Merge tag 'upstream/0.9.44'
Upstream version 0.9.44
# gpg: Signature made Sun 23 Oct 2016 12:08:58 PM CEST
# gpg: using RSA key CCF04928DB0EEAA7
# gpg: issuer "reiner@reiner-h.de"
# gpg: Good signature from "Reiner Herrmann <reiner@reiner-h.de>" [ultimate]
# Primary key fingerprint: 2F5D AF3F C1F7 93D9 4F3D 900C A721 DA05 5374 AA4F
# Subkey fingerprint: D8F6 FA7D EA24 D90D 6EAC 733B CCF0 4928 DB0E EAA7
Reiner Herrmann
7 years ago
140 | 140 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg |
141 | 141 | |
142 | 142 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" |
143 | DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" | |
143 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" | |
144 | 144 | |
145 | 145 | dist: |
146 | 146 | mv config.status config.status.old |
76 | 76 | - added gnome-chess profile |
77 | 77 | - added DOSBox profile |
78 | 78 | - evince profile enhancement |
79 | valoq (https://github.com/valoq) | |
80 | - LibreOffice profile fixes | |
81 | - cherrytree profile fixes | |
82 | - added support for /srv in --whitelist feature | |
83 | - Eye of GNOME and Evolution profiles | |
84 | Rafael Cavalcanti (https://github.com/rccavalcanti) | |
85 | - chromium profile fixes for Arch Linux | |
79 | 86 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
80 | 87 | - added xpdf profile |
81 | 88 | vismir2 (https://github.com/vismir2) |
83 | 90 | Dara Adib (https://github.com/daradib) |
84 | 91 | - ssh profile fix |
85 | 92 | - evince profile fix |
86 | valoq (https://github.com/valoq) | |
87 | - LibreOffice profile fixes | |
88 | - cherrytree profile fixes | |
89 | 93 | vismir2 (https://github.com/vismir2) |
90 | 94 | - feh, ranger, 7z, keepass, keepassx and zathura profiles |
91 | 95 | - lots of profile fixes |
0 | firejail (0.9.43) baseline; urgency=low | |
0 | firejail (0.9.44) baseline; urgency=low | |
1 | 1 | * CVE-2016-7545 submitted by Aleksey Manevich |
2 | * development version | |
3 | 2 | * modifs: removed man firejail-config |
4 | 3 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory |
5 | 4 | * modifs: Nvidia drivers added to --private-dev |
5 | * modifs: /srv supported by --whitelist | |
6 | * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) | |
6 | 7 | * feature: support starting/joining sandbox is a single command |
7 | 8 | (--join-or-start) |
8 | 9 | * feature: X11 detection support for --audit |
14 | 15 | * feature: X11 security extension (--x11=xorg) |
15 | 16 | * feature: disable 3D hardware acceleration (--no3d) |
16 | 17 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands |
18 | * feature: move files in sandbox (--put) | |
19 | * feature: accept wildcard patterns in user name field of restricted | |
20 | shell login feature | |
17 | 21 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape |
18 | 22 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, |
19 | * new profiles: claws-mail, mutt, git, emacs, vim, xpdf | |
20 | * bugfixes | |
21 | -- netblue30 <netblue30@yahoo.com> Fri, 9 Sept 2016 08:00:00 -0500 | |
23 | * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot | |
24 | * new profiles: Flowblade, Eye of GNOME (eog), Evolution | |
25 | * bugfixes | |
26 | -- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500 | |
22 | 27 | |
23 | 28 | firejail (0.9.42) baseline; urgency=low |
24 | 29 | * security: --whitelist deleted files, submitted by Vasya Novikov |
0 | 0 | #! /bin/sh |
1 | 1 | # Guess values for system-dependent variables and create Makefiles. |
2 | # Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1. | |
2 | # Generated by GNU Autoconf 2.69 for firejail 0.9.44. | |
3 | 3 | # |
4 | 4 | # Report bugs to <netblue30@yahoo.com>. |
5 | 5 | # |
579 | 579 | # Identity of this package. |
580 | 580 | PACKAGE_NAME='firejail' |
581 | 581 | PACKAGE_TARNAME='firejail' |
582 | PACKAGE_VERSION='0.9.44~rc1' | |
583 | PACKAGE_STRING='firejail 0.9.44~rc1' | |
582 | PACKAGE_VERSION='0.9.44' | |
583 | PACKAGE_STRING='firejail 0.9.44' | |
584 | 584 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
585 | 585 | PACKAGE_URL='http://firejail.wordpress.com' |
586 | 586 | |
1258 | 1258 | # Omit some internal or obsolete options to make the list less imposing. |
1259 | 1259 | # This message is too long to be a string in the A/UX 3.1 sh. |
1260 | 1260 | cat <<_ACEOF |
1261 | \`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems. | |
1261 | \`configure' configures firejail 0.9.44 to adapt to many kinds of systems. | |
1262 | 1262 | |
1263 | 1263 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1264 | 1264 | |
1319 | 1319 | |
1320 | 1320 | if test -n "$ac_init_help"; then |
1321 | 1321 | case $ac_init_help in |
1322 | short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";; | |
1322 | short | recursive ) echo "Configuration of firejail 0.9.44:";; | |
1323 | 1323 | esac |
1324 | 1324 | cat <<\_ACEOF |
1325 | 1325 | |
1423 | 1423 | test -n "$ac_init_help" && exit $ac_status |
1424 | 1424 | if $ac_init_version; then |
1425 | 1425 | cat <<\_ACEOF |
1426 | firejail configure 0.9.44~rc1 | |
1426 | firejail configure 0.9.44 | |
1427 | 1427 | generated by GNU Autoconf 2.69 |
1428 | 1428 | |
1429 | 1429 | Copyright (C) 2012 Free Software Foundation, Inc. |
1725 | 1725 | This file contains any messages produced by compilers while |
1726 | 1726 | running configure, to aid debugging if configure makes a mistake. |
1727 | 1727 | |
1728 | It was created by firejail $as_me 0.9.44~rc1, which was | |
1728 | It was created by firejail $as_me 0.9.44, which was | |
1729 | 1729 | generated by GNU Autoconf 2.69. Invocation command line was |
1730 | 1730 | |
1731 | 1731 | $ $0 $@ |
4302 | 4302 | # report actual input values of CONFIG_FILES etc. instead of their |
4303 | 4303 | # values after options handling. |
4304 | 4304 | ac_log=" |
4305 | This file was extended by firejail $as_me 0.9.44~rc1, which was | |
4305 | This file was extended by firejail $as_me 0.9.44, which was | |
4306 | 4306 | generated by GNU Autoconf 2.69. Invocation command line was |
4307 | 4307 | |
4308 | 4308 | CONFIG_FILES = $CONFIG_FILES |
4356 | 4356 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4357 | 4357 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4358 | 4358 | ac_cs_version="\\ |
4359 | firejail config.status 0.9.44~rc1 | |
4359 | firejail config.status 0.9.44 | |
4360 | 4360 | configured by $0, generated by GNU Autoconf 2.69, |
4361 | 4361 | with options \\"\$ac_cs_config\\" |
4362 | 4362 |
0 | 0 | AC_PREREQ([2.68]) |
1 | AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) | |
1 | AC_INIT(firejail, 0.9.44, netblue30@yahoo.com, , http://firejail.wordpress.com) | |
2 | 2 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
3 | 3 | #AC_CONFIG_HEADERS([config.h]) |
4 | 4 |
24 | 24 | whitelist ~/.lastpass |
25 | 25 | whitelist ~/.config/lastpass |
26 | 26 | |
27 | # specific to Arch | |
28 | whitelist ~/.config/chromium-flags.conf | |
29 | ||
27 | 30 | include /etc/firejail/whitelist-common.inc |
19 | 19 | # clang/llvm |
20 | 20 | blacklist /usr/bin/clang* |
21 | 21 | blacklist /usr/bin/llvm* |
22 | blacklist /usb/bin/lldb* | |
22 | blacklist /usr/bin/lldb* | |
23 | 23 | blacklist /usr/lib/llvm* |
24 | 24 | |
25 | 25 | # tcc - Tiny C Compiler |
34 | 34 | blacklist ${HOME}/.config/zathura |
35 | 35 | blacklist ${HOME}/.config/cherrytree |
36 | 36 | blacklist ${HOME}/.xpdfrc |
37 | blacklist ${HOME}/.openshot | |
38 | blacklist ${HOME}/.openshot_qt | |
39 | blacklist ${HOME}/.flowblade | |
40 | blacklist ${HOME}/.config/flowblade | |
41 | blacklist ${HOME}/.config/eog | |
37 | 42 | |
38 | 43 | |
39 | 44 | # Media players |
71 | 76 | blacklist ${HOME}/.config/brave |
72 | 77 | blacklist ${HOME}/.config/inox |
73 | 78 | blacklist ${HOME}/.muttrc |
79 | blacklist ${HOME}/.mutt | |
74 | 80 | blacklist ${HOME}/.mutt/muttrc |
75 | 81 | blacklist ${HOME}/.msmtprc |
82 | blacklist ${HOME}/.config/evolution | |
83 | blacklist ${HOME}/.local/share/evolution | |
84 | blacklist ${HOME}/.cache/evolution | |
76 | 85 | |
77 | 86 | # Instant Messaging |
78 | 87 | blacklist ${HOME}/.config/hexchat |
0 | # eog (gnome image viewer) profile | |
1 | ||
2 | noblacklist ~/.config/eog | |
3 | ||
4 | include /etc/firejail/disable-common.inc | |
5 | include /etc/firejail/disable-programs.inc | |
6 | include /etc/firejail/disable-devel.inc | |
7 | include /etc/firejail/disable-passwdmgr.inc | |
8 | ||
9 | caps.drop all | |
10 | netfilter | |
11 | nonewprivs | |
12 | noroot | |
13 | nogroups | |
14 | protocol unix | |
15 | seccomp | |
16 | shell none | |
17 | ||
18 | private-bin eog | |
19 | private-dev | |
20 | private-etc fonts | |
21 | private-tmp | |
22 |
0 | # evolution profile | |
1 | ||
2 | noblacklist ~/.config/evolution | |
3 | noblacklist ~/.local/share/evolution | |
4 | noblacklist ~/.cache/evolution | |
5 | noblacklist ~/.pki | |
6 | noblacklist ~/.pki/nssdb | |
