From 43be683782300f26e036cc170073f0fd70153f21 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 15 Jul 2024 03:20:41 -0300 Subject: [PATCH 01/80] RELNOTES: remove and sort duplicate items Remove the newer #6390 item as it is already on the list, remove the older #6307 item (modif) and sort the new #6307 item (bugfix). This amends commit 9ebecd00d ("readme/relnotes update", 2024-07-13). --- RELNOTES | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/RELNOTES b/RELNOTES index df3152cf5..5b759b4e8 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,7 +1,6 @@ firejail (0.9.73) baseline; urgency=low * work in progress * security: fix sscanf rv checks (CodeQL) (#6184) - * feature: added noptm and keep-tpm commands to private-dev (#6390) * feature: Add "keep-shell-rc" command and option (#1127 #5634) * feature: Print the argument when failing with "too long arguments" (#5677) * feature: a random hostname is assigned to each sandbox unless @@ -33,11 +32,9 @@ firejail (0.9.73) baseline; urgency=low * modif: drop deprecated 'shell' option references (#5894) * modif: keep pipewire group unless nosound is used (#5992 #5993) * modif: fcopy: Use lstat when copying directory (#5957) - * modif: populate /run/firejail while holding flock (#6307) * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) * removal: LTS and FIRETUNNEL support - * bugfix: fix startup race condition for /run/firejail directory (#6307, #6307) * bugfix: fix --hostname and --hosts-file commands * bugfix: fix examples in firejail-local AppArmor profile (#5717) * bugfix: arp.c: ensure positive timeout on select(2) (#5806) 
@@ -45,6 +42,7 @@ firejail (0.9.73) baseline; urgency=low (#5965 #5976) * bugfix: firejail --ls reports wrong file sizes for large files (#5982 #6086) + * bugfix: fix startup race condition for /run/firejail directory (#6307) * bugfix: fix various resource leaks (#6367) * bugfix: profstats: fix restrict-namespaces max count (#6369) * build: auto-generate syntax files (#5627) From 8a5e53efa764719b39cd034712c18854f16112c3 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Sat, 20 Jul 2024 06:58:15 -0700 Subject: [PATCH 02/80] profiles: okular: fix "Print to PDF" (#6408) Add `ps2pdf` to private-bin. Fixes #6402. --- etc/profile-m-z/okular.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 9f4990246..645510124 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile @@ -58,7 +58,7 @@ protocol unix seccomp tracelog -private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar +private-bin kbuildsycoca4,kdeinit4,lpr,okular,ps2pdf,unar,unrar private-dev private-etc @x11,cups # on KDE we need access to the real /tmp for data exchange with email clients From 969e29b756e91e00b1b0b5f86f9f4d8801ad987b Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Sat, 20 Jul 2024 14:11:21 +0000 Subject: [PATCH 03/80] build: improve reliability/portability of date command usage (#6404) Changes: * Use the exact same source date string for all `date` invocations * Use `-d` instead of `--date=` * Fallback to `-r` and then to no argument Some `date` implementations only support BSD `-r` instead of GNU `-d` / `--date=` and others may not support any of them since neither option is in POSIX. For example, if zoneinfo is installed by chromebrew on ChromeOS, it provides a date program that only supports `-r` and overrides the system one (which supports `-d`) [1]: ./mkman.sh 0.9.72 src/man/firejail.man firejail.1 date: invalid option -- '-' date: usage: date [-u] [-c] [-r seconds] [+format] make: *** [Makefile:42: firejail.1] Error 1 Environment: zoneinfo 2024a on ChromeOS M125. Note: The changes are based on what is suggested by reproducible-builds.org [2]. Relates to #193. Fixes #6403. [1] https://github.com/netblue30/firejail/issues/6403#issue-2402292506 [2] https://reproducible-builds.org/docs/source-date-epoch/ Reported-by: @Zopolis4 --- src/man/mkman.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/man/mkman.sh b/src/man/mkman.sh index 00c4ffe72..d854b6537 100755 --- a/src/man/mkman.sh +++ b/src/man/mkman.sh @@ -5,8 +5,15 @@ set -e -MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)" -YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)" +test -z "$SOURCE_DATE_EPOCH" && SOURCE_DATE_EPOCH="$(date +%s)" + +format='+%b %Y' +date="$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "$format" 2>/dev/null || + LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "$format" 2>/dev/null || + LC_ALL=C date -u "$format")" + +MONTH="$(printf '%s\n' "$date" | cut -f 1 -d ' ')" +YEAR="$(printf '%s\n' "$date" | cut -f 2 -d ' ')" sed \ -e "s/VERSION/$1/g" \ From 60ea22080a36c66c3e90b75e016ad6324575c7a0 Mon Sep 17 00:00:00 2001 
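Review bot: the last fallback, `LC_ALL=C date -u "$format"`, silently stamps the man page with the current date whenever both `-d` and `-r` fail (an implementation that supports neither, or a malformed `$SOURCE_DATE_EPOCH`), which is exactly the case where a reproducible build should fail loudly rather than produce a different page on every run. Print a warning on that branch, e.g. `{ echo "mkman.sh: warning: cannot apply SOURCE_DATE_EPOCH, using current date" >&2; LC_ALL=C date -u "$format"; }`, or exit non-zero when SOURCE_DATE_EPOCH was supplied by the caller rather than defaulted on the first line of the hunk. Minor: `date="$(...)"` shadows the command name with a variable; it works, but `date_str` would read more clearly next to the three `date` invocations on the same lines.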
From: "Kelvin M. Klann" Date: Thu, 25 Jul 2024 21:41:23 +0000 Subject: [PATCH 04/80] bugfix: firemon: skip coredump if unsupported (#6415) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The coredump-related code fails to build on Linux kernel version 3.8 as apparently it only exists on Linux since version 3.10: docker run --platform linux/386 --rm -it satmandu/crewbuild:386 [...] ./configure && make [...] gcc -ggdb -O2 -DVERSION='"0.9.73"' [...] -march=i686 -c ../../src/firemon/procevent.c -o ../../src/firemon/procevent.o ../../src/firemon/procevent.c: In function ‘procevent_monitor’: ../../src/firemon/procevent.c:399:38: error: ‘PROC_EVENT_COREDUMP’ undeclared (first use in this function); did you mean ‘PROC_EVENT_COMM’? 399 | case PROC_EVENT_COREDUMP: | ^~~~~~~~~~~~~~~~~~~ | PROC_EVENT_COMM ../../src/firemon/procevent.c:399:38: note: each undeclared identifier is reported only once for each function it appears in ../../src/firemon/procevent.c:400:66: error: ‘union ’ has no member named ‘coredump’ 400 | pid = proc_ev->event_data.coredump.process_tgid; | ^ make[1]: *** [../../src/prog.mk:25: ../../src/firemon/procevent.o] Error 1 make[1]: Leaving directory '/home/chronos/user/firejail/src/firemon' make: *** [Makefile:72: src/firemon/firemon] Error 2 Environment: gcc 14.1.0, glibc 2.23 and linuxheaders 3.8 on ChromeOS M58. Misc: @Zopolis4 also reports that "All i686 chromebooks have a kernel version of 3.8". This amends commit e11949a71 ("add support for comm, coredump, and prctl procevents in firemon", 2024-04-30). Fixes #6414. Reported-by: @Zopolis4 --- src/firemon/procevent.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 430730374..1a6f23919 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c 
@@ -396,6 +396,8 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my sprintf(lineptr, " sid "); break; +// Note: PROC_EVENT_COREDUMP only exists since Linux 3.10 (see #6414). +#ifdef PROC_EVENT_COREDUMP case PROC_EVENT_COREDUMP: pid = proc_ev->event_data.coredump.process_tgid; #ifdef DEBUG_PRCTL @@ -403,6 +405,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my #endif sprintf(lineptr, " coredump "); break; +#endif /* PROC_EVENT_COREDUMP */ case PROC_EVENT_COMM: pid = proc_ev->event_data.comm.process_tgid; From 4ad26b3fcb91f79959cf51e04d24cc6788df6f13 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 26 Jul 2024 13:18:11 +0000 Subject: [PATCH 05/80] profiles: firecfg.config: disable spectacle (#6412) There are various reports in #5127 that the current profile is broken on wayland (and at least one report that it is broken on xorg as well). Relates to #6268. --- src/firecfg/firecfg.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 8d0a30521..9572045b3 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -824,7 +824,7 @@ soffice sol sound-juicer soundconverter -spectacle +#spectacle # may be broken on wayland (see #5127) spectral spotify sqlitebrowser From 6da6817f534a547be379949529c4d24a4bc30b3a Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 26 Jul 2024 19:29:15 -0300 Subject: [PATCH 06/80] RELNOTES: add feature, bugfix and build items Relates to #6401 #6403 #6404 #6414 #6415. --- RELNOTES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/RELNOTES b/RELNOTES index 5b759b4e8..3181f79c5 100644 --- a/RELNOTES +++ b/RELNOTES 
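Review bot: `#ifdef PROC_EVENT_COREDUMP` only tests for a preprocessor macro. In the UAPI header linux/cn_proc.h the PROC_EVENT_* values are enumerators of `enum what` inside `struct proc_event`, not `#define`s, and the gcc diagnostic quoted in the message ("undeclared (first use in this function)") is what the compiler reports for a missing enumerator rather than an unexpanded macro. If that holds for the headers in use, this guard is false on every kernel version and the coredump case is silently compiled out everywhere, not just on 3.8. Please verify on a 3.10+ header (a temporary `#error` inside the guarded block shows whether it is compiled), and if so replace the guard with a build-time check such as `AC_CHECK_DECL([PROC_EVENT_COREDUMP], ..., [[#include <linux/cn_proc.h>]])` in configure.ac and test the resulting HAVE_DECL_PROC_EVENT_COREDUMP here.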
@@ -17,6 +17,7 @@ firejail (0.9.73) baseline; urgency=low * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 #6228 #6260 #6302 #6305) * feature: add support for comm, coredump, and prctl procevents in firemon + (#6414 #6415) * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) * modif: Stop forwarding own double-dash to the shell (#5599 #5600) * modif: Prevent sandbox name (--name=) and host name (--hostname=) @@ -45,6 +46,7 @@ firejail (0.9.73) baseline; urgency=low * bugfix: fix startup race condition for /run/firejail directory (#6307) * bugfix: fix various resource leaks (#6367) * bugfix: profstats: fix restrict-namespaces max count (#6369) + * bugfix: remove --noautopulse from --help and zsh comp (#6401) * build: auto-generate syntax files (#5627) * build: mark all phony targets as such (#5637) * build: mkdeb.sh: pass all arguments to ./configure (#5654) @@ -80,6 +82,7 @@ firejail (0.9.73) baseline; urgency=low * build: remove clean dependency from cppcheck targets (#6343) * build: allow overriding common tools (#6354) * build: standardize install commands (#6366) + * build: improve reliability/portability of date command usage (#6403 #6404) * ci: always update the package db before installing packages (#5742) * ci: fix codeql unable to download its own bundle (#5783) * ci: split configure/build/install commands on gitlab (#5784) From 601aa5c6aac777c34f24f6fd9613bb6278a8338b Mon Sep 17 00:00:00 2001 
From: glitsj16 Date: Sat, 27 Jul 2024 22:36:46 +0000 Subject: [PATCH 07/80] profiles: bijiben: update webkit var and disable in firecfg (#6418) The current `bijiben.profile` sets an environment variable to disable its internal webkit/bubblewrap sandbox but now a different variable needs to be set[1]: WEBKIT_FORCE_SANDBOX no longer allows disabling the sandbox. Use WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 instead. This may be needed to make the profile work, but disabling the sandbox affects the security in webkit[2], so update the variable and disable bijiben by default in firecfg.config. Note: Upstream replaced bijiben by gnome-notes[3] [4]. Relates to #2995. [1] https://github.com/WebKit/WebKit/blob/0678a98c864ee36f0114ea4e7d303fd07788a822/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp#L117 [2] https://github.com/netblue30/firejail/issues/2995 [3] https://archlinux.org/packages/extra/x86_64/gnome-notes/ [4] https://wiki.gnome.org/Apps/Notes --- etc/profile-a-l/bijiben.profile | 5 ++++- src/firecfg/firecfg.config | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index e596ec9d2..7afccf5cd 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile @@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf dbus-user.talk org.freedesktop.Tracker1 dbus-system none -env WEBKIT_FORCE_SANDBOX=0 +# Warning: Disabling the webkit sandbox may be needed to make firejail work +# with webkit2gtk, but this is not recommended (see #2995). +# Add the following line to bijiben.local at your own risk: +#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 restrict-namespaces diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 9572045b3..2586db84d 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
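Review bot: shipping the replacement variable commented out is the right call, since the removed `env WEBKIT_FORCE_SANDBOX=0` line had the sandbox-disabling effect turned on by default for every bijiben user. One documentation point: the bijiben.profile comment cites #2995 while the firecfg.config comment in the same change cites #3647, so a reader following either reference misses the other; cite both in each place, or state in the profile comment that the bwrap requirement (#3647) is why the webkit sandbox cannot simply be left enabled under firejail.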
@@ -97,7 +97,7 @@ basilisk bcompare beaker bibletime -bijiben +#bijiben # webkit2gtk-4.x requires bwrap (see #3647) bitcoin-qt bitlbee bitwarden From 86bc5bd6029a6aa06393802560180c86f9a349b9 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 27 Jul 2024 22:38:07 +0000 Subject: [PATCH 08/80] profiles: refactor dbus debugger profiles (#6420) There are a lot of common options in the `d-feet` and `d-spy` profiles. Create a new common include file and refactor the existing profiles as redirects. Relates to #2492 #6328. --- etc/profile-a-l/d-feet.profile | 39 +++--------------- etc/profile-a-l/d-spy.profile | 40 +----------------- etc/profile-a-l/dbus-debug-common.profile | 49 +++++++++++++++++++++++ 3 files changed, 56 insertions(+), 72 deletions(-) create mode 100644 etc/profile-a-l/dbus-debug-common.profile diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 75338eb6d..e11134616 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile @@ -12,45 +12,16 @@ noblacklist ${HOME}/.config/d-feet include allow-python2.inc include allow-python3.inc -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-shell.inc -include disable-xdg.inc - mkdir ${HOME}/.config/d-feet whitelist ${HOME}/.config/d-feet whitelist /usr/share/d-feet -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc -apparmor -caps.drop all -ipc-namespace -#net none # breaks on Ubuntu -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp +# breaks on Ubuntu +ignore net none -disable-mnt private-bin d-feet,python* -private-cache -private-dev -private-etc dbus-1 -private-tmp #memory-deny-write-execute # breaks on Arch (see issue #1803) -restrict-namespaces + +# Redirect +include dbus-debug-common.profile 
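Review bot: the redirect changes d-feet's effective policy beyond the stated refactor: the old d-feet.profile had no `read-only ${HOME}`, no `disable-proc.inc`, no `seccomp.block-secondary` and no `tracelog`, all of which dbus-debug-common.profile now applies. In particular `read-only ${HOME}` conflicts with the `mkdir ${HOME}/.config/d-feet` / `whitelist ${HOME}/.config/d-feet` lines kept in this hunk, so d-feet can no longer persist its settings. Either add `read-write ${HOME}/.config/d-feet` (or `ignore read-only ${HOME}`) next to the existing `ignore net none`, or say in the commit message that the tightening is intended and was tested.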
diff --git a/etc/profile-a-l/d-spy.profile b/etc/profile-a-l/d-spy.profile index 9ff429ecb..2c9ef52cb 100644 --- a/etc/profile-a-l/d-spy.profile +++ b/etc/profile-a-l/d-spy.profile @@ -6,43 +6,7 @@ include d-spy.local # Persistent global definitions include globals.local -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-proc.inc -include disable-programs.inc -include disable-shell.inc -include disable-xdg.inc - -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -ipc-namespace -net none -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp - -disable-mnt private-bin d-spy -private-cache -private-dev -private-etc dbus-1 -private-tmp -read-only ${HOME} -restrict-namespaces +# Redirect +include dbus-debug-common.profile diff --git a/etc/profile-a-l/dbus-debug-common.profile b/etc/profile-a-l/dbus-debug-common.profile new file mode 100644 index 000000000..0ef060f3a --- /dev/null +++ b/etc/profile-a-l/dbus-debug-common.profile 
@@ -0,0 +1,49 @@ +# Firejail profile for dbus-debug-common +# This file is overwritten after every install/update +# Persistent local customizations +include dbus-debug-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-cache +private-dev +private-etc dbus-1 +private-tmp + +read-only ${HOME} +restrict-namespaces From cf89d0cd9441c1805188f52a08676be07703775a Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sun, 28 Jul 2024 01:01:24 +0000 Subject: [PATCH 09/80] New profile: dtui (#6422) Description: TUI for introspecting the state of the system/session dbus. https://github.com/Troels51/dtui https://aur.archlinux.org/packages/dtui Relates to #6420. --- etc/profile-a-l/dtui.profile | 15 +++++++++++++++ src/firecfg/firecfg.config | 1 + 2 files changed, 16 insertions(+) create mode 100644 etc/profile-a-l/dtui.profile diff --git a/etc/profile-a-l/dtui.profile b/etc/profile-a-l/dtui.profile new file mode 100644 index 000000000..b85ae451b --- /dev/null +++ b/etc/profile-a-l/dtui.profile @@ -0,0 +1,15 @@ +# Firejail profile for dtui +# Description: TUI D-Bus debugger +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include dtui.local +# Persistent global definitions +include globals.local + +private-bin dtui + +memory-deny-write-execute + +# Redirect +include dbus-debug-common.profile 
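Review bot: missing documentation on the bus policy: this common profile sets no `dbus-user` / `dbus-system` lines, so both buses stay unfiltered, which is the point of a D-Bus introspection tool but is the opposite of what the surrounding hardening (`caps.drop all`, `seccomp`, `restrict-namespaces`) suggests; add a comment such as `# dbus-user/dbus-system are intentionally left unrestricted: these tools exist to inspect the bus` so the omission is not "fixed" later. Also worth a sentence in the header: `include dbus-debug-common.local` means a user's local override applies to every redirecting profile (d-feet, d-spy, dtui), which differs from the per-application .local files those profiles already include.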
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2586db84d..84bf32625 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -227,6 +227,7 @@ dragon drawio drill dropbox +dtui easystroke ebook-convert ebook-edit From c9eb10b5d1a1544c0f2a6b943ebfa31be941e5ff Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 29 Jul 2024 21:35:46 +0000 Subject: [PATCH 10/80] profiles: element-desktop: allow /usr/share/element (#6424) This path is apparently needed on openSUSE Tumbleweed[1]: $ LC_ALL=C firejail /usr/bin/element-desktop [...] Error launching app Unable to find Electron app at /usr/share/element/app Cannot find module '/usr/share/element/app' Parent is shutting down, bye... Fixes #6421. [1] https://software.opensuse.org/package/element-desktop Reported-by: @leukimi --- etc/profile-a-l/element-desktop.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile index 1af2884b6..52a439c48 100644 --- a/etc/profile-a-l/element-desktop.profile +++ b/etc/profile-a-l/element-desktop.profile @@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/Element mkdir ${HOME}/.config/Element whitelist ${HOME}/.config/Element whitelist /opt/Element +whitelist /usr/share/element dbus-user filter dbus-user.talk org.freedesktop.Notifications From 886fb7d00db1075c77e1b75c03eab10377f39d76 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 30 Jul 2024 18:22:59 +0000 Subject: [PATCH 11/80] docs: man: improve blacklist/whitelist examples with spaces (#6425) Use the same examples with spaces and make the quotes more consistent with the other examples. --- src/man/firejail.1.in | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index f14eb6ec0..4edb0902e 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in 
@@ -207,7 +207,7 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin .br $ firejail \-\-blacklist=~/.mozilla .br -$ firejail "\-\-blacklist=/home/username/My Virtual Machines" +$ firejail \-\-blacklist="/home/username/My Virtual Machines" .br $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines .TP @@ -3143,7 +3143,9 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla .br $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null .br -$ firejail "\-\-whitelist=/home/username/My Virtual Machines" +$ firejail \-\-whitelist="/home/username/My Virtual Machines" +.br +$ firejail \-\-whitelist=/home/username/My\\ Virtual\\ Machines .br $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* From a9491c16a86f1f3a70596815799898ddaf4dee43 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 06:08:40 +0000 Subject: [PATCH 12/80] build(deps): bump github/codeql-action from 3.25.11 to 3.25.15 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.11 to 3.25.15. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b611370bb5703a7efb587f9d136a52ea24c5c38c...afb54ba388a7dca6ecae48f608c4ff05ff4cc77a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/check-c.yml | 4 ++-- .github/workflows/check-python.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index a0b7245e5..f213baf88 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml 
@@ -161,7 +161,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c + uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a with: languages: cpp @@ -172,4 +172,4 @@ jobs: run: make -j "$(nproc)" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c + uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 838414498..04fee9804 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -51,9 +51,9 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c + uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a with: languages: python - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c + uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a From 7031de4f547fef86da16c2f9c12b0792d652639f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 06:08:30 +0000 Subject: [PATCH 13/80] build(deps): bump step-security/harden-runner from 2.8.1 to 2.9.0 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.1 to 2.9.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6...0d381219ddf674d61a7572ddd19d7941e271515c) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- .github/workflows/build-extra.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/check-c.yml | 8 ++++---- .github/workflows/check-profiles.yml | 2 +- .github/workflows/check-python.yml | 2 +- .github/workflows/codespell.yml | 2 +- .github/workflows/test.yml | 10 +++++----- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index ccc5c9bf7..775a3c947 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -44,7 +44,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7752f3d3..0c1317ed8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index f213baf88..d3c9a8abf 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -46,7 +46,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: 
> @@ -79,7 +79,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > @@ -109,7 +109,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > @@ -143,7 +143,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 38cb1f29b..040d3ab1c 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 04fee9804..3d233bc02 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 6e0fe73d2..1bf714d65 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml 
@@ -24,7 +24,7 @@ jobs: timeout-minutes: 5 steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c1ee00934..0cc1eea3e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -54,7 +54,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > @@ -103,7 +103,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > @@ -143,7 +143,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > @@ -183,7 +183,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > @@ -225,7 +225,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: block allowed-endpoints: > From de855222487b9633c3833a4d0ef77558c52b8e5b Mon Sep 17 00:00:00 2001 
From: Felix Pehla <74104874+FelixPehla@users.noreply.github.com> Date: Wed, 7 Aug 2024 03:26:04 +0200 Subject: [PATCH 14/80] profiles: blacklist sway IPC socket (#6429) Much like the i3 IPC socket (#6361), the sway IPC socket also allows arbitrary code execution via the `exec` subcommand. Access should only be permitted to sway itself by default. The location of the IPC socket is set in sway/ipc-server.c: https://github.com/swaywm/sway/blob/7e74a4914261cf32c45017521960adf7ff6dac8f/sway/ipc-server.c#L126 --- etc/inc/disable-common.inc | 4 ++++ etc/profile-m-z/sway.profile | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 14f7d8cf7..faae99543 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc @@ -171,6 +171,10 @@ blacklist ${RUNUSER}/gsconnect blacklist ${RUNUSER}/i3/ipc-socket.* blacklist /tmp/i3-*/ipc-socket.* +# sway IPC socket (allows arbitrary shell script execution) +blacklist ${RUNUSER}/sway-ipc.* +blacklist /tmp/sway-ipc.* + # systemd blacklist ${HOME}/.config/systemd blacklist ${HOME}/.local/share/systemd diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile index f71905150..b7f90f6ad 100644 --- a/etc/profile-m-z/sway.profile +++ b/etc/profile-m-z/sway.profile @@ -10,6 +10,10 @@ include globals.local noblacklist ${HOME}/.config/sway # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway noblacklist ${HOME}/.config/i3 +# allow creation of IPC socket +noblacklist ${RUNUSER}/sway-ipc.* +noblacklist /tmp/sway-ipc.* + include disable-common.inc caps.drop all From 5d68062f12fdcd7ee61a98ad74b6c366c491d1c5 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Wed, 7 Aug 2024 02:56:46 +0000 Subject: [PATCH 15/80] feature: fshaper.sh: support tc on NixOS (#6431) Fixes #6426. --- src/fshaper/fshaper.sh | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh index cd2bf79bf..16a2485bf 100755 
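Review bot: ordering is correct (the `noblacklist` lines precede `include disable-common.inc`, which is required for them to take effect), and the two globs cover both socket locations the commit message points at in ipc-server.c. One documentation point: the comment in disable-common.inc says "allows arbitrary shell script execution" while the commit message says "arbitrary code execution via the `exec` subcommand"; use the latter wording in the comment so the reason is precise, and mention that sandboxed sway clients which legitimately need the socket (status bars, `swaymsg` wrappers) must add the same two `noblacklist` lines to their own .local file, as this change cuts them off without any error message pointing at the cause.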
--- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh @@ -3,13 +3,9 @@ # Copyright (C) 2014-2024 Firejail Authors # License GPL v2 -TCFILE="" -if [ -x "/usr/sbin/tc" ]; then - TCFILE="/usr/sbin/tc" -elif [ -x "/sbin/tc" ]; then - TCFILE="/sbin/tc"; -else - echo "Error: traffic control utility (tc) not found"; +TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)" +if [ -z "$TCFILE" ]; then + echo "Error: traffic control utility (tc) not found" exit 1 fi From 7299f832fb8a643a392b069c0980335bea84751e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 7 Aug 2024 16:24:09 +0000 Subject: [PATCH 16/80] docs: add build_issue.md issue template (#6423) Based on `.github/ISSUE_TEMPLATE/bug_report.md`. Relates to #6417. --- .github/ISSUE_TEMPLATE/build_issue.md | 72 +++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/build_issue.md diff --git a/.github/ISSUE_TEMPLATE/build_issue.md b/.github/ISSUE_TEMPLATE/build_issue.md new file mode 100644 index 000000000..7e0b822bb --- /dev/null +++ b/.github/ISSUE_TEMPLATE/build_issue.md 
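Review bot: the fixed search path in `PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc` is the right shape for a script whose purpose is to run `tc`, which needs CAP_NET_ADMIN: it does not consult the caller's PATH, so a writable directory early in the user's PATH cannot substitute a different `tc`. Add a one-line comment saying this is deliberate so nobody later "simplifies" it to a plain `command -v tc`. Two small points: the error message still goes to stdout, so redirect it (`echo "Error: traffic control utility (tc) not found" >&2`) now that the line is being rewritten anyway; and `command -v` prints a bare name rather than a path when `tc` happens to be defined as a shell function, so `[ -x "$TCFILE" ]` in place of `[ -z "$TCFILE" ]` would cover both the not-found and the not-executable case.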
@@ -0,0 +1,72 @@ +--- +name: Build issue +about: There is an issue when trying to build the project from source +title: 'build: ' +labels: '' +assignees: '' + +--- + + + +### Description + +_Describe the bug_ + +### Steps to Reproduce + + + +_Post the commands used to reproduce the issue and their output_ + +Example: + +```console +$ ./configure --prefix=/usr --enable-apparmor +checking for gcc... gcc +checking whether the C compiler works... yes +[...] +$ make +make -C src/lib +gcc [...] +[...] +``` + +_If ./configure fails, include the output of config.log_ + +Example: + +```console +$ cat config.log +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. +[...] +``` + +### Additional context + +_(Optional) Any other detail that may help to understand/debug the problem_ + +### Environment + +- Name/version/arch of the Linux kernel (e.g. the output of `uname -srm`) +- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux") +- Name/version of the C compiler (e.g. "gcc 14.1.1-1") +- Name/version of the libc (e.g. "glibc 2.40-1") +- Version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on Arch Linux) +- Version of the source code being built (e.g. the output of `git rev-parse HEAD`) From ebd4b3eea68c097ee30ca03e02c07dd3f354d07e Mon Sep 17 00:00:00 2001 From: ayham Date: Wed, 7 Aug 2024 21:10:05 +0000 Subject: [PATCH 17/80] profiles: ssh: allow gpgagent socket for custom homedir (#6419) If a custom GPG homedir is used, a hash of its path is used in the path of the gpg agent socket[1]. For example, when running: gpgconf --list-dirs agent-ssh-socket With a custom homedir it returns: /run/user/1000/gnupg//S.gpg-agent.ssh Environment: gnupg 2.4.5-4 on Arch Linux. [1] https://github.com/gpg/gnupg/blob/91532dc3f40599b74fff489cb021c0cd3344ae60/common/homedir.c#L1342 --- etc/profile-m-z/ssh.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 62efa28db..1c4d85ea0 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile @@ -19,7 +19,8 @@ include disable-exec.inc include disable-programs.inc whitelist ${RUNUSER}/gcr/ssh -whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh +whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup +whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup whitelist ${RUNUSER}/keyring/ssh include whitelist-usr-share-common.inc include whitelist-runuser-common.inc From 16eefd9db8b8fe9e28ff57b41177f62d84c11125 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 11 Aug 2024 08:12:41 -0300 Subject: [PATCH 18/80] RELNOTES: add feature and docs items Relates to #6423 #6425 #6426 #6431. --- RELNOTES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/RELNOTES b/RELNOTES index 3181f79c5..62433ff75 100644 --- a/RELNOTES +++ b/RELNOTES @@ -19,6 +19,7 @@ firejail (0.9.73) baseline; urgency=low * feature: add support for comm, coredump, and prctl procevents in firemon (#6414 #6415) * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) + * feature: fshaper.sh: support tc on NixOS (#6426 #6431) * modif: Stop forwarding own double-dash to the shell (#5599 #5600) * modif: Prevent sandbox name (--name=) and host name (--hostname=) from containing only digits (#5578 #5741) @@ -112,6 +113,8 @@ firejail (0.9.73) baseline; urgency=low #6359) * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382) * docs: man: format and sort some private- items (#6398) + * docs: man: improve blacklist/whitelist examples with spaces (#6425) + * docs: add build_issue.md issue template (#6423) * legal: selinux.c: Split Copyright notice & use same license as upstream (#5667) * profiles: qutebrowser: fix links not opening in the existing instance From e8b693c814a4e157bcae6f5c60d1624d185d8837 Mon Sep 17 00:00:00 2001 
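Review bot: In the ssh.profile hunk, `whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh` admits the socket from any subdirectory of ${RUNUSER}/gnupg, not only the hashed directory that gpg creates for a custom homedir, which is broader than the commit message suggests; if that is the intended trade-off it deserves a sentence in the comment. Also confirm that the profile parser strips the trailing `# default gpg homedir setup` and `# custom gpg homedir setup` comments that now share a line with the whitelist path; if it does not, the comment text becomes part of the path and both whitelists silently fail to match.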
From: "Kelvin M. Klann" Date: Mon, 19 Aug 2024 02:49:17 +0000 Subject: [PATCH 19/80] profiles: firefox-common: fix private-etc in includers (#6435) It was enabled in firefox-common.inc on commit 34d004892 ("private-etc: corss-distro test for curl, gimp, inkscape, firefox, warzone2100", 2023-01-28), but not in the profiles that include it. Enable it in the including profiles as well. Note: This was already done for firefox.profile on commit 76249284f ("firefox: fix private-etc firefox", 2023-06-02) / PR #5844. Relates to #6400. --- etc/profile-a-l/abrowser.profile | 3 +-- etc/profile-a-l/basilisk.profile | 3 +-- etc/profile-a-l/cachy-browser.profile | 4 +--- etc/profile-a-l/cliqz.profile | 3 +-- etc/profile-a-l/cyberfox.profile | 3 +-- etc/profile-a-l/firefox-common-addons.profile | 3 +-- etc/profile-a-l/icecat.profile | 3 +-- etc/profile-a-l/iceweasel.profile | 3 +-- etc/profile-a-l/librewolf.profile | 4 +--- etc/profile-m-z/palemoon.profile | 3 +-- etc/profile-m-z/waterfox.profile | 4 +--- 11 files changed, 11 insertions(+), 25 deletions(-) diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile index 8b70756ba..6217af780 100644 --- a/etc/profile-a-l/abrowser.profile +++ b/etc/profile-a-l/abrowser.profile @@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser whitelist ${HOME}/.mozilla whitelist /usr/share/abrowser -# private-etc must first be enabled in firefox-common.profile -#private-etc abrowser +private-etc abrowser # Redirect include firefox-common.profile diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile index 7d2fe143c..f5595274e 100644 --- a/etc/profile-a-l/basilisk.profile +++ b/etc/profile-a-l/basilisk.profile @@ -19,8 +19,7 @@ seccomp ignore seccomp #private-bin basilisk -# private-etc must first be enabled in firefox-common.profile -#private-etc basilisk +private-etc basilisk #private-opt basilisk restrict-namespaces 
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 05e1a69f1..6218dbbe8 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile @@ -26,9 +26,7 @@ whitelist /usr/share/cachy-browser # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). #private-bin dbus-launch,dbus-send,cachy-browser,sh -# Add the next line to your cachy-browser.local to enable private-etc. -# Note: private-etc must first be enabled in firefox-common.local. -#private-etc cachy-browser +private-etc cachy-browser dbus-user filter dbus-user.own org.mozilla.cachybrowser.* diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile index d0bf9797e..bded735a9 100644 --- a/etc/profile-a-l/cliqz.profile +++ b/etc/profile-a-l/cliqz.profile @@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz whitelist ${HOME}/.config/cliqz whitelist /usr/share/cliqz -# private-etc must first be enabled in firefox-common.profile -#private-etc cliqz +private-etc cliqz # Redirect include firefox-common.profile diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile index c7a42e0eb..173c5b4a5 100644 --- a/etc/profile-a-l/cyberfox.profile +++ b/etc/profile-a-l/cyberfox.profile @@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios whitelist /usr/share/cyberfox #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which -# private-etc must first be enabled in firefox-common.profile -#private-etc cyberfox +private-etc cyberfox # Redirect include firefox-common.profile diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index ccc2dc7f6..5e3d0983d 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile 
@@ -92,8 +92,7 @@ include allow-python3.inc #private-bin keepassxc-proxy # Flash plugin -# private-etc must first be enabled in firefox-common.profile and in profiles including it. -#private-etc adobe +private-etc adobe # ff2mpv #ignore noexec ${HOME} diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile index b0a42fb77..19bda5454 100644 --- a/etc/profile-a-l/icecat.profile +++ b/etc/profile-a-l/icecat.profile @@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat whitelist ${HOME}/.mozilla whitelist /usr/share/icecat -# private-etc must first be enabled in firefox-common.profile -#private-etc icecat +private-etc icecat # Redirect include firefox-common.profile diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile index badd2648a..d6a925a77 100644 --- a/etc/profile-a-l/iceweasel.profile +++ b/etc/profile-a-l/iceweasel.profile @@ -6,8 +6,7 @@ include iceweasel.local # added by included profile #include globals.local -# private-etc must first be enabled in firefox-common.profile -#private-etc iceweasel +private-etc iceweasel # Redirect include firefox.profile diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 65a4a3787..8db82d364 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile @@ -27,9 +27,7 @@ whitelist /usr/share/librewolf # Add the next line to your librewolf.local to enable private-bin (Arch Linux). #private-bin dbus-launch,dbus-send,librewolf,sh -# Add the next line to your librewolf.local to enable private-etc. -# Note: private-etc must first be enabled in firefox-common.local. -#private-etc librewolf +private-etc librewolf dbus-user filter dbus-user.own io.gitlab.librewolf.* diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile index 8917a9bc5..8e1a5daf5 100644 --- a/etc/profile-m-z/palemoon.profile +++ b/etc/profile-m-z/palemoon.profile 
@@ -21,8 +21,7 @@ seccomp ignore seccomp #private-bin palemoon -# private-etc must first be enabled in firefox-common.profile -#private-etc palemoon +private-etc palemoon restrict-namespaces ignore restrict-namespaces diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile index bf6f45e41..cf2fced64 100644 --- a/etc/profile-m-z/waterfox.profile +++ b/etc/profile-m-z/waterfox.profile @@ -21,9 +21,7 @@ whitelist /usr/share/waterfox # waterfox requires a shell to launch on Arch. We can possibly remove sh though. # Add the next line to your waterfox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which -# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be -# enabled in your firefox-common.local. -#private-etc waterfox +private-etc waterfox # Redirect include firefox-common.profile From 4465df5dc3f3d60e5ce6131c3cb86b7bcb4d7dac Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 24 Aug 2024 05:47:39 -0300 Subject: [PATCH 20/80] RELNOTES: improve and merge build items (seccomp filters/man pages) Related commits: * 9e206b7f2 ("rework src/man Makefile", 2023-07-07) * 2b34747db ("generate seccomp filters at install time", 2023-07-07) * 1d5fff903 ("Makefile fix", 2023-07-10) * 6fa19aab9 ("feature: use seccomp filters build at install time for --restrict-namespaces", 2023-07-12) * a6172b725 ("build: remove extraneous blank lines in makefiles", 2023-07-12) * 80eb28483 ("build: restore seccomp filter targets", 2023-07-13) / PR #5898 * 76bd5ad0f ("build: simplify code related to man pages", 2023-07-12) / PR #5898 * 8e79f18cf ("build: add missing makefile dep", 2023-08-12) / PR #5956 Note: The issue with seccomp filters specifically was fixed on commit 80eb28483 ("build: restore seccomp filter targets", 2023-07-13) / PR #5898. Relates to #5156 #5898 #5956. --- RELNOTES | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
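Review bot: In the cachy-browser.profile, librewolf.profile and waterfox.profile hunks, the removed comments said private-etc was something to opt into via the `.local` file, in the same spirit as the still-commented `#private-bin` lines directly above them, so turning `private-etc` on unconditionally changes behaviour for those users. The commit message explains why the line was disabled (it depended on firefox-common) but not why opt-in is no longer needed for these three profiles, which is worth stating explicitly.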
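Review bot: In the firefox-common-addons.profile hunk, `private-etc adobe` now stands as an always-on line under `# Flash plugin` while every neighbouring addon entry in the same context (`#private-bin keepassxc-proxy`, `#ignore noexec ${HOME}`) stays a commented opt-in; confirm that enabling it by default for all includers is intended rather than a side effect of the mechanical comment removal.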
diff --git a/RELNOTES b/RELNOTES index 62433ff75..4e55f9447 100644 --- a/RELNOTES +++ b/RELNOTES @@ -58,8 +58,7 @@ firejail (0.9.73) baseline; urgency=low * build: disable all built-in implicit make rules (#5864) * build: organize and standardize make vars and targets (#5866) * build: fix seccomp filters and man pages always being rebuilt when running - make - * build: simplify code related to man pages (#5898) + make (#5156 #5898) * build: fix hardcoded make & remove unnecessary distclean targets (#5911) * build: dist and asc improvements (#5916) * build: fix some shellcheck issues & use config.sh in more scripts (#5927) From fecd25d699b91c16f26d313bb783950c9f706fcd Mon Sep 17 00:00:00 2001 From: Caleb McCombs Date: Sun, 25 Aug 2024 11:53:41 -0500 Subject: [PATCH 21/80] profiles: zoom: allow ~/Documents/Zoom (#4290) By default, Zoom records meetings to ~/Documents/Zoom. Add that folder to the whitelist so that future users don't lose their meeting recordings upon shutting Zoom down. Fixes #4006. --- etc/profile-m-z/zoom.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index 306212f85..430934df2 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile @@ -19,6 +19,7 @@ ignore dbus-system none noblacklist ${HOME}/.config/zoom.conf noblacklist ${HOME}/.config/zoomus.conf noblacklist ${HOME}/.zoom +noblacklist ${DOCUMENTS} nowhitelist ${DOWNLOADS} 
@@ -26,10 +27,12 @@ mkdir ${HOME}/.cache/zoom mkfile ${HOME}/.config/zoom.conf mkfile ${HOME}/.config/zoomus.conf mkdir ${HOME}/.zoom +mkdir ${HOME}/Documents/Zoom whitelist ${HOME}/.cache/zoom whitelist ${HOME}/.config/zoom.conf whitelist ${HOME}/.config/zoomus.conf whitelist ${HOME}/.zoom +whitelist ${HOME}/Documents/Zoom # Disable for now, see https://github.com/netblue30/firejail/issues/3726 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl From 5edddc918ecbeddcc9c9fff9374e6d51ae4c286b Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 27 Aug 2024 05:25:08 +0000 Subject: [PATCH 22/80] profiles: bitwarden: improvements and new bitwarden-desktop redirect (#6443) Changes: - Allow shell access (bitwarden-desktop may be a shell script) - Enable whitelist-usr-share-common.inc - Introduce a new redirect for bitwarden-desktop - Add the new redirect to firecfg Relates to #6442. --- etc/profile-a-l/bitwarden-desktop.profile | 11 +++++++++++ etc/profile-a-l/bitwarden.profile | 6 +++--- src/firecfg/firecfg.config | 1 + 3 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 etc/profile-a-l/bitwarden-desktop.profile diff --git a/etc/profile-a-l/bitwarden-desktop.profile b/etc/profile-a-l/bitwarden-desktop.profile new file mode 100644 index 000000000..4c1994c50 --- /dev/null +++ b/etc/profile-a-l/bitwarden-desktop.profile @@ -0,0 +1,11 @@ +# Firejail profile for bitwarden-desktop +# Description: A secure and free password manager for all of your devices +# This file is overwritten after every install/update. +# Persistent local customisations +include bitwarden-desktop.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include bitwarden.profile diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index 1572ca572..9ed48b02d 100644 
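Review bot: In the zoom.profile hunks, `noblacklist ${DOCUMENTS}` uses the XDG variable while the new `mkdir` and `whitelist` lines hardcode `${HOME}/Documents/Zoom`; on a system where the documents directory is not ~/Documents the noblacklist and the whitelist point at different places. Use `${DOCUMENTS}/Zoom` in all three lines, or `${HOME}/Documents/Zoom` in the noblacklist, so they stay in step. Narrowing the noblacklist to the Zoom subfolder also keeps the lifted restriction to what the commit message describes instead of the whole documents directory.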
--- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile @@ -6,13 +6,13 @@ include bitwarden.local # Persistent global definitions include globals.local -# Disabled until someone reported positive feedback -ignore include whitelist-usr-share-common.inc - ignore noexec /tmp noblacklist ${HOME}/.config/Bitwarden +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + include disable-shell.inc mkdir ${HOME}/.config/Bitwarden diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 84bf32625..08170bee6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -101,6 +101,7 @@ bibletime bitcoin-qt bitlbee bitwarden +bitwarden-desktop bleachbit blender blender-2.8 From 00fe9ce335e15d1fed2b90966466b69ce2042da9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Sep 2024 06:42:33 +0000 Subject: [PATCH 23/80] build(deps): bump github/codeql-action from 3.25.15 to 3.26.6 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/afb54ba388a7dca6ecae48f608c4ff05ff4cc77a...4dd16135b69a43b6c8efb853346f8437d92d3c93) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/check-c.yml | 4 ++-- .github/workflows/check-python.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index d3c9a8abf..86adacef0 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml 
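Review bot: In the bitwarden.profile hunk, `include allow-bin-sh.inc` re-enables /bin/sh for every user of the profile, not only for installs where bitwarden-desktop is a shell script, and nothing in the comment tells a reader with a binary install that `ignore include allow-bin-sh.inc` in bitwarden.local turns it off again; a one-line note would help. Removing `ignore include whitelist-usr-share-common.inc` also restricts /usr/share to the common whitelist, which the deleted comment said was waiting for positive feedback; the commit message lists the change but not the testing that resolved that concern.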
@@ -161,7 +161,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a + uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 with: languages: cpp @@ -172,4 +172,4 @@ jobs: run: make -j "$(nproc)" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a + uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 3d233bc02..489a2ac2f 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -51,9 +51,9 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a + uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 with: languages: python - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a + uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 From 897f12dd88c1add667ecb211b61b6126a49c7065 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Sep 2024 06:42:36 +0000 Subject: [PATCH 24/80] build(deps): bump step-security/harden-runner from 2.9.0 to 2.9.1 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.9.0 to 2.9.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/0d381219ddf674d61a7572ddd19d7941e271515c...5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... 
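Review bot: In both check-c.yml hunks and the check-python.yml hunk, the action is pinned by full commit SHA, which is the right choice, but no `# v3.26.6` trailer follows the SHA, so a reader of the workflow cannot tell which release 4dd16135b69a43b6c8efb853346f8437d92d3c93 corresponds to without opening the PR; adding the version comment after each `uses:` line (Dependabot keeps it in sync on later bumps) makes review of future changes easier.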
Signed-off-by: dependabot[bot] --- .github/workflows/build-extra.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/check-c.yml | 8 ++++---- .github/workflows/check-profiles.yml | 2 +- .github/workflows/check-python.yml | 2 +- .github/workflows/codespell.yml | 2 +- .github/workflows/test.yml | 10 +++++----- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 775a3c947..8ad73bb45 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -44,7 +44,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0c1317ed8..e8bfd0c16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 86adacef0..1b35f684f 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -46,7 +46,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: 
> @@ -79,7 +79,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > @@ -109,7 +109,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > @@ -143,7 +143,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 040d3ab1c..cb9d9ce87 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 489a2ac2f..ed317a86f 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 1bf714d65..27c6ab125 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml 
@@ -24,7 +24,7 @@ jobs: timeout-minutes: 5 steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0cc1eea3e..92eb212e4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -54,7 +54,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > @@ -103,7 +103,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > @@ -143,7 +143,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > @@ -183,7 +183,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > @@ -225,7 +225,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde with: egress-policy: block allowed-endpoints: > From a04bf5ae8ddbac980656c628b9f2ff1ebbf07b47 Mon Sep 17 00:00:00 2001 
From: glitsj16 Date: Sun, 25 Aug 2024 19:39:29 +0000 Subject: [PATCH 25/80] docs: man: sort LANDLOCK section (firejail.1) Added on commit 13b2c566d ("feature: add Landlock support", 2023-10-24) / PR #6078. Relates to #6451. --- src/man/firejail.1.in | 117 +++++++++++++++++++++--------------------- 1 file changed, 59 insertions(+), 58 deletions(-) diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 4edb0902e..f024b19da 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in 
@@ -3408,64 +3408,6 @@ To enable AppArmor confinement on top of your current Firejail security features $ firejail --apparmor firefox #endif -#ifdef HAVE_LANDLOCK -.SH LANDLOCK -Warning: Landlock support in firejail is considered experimental and unstable. -The contents of landlock-common.inc are likely to change and the feature is -still being expanded upon in the Linux kernel. -Also, note that its functionality overlaps with existing firejail features, -such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. -Its filesystem access rules can currently only restrict direct access to paths; -it is not able to make only select paths appear in the sandbox such as with the -\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). -Lastly, note that depending on the Linux kernel version, Landlock may not -protect all of the relevant syscalls (see the kernel's Landlock documentation -for details). -Therefore, it is recommended to treat Landlock as an extra layer of protection, -to be used together with other firejail features (rather than as a bulletproof -mechanism by itself). -.PP -Landlock is a Linux security module first introduced in version 5.13 of the -Linux kernel. -It allows unprivileged processes to restrict their access to the filesystem. -Once imposed, these restrictions can never be removed, and all child processes -created by a Landlock-restricted processes inherit these restrictions. -Firejail supports Landlock as an additional sandboxing feature. -It can be used to ensure that a sandboxed application can only access files and -directories that it was explicitly allowed to access. -Firejail supports populating the ruleset with both a basic set of rules (see -landlock-common.inc) and with a custom set of rules. -.TP -Important notes: -.PP -.RS -- Currently only Landlock ABI version 1 is supported. 
-.PP -- If "lsm=" is used in the kernel command line, it should contain "landlock" -(such as "lsm=apparmor,landlock"), or else it will be disabled. -.PP -- A process can install a Landlock ruleset only if it has either -\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New -Privileges" restriction enabled. -Because of this, enabling the Landlock feature will also cause Firejail to -enable the "No New Privileges" restriction, regardless of the profile or the -\fB\-\-nonewprivs\fR command line option. -.PP -- Access to the /etc directory is automatically allowed. -To override this, use the \fB\-\-writable\-etc\fR command line option. -You can also use the \fB\-\-private\-etc\fR option to restrict access to the -/etc directory. -.RE -.PP -To enable Landlock self-restriction on top of your current Firejail security -features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. -Without it, the other Landlock commands have no effect. -Example: -.PP -$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc -.PP -To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. -#endif .SH DESKTOP INTEGRATION A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place 
@@ -3713,6 +3655,65 @@ Currently while scanning the file system, symbolic links are not followed, and f The program can also be run as root (sudo firejail --ids-init/--ids-check). #endif +#ifdef HAVE_LANDLOCK +.SH LANDLOCK +Warning: Landlock support in firejail is considered experimental and unstable. +The contents of landlock-common.inc are likely to change and the feature is +still being expanded upon in the Linux kernel. +Also, note that its functionality overlaps with existing firejail features, +such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. +Its filesystem access rules can currently only restrict direct access to paths; +it is not able to make only select paths appear in the sandbox such as with the +\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). +Lastly, note that depending on the Linux kernel version, Landlock may not +protect all of the relevant syscalls (see the kernel's Landlock documentation +for details). +Therefore, it is recommended to treat Landlock as an extra layer of protection, +to be used together with other firejail features (rather than as a bulletproof +mechanism by itself). +.PP +Landlock is a Linux security module first introduced in version 5.13 of the +Linux kernel. +It allows unprivileged processes to restrict their access to the filesystem. +Once imposed, these restrictions can never be removed, and all child processes +created by a Landlock-restricted processes inherit these restrictions. +Firejail supports Landlock as an additional sandboxing feature. +It can be used to ensure that a sandboxed application can only access files and +directories that it was explicitly allowed to access. +Firejail supports populating the ruleset with both a basic set of rules (see +landlock-common.inc) and with a custom set of rules. +.TP +Important notes: +.PP +.RS +- Currently only Landlock ABI version 1 is supported. 
+.PP +- If "lsm=" is used in the kernel command line, it should contain "landlock" +(such as "lsm=apparmor,landlock"), or else it will be disabled. +.PP +- A process can install a Landlock ruleset only if it has either +\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New +Privileges" restriction enabled. +Because of this, enabling the Landlock feature will also cause Firejail to +enable the "No New Privileges" restriction, regardless of the profile or the +\fB\-\-nonewprivs\fR command line option. +.PP +- Access to the /etc directory is automatically allowed. +To override this, use the \fB\-\-writable\-etc\fR command line option. +You can also use the \fB\-\-private\-etc\fR option to restrict access to the +/etc directory. +.RE +.PP +To enable Landlock self-restriction on top of your current Firejail security +features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. +Without it, the other Landlock commands have no effect. +Example: +.PP +$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc +.PP +To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. +#endif + .SH MONITORING Option \-\-list prints a list of all sandboxes. The format for each process entry is as follows: From 4268a3130bfb45dc4f3a53355c38983c75f9a3c3 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sun, 25 Aug 2024 19:39:29 +0000 Subject: [PATCH 26/80] docs: man: sort NAME VALIDATION section (firejail.1) This amends commit 6489138a5 ("docs: document NAME VALIDATION in firejail.txt", 2023-06-13) / PR #5856. Relates to #6451. --- src/man/firejail.1.in | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index f024b19da..16ea26288 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in 
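Review bot: The LANDLOCK section moves verbatim, so two pre-existing slips ride along in the added lines: "all child processes created by a Landlock-restricted processes inherit" should read "a Landlock-restricted process", and "pass \fB\-\-landlock.enforce\fR flag to Firejail command line" wants "pass the ... flag to the Firejail command line". Since the block is rewritten in this hunk anyway, fixing them here avoids a separate follow-up.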
@@ -3353,16 +3353,6 @@ $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox .br #endif .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c. -.SH NAME VALIDATION -For simplicity, the same name validation is used for multiple options. -Rules: -.PP -The name must be 1-253 characters long. -The name can only contain ASCII letters, digits and the special characters -"-._" (that is, the name cannot contain spaces or control characters). -The name cannot contain only digits. -The first and last characters must be an ASCII letter or digit and the name -may contain special characters in the middle. #ifdef HAVE_APPARMOR .SH APPARMOR .TP @@ -3771,6 +3761,17 @@ Sandbox running time in hours:minutes:seconds format. USER The owner of the sandbox. +.SH NAME VALIDATION +For simplicity, the same name validation is used for multiple options. +Rules: +.PP +The name must be 1-253 characters long. +The name can only contain ASCII letters, digits and the special characters +"-._" (that is, the name cannot contain spaces or control characters). +The name cannot contain only digits. +The first and last characters must be an ASCII letter or digit and the name +may contain special characters in the middle. + .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in /etc/passwd file for each user that needs to be restricted. Alternatively, From 05d7aaadc8feaf387aa2e98825750e21ac6d17de Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 1 Sep 2024 13:23:10 -0300 Subject: [PATCH 27/80] docs: man: sort FILE section (firecfg.1) Move the "FILES" section to right before the "LICENSE" section in firecfg.1.in, to match what is done in the other man pages. This amends commit ef6cfb8a2 ("firecfg: add ignore command and docs", 2023-06-29) / PR #5876. Relates to #6451. --- src/man/firecfg.1.in | 46 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) 
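Review bot: In the first firejail.1.in hunk, the `.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.` comment stays behind above `#ifdef HAVE_APPARMOR` while the NAME VALIDATION section it refers to moves down to just before RESTRICTED SHELL; move the comment with the section, otherwise it points at nothing and the cross-reference to util.c is lost for whoever edits the rules next.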
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index a50ed765e..e47014702 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in @@ -139,29 +139,6 @@ $ sudo firecfg --clean /usr/local/bin/vlc removed .br [...] -.SH FILES -.PP -Configuration files are searched for and parsed in the following paths: -.PP -.RS -1. /etc/firejail/firecfg.d/*.conf (in alphabetical order) -.br -2. /etc/firejail/firecfg.config -.RE -.PP -The programs that are supported by default are listed in -/etc/firejail/firecfg.config. -It is recommended to leave it as is and put all customizations inside -/etc/firejail/firecfg.d/. -.PP -Profile files are also searched in the user configuration directory: -.PP -.RS -3. ~/.config/firejail/*.profile -.RE -.PP -For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a -symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file. .SH SYNTAX Configuration file syntax: .PP @@ -200,6 +177,29 @@ following lines can to be used to ignore both: .br !spectacle .RE +.SH FILES +.PP +Configuration files are searched for and parsed in the following paths: +.PP +.RS +1. /etc/firejail/firecfg.d/*.conf (in alphabetical order) +.br +2. /etc/firejail/firecfg.config +.RE +.PP +The programs that are supported by default are listed in +/etc/firejail/firecfg.config. +It is recommended to leave it as is and put all customizations inside +/etc/firejail/firecfg.d/. +.PP +Profile files are also searched in the user configuration directory: +.PP +.RS +3. ~/.config/firejail/*.profile +.RE +.PP +For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a +symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file. .SH LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP 
From 780aea342a6b707453f0b4c29397671f972030de Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 10 Sep 2024 11:03:23 +0000 Subject: [PATCH 28/80] docs: man: sort commands (firejail.1) (#6451) Sort commands in firejail.1.in and sync the result with firejail-profile.5.in. * Commands: `--dbus-system.*`, `--dbus-user.*`, `--icmptrace`, `--ip=none`, `memory-deny-write-execute`, `--noinput` Relates to #3190 #3406 #4209. --- src/man/firejail-profile.5.in | 68 +++++++------- src/man/firejail.1.in | 164 +++++++++++++++++----------------- 2 files changed, 117 insertions(+), 115 deletions(-) diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 89784a984..4d725ed99 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in 
@@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu \fBdbus-system none Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. .TP -\fBdbus-system.own org.gnome.ghex.* -Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. -.TP -\fBdbus-system.talk org.freedesktop.Notifications -Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. -.TP -\fBdbus-system.see org.freedesktop.Notifications -Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. +\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. .TP \fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. .TP -\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications -Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. +\fBdbus-system.own org.gnome.ghex.* +Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. 
+.TP +\fBdbus-system.see org.freedesktop.Notifications +Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. +.TP +\fBdbus-system.talk org.freedesktop.Notifications +Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. .TP \fBdbus-user filter Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. 
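Review bot: the re-added `\fBdbus-system.own org.gnome.ghex.*` description still reads "all names underneath in on the system DBus", a pre-existing "in on" typo that this hunk moves verbatim; since the lines are being rewritten anyway, drop the stray "in" so the sorted entry is also correct.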
@@ -689,20 +689,20 @@ Enable filtered access to the session DBus. Filters can be specified with the db \fBdbus-user none Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. .TP -\fBdbus-user.own org.gnome.ghex.* -Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. -.TP -\fBdbus-user.talk org.freedesktop.Notifications -Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. -.TP -\fBdbus-user.see org.freedesktop.Notifications -Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. +\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. .TP \fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. .TP -\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications -Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. +\fBdbus-user.own org.gnome.ghex.* +Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. 
+.TP +\fBdbus-user.see org.freedesktop.Notifications +Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. +.TP +\fBdbus-user.talk org.freedesktop.Notifications +Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. .TP \fBnodbus \fR(deprecated) Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. @@ -866,20 +866,6 @@ net eth0 .br ip 10.10.20.56 -.TP -\fBip none -No IP address and no default gateway are configured for the last interface -defined by a net command. Use this option -in case you intend to start an external DHCP client in the sandbox. -.br - -.br -Example: -.br -net eth0 -.br -ip none - .TP \fBip dhcp Acquire an IP address and default gateway for the last interface defined by a @@ -907,6 +893,20 @@ If your DHCP server requires leases to be explicitly released, consider running a DHCP client and releasing the lease manually in conjunction with the net none command. +.TP +\fBip none +No IP address and no default gateway are configured for the last interface +defined by a net command. Use this option +in case you intend to start an external DHCP client in the sandbox. +.br + +.br +Example: +.br +net eth0 +.br +ip none + .TP \fBip6 address Assign IPv6 addresses to the last network interface defined by a net command. diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 16ea26288..bf447be93 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in 
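Review bot: in the firejail-profile.5.in dbus-user hunk above (@@ -689), the moved `\fBdbus-user.broadcast` line keeps the duplicated article "from the the interface" and the moved `\fBdbus-user.own` line keeps "underneath in on the session DBus"; both typos are carried over unchanged by the move, so fix them in the `+` lines rather than leaving a second pass for them.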
@@ -610,21 +610,6 @@ Example: .br $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* -.TP -\fB\-\-dbus-user.talk=name -Allows the application to talk to the specified well-known name on the session DBus. -The name may have a .* suffix to match all names underneath it, including itself -(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but -not "foobar"). -.br - -.br -Example: -.br -$ firejail --dbus-user=filter --dbus-user.talk=\\ -.br -org.freedesktop.Notifications - .TP \fB\-\-dbus-user.see=name Allows the application to see, but not talk to the specified well-known name on @@ -640,6 +625,21 @@ Example: $ firejail --dbus-user=filter --dbus-user.see=\\ .br org.freedesktop.Notifications + +.TP +\fB\-\-dbus-user.talk=name +Allows the application to talk to the specified well-known name on the session DBus. +The name may have a .* suffix to match all names underneath it, including itself +(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but +not "foobar"). +.br + +.br +Example: +.br +$ firejail --dbus-user=filter --dbus-user.talk=\\ +.br +org.freedesktop.Notifications #endif .TP \fB\-\-debug\fR 
@@ -888,6 +888,32 @@ Example: .br $ firejail \-\-hosts-file=~/myhosts firefox +.TP +\fB\-\-icmptrace[=name|pid] +Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes +created with \-\-net are supported. This option is only available when running the sandbox as root. +.br + +.br +Without a name/pid, Firejail will monitor the main system network namespace. +.br + +.br +Example +.br +$ sudo firejail --icmptrace +.br +20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 +.br +20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 +.br +20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 +.br +20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 +.br +20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable +.br + #ifdef HAVE_IDS .TP \fB\-\-ids-check @@ -924,32 +950,6 @@ $ firejail --ignore=seccomp --ignore=caps firefox $ firejail \-\-ignore="net eth0" firefox #endif -.TP -\fB\-\-icmptrace[=name|pid] -Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes -created with \-\-net are supported. This option is only available when running the sandbox as root. -.br - -.br -Without a name/pid, Firejail will monitor the main system network namespace. -.br - -.br -Example -.br -$ sudo firejail --icmptrace -.br -20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 -.br -20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 -.br -20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 -.br -20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 -.br -20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable -.br - .TP \fB\-\-\include=file.profile Include a profile file before the regular profiles are used. 
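Review bot: the moved `\fB\-\-icmptrace[=name|pid]` entry has a bare `Example` line where every neighbouring entry in this file (for instance the `--hosts-file` and `--dbus-user.see` entries visible in the surrounding hunks) uses `Example:`; add the colon while the block is being re-added so the sorted entry matches the file's convention.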
@@ -983,23 +983,6 @@ Example: .br $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox -.TP -\fB\-\-ip=none -No IP address and no default gateway are configured for the last interface -defined by a \-\-net option. Use this option -in case you intend to start an external DHCP client in the sandbox. -.br - -.br -Example: -.br -$ firejail \-\-net=eth0 \-\-\ip=none -.br - -.br -If the corresponding interface doesn't have an IP address configured, this -option is enabled by default. - .TP \fB\-\-ip=dhcp Acquire an IP address and default gateway for the last interface defined by a @@ -1025,6 +1008,23 @@ If your DHCP server requires leases to be explicitly released, consider running a DHCP client and releasing the lease manually in conjunction with the \-\-net=none option. +.TP +\fB\-\-ip=none +No IP address and no default gateway are configured for the last interface +defined by a \-\-net option. Use this option +in case you intend to start an external DHCP client in the sandbox. +.br + +.br +Example: +.br +$ firejail \-\-net=eth0 \-\-\ip=none +.br + +.br +If the corresponding interface doesn't have an IP address configured, this +option is enabled by default. + .TP \fB\-\-ip6=address Assign IPv6 addresses to the last network interface defined by a \-\-net option. 
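Review bot: the re-added `\fB\-\-ip=none` example line carries a stray escape, `$ firejail \-\-net=eth0 \-\-\ip=none`, where `\i` is not a troff escape and the intended text is `\-\-ip=none` (compare the `\-\-ip=10.10.20.56` example in the same hunk's context). A move is a good place to correct it; the series does fix it later in the "fix wrong escapes" patch, but the sorted entry should not be introduced broken.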
@@ -1323,6 +1323,21 @@ Example: .br $ firejail \-\-machine-id +.TP +\fB\-\-memory-deny-write-execute +Install a seccomp filter to block attempts to create memory mappings +that are both writable and executable, to change mappings to be +executable, or to create executable shared memory. The filter examines +the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create +and shmat system calls and returns error EPERM to the process (or +kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. +.br + +.br +Note: shmat is not implemented +as a system call on some platforms including i386, and it cannot be +handled by seccomp-bpf. + .TP \fB\-\-mkdir=dirname Create a directory in user home. Parent directories are created as needed. @@ -1343,20 +1358,6 @@ Example: .br $ firejail --mkfile=~/work/project/readme -.TP -\fB\-\-memory-deny-write-execute -Install a seccomp filter to block attempts to create memory mappings -that are both writable and executable, to change mappings to be -executable, or to create executable shared memory. The filter examines -the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create -and shmat system calls and returns error EPERM to the process (or -kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. -.br - -.br -Note: shmat is not implemented -as a system call on some platforms including i386, and it cannot be -handled by seccomp-bpf. #ifdef HAVE_NETWORK .TP \fB\-\-mtu=number @@ -1792,15 +1793,6 @@ Example: .br $ firejail \-\-nodvd .TP -\fB\-\-noinput -Disable input devices. -.br - -.br -Example: -.br -$ firejail \-\-noinput -.TP \fB\-\-noexec=dirname_or_filename Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. .br 
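Review bot: in the `\fB\-\-memory-deny-write-execute` region, the moved text says "(or kills it or log the attempt, see \-\-seccomp-error-action below)", which should read "logs the attempt" to agree with "kills it". Separately, the removal hunk deletes the blank line between `$ firejail --mkfile=~/work/project/readme` and `#ifdef HAVE_NETWORK`, so after the preprocessor directive is stripped there is no separator before the `--mtu` entry, whereas the `--icmptrace` move keeps a blank line before `#ifdef HAVE_IDS`; keep one blank line there for consistent spacing between entries.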
@@ -1844,6 +1836,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) .br $ +.TP +\fB\-\-noinput +Disable input devices. +.br + +.br +Example: +.br +$ firejail \-\-noinput + .TP \fB\-\-nonewprivs Sets the NO_NEW_PRIVS prctl. This ensures that child processes From b3d693063a6e5a4ed4c5020567f224f2be3d9803 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 12 Sep 2024 05:21:12 +0000 Subject: [PATCH 29/80] docs: man: fix bold in command TPs (#6472) Reset the bold right after each command/argument. Command used to check for issues: git grep -E ' \\fR' -- src/man/*.in Related commits: * e91b9ff0f ("Deprecate --nodbus option", 2020-04-07) / PR #3265 * 5a612029b ("rename noautopulse to keep-config-pulse", 2021-05-13) / PR #4278 * d79547ca9 ("docs: warn about limitations of landlock", 2024-03-31) / PR #6302 This is a follow-up to #6451. Relates to #6078. --- src/man/firejail-profile.5.in | 16 ++++++++-------- src/man/firejail.1.in | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 4d725ed99..79144b9fd 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in 
@@ -511,30 +511,30 @@ Blacklist all Linux capabilities. Whitelist given Linux capabilities. #ifdef HAVE_LANDLOCK .TP -\fBlandlock.enforce (experimental) +\fBlandlock.enforce\fR (experimental) Enforce the Landlock ruleset. .PP Without it, the other Landlock commands have no effect. .TP -\fBlandlock.fs.read path (experimental) +\fBlandlock.fs.read path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. .TP -\fBlandlock.fs.write path (experimental) +\fBlandlock.fs.write path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. .TP -\fBlandlock.fs.makeipc path (experimental) +\fBlandlock.fs.makeipc path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of named pipes (FIFOs) and Unix domain sockets beneath the given path. .TP -\fBlandlock.fs.makedev path (experimental) +\fBlandlock.fs.makedev path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of block devices and character devices beneath the given path. .TP -\fBlandlock.fs.execute path (experimental) +\fBlandlock.fs.execute path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. #endif @@ -704,7 +704,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati \fBdbus-user.talk org.freedesktop.Notifications Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. .TP -\fBnodbus \fR(deprecated) +\fBnodbus\fR (deprecated) Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. .TP .br @@ -804,7 +804,7 @@ name browser \fBno3d Disable 3D hardware acceleration. .TP -\fBnoautopulse \fR(deprecated) +\fBnoautopulse\fR (deprecated) See keep-config-pulse. .TP \fBnodvd 
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index bf447be93..d6949133d 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in @@ -1241,30 +1241,30 @@ $ firejail --keep-var-tmp #ifdef HAVE_LANDLOCK .TP -\fB\-\-landlock.enforce (experimental) +\fB\-\-landlock.enforce\fR (experimental) Enforce the Landlock ruleset. Without it, the other Landlock commands have no effect. See the \fBLANDLOCK\fR section for more information. .TP -\fB\-\-landlock.fs.read=path (experimental) +\fB\-\-landlock.fs.read=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. .TP -\fB\-\-landlock.fs.write=path (experimental) +\fB\-\-landlock.fs.write=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. .TP -\fB\-\-landlock.fs.makeipc=path (experimental) +\fB\-\-landlock.fs.makeipc=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of named pipes (FIFOs) and Unix domain sockets beneath the given path. .TP -\fB\-\-landlock.fs.makedev=path (experimental) +\fB\-\-landlock.fs.makedev=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of block devices and character devices beneath the given path. .TP -\fB\-\-landlock.fs.execute=path (experimental) +\fB\-\-landlock.fs.execute=path\fR (experimental) Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. .br @@ -1727,7 +1727,7 @@ Example: $ firejail --no3d firefox .TP -\fB\-\-noautopulse \fR(deprecated) +\fB\-\-noautopulse\fR (deprecated) See --keep-config-pulse. .TP 
@@ -1773,7 +1773,7 @@ $ nc dict.org 2628 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 .br .TP -\fB\-\-nodbus \fR(deprecated) +\fB\-\-nodbus\fR (deprecated) #ifdef HAVE_DBUSPROXY Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. .br From ef5ca496c6a5424b44dfbeea9b94cd7ff5694dd5 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 07:10:16 +0000 Subject: [PATCH 30/80] docs: man: fix wrong escapes (#6474) Remove extranous escape characters and fix bold escaping. Command used to check for unusual escape sequences: $ git grep -E -e '\\f[^BR]' -e '\\[^ "\f-]' -- src/man/*.in With this, the only escape sequences used are: $ git grep -E -ho -e '\\-' -e '\\[^-][^ ]?' -- src/man/*.in | LC_ALL=C sort | uniq -c 9 \" 1 \&. 1194 \- 23 \\ 507 \fB 127 \fR Related commits: * 137985136 ("Baseline firejail 0.9.28", 2015-08-08) * 1684c9ea7 ("Fixes for man firejail (#2628)", 2019-03-29) * 73525015e ("Clarify that file globbing occurs only at start", 2020-04-11) / PR #3347 * f54ee53b1 ("man text for --include command", 2021-03-05). This is a follow-up to #6472. Kind of relates to #5903. --- src/man/firejail-profile.5.in | 2 +- src/man/firejail.1.in | 24 ++++++++++++------------ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 79144b9fd..a6856212e 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in 
@@ -243,7 +243,7 @@ host filesystem. Each line describes a file/directory that is inaccessible a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), or mount-bind a directory or file on top of another directory or file (\fBbind\fR). Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and -HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section +HOME directories are searched, see the \fBfirejail\fR(1) \fBFILE GLOBBING\fR section for more details. Examples: .TP diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index d6949133d..47cb7ccde 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in @@ -951,7 +951,7 @@ $ firejail \-\-ignore="net eth0" firefox #endif .TP -\fB\-\-\include=file.profile +\fB\-\-include=file.profile Include a profile file before the regular profiles are used. .br @@ -1018,7 +1018,7 @@ in case you intend to start an external DHCP client in the sandbox. .br Example: .br -$ firejail \-\-net=eth0 \-\-\ip=none +$ firejail \-\-net=eth0 \-\-ip=none .br .br @@ -1070,7 +1070,7 @@ default gateway is assigned by default. .br Example: .br -$ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 +$ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150 .TP \fB\-\-ipc-namespace 
@@ -3453,37 +3453,37 @@ $ firejail --tree 1221:netblue:/usr/lib/firefox/firefox .RE -We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details. +We provide a tool that automates all this integration, please see \fBfirecfg\fR(1) for more details. .SH EXAMPLES .TP -\f\firejail +\fBfirejail Sandbox a regular shell session. .TP -\f\firejail firefox +\fBfirejail firefox Start Mozilla Firefox. .TP -\f\firejail \-\-debug firefox +\fBfirejail \-\-debug firefox Debug Firefox sandbox. .TP -\f\firejail \-\-private firefox +\fBfirejail \-\-private firefox Start Firefox with a new, empty home directory. .TP -\f\firejail --net=none vlc +\fBfirejail --net=none vlc Start VLC in an unconnected network namespace. #ifdef HAVE_NETWORK .TP -\f\firejail \-\-net=eth0 firefox +\fBfirejail \-\-net=eth0 firefox Start Firefox in a new network namespace. An IP address is assigned automatically. .TP -\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 +\fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 Start a shell session in a new network namespace and connect it to br0, br1, and br2 host bridge devices. IP addresses are assigned automatically for the interfaces connected to br1 and b2 #endif .TP -\f\firejail \-\-list +\fBfirejail \-\-list List all sandboxed processes. .SH FILE GLOBBING From 9bccccfa77a7a8fe1b201ce107d4ae2e9b2c019a Mon Sep 17 00:00:00 2001 
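Review bot: in the firejail.1.in EXAMPLES hunk above, two context lines sitting between the corrected `\fBfirejail` tags also deserve a touch: `\fBfirejail --net=none vlc` uses plain `--` while every sibling example writes `\-\-`, and the `--net=br0` description ends with "connected to br1 and b2", where "b2" should be "br2" to match the bridges named on the command line.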
From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 08:16:09 +0000 Subject: [PATCH 31/80] docs: github: streamline environment in issue templates (#6471) Changes: * Sync bug_report.md with build_issue.md (reword items and add Linux kernel item) * Add a colon to the end of every item (to clarify where to add the information) * Add the Environment section to feature_request.md The last item is intended as a basic sanity check, as users using an outdated version of firejail may request something that was already implemented (for example, see #6461). Relates to #4515 #6423. --- .github/ISSUE_TEMPLATE/bug_report.md | 7 ++++--- .github/ISSUE_TEMPLATE/build_issue.md | 12 ++++++------ .github/ISSUE_TEMPLATE/feature_request.md | 8 ++++++++ 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 37056a1ce..ec1b4a10f 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -47,10 +47,11 @@ _Any other detail that may help to understand/debug the problem_ ### Environment -- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") -- Firejail version (`firejail --version`). +- Name/version/arch of the Linux kernel (`uname -srm`): +- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): +- Version of Firejail (`firejail --version`): - If you use a development version of firejail, also the commit from which it - was compiled (`git rev-parse HEAD`). + was compiled (`git rev-parse HEAD`): ### Checklist diff --git a/.github/ISSUE_TEMPLATE/build_issue.md b/.github/ISSUE_TEMPLATE/build_issue.md index 7e0b822bb..11be8fbdf 100644 --- a/.github/ISSUE_TEMPLATE/build_issue.md +++ b/.github/ISSUE_TEMPLATE/build_issue.md 
@@ -64,9 +64,9 @@ _(Optional) Any other detail that may help to understand/debug the problem_ ### Environment -- Name/version/arch of the Linux kernel (e.g. the output of `uname -srm`) -- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux") -- Name/version of the C compiler (e.g. "gcc 14.1.1-1") -- Name/version of the libc (e.g. "glibc 2.40-1") -- Version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on Arch Linux) -- Version of the source code being built (e.g. the output of `git rev-parse HEAD`) +- Name/version/arch of the Linux kernel (`uname -srm`): +- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): +- Name/version of the C compiler (e.g. "gcc 14.1.1-1"): +- Name/version of the libc (e.g. "glibc 2.40-1"): +- Version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on Arch Linux): +- Version of the source code being built (`git rev-parse HEAD`): diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index ce1b70e39..08a5678e2 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -22,3 +22,11 @@ _A clear and concise description of any alternative solutions or features you've ### Additional context _Add any other context or screenshots about the feature request here._ + +### Environment + +- Name/version/arch of the Linux kernel (`uname -srm`): +- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): +- Version of Firejail (`firejail --version`): +- If you use a development version of firejail, also the commit from which it: + was compiled (`git rev-parse HEAD`): From 508394fbd89320a36af23c982c9676884cfa5fa1 Mon Sep 17 00:00:00 2001 
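Review bot: in the feature_request.md hunk the added item is split as `+- If you use a development version of firejail, also the commit from which it:` followed by `+  was compiled (`git rev-parse HEAD`):`, so the colon lands mid-sentence after "it". The same item in the bug_report.md hunk of this patch has the colon only at the end of the wrapped line; drop the one after "it" here so the two templates match.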
From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 05:14:56 -0300 Subject: [PATCH 32/80] docs: github: improve kernel headers item in build_issue.md Relates to #6423 #6471. --- .github/ISSUE_TEMPLATE/build_issue.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/build_issue.md b/.github/ISSUE_TEMPLATE/build_issue.md index 11be8fbdf..e9a0b2410 100644 --- a/.github/ISSUE_TEMPLATE/build_issue.md +++ b/.github/ISSUE_TEMPLATE/build_issue.md @@ -68,5 +68,6 @@ _(Optional) Any other detail that may help to understand/debug the problem_ - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): - Name/version of the C compiler (e.g. "gcc 14.1.1-1"): - Name/version of the libc (e.g. "glibc 2.40-1"): -- Version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on Arch Linux): +- Name/version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on + Arch Linux): - Version of the source code being built (`git rev-parse HEAD`): From 26f3e9bf5da63ac7eab3955e8df3a8f939c56bfd Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 08:50:02 +0000 Subject: [PATCH 33/80] profiles: video: add ~/.dvdcss (#6468) It's used by libdvdcss (which is used to play copy-restricted dvds). It seems to be just a cache directory, so just allow without mkdir. Relates to #5391. Suggested-by: @reinerh --- etc/inc/disable-programs.inc | 1 + etc/profile-a-l/ffmpeg.profile | 1 + etc/profile-a-l/handbrake.profile | 1 + etc/profile-m-z/mplayer.profile | 2 ++ etc/profile-m-z/mpv.profile | 2 ++ etc/profile-m-z/smplayer.profile | 1 + etc/profile-m-z/totem.profile | 2 ++ etc/profile-m-z/vlc.profile | 2 ++ 8 files changed, 12 insertions(+) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 49ca3836f..a233eaca1 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc 
@@ -728,6 +728,7 @@ blacklist ${HOME}/.dillo blacklist ${HOME}/.dooble blacklist ${HOME}/.dosbox blacklist ${HOME}/.dropbox* +blacklist ${HOME}/.dvdcss blacklist ${HOME}/.easystroke blacklist ${HOME}/.electron-cache blacklist ${HOME}/.electron-cash diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index af9d556db..895a7dbfb 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile @@ -9,6 +9,7 @@ include globals.local noblacklist ${MUSIC} noblacklist ${VIDEOS} +noblacklist ${HOME}/.dvdcss include disable-common.inc include disable-devel.inc diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile index e0ef23cce..0853a8d77 100644 --- a/etc/profile-a-l/handbrake.profile +++ b/etc/profile-a-l/handbrake.profile @@ -7,6 +7,7 @@ include handbrake.local include globals.local noblacklist ${HOME}/.config/ghb +noblacklist ${HOME}/.dvdcss noblacklist ${MUSIC} noblacklist ${VIDEOS} diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index bdb9fa51d..c4f989a77 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile @@ -6,6 +6,7 @@ include mplayer.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.mplayer include disable-common.inc @@ -16,6 +17,7 @@ include disable-programs.inc read-only ${DESKTOP} mkdir ${HOME}/.mplayer +whitelist ${HOME}/.dvdcss whitelist ${HOME}/.mplayer include whitelist-common.inc include whitelist-player-common.inc diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index b85002b00..1d03e894c 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile @@ -29,6 +29,7 @@ noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.config/yt-dlp noblacklist ${HOME}/.config/yt-dlp.conf +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.netrc noblacklist ${HOME}/yt-dlp.conf 
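Review bot: in the ffmpeg.profile hunk the new `noblacklist ${HOME}/.dvdcss` is appended after `noblacklist ${VIDEOS}`, but the handbrake.profile hunk in the same patch places it before `noblacklist ${MUSIC}` and `noblacklist ${VIDEOS}` (the `${HOME}` paths first, then the variables, as in the other profiles touched here); move the ffmpeg line above `${MUSIC}` so the ordering is consistent across the patch.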
@@ -60,6 +61,7 @@ whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.config/yt-dlp whitelist ${HOME}/.config/yt-dlp.conf +whitelist ${HOME}/.dvdcss whitelist ${HOME}/.local/state/mpv whitelist ${HOME}/.netrc whitelist ${HOME}/yt-dlp.conf diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index ece191b73..d2e872c5c 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile @@ -8,6 +8,7 @@ include globals.local noblacklist ${HOME}/.config/smplayer noblacklist ${HOME}/.config/youtube-dl +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.mplayer # Allow lua (blacklisted by disable-interpreters.inc) diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index 73d3b0b6f..4d5f4a1f0 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile @@ -14,6 +14,7 @@ include allow-lua.inc include allow-python3.inc noblacklist ${HOME}/.config/totem +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.local/share/totem include disable-common.inc @@ -27,6 +28,7 @@ read-only ${DESKTOP} mkdir ${HOME}/.config/totem mkdir ${HOME}/.local/share/totem whitelist ${HOME}/.config/totem +whitelist ${HOME}/.dvdcss whitelist ${HOME}/.local/share/totem whitelist /usr/share/totem include whitelist-common.inc diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index 34e580085..3fc36a625 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile @@ -9,6 +9,7 @@ include globals.local noblacklist ${HOME}/.cache/vlc noblacklist ${HOME}/.config/vlc noblacklist ${HOME}/.config/aacs +noblacklist ${HOME}/.dvdcss noblacklist ${HOME}/.local/share/vlc include disable-common.inc @@ -24,6 +25,7 @@ mkdir ${HOME}/.local/share/vlc whitelist ${HOME}/.cache/vlc whitelist ${HOME}/.config/vlc whitelist ${HOME}/.config/aacs +whitelist ${HOME}/.dvdcss whitelist ${HOME}/.local/share/vlc include whitelist-common.inc include whitelist-player-common.inc 
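Review bot: in the mplayer, totem and vlc hunks, `whitelist ${HOME}/.dvdcss` is added without a matching `mkdir ${HOME}/.dvdcss`, unlike the adjacent `mkdir ${HOME}/.mplayer` / `whitelist ${HOME}/.mplayer` and `mkdir ${HOME}/.local/share/vlc` / `whitelist ${HOME}/.local/share/vlc` pairs. A whitelist entry only binds a path that already exists on the host, so on a system where libdvdcss has not yet created ~/.dvdcss the cache ends up in the sandbox's temporary home and is lost on exit. The commit message says skipping mkdir is deliberate because it is just a cache; if so, record that in a comment next to the whitelist lines, otherwise add the mkdir so the profiles behave like their neighbours.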
From 1c059149c3cbab2b679065dcc96ea261634b4360 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 08:50:32 +0000 Subject: [PATCH 34/80] profiles: evolution: add /tmp/evolution-* & disable private-tmp (#6469) These paths are apparently used for attachments. Disable private-tmp to make it easier to open attachments with external programs. Relates to #5101. Reported-by: @githlp Suggested-by: @rusty-snake --- etc/inc/disable-programs.inc | 1 + etc/profile-a-l/evolution.profile | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index a233eaca1..371680b7b 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -1262,6 +1262,7 @@ blacklist ${RUNUSER}/qutebrowser blacklist /etc/ssmtp blacklist /tmp/.wine-* blacklist /tmp/akonadi-* +blacklist /tmp/evolution-* blacklist /tmp/i3-* blacklist /tmp/lwjgl_* blacklist /var/games/nethack diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 517bb6206..e703938eb 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile @@ -6,6 +6,7 @@ include evolution.local # Persistent global definitions include globals.local +noblacklist /tmp/evolution-* noblacklist /var/mail noblacklist /var/spool/mail noblacklist ${HOME}/.bogofilter @@ -41,7 +42,7 @@ protocol unix,inet,inet6 seccomp private-dev -private-tmp +#private-tmp writable-var restrict-namespaces From 4280cf487361abe2c981a2283875e8bcebc8c5cb Mon Sep 17 00:00:00 2001 
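Review bot: in the evolution.profile hunk, `-private-tmp` / `+#private-tmp` removes the private /tmp altogether rather than only exposing /tmp/evolution-*, so the sandbox now shares the host's whole /tmp with every other process on the system; the `noblacklist /tmp/evolution-*` line above it only affects what this profile un-hides, not what other sandboxes can see. If that trade-off is intended for opening attachments, add a comment above `#private-tmp` stating the reason and referencing #5101, so a later cleanup does not silently re-enable it and so readers know why this profile departs from the usual `private-dev` / `private-tmp` pairing visible in its context lines.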
From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 08:56:04 +0000 Subject: [PATCH 35/80] profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6473) It appears that LibreWolf 129 uses `io.gitlab.firefox.*` as the dbus name. Commands used to check the dbus name: $ busctl --user --no-legend | grep -v '^:' | grep librewolf | sed -E 's/(^[^ ]+\.)[^. ]+ .*/\1/' io.gitlab.firefox. Commands used to test dbus communication: # Open a new browser instance: $ firejail --name=lwtest --ignore=name --ignore='dbus-user none' \ --dbus-user=filter --dbus-user.own='io.gitlab.firefox.*' \ --private --net=none --ignore=net /usr/bin/librewolf # In another shell, try to open a new tab: $ firejail --join=lwtest /usr/bin/librewolf --new-tab about:blank # Check that the new tab was opened Related commits: * c3f299620 ("Let programs outside librewolf sandbox open new tabs in librewolf (#4546)", 2021-09-19) * a8ad9cad1 ("Update librewolf.profile: use new message bus", 2022-02-03) / PR #4897 * 4211ee323 ("merges", 2022-02-04) Fixes #6413. Misc: This was noticed on #6444. Reported-by: @Lonniebiz --- etc/profile-a-l/librewolf.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 8db82d364..650048807 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile @@ -30,6 +30,7 @@ whitelist /usr/share/librewolf private-etc librewolf dbus-user filter +dbus-user.own io.gitlab.firefox.* dbus-user.own io.gitlab.librewolf.* dbus-user.own org.mozilla.librewolf.* # Add the next line to your librewolf.local to enable native notifications. From 0e5ec2ce46f807d767be5c6cfb260f0f715a2c9b Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 06:00:48 -0300 Subject: [PATCH 36/80] RELNOTES: add docs and profile items Relates to #6413 #6451 #6471 #6472 #6473 #6474. --- RELNOTES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/RELNOTES b/RELNOTES index 4e55f9447..167627d54 100644 
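Review bot: on PATCH 35/80, `dbus-user.own io.gitlab.firefox.*` reads like a typo for the librewolf name to anyone looking at librewolf.profile without this commit; a short comment on the line, e.g. `# LibreWolf 129+ (see #6413)`, would keep it from being removed as an error. The wildcard lets the sandbox own every name under io.gitlab.firefox., which is the same granularity as the existing io.gitlab.librewolf.* and org.mozilla.librewolf.* lines, so it is consistent, and the new line is in sorted position.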
--- a/RELNOTES +++ b/RELNOTES @@ -114,6 +114,10 @@ firejail (0.9.73) baseline; urgency=low * docs: man: format and sort some private- items (#6398) * docs: man: improve blacklist/whitelist examples with spaces (#6425) * docs: add build_issue.md issue template (#6423) + * docs: man: sort commands (firejail.1) (#6451) + * docs: man: fix bold in command TPs (#6472) + * docs: man: fix wrong escapes (#6474) + * docs: github: streamline environment in issue templates (#6471) * legal: selinux.c: Split Copyright notice & use same license as upstream (#5667) * profiles: qutebrowser: fix links not opening in the existing instance @@ -140,6 +144,7 @@ firejail (0.9.73) baseline; urgency=low * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) * profiles: libreoffice: support signing documents with GPG (#6352 #6353) * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) + * profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473) * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500 From 3acf9be6d0172d574035200d35b9bdc8144645c2 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 07:42:40 -0300 Subject: [PATCH 37/80] RELNOTES: change modif item to removal Added on commit 0e48f9933 ("remove firemon --interface option - it is a duplication of firejail --net.print", 2023-03-08). --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 167627d54..0e029c7af 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -26,7 +26,6 @@ firejail (0.9.73) baseline; urgency=low * modif: Escape control characters of the command line (#5613) * modif: Allow mostly only ASCII letters and digits for sandbox name (--name=) and host name (--hostname=) (#5708 #5856) - * modif: remove firemon --interface option (duplicating --net.print option) * modif: make private-lib a configure-time option, disabled by default (see --enable-private-lib) (#5727 #5732) * modif: Improve --version/--help & print version on startup (#5829 #6172) @@ -36,6 +35,7 @@ firejail (0.9.73) baseline; urgency=low * modif: fcopy: Use lstat when copying directory (#5957) * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) + * removal: remove firemon --interface option (duplicating --net.print option) * removal: LTS and FIRETUNNEL support * bugfix: fix --hostname and --hosts-file commands * bugfix: fix examples in firejail-local AppArmor profile (#5717) From 009110a9718362016fb4f2f86506bbd148877e46 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 13 Sep 2024 07:45:10 -0300 Subject: [PATCH 38/80] RELNOTES: improve removal items Reword and add commit references. Related commits: * 0e48f9933 ("remove firemon --interface option - it is a duplication of firejail --net.print", 2023-03-08) * db09546f2 ("remove LTS and FIRETUNNEL support", 2023-12-23) --- RELNOTES | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index 0e029c7af..4965ae392 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -35,8 +35,9 @@ firejail (0.9.73) baseline; urgency=low * modif: fcopy: Use lstat when copying directory (#5957) * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) - * removal: remove firemon --interface option (duplicating --net.print option) - * removal: LTS and FIRETUNNEL support + * removal: firemon: remove --interface option (it duplicates the firejail + --net.print= option) (0e48f9933) + * removal: remove support for LTS and firetunnel (db09546f2) * bugfix: fix --hostname and --hosts-file commands * bugfix: fix examples in firejail-local AppArmor profile (#5717) * bugfix: arp.c: ensure positive timeout on select(2) (#5806) From eba4a1c090b321d3d23e163323e8b27d682ff169 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 14 Sep 2024 09:36:12 +0000 Subject: [PATCH 39/80] profiles: wesnoth: allow lua (#6476) Fixes the following error: $ LC_ALL=C firejail /usr/bin/wesnoth [...] /usr/bin/wesnoth: error while loading shared libraries: liblua++.so.5.4: cannot open shared object file: Permission denied Environment: lua 5.4.7-1, wesnoth 1:1.18.2-2 on Arch Linux. Fixes #6475. Reported-by: @marek22k --- etc/profile-m-z/wesnoth.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile index b6f29cfbf..90de16bdb 100644 --- a/etc/profile-m-z/wesnoth.profile +++ b/etc/profile-m-z/wesnoth.profile @@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/wesnoth noblacklist ${HOME}/.config/wesnoth noblacklist ${HOME}/.local/share/wesnoth +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc From f9ddf2f0373c0a857c32dd05f965a36f31a1283b Mon Sep 17 00:00:00 2001 
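Review bot: on PATCH 39/80, `include allow-lua.inc` is correctly placed before `include disable-interpreters.inc` (the noblacklist must precede the blacklist it overrides), but the error being fixed is only a failure to load liblua++.so.5.4; if allow-lua.inc also re-enables the lua interpreter binaries, a `noblacklist` limited to the shared library path would fix the crash while keeping more of disable-interpreters.inc in force. The commit message should say which of the two was intended.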
From: "Kelvin M. Klann" Date: Sat, 14 Sep 2024 07:35:17 -0300 Subject: [PATCH 40/80] profiles: nextcloud: sort entries Relates to #3997. --- etc/profile-m-z/QOwnNotes.profile | 6 +++--- etc/profile-m-z/nextcloud.profile | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index e7dba9cd5..6e8d39912 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile @@ -7,9 +7,9 @@ include QOwnNotes.local include globals.local noblacklist ${DOCUMENTS} -noblacklist ${HOME}/Nextcloud/Notes noblacklist ${HOME}/.config/PBE noblacklist ${HOME}/.local/share/PBE +noblacklist ${HOME}/Nextcloud/Notes include disable-common.inc include disable-devel.inc @@ -19,13 +19,13 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -mkdir ${HOME}/Nextcloud/Notes mkdir ${HOME}/.config/PBE mkdir ${HOME}/.local/share/PBE +mkdir ${HOME}/Nextcloud/Notes whitelist ${DOCUMENTS} -whitelist ${HOME}/Nextcloud/Notes whitelist ${HOME}/.config/PBE whitelist ${HOME}/.local/share/PBE +whitelist ${HOME}/Nextcloud/Notes include whitelist-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 960c494db..091d47728 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile @@ -6,9 +6,9 @@ include nextcloud.local # Persistent global definitions include globals.local -noblacklist ${HOME}/Nextcloud noblacklist ${HOME}/.config/Nextcloud noblacklist ${HOME}/.local/share/Nextcloud +noblacklist ${HOME}/Nextcloud # Add the next lines to your nextcloud.local to allow sync in more directories. #noblacklist ${DOCUMENTS} #noblacklist ${MUSIC} 
@@ -23,12 +23,12 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -mkdir ${HOME}/Nextcloud mkdir ${HOME}/.config/Nextcloud mkdir ${HOME}/.local/share/Nextcloud -whitelist ${HOME}/Nextcloud +mkdir ${HOME}/Nextcloud whitelist ${HOME}/.config/Nextcloud whitelist ${HOME}/.local/share/Nextcloud +whitelist ${HOME}/Nextcloud whitelist /usr/share/nextcloud # Add the next lines to your nextcloud.local to allow sync in more directories. #whitelist ${DOCUMENTS} @@ -61,15 +61,15 @@ tracelog disable-mnt private-bin nextcloud,nextcloud-desktop private-cache -private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release private-dev +private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release private-tmp # IMPORTANT: create ~/.local/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service # referencing the firejailed /usr/local/bin/nextcloud to keep nextcloud running sandboxed # even when its dbus name gets activated # see https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-sandbox-applications-started-via-systemd-or-d-bus-services -dbus-user filter +dbus-user filter dbus-user.own com.nextcloudgmbh.Nextcloud dbus-user.talk org.freedesktop.secrets ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher From 4f7cc368f85c84f06af016371b5f73bc5eae3b02 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 16 Sep 2024 13:22:57 +0000 Subject: [PATCH 41/80] profiles: nextcloud: fix access to ~/Nextcloud (#6478) Related commits: * 7c481eb43 ("Add QOwnNotes profile", 2018-10-20) * 49a381c70 ("Add nextcloud-desktop", 2021-02-20) / PR #3997 Fixes #5877. Reported-by: @Sadoon-AlBader --- etc/profile-m-z/QOwnNotes.profile | 1 + etc/profile-m-z/nextcloud.profile | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index 6e8d39912..023071f68 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile 
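Review bot: on PATCH 40/80, the nextcloud.profile hunk `-dbus-user filter` / `+dbus-user filter` shows no visible content change and is presumably a whitespace fix, and the subject "nextcloud: sort entries" does not mention that QOwnNotes.profile is also touched; both belong in the commit message so the diff can be checked as pure reordering plus a whitespace fix. Moving private-etc below private-dev and the ${HOME}/Nextcloud lines after the dot-directories matches the ordering used in the other profiles in this series.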
@@ -9,6 +9,7 @@ include globals.local noblacklist ${DOCUMENTS} noblacklist ${HOME}/.config/PBE noblacklist ${HOME}/.local/share/PBE +noblacklist ${HOME}/Nextcloud noblacklist ${HOME}/Nextcloud/Notes include disable-common.inc diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 091d47728..b6453f6a9 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile @@ -9,6 +9,7 @@ include globals.local noblacklist ${HOME}/.config/Nextcloud noblacklist ${HOME}/.local/share/Nextcloud noblacklist ${HOME}/Nextcloud +noblacklist ${HOME}/Nextcloud/Notes # Add the next lines to your nextcloud.local to allow sync in more directories. #noblacklist ${DOCUMENTS} #noblacklist ${MUSIC} From 3bbc6b59e10451018f84d6ba85a99b9142ddfb8e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 15 Sep 2024 14:36:01 -0300 Subject: [PATCH 42/80] profiles: ssh: sort entries Related commits: * 4747e0ed7 ("Whitelist runuser common (#3286)", 2020-03-31) * ebd4b3eea ("profiles: ssh: allow gpgagent socket for custom homedir (#6419)", 2024-08-07) --- etc/profile-m-z/ssh.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 1c4d85ea0..018e05230 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile @@ -19,11 +19,11 @@ include disable-exec.inc include disable-programs.inc whitelist ${RUNUSER}/gcr/ssh -whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup +whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup whitelist ${RUNUSER}/keyring/ssh -include whitelist-usr-share-common.inc include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all From 271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7 Mon Sep 17 00:00:00 2001 
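Review bot: on PATCH 41/80, `noblacklist ${HOME}/Nextcloud/Notes` in nextcloud.profile sits directly under `noblacklist ${HOME}/Nextcloud`, and `noblacklist ${HOME}/Nextcloud` in QOwnNotes.profile directly above `noblacklist ${HOME}/Nextcloud/Notes`; each pair is only needed if disable-programs.inc blacklists both paths separately. The commit message cites #5877 but not the blacklist entries, so it should state that both exist, otherwise one line of each pair is redundant. Exposure for QOwnNotes is unchanged, since its whitelist is still limited to ${HOME}/Nextcloud/Notes.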
From: "Kelvin M. Klann" Date: Thu, 19 Sep 2024 10:55:35 +0000 Subject: [PATCH 43/80] profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#6479) Based on the report by @Saren-Arterius[1]: Since GNOME gvfs 1.53+, the ssh client options `ControlMaster=auto` and `ControlPath=/run/user/$UID/gvfsd-sftp/%C` are used to mount sftp. Since `/run/user/$UID/gvfsd-sftp` is not whitelisted, gvfs sftp mount with nautilus will fail with a meaningless error message shown in the UI. Steps to reproduce[1]: Prepare ssh server or localhost, then run: ssh -o"ForwardX11 no" -o"ForwardAgent no" \ -o"PermitLocalCommand no" -o"ClearAllForwardings yes" \ -o"NoHostAuthenticationForLocalhost yes" \ -o"ControlMaster auto" \ -o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" \ -s {SSH_HOST} sftp stderr shows: unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory And ssh exits with error code 255. Fixes #5816. [1] https://github.com/netblue30/firejail/issues/5816#issue-1695295931 Reported-by: @Saren-Arterius Suggested-by: @Saren-Arterius Reported-by: @Alex-Farol Reported-by: @mirko --- etc/profile-m-z/ssh.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 018e05230..96839d082 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile @@ -21,6 +21,7 @@ include disable-programs.inc whitelist ${RUNUSER}/gcr/ssh whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup +whitelist ${RUNUSER}/gvfsd-sftp whitelist ${RUNUSER}/keyring/ssh include whitelist-runuser-common.inc include whitelist-usr-share-common.inc From f833a492cdf2de86ed0b533a095d0986bfb2cdd5 Mon Sep 17 00:00:00 2001 
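Review bot: on PATCH 43/80, `whitelist ${RUNUSER}/gvfsd-sftp` only helps if the directory already exists on the host when the sandbox starts, and the reproduction in the commit message ends with ssh failing with "No such file or directory" on the ControlPath; if gvfs creates the directory lazily, the profile may also need a `mkdir ${RUNUSER}/gvfsd-sftp` before the whitelist, as the nextcloud and QOwnNotes profiles in this series do for their whitelisted directories, and the commit message should say whether the absent-directory case was tested. Whitelisting the directory rather than a file is the right granularity given the hashed `%C` socket names, with the caveat that every process in the ssh sandbox can then reuse any ControlMaster session socket in it.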
From: "Kelvin M. Klann" Date: Thu, 19 Sep 2024 10:15:34 -0300 Subject: [PATCH 44/80] tests: partially disable private-home.exp to fix ci This test started failing today with "TESTING ERROR 3". Log from a CI re-run of test-fs on commit 897f12dd8 ("build(deps): bump step-security/harden-runner from 2.9.0 to 2.9.1", 2024-09-01) / PR #6455[1]: 2024-09-19T13:39:04.5681290Z TESTING: private home (test/fs/private-home.exp) 2024-09-19T13:39:04.5713434Z spawn /bin/bash 2024-09-19T13:39:05.2772248Z touch ~/_firejail_test_file1 2024-09-19T13:39:05.2773779Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2774475Z Date: Thu, 19 Sep 2024 14:37:11 +0000 Subject: [PATCH 45/80] profiles: firecfg: disable text editors (#6477) Disable common general-purpose text editors. They are likely to be the default OS text editor and users may want to use them for editing most/all files, which could include common sensitive files such as ~/.bashrc and profiles in ~/.config/firejail. Fixes #6002. Relates to #924 #941 #1154. Reported-by: @ilikenwf --- src/firecfg/firecfg.config | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 08170bee6..1265254aa 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -320,9 +320,9 @@ gcalccmd gcloud gconf-editor gdu -geany +#geany # text editor (see #6002) #geary # webkit2gtk-4.x requires bwrap (see #3647) -gedit +#gedit # text editor (see #6002) geekbench geeqie geki2 @@ -463,7 +463,7 @@ kaffeine kalgebra kalgebramobile karbon -kate +#kate # text editor (see #6002) kazam kcalc #kdeinit4 @@ -499,11 +499,11 @@ ktorrent ktouch kube #kwin_x11 -kwrite +#kwrite # text editor (see #6002) lbreakouthd lbry-viewer lbry-viewer-gtk -leafpad +#leafpad # text editor (see #6002) #less # breaks man lettura librecad 
@@ -588,7 +588,7 @@ minitube mirage mirrormagic mocp -mousepad +#mousepad # text editor (see #6002) mov-cli mp3splt mp3splt-gtk @@ -722,7 +722,7 @@ pix planmaker18 planmaker18free playonlinux -pluma +#pluma # text editor (see #6002) plv pngquant polari @@ -992,7 +992,7 @@ x2goclient xbill xcalc xchat -xed +#xed # text editor (see #6002) xfburn xfce4-dict xfce4-mixer From 1b2d18e7f41a52cb699295d5919b1243f01c548c Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 19 Sep 2024 11:40:16 -0300 Subject: [PATCH 46/80] RELNOTES: add profile items Relates to #5816 #5877 #6002 #6477 #6478 #6479. --- RELNOTES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/RELNOTES b/RELNOTES index 4965ae392..6fcee8360 100644 --- a/RELNOTES +++ b/RELNOTES @@ -146,6 +146,9 @@ firejail (0.9.73) baseline; urgency=low * profiles: libreoffice: support signing documents with GPG (#6352 #6353) * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) * profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473) + * profiles: nextcloud: fix access to ~/Nextcloud (#5877 #6478) + * profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#5816 #6479) + * profiles: firecfg: disable text editors (#6002 #6477) * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500 From 98e81eab8fc3ae39a2563f3431f402c0a63d8616 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 14 Jul 2024 01:24:45 -0300 Subject: [PATCH 47/80] profiles: browsers: sort blacklist entries See etc/templates/profile.template. Added on commit f3d126bf1 ("disable curl and wget in browsers based on firefox and chromium", 2021-12-18). Relates to #4852. --- etc/profile-a-l/chromium-common.profile | 8 ++++---- etc/profile-a-l/firefox-common.profile | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 37bfa0bfe..3397cc20d 100644 
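Review bot: on PATCH 45/80, every commented-out editor carries the same `# text editor (see #6002)` tag, which is good, but the user-visible effect belongs in the commit message and the RELNOTES item: firecfg will no longer create sandbox symlinks for geany, gedit, kate, kwrite, leafpad, mousepad, pluma and xed, and the stated reason is that users want these editors to reach files such as ~/.bashrc and ~/.config/firejail that the sandbox deliberately keeps away from them. Users who preferred the sandboxed editor should be told they can keep it by launching the editor through firejail explicitly.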
--- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile @@ -17,6 +17,10 @@ noblacklist /usr/lib/chromium/chrome-sandbox # to have access to Gnome extensions (extensions.gnome.org) via browser connector #include allow-python3.inc +blacklist ${PATH}/curl +blacklist ${PATH}/wget +blacklist ${PATH}/wget2 + mkdir ${HOME}/.local/share/pki mkdir ${HOME}/.pki whitelist ${HOME}/.local/share/pki @@ -35,10 +39,6 @@ include whitelist-run-common.inc ?BROWSER_DISABLE_U2F: private-dev #private-tmp # issues when using multiple browser sessions -blacklist ${PATH}/curl -blacklist ${PATH}/wget -blacklist ${PATH}/wget2 - # This prevents access to passwords saved in GNOME Keyring and KWallet, also # breaks Gnome connector. #dbus-user none diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 9c8601e7b..b3e38698f 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -17,6 +17,10 @@ include firefox-common.local noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.pki +blacklist ${PATH}/curl +blacklist ${PATH}/wget +blacklist ${PATH}/wget2 + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -66,10 +70,6 @@ disable-mnt private-etc @tls-ca,@x11,mailcap,mime.types,os-release private-tmp -blacklist ${PATH}/curl -blacklist ${PATH}/wget -blacklist ${PATH}/wget2 - # 'dbus-user none' breaks various desktop integration features like global menus, native notifications, # Gnome connector, KDE connect and power management on KDE Plasma. dbus-user none From b787548b1d004e1e055e4c9c5033687ccd9c3754 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Sun, 14 Jul 2024 01:06:53 -0300 Subject: [PATCH 48/80] profiles: browsers: centralize/sync keepassxc extension comment Centralize it on firefox-common and copy it to chromium-common. Relates to #3984 #6391. --- etc/profile-a-l/cachy-browser.profile | 5 ----- etc/profile-a-l/chromium-common.profile | 7 +++++++ etc/profile-a-l/firefox-common.profile | 7 +++++++ etc/profile-a-l/firefox.profile | 5 ----- etc/profile-a-l/floorp.profile | 5 ----- etc/profile-a-l/librewolf.profile | 5 ----- 6 files changed, 14 insertions(+), 20 deletions(-) diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 6218dbbe8..f415deaad 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile @@ -19,11 +19,6 @@ whitelist /usr/share/cachy-browser #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla -# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local. -# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). #private-bin dbus-launch,dbus-send,cachy-browser,sh private-etc cachy-browser diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 3397cc20d..3a368dafb 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile 
@@ -9,6 +9,13 @@ include chromium-common.local # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} +# To enable support for the KeePassXC extension, add the following lines to +# chromium-common.local. +# Note: Start KeePassXC before the web browser and keep it open to allow +# communication between them. +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.pki noblacklist /usr/lib/chromium/chrome-sandbox diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index b3e38698f..4c1d0cf06 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -11,6 +11,13 @@ include firefox-common.local # noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon. ?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER} +# To enable support for the KeePassXC extension, add the following lines to +# firefox-common.local. +# Note: Start KeePassXC before the web browser and keep it open to allow +# communication between them. +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. #include firefox-common-addons.profile diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 009a0d119..7d1cdef2d 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile 
@@ -29,11 +29,6 @@ mkdir ${HOME}/.mozilla whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla -# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. -# Note: Start KeePassXC before Firefox and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - whitelist /usr/share/firefox whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini whitelist ${RUNUSER}/*firefox* diff --git a/etc/profile-a-l/floorp.profile b/etc/profile-a-l/floorp.profile index 49caed107..20c551d1c 100644 --- a/etc/profile-a-l/floorp.profile +++ b/etc/profile-a-l/floorp.profile @@ -18,11 +18,6 @@ whitelist ${HOME}/.floorp #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla -# To enable KeePassXC Plugin add one of the following lines to your floorp.local. -# Note: Start KeePassXC before floorp and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - dbus-user filter dbus-user.own org.mozilla.floorp.* # Add the next line to your floorp.local to enable native notifications. diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 650048807..1c7990121 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile @@ -18,11 +18,6 @@ whitelist ${HOME}/.librewolf #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla -# To enable KeePassXC Plugin add one of the following lines to your librewolf.local. -# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them. -#whitelist ${RUNUSER}/kpxc_server -#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer - whitelist /usr/share/librewolf # Add the next line to your librewolf.local to enable private-bin (Arch Linux). From 4fb5189a0d765cca965bc394c27d1fa69514fa02 Mon Sep 17 00:00:00 2001 
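Review bot: on PATCH 48/80, the removed per-browser comments said to add "one of the following lines" (the two KeePassXC socket names are alternatives), while the centralized comment in chromium-common.profile and firefox-common.profile says "add the following lines"; if the change to both is intentional, say so in the commit message, otherwise keep "one of". The new comment also points at chromium-common.local / firefox-common.local, which enables the KeePassXC socket for every browser built on that common profile; a clause noting that the browser-specific .local (e.g. firefox.local) still works for a single browser would preserve what the removed comments offered.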
From: "Kelvin M. Klann" Date: Sun, 14 Jul 2024 01:14:44 -0300 Subject: [PATCH 49/80] profiles: firefox-common: centralize migration wizard comment Relates to #3014. --- etc/profile-a-l/cachy-browser.profile | 4 ---- etc/profile-a-l/firefox-common.profile | 5 +++++ etc/profile-a-l/floorp.profile | 4 ---- etc/profile-a-l/librewolf.profile | 4 ---- 4 files changed, 5 insertions(+), 12 deletions(-) diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index f415deaad..879eafebc 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile @@ -15,10 +15,6 @@ whitelist ${HOME}/.cache/cachy whitelist ${HOME}/.cachy whitelist /usr/share/cachy-browser -# Add the next lines to your cachy-browser.local if you want to use the migration wizard. -#noblacklist ${HOME}/.mozilla -#whitelist ${HOME}/.mozilla - # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). #private-bin dbus-launch,dbus-send,cachy-browser,sh private-etc cachy-browser diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 4c1d0cf06..1de2fb254 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -11,6 +11,11 @@ include firefox-common.local # noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon. ?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER} +# Add the next lines to firefox-common.local if you want to use the migration +# wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + # To enable support for the KeePassXC extension, add the following lines to # firefox-common.local. # Note: Start KeePassXC before the web browser and keep it open to allow diff --git a/etc/profile-a-l/floorp.profile b/etc/profile-a-l/floorp.profile index 20c551d1c..ebfa6d1f8 100644 --- a/etc/profile-a-l/floorp.profile +++ b/etc/profile-a-l/floorp.profile 
@@ -14,10 +14,6 @@ mkdir ${HOME}/.floorp whitelist ${HOME}/.cache/floorp whitelist ${HOME}/.floorp -# Add the next lines to your floorp.local if you want to use the migration wizard. -#noblacklist ${HOME}/.mozilla -#whitelist ${HOME}/.mozilla - dbus-user filter dbus-user.own org.mozilla.floorp.* # Add the next line to your floorp.local to enable native notifications. diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 1c7990121..11693a0d8 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile @@ -14,10 +14,6 @@ mkdir ${HOME}/.librewolf whitelist ${HOME}/.cache/librewolf whitelist ${HOME}/.librewolf -# Add the next lines to your librewolf.local if you want to use the migration wizard. -#noblacklist ${HOME}/.mozilla -#whitelist ${HOME}/.mozilla - whitelist /usr/share/librewolf # Add the next line to your librewolf.local to enable private-bin (Arch Linux). From 21a5775b30c4a14bbaab3088b4e3a5a3e293303e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 14 Jul 2024 01:20:39 -0300 Subject: [PATCH 50/80] profiles: firefox-common: centralize dbus comments Relates to #3326 #6285 #6444. --- etc/profile-a-l/cachy-browser.profile | 13 ------------- etc/profile-a-l/firefox-common.profile | 16 ++++++++++++++++ etc/profile-a-l/firefox.profile | 14 -------------- etc/profile-a-l/floorp.profile | 13 ------------- etc/profile-a-l/librewolf.profile | 13 ------------- 5 files changed, 16 insertions(+), 53 deletions(-) diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 879eafebc..4500d41bf 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile 
@@ -21,19 +21,6 @@ private-etc cachy-browser dbus-user filter dbus-user.own org.mozilla.cachybrowser.* -# Add the next line to your cachy-browser.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your cachy-browser.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your cachy-browser.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kuiserver -# Add the next line to your cachy-browser.local to allow screensharing under Wayland. -#dbus-user.talk org.freedesktop.portal.Desktop -# Also add the next line to your cachy-browser.local if screensharing does not work with -# the above lines (depends on the portal implementation). -#ignore noroot ignore dbus-user none # Redirect diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 1de2fb254..2467d5dc9 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile 
@@ -87,4 +87,20 @@ private-tmp dbus-user none dbus-system none +# Add the next line to firefox-common.local to enable native notifications. +#dbus-user.talk org.freedesktop.Notifications +# Add the next line to firefox-common.local to allow inhibiting screensavers. +#dbus-user.talk org.freedesktop.ScreenSaver +# Add the next lines to firefox-common.local for plasma browser integration. +#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kdeconnect +#dbus-user.talk org.kde.kuiserver +# Add the next line to firefox-common.local to allow screensharing under +# Wayland. +#dbus-user.talk org.freedesktop.portal.Desktop +# Also add the next line to firefox-common.local if screensharing does not work +# with the above lines (depends on the portal implementation). +#ignore noroot + #restrict-namespaces diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 7d1cdef2d..92a44c209 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile 
@@ -43,20 +43,6 @@ private-etc firefox dbus-user filter dbus-user.own org.mozilla.* dbus-user.own org.mpris.MediaPlayer2.firefox.* -# Add the next line to your firefox.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your firefox.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your firefox.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kdeconnect -#dbus-user.talk org.kde.kuiserver -# Add the next line to your firefox.local to allow screen sharing under wayland. -#dbus-user.talk org.freedesktop.portal.Desktop -# Add the next line to your firefox.local if screen sharing sharing still does not work -# with the above lines (might depend on the portal implementation). -#ignore noroot ignore dbus-user none # Redirect diff --git a/etc/profile-a-l/floorp.profile b/etc/profile-a-l/floorp.profile index ebfa6d1f8..8a5932876 100644 --- a/etc/profile-a-l/floorp.profile +++ b/etc/profile-a-l/floorp.profile 
@@ -16,19 +16,6 @@ whitelist ${HOME}/.floorp dbus-user filter dbus-user.own org.mozilla.floorp.* -# Add the next line to your floorp.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your floorp.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your floorp.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kuiserver -# Add the next line to your floorp.local to allow screensharing under Wayland. -#dbus-user.talk org.freedesktop.portal.Desktop -# Also add the next line to your floorp.local if screensharing does not work with -# the above lines (depends on the portal implementation). -#ignore noroot ignore apparmor ignore dbus-user none diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 11693a0d8..da41ca781 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile 
@@ -24,19 +24,6 @@ dbus-user filter dbus-user.own io.gitlab.firefox.* dbus-user.own io.gitlab.librewolf.* dbus-user.own org.mozilla.librewolf.* -# Add the next line to your librewolf.local to enable native notifications. -#dbus-user.talk org.freedesktop.Notifications -# Add the next line to your librewolf.local to allow inhibiting screensavers. -#dbus-user.talk org.freedesktop.ScreenSaver -# Add the next lines to your librewolf.local for plasma browser integration. -#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration -#dbus-user.talk org.kde.JobViewServer -#dbus-user.talk org.kde.kuiserver -# Add the next line to your librewolf.local to allow screensharing under Wayland. -#dbus-user.talk org.freedesktop.portal.Desktop -# Also add the next line to your librewolf.local if screensharing does not work with -# the above lines (depends on the portal implementation). -#ignore noroot ignore apparmor ignore dbus-user none From 49d21b074042020054cfe17fb22ca580b92bd20b Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 14 Jul 2024 01:41:27 -0300 Subject: [PATCH 51/80] profiles: browsers: format and improve comments --- etc/profile-a-l/cachy-browser.profile | 6 ++--- etc/profile-a-l/chromium-common.profile | 11 +++++---- etc/profile-a-l/firefox-common-addons.profile | 2 +- etc/profile-a-l/firefox-common.profile | 23 ++++++++++++------- etc/profile-a-l/firefox.profile | 12 +++++----- etc/profile-a-l/librewolf.profile | 4 ++-- 6 files changed, 33 insertions(+), 25 deletions(-) diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 4500d41bf..6bebbf7b0 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile 
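Review bot: the centralized block this series moves into firefox-common.profile includes `#dbus-user.talk org.kde.kdeconnect`, which the removed floorp and librewolf blocks never had (only the removed firefox.profile block did), so for those two profiles this is a unification on the firefox list rather than a pure move. That is fine for commented suggestions, but it is worth a sentence in the commit message or the RELNOTES item so nobody reads the diff as behaviour-neutral.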
@@ -1,5 +1,5 @@ -# Firejail profile for Cachy-Browser -# Description: Librewolf fork based on enhanced privacy with gentoo patchset +# Firejail profile for cachy-browser +# Description: Librewolf fork based on enhanced privacy with Gentoo patchset # This file is overwritten after every install/update # Persistent local customizations include cachy-browser.local @@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/cachy whitelist ${HOME}/.cachy whitelist /usr/share/cachy-browser -# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). +# Add the next line to cachy-browser.local to enable private-bin. #private-bin dbus-launch,dbus-send,cachy-browser,sh private-etc cachy-browser diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 3a368dafb..928514ebc 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile @@ -20,8 +20,9 @@ noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.pki noblacklist /usr/lib/chromium/chrome-sandbox -# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser -# to have access to Gnome extensions (extensions.gnome.org) via browser connector +# Add the next line to chromium-common.local if you want the web browser to +# have access to Gnome extensions (extensions.gnome.org) via the browser +# connector. #include allow-python3.inc blacklist ${PATH}/curl @@ -38,7 +39,7 @@ include whitelist-run-common.inc # If your kernel allows the creation of user namespaces by unprivileged users # (for example, if running `unshare -U echo enabled` prints "enabled"), you -# can add the next line to your chromium-common.local. +# can add the next line to chromium-common.local. #include chromium-common-hardened.inc.profile ?BROWSER_DISABLE_U2F: nou2f 
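Review bot: dropping `(Arch Linux)` from the cachy-browser private-bin hint loses the only indication of which distribution that binary list was written for, and the same list may not be enough for launchers on other distributions (the firefox.profile hunk later in this patch keeps "Arch and Fedora" for exactly that reason). Suggest keeping the qualifier, e.g. `# Add the next line to cachy-browser.local to enable private-bin (tested on Arch Linux).`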
@@ -46,8 +47,8 @@ include whitelist-run-common.inc ?BROWSER_DISABLE_U2F: private-dev #private-tmp # issues when using multiple browser sessions -# This prevents access to passwords saved in GNOME Keyring and KWallet, also -# breaks Gnome connector. +# Note: This prevents access to passwords saved in GNOME Keyring and KWallet +# and breaks Gnome connector. #dbus-user none # The file dialog needs to work without d-bus. diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index 5e3d0983d..932e18ccc 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile @@ -79,7 +79,7 @@ whitelist ${HOME}/dwhelper whitelist /usr/share/lua* whitelist /usr/share/mpv -# GNOME Shell integration (chrome-gnome-shell) needs dbus and python +# GNOME Shell integration (chrome-gnome-shell) needs dbus and python. noblacklist ${HOME}/.local/share/gnome-shell whitelist ${HOME}/.local/share/gnome-shell dbus-user.talk ca.desrt.dconf diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 2467d5dc9..3284821eb 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -23,7 +23,8 @@ include firefox-common.local #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer -# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. +# Add the next line to firefox-common.local to allow access to common +# programs/addons/plugins. #include firefox-common-addons.profile noblacklist ${HOME}/.local/share/pki 
@@ -59,31 +60,37 @@ apparmor # Fixme! apparmor-replace caps.drop all -# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. +# Note: machine-id breaks pulseaudio; add it to firefox-common.local if sound +# is not required. #machine-id netfilter nodvd nogroups noinput nonewprivs -# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. +# Note: noroot breaks GTK_USE_PORTAL=1 usage; see +# https://github.com/netblue30/firejail/issues/2506. noroot notv ?BROWSER_DISABLE_U2F: nou2f protocol unix,inet,inet6,netlink -# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. +# Note: The seccomp line below still permits the chroot syscall; see +# https://github.com/netblue30/firejail/issues/2506 for possible workarounds. seccomp !chroot -# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. +# Note: tracelog may break or cause major issues with many Firefox-based +# browsers; see https://github.com/netblue30/firejail/issues/1930. #tracelog disable-mnt ?BROWSER_DISABLE_U2F: private-dev -# private-etc below works fine on most distributions. There could be some problems on CentOS. +# Note: The private-etc line below works fine on most distributions but it +# could cause problems on CentOS. private-etc @tls-ca,@x11,mailcap,mime.types,os-release private-tmp -# 'dbus-user none' breaks various desktop integration features like global menus, native notifications, -# Gnome connector, KDE connect and power management on KDE Plasma. +# Note: `dbus-user none` breaks various desktop integration features like +# global menus, native notifications, Gnome connector, KDE Connect and power +# management on KDE Plasma. dbus-user none dbus-system none 
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 92a44c209..92b7eb1c7 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile @@ -6,10 +6,10 @@ include firefox.local # Persistent global definitions include globals.local -# Note: Sandboxing web browsers is as important as it is complex. Users might be -# interested in creating custom profiles depending on use case (e.g. one for -# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more -# info. Here are a few links to get you going. +# Note: Sandboxing web browsers is as important as it is complex. Users might +# be interested in creating custom profiles depending on the use case (e.g. one +# for general browsing, another for banking, ...). Consult our FAQ/issue +# tracker for more information. Here are a few links to get you going: # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 @@ -34,9 +34,9 @@ whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini whitelist ${RUNUSER}/*firefox* whitelist ${RUNUSER}/psd/*firefox* -# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. +# Note: Firefox requires a shell to launch on Arch and Fedora. +# Add the next lines to firefox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which -# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin. #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname private-etc firefox 
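Review bot: merging the two private-bin hints into one "Arch and Fedora" note loses which list is which: the removed comments said the first `#private-bin` line is for Arch and the second (with basename, getenforce, restorecon, ...) is for Fedora's launcher scripts. Suggest keeping a one-line tag above each, e.g. `# Arch:` / `# Fedora:`, so a user copies only the line that matches their system.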
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index da41ca781..23d2f78c2 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile @@ -1,4 +1,4 @@ -# Firejail profile for Librewolf +# Firejail profile for librewolf # Description: Firefox fork based on privacy # This file is overwritten after every install/update # Persistent local customizations @@ -16,7 +16,7 @@ whitelist ${HOME}/.librewolf whitelist /usr/share/librewolf -# Add the next line to your librewolf.local to enable private-bin (Arch Linux). +# Add the next line to librewolf.local to enable private-bin. #private-bin dbus-launch,dbus-send,librewolf,sh private-etc librewolf From c2cd8b72c6d07c5f3e84cc347580884c4710badd Mon Sep 17 00:00:00 2001 From: qdii Date: Sat, 28 Sep 2024 14:54:24 +0200 Subject: [PATCH 52/80] profiles: keepassxc: add new socket location (#6391) The KeePassXC browser extension looks for the KeePassXC socket at `${RUNUSER}/app/org.keepassxc.KeePassXC`[1]. But `${RUNUSER}/app` seems to be blacklisted in disable-common.inc under the flatpak section[2], so the KeePassXC extension cannot connect to it. Fixes #5447. Relates to #3984. [1] https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41 [2] https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc#L667 --- etc/profile-a-l/chromium-common.profile | 2 ++ etc/profile-a-l/firefox-common-addons.profile | 1 + etc/profile-a-l/firefox-common.profile | 2 ++ etc/profile-a-l/keepassxc.profile | 4 ++++ 4 files changed, 9 insertions(+) diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 928514ebc..8d4f3fc9a 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile 
@@ -13,6 +13,8 @@ include chromium-common.local # chromium-common.local. # Note: Start KeePassXC before the web browser and keep it open to allow # communication between them. +#noblacklist ${RUNUSER}/app +#whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index 932e18ccc..bf811cb2d 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile @@ -4,6 +4,7 @@ include firefox-common-addons.local # Prevent whitelisting in ${RUNUSER} ignore whitelist ${RUNUSER}/*firefox* +ignore whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC ignore whitelist ${RUNUSER}/psd/*firefox* ignore whitelist ${RUNUSER}/kpxc_server ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 3284821eb..289bdc406 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -20,6 +20,8 @@ include firefox-common.local # firefox-common.local. # Note: Start KeePassXC before the web browser and keep it open to allow # communication between them. +#noblacklist ${RUNUSER}/app +#whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 4e8c8e449..7a1227442 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile @@ -13,6 +13,7 @@ noblacklist ${HOME}/.config/keepassxc noblacklist ${HOME}/.config/KeePassXCrc noblacklist ${HOME}/.keepassxc noblacklist ${DOCUMENTS} +noblacklist ${RUNUSER}/app # Allow browser profiles, required for browser integration. noblacklist ${HOME}/.config/BraveSoftware 
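Review bot: `#noblacklist ${RUNUSER}/app` in the chromium-common and firefox-common hunks un-blacklists the whole `${RUNUSER}/app` directory, which the commit message says is blacklisted under the flatpak section of disable-common.inc, while the whitelist line that follows only covers `${RUNUSER}/app/org.keepassxc.KeePassXC`. In a profile where `${RUNUSER}` is not whitelist-only, the noblacklist alone exposes every per-app subdirectory there, not just the KeePassXC socket. If firejail cannot un-blacklist a single subpath of a blacklisted directory, the comment above these lines should say so, and otherwise the noblacklist should be narrowed to the socket path.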
@@ -62,8 +63,11 @@ include disable-xdg.inc #whitelist ${HOME}/.config/KeePassXCrc #include whitelist-common.inc +mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC +whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC whitelist /usr/share/keepassxc include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc From fd915d6c8fbc07ba8cb4e052c64b66db1e70712f Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 28 Sep 2024 09:56:49 -0300 Subject: [PATCH 53/80] RELNOTES: add profile items Relates to #5337 #5447 #5902 #6391 #6486. --- RELNOTES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/RELNOTES b/RELNOTES index 6fcee8360..7dc4451de 100644 --- a/RELNOTES +++ b/RELNOTES @@ -129,6 +129,7 @@ firejail (0.9.73) baseline; urgency=low * profiles: drop hostname option from all profiles (#5702) * profiles: move read-only config entries to disable-common.inc (#5763) * profiles: standardize on just "GTK" on comments (#5794) + * profiles: bleachbit: allow erasing Trash contents (#5337 #5902) * profiles: improvements to profiles using private (#5946) * profiles: standardize commented code and eol comments (#5987) * profiles: disable-common: add more suid programs (#6049 #6051 #6052) @@ -149,6 +150,8 @@ firejail (0.9.73) baseline; urgency=low * profiles: nextcloud: fix access to ~/Nextcloud (#5877 #6478) * profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#5816 #6479) * profiles: firecfg: disable text editors (#6002 #6477) + * profiles: browsers: centralize/sync/improve comments (#6486) + * profiles: keepassxc: add new socket location (#5447 #6391) * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500 From 0e7296bef3388ea475ded293b5bd3a9967c98cc3 Mon Sep 17 00:00:00 2001 
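Review bot: `include whitelist-runuser-common.inc` is a wider change than the socket addition the commit message describes: it makes `${RUNUSER}` whitelist-only for the keepassxc sandbox, so anything else KeePassXC used there now needs an explicit whitelist line. The browser hunks in this same patch still list `${RUNUSER}/kpxc_server` and `${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer` as socket locations; confirm the keepassxc side can still create those after this include, and mention the include in the commit message.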
From: "Kelvin M. Klann" Date: Sat, 28 Sep 2024 10:11:18 -0300 Subject: [PATCH 54/80] RELNOTES: add build item Added on commit ba00d135f ("fix for old compilers", 2023-04-06). Relates to #5778. --- RELNOTES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/RELNOTES b/RELNOTES index 7dc4451de..0579eeaf6 100644 --- a/RELNOTES +++ b/RELNOTES @@ -54,6 +54,8 @@ firejail (0.9.73) baseline; urgency=low * build: mkdeb.sh: pass all arguments to ./configure (#5654) * build: deb: enable apparmor by default & remove deb-apparmor (#5668) * build: Fix whitespace and add .editorconfig (#5674) + * build: remove for loop initial declarations to fix building with old + compilers (#5778) * build: enable compiler warnings by default (#5842) * build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859) * build: disable all built-in implicit make rules (#5864) From 6a6d4932606a186ed02f08520438c6e294673e23 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 06:51:33 +0000 Subject: [PATCH 55/80] build(deps): bump github/codeql-action from 3.26.6 to 3.26.10 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.6 to 3.26.10. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4dd16135b69a43b6c8efb853346f8437d92d3c93...e2b3eafc8d227b0241d48be5f425d47c2d750a13) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/check-c.yml | 4 ++-- .github/workflows/check-python.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 1b35f684f..3169b9c01 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml 
@@ -161,7 +161,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 with: languages: cpp @@ -172,4 +172,4 @@ jobs: run: make -j "$(nproc)" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index ed317a86f..530b3b2c2 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -51,9 +51,9 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 with: languages: python - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 From 65fd5bbaaa13ab139b22434fa6c2aa449963cba6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 06:51:37 +0000 Subject: [PATCH 56/80] build(deps): bump actions/checkout from 4.1.7 to 4.2.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... 
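Review bot: the updated `uses:` pins are bare commit SHAs with no `# v3.26.10` trailing comment, so a reader of the workflow cannot tell which release a SHA corresponds to without following the compare link in the commit message. Pinning to a full SHA is the right supply-chain choice (a tag can be moved to different code), so keep that; suggest adding the version as an end-of-line comment on each pinned line, which dependabot updates together with the SHA, e.g. `uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10`. The same applies to the actions/checkout and step-security/harden-runner bumps that follow.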
Signed-off-by: dependabot[bot] --- .github/workflows/build-extra.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/check-c.yml | 8 ++++---- .github/workflows/check-profiles.yml | 2 +- .github/workflows/check-python.yml | 2 +- .github/workflows/codespell.yml | 2 +- .github/workflows/test.yml | 10 +++++----- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 8ad73bb45..b9afc3245 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -52,7 +52,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e8bfd0c16..dce748427 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -68,7 +68,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 1b35f684f..ad84370d9 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -56,7 +56,7 @@ jobs: packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install clang-tools-14 and dependencies 
@@ -89,7 +89,7 @@ jobs: packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install cppcheck @@ -120,7 +120,7 @@ jobs: ppa.launchpad.net:80 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install cppcheck @@ -154,7 +154,7 @@ jobs: uploads.github.com:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: print env run: ./ci/printenv.sh diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index cb9d9ce87..9fe3b63cd 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml @@ -40,7 +40,7 @@ jobs: allowed-endpoints: > github.com:443 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: print env run: ./ci/printenv.sh - run: python3 --version diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index ed317a86f..a8f88eac6 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -44,7 +44,7 @@ jobs: uploads.github.com:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: print env run: ./ci/printenv.sh diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 27c6ab125..0429d7b00 100644 --- a/.github/workflows/codespell.yml 
+++ b/.github/workflows/codespell.yml @@ -34,7 +34,7 @@ jobs: packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 92eb212e4..ce431155b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -62,7 +62,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies @@ -111,7 +111,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies @@ -151,7 +151,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies @@ -194,7 +194,7 @@ jobs: ppa.launchpadcontent.net:443 www.debian.org:443 www.debian.org:80 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies 
@@ -240,7 +240,7 @@ jobs: www.debian.org:443 www.debian.org:80 yahoo.com:1025 - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: update package information run: sudo apt-get update -qy - name: install dependencies From a7918b0575ed11665ffac3ec8918d89aab6141cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 06:51:41 +0000 Subject: [PATCH 57/80] build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.9.1 to 2.10.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde...91182cccc01eb5e619899d80e4e971d6181294a7) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/build-extra.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/check-c.yml | 8 ++++---- .github/workflows/check-profiles.yml | 2 +- .github/workflows/check-python.yml | 2 +- .github/workflows/codespell.yml | 2 +- .github/workflows/test.yml | 10 +++++----- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 8ad73bb45..4651c41a5 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -44,7 +44,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: 
> diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e8bfd0c16..553499972 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 1b35f684f..c860c1d6b 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -46,7 +46,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > @@ -79,7 +79,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > @@ -109,7 +109,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > @@ -143,7 +143,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index cb9d9ce87..c9685c089 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml 
@@ -33,7 +33,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index ed317a86f..d6117101e 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 27c6ab125..fdd5acdc5 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -24,7 +24,7 @@ jobs: timeout-minutes: 5 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 92eb212e4..8507ac3b2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -54,7 +54,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > @@ -103,7 +103,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: 
> @@ -143,7 +143,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > @@ -183,7 +183,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > @@ -225,7 +225,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: block allowed-endpoints: > From 047d86f46ec3793fa3a06d9544c5e2e5aad1e8a2 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Tue, 1 Oct 2024 12:08:06 +0200 Subject: [PATCH 58/80] Add access to D-Bus freedesktop.org secret API Signal recently started storing a local key in the freedesktop.org secret API so allow access in the profile --- etc/profile-m-z/signal-desktop.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index d1db0ba86..0aa958f74 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile @@ -30,6 +30,8 @@ dbus-user filter dbus-user.talk org.freedesktop.Notifications # Allow D-Bus communication with Firefox for opening links dbus-user.talk org.mozilla.* +# Allow D-Bus communication with Freedesktop.org secrets API to decrypt local key +dbus-user.talk org.freedesktop.secrets ignore dbus-user none From 3470a3721e3c88e04888aada5c818b88c7321d78 Mon Sep 17 00:00:00 2001 
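Review bot: `dbus-user.talk org.freedesktop.secrets` grants the sandbox the full Secret Service API, i.e. every unlocked keyring collection the user has, not only the item Signal stores; the comment `Allow D-Bus communication with Freedesktop.org secrets API to decrypt local key` should state that scope so users who keep unrelated passwords in GNOME Keyring or KWallet can decide to drop the rule in signal-desktop.local. Also, the subject line lacks the `profiles: signal-desktop:` prefix used by the other profile commits in this series.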
From: "Kelvin M. Klann" Date: Tue, 1 Oct 2024 11:54:42 -0300 Subject: [PATCH 59/80] profiles: signal-desktop: sort dbus entries This amends commit 047d86f46 ("Add access to D-Bus freedesktop.org secret API", 2024-10-01) / PR #6498. --- etc/profile-m-z/signal-desktop.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 0aa958f74..c8d908aa8 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile @@ -28,10 +28,10 @@ private-etc @tls-ca dbus-user filter # allow D-Bus notifications dbus-user.talk org.freedesktop.Notifications -# Allow D-Bus communication with Firefox for opening links -dbus-user.talk org.mozilla.* # Allow D-Bus communication with Freedesktop.org secrets API to decrypt local key dbus-user.talk org.freedesktop.secrets +# Allow D-Bus communication with Firefox for opening links +dbus-user.talk org.mozilla.* ignore dbus-user none From ff2c7bd10d8a8266d118c1120e714d0bcd951160 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Tue, 1 Oct 2024 12:06:48 -0300 Subject: [PATCH 60/80] profiles: kube: sort dbus entries This amends commit 7df28c1ed ("New profiles for balsa,trojita,kube (#3603)", 2020-09-03). --- etc/profile-a-l/kube.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 79b286e58..67ff64954 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile @@ -79,8 +79,8 @@ writable-run-user dbus-user filter dbus-user.talk ca.desrt.dconf -dbus-user.talk org.freedesktop.secrets dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets # Allow D-Bus communication with Firefox for opening links dbus-user.talk org.mozilla.* dbus-system none From aa6b08ffd097b78d7744a90dee62846412651f4c Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Fri, 4 Oct 2024 21:11:04 +0000 Subject: [PATCH 61/80] profiles: firefox-common: allow org.freedesktop.portal.Documents (#6499) This fixes drag and drop for at least Dolphin. Fixes #6444. Reported-by: @Utini2000 Suggested-by: @rusty-snake --- etc/profile-a-l/firefox-common.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 289bdc406..953012954 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -96,6 +96,8 @@ private-tmp dbus-user none dbus-system none +# Allow drag and drop +dbus-user.talk org.freedesktop.portal.Documents # Add the next line to firefox-common.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications # Add the next line to firefox-common.local to allow inhibiting screensavers. From f2b0d91ae9ff10f98f32c9e4886bfdaf264130b4 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 4 Oct 2024 18:12:17 -0300 Subject: [PATCH 62/80] RELNOTES: add profile items Relates to #6444 #6498 #6499. --- RELNOTES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/RELNOTES b/RELNOTES index 0579eeaf6..7541e733f 100644 --- a/RELNOTES +++ b/RELNOTES @@ -154,6 +154,8 @@ firejail (0.9.73) baseline; urgency=low * profiles: firecfg: disable text editors (#6002 #6477) * profiles: browsers: centralize/sync/improve comments (#6486) * profiles: keepassxc: add new socket location (#5447 #6391) + * profiles: signal-desktop: allow org.freedesktop.secrets (#6498) + * profiles: firefox-common: allow org.freedesktop.portal.Documents (#6444 #6499) * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500 From 116f7bf833b1dd73391f10884f66ad1670608f23 Mon Sep 17 00:00:00 2001 
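Review bot: in the firefox-common.profile hunk the new `dbus-user.talk org.freedesktop.portal.Documents` rule is placed directly after `dbus-user none` and `dbus-system none`; please confirm that a talk rule is honoured when the user-bus policy line in the same file is `none` rather than `filter` (the commented entries below it are instructions for firefox-common.local, not active rules, so they do not demonstrate this). Since firefox-common.profile is shared by every Firefox-based profile, the comment `# Allow drag and drop` could also name the mechanism (the document portal) so readers can see which D-Bus name is being opened and why.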
From: "Kelvin M. Klann" Date: Fri, 4 Oct 2024 20:55:46 -0300 Subject: [PATCH 63/80] RELNOTES: add private-etc rework feature item And move the #6104 item into it. Relates to #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643 #5650 #5655. Relates to #5681 #5737 #5844 #5989 #6016 #6104 #6400. --- RELNOTES | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 7541e733f..cafade763 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,9 @@ firejail (0.9.73) baseline; urgency=low * work in progress * security: fix sscanf rv checks (CodeQL) (#6184) + * feature: private-etc rework: improve handling of /etc/resolv.conf and add + private-etc groups (#6400 #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643 + #5650 #5681 #5737 #5844 #5989 #6016 #6104 #5655) * feature: Add "keep-shell-rc" command and option (#1127 #5634) * feature: Print the argument when failing with "too long arguments" (#5677) * feature: a random hostname is assigned to each sandbox unless @@ -98,7 +101,6 @@ firejail (0.9.73) baseline; urgency=low * ci: whitelist paths, reorganize workflows & speed-up tests (#5960) * ci: fix dependabot duplicated workflow runs (#5984) * ci: allow running workflows manually (#6026) - * ci: re-enable sort.py (#6104) * ci: add timeout limits (#6178) * ci: make dependabot updates monthly and bump PR limit (#6338) * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057 From 07ff98385f43ff787cd05222cd9c23f646bf0e5c Mon Sep 17 00:00:00 2001 From: Foxreef <110787380+Foxreef@users.noreply.github.com> Date: Fri, 11 Oct 2024 08:55:13 +0200 Subject: [PATCH 64/80] profiles: steam: add ~/.config/UNDERTALE (#6503) Whitelist ~/.config/UNDERTALE to allow the game to save. --- etc/inc/disable-programs.inc | 1 + etc/profile-m-z/steam.profile | 3 +++ 2 files changed, 4 insertions(+) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 371680b7b..0f8a2e7e3 100644 --- a/etc/inc/disable-programs.inc 
+++ b/etc/inc/disable-programs.inc @@ -359,6 +359,7 @@ blacklist ${HOME}/.config/SubDownloader blacklist ${HOME}/.config/Thunar blacklist ${HOME}/.config/TinyRDM blacklist ${HOME}/.config/Twitch +blacklist ${HOME}/.config/UNDERTALE blacklist ${HOME}/.config/Unknown Organization blacklist ${HOME}/.config/VSCodium blacklist ${HOME}/.config/Whalebird diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index d44da9f71..ce01301dd 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/MangoHud noblacklist ${HOME}/.config/ModTheSpire noblacklist ${HOME}/.config/RogueLegacy noblacklist ${HOME}/.config/RogueLegacyStorageContainer +noblacklist ${HOME}/.config/UNDERTALE noblacklist ${HOME}/.factorio noblacklist ${HOME}/.killingfloor noblacklist ${HOME}/.klei @@ -66,6 +67,7 @@ mkdir ${HOME}/.config/Loop_Hero mkdir ${HOME}/.config/MangoHud mkdir ${HOME}/.config/ModTheSpire mkdir ${HOME}/.config/RogueLegacy +mkdir ${HOME}/.config/UNDERTALE mkdir ${HOME}/.config/unity3d mkdir ${HOME}/.factorio mkdir ${HOME}/.killingfloor @@ -105,6 +107,7 @@ whitelist ${HOME}/.config/MangoHud whitelist ${HOME}/.config/ModTheSpire whitelist ${HOME}/.config/RogueLegacy whitelist ${HOME}/.config/RogueLegacyStorageContainer +whitelist ${HOME}/.config/UNDERTALE whitelist ${HOME}/.config/unity3d whitelist ${HOME}/.factorio whitelist ${HOME}/.killingfloor From bfa00e385e073da628e2e72c01f882e101a9d51e Mon Sep 17 00:00:00 2001 From: celenityy <132830388+celenityy@users.noreply.github.com> Date: Wed, 23 Oct 2024 17:05:58 -0400 Subject: [PATCH 65/80] profiles: thunderbird: allow /etc/thunderbird (#6514) This fixes access to Thunderbird system policies, which can be set system-wide via `/etc/thunderbird/policies/policies.json`. Users can also use this directory to set different default preferences. Relates to #6400 #6435. --- etc/profile-m-z/thunderbird.profile | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile index fda32d038..50c724d73 100644 --- a/etc/profile-m-z/thunderbird.profile +++ b/etc/profile-m-z/thunderbird.profile @@ -61,6 +61,8 @@ whitelist /usr/share/thunderbird #machine-id novideo +private-etc thunderbird + # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE ignore private-tmp From 040c42c54c9a3009fd952b32aaa05f84da1fe20a Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 25 Oct 2024 14:20:27 +0000 Subject: [PATCH 66/80] profiles: firefox-esr: allow /etc/firefox-esr (#6515) This path is apparently used on Debian. Relates to #5518 #6400 #6435. Reported-by: @Boruch-Baum --- etc/profile-a-l/firefox-esr.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/profile-a-l/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile index 5e69fdb51..05fe0c344 100644 --- a/etc/profile-a-l/firefox-esr.profile +++ b/etc/profile-a-l/firefox-esr.profile @@ -8,5 +8,7 @@ include firefox-esr.local whitelist /usr/share/firefox-esr +private-etc firefox-esr + # Redirect include firefox.profile From b2be4870d1eb8e9297753aaf22cb44a293ca9b08 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 25 Oct 2024 11:19:02 -0300 Subject: [PATCH 67/80] RELNOTES: add feature items Relates to #6435 #6514 #6515. --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index cafade763..1702dd352 100644 --- a/RELNOTES +++ b/RELNOTES 
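Review bot: the `+private-etc thunderbird` line in the thunderbird.profile hunk has no comment, while the commit message explains the real reason: `/etc/thunderbird/policies/policies.json` is where system-wide policies and default preferences are set. A one-line comment such as `# Allow system policies and default preferences (/etc/thunderbird/policies/policies.json)` would let a reader see that the sandbox is deliberately reading administrator policy from the host rather than an arbitrary directory.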
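Review bot: the `+private-etc firefox-esr` line in the firefox-esr.profile hunk is undocumented, and the commit message only says the path is "apparently used on Debian"; a short comment such as `# /etc/firefox-esr is used on Debian (#6515)` would record the assumption so that the entry can be revisited if the path turns out to be distribution-specific or unused.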
@@ -3,7 +3,7 @@ firejail (0.9.73) baseline; urgency=low * security: fix sscanf rv checks (CodeQL) (#6184) * feature: private-etc rework: improve handling of /etc/resolv.conf and add private-etc groups (#6400 #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643 - #5650 #5681 #5737 #5844 #5989 #6016 #6104 #5655) + #5650 #5681 #5737 #5844 #5989 #6016 #6104 #5655 #6435 #6514 #6515) * feature: Add "keep-shell-rc" command and option (#1127 #5634) * feature: Print the argument when failing with "too long arguments" (#5677) * feature: a random hostname is assigned to each sandbox unless From cf02e8dd4f92d9c200286bb8d8546c22adace5cb Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Fri, 1 Nov 2024 02:48:37 +0800 Subject: [PATCH 68/80] docs: fix typos of --enable-selinux configure option (#6526) --- README | 3 ++- README.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README b/README index d64554f9a..6b9a10ba1 100644 --- a/README +++ b/README @@ -34,7 +34,8 @@ libraries and pkg-config are required when using the --enable-apparmor sudo apt-get install git build-essential libapparmor-dev pkg-config gawk -For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). +For the --enable-selinux option, add libselinux1-dev (libselinux-devel for +Fedora). We build our release firejail.tar.xz and firejail.deb packages using the following commands: diff --git a/README.md b/README.md index 33bd6bfb3..0803a16c8 100644 --- a/README.md +++ b/README.md 
@@ -164,7 +164,8 @@ libraries and pkg-config are required when using the `--enable-apparmor` sudo apt-get install git build-essential libapparmor-dev pkg-config gawk ``` -For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). +For the `--enable-selinux` option, add libselinux1-dev (libselinux-devel for +Fedora). Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). From d1ffe4532a73ad2245e7b5911ea4d3ffdae31e5b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Nov 2024 06:36:23 +0000 Subject: [PATCH 69/80] build(deps): bump actions/checkout from 4.2.0 to 4.2.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/d632683dd7b4114ad314bca15554477dd762a938...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/build-extra.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/check-c.yml | 8 ++++---- .github/workflows/check-profiles.yml | 2 +- .github/workflows/check-python.yml | 2 +- .github/workflows/codespell.yml | 2 +- .github/workflows/test.yml | 10 +++++----- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 867827210..8fb22b334 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml 
@@ -52,7 +52,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ba9427615..ccfa06531 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -68,7 +68,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 514dae9de..4144b7e9f 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -56,7 +56,7 @@ jobs: packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install clang-tools-14 and dependencies @@ -89,7 +89,7 @@ jobs: packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install cppcheck 
@@ -120,7 +120,7 @@ jobs: ppa.launchpad.net:80 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install cppcheck @@ -154,7 +154,7 @@ jobs: uploads.github.com:443 - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: print env run: ./ci/printenv.sh diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 28e19ae9b..1674e76b7 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml @@ -40,7 +40,7 @@ jobs: allowed-endpoints: > github.com:443 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: print env run: ./ci/printenv.sh - run: python3 --version diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index ac6f24a3f..0c0879279 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -44,7 +44,7 @@ jobs: uploads.github.com:443 - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: print env run: ./ci/printenv.sh diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 52e839607..8975aa394 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml 
@@ -34,7 +34,7 @@ jobs: packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c8e4c9c7b..46d966ad7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -62,7 +62,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies @@ -111,7 +111,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies @@ -151,7 +151,7 @@ jobs: github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies @@ -194,7 +194,7 @@ jobs: ppa.launchpadcontent.net:443 www.debian.org:443 www.debian.org:80 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies 
@@ -240,7 +240,7 @@ jobs: www.debian.org:443 www.debian.org:80 yahoo.com:1025 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: update package information run: sudo apt-get update -qy - name: install dependencies From 4ded6b77741894df3699946f3a9bb113e0ca6c84 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Nov 2024 06:36:32 +0000 Subject: [PATCH 70/80] build(deps): bump github/codeql-action from 3.26.10 to 3.27.0 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.10 to 3.27.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e2b3eafc8d227b0241d48be5f425d47c2d750a13...662472033e021d55d94146f66f6058822b0b39fd) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/check-c.yml | 4 ++-- .github/workflows/check-python.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 4144b7e9f..ed05e2147 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -161,7 +161,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd with: languages: cpp @@ -172,4 +172,4 @@ jobs: run: make -j "$(nproc)" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd 
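Review bot: each `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` line in this dependabot bump, starting with the build-extra.yml hunk, replaces one bare SHA with another and leaves no comment naming the tag (4.2.2, per the commit message) it resolves to; suggest a trailing `# v4.2.2` comment on each `uses:` line so the pinned version is visible in the workflow itself and the SHA can be checked against the release without consulting the commit history. SHA pinning itself is correct and should be kept.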
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 0c0879279..c014ab652 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml @@ -51,9 +51,9 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd with: languages: python - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd From d763fb73ca06b2c35db9025ed6c2418d63c0cb0a Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Tue, 5 Nov 2024 02:58:24 +0800 Subject: [PATCH 71/80] docs: clarify intro and build section in README (#6524) Make the introduction friendlier for non-kernel geeks and clarify the build section. Relates to #4049. --- README | 13 ++++++++----- README.md | 34 +++++++++++++++++++++------------- 2 files changed, 29 insertions(+), 18 deletions(-) diff --git a/README b/README index 6b9a10ba1..5b132b062 100644 --- a/README +++ b/README 
@@ -28,14 +28,17 @@ Compile and install the mainline version from GitHub: cd firejail ./configure && make && sudo make install-strip -On Debian/Ubuntu you will need to install git and gcc. AppArmor development -libraries and pkg-config are required when using the --enable-apparmor -./configure option: +On Debian/Ubuntu you will need to install git and gcc. + +To build with AppArmor support (which is usually used on Debian, Ubuntu, +openSUSE and derivatives), install the AppArmor development libraries and +pkg-config and use the `--enable-apparmor` ./configure option: sudo apt-get install git build-essential libapparmor-dev pkg-config gawk -For the --enable-selinux option, add libselinux1-dev (libselinux-devel for -Fedora). +To build with SELinux support (which is usually used on Fedora, RHEL and +derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the +`--enable-selinux` ./configure option. We build our release firejail.tar.xz and firejail.deb packages using the following commands: diff --git a/README.md b/README.md index 0803a16c8..4491b5835 100644 --- a/README.md +++ b/README.md 
@@ -10,13 +10,16 @@ [![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell) [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) -Firejail is a SUID sandbox program that reduces the risk of security breaches -by restricting the running environment of untrusted applications using Linux -namespaces, seccomp-bpf and Linux capabilities. It allows a process and all -its descendants to have their own private view of the globally shared kernel -resources, such as the network stack, process table, mount table. Firejail can -work in a SELinux or AppArmor environment, and it is integrated with Linux -Control Groups. +Firejail is a lightweight security tool intended to protect a Linux system by +setting up a restricted environment for running (potentially untrusted) +applications. + +More specifically, it is an SUID sandbox program that reduces the risk of +security breaches by using Linux namespaces, seccomp-bpf and Linux +capabilities. It allows a process and all its descendants to have their own +private view of the globally shared kernel resources, such as the network +stack, process table and mount table. Firejail can work in an SELinux or +AppArmor environment, and it is integrated with Linux Control Groups. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of @@ -148,7 +151,9 @@ The version can be checked with `firejail --version` after installing. You can also install one of the [released packages](https://github.com/netblue30/firejail/releases). -Or clone the source code from our git repository and build manually: +## Building + +You can clone the source code from this git repository and build manually: ```sh git clone https://github.com/netblue30/firejail.git 
@@ -156,16 +161,19 @@ cd firejail ./configure && make && sudo make install-strip ``` -On Debian/Ubuntu you will need to install git and gcc. AppArmor development -libraries and pkg-config are required when using the `--enable-apparmor` -./configure option: +On Debian/Ubuntu you will need to install git and gcc. + +To build with AppArmor support (which is usually used on Debian, Ubuntu, +openSUSE and derivatives), install the AppArmor development libraries and +pkg-config and use the `--enable-apparmor` ./configure option: ```sh sudo apt-get install git build-essential libapparmor-dev pkg-config gawk ``` -For the `--enable-selinux` option, add libselinux1-dev (libselinux-devel for -Fedora). +To build with SELinux support (which is usually used on Fedora, RHEL and +derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the +`--enable-selinux` ./configure option. Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). From 9a3dc2c0c39a8069bbd60fc5aa3920b0f92ce610 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 7 Nov 2024 02:30:28 +0000 Subject: [PATCH 72/80] keepassxc: allow access to ssh-agent socket (#6531) Fixes #3314. Relates to #6529. --- etc/profile-a-l/keepassxc.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 7a1227442..1ba4f0eba 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile @@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/KeePassXCrc noblacklist ${HOME}/.keepassxc noblacklist ${DOCUMENTS} noblacklist ${RUNUSER}/app +noblacklist /tmp/ssh-* # Allow browser profiles, required for browser integration. noblacklist ${HOME}/.config/BraveSoftware 
@@ -65,6 +66,7 @@ include disable-xdg.inc mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC +whitelist /tmp/ssh-* whitelist /usr/share/keepassxc include whitelist-run-common.inc include whitelist-runuser-common.inc From 9f1d2c7ed589ced57fecfaa669476c74f1080eb8 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 6 Nov 2024 23:33:07 -0300 Subject: [PATCH 73/80] RELNOTES: add docs and profile items Relates to #3314 #6524 #6526 #6531. --- RELNOTES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/RELNOTES b/RELNOTES index 1702dd352..0afdbddc0 100644 --- a/RELNOTES +++ b/RELNOTES @@ -123,6 +123,8 @@ firejail (0.9.73) baseline; urgency=low * docs: man: fix bold in command TPs (#6472) * docs: man: fix wrong escapes (#6474) * docs: github: streamline environment in issue templates (#6471) + * docs: fix typos of --enable-selinux configure option (#6526) + * docs: clarify intro and build section in README (#6524) * legal: selinux.c: Split Copyright notice & use same license as upstream (#5667) * profiles: qutebrowser: fix links not opening in the existing instance @@ -158,6 +160,7 @@ firejail (0.9.73) baseline; urgency=low * profiles: keepassxc: add new socket location (#5447 #6391) * profiles: signal-desktop: allow org.freedesktop.secrets (#6498) * profiles: firefox-common: allow org.freedesktop.portal.Documents (#6444 #6499) + * profiles: keepassxc: allow access to ssh-agent socket (#3314 #6531) * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500 From 096d5a2a2db1b86e3312ef1d15ae8db1d679848c Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Fri, 8 Nov 2024 10:33:26 +0000 Subject: [PATCH 74/80] profiles: firecfg.config: disable dnsmasq (#6533) There are multiple reports in #6121 that dnsmasq does not work when called by libvirt: $ sudo virsh net-start default error: Failed to start network default error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq [...]) unexpected exit status 1: Error: PATH environment variable not set Also, note that this is a server program, so it might be better to disable it by default anyway. Reported-by: @marek22k --- src/firecfg/firecfg.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 1265254aa..e0c6256b5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -219,7 +219,7 @@ display display-im6.q16 dnox dnscrypt-proxy -dnsmasq +#dnsmasq # server; problems with libvirt on Arch (see #6121) dolphin-emu dooble dooble-qt4 From 26be7180fa1333d4c104145fd4d662482d4f4ee8 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 8 Nov 2024 10:34:00 +0000 Subject: [PATCH 75/80] profiles: game-launchers: disable nou2f (#6534) While gamepads apparently work fine in the Steam client itself, `nou2f` appears to make gamepads unresponsive inside certain games while using "Steam Input" (possibly due to `nou2f` blocking access to `/dev/hidraw*` devices). This issue reportedly affects at least the following games on Steam: "Undertale", "Persona 4 Golden" and "Persona 5 Royal". Disable nou2f to ensure that gamepads can be used. Relates to #6523. Reported-by: @opqriu --- etc/profile-a-l/lutris.profile | 2 +- etc/profile-m-z/steam.profile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index 0462cb503..c6bfbc233 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile 
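Review bot: the replacement line in the firecfg.config hunk, `#dnsmasq # server; problems with libvirt on Arch (see #6121)`, attributes the breakage to Arch, but the commit message only reports multiple failures in #6121 when dnsmasq is started by libvirt and quotes a `PATH environment variable not set` error without naming a distribution; either name it in the commit message or drop "on Arch" from the comment so the two agree. The reason given for disabling it by default is sound and worth keeping in the comment: a firecfg symlink is followed by whatever calls the program, including a root daemon such as libvirtd, which is exactly the situation a desktop-oriented profile is not designed for.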
@@ -68,7 +68,7 @@ nogroups nonewprivs noroot notv -nou2f +#nou2f # may break gamepads in certain games (see #6523) novideo protocol unix,inet,inet6,netlink seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index ce01301dd..6f71cf684 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -161,7 +161,7 @@ nogroups nonewprivs noroot notv -nou2f +#nou2f # may break gamepads in certain games (see #6523) # To allow VR and camera-based motion tracking, add 'ignore novideo' to your # steam.local. novideo From a11d1536a6391bd89ecf3b181bfd46b604f3581b Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 8 Nov 2024 07:36:54 -0300 Subject: [PATCH 76/80] RELNOTES: add profile items Relates to #6533 #6534. --- RELNOTES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/RELNOTES b/RELNOTES index 0afdbddc0..55c1a6c7b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -161,6 +161,8 @@ firejail (0.9.73) baseline; urgency=low * profiles: signal-desktop: allow org.freedesktop.secrets (#6498) * profiles: firefox-common: allow org.freedesktop.portal.Documents (#6444 #6499) * profiles: keepassxc: allow access to ssh-agent socket (#3314 #6531) + * profiles: firecfg.config: disable dnsmasq (#6533) + * profiles: game-launchers: disable nou2f (#6534) * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater -- netblue30 Mon, 17 Jan 2023 09:00:00 -0500 From d01e1779d6c100fc630c057fe6216063b0396172 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 8 Nov 2024 07:31:09 -0300 Subject: [PATCH 77/80] RELNOTES: improve modif item Format and add missing PR reference. Relates to #5378 #5957. --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 55c1a6c7b..77f0cceb3 100644 --- a/RELNOTES +++ b/RELNOTES 
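Review bot: commenting out `nou2f` in both the lutris.profile and steam.profile hunks re-exposes to the sandbox the `/dev/hidraw*` devices that, per the commit message, `nou2f` is thought to block, which includes any FIDO/U2F security key plugged in while a game is running; the commit message itself marks the hidraw explanation as "possibly". Suggest confirming the cause before relaxing the rule for every user, and extending the inline comment (`#nou2f # may break gamepads in certain games (see #6523)`) to tell users who do not use gamepads to re-enable it in lutris.local / steam.local, following the pattern the steam hunk already uses for `novideo`.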
@@ -35,7 +35,7 @@ firejail (0.9.73) baseline; urgency=low * modif: improve errExit error messages (#5871) * modif: drop deprecated 'shell' option references (#5894) * modif: keep pipewire group unless nosound is used (#5992 #5993) - * modif: fcopy: Use lstat when copying directory (#5957) + * modif: fcopy: use lstat when copying directory (#5378 #5957) * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) * removal: firemon: remove --interface option (it duplicates the firejail From 8e7996132b883eb8e9476565f3c94454d13fdc2f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Nov 2024 18:36:09 -0500 Subject: [PATCH 78/80] README file update --- README | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README b/README index 5b132b062..6b725125c 100644 --- a/README +++ b/README @@ -203,6 +203,8 @@ avoidr (https://github.com/avoidr) - added mcabber profile - fixed mpv profile - various other fixes +ayham (https://github.com/ayham-1) + - allow custom homedir support for gpgagent Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) - add support for custom AppArmor profiles (--apparmor=) - add Landlock support @@ -261,6 +263,8 @@ bymoz089 (https://github.com/bymoz089) - add timezone access to make libical functional BytesTuner (https://github.com/BytesTuner) - provided keepassxc profile +Caleb McCombs (https://github.com/squatched) + - Zoom profile fixes caoliver (https://github.com/caoliver) - network system fixes Carlo Abelli (https://github.com/carloabelli) @@ -274,6 +278,8 @@ Cat (https://github.com/ecat3) cayday (https://github.com/caydey) - added ~/Private blacklist in disable-common.inc - added quiet to some CLI profiles +celenityy (https://github.com/celenityy) + - Thunderbird profile fix Christian Pinedo (https://github.com/chrpinedo) - added nicotine profile - allow python3 in totem profile 
@@ -418,6 +424,7 @@ Felipe Barriga Richards (https://github.com/fbarriga) - --private-etc fix Felix Pehla (https://github.com/FelixPehla) - fix fractal profile + - blacklist sway IPC socket globally fenuks (https://github.com/fenuks) - fix sound in games using FMOD - allow /opt/tor-browser for Tor Browser profile @@ -437,6 +444,8 @@ floxo (https://github.com/floxo) - fixed qml disk cache issue Foemass (https://github.com/Foemass) - documentation +Foxreef (https://github.com/Foxreef) + - steam profile fixes Franco (nextime) Lanza (https://github.com/nextime) - added --private-template/--private-home František Polášek (https://github.com/fandaa) @@ -501,6 +510,8 @@ G4JC (https://sourceforge.net/u/gaming4jc/profile/) - profile fixes Gaman Gabriel (https://github.com/stelariusinfinitek) - inox profile +Gabriel (https://github.com/gcb) + - okular profile fix geg2048 (https://github.com/geg2048) - kwallet profile fixes glitsj16 (https://github.com/glitsj16) @@ -1230,6 +1241,7 @@ Ted Robertson (https://github.com/tredondo) - various documentation fixes - blacklist Exodus wallet - blacklist monero-project directory + - serveral README file fixes tools200ms (https://github.com/tools200ms) - fixed allow-ssh.inc Tus1688 (https://github.com/Tus1688) @@ -1325,6 +1337,8 @@ ydididodat (https://github.com/ydididodat) yumkam (https://github.com/yumkam) - add compile-time option to restrict --net= to root only - man page fixes +Yves-Alexis Perez (https://github.com/corsac-s) + - signal-desktop profile fix Zack Weinberg (https://github.com/zackw) - added support for joining a persistent, named network namespace - removed libconnect From 559e4039bcea88b29c454189975ac1f7980c8060 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Nov 2024 18:36:34 -0500 Subject: [PATCH 79/80] static IP map update --- src/fnettrace/static-ip-map.txt | 63 ++++++++++++++------------------- 1 file changed, 26 insertions(+), 37 deletions(-) 
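Review bot: in the `@@ -501,6 +510,8 @@` hunk the new `+Gabriel (https://github.com/gcb)` entry is inserted after `Gaman Gabriel (https://github.com/stelariusinfinitek)` and before `geg2048`, but "Gabriel" sorts before "Gaman" (b before m), so under the list's alphabetical order it belongs between the `G4JC` block and the `Gaman Gabriel` block. The other new entries in this patch (`ayham`, `Caleb McCombs`, `celenityy`, `Foxreef`, `Yves-Alexis Perez`) all land in the expected position.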
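Review bot: the `@@ -1230,6 +1241,7 @@` hunk adds `+ - serveral README file fixes`, which misspells "several"; the project runs codespell in CI, so this line will fail the `make codespell` job and needs a follow-up commit unless it is fixed here.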
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt index 2faf5a49c..f0427ab0c 100644 --- a/src/fnettrace/static-ip-map.txt +++ b/src/fnettrace/static-ip-map.txt @@ -245,6 +245,7 @@ 205.196.6.0/24 Steam 207.45.72.0/22 Netflix 207.241.224.0/20 Internet Archive +207.5.192.0/19 Rumble 208.82.236.0/22 Creiglist 208.64.200.0/22 Steam 208.75.76.0/22 Netflix @@ -577,6 +578,8 @@ 108.44.64.0/18 MCI 108.45.0.0/16 MCI 108.46.0.0/16 MCI +152.176.0.0/12 MCI +152.192.0.0/13 MCI 192.229.128.0/17 MCI # Microsoft @@ -5176,22 +5179,7 @@ 164.92.208.0/20 Digital Ocean 164.92.224.0/20 Digital Ocean 164.92.240.0/20 Digital Ocean -165.22.0.0/20 Digital Ocean -165.22.16.0/20 Digital Ocean -165.22.32.0/20 Digital Ocean -165.22.48.0/20 Digital Ocean -165.22.64.0/20 Digital Ocean -165.22.80.0/20 Digital Ocean -165.22.96.0/20 Digital Ocean -165.22.112.0/20 Digital Ocean -165.22.128.0/20 Digital Ocean -165.22.144.0/20 Digital Ocean -165.22.160.0/20 Digital Ocean -165.22.176.0/20 Digital Ocean -165.22.192.0/20 Digital Ocean -165.22.208.0/20 Digital Ocean -165.22.224.0/20 Digital Ocean -165.22.240.0/20 Digital Ocean +165.22.0.0/16 Digital Ocean 165.227.0.0/20 Digital Ocean 165.227.16.0/20 Digital Ocean 165.227.32.0/20 Digital Ocean @@ -6029,6 +6017,28 @@ 96.30.0.0/18 Liquid Web # OVH +15.204.0.0/17 OVH +15.204.128.0/17 OVH +15.235.0.0/17 OVH +15.235.128.0/17 OVH +23.92.224.0/19 OVH +37.187.0.0/16 OVH +37.59.0.0/16 OVH +40.160.0.0/17 OVH +46.105.0.0/16 OVH +46.105.198.0/24 OVH +46.105.199.0/24 OVH +46.105.200.0/24 OVH +46.105.201.0/24 OVH +46.105.202.0/24 OVH +46.105.203.0/24 OVH +46.105.204.0/24 OVH +46.105.206.0/24 OVH +46.105.207.0/24 OVH +46.244.32.0/20 OVH +51.161.0.0/17 OVH +51.161.128.0/17 OVH +51.210.0.0/24 OVH 107.189.64.0/18 OVH 135.125.0.0/17 OVH 135.125.128.0/17 OVH 
@@ -6053,11 +6063,7 @@ 149.202.0.0/16 OVH 149.56.0.0/16 OVH 151.80.0.0/16 OVH -15.204.0.0/17 OVH -15.204.128.0/17 OVH 152.228.128.0/17 OVH -15.235.0.0/17 OVH -15.235.128.0/17 OVH 158.69.0.0/16 OVH 162.19.0.0/17 OVH 162.19.128.0/17 OVH @@ -6084,23 +6090,6 @@ 213.251.128.0/18 OVH 213.32.0.0/17 OVH 217.182.0.0/16 OVH -23.92.224.0/19 OVH -37.187.0.0/16 OVH -37.59.0.0/16 OVH -40.160.0.0/17 OVH -46.105.0.0/16 OVH -46.105.198.0/24 OVH -46.105.199.0/24 OVH -46.105.200.0/24 OVH -46.105.201.0/24 OVH -46.105.202.0/24 OVH -46.105.203.0/24 OVH -46.105.204.0/24 OVH -46.105.206.0/24 OVH -46.105.207.0/24 OVH -46.244.32.0/20 OVH -51.161.0.0/17 OVH -51.161.128.0/17 OVH # Ionos 74.208.0.0/16 Ionos From ffa95cce317d7909e07adab0847dba22dceb9494 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 18 Nov 2024 11:39:27 -0300 Subject: [PATCH 80/80] README: fix typo of "several" This fixes the codespell job in CI[1]: $ make codespell Running codespell... ./README:1244: serveral ==> several make: *** [Makefile:393: codespell] Error 65 Added on commit 8e7996132 ("README file update", 2024-11-16). [1] https://github.com/netblue30/firejail/actions/runs/11874111807/job/33089673920 --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 6b725125c..8b7b64cb9 100644 --- a/README +++ b/README @@ -1241,7 +1241,7 @@ Ted Robertson (https://github.com/tredondo) - various documentation fixes - blacklist Exodus wallet - blacklist monero-project directory - - serveral README file fixes + - several README file fixes tools200ms (https://github.com/tools200ms) - fixed allow-ssh.inc Tus1688 (https://github.com/Tus1688)
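Review bot: drive-by for the `@@ -245,6 +245,7 @@` hunk: the context line `208.82.236.0/22 Creiglist` two lines below the added `+207.5.192.0/19 Rumble` misspells Craigslist. The label column is what this map reports for matching traffic, so it is worth correcting while this region of the file is being touched.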
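Review bot: the two MCI additions in the `@@ -577,6 +578,8 @@` hunk, `+152.176.0.0/12 MCI` and `+152.192.0.0/13 MCI`, are adjacent and non-overlapping (152.176.0.0 to 152.191.255.255 and 152.192.0.0 to 152.199.255.255) and are placed in order between the `108.46.0.0/16` and `192.229.128.0/17` lines. A /12 labels over a million addresses, so a quick check of these two prefixes against current registry data before merging is worthwhile; a mislabel of that size would show up in a lot of traces.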
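Review bot: the aggregation in the `@@ -5176,22 +5179,7 @@` hunk is exact: the sixteen removed `165.22.N.0/20 Digital Ocean` lines (N = 0, 16, 32, ..., 240) tile `165.22.0.0/16` without gaps, so `+165.22.0.0/16 Digital Ocean` preserves behaviour. The unchanged context lines `165.227.0.0/20`, `165.227.16.0/20`, `165.227.32.0/20` look like the start of the same pattern; if that block is also complete it could be collapsed the same way in a follow-up.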
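Review bot: in the `@@ -6029,6 +6017,28 @@` hunk the added `+46.105.0.0/16 OVH` already covers every one of the `+46.105.198.0/24 OVH` through `+46.105.207.0/24 OVH` lines, so those nine /24 entries are redundant and can be dropped. Likewise `+15.204.0.0/17` with `+15.204.128.0/17`, `+15.235.0.0/17` with `+15.235.128.0/17`, and `+51.161.0.0/17` with `+51.161.128.0/17` each form one /16; collapsing them would match the Digital Ocean aggregation done earlier in this same patch.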
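Review bot: the four `-15.204.0.0/17`, `-15.204.128.0/17`, `-15.235.0.0/17`, `-15.235.128.0/17` lines removed in the `@@ -6053,11 +6063,7 @@` hunk reappear verbatim as `+` lines in the `@@ -6029,6 +6017,28 @@` hunk, so this hunk is a reorder rather than a removal. The move sorts first octets numerically (15 before 107, 135) while later octets in the surrounding context are compared as strings (`149.202.0.0/16` before `149.56.0.0/16`, `213.251.128.0/18` before `213.32.0.0/17`), so the section is now sorted by neither rule throughout; if the file is meant to be sorted, the commit message should say which ordering is canonical.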
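Review bot: the subject "static IP map update" undersells what the `@@ -6084,23 +6090,6 @@` hunk and the rest of the patch do. Counting the hunks: the 17 `-23.92.224.0/19` to `-51.161.128.0/17` lines here plus the 4 removed in the previous hunk are the same 21 lines added in the `@@ -6029,6 +6017,28 @@` hunk, so only `+51.210.0.0/24 OVH` is a genuinely new OVH range; the other real changes are one Rumble prefix, two MCI prefixes, and the Digital Ocean /16 aggregation, which together give the 26 insertions and 37 deletions in the diffstat. Suggest a body that lists the additions and the aggregation separately from the OVH reorder, so a later reader of the log can tell data changes from cosmetic ones.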