbrake.profile 
@@ -7,6 +7,7 @@ include handbrake.local include globals.local noblacklist ${HOME}/.config/ghb +noblacklist ${HOME}/.dvdcss noblacklist ${MUSIC} noblacklist ${VIDEOS} diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile index b0a42fb77..19bda5454 100644 --- a/etc/profile-a-l/icecat.profile +++ b/etc/profile-a-l/icecat.profile @@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat whitelist ${HOME}/.mozilla whitelist /usr/share/icecat -# private-etc must first be enabled in firefox-common.profile -#private-etc icecat +private-etc icecat # Redirect include firefox-common.profile diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile index badd2648a..d6a925a77 100644 --- a/etc/profile-a-l/iceweasel.profile +++ b/etc/profile-a-l/iceweasel.profile @@ -6,8 +6,7 @@ include iceweasel.local # added by included profile #include globals.local -# private-etc must first be enabled in firefox-common.profile -#private-etc iceweasel +private-etc iceweasel # Redirect include firefox.profile diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 4e8c8e449..1ba4f0eba 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile @@ -13,6 +13,8 @@ noblacklist ${HOME}/.config/keepassxc noblacklist ${HOME}/.config/KeePassXCrc noblacklist ${HOME}/.keepassxc noblacklist ${DOCUMENTS} +noblacklist ${RUNUSER}/app +noblacklist /tmp/ssh-* # Allow browser profiles, required for browser integration. noblacklist ${HOME}/.config/BraveSoftware @@ -62,8 +64,12 @@ include disable-xdg.inc #whitelist ${HOME}/.config/KeePassXCrc #include whitelist-common.inc +mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC +whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC +whitelist /tmp/ssh-* whitelist /usr/share/keepassxc include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc 
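Review bot: `whitelist /tmp/ssh-*` (together with `noblacklist /tmp/ssh-*` in the first keepassxc.profile hunk) exposes the host's ssh-agent socket directories to KeePassXC without a comment, although the nearby `# Allow browser profiles, required for browser integration.` line shows the file's habit of explaining such grants. Suggest `# Allow SSH agent integration (ssh-agent sockets live in /tmp/ssh-*)` above the whitelist, and a line such as `# Socket directory used by the KeePassXC browser integration` above `mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC`, so that a user who needs neither feature knows which lines to `ignore` in keepassxc.local. Whether the glob interacts with a `private-tmp` elsewhere in this profile cannot be seen from the hunk.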
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 79b286e58..67ff64954 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile @@ -79,8 +79,8 @@ writable-run-user dbus-user filter dbus-user.talk ca.desrt.dconf -dbus-user.talk org.freedesktop.secrets dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets # Allow D-Bus communication with Firefox for opening links dbus-user.talk org.mozilla.* dbus-system none diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 65a4a3787..23d2f78c2 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile @@ -1,4 +1,4 @@ -# Firejail profile for Librewolf +# Firejail profile for librewolf # Description: Firefox fork based on privacy # This file is overwritten after every install/update # Persistent local customizations 
@@ -14,39 +14,16 @@ mkdir ${HOME}/.librewolf whitelist ${HOME}/.cache/librewolf whitelist ${HOME}/.librewolf -# Add the next lines to your librewolf.local if you want to use the migration wizard. -#noblacklist ${HOME}/.mozilla -#whitelist ${HOME}/.mozilla - -# To enable KeePassXC Plugin add one of the following lines to your librewolf.local. -# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - whitelist /usr/share/librewolf -# Add the next line to your librewolf.local to enable private-bin (Arch Linux). +# Add the next line to librewolf.local to enable private-bin. #private-bin dbus-launch,dbus-send,librewolf,sh -# Add the next line to your librewolf.local to enable private-etc. -# Note: private-etc must first be enabled in firefox-common.local. -#private-etc librewolf +private-etc librewolf dbus-user filter +dbus-user.own io.gitlab.firefox.* dbus-user.own io.gitlab.librewolf.* dbus-user.own org.mozilla.librewolf.* -# Add the next line to your librewolf.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your librewolf.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your librewolf.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kuiserver -# Add the next line to your librewolf.local to allow screensharing under Wayland. -#dbus-user.talk org.freedesktop.portal.Desktop -# Also add the next line to your librewolf.local if screensharing does not work with -# the above lines (depends on the portal implementation). -#ignore noroot ignore apparmor ignore dbus-user none diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index 0462cb503..c6bfbc233 100644 
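Review bot: `dbus-user.own io.gitlab.firefox.*` is added to librewolf.profile without a comment, and a LibreWolf sandbox owning a name pattern that contains `firefox` rather than `librewolf` is the kind of line a later reader will question or remove. A why-comment, e.g. `# Name used by <build/package> (see #<issue>)`, with the placeholders filled in from the report that motivated it, would settle that. Like the other browser hunks, this one drops the per-profile KeePassXC and D-Bus hints in favour of the copies now in firefox-common.profile, which is fine.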
--- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile @@ -68,7 +68,7 @@ nogroups nonewprivs noroot notv -nou2f +#nou2f # may break gamepads in certain games (see #6523) novideo protocol unix,inet,inet6,netlink seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index e7dba9cd5..023071f68 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile @@ -7,9 +7,10 @@ include QOwnNotes.local include globals.local noblacklist ${DOCUMENTS} -noblacklist ${HOME}/Nextcloud/Notes noblacklist ${HOME}/.config/PBE noblacklist ${HOME}/.local/share/PBE +noblacklist ${HOME}/Nextcloud +noblacklist ${HOME}/Nextcloud/Notes include disable-common.inc include disable-devel.inc @@ -19,13 +20,13 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -mkdir ${HOME}/Nextcloud/Notes mkdir ${HOME}/.config/PBE mkdir ${HOME}/.local/share/PBE +mkdir ${HOME}/Nextcloud/Notes whitelist ${DOCUMENTS} -whitelist ${HOME}/Nextcloud/Notes whitelist ${HOME}/.config/PBE whitelist ${HOME}/.local/share/PBE +whitelist ${HOME}/Nextcloud/Notes include whitelist-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index bdb9fa51d..c4f989a77 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile @@ -6,6 +6,7 @@ include mplayer.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.mplayer include disable-common.inc @@ -16,6 +17,7 @@ include disable-programs.inc read-only ${DESKTOP} mkdir ${HOME}/.mplayer +whitelist ${HOME}/.dvdcss whitelist ${HOME}/.mplayer include whitelist-common.inc include whitelist-player-common.inc diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index b85002b00..1d03e894c 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile 
@@ -29,6 +29,7 @@ noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.config/yt-dlp noblacklist ${HOME}/.config/yt-dlp.conf +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.netrc noblacklist ${HOME}/yt-dlp.conf @@ -60,6 +61,7 @@ whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.config/yt-dlp whitelist ${HOME}/.config/yt-dlp.conf +whitelist ${HOME}/.dvdcss whitelist ${HOME}/.local/state/mpv whitelist ${HOME}/.netrc whitelist ${HOME}/yt-dlp.conf diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 960c494db..b6453f6a9 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile @@ -6,9 +6,10 @@ include nextcloud.local # Persistent global definitions include globals.local -noblacklist ${HOME}/Nextcloud noblacklist ${HOME}/.config/Nextcloud noblacklist ${HOME}/.local/share/Nextcloud +noblacklist ${HOME}/Nextcloud +noblacklist ${HOME}/Nextcloud/Notes # Add the next lines to your nextcloud.local to allow sync in more directories. #noblacklist ${DOCUMENTS} #noblacklist ${MUSIC} @@ -23,12 +24,12 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -mkdir ${HOME}/Nextcloud mkdir ${HOME}/.config/Nextcloud mkdir ${HOME}/.local/share/Nextcloud -whitelist ${HOME}/Nextcloud +mkdir ${HOME}/Nextcloud whitelist ${HOME}/.config/Nextcloud whitelist ${HOME}/.local/share/Nextcloud +whitelist ${HOME}/Nextcloud whitelist /usr/share/nextcloud # Add the next lines to your nextcloud.local to allow sync in more directories. #whitelist ${DOCUMENTS} 
@@ -61,15 +62,15 @@ tracelog disable-mnt private-bin nextcloud,nextcloud-desktop private-cache -private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release private-dev +private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release private-tmp # IMPORTANT: create ~/.local/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service # referencing the firejailed /usr/local/bin/nextcloud to keep nextcloud running sandboxed # even when its dbus name gets activated # see https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-sandbox-applications-started-via-systemd-or-d-bus-services -dbus-user filter +dbus-user filter dbus-user.own com.nextcloudgmbh.Nextcloud dbus-user.talk org.freedesktop.secrets ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 9f4990246..645510124 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile @@ -58,7 +58,7 @@ protocol unix seccomp tracelog -private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar +private-bin kbuildsycoca4,kdeinit4,lpr,okular,ps2pdf,unar,unrar private-dev private-etc @x11,cups # on KDE we need access to the real /tmp for data exchange with email clients diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile index 8917a9bc5..8e1a5daf5 100644 --- a/etc/profile-m-z/palemoon.profile +++ b/etc/profile-m-z/palemoon.profile @@ -21,8 +21,7 @@ seccomp ignore seccomp #private-bin palemoon -# private-etc must first be enabled in firefox-common.profile -#private-etc palemoon +private-etc palemoon restrict-namespaces ignore restrict-namespaces diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index d1db0ba86..c8d908aa8 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile 
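Review bot: `private-bin kbuildsycoca4,kdeinit4,lpr,okular,ps2pdf,unar,unrar` in the okular.profile hunk adds `ps2pdf`, but on common distributions `ps2pdf` is a shell script that execs `ps2pdf14`, which execs `ps2pdfwr`, which finally runs `gs`; with private-bin copying only the listed names, the wrapper alone would fail at the first hop. Please confirm on the target distribution and, if it is that script chain, extend the list to `private-bin gs,kbuildsycoca4,kdeinit4,lpr,okular,ps2pdf,ps2pdf14,ps2pdfwr,sh,unar,unrar` (sh may already be provided by another line of the profile, which is outside this hunk).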
@@ -28,6 +28,8 @@ private-etc @tls-ca dbus-user filter # allow D-Bus notifications dbus-user.talk org.freedesktop.Notifications +# Allow D-Bus communication with Freedesktop.org secrets API to decrypt local key +dbus-user.talk org.freedesktop.secrets # Allow D-Bus communication with Firefox for opening links dbus-user.talk org.mozilla.* diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index ece191b73..d2e872c5c 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile @@ -8,6 +8,7 @@ include globals.local noblacklist ${HOME}/.config/smplayer noblacklist ${HOME}/.config/youtube-dl +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.mplayer # Allow lua (blacklisted by disable-interpreters.inc) diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 62efa28db..96839d082 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile @@ -19,10 +19,12 @@ include disable-exec.inc include disable-programs.inc whitelist ${RUNUSER}/gcr/ssh -whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh +whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup +whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup +whitelist ${RUNUSER}/gvfsd-sftp whitelist ${RUNUSER}/keyring/ssh -include whitelist-usr-share-common.inc include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index d44da9f71..6f71cf684 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/MangoHud noblacklist ${HOME}/.config/ModTheSpire noblacklist ${HOME}/.config/RogueLegacy noblacklist ${HOME}/.config/RogueLegacyStorageContainer +noblacklist ${HOME}/.config/UNDERTALE noblacklist ${HOME}/.factorio noblacklist ${HOME}/.killingfloor noblacklist ${HOME}/.klei 
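Review bot: `whitelist ${RUNUSER}/gvfsd-sftp` in the ssh.profile hunk has no comment, while the two gpg-agent lines right above it each explain which setup they serve; a reader cannot tell which GVFS/ssh integration needs this path or whether it is safe to drop. Suggest `whitelist ${RUNUSER}/gvfsd-sftp # <what uses it> (see #<issue>)` in the same trailing-comment style as its neighbours, with the placeholders filled in. The include reordering in the same hunk is cosmetic.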
@@ -66,6 +67,7 @@ mkdir ${HOME}/.config/Loop_Hero
 mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
+mkdir ${HOME}/.config/UNDERTALE
 mkdir ${HOME}/.config/unity3d
 mkdir ${HOME}/.factorio
 mkdir ${HOME}/.killingfloor
@@ -105,6 +107,7 @@ whitelist ${HOME}/.config/MangoHud
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
+whitelist ${HOME}/.config/UNDERTALE
 whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.factorio
 whitelist ${HOME}/.killingfloor
@@ -158,7 +161,7 @@ nogroups
 nonewprivs
 noroot
 notv
-nou2f
+#nou2f # may break gamepads in certain games (see #6523)
 # To allow VR and camera-based motion tracking, add 'ignore novideo' to your
 # steam.local.
 novideo
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index f71905150..b7f90f6ad 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -10,6 +10,10 @@ include globals.local
 noblacklist ${HOME}/.config/sway
 # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
 noblacklist ${HOME}/.config/i3
+# allow creation of IPC socket
+noblacklist ${RUNUSER}/sway-ipc.*
+noblacklist /tmp/sway-ipc.*
+
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index fda32d038..50c724d73 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -61,6 +61,8 @@ whitelist /usr/share/thunderbird
 #machine-id
 novideo
 
+private-etc thunderbird
+
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
 
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 73d3b0b6f..4d5f4a1f0 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
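Review bot: Commenting out `nou2f` in the steam.profile hunk at -158 means every Steam sandbox now sees FIDO/U2F tokens, and the new comment explains the gamepad regression but not how a user who does not need those gamepads can restore the restriction. Extending it to `#nou2f # may break gamepads in certain games (see #6523); add 'nou2f' to your steam.local to keep U2F devices hidden` follows the pattern the profile already uses two lines below for `ignore novideo`.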
@@ -14,6 +14,7 @@ include allow-lua.inc
 include allow-python3.inc
 
 noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.dvdcss
 noblacklist ${HOME}/.local/share/totem
 
 include disable-common.inc
@@ -27,6 +28,7 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/totem
 mkdir ${HOME}/.local/share/totem
 whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.dvdcss
 whitelist ${HOME}/.local/share/totem
 whitelist /usr/share/totem
 include whitelist-common.inc
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 34e580085..3fc36a625 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/aacs
+noblacklist ${HOME}/.dvdcss
 noblacklist ${HOME}/.local/share/vlc
 
 include disable-common.inc
@@ -24,6 +25,7 @@ mkdir ${HOME}/.local/share/vlc
 whitelist ${HOME}/.cache/vlc
 whitelist ${HOME}/.config/vlc
 whitelist ${HOME}/.config/aacs
+whitelist ${HOME}/.dvdcss
 whitelist ${HOME}/.local/share/vlc
 include whitelist-common.inc
 include whitelist-player-common.inc
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index bf6f45e41..cf2fced64 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -21,9 +21,7 @@ whitelist /usr/share/waterfox
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
 # Add the next line to your waterfox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
-# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
-# enabled in your firefox-common.local.
-#private-etc waterfox
+private-etc waterfox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index b6f29cfbf..90de16bdb 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/wesnoth
 noblacklist ${HOME}/.config/wesnoth
 noblacklist ${HOME}/.local/share/wesnoth
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 306212f85..430934df2 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -19,6 +19,7 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/zoom.conf
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
+noblacklist ${DOCUMENTS}
 
 nowhitelist ${DOWNLOADS}
 
@@ -26,10 +27,12 @@ mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoom.conf
 mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
+mkdir ${HOME}/Documents/Zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoom.conf
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
+whitelist ${HOME}/Documents/Zoom
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8d0a30521..e0c6256b5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -97,10 +97,11 @@ basilisk
 bcompare
 beaker
 bibletime
-bijiben
+#bijiben # webkit2gtk-4.x requires bwrap (see #3647)
 bitcoin-qt
 bitlbee
 bitwarden
+bitwarden-desktop
 bleachbit
 blender
 blender-2.8
@@ -218,7 +219,7 @@ display
 display-im6.q16
 dnox
 dnscrypt-proxy
-dnsmasq
+#dnsmasq # server; problems with libvirt on Arch (see #6121)
 dolphin-emu
 dooble
 dooble-qt4
@@ -227,6 +228,7 @@ dragon
 drawio
 drill
 dropbox
+dtui
 easystroke
 ebook-convert
 ebook-edit
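Review bot: The two lines added in the zoom.profile hunk at -26 hard-code `${HOME}/Documents/Zoom`, while the hunk at -19 uses the `${DOCUMENTS}` macro for the same directory; on a system whose XDG documents directory is not `~/Documents` (localized user-dirs, or a relocated folder) the noblacklist and the whitelist then point at different trees and Zoom's recordings folder stays hidden while an unrelated `~/Documents/Zoom` gets created. Using the macro in all three places, `mkdir ${DOCUMENTS}/Zoom` and `whitelist ${DOCUMENTS}/Zoom`, keeps them consistent, assuming mkdir expands the macro the way whitelist does. A comment on why the whole of `${DOCUMENTS}` needs the noblacklist when only its Zoom subdirectory is whitelisted would also help the next reader.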
@@ -318,9 +320,9 @@ gcalccmd
 gcloud
 gconf-editor
 gdu
-geany
+#geany # text editor (see #6002)
 #geary # webkit2gtk-4.x requires bwrap (see #3647)
-gedit
+#gedit # text editor (see #6002)
 geekbench
 geeqie
 geki2
@@ -461,7 +463,7 @@ kaffeine
 kalgebra
 kalgebramobile
 karbon
-kate
+#kate # text editor (see #6002)
 kazam
 kcalc
 #kdeinit4
@@ -497,11 +499,11 @@ ktorrent
 ktouch
 kube
 #kwin_x11
-kwrite
+#kwrite # text editor (see #6002)
 lbreakouthd
 lbry-viewer
 lbry-viewer-gtk
-leafpad
+#leafpad # text editor (see #6002)
 #less # breaks man
 lettura
 librecad
@@ -586,7 +588,7 @@ minitube
 mirage
 mirrormagic
 mocp
-mousepad
+#mousepad # text editor (see #6002)
 mov-cli
 mp3splt
 mp3splt-gtk
@@ -720,7 +722,7 @@ pix
 planmaker18
 planmaker18free
 playonlinux
-pluma
+#pluma # text editor (see #6002)
 plv
 pngquant
 polari
@@ -824,7 +826,7 @@ soffice
 sol
 sound-juicer
 soundconverter
-spectacle
+#spectacle # may be broken on wayland (see #5127)
 spectral
 spotify
 sqlitebrowser
@@ -990,7 +992,7 @@ x2goclient
 xbill
 xcalc
 xchat
-xed
+#xed # text editor (see #6002)
 xfburn
 xfce4-dict
 xfce4-mixer
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 430730374..1a6f23919 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -396,6 +396,8 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " sid ");
 break;
 
+// Note: PROC_EVENT_COREDUMP only exists since Linux 3.10 (see #6414).
+#ifdef PROC_EVENT_COREDUMP
 case PROC_EVENT_COREDUMP:
 pid = proc_ev->event_data.coredump.process_tgid;
 #ifdef DEBUG_PRCTL
@@ -403,6 +405,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 #endif
 sprintf(lineptr, " coredump ");
 break;
+#endif /* PROC_EVENT_COREDUMP */
 
 case PROC_EVENT_COMM:
 pid = proc_ev->event_data.comm.process_tgid;
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index 2faf5a49c..f0427ab0c 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
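Review bot: `#ifdef PROC_EVENT_COREDUMP` tests for a preprocessor macro, but as far as I can tell `PROC_EVENT_COREDUMP` is an enumerator in the kernel's `linux/cn_proc.h` (the `enum` that also holds PROC_EVENT_FORK, PROC_EVENT_EXIT and friends), not a `#define`, so the condition is false on every kernel and the coredump case is now silently compiled out even where the event exists; the matching `#endif` in the procevent.c hunk at -403 closes the same dead region. The Linux 3.10 requirement is better expressed with a configure-time check, e.g. `AC_CHECK_DECL([PROC_EVENT_COREDUMP], ..., [[#include <linux/cn_proc.h>]])` feeding a constructed `HAVE_PROC_EVENT_COREDUMP`-style macro, or with a guarded fallback definition of the value. If the targeted distributions' headers do provide a macro of that name and I am misremembering, a comment saying so next to the `#ifdef` would stop the next reader from raising this again. procevent_monitor begins and ends outside both hunks.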
@@ -245,6 +245,7 @@
 205.196.6.0/24 Steam
 207.45.72.0/22 Netflix
 207.241.224.0/20 Internet Archive
+207.5.192.0/19 Rumble
 208.82.236.0/22 Creiglist
 208.64.200.0/22 Steam
 208.75.76.0/22 Netflix
@@ -577,6 +578,8 @@
 108.44.64.0/18 MCI
 108.45.0.0/16 MCI
 108.46.0.0/16 MCI
+152.176.0.0/12 MCI
+152.192.0.0/13 MCI
 192.229.128.0/17 MCI
 
 # Microsoft
@@ -5176,22 +5179,7 @@
 164.92.208.0/20 Digital Ocean
 164.92.224.0/20 Digital Ocean
 164.92.240.0/20 Digital Ocean
-165.22.0.0/20 Digital Ocean
-165.22.16.0/20 Digital Ocean
-165.22.32.0/20 Digital Ocean
-165.22.48.0/20 Digital Ocean
-165.22.64.0/20 Digital Ocean
-165.22.80.0/20 Digital Ocean
-165.22.96.0/20 Digital Ocean
-165.22.112.0/20 Digital Ocean
-165.22.128.0/20 Digital Ocean
-165.22.144.0/20 Digital Ocean
-165.22.160.0/20 Digital Ocean
-165.22.176.0/20 Digital Ocean
-165.22.192.0/20 Digital Ocean
-165.22.208.0/20 Digital Ocean
-165.22.224.0/20 Digital Ocean
-165.22.240.0/20 Digital Ocean
+165.22.0.0/16 Digital Ocean
 165.227.0.0/20 Digital Ocean
 165.227.16.0/20 Digital Ocean
 165.227.32.0/20 Digital Ocean
@@ -6029,6 +6017,28 @@
 96.30.0.0/18 Liquid Web
 
 # OVH
+15.204.0.0/17 OVH
+15.204.128.0/17 OVH
+15.235.0.0/17 OVH
+15.235.128.0/17 OVH
+23.92.224.0/19 OVH
+37.187.0.0/16 OVH
+37.59.0.0/16 OVH
+40.160.0.0/17 OVH
+46.105.0.0/16 OVH
+46.105.198.0/24 OVH
+46.105.199.0/24 OVH
+46.105.200.0/24 OVH
+46.105.201.0/24 OVH
+46.105.202.0/24 OVH
+46.105.203.0/24 OVH
+46.105.204.0/24 OVH
+46.105.206.0/24 OVH
+46.105.207.0/24 OVH
+46.244.32.0/20 OVH
+51.161.0.0/17 OVH
+51.161.128.0/17 OVH
+51.210.0.0/24 OVH
 107.189.64.0/18 OVH
 135.125.0.0/17 OVH
 135.125.128.0/17 OVH
@@ -6053,11 +6063,7 @@
 149.202.0.0/16 OVH
 149.56.0.0/16 OVH
 151.80.0.0/16 OVH
-15.204.0.0/17 OVH
-15.204.128.0/17 OVH
 152.228.128.0/17 OVH
-15.235.0.0/17 OVH
-15.235.128.0/17 OVH
 158.69.0.0/16 OVH
 162.19.0.0/17 OVH
 162.19.128.0/17 OVH
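Review bot: The nine `46.105.198.0/24` … `46.105.207.0/24` entries placed in the OVH block by the hunk at -6029 are entirely contained in `46.105.0.0/16` one line above them, so they contribute nothing to a lookup; the same commit collapses the sixteen Digital Ocean `/20`s into `165.22.0.0/16`, and dropping these `/24`s would apply that clean-up consistently. The ordering inside the block is now also mixed: the moved entries sit in numeric first-octet order at the top, yet `37.187` precedes `37.59`, while the untouched remainder keeps the string order visible in the context (`149.202` before `149.56`, `213.251` before `213.32`). If a script regenerates this file, one run would settle both points.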
@@ -6084,23 +6090,6 @@
 213.251.128.0/18 OVH
 213.32.0.0/17 OVH
 217.182.0.0/16 OVH
-23.92.224.0/19 OVH
-37.187.0.0/16 OVH
-37.59.0.0/16 OVH
-40.160.0.0/17 OVH
-46.105.0.0/16 OVH
-46.105.198.0/24 OVH
-46.105.199.0/24 OVH
-46.105.200.0/24 OVH
-46.105.201.0/24 OVH
-46.105.202.0/24 OVH
-46.105.203.0/24 OVH
-46.105.204.0/24 OVH
-46.105.206.0/24 OVH
-46.105.207.0/24 OVH
-46.244.32.0/20 OVH
-51.161.0.0/17 OVH
-51.161.128.0/17 OVH
 
 # Ionos
 74.208.0.0/16 Ionos
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index cd2bf79bf..16a2485bf 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,13 +3,9 @@
 # Copyright (C) 2014-2024 Firejail Authors
 # License GPL v2
 
-TCFILE=""
-if [ -x "/usr/sbin/tc" ]; then
-TCFILE="/usr/sbin/tc"
-elif [ -x "/sbin/tc" ]; then
-TCFILE="/sbin/tc";
-else
-echo "Error: traffic control utility (tc) not found";
+TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)"
+if [ -z "$TCFILE" ]; then
+echo "Error: traffic control utility (tc) not found"
 exit 1
 fi
 
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index a50ed765e..e47014702 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -139,29 +139,6 @@ $ sudo firecfg --clean
 /usr/local/bin/vlc removed
 .br
 [...]
-.SH FILES
-.PP
-Configuration files are searched for and parsed in the following paths:
-.PP
-.RS
-1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
-.br
-2. /etc/firejail/firecfg.config
-.RE
-.PP
-The programs that are supported by default are listed in
-/etc/firejail/firecfg.config.
-It is recommended to leave it as is and put all customizations inside
-/etc/firejail/firecfg.d/.
-.PP
-Profile files are also searched in the user configuration directory:
-.PP
-.RS
-3. ~/.config/firejail/*.profile
-.RE
-.PP
-For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
-symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
 .SH SYNTAX
 Configuration file syntax:
 .PP
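Review bot: The new `TCFILE=` line in the fshaper.sh hunk has the right shape — resolving `tc` against a fixed search path rather than the caller's PATH means the environment cannot steer this script to a different `tc` — but nothing on the hunk says that this is deliberate, and `/run/current-system/sw/bin` reads as an oddity without context. A comment above the assignment such as `# fixed search path on purpose (never the caller's PATH); the last entry covers NixOS` would keep a later clean-up from reducing it to a bare `command -v tc`. I am inferring from its role in bandwidth shaping that the script runs with elevated privileges; its caller is not visible in this diff.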
@@ -200,6 +177,29 @@ following lines can to be used to ignore both: .br !spectacle .RE +.SH FILES +.PP +Configuration files are searched for and parsed in the following paths: +.PP +.RS +1. /etc/firejail/firecfg.d/*.conf (in alphabetical order) +.br +2. /etc/firejail/firecfg.config +.RE +.PP +The programs that are supported by default are listed in +/etc/firejail/firecfg.config. +It is recommended to leave it as is and put all customizations inside +/etc/firejail/firecfg.d/. +.PP +Profile files are also searched in the user configuration directory: +.PP +.RS +3. ~/.config/firejail/*.profile +.RE +.PP +For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a +symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file. .SH LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 89784a984..a6856212e 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in @@ -243,7 +243,7 @@ host filesystem. Each line describes a file/directory that is inaccessible a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), or mount-bind a directory or file on top of another directory or file (\fBbind\fR). Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and -HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section +HOME directories are searched, see the \fBfirejail\fR(1) \fBFILE GLOBBING\fR section for more details. Examples: .TP 
@@ -511,30 +511,30 @@ Blacklist all Linux capabilities. Whitelist given Linux capabilities. #ifdef HAVE_LANDLOCK .TP -\fBlandlock.enforce (experimental) +\fBlandlock.enforce\fR (experimental) Enforce the Landlock ruleset. .PP Without it, the other Landlock commands have no effect. .TP -\fBlandlock.fs.read path (experimental) +\fBlandlock.fs.read path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. .TP -\fBlandlock.fs.write path (experimental) +\fBlandlock.fs.write path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. .TP -\fBlandlock.fs.makeipc path (experimental) +\fBlandlock.fs.makeipc path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of named pipes (FIFOs) and Unix domain sockets beneath the given path. .TP -\fBlandlock.fs.makedev path (experimental) +\fBlandlock.fs.makedev path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of block devices and character devices beneath the given path. .TP -\fBlandlock.fs.execute path (experimental) +\fBlandlock.fs.execute path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. #endif 
@@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu \fBdbus-system none Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. .TP -\fBdbus-system.own org.gnome.ghex.* -Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. -.TP -\fBdbus-system.talk org.freedesktop.Notifications -Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. -.TP -\fBdbus-system.see org.freedesktop.Notifications -Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. +\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. .TP \fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. .TP -\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications -Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. +\fBdbus-system.own org.gnome.ghex.* +Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. 
+.TP +\fBdbus-system.see org.freedesktop.Notifications +Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. +.TP +\fBdbus-system.talk org.freedesktop.Notifications +Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. .TP \fBdbus-user filter Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. 
@@ -689,22 +689,22 @@ Enable filtered access to the session DBus. Filters can be specified with the db \fBdbus-user none Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. .TP -\fBdbus-user.own org.gnome.ghex.* -Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. -.TP -\fBdbus-user.talk org.freedesktop.Notifications -Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. -.TP -\fBdbus-user.see org.freedesktop.Notifications -Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. +\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. .TP \fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. .TP -\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications -Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. +\fBdbus-user.own org.gnome.ghex.* +Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. 
.TP -\fBnodbus \fR(deprecated) +\fBdbus-user.see org.freedesktop.Notifications +Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. +.TP +\fBdbus-user.talk org.freedesktop.Notifications +Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. +.TP +\fBnodbus\fR (deprecated) Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. .TP .br @@ -804,7 +804,7 @@ name browser \fBno3d Disable 3D hardware acceleration. .TP -\fBnoautopulse \fR(deprecated) +\fBnoautopulse\fR (deprecated) See keep-config-pulse. .TP \fBnodvd @@ -866,20 +866,6 @@ net eth0 .br ip 10.10.20.56 -.TP -\fBip none -No IP address and no default gateway are configured for the last interface -defined by a net command. Use this option -in case you intend to start an external DHCP client in the sandbox. -.br - -.br -Example: -.br -net eth0 -.br -ip none - .TP \fBip dhcp Acquire an IP address and default gateway for the last interface defined by a @@ -907,6 +893,20 @@ If your DHCP server requires leases to be explicitly released, consider running a DHCP client and releasing the lease manually in conjunction with the net none command. +.TP +\fBip none +No IP address and no default gateway are configured for the last interface +defined by a net command. Use this option +in case you intend to start an external DHCP client in the sandbox. +.br + +.br +Example: +.br +net eth0 +.br +ip none + .TP \fBip6 address Assign IPv6 addresses to the last network interface defined by a net command. diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index f14eb6ec0..47cb7ccde 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in 
@@ -207,7 +207,7 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin .br $ firejail \-\-blacklist=~/.mozilla .br -$ firejail "\-\-blacklist=/home/username/My Virtual Machines" +$ firejail \-\-blacklist="/home/username/My Virtual Machines" .br $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines .TP @@ -610,21 +610,6 @@ Example: .br $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* -.TP -\fB\-\-dbus-user.talk=name -Allows the application to talk to the specified well-known name on the session DBus. -The name may have a .* suffix to match all names underneath it, including itself -(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but -not "foobar"). -.br - -.br -Example: -.br -$ firejail --dbus-user=filter --dbus-user.talk=\\ -.br -org.freedesktop.Notifications - .TP \fB\-\-dbus-user.see=name Allows the application to see, but not talk to the specified well-known name on @@ -640,6 +625,21 @@ Example: $ firejail --dbus-user=filter --dbus-user.see=\\ .br org.freedesktop.Notifications + +.TP +\fB\-\-dbus-user.talk=name +Allows the application to talk to the specified well-known name on the session DBus. +The name may have a .* suffix to match all names underneath it, including itself +(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but +not "foobar"). +.br + +.br +Example: +.br +$ firejail --dbus-user=filter --dbus-user.talk=\\ +.br +org.freedesktop.Notifications #endif .TP \fB\-\-debug\fR 
@@ -888,6 +888,32 @@ Example: .br $ firejail \-\-hosts-file=~/myhosts firefox +.TP +\fB\-\-icmptrace[=name|pid] +Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes +created with \-\-net are supported. This option is only available when running the sandbox as root. +.br + +.br +Without a name/pid, Firejail will monitor the main system network namespace. +.br + +.br +Example +.br +$ sudo firejail --icmptrace +.br +20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 +.br +20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 +.br +20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 +.br +20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 +.br +20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable +.br + #ifdef HAVE_IDS .TP \fB\-\-ids-check @@ -925,33 +951,7 @@ $ firejail \-\-ignore="net eth0" firefox #endif .TP -\fB\-\-icmptrace[=name|pid] -Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes -created with \-\-net are supported. This option is only available when running the sandbox as root. -.br - -.br -Without a name/pid, Firejail will monitor the main system network namespace. -.br - -.br -Example -.br -$ sudo firejail --icmptrace -.br -20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 -.br -20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 -.br -20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 -.br -20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 -.br -20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable -.br - -.TP -\fB\-\-\include=file.profile +\fB\-\-include=file.profile Include a profile file before the regular profiles are used. .br 
@@ -983,23 +983,6 @@ Example: .br $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox -.TP -\fB\-\-ip=none -No IP address and no default gateway are configured for the last interface -defined by a \-\-net option. Use this option -in case you intend to start an external DHCP client in the sandbox. -.br - -.br -Example: -.br -$ firejail \-\-net=eth0 \-\-\ip=none -.br - -.br -If the corresponding interface doesn't have an IP address configured, this -option is enabled by default. - .TP \fB\-\-ip=dhcp Acquire an IP address and default gateway for the last interface defined by a @@ -1025,6 +1008,23 @@ If your DHCP server requires leases to be explicitly released, consider running a DHCP client and releasing the lease manually in conjunction with the \-\-net=none option. +.TP +\fB\-\-ip=none +No IP address and no default gateway are configured for the last interface +defined by a \-\-net option. Use this option +in case you intend to start an external DHCP client in the sandbox. +.br + +.br +Example: +.br +$ firejail \-\-net=eth0 \-\-ip=none +.br + +.br +If the corresponding interface doesn't have an IP address configured, this +option is enabled by default. + .TP \fB\-\-ip6=address Assign IPv6 addresses to the last network interface defined by a \-\-net option. @@ -1070,7 +1070,7 @@ default gateway is assigned by default. .br Example: .br -$ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 +$ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150 .TP \fB\-\-ipc-namespace 
@@ -1241,30 +1241,30 @@ $ firejail --keep-var-tmp #ifdef HAVE_LANDLOCK .TP -\fB\-\-landlock.enforce (experimental) +\fB\-\-landlock.enforce\fR (experimental) Enforce the Landlock ruleset. Without it, the other Landlock commands have no effect. See the \fBLANDLOCK\fR section for more information. .TP -\fB\-\-landlock.fs.read=path (experimental) +\fB\-\-landlock.fs.read=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. .TP -\fB\-\-landlock.fs.write=path (experimental) +\fB\-\-landlock.fs.write=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. .TP -\fB\-\-landlock.fs.makeipc=path (experimental) +\fB\-\-landlock.fs.makeipc=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of named pipes (FIFOs) and Unix domain sockets beneath the given path. .TP -\fB\-\-landlock.fs.makedev=path (experimental) +\fB\-\-landlock.fs.makedev=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of block devices and character devices beneath the given path. .TP -\fB\-\-landlock.fs.execute=path (experimental) +\fB\-\-landlock.fs.execute=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. .br 
@@ -1323,6 +1323,21 @@ Example: .br $ firejail \-\-machine-id +.TP +\fB\-\-memory-deny-write-execute +Install a seccomp filter to block attempts to create memory mappings +that are both writable and executable, to change mappings to be +executable, or to create executable shared memory. The filter examines +the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create +and shmat system calls and returns error EPERM to the process (or +kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. +.br + +.br +Note: shmat is not implemented +as a system call on some platforms including i386, and it cannot be +handled by seccomp-bpf. + .TP \fB\-\-mkdir=dirname Create a directory in user home. Parent directories are created as needed. @@ -1343,20 +1358,6 @@ Example: .br $ firejail --mkfile=~/work/project/readme -.TP -\fB\-\-memory-deny-write-execute -Install a seccomp filter to block attempts to create memory mappings -that are both writable and executable, to change mappings to be -executable, or to create executable shared memory. The filter examines -the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create -and shmat system calls and returns error EPERM to the process (or -kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. -.br - -.br -Note: shmat is not implemented -as a system call on some platforms including i386, and it cannot be -handled by seccomp-bpf. #ifdef HAVE_NETWORK .TP \fB\-\-mtu=number @@ -1726,7 +1727,7 @@ Example: $ firejail --no3d firefox .TP -\fB\-\-noautopulse \fR(deprecated) +\fB\-\-noautopulse\fR (deprecated) See --keep-config-pulse. .TP @@ -1772,7 +1773,7 @@ $ nc dict.org 2628 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 .br .TP -\fB\-\-nodbus \fR(deprecated) +\fB\-\-nodbus\fR (deprecated) #ifdef HAVE_DBUSPROXY Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. .br 
@@ -1792,15 +1793,6 @@ Example: .br $ firejail \-\-nodvd .TP -\fB\-\-noinput -Disable input devices. -.br - -.br -Example: -.br -$ firejail \-\-noinput -.TP \fB\-\-noexec=dirname_or_filename Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. .br @@ -1844,6 +1836,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) .br $ +.TP +\fB\-\-noinput +Disable input devices. +.br + +.br +Example: +.br +$ firejail \-\-noinput + .TP \fB\-\-nonewprivs Sets the NO_NEW_PRIVS prctl. This ensures that child processes @@ -3143,7 +3145,9 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla .br $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null .br -$ firejail "\-\-whitelist=/home/username/My Virtual Machines" +$ firejail \-\-whitelist="/home/username/My Virtual Machines" +.br +$ firejail \-\-whitelist=/home/username/My\\ Virtual\\ Machines .br $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* @@ -3351,16 +3355,6 @@ $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox .br #endif .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c. -.SH NAME VALIDATION -For simplicity, the same name validation is used for multiple options. -Rules: -.PP -The name must be 1-253 characters long. -The name can only contain ASCII letters, digits and the special characters -"-._" (that is, the name cannot contain spaces or control characters). -The name cannot contain only digits. -The first and last characters must be an ASCII letter or digit and the name -may contain special characters in the middle. #ifdef HAVE_APPARMOR .SH APPARMOR .TP 
@@ -3406,64 +3400,6 @@ To enable AppArmor confinement on top of your current Firejail security features $ firejail --apparmor firefox #endif -#ifdef HAVE_LANDLOCK -.SH LANDLOCK -Warning: Landlock support in firejail is considered experimental and unstable. -The contents of landlock-common.inc are likely to change and the feature is -still being expanded upon in the Linux kernel. -Also, note that its functionality overlaps with existing firejail features, -such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. -Its filesystem access rules can currently only restrict direct access to paths; -it is not able to make only select paths appear in the sandbox such as with the -\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). -Lastly, note that depending on the Linux kernel version, Landlock may not -protect all of the relevant syscalls (see the kernel's Landlock documentation -for details). -Therefore, it is recommended to treat Landlock as an extra layer of protection, -to be used together with other firejail features (rather than as a bulletproof -mechanism by itself). -.PP -Landlock is a Linux security module first introduced in version 5.13 of the -Linux kernel. -It allows unprivileged processes to restrict their access to the filesystem. -Once imposed, these restrictions can never be removed, and all child processes -created by a Landlock-restricted processes inherit these restrictions. -Firejail supports Landlock as an additional sandboxing feature. -It can be used to ensure that a sandboxed application can only access files and -directories that it was explicitly allowed to access. -Firejail supports populating the ruleset with both a basic set of rules (see -landlock-common.inc) and with a custom set of rules. -.TP -Important notes: -.PP -.RS -- Currently only Landlock ABI version 1 is supported. 
-.PP -- If "lsm=" is used in the kernel command line, it should contain "landlock" -(such as "lsm=apparmor,landlock"), or else it will be disabled. -.PP -- A process can install a Landlock ruleset only if it has either -\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New -Privileges" restriction enabled. -Because of this, enabling the Landlock feature will also cause Firejail to -enable the "No New Privileges" restriction, regardless of the profile or the -\fB\-\-nonewprivs\fR command line option. -.PP -- Access to the /etc directory is automatically allowed. -To override this, use the \fB\-\-writable\-etc\fR command line option. -You can also use the \fB\-\-private\-etc\fR option to restrict access to the -/etc directory. -.RE -.PP -To enable Landlock self-restriction on top of your current Firejail security -features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. -Without it, the other Landlock commands have no effect. -Example: -.PP -$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc -.PP -To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. -#endif .SH DESKTOP INTEGRATION A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place 
@@ -3517,37 +3453,37 @@ $ firejail --tree 1221:netblue:/usr/lib/firefox/firefox .RE -We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details. +We provide a tool that automates all this integration, please see \fBfirecfg\fR(1) for more details. .SH EXAMPLES .TP -\f\firejail +\fBfirejail Sandbox a regular shell session. .TP -\f\firejail firefox +\fBfirejail firefox Start Mozilla Firefox. .TP -\f\firejail \-\-debug firefox +\fBfirejail \-\-debug firefox Debug Firefox sandbox. .TP -\f\firejail \-\-private firefox +\fBfirejail \-\-private firefox Start Firefox with a new, empty home directory. .TP -\f\firejail --net=none vlc +\fBfirejail --net=none vlc Start VLC in an unconnected network namespace. #ifdef HAVE_NETWORK .TP -\f\firejail \-\-net=eth0 firefox +\fBfirejail \-\-net=eth0 firefox Start Firefox in a new network namespace. An IP address is assigned automatically. .TP -\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 +\fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 Start a shell session in a new network namespace and connect it to br0, br1, and br2 host bridge devices. IP addresses are assigned automatically for the interfaces connected to br1 and b2 #endif .TP -\f\firejail \-\-list +\fBfirejail \-\-list List all sandboxed processes. .SH FILE GLOBBING 
@@ -3711,6 +3647,65 @@ Currently while scanning the file system, symbolic links are not followed, and f The program can also be run as root (sudo firejail --ids-init/--ids-check). #endif +#ifdef HAVE_LANDLOCK +.SH LANDLOCK +Warning: Landlock support in firejail is considered experimental and unstable. +The contents of landlock-common.inc are likely to change and the feature is +still being expanded upon in the Linux kernel. +Also, note that its functionality overlaps with existing firejail features, +such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. +Its filesystem access rules can currently only restrict direct access to paths; +it is not able to make only select paths appear in the sandbox such as with the +\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). +Lastly, note that depending on the Linux kernel version, Landlock may not +protect all of the relevant syscalls (see the kernel's Landlock documentation +for details). +Therefore, it is recommended to treat Landlock as an extra layer of protection, +to be used together with other firejail features (rather than as a bulletproof +mechanism by itself). +.PP +Landlock is a Linux security module first introduced in version 5.13 of the +Linux kernel. +It allows unprivileged processes to restrict their access to the filesystem. +Once imposed, these restrictions can never be removed, and all child processes +created by a Landlock-restricted processes inherit these restrictions. +Firejail supports Landlock as an additional sandboxing feature. +It can be used to ensure that a sandboxed application can only access files and +directories that it was explicitly allowed to access. +Firejail supports populating the ruleset with both a basic set of rules (see +landlock-common.inc) and with a custom set of rules. +.TP +Important notes: +.PP +.RS +- Currently only Landlock ABI version 1 is supported. 
+.PP +- If "lsm=" is used in the kernel command line, it should contain "landlock" +(such as "lsm=apparmor,landlock"), or else it will be disabled. +.PP +- A process can install a Landlock ruleset only if it has either +\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New +Privileges" restriction enabled. +Because of this, enabling the Landlock feature will also cause Firejail to +enable the "No New Privileges" restriction, regardless of the profile or the +\fB\-\-nonewprivs\fR command line option. +.PP +- Access to the /etc directory is automatically allowed. +To override this, use the \fB\-\-writable\-etc\fR command line option. +You can also use the \fB\-\-private\-etc\fR option to restrict access to the +/etc directory. +.RE +.PP +To enable Landlock self-restriction on top of your current Firejail security +features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. +Without it, the other Landlock commands have no effect. +Example: +.PP +$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc +.PP +To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. +#endif + .SH MONITORING Option \-\-list prints a list of all sandboxes. The format for each process entry is as follows: @@ -3768,6 +3763,17 @@ Sandbox running time in hours:minutes:seconds format. USER The owner of the sandbox. +.SH NAME VALIDATION +For simplicity, the same name validation is used for multiple options. +Rules: +.PP +The name must be 1-253 characters long. +The name can only contain ASCII letters, digits and the special characters +"-._" (that is, the name cannot contain spaces or control characters). +The name cannot contain only digits. +The first and last characters must be an ASCII letter or digit and the name +may contain special characters in the middle. + .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in /etc/passwd file for each user that needs to be restricted. Alternatively, 
diff --git a/src/man/mkman.sh b/src/man/mkman.sh index 00c4ffe72..d854b6537 100755 --- a/src/man/mkman.sh +++ b/src/man/mkman.sh @@ -5,8 +5,15 @@ set -e -MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)" -YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)" +test -z "$SOURCE_DATE_EPOCH" && SOURCE_DATE_EPOCH="$(date +%s)" + +format='+%b %Y' +date="$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "$format" 2>/dev/null || + LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "$format" 2>/dev/null || + LC_ALL=C date -u "$format")" + +MONTH="$(printf '%s\n' "$date" | cut -f 1 -d ' ')" +YEAR="$(printf '%s\n' "$date" | cut -f 2 -d ' ')" sed \ -e "s/VERSION/$1/g" \ diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index d42620a12..1c7efc948 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp @@ -30,20 +30,21 @@ expect { } after 100 -send -- "find ~\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "_firejail_test_file3" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "_firejail_test_file2" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "_firejail_test_file1" -} -after 100 +# FIXME: Prints "TESTING ERROR 3" in CI since 2024-09-19. +#send -- "find ~\r" +#expect { +# timeout {puts "TESTING ERROR 2\n";exit} +# "_firejail_test_file3" +#} +#expect { +# timeout {puts "TESTING ERROR 3\n";exit} +# "_firejail_test_file2" +#} +#expect { +# timeout {puts "TESTING ERROR 4\n";exit} +# "_firejail_test_file1" +#} +#after 100 send -- "exit\r" sleep 1
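Review bot: The last alternative in the new `date=` chain, `LC_ALL=C date -u "$format"`, silently substitutes the current time whenever both the `-d "@…"` and `-r` forms fail, and because their stderr is sent to /dev/null a malformed or unsupported SOURCE_DATE_EPOCH now yields a non-reproducible man page with no diagnostic, whereas the replaced single GNU `date` call would have aborted the build under `set -e`. The fallback is reasonable for platforms with neither option, but it should announce itself on stderr, or the script should reject a non-numeric value up front with `case $SOURCE_DATE_EPOCH in ''|*[!0-9]*) echo "mkman.sh: invalid SOURCE_DATE_EPOCH" >&2; exit 1;; esac`, so reproducible-build breakage shows up in the build log instead of only in a differing checksum. Naming the variable `date` on the same line as the `date` command is also easy to misread; `stamp` or `build_date` would be clearer. One way to keep the fallback while warning:
```shell
format='+%b %Y'
date="$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
	LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "$format" 2>/dev/null)" || {
	printf '%s\n' "mkman.sh: warning: cannot convert SOURCE_DATE_EPOCH='$SOURCE_DATE_EPOCH'; using current time" >&2
	date="$(LC_ALL=C date -u "$format")"
}
# … unchanged: MONTH/YEAR extraction and the sed call …
```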
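Review bot: The three commented-out `expect` blocks were the only visible check that `_firejail_test_file1..3` actually land in the private home, so after this hunk private-home.exp still passes if --private-home copies nothing, and the FIXME records a date but neither a CI reference nor a cause. The failure it records, "TESTING ERROR 3" (file3 matched, then file2 timed out), is exactly what happens when `find ~` prints file2 before file3, since each `expect` consumes the output up to its match and `find` gives no ordering guarantee; this looks like an ordering assumption in the test rather than a product regression (inferred from the hunk, not checked against the CI log). Instead of disabling the assertions, make the order deterministic with `send -- "find ~ | sort\r"` and expect `_firejail_test_file1`, `_firejail_test_file2`, `_firejail_test_file3` in that order, or match all three names in a single `expect` with one pattern per file; if the check must stay disabled, the FIXME should cite the failing CI run or tracking issue so it gets re-enabled deliberately.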