7 | noblacklist ~/.gnupg | |
8 | ||
9 | include /etc/firejail/disable-common.inc | |
10 | include /etc/firejail/disable-programs.inc | |
11 | include /etc/firejail/disable-devel.inc | |
12 | include /etc/firejail/disable-passwdmgr.inc | |
13 | ||
14 | caps.drop all | |
15 | netfilter | |
16 | nonewprivs | |
17 | noroot | |
18 | nogroups | |
19 | protocol unix,inet,inet6 | |
20 | seccomp | |
21 | shell none | |
22 | ||
23 | private-dev | |
24 | private-tmp |
0 | # OpenShot profile | |
1 | noblacklist ${HOME}/.flowblade | |
2 | noblacklist ${HOME}/.config/flowblade | |
3 | include /etc/firejail/disable-common.inc | |
4 | include /etc/firejail/disable-programs.inc | |
5 | include /etc/firejail/disable-passwdmgr.inc | |
6 | ||
7 | caps.drop all | |
8 | netfilter | |
9 | nonewprivs | |
10 | noroot | |
11 | protocol unix,inet,inet6,netlink | |
12 | seccomp |
1 | 1 | |
2 | 2 | noblacklist ~/.muttrc |
3 | 3 | noblacklist ~/.mutt |
4 | noblacklist ~/.mutt/muttrc | |
4 | 5 | noblacklist ~/.mailcap |
5 | 6 | noblacklist ~/.gnupg |
6 | 7 | noblacklist ~/.mail |
0 | # OpenShot profile | |
1 | noblacklist ${HOME}/.openshot | |
2 | noblacklist ${HOME}/.openshot_qt | |
3 | include /etc/firejail/disable-common.inc | |
4 | include /etc/firejail/disable-programs.inc | |
5 | include /etc/firejail/disable-passwdmgr.inc | |
6 | ||
7 | caps.drop all | |
8 | netfilter | |
9 | nonewprivs | |
10 | noroot | |
11 | protocol unix,inet,inet6,netlink | |
12 | seccomp |
0 | # VirtualBox profile | |
1 | ||
2 | noblacklist ${HOME}/.VirtualBox | |
3 | noblacklist ${HOME}/VirtualBox VMs | |
4 | noblacklist ${HOME}/.config/VirtualBox | |
5 | include /etc/firejail/disable-common.inc | |
6 | include /etc/firejail/disable-programs.inc | |
7 | include /etc/firejail/disable-passwdmgr.inc | |
8 | ||
9 | caps.drop all | |
10 | ||
11 |
0 | #!/bin/bash | |
0 | #!/bin/sh | |
1 | 1 | |
2 | 2 | echo "extracting UID_MIN and GID_MIN" |
3 | 3 | echo "#ifndef FIREJAIL_UIDS_H" > uids.h |
160 | 160 | /etc/firejail/emacs.profile |
161 | 161 | /etc/firejail/vim.profile |
162 | 162 | /etc/firejail/xpdf.profile |
163 | /etc/firejail/virtualbox.profile | |
164 | /etc/firejail/openshot.profile | |
165 | /etc/firejail/flowblade.profile | |
166 | /etc/firejail/eog.profile | |
167 | /etc/firejail/evolution.profile |
0 | #!/bin/bash | |
1 | VERSION="0.9.44" | |
2 | rm -fr ~/rpmbuild | |
3 | rm -f firejail-$VERSION-1.x86_64.rpm | |
4 | ||
5 | mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp} | |
6 | cat <<EOF >~/.rpmmacros | |
7 | %_topdir %(echo $HOME)/rpmbuild | |
8 | %_tmppath %{_topdir}/tmp | |
9 | EOF | |
10 | ||
11 | cd ~/rpmbuild | |
12 | echo "building directory tree" | |
13 | ||
14 | mkdir -p firejail-$VERSION/usr/bin | |
15 | install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/. | |
16 | install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/. | |
17 | install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/. | |
18 | ||
19 | mkdir -p firejail-$VERSION/usr/lib/firejail | |
20 | install -m 755 /usr/lib/firejail/faudit firejail-$VERSION/usr/lib/firejail/. | |
21 | install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firejail/. | |
22 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. | |
23 | install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. | |
24 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | |
25 | install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. | |
26 | install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/. | |
27 | ||
28 | mkdir -p firejail-$VERSION/usr/share/man/man1 | |
29 | install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. | |
30 | install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/. | |
31 | install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/. | |
32 | ||
33 | mkdir -p firejail-$VERSION/usr/share/man/man5 | |
34 | install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/. | |
35 | install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/. | |
36 | ||
37 | mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail | |
38 | install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/. | |
39 | install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/. | |
40 | install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/. | |
41 | ||
42 | mkdir -p firejail-$VERSION/etc/firejail | |
43 | install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/. | |
44 | install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/. | |
45 | install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/. | |
46 | install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/. | |
47 | install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/. | |
48 | install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/. | |
49 | install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/. | |
50 | install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/. | |
51 | install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/. | |
52 | install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/. | |
53 | install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/. | |
54 | install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/. | |
55 | install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/. | |
56 | install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/. | |
57 | install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/. | |
58 | install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/. | |
59 | install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/. | |
60 | install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/. | |
61 | install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/. | |
62 | install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/. | |
63 | install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/. | |
64 | install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/. | |
65 | install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/. | |
66 | install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/. | |
67 | install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/. | |
68 | install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/. | |
69 | install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/. | |
70 | install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/. | |
71 | install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/. | |
72 | install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/. | |
73 | install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/. | |
74 | install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/. | |
75 | install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/. | |
76 | install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/. | |
77 | install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/. | |
78 | install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/. | |
79 | install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/. | |
80 | install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/. | |
81 | install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/. | |
82 | install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/. | |
83 | install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/. | |
84 | install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/. | |
85 | install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/. | |
86 | install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/. | |
87 | install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/. | |
88 | install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/. | |
89 | install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/. | |
90 | install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/. | |
91 | install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/. | |
92 | install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/. | |
93 | install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/. | |
94 | install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/. | |
95 | install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/. | |
96 | install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/. | |
97 | install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/. | |
98 | install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/. | |
99 | install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/. | |
100 | install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/. | |
101 | install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/. | |
102 | install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/. | |
103 | install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/. | |
104 | install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/. | |
105 | install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/. | |
