`@default-keep` should be used for syscalls used by Firejail itself only.
We are moving some syscalls from `@default-keep` that do not meet this condition into the new group `@program-keep`.
Syscalls in `@program-keep` are not forced to whitelist (we let users decide), but should never be present in `@default` and its sub-groups.
Also move `execv` into `@obsolete` (sparc only, replaced by `execve`).
Changes:
* Keep hostname by default (same as using `--keep-hostname`)
* Add `--hostname-randomize` command to randomize the hostname
* Ignore `--keep-hostname` command and print a warning if it is used
Setting a different hostname inside of the sandbox may prevent X11
programs from authenticating to the X server and displaying windows at
all (see #7062).
To avoid breakage, keep the hostname as is by default and only set it to
a random value if a new `hostname-randomize` command is used.
This also avoids potentially surprising behavior, as the user might not
expect the hostname to be changed inside of the sandbox, considering
that usually the protections that are applied by firejail involve
restricting access to resources (like file paths), rather than modifying
their values inside of the sandbox.
Fixes #7062
Relates to #7048 #7069.
And use it in etc/inc/disable-X11.inc.
This allows printing a warning message from inside a profile.
Everything after the command is printed in a warning message as is (that
is, without macro expansion).
Example:
$ firejail --noprofile --include=/etc/firejail/disable-X11.inc true
Reading profile /etc/firejail/disable-X11.inc
Warning: /etc/firejail/disable-X11.inc:5: This file is deprecated; use disable-x11.inc (lowercase) instead.
Reading profile /etc/firejail/disable-x11.inc
[...]
Relates to #6294.
This is a follow-up to #6709.
Instead of having a `notpm` command and potentially adding it to almost
all profiles (as few programs should need direct access to TPM devices),
add a `keep-dev-tpm` command and use it only in profiles that need
access to TPM devices.
Changes:
* Turn `notpm` command into `keep-dev-tpm` command
* Warn and ignore if `notpm` is used
* Block `/dev/tpm*` devices by default
* Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev`
is used)
Added on commit 001320226 ("feature: add notpm command & keep tpm
devices in private-dev (#6390)", 2024-07-09).
See also commit ee1c264c5 ("feature: block /dev/ntsync & add
keep-dev-ntsync command (#6660)", 2025-03-06) and the discussion at
PR #6660.
This is a follow-up to #6687.
Changes:
* Block access to /dev/ntsync by default
* Add the `keep-dev-ntsync` command to allow access to /dev/ntsync (even
if `private-dev` is used)
* Add `keep-dev-ntsync` to wine.profile and similar profiles
Closes #6655.
Changes:
* Strip whitespace at the beginning
* Strip whitespace at the end
* Ensure exactly one newline at the end
* Strip extraneous newlines
Also, for clarity print the git diff in the sort.py ci job, since the
specific lines changed are not printed by the sort.py script in this
case (as whitespace is fixed in the entire profile at once).
Command used to search and replace:
./contrib/sort.py etc/inc/*.inc etc/profile*/*.profile
This is a follow-up to #6556.
Update contrib/sort.py
Currently whitespace is left as is within an entry.
In a `protocol` entry, if there is whitespace between the command and
its argument or around an item, the item in question is dropped from the
output.
Changes:
* `protocol`: Strip all whitespace in the argument
* Other commands: Strip leading/trailing whitespace around each item,
including any extra whitespace between a command and its argument
Note: Whitespace characters inside paths are left as is, as some paths
(such as `Foo Bar`) may contain spaces.
Before:
$ printf 'private-bin a,b\nprivate-bin a,b\nprivate-bin b,a\nprivate-bin C,A B\nprotocol unix,net\nprotocol inet,unix\n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile
sort.py: checking 1 profile(s)...
foo.profile:5:-protocol unix,net
foo.profile:5:+protocol
foo.profile:6:-protocol inet,unix
foo.profile:6:+protocol unix
After:
$ printf 'private-bin a,b\nprivate-bin a,b\nprivate-bin b,a\nprivate-bin C,A B\nprotocol unix,net\nprotocol inet,unix\n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile
sort.py: checking 1 profile(s)...
foo.profile:2:-private-bin a,b
foo.profile:2:+private-bin a,b
foo.profile:3:-private-bin b,a
foo.profile:3:+private-bin a,b
foo.profile:4:-private-bin C,A B
foo.profile:4:+private-bin A B,C
foo.profile:5:-protocol unix,net
foo.profile:5:+protocol unix
foo.profile:6:-protocol inet,unix
foo.profile:6:+protocol unix,inet
Currently the output is mangled if the last item on the line contains
trailing whitespace and is moved when sorting.
So remove trailing whitespace in all lines (that is, not just in lines
containing supported commands).
Leave leading whitespace as is for now since it could potentially be
used for indentation.
Before:
$ printf '# hello world \nprivate-bin a,b \nprivate-bin b,a \nprivate-bin a,b\n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile | tr ' ' .
sort.py:.checking.1.profile(s)...
foo.profile:3:-private-bin.b,a..
foo.profile:3:+private-bin.a..,b
After:
$ printf '# hello world \nprivate-bin a,b \nprivate-bin b,a \n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile | tr ' ' .
sort.py:.checking.1.profile(s)...
foo.profile:1:-#.hello.world..
foo.profile:1:+#.hello.world
foo.profile:2:-private-bin.a,b..
foo.profile:2:+private-bin.a,b
foo.profile:3:-private-bin.b,a..
foo.profile:3:+private-bin.a,b
Rename `line` to `original_line` to make it less likely to accidentally
read from/write to it instead of the fixed line.
Rename `fixed_line` to `line` to make the code shorter since it is now
referenced much more often (up to 3 times in the same line of code) than
the original line.
See also commit aa17ca5fc ("sort.py: rename protocols to
original_protocols", 2022-10-17) / PR #5429.
An ssh private key may be stored in a Trusted Platform Module (TPM)
device and `private-dev` in ssh.profile currently breaks this use-case,
as it does not keep tpm devices (see #6379).
So add a new `notpm` command and keep tpm devices in /dev by default
with `private-dev` unless `notpm` is used.
Overwrite in-place by default (`-i`) and add `-n` to override it.
This restores the previous default behavior (from 0.9.72), for the sake
of being consistent with all previous versions and because it's more
likely to be the desired behavior in most cases.
This amends commit aa08aa132 ("build: sort.py: add and require -i to
edit in-place (#6290)", 2024-03-25).
Similarly to `sed -i` and `perl -i`.
This allows checking if sort.py correctly sorts the relevant lines in a
profile without having to overwrite it, which makes debugging and
testing easier (for example, in #6261).
Note: If it finds items that are not sorted, it still sorts them, prints
the diff and returns an error.
Since Landlock ABI v4 it is possible to restrict actions related to the
network and potentially more areas will be added in the future.
So use `landlock.fs.` as the prefix in the current filesystem-related
commands (and later `landlock.net.` for the network-related commands) to
keep them organized and to match what is used in the kernel.
Examples of filesystem and network access flags:
* `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
* `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
* `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
* `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
remote port.
Relates to #6078.
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.
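As an added illustration, the following Python is not Firejail's own contrib/sort.py but a small normalizer that reproduces the rules described in the sort.py commits above (stripping whitespace within an entry, the fixed protocol order with unknown items dropped, trailing-whitespace removal, exactly one newline at the end) and the case-sensitive `@group`, uppercase, lowercase ordering of `private-etc` lines from this commit. The list of sorted commands and the protocol order beyond `unix` before `inet` are assumptions for the example; the sample profile is constructed from the `printf` input shown above.

```python
"""Added example, not the Firejail project's sort.py: a minimal profile-line
normalizer that follows the sorting and whitespace rules described above."""

# Commands whose comma-separated argument is deduplicated and sorted.
# ASSUMPTION: this list is chosen for the example; the real script has its own.
SORTED_LIST_COMMANDS = ("private-bin", "private-etc", "private-lib", "caps.drop", "caps.keep")

# Protocols are emitted in a fixed order and anything unknown (e.g. "net") is
# dropped. Only "unix" before "inet" is taken from the output shown above; the
# remaining order is an ASSUMPTION for the example.
PROTOCOL_ORDER = ("unix", "inet", "inet6", "netlink", "packet", "bluetooth")


def fix_line(line: str) -> str:
    """Return the normalized form of one profile line."""
    # Trailing whitespace is removed from every line (comments included) so a
    # trailing space can no longer end up attached to an item after sorting;
    # leading whitespace is kept because it may be used for indentation.
    line = line.rstrip()
    stripped = line.lstrip()
    indent = line[: len(line) - len(stripped)]
    if stripped.startswith("#") or " " not in stripped:
        return line
    command, _, argument = stripped.partition(" ")
    if command == "protocol":
        # Strip all whitespace in the argument, then apply the fixed order.
        present = set("".join(argument.split()).split(","))
        ordered = [proto for proto in PROTOCOL_ORDER if proto in present]
        return f"{indent}protocol {','.join(ordered)}".rstrip()
    if command in SORTED_LIST_COMMANDS:
        # Strip whitespace around each item (and any extra whitespace between
        # the command and its argument) but keep spaces inside an item such as
        # "A B". Python's default sort is case-sensitive, which yields the
        # "@group" < uppercase < lowercase order used for private-etc.
        items = {item.strip() for item in argument.split(",") if item.strip()}
        return f"{indent}{command} {','.join(sorted(items))}"
    return line


def check_profile(path: str, text: str) -> list:
    """Return sort.py-style diff lines ("path:N:-old" / "path:N:+new") for
    every line that fix_line() would change, without modifying anything."""
    out = []
    for number, old in enumerate(text.split("\n"), start=1):
        new = fix_line(old)
        if new != old:
            out.append(f"{path}:{number}:-{old}")
            out.append(f"{path}:{number}:+{new}")
    return out


def fix_profile(text: str) -> str:
    """Normalize every line, strip blank lines at the beginning and at the
    end, and ensure exactly one newline at the end of the file."""
    lines = [fix_line(line) for line in text.split("\n")]
    while lines and lines[0] == "":
        lines.pop(0)
    while lines and lines[-1] == "":
        lines.pop()
    return "\n".join(lines) + "\n" if lines else ""


# Constructed sample, taken from the printf invocation shown above.
SAMPLE = (
    "private-bin a,b\nprivate-bin a,b\nprivate-bin b,a\nprivate-bin C,A B\n"
    "protocol unix,net\nprotocol inet,unix\n"
)

if __name__ == "__main__":
    for entry in check_profile("foo.profile", SAMPLE):
        print(entry)
    print(fix_line("private-etc fstab,SoftMaker,@tls-ca"))
```

Running the block prints the `-`/`+` pairs for lines 3 to 6 of the constructed sample in the same shape as the `sort.py -n` output above, and shows `private-etc fstab,SoftMaker,@tls-ca` being rewritten to `private-etc @tls-ca,SoftMaker,fstab`.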
Escape `.` only when generating the syntax files rather than directly in
the syntax lists, so that the latter contain the command names as is.
This also makes the escaping apply to the arg1 syntax list as well.
Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its
output is used in another sed replacement (where it needs to be `\\.`).
Relates to #5627.
This adds the `shell` command. Note that it's still being parsed in
profile.c, even if it's just to return an error.
Commands used to remake them:
rm contrib/syntax/lists/*
make syntax
Relates to #5627 #5894.