disable by default some of the systemd tools, more cleanup, and more testing

netblue30 2026-02-04 07:34:07 -05:00
parent 6f164f415e
commit ca934a2ccd
8 changed files with 194 additions and 3 deletions


@ -188,6 +188,14 @@ blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
blacklist ${PATH}/systemctl
blacklist ${PATH}/systemd*
blacklist ${PATH}/hostnamectl
blacklist ${PATH}/journalctl
blacklist ${PATH}/busctl
blacklist ${PATH}/localectl
blacklist ${PATH}/loginctl
blacklist ${PATH}/networkctl
blacklist ${PATH}/timedatectl
blacklist ${PATH}/varlinkctl
blacklist ${RUNUSER}/systemd
blacklist /etc/credstore*
blacklist /etc/systemd/network
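Review bot: The added `blacklist ${PATH}/hostnamectl` … `blacklist ${PATH}/varlinkctl` entries hide the systemd client binaries, but the services those tools front (logind, hostnamed, timedated, networkd, journald) are reached over D-Bus and varlink sockets, so a sandbox that still has bus access can drive them with any other client; the lines are a sensible hardening default, not the boundary. A short comment above the group would keep profile authors from reading them as one, e.g. `# systemd CLI front-ends; access to the services themselves is governed by dbus-user/dbus-system, not by these entries`. Which of the 14 lines are new is not marked on this page; the eight `*ctl` tools are taken from the commit title, and the enclosing blacklist list continues outside the hunk.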


@ -273,8 +273,7 @@ static const char *const usage_str =
" --tracelog - add a syslog message for every access to files or\n"
"\tdirectories blacklisted by the security profile.\n"
" --tree - print a tree of all sandboxed processes.\n"
" --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
"\tfiretunnel utility.\n"
" --unhide-pid1 - make pid 1 process visible to tools such as ps\n"
" --version - print program version and exit.\n"
#ifdef HAVE_NETWORK
" --veth-name=name - use this name for the interface connected to the bridge.\n"


@ -47,7 +47,9 @@ Print route table for each sandbox.
#endif
.TP
\fB\-\-seccomp
Print seccomp configuration for each sandbox.
Print seccomp configuration for each sandbox. Several other firejail features such
as memory\-deny\-write\-execute, protocol and restrict\-namespaces are implemented
as seccomp filters. This option will show the global seccomp setting inside the kernel.
.TP
\fB\-\-top
Monitor the most CPU-intensive sandboxes. This command is similar to


@ -37,6 +37,7 @@ echo "TESTING: pid 1 functionality (test/apps/pid1.exp)"
# X11 apps
x11apps=(firefox qbittorrent firefox-xephyr galculator libreoffice firefox-xorg \
lowriter gimp inkscape emacs okular kdiff3 gpicview audacity \
pauvcontrol mpv dosbox gnome-screenshot \
xterm x11-none xterm-xorg xterm-xephyr xterm-xpra firefox-xpra)
for app in "${x11apps[@]}"; do
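Review bot: `pauvcontrol` on the new `x11apps` line is misspelled; this commit adds `test/apps/pavucontrol.exp`, so assuming the loop runs `test/apps/$app.exp` as the other entries suggest, the pavucontrol case will be looked up under the wrong name and never run. Change `pauvcontrol mpv dosbox gnome-screenshot \` to `pavucontrol mpv dosbox gnome-screenshot \`. The loop body that consumes the array starts past the end of the hunk.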

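--- /dev/null
+++ b/test/apps/dosbox.exp
@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private dosbox\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/dosbox.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"dosbox"
+}
+after 100
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"dosbox"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Seccomp: 2"
+}
+after 100
+puts "\nall done\n"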
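Review bot: The sandbox started by `send -- "firejail --private dosbox\r"` is never torn down — no `--timeout` on the command and no `exit` sent to the spawned shells — so the script relies on expect closing the ptys at exit to kill dosbox, and if that does not happen the `firejail --list` and `firemon --seccomp` checks of the next test, which only look for a process name followed by some `Seccomp: 2` line, can be satisfied by this leftover sandbox. gnome-screenshot.exp already bounds its run with `--timeout=00:00:03`; the same approach here would be `send -- "firejail --timeout=00:00:10 --private dosbox\r"`, which still leaves the `sleep 3` window for the list and seccomp checks. mpv.exp and pavucontrol.exp launch their app the same way and need the same change.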

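--- /dev/null
+++ b/test/apps/gnome-screenshot.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --timeout=00:00:03 --private gnome-screenshot --interactive\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/gnome-screenshot.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"gnome-screenshot"
+}
+after 100
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"gnome-screenshot"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Seccomp: 2"
+}
+sleep 3
+puts "\nall done\n"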

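--- /dev/null
+++ b/test/apps/mpv.exp
@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --ignore=quiet --private mpv --player-operation-mode=pseudo-gui\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/mpv.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"mpv"
+}
+after 100
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"mpv"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Seccomp: 2"
+}
+after 100
+puts "\nall done\n"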

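--- /dev/null
+++ b/test/apps/pavucontrol.exp
@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private pavucontrol\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/pavucontrol.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"pavucontrol"
+}
+after 100
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"pavucontrol"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Seccomp: 2"
+}
+after 100
+puts "\nall done\n"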