106 | install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/. | |
107 | install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/. | |
108 | install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/. | |
109 | install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/. | |
110 | install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/. | |
111 | install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/. | |
112 | install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/. | |
113 | install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/. | |
114 | install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/. | |
115 | install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/. | |
116 | install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/. | |
117 | install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/. | |
118 | install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/. | |
119 | install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/. | |
120 | install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/. | |
121 | install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/. | |
122 | install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/. | |
123 | install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/. | |
124 | install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/. | |
125 | install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/. | |
126 | install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/. | |
127 | install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/. | |
128 | install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/. | |
129 | install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/. | |
130 | install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/. | |
131 | install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/. | |
132 | install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/. | |
133 | install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/. | |
134 | install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/. | |
135 | install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/. | |
136 | install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/. | |
137 | install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/. | |
138 | install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/. | |
139 | install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/. | |
140 | install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/. | |
141 | install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/. | |
142 | install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/. | |
143 | install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/. | |
144 | install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/. | |
145 | install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/. | |
146 | install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/. | |
147 | install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/. | |
148 | install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/. | |
149 | install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/. | |
150 | install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/. | |
151 | install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/. | |
152 | install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/. | |
153 | install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/. | |
154 | install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/. | |
155 | install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/. | |
156 | install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/. | |
157 | install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/. | |
158 | install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/. | |
159 | install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/. | |
160 | install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/. | |
161 | install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/. | |
162 | install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/. | |
163 | install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/. | |
164 | install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/. | |
165 | install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/. | |
166 | install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/. | |
167 | install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/. | |
168 | install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/. | |
169 | install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/. | |
170 | install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/. | |
171 | install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/. | |
172 | install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/. | |
173 | install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/. | |
174 | install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/. | |
175 | install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/. | |
176 | install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/. | |
177 | install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/. | |
178 | install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/. | |
179 | install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/. | |
180 | install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/. | |
181 | install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/. | |
182 | install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/. | |
183 | install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/. | |
184 | install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/. | |
185 | install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/. | |
186 | install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/. | |
187 | install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/. | |
188 | install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/. | |
189 | install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/. | |
190 | install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/. | |
191 | install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/. | |
192 | install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/. | |
193 | install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/. | |
194 | install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/. | |
195 | install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/. | |
196 | install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/. | |
197 | install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/. | |
198 | install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/. | |
199 | install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/. | |
200 | install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/. | |
201 | install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/. | |
202 | install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/. | |
203 | install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/. | |
204 | install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/. | |
205 | install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/. | |
206 | install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/. | |
207 | install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/. | |
208 | install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/. | |
209 | install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/. | |
210 | install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/. | |
211 | ||
212 | ||
213 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions | |
214 | install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. | |
215 | install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. | |
216 | install -m 644 /usr/share/bash-completion/completions/firecfg firejail-$VERSION/usr/share/bash-completion/completions/. | |
217 | ||
218 | echo "building tar.gz archive" | |
219 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION | |
220 | ||
221 | cp firejail-$VERSION.tar.gz SOURCES/. | |
222 | ||
223 | echo "building config spec" | |
224 | cat <<EOF > SPECS/firejail.spec | |
225 | %define __spec_install_post %{nil} | |
226 | %define debug_package %{nil} | |
227 | %define __os_install_post %{_dbpath}/brp-compress | |
228 | ||
229 | Summary: Linux namepaces sandbox program | |
230 | Name: firejail | |
231 | Version: $VERSION | |
232 | Release: 1 | |
233 | License: GPL+ | |
234 | Group: Development/Tools | |
235 | SOURCE0 : %{name}-%{version}.tar.gz | |
236 | URL: http://firejail.wordpress.com | |
237 | ||
238 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root | |
239 | ||
240 | %description | |
241 | Firejail is a SUID sandbox program that reduces the risk of security | |
242 | breaches by restricting the running environment of untrusted applications | |
243 | using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. | |
244 | ||
245 | %prep | |
246 | %setup -q | |
247 | ||
248 | %build | |
249 | ||
250 | %install | |
251 | rm -rf %{buildroot} | |
252 | mkdir -p %{buildroot} | |
253 | ||
254 | cp -a * %{buildroot} | |
255 | ||
256 | ||
257 | %clean | |
258 | rm -rf %{buildroot} | |
259 | ||
260 | ||
261 | %files | |
262 | %defattr(-,root,root,-) | |
263 | %config(noreplace) %{_sysconfdir}/%{name}/0ad.profile | |
264 | %config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile | |
265 | %config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile | |
266 | %config(noreplace) %{_sysconfdir}/%{name}/atom.profile | |
267 | %config(noreplace) %{_sysconfdir}/%{name}/atril.profile | |
268 | %config(noreplace) %{_sysconfdir}/%{name}/audacious.profile | |
269 | %config(noreplace) %{_sysconfdir}/%{name}/audacity.profile | |
270 | %config(noreplace) %{_sysconfdir}/%{name}/aweather.profile | |
271 | %config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile | |
272 | %config(noreplace) %{_sysconfdir}/%{name}/brave.profile | |
273 | %config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile | |
274 | %config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile | |
275 | %config(noreplace) %{_sysconfdir}/%{name}/chromium.profile | |
276 | %config(noreplace) %{_sysconfdir}/%{name}/clementine.profile | |
277 | %config(noreplace) %{_sysconfdir}/%{name}/cmus.profile | |
278 | %config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile | |
279 | %config(noreplace) %{_sysconfdir}/%{name}/corebird.profile | |
280 | %config(noreplace) %{_sysconfdir}/%{name}/cpio.profile | |
281 | %config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile | |
282 | %config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile | |
283 | %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile | |
284 | %config(noreplace) %{_sysconfdir}/%{name}/default.profile | |
285 | %config(noreplace) %{_sysconfdir}/%{name}/deluge.profile | |
286 | %config(noreplace) %{_sysconfdir}/%{name}/dillo.profile | |
287 | %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc | |
288 | %config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc | |
289 | %config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc | |
290 | %config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc | |
291 | %config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile | |
292 | %config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile | |
293 | %config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile | |
294 | %config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile | |
295 | %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile | |
296 | %config(noreplace) %{_sysconfdir}/%{name}/eom.profile | |
297 | %config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile | |
298 | %config(noreplace) %{_sysconfdir}/%{name}/evince.profile | |
299 | %config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile | |
300 | %config(noreplace) %{_sysconfdir}/%{name}/file.profile | |
301 | %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile | |
302 | %config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile | |
303 | %config(noreplace) %{_sysconfdir}/%{name}/firefox.profile | |
304 | %config(noreplace) %{_sysconfdir}/%{name}/firejail.config | |
305 | %config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile | |
306 | %config(noreplace) %{_sysconfdir}/%{name}/franz.profile | |
307 | %config(noreplace) %{_sysconfdir}/%{name}/gajim.profile | |
308 | %config(noreplace) %{_sysconfdir}/%{name}/gitter.profile | |
309 | %config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile | |
310 | %config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile | |
311 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile | |
312 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile | |
313 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile | |
314 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile | |
315 | %config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile | |
316 | %config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile | |
317 | %config(noreplace) %{_sysconfdir}/%{name}/gtar.profile | |
318 | %config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile | |
319 | %config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile | |
320 | %config(noreplace) %{_sysconfdir}/%{name}/gzip.profile | |
321 | %config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile | |
322 | %config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile | |
323 | %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile | |
324 | %config(noreplace) %{_sysconfdir}/%{name}/icedove.profile | |
325 | %config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile | |
326 | %config(noreplace) %{_sysconfdir}/%{name}/inox.profile | |
327 | %config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile | |
328 | %config(noreplace) %{_sysconfdir}/%{name}/kmail.profile | |
329 | %config(noreplace) %{_sysconfdir}/%{name}/konversation.profile | |
330 | %config(noreplace) %{_sysconfdir}/%{name}/less.profile | |
331 | %config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile | |
332 | %config(noreplace) %{_sysconfdir}/%{name}/localc.profile | |
333 | %config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile | |
334 | %config(noreplace) %{_sysconfdir}/%{name}/loffice.profile | |
335 | %config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile | |
336 | %config(noreplace) %{_sysconfdir}/%{name}/login.users | |
337 | %config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile | |
338 | %config(noreplace) %{_sysconfdir}/%{name}/lomath.profile | |
339 | %config(noreplace) %{_sysconfdir}/%{name}/loweb.profile | |
340 | %config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile | |
341 | %config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile | |
342 | %config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile | |
343 | %config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile | |
344 | %config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile | |
345 | %config(noreplace) %{_sysconfdir}/%{name}/midori.profile | |
346 | %config(noreplace) %{_sysconfdir}/%{name}/mpv.profile | |
347 | %config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile | |
348 | %config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile | |
349 | %config(noreplace) %{_sysconfdir}/%{name}/nolocal.net | |
350 | %config(noreplace) %{_sysconfdir}/%{name}/okular.profile | |
351 | %config(noreplace) %{_sysconfdir}/%{name}/openbox.profile | |
352 | %config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile | |
353 | %config(noreplace) %{_sysconfdir}/%{name}/opera.profile | |
354 | %config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile | |
355 | %config(noreplace) %{_sysconfdir}/%{name}/parole.profile | |
356 | %config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile | |
357 | %config(noreplace) %{_sysconfdir}/%{name}/pix.profile | |
358 | %config(noreplace) %{_sysconfdir}/%{name}/polari.profile | |
359 | %config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile | |
360 | %config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile | |
361 | %config(noreplace) %{_sysconfdir}/%{name}/qtox.profile | |
362 | %config(noreplace) %{_sysconfdir}/%{name}/quassel.profile | |
363 | %config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile | |
364 | %config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile | |
365 | %config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile | |
366 | %config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile | |
367 | %config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile | |
368 | %config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile | |
369 | %config(noreplace) %{_sysconfdir}/%{name}/server.profile | |
370 | %config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile | |
371 | %config(noreplace) %{_sysconfdir}/%{name}/skype.profile | |
372 | %config(noreplace) %{_sysconfdir}/%{name}/slack.profile | |
373 | %config(noreplace) %{_sysconfdir}/%{name}/snap.profile | |
374 | %config(noreplace) %{_sysconfdir}/%{name}/soffice.profile | |
375 | %config(noreplace) %{_sysconfdir}/%{name}/spotify.profile | |
376 | %config(noreplace) %{_sysconfdir}/%{name}/ssh.profile | |
377 | %config(noreplace) %{_sysconfdir}/%{name}/steam.profile | |
378 | %config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile | |
379 | %config(noreplace) %{_sysconfdir}/%{name}/strings.profile | |
380 | %config(noreplace) %{_sysconfdir}/%{name}/tar.profile | |
381 | %config(noreplace) %{_sysconfdir}/%{name}/telegram.profile | |
382 | %config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile | |
383 | %config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile | |
384 | %config(noreplace) %{_sysconfdir}/%{name}/totem.profile | |
385 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile | |
386 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile | |
387 | %config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile | |
388 | %config(noreplace) %{_sysconfdir}/%{name}/unbound.profile | |
389 | %config(noreplace) %{_sysconfdir}/%{name}/unrar.profile | |
390 | %config(noreplace) %{_sysconfdir}/%{name}/unzip.profile | |
391 | %config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile | |
392 | %config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile | |
393 | %config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile | |
394 | %config(noreplace) %{_sysconfdir}/%{name}/vlc.profile | |
395 | %config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile | |
396 | %config(noreplace) %{_sysconfdir}/%{name}/webserver.net | |
397 | %config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile | |
398 | %config(noreplace) %{_sysconfdir}/%{name}/weechat.profile | |
399 | %config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile | |
400 | %config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc | |
401 | %config(noreplace) %{_sysconfdir}/%{name}/wine.profile | |
402 | %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile | |
403 | %config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile | |
404 | %config(noreplace) %{_sysconfdir}/%{name}/xreader.profile | |
405 | %config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile | |
406 | %config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile | |
407 | %config(noreplace) %{_sysconfdir}/%{name}/xz.profile | |
408 | %config(noreplace) %{_sysconfdir}/%{name}/zathura.profile | |
409 | %config(noreplace) %{_sysconfdir}/%{name}/7z.profile | |
410 | %config(noreplace) %{_sysconfdir}/%{name}/keepass.profile | |
411 | %config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile | |
412 | %config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile | |
413 | %config(noreplace) %{_sysconfdir}/%{name}/mutt.profile | |
414 | %config(noreplace) %{_sysconfdir}/%{name}/git.profile | |
415 | %config(noreplace) %{_sysconfdir}/%{name}/emacs.profile | |
416 | %config(noreplace) %{_sysconfdir}/%{name}/vim.profile | |
417 | %config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile | |
418 | %config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile | |
419 | %config(noreplace) %{_sysconfdir}/%{name}/openshot.profile | |
420 | %config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile | |
421 | %config(noreplace) %{_sysconfdir}/%{name}/eog.profile | |
422 | %config(noreplace) %{_sysconfdir}/%{name}/evolution.profile | |
423 | %config(noreplace) %{_sysconfdir}/%{name}/feh.profile | |
424 | %config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile | |
425 | %config(noreplace) %{_sysconfdir}/%{name}/gimp.profile | |
426 | %config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile | |
427 | %config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile | |
428 | %config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile | |
429 | %config(noreplace) %{_sysconfdir}/%{name}/ranger.profile | |
430 | %config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile | |
431 | ||
432 | /usr/bin/firejail | |
433 | /usr/bin/firemon | |
434 | /usr/bin/firecfg | |
435 | ||
436 | /usr/lib/firejail/libtrace.so | |
437 | /usr/lib/firejail/libtracelog.so | |
438 | /usr/lib/firejail/libconnect.so | |
439 | /usr/lib/firejail/faudit | |
440 | /usr/lib/firejail/ftee | |
441 | /usr/lib/firejail/firecfg.config | |
442 | /usr/lib/firejail/fshaper.sh | |
443 | ||
444 | /usr/share/doc/packages/firejail/COPYING | |
445 | /usr/share/doc/packages/firejail/README | |
446 | /usr/share/doc/packages/firejail/RELNOTES | |
447 | /usr/share/man/man1/firejail.1.gz | |
448 | /usr/share/man/man1/firemon.1.gz | |
449 | /usr/share/man/man1/firecfg.1.gz | |
450 | /usr/share/man/man5/firejail-profile.5.gz | |
451 | /usr/share/man/man5/firejail-login.5.gz | |
452 | /usr/share/bash-completion/completions/firejail | |
453 | /usr/share/bash-completion/completions/firemon | |
454 | /usr/share/bash-completion/completions/firecfg | |
455 | ||
456 | %post | |
457 | chmod u+s /usr/bin/firejail | |
458 | ||
459 | %changelog | |
460 | * Fri Oct 21 2016 netblue30 <netblue30@yahoo.com> 0.9.44-1 | |
461 | - CVE-2016-7545 submitted by Aleksey Manevich | |
462 | - modifs: removed man firejail-config | |
463 | - modifs: --private-tmp whitelists /tmp/.X11-unix directory | |
464 | - modifs: Nvidia drivers added to --private-dev | |
465 | - modifs: /srv supported by --whitelist | |
466 | - feature: allow user access to /sys/fs (--noblacklist=/sys/fs) | |
467 | - feature: support starting/joining sandbox is a single command | |
468 | (--join-or-start) | |
469 | - feature: X11 detection support for --audit | |
470 | - feature: assign a name to the interface connected to the bridge | |
471 | (--veth-name) | |
472 | - feature: all user home directories are visible (--allusers) | |
473 | - feature: add files to sandbox container (--put) | |
474 | - feature: blocking x11 (--x11=block) | |
475 | - feature: X11 security extension (--x11=xorg) | |
476 | - feature: disable 3D hardware acceleration (--no3d) | |
477 | - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | |
478 | - feature: move files in sandbox (--put) | |
479 | - feature: accept wildcard patterns in user name field of restricted | |
480 | shell login feature | |
481 | - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | |
482 | - new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | |
483 | - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot | |
484 | - new profiles: Flowblade, Eye of GNOME (eog), Evolution | |
485 | - bugfixes | |
486 | ||
487 | * Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1 | |
488 | - security: --whitelist deleted files, submitted by Vasya Novikov | |
489 | - security: disable x32 ABI in seccomp, submitted by Jann Horn | |
490 | - security: tighten --chroot, submitted by Jann Horn | |
491 | - security: terminal sandbox escape, submitted by Stephan Sokolow | |
492 | - security: several TOCTOU fixes submitted by Aleksey Manevich | |
493 | - modifs: bringing back --private-home option | |
494 | - modifs: deprecated --user option, please use "sudo -u username firejail" | |
495 | - modifs: allow symlinks in home directory for --whitelist option | |
496 | - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" | |
497 | - modifs: recursive mkdir | |
498 | - modifs: include /dev/snd in --private-dev | |
499 | - modifs: seccomp filter update | |
500 | - modifs: release archives moved to .xz format | |
501 | - feature: AppImage support (--appimage) | |
502 | - feature: AppArmor support (--apparmor) | |
503 | - feature: Ubuntu snap support (/etc/firejail/snap.profile) | |
504 | - feature: Sandbox auditing support (--audit) | |
505 | - feature: remove environment variable (--rmenv) | |
506 | - feature: noexec support (--noexec) | |
507 | - feature: clean local overlay storage directory (--overlay-clean) | |
508 | - feature: store and reuse overlay (--overlay-named) | |
509 | - feature: allow debugging inside the sandbox with gdb and strace | |
510 | (--allow-debuggers) | |
511 | - feature: mkfile profile command | |
512 | - feature: quiet profile command | |
513 | - feature: x11 profile command | |
514 | - feature: option to fix desktop files (firecfg --fix) | |
515 | - compile time: Busybox support (--enable-busybox-workaround) | |
516 | - compile time: disable overlayfs (--disable-overlayfs) | |
517 | - compile time: disable whitlisting (--disable-whitelist) | |
518 | - compile time: disable global config (--disable-globalcfg) | |
519 | - run time: enable/disable overlayfs (overlayfs yes/no) | |
520 | - run time: enable/disable quiet as default (quiet-by-default yes/no) | |
521 | - run time: user-defined network filter (netfilter-default) | |
522 | - run time: enable/disable whitelisting (whitelist yes/no) | |
523 | - run time: enable/disable remounting of /proc and /sys | |
524 | (remount-proc-sys yes/no) | |
525 | - run time: enable/disable chroot desktop features (chroot-desktop yes/no) | |
526 | - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | |
527 | - profiles: pix, audacity, xz, xzdec, gzip, cpio, less | |
528 | - profiles: Atom Beta, Atom, jitsi, eom, uudeview | |
529 | - profiles: tar (gtar), unzip, unrar, file, skypeforlinux, | |
530 | - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox | |
531 | - bugfixes | |
532 | ||
533 | EOF | |
534 | ||
535 | echo "building rpm" | |
536 | rpmbuild -ba SPECS/firejail.spec | |
537 | rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm | |
538 | cd .. | |
539 | rm -f firejail-$VERSION-1.x86_64.rpm | |
540 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . | |
541 |
91 | 91 | errExit("fork"); |
92 | 92 | if (child == 0) { |
93 | 93 | execl(prog, prog, "syscall", name, NULL); |
94 | exit(1); | |
94 | perror("execl"); | |
95 | _exit(1); | |
95 | 96 | } |
96 | 97 | |
97 | 98 | // wait for the child to finish |
46 | 46 | thunderbird |
47 | 47 | vivaldi-beta |
48 | 48 | vivaldi |
49 | evolution | |
49 | 50 | |
50 | 51 | # chat/messaging |
51 | 52 | bitlbee |
75 | 76 | mupen64plus |
76 | 77 | wine |
77 | 78 | dosbox |
79 | virtualbox | |
78 | 80 | |
79 | 81 | # games |
80 | 82 | 0ad |
136 | 138 | xpdf |
137 | 139 | xreader |
138 | 140 | zathura |
141 | openshot | |
142 | flowblade | |
143 | eog | |
139 | 144 | |
140 | 145 | # other |
141 | 146 | ssh |
59 | 59 | #define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" |
60 | 60 | #define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev" |
61 | 61 | #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" |
62 | #define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" | |
62 | 63 | |
63 | 64 | #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" |
64 | 65 | #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" |
172 | 173 | unsigned var_dir:1; // whitelist in /var directory |
173 | 174 | unsigned dev_dir:1; // whitelist in /dev directory |
174 | 175 | unsigned opt_dir:1; // whitelist in /opt directory |
176 | unsigned srv_dir:1; // whitelist in /srv directory | |
175 | 177 | }ProfileEntry; |
176 | 178 | |
177 | 179 | typedef struct config_t { |
648 | 648 | |
649 | 649 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
650 | 650 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
651 | disable_file(BLACKLIST_FILE, "/sys/fs"); | |
651 | { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line | |
652 | EUID_USER(); | |
653 | profile_add("blacklist /sys/fs"); | |
654 | EUID_ROOT(); | |
655 | } | |
652 | 656 | disable_file(BLACKLIST_FILE, "/sys/module"); |
653 | 657 | disable_file(BLACKLIST_FILE, "/sys/power"); |
654 | 658 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); |
191 | 191 | if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) |
192 | 192 | errExit("asprintf"); |
193 | 193 | execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); |
194 | perror("execlp"); | |
195 | _exit(1); | |
194 | 196 | } |
195 | 197 | // wait for the child to finish |
196 | 198 | waitpid(child, NULL, 0); |
244 | 246 | duplicate(ptr); |
245 | 247 | free(dlist); |
246 | 248 | fs_logger_print(); |
247 | exit(0); | |
249 | _exit(0); | |
248 | 250 | } |
249 | 251 | // wait for the child to finish |
250 | 252 | waitpid(child, NULL, 0); |
105 | 105 | if (asprintf(&f, "/etc/%s", fname) == -1) |
106 | 106 | errExit("asprintf"); |
107 | 107 | execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); |
108 | perror("execlp"); | |
109 | _exit(1); | |
108 | 110 | } |
109 | 111 | // wait for the child to finish |
110 | 112 | waitpid(child, NULL, 0); |
168 | 170 | duplicate(ptr); |
169 | 171 | free(dlist); |
170 | 172 | fs_logger_print(); |
171 | exit(0); | |
173 | _exit(0); | |
172 | 174 | } |
173 | 175 | // wait for the child to finish |
174 | 176 | waitpid(child, NULL, 0); |
640 | 640 | |
641 | 641 | fs_logger_print(); // save the current log |
642 | 642 | free(dlist); |
643 | exit(0); | |
643 | _exit(0); | |
644 | 644 | } |
645 | 645 | // wait for the child to finish |
646 | 646 | waitpid(child, NULL, 0); |
80 | 80 | |
81 | 81 | // create directory |
82 | 82 | mkdir_recursive(expanded); |
83 | exit(0); | |
83 | _exit(0); | |
84 | 84 | } |
85 | 85 | // wait for the child to finish |
86 | 86 | waitpid(child, NULL, 0); |
125 | 125 | (void) rv; |
126 | 126 | fclose(fp); |
127 | 127 | } |
128 | exit(0); | |
128 | _exit(0); | |
129 | 129 | } |
130 | 130 | // wait for the child to finish |
131 | 131 | waitpid(child, NULL, 0); |
253 | 253 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) |
254 | 254 | errExit("asprintf"); |
255 | 255 | } |
256 | ||
256 | else if (entry->srv_dir) { | |
257 | fname = path + 4; // strlen("/srv") | |
258 | if (*fname == '\0') { | |
259 | fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path); | |
260 | exit(1); | |
261 | } | |
262 | ||
263 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) | |
264 | errExit("asprintf"); | |
265 | } | |
257 | 266 | // check if the file exists |
258 | 267 | struct stat s; |
259 | 268 | if (wfile && stat(wfile, &s) == 0) { |
316 | 325 | int var_dir = 0; // /var directory flag |
317 | 326 | int dev_dir = 0; // /dev directory flag |
318 | 327 | int opt_dir = 0; // /opt directory flag |
319 | ||
328 | int srv_dir = 0; // /srv directory flag | |
320 | 329 | // verify whitelist files, extract symbolic links, etc. |
321 | 330 | while (entry) { |
322 | 331 | // handle only whitelist commands |
386 | 395 | dev_dir = 1; |
387 | 396 | else if (strncmp(new_name, "/opt/", 5) == 0) |
388 | 397 | opt_dir = 1; |
389 | ||
398 | else if (strncmp(new_name, "/srv/", 5) == 0) | |
399 | opt_dir = 1; | |
400 | ||
390 | 401 | continue; |
391 | 402 | } |
392 | 403 | |
480 | 491 | goto errexit; |
481 | 492 | } |
482 | 493 | } |
494 | else if (strncmp(new_name, "/srv/", 5) == 0) { | |
495 | entry->srv_dir = 1; | |
496 | srv_dir = 1; | |
497 | // both path and absolute path are under /srv | |
498 | if (strncmp(fname, "/srv/", 5) != 0) { | |
499 | if (arg_debug) | |
500 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | |
501 | goto errexit; | |
502 | } | |
503 | } | |
483 | 504 | else { |
484 | 505 | if (arg_debug) |
485 | 506 | fprintf(stderr, "Debug %d: \n", __LINE__); |
674 | 695 | fs_logger("tmpfs /opt"); |
675 | 696 | } |
676 | 697 | |
698 | // /srv mountpoint | |
699 | if (srv_dir) { | |
700 | // check if /srv directory exists | |
701 | struct stat s; | |
702 | if (stat("/srv", &s) == 0) { | |
703 | // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR | |
704 | int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); | |
705 | if (rv == -1) | |
706 | errExit("mkdir"); | |
707 | if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0) | |
708 | errExit("chown"); | |
709 | if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0) | |
710 | errExit("chmod"); | |
711 | ||
712 | if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | |
713 | errExit("mount bind"); | |
714 | ||
715 | // mount tmpfs on /srv | |
716 | if (arg_debug || arg_debug_whitelists) | |
717 | printf("Mounting tmpfs on /srv directory\n"); | |
718 | if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | |
719 | errExit("mounting tmpfs on /srv"); | |
720 | fs_logger("tmpfs /srv"); | |
721 | } | |
722 | else | |
723 | srv_dir = 0; | |
724 | } | |
725 | ||
726 | ||
727 | ||
677 | 728 | // go through profile rules again, and interpret whitelist commands |
678 | 729 | entry = cfg.profile; |
679 | 730 | while (entry) { |
765 | 816 | fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR); |
766 | 817 | } |
767 | 818 | |
819 | // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR | |
820 | if (srv_dir) { | |
821 | if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | |
822 | errExit("mount tmpfs"); | |
823 | fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); | |
824 | } | |
825 | ||
768 | 826 | if (new_name) |
769 | 827 | free(new_name); |
770 | 828 |
357 | 357 | fprintf(stderr, "Error: Cannot read %s\n", fname1); |
358 | 358 | exit(1); |
359 | 359 | } |
360 | exit(0); | |
360 | _exit(0); | |
361 | 361 | } |
362 | 362 | |
363 | 363 | // wait for the child to finish |
390 | 390 | exit(1); |
391 | 391 | } |
392 | 392 | fclose(fp); |
393 | exit(0); | |
393 | _exit(0); | |
394 | 394 | } |
395 | 395 | |
396 | 396 | // wait for the child to finish |
444 | 444 | fprintf(stderr, "Error: Cannot read %s\n", src_fname); |
445 | 445 | exit(1); |
446 | 446 | } |
447 | exit(0); | |
447 | _exit(0); | |
448 | 448 | } |
449 | 449 | |
450 | 450 | // wait for the child to finish |
493 | 493 | } |
494 | 494 | } |
495 | 495 | |
496 | exit(0); | |
496 | _exit(0); | |
497 | 497 | } |
498 | 498 | |
499 | 499 | // wait for the child to finish |
2505 | 2505 | network_main(child); |
2506 | 2506 | if (arg_debug) |
2507 | 2507 | printf("Host network configured\n"); |
2508 | exit(0); | |
2508 | _exit(0); | |
2509 | 2509 | } |
2510 | 2510 | |
2511 | 2511 | // wait for the child to finish |
2578 | 2578 | g = get_group_id("games"); |
2579 | 2579 | if (g) { |
2580 | 2580 | sprintf(ptr, "%d %d 1\n", g, g); |
2581 | ptr += strlen(ptr); | |
2582 | 2581 | } |
2583 | 2582 | |
2584 | 2583 | EUID_ROOT(); |
144 | 144 | // wipe out environment variables |
145 | 145 | environ = NULL; |
146 | 146 | execl(iptables_restore, iptables_restore, NULL); |
147 | // it will never get here!!! | |
147 | perror("execl"); | |
148 | _exit(1); | |
148 | 149 | } |
149 | 150 | // wait for the child to finish |
150 | 151 | waitpid(child, NULL, 0); |
162 | 163 | errExit("setregid"); |
163 | 164 | environ = NULL; |
164 | 165 | execl(iptables, iptables, "-vL", NULL); |
165 | // it will never get here!!! | |
166 | perror("execl"); | |
167 | _exit(1); | |
166 | 168 | } |
167 | 169 | // wait for the child to finish |
168 | 170 | waitpid(child, NULL, 0); |
255 | 257 | // wipe out environment variables |
256 | 258 | environ = NULL; |
257 | 259 | execl(ip6tables_restore, ip6tables_restore, NULL); |
258 | // it will never get here!!! | |
260 | perror("execl"); | |
261 | _exit(1); | |
259 | 262 | } |
260 | 263 | // wait for the child to finish |
261 | 264 | waitpid(child, NULL, 0); |
268 | 271 | if (child == 0) { |
269 | 272 | environ = NULL; |
270 | 273 | execl(ip6tables, ip6tables, "-vL", NULL); |
271 | // it will never get here!!! | |
274 | perror("execl"); | |
275 | _exit(1); | |
272 | 276 | } |
273 | 277 | // wait for the child to finish |
274 | 278 | waitpid(child, NULL, 0); |
313 | 313 | |
314 | 314 | execvp(server_argv[0], server_argv); |
315 | 315 | perror("execvp"); |
316 | exit(1); | |
316 | _exit(1); | |
317 | 317 | } |
318 | 318 | |
319 | 319 | if (arg_debug) |
354 | 354 | |
355 | 355 | execvp(jail_argv[0], jail_argv); |
356 | 356 | perror("execvp"); |
357 | exit(1); | |
357 | _exit(1); | |
358 | 358 | } |
359 | 359 | |
360 | 360 | // cleanup |
433 | 433 | |
434 | 434 | execvp(server_argv[0], server_argv); |
435 | 435 | perror("execvp"); |
436 | exit(1); | |
436 | _exit(1); | |
437 | 437 | } |
438 | 438 | |
439 | 439 | // check X11 socket |
479 | 479 | |
480 | 480 | execvp(attach_argv[0], attach_argv); |
481 | 481 | perror("execvp"); |
482 | exit(1); | |
482 | _exit(1); | |
483 | 483 | } |
484 | 484 | |
485 | 485 | setenv("DISPLAY", display_str, 1); |
535 | 535 | } |
536 | 536 | execvp(stop_argv[0], stop_argv); |
537 | 537 | perror("execvp"); |
538 | exit(1); | |
538 | _exit(1); | |
539 | 539 | } |
540 | 540 | |
541 | 541 | // wait for xpra server to stop, 10 seconds limit |
671 | 671 | execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, |
672 | 672 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); |
673 | 673 | |
674 | exit(0); | |
674 | _exit(0); | |
675 | 675 | } |
676 | 676 | // wait for the child to finish |
677 | 677 | waitpid(child, NULL, 0); |
145 | 145 | return; |
146 | 146 | net_ifprint(); |
147 | 147 | printf("\n"); |
148 | exit(0); | |
148 | _exit(0); | |
149 | 149 | } |
150 | 150 | |
151 | 151 | // wait for the child to finish |
27 | 27 | #include <arpa/inet.h> |
28 | 28 | #include <time.h> |
29 | 29 | #include <fcntl.h> |
30 | #include <sys/uio.h> | |
31 | ||
30 | 32 | #define PIDS_BUFLEN 4096 |
31 | 33 | #define SERVER_PORT 889 // 889-899 is left unassigned by IANA |
32 | 34 |
11 | 11 | Example: |
12 | 12 | |
13 | 13 | netblue:--net=none --protocol=unix |
14 | ||
15 | Wildcard patterns are accepted in the user name field: | |
16 | ||
17 | user*: --private | |
14 | 18 | |
15 | 19 | .SH RESTRICTED SHELL |
16 | 20 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
217 | 217 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the |
218 | 218 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, |
219 | 219 | everything else is discarded when the sandbox is closed. The top directory could be |
220 | user home, /dev, /media, /mnt, /opt, /var, and /tmp. | |
220 | user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. | |
221 | 221 | .br |
222 | 222 | |
223 | 223 | .br |
1621 | 1621 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the |
1622 | 1622 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, |
1623 | 1623 | everything else is discarded when the sandbox is closed. The top directory could be |
1624 | user home, /dev, /media, /mnt, /opt, /var, and /tmp. | |
1624 | user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. | |
1625 | 1625 | .br |
1626 | 1626 | |
1627 | 1627 | .br |
0 | #!/bin/bash | |
1 | # This file is part of Firejail project | |
2 | # Copyright (C) 2014-2016 Firejail Authors | |
3 | # License GPL v2 | |
4 | ||
5 | export MALLOC_CHECK_=3 | |
6 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | |
7 | ||
8 | which firefox | |
9 | if [ "$?" -eq 0 ]; | |
10 | then | |
11 | echo "TESTING: firefox x11 xorg" | |
12 | ./firefox.exp | |
13 | else | |
14 | echo "TESTING SKIP: firefox not found" | |
15 | fi | |
16 | ||
17 | which transmission-gtk | |
18 | if [ "$?" -eq 0 ]; | |
19 | then | |
20 | echo "TESTING: transmission-gtk x11 xorg" | |
21 | ./transmission-gtk.exp | |
22 | else | |
23 | echo "TESTING SKIP: transmission-gtk not found" | |
24 | fi | |
25 | ||
26 | which icedove | |
27 | if [ "$?" -eq 0 ]; | |
28 | then | |
29 | echo "TESTING: icedove x11 xorg" | |
30 | ./icedove.exp | |
31 | else | |
32 | echo "TESTING SKIP: icedove not found" | |
33 | fi | |
34 |
0 | #!/usr/bin/expect -f | |
1 | # This file is part of Firejail project | |
2 | # Copyright (C) 2014-2016 Firejail Authors | |
3 | # License GPL v2 | |
4 | ||
5 | set timeout 10 | |
6 | spawn $env(SHELL) | |
7 | match_max 100000 | |
8 | ||
9 | send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r" | |
10 | sleep 10 | |
11 | ||
12 | spawn $env(SHELL) | |
13 | send -- "firejail --list\r" | |
14 | expect { | |
15 | timeout {puts "TESTING ERROR 3\n";exit} | |
16 | ":firejail" | |
17 | } | |
18 | expect { | |
19 | timeout {puts "TESTING ERROR 3.1\n";exit} | |
20 | "firefox" {puts "firefox detected\n";} | |
21 | "iceweasel" {puts "iceweasel detected\n";} | |
22 | } | |
23 | expect { | |
24 | timeout {puts "TESTING ERROR 3.2\n";exit} | |
25 | "no-remote" | |
26 | } | |
27 | sleep 1 | |
28 | # grsecurity exit | |
29 | send -- "file /proc/sys/kernel/grsecurity\r" | |
30 | expect { | |
31 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | |
32 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | |
33 | "cannot open" {puts "grsecurity not present\n"} | |
34 | } | |
35 | send -- "firejail --name=blablabla\r" | |
36 | expect { | |
37 | timeout {puts "TESTING ERROR 4\n";exit} | |
38 | "Child process initialized" | |
39 | } | |
40 | sleep 2 | |
41 | ||
42 | spawn $env(SHELL) | |
43 | send -- "firemon --seccomp\r" | |
44 | expect { | |
45 | timeout {puts "TESTING ERROR 5\n";exit} | |
46 | " firefox" {puts "firefox detected\n";} | |
47 | " iceweasel" {puts "iceweasel detected\n";} | |
48 | } | |
49 | expect { | |
50 | timeout {puts "TESTING ERROR 5.0\n";exit} | |
51 | "no-remote" | |
52 | } | |
53 | expect { | |
54 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | |
55 | "Seccomp: 2" | |
56 | } | |
57 | expect { | |
58 | timeout {puts "TESTING ERROR 5.1\n";exit} | |
59 | "name=blablabla" | |
60 | } | |
61 | sleep 1 | |
62 | send -- "firemon --caps\r" | |
63 | expect { | |
64 | timeout {puts "TESTING ERROR 6\n";exit} | |
65 | " firefox" {puts "firefox detected\n";} | |
66 | " iceweasel" {puts "iceweasel detected\n";} | |
67 | } | |
68 | expect { | |
69 | timeout {puts "TESTING ERROR 6.0\n";exit} | |
70 | "no-remote" | |
71 | } | |
72 | expect { | |
73 | timeout {puts "TESTING ERROR 6.1\n";exit} | |
74 | "CapBnd:" | |
75 | } | |
76 | expect { | |
77 | timeout {puts "TESTING ERROR 6.2\n";exit} | |
78 | "0000000000000000" | |
79 | } | |
80 | expect { | |
81 | timeout {puts "TESTING ERROR 6.3\n";exit} | |
82 | "name=blablabla" | |
83 | } | |
84 | sleep 1 | |
85 | send -- "firejail --shutdown=test\r" | |
86 | sleep 3 | |
87 | ||
88 | puts "\nall done\n" | |
89 |
0 | #!/usr/bin/expect -f | |
1 | # This file is part of Firejail project | |
2 | # Copyright (C) 2014-2016 Firejail Authors | |
3 | # License GPL v2 | |
4 | ||
5 | set timeout 10 | |
6 | spawn $env(SHELL) | |
7 | match_max 100000 | |
8 | ||
9 | send -- "firejail --name=test --x11=xorg icedove\r" | |
10 | sleep 10 | |
11 | ||
12 | spawn $env(SHELL) | |
13 | send -- "firejail --list\r" | |
14 | expect { | |
15 | timeout {puts "TESTING ERROR 3\n";exit} | |
16 | ":firejail" | |
17 | } | |
18 | expect { | |
19 | timeout {puts "TESTING ERROR 3.1\n";exit} | |
20 | "icedove" | |
21 | } | |
22 | sleep 1 | |
23 | ||
24 | # grsecurity exit | |
25 | send -- "file /proc/sys/kernel/grsecurity\r" | |
26 | expect { | |
27 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | |
28 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | |
29 | "cannot open" {puts "grsecurity not present\n"} | |
30 | } | |
31 | ||
32 | send -- "firejail --name=blablabla\r" | |
33 | expect { | |
34 | timeout {puts "TESTING ERROR 4\n";exit} | |
35 | "Child process initialized" | |
36 | } | |
37 | sleep 2 | |
38 | ||
39 | spawn $env(SHELL) | |
40 | send -- "firemon --seccomp\r" | |
41 | expect { | |
42 | timeout {puts "TESTING ERROR 5\n";exit} | |
43 | ":firejail" | |
44 | } | |
45 | expect { | |
46 | timeout {puts "TESTING ERROR 5.0\n";exit} | |
47 | "icedove" | |
48 | } | |
49 | expect { | |
50 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | |
51 | "Seccomp: 2" | |
52 | } | |
53 | expect { | |
54 | timeout {puts "TESTING ERROR 5.1\n";exit} | |
55 | "name=blablabla" | |
56 | } | |
57 | sleep 2 | |
58 | send -- "firemon --caps\r" | |
59 | expect { | |
60 | timeout {puts "TESTING ERROR 6\n";exit} | |
61 | ":firejail" | |
62 | } | |
63 | expect { | |
64 | timeout {puts "TESTING ERROR 6.0\n";exit} | |
65 | "icedove" | |
66 | } | |
67 | expect { | |
68 | timeout {puts "TESTING ERROR 6.1\n";exit} | |
69 | "CapBnd" | |
70 | } | |
71 | expect { | |
72 | timeout {puts "TESTING ERROR 6.2\n";exit} | |
73 | "0000000000000000" | |
74 | } | |
75 | expect { | |
76 | timeout {puts "TESTING ERROR 6.3\n";exit} | |
77 | "name=blablabla" | |
78 | } | |
79 | sleep 1 | |
80 | send -- "firejail --shutdown=test\r" | |
81 | sleep 3 | |
82 | ||
83 | puts "\nall done\n" | |
84 |
0 | #!/usr/bin/expect -f | |
1 | # This file is part of Firejail project | |
2 | # Copyright (C) 2014-2016 Firejail Authors | |
3 | # License GPL v2 | |
4 | ||
5 | set timeout 10 | |
6 | spawn $env(SHELL) | |
7 | match_max 100000 | |
8 | ||
9 | send -- "firejail --name=test --x11=xorg transmission-gtk\r" | |
10 | sleep 10 | |
11 | ||
12 | spawn $env(SHELL) | |
13 | send -- "firejail --list\r" | |
14 | expect { | |
15 | timeout {puts "TESTING ERROR 3\n";exit} | |
16 | ":firejail" | |
17 | } | |
18 | expect { | |
19 | timeout {puts "TESTING ERROR 3.1\n";exit} | |
20 | "transmission-gtk" | |
21 | } | |
22 | sleep 1 | |
23 | ||
24 | # grsecurity exit | |
25 | send -- "file /proc/sys/kernel/grsecurity\r" | |
26 | expect { | |
27 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | |
28 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | |
29 | "cannot open" {puts "grsecurity not present\n"} | |
30 | } | |
31 | ||
32 | send -- "firejail --name=blablabla\r" | |
33 | expect { | |
34 | timeout {puts "TESTING ERROR 4\n";exit} | |
35 | "Child process initialized" | |
36 | } | |
37 | sleep 2 | |
38 | ||
39 | spawn $env(SHELL) | |
40 | send -- "firemon --seccomp\r" | |
41 | expect { | |
42 | timeout {puts "TESTING ERROR 5\n";exit} | |
43 | ":firejail" | |
44 | } | |
45 | expect { | |
46 | timeout {puts "TESTING ERROR 5.0\n";exit} | |
47 | "transmission-gtk" | |
48 | } | |
49 | expect { | |
50 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | |
51 | "Seccomp: 2" | |
52 | } | |
53 | expect { | |
54 | timeout {puts "TESTING ERROR 5.1\n";exit} | |
55 | "name=blablabla" | |
56 | } | |
57 | sleep 1 | |
58 | send -- "firemon --caps\r" | |
59 | expect { | |
60 | timeout {puts "TESTING ERROR 6\n";exit} | |
61 | ":firejail" | |
62 | } | |
63 | expect { | |
64 | timeout {puts "TESTING ERROR 6.0\n";exit} | |
65 | "transmission-gtk" | |
66 | } | |
67 | expect { | |
68 | timeout {puts "TESTING ERROR 6.1\n";exit} | |
69 | "CapBnd" | |
70 | } | |
71 | expect { | |
72 | timeout {puts "TESTING ERROR 6.2\n";exit} | |
73 | "0000000000000000" | |
74 | } | |
75 | expect { | |
76 | timeout {puts "TESTING ERROR 6.3\n";exit} | |
77 | "name=blablabla" | |
78 | } | |
79 | sleep 1 | |
80 | send -- "firejail --shutdown=test\r" | |
81 | sleep 3 | |
82 | ||
83 | puts "\nall done\n" | |
84 |
45 | 45 | } |
46 | 46 | send -- "sudo -s\r" |
47 | 47 | expect { |
48 | timeout {puts "TESTING ERROR 8\n";exit} | |
48 | timeout {puts "TESTING ERROR 7\n";exit} | |
49 | 49 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} |
50 | 50 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} |
51 | 51 | "Bad system call" { puts "OK\n";} |
52 | 52 | } |
53 | 53 | send -- "cat /proc/self/uid_map | wc -l\r" |
54 | 54 | expect { |
55 | timeout {puts "TESTING ERROR 7\n";exit} | |
55 | timeout {puts "TESTING ERROR 8\n";exit} | |
56 | 56 | "1" |
57 | 57 | } |
58 | 58 | send -- "cat /proc/self/gid_map | wc -l\r" |
59 | 59 | expect { |
60 | timeout {puts "TESTING ERROR 8\n";exit} | |
61 | "3" | |
60 | timeout {puts "TESTING ERROR 9\n";exit} | |
61 | "5" | |
62 | 62 | } |
63 | 63 | |
64 | 64 | puts "\n" |
69 | 69 | |
70 | 70 | send -- "firejail --name=test --noroot --noprofile\r" |
71 | 71 | expect { |
72 | timeout {puts "TESTING ERROR 9\n";exit} | |
72 | timeout {puts "TESTING ERROR 10\n";exit} | |
73 | 73 | "Child process initialized" |
74 | 74 | } |
75 | 75 | sleep 1 |
76 | 76 | |
77 | 77 | send -- "cat /proc/self/status\r" |
78 | 78 | expect { |
79 | timeout {puts "TESTING ERROR 10\n";exit} | |
79 | timeout {puts "TESTING ERROR 11\n";exit} | |
80 | 80 | "CapBnd:" |
81 | 81 | } |
82 | 82 | expect { |
83 | timeout {puts "TESTING ERROR 11\n";exit} | |
83 | timeout {puts "TESTING ERROR 12\n";exit} | |
84 | 84 | "ffffffff" |
85 | 85 | } |
86 | 86 | expect { |
87 | timeout {puts "TESTING ERROR 12\n";exit} | |
87 | timeout {puts "TESTING ERROR 13\n";exit} | |
88 | 88 | "Seccomp:" |
89 | 89 | } |
90 | 90 | expect { |
91 | timeout {puts "TESTING ERROR 13\n";exit} | |
91 | timeout {puts "TESTING ERROR 14\n";exit} | |
92 | 92 | "0" |
93 | 93 | } |
94 | 94 | expect { |
95 | timeout {puts "TESTING ERROR 14\n";exit} | |
95 | timeout {puts "TESTING ERROR 15\n";exit} | |
96 | 96 | "Cpus_allowed:" |
97 | 97 | } |
98 | 98 | puts "\n" |
99 | 99 | |
100 | 100 | send -- "whoami\r" |
101 | 101 | expect { |
102 | timeout {puts "TESTING ERROR 15\n";exit} | |
102 | timeout {puts "TESTING ERROR 16\n";exit} | |
103 | 103 | $env(USER) |
104 | 104 | } |
105 | 105 | send -- "sudo -s\r" |
106 | 106 | expect { |
107 | timeout {puts "TESTING ERROR 16\n";exit} | |
107 | timeout {puts "TESTING ERROR 17\n";exit} | |
108 | 108 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} |
109 | 109 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} |
110 | 110 | } |
111 | 111 | send -- "ping 0\r" |
112 | 112 | expect { |
113 | timeout {puts "TESTING ERROR 17\n";exit} | |
113 | timeout {puts "TESTING ERROR 18\n";exit} | |
114 | 114 | "Operation not permitted" |
115 | 115 | } |
116 | 116 | send -- "cat /proc/self/uid_map | wc -l\r" |
117 | 117 | expect { |
118 | timeout {puts "TESTING ERROR 18\n";exit} | |
118 | timeout {puts "TESTING ERROR 19\n";exit} | |
119 | 119 | "1" |
120 | 120 | } |
121 | 121 | send -- "cat /proc/self/gid_map | wc -l\r" |
122 | 122 | expect { |
123 | timeout {puts "TESTING ERROR 19\n";exit} | |
124 | "3" | |
123 | timeout {puts "TESTING ERROR 20\n";exit} | |
124 | "5" | |
125 | 125 | } |
126 | 126 | |
127 | 127 | |
129 | 129 | spawn $env(SHELL) |
130 | 130 | send -- "firejail --debug --join=test\r" |
131 | 131 | expect { |
132 | timeout {puts "TESTING ERROR 20\n";exit} | |
132 | timeout {puts "TESTING ERROR 21\n";exit} | |
133 | 133 | "User namespace detected" |
134 | 134 | } |
135 | 135 | expect { |
136 | timeout {puts "TESTING ERROR 21\n";exit} | |
136 | timeout {puts "TESTING ERROR 22\n";exit} | |
137 | 137 | "Joining user namespace" |
138 | 138 | } |
139 | 139 | sleep 1 |
140 | 140 | |
141 | 141 | send -- "sudo -s\r" |
142 | 142 | expect { |
143 | timeout {puts "TESTING ERROR 22\n";exit} | |
143 | timeout {puts "TESTING ERROR 23\n";exit} | |
144 | 144 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} |
145 | 145 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} |
146 | 146 | "Permission denied" { puts "OK\n";} |
147 | 147 | } |
148 | 148 | send -- "cat /proc/self/uid_map | wc -l\r" |
149 | 149 | expect { |
150 | timeout {puts "TESTING ERROR 23\n";exit} | |
150 | timeout {puts "TESTING ERROR 24\n";exit} | |
151 | 151 | "1" |
152 | 152 | } |
153 | 153 | send -- "cat /proc/self/gid_map | wc -l\r" |
154 | 154 | expect { |
155 | timeout {puts "TESTING ERROR 24\n";exit} | |
156 | "3" | |
155 | timeout {puts "TESTING ERROR 25\n";exit} | |
156 | "5" | |
157 | 157 | } |
158 | 158 | after 100 |
159 | 159 | puts "\nall done\n" |
4 | 4 | |
5 | 5 | export MALLOC_CHECK_=3 |
6 | 6 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
7 | ||
8 | echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" | |
9 | ./sys_fs.exp | |
7 | 10 | |
8 | 11 | echo "TESTING: kmsg access (test/fs/kmsg.exp)" |
9 | 12 | ./kmsg.exp |
0 | #!/usr/bin/expect -f | |
1 | # This file is part of Firejail project | |
2 | # Copyright (C) 2014-2016 Firejail Authors | |
3 | # License GPL v2 | |
4 | ||
5 | set timeout 10 | |
6 | spawn $env(SHELL) | |
7 | match_max 100000 | |
8 | ||
9 | send -- "firejail\r" | |
10 | expect { | |
11 | timeout {puts "TESTING ERROR 1\n";exit} | |
12 | "Child process initialized" | |
13 | } | |
14 | sleep 1 | |
15 | ||
16 | send -- "ls /sys/fs\r" | |
17 | expect { | |
18 | timeout {puts "TESTING ERROR 2\n";exit} | |
19 | "Permission denied" | |
20 | } | |
21 | after 100 | |
22 | ||
23 | send -- "exit\r" | |
24 | sleep 1 | |
25 | ||
26 | send -- "firejail --noblacklist=/sys/fs\r" | |
27 | expect { | |
28 | timeout {puts "TESTING ERROR 1\n";exit} | |
29 | "Child process initialized" | |
30 | } | |
31 | sleep 1 | |
32 | ||
33 | send -- "ls /sys/fs\r" | |
34 | expect { | |
35 | timeout {puts "TESTING ERROR 2\n";exit} | |
36 | "cgroup" | |
37 | } | |
38 | after 100 | |
39 | send -- "exit\r" | |
40 | after 100 | |
41 | ||
42 | puts "\nall done\n" | |
43 |