Merge tag 'upstream/0.9.44' Upstream version 0.9.44 # gpg: Signature made Sun 23 Oct 2016 12:08:58 PM CEST # gpg: using RSA key CCF04928DB0EEAA7 # gpg: issuer "reiner@reiner-h.de" # gpg: Good signature from "Reiner Herrmann <reiner@reiner-h.de>" [ultimate] # Primary key fingerprint: 2F5D AF3F C1F7 93D9 4F3D 900C A721 DA05 5374 AA4F # Subkey fingerprint: D8F6 FA7D EA24 D90D 6EAC 733B CCF0 4928 DB0E EAA7 Reiner Herrmann 7 years ago
42 changed file(s) with 1152 addition(s) and 72 deletion(s). Raw diff Collapse all Expand all
140140 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
141141
142142 DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
143 DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils"
143 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils"
144144
145145 dist:
146146 mv config.status config.status.old
7676 - added gnome-chess profile
7777 - added DOSBox profile
7878 - evince profile enhancement
79 valoq (https://github.com/valoq)
80 - LibreOffice profile fixes
81 - cherrytree profile fixes
82 - added support for /srv in --whitelist feature
83 - Eye of GNOME and Evolution profiles
84 Rafael Cavalcanti (https://github.com/rccavalcanti)
85 - chromium profile fixes for Arch Linux
7986 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
8087 - added xpdf profile
8188 vismir2 (https://github.com/vismir2)
8390 Dara Adib (https://github.com/daradib)
8491 - ssh profile fix
8592 - evince profile fix
86 valoq (https://github.com/valoq)
87 - LibreOffice profile fixes
88 - cherrytree profile fixes
8993 vismir2 (https://github.com/vismir2)
9094 - feh, ranger, 7z, keepass, keepassx and zathura profiles
9195 - lots of profile fixes
0 firejail (0.9.43) baseline; urgency=low
0 firejail (0.9.44) baseline; urgency=low
11 * CVE-2016-7545 submitted by Aleksey Manevich
2 * development version
32 * modifs: removed man firejail-config
43 * modifs: --private-tmp whitelists /tmp/.X11-unix directory
54 * modifs: Nvidia drivers added to --private-dev
5 * modifs: /srv supported by --whitelist
6 * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
67 * feature: support starting/joining sandbox is a single command
78 (--join-or-start)
89 * feature: X11 detection support for --audit
1415 * feature: X11 security extension (--x11=xorg)
1516 * feature: disable 3D hardware acceleration (--no3d)
1617 * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
18 * feature: move files in sandbox (--put)
19 * feature: accept wildcard patterns in user name field of restricted
20 shell login feature
1721 * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
1822 * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
19 * new profiles: claws-mail, mutt, git, emacs, vim, xpdf
20 * bugfixes
21 -- netblue30 <netblue30@yahoo.com> Fri, 9 Sept 2016 08:00:00 -0500
23 * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
24 * new profiles: Flowblade, Eye of GNOME (eog), Evolution
25 * bugfixes
26 -- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500
2227
2328 firejail (0.9.42) baseline; urgency=low
2429 * security: --whitelist deleted files, submitted by Vasya Novikov
00 #! /bin/sh
11 # Guess values for system-dependent variables and create Makefiles.
2 # Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1.
2 # Generated by GNU Autoconf 2.69 for firejail 0.9.44.
33 #
44 # Report bugs to <netblue30@yahoo.com>.
55 #
579579 # Identity of this package.
580580 PACKAGE_NAME='firejail'
581581 PACKAGE_TARNAME='firejail'
582 PACKAGE_VERSION='0.9.44~rc1'
583 PACKAGE_STRING='firejail 0.9.44~rc1'
582 PACKAGE_VERSION='0.9.44'
583 PACKAGE_STRING='firejail 0.9.44'
584584 PACKAGE_BUGREPORT='netblue30@yahoo.com'
585585 PACKAGE_URL='http://firejail.wordpress.com'
586586
12581258 # Omit some internal or obsolete options to make the list less imposing.
12591259 # This message is too long to be a string in the A/UX 3.1 sh.
12601260 cat <<_ACEOF
1261 \`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems.
1261 \`configure' configures firejail 0.9.44 to adapt to many kinds of systems.
12621262
12631263 Usage: $0 [OPTION]... [VAR=VALUE]...
12641264
13191319
13201320 if test -n "$ac_init_help"; then
13211321 case $ac_init_help in
1322 short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";;
1322 short | recursive ) echo "Configuration of firejail 0.9.44:";;
13231323 esac
13241324 cat <<\_ACEOF
13251325
14231423 test -n "$ac_init_help" && exit $ac_status
14241424 if $ac_init_version; then
14251425 cat <<\_ACEOF
1426 firejail configure 0.9.44~rc1
1426 firejail configure 0.9.44
14271427 generated by GNU Autoconf 2.69
14281428
14291429 Copyright (C) 2012 Free Software Foundation, Inc.
17251725 This file contains any messages produced by compilers while
17261726 running configure, to aid debugging if configure makes a mistake.
17271727
1728 It was created by firejail $as_me 0.9.44~rc1, which was
1728 It was created by firejail $as_me 0.9.44, which was
17291729 generated by GNU Autoconf 2.69. Invocation command line was
17301730
17311731 $ $0 $@
43024302 # report actual input values of CONFIG_FILES etc. instead of their
43034303 # values after options handling.
43044304 ac_log="
4305 This file was extended by firejail $as_me 0.9.44~rc1, which was
4305 This file was extended by firejail $as_me 0.9.44, which was
43064306 generated by GNU Autoconf 2.69. Invocation command line was
43074307
43084308 CONFIG_FILES = $CONFIG_FILES
43564356 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
43574357 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
43584358 ac_cs_version="\\
4359 firejail config.status 0.9.44~rc1
4359 firejail config.status 0.9.44
43604360 configured by $0, generated by GNU Autoconf 2.69,
43614361 with options \\"\$ac_cs_config\\"
43624362
00 AC_PREREQ([2.68])
1 AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)
1 AC_INIT(firejail, 0.9.44, netblue30@yahoo.com, , http://firejail.wordpress.com)
22 AC_CONFIG_SRCDIR([src/firejail/main.c])
33 #AC_CONFIG_HEADERS([config.h])
44
2424 whitelist ~/.lastpass
2525 whitelist ~/.config/lastpass
2626
27 # specific to Arch
28 whitelist ~/.config/chromium-flags.conf
29
2730 include /etc/firejail/whitelist-common.inc
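Review bot: The new `whitelist ~/.config/chromium-flags.conf` on line 28 makes that file writable from inside the sandbox, and on Arch it is read by the chromium launcher to build the browser's command line, so a process that can write it can presumably add flags such as `--no-sandbox` or `--load-extension` for the next start. Visibility under the whitelisted home is needed, but write access is not; if this firejail version accepts the `read-only` profile command, follow the whitelist with `read-only ~/.config/chromium-flags.conf` and say why: `# flags file is visible but not writable: it controls the next launch's command line`. Confirm the launcher actually reads the file from inside the sandbox before relying on this.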
1919 # clang/llvm
2020 blacklist /usr/bin/clang*
2121 blacklist /usr/bin/llvm*
22 blacklist /usb/bin/lldb*
22 blacklist /usr/bin/lldb*
2323 blacklist /usr/lib/llvm*
2424
2525 # tcc - Tiny C Compiler
3434 blacklist ${HOME}/.config/zathura
3535 blacklist ${HOME}/.config/cherrytree
3636 blacklist ${HOME}/.xpdfrc
37 blacklist ${HOME}/.openshot
38 blacklist ${HOME}/.openshot_qt
39 blacklist ${HOME}/.flowblade
40 blacklist ${HOME}/.config/flowblade
41 blacklist ${HOME}/.config/eog
3742
3843
3944 # Media players
7176 blacklist ${HOME}/.config/brave
7277 blacklist ${HOME}/.config/inox
7378 blacklist ${HOME}/.muttrc
79 blacklist ${HOME}/.mutt
7480 blacklist ${HOME}/.mutt/muttrc
7581 blacklist ${HOME}/.msmtprc
82 blacklist ${HOME}/.config/evolution
83 blacklist ${HOME}/.local/share/evolution
84 blacklist ${HOME}/.cache/evolution
7685
7786 # Instant Messaging
7887 blacklist ${HOME}/.config/hexchat
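Review bot: Line 80 `blacklist ${HOME}/.mutt/muttrc` becomes redundant once line 79 blacklists the whole `${HOME}/.mutt` directory, and keeping both invites drift when one is edited later; drop line 80 or add a comment saying the per-file entry is intentional. The evolution entries on lines 82–84 look consistent with the matching `noblacklist` lines in the new evolution profile. Both hunks in this file are visible, so nothing else in the section is cut off.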
0 # eog (gnome image viewer) profile
1
2 noblacklist ~/.config/eog
3
4 include /etc/firejail/disable-common.inc
5 include /etc/firejail/disable-programs.inc
6 include /etc/firejail/disable-devel.inc
7 include /etc/firejail/disable-passwdmgr.inc
8
9 caps.drop all
10 netfilter
11 nonewprivs
12 noroot
13 nogroups
14 protocol unix
15 seccomp
16 shell none
17
18 private-bin eog
19 private-dev
20 private-etc fonts
21 private-tmp
22
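Review bot: `netfilter` on line 10 appears to do nothing here, because as I read firejail's --netfilter it only applies inside a new network namespace created by a `net` command, and this profile has none; meanwhile `protocol unix` on line 14 already makes seccomp refuse inet/inet6 socket creation. If the intent is to keep the image viewer off the network, `net none` states that directly and also hides the host interfaces, so replace line 10 with `net none` and add `# no network: eog only reads local image files`. `private-etc fonts` on line 20 is very narrow for a GTK application — it presumably needs at least `gtk-3.0` and `ld.so.cache` — so confirm eog starts and renders with exactly this list before shipping.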
0 # evolution profile
1
2 noblacklist ~/.config/evolution
3 noblacklist ~/.local/share/evolution
4 noblacklist ~/.cache/evolution
5 noblacklist ~/.pki
6 noblacklist ~/.pki/nssdb
7 noblacklist ~/.gnupg
8
9 include /etc/firejail/disable-common.inc
10 include /etc/firejail/disable-programs.inc
11 include /etc/firejail/disable-devel.inc
12 include /etc/firejail/disable-passwdmgr.inc
13
14 caps.drop all
15 netfilter
16 nonewprivs
17 noroot
18 nogroups
19 protocol unix,inet,inet6
20 seccomp
21 shell none
22
23 private-dev
24 private-tmp
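Review bot: Lines 5–7 re-expose `~/.pki`, `~/.pki/nssdb` and `~/.gnupg` to a network-facing mail client, which means the sandboxed process can read the user's full GnuPG keyring including secret keys and the NSS certificate/key database; this is presumably required for OpenPGP and S/MIME, but the profile does not say so, and line 6 is redundant once line 5 unblocks the parent directory. Record the trade-off above those lines, e.g. `# ~/.gnupg and ~/.pki are exposed for OpenPGP/S-MIME signing and decryption; this includes secret keys`. Unlike the eog profile added in the same commit there is no `private-bin` or `private-etc`, so the process keeps every binary and configuration file on the host; if that is deliberate because evolution spawns helpers via evolution-data-server, a comment saying so would stop a later cleanup from tightening it blindly.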
0 # OpenShot profile
1 noblacklist ${HOME}/.flowblade
2 noblacklist ${HOME}/.config/flowblade
3 include /etc/firejail/disable-common.inc
4 include /etc/firejail/disable-programs.inc
5 include /etc/firejail/disable-passwdmgr.inc
6
7 caps.drop all
8 netfilter
9 nonewprivs
10 noroot
11 protocol unix,inet,inet6,netlink
12 seccomp
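Review bot: The header on line 0 reads `# OpenShot profile` but the file unblocks `${HOME}/.flowblade` and `${HOME}/.config/flowblade` and is installed as flowblade.profile elsewhere in this commit, so it should read `# Flowblade profile`. Line 11 `protocol unix,inet,inet6,netlink` permits netlink sockets, which is unusual for a desktop video editor; if a library needs it, name it in a comment, otherwise drop `netlink`. Compared with the eog and evolution profiles in the same commit this one omits `shell none`, `nogroups`, `private-dev` and `private-tmp` — either add them or note why they were left out (e.g. the editor shells out to encoders or needs device access).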
11
22 noblacklist ~/.muttrc
33 noblacklist ~/.mutt
4 noblacklist ~/.mutt/muttrc
45 noblacklist ~/.mailcap
56 noblacklist ~/.gnupg
67 noblacklist ~/.mail
0 # OpenShot profile
1 noblacklist ${HOME}/.openshot
2 noblacklist ${HOME}/.openshot_qt
3 include /etc/firejail/disable-common.inc
4 include /etc/firejail/disable-programs.inc
5 include /etc/firejail/disable-passwdmgr.inc
6
7 caps.drop all
8 netfilter
9 nonewprivs
10 noroot
11 protocol unix,inet,inet6,netlink
12 seccomp
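Review bot: The profile has no `shell none` and no `nogroups`, and no `private-dev`/`private-tmp`, while the eog and evolution profiles added in the same commit use all four; if OpenShot genuinely needs a shell (it presumably runs external encoders) or access to devices, a one-line comment such as `# shell kept: openshot launches encoder helpers via sh` would explain the gap, otherwise add `shell none` and `nogroups`. Line 11 also grants `netlink` sockets with no stated reason; confirm which library needs them or remove it from the `protocol` list.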
0 # VirtualBox profile
1
2 noblacklist ${HOME}/.VirtualBox
3 noblacklist ${HOME}/VirtualBox VMs
4 noblacklist ${HOME}/.config/VirtualBox
5 include /etc/firejail/disable-common.inc
6 include /etc/firejail/disable-programs.inc
7 include /etc/firejail/disable-passwdmgr.inc
8
9 caps.drop all
10
11
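Review bot: The profile stops at `caps.drop all` on line 9 with no `seccomp`, `nonewprivs` or `noroot`, and gives no reason, so the sandbox is largely a filesystem view. Presumably this is because VirtualBox's frontends are setuid-root wrappers that must open the vboxdrv device, which `nonewprivs` and `noroot` would break — if so, write it down so nobody hardens it back: `# no seccomp/nonewprivs/noroot: VirtualBox frontends are setuid root and need /dev/vboxdrv (confirm)`. Line 3 `noblacklist ${HOME}/VirtualBox VMs` contains a space; confirm the profile parser takes the rest of the line as one path rather than splitting on whitespace.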
0 #!/bin/bash
0 #!/bin/sh
11
22 echo "extracting UID_MIN and GID_MIN"
33 echo "#ifndef FIREJAIL_UIDS_H" > uids.h
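Review bot: The shebang now selects `/bin/sh`, but only the first three lines of the script are visible and the rest is outside this section, so the change is only safe if no bashisms remain further down; run `checkbashisms mkuid.sh` or `shellcheck -s sh mkuid.sh` before relying on dash or ash as the interpreter. The visible `echo` and redirection lines are plain POSIX.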
160160 /etc/firejail/emacs.profile
161161 /etc/firejail/vim.profile
162162 /etc/firejail/xpdf.profile
163 /etc/firejail/virtualbox.profile
164 /etc/firejail/openshot.profile
165 /etc/firejail/flowblade.profile
166 /etc/firejail/eog.profile
167 /etc/firejail/evolution.profile
0 #!/bin/bash
1 VERSION="0.9.44"
2 rm -fr ~/rpmbuild
3 rm -f firejail-$VERSION-1.x86_64.rpm
4
5 mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
6 cat <<EOF >~/.rpmmacros
7 %_topdir %(echo $HOME)/rpmbuild
8 %_tmppath %{_topdir}/tmp
9 EOF
10
11 cd ~/rpmbuild
12 echo "building directory tree"
13
14 mkdir -p firejail-$VERSION/usr/bin
15 install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
16 install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
17 install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/.
18
19 mkdir -p firejail-$VERSION/usr/lib/firejail
20 install -m 755 /usr/lib/firejail/faudit firejail-$VERSION/usr/lib/firejail/.
21 install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firejail/.
22 install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/.
23 install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/.
24 install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
25 install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/.
26 install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/.
27
28 mkdir -p firejail-$VERSION/usr/share/man/man1
29 install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
30 install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
31 install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/.
32
33 mkdir -p firejail-$VERSION/usr/share/man/man5
34 install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
35 install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
36
37 mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
38 install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
39 install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
40 install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
41
42 mkdir -p firejail-$VERSION/etc/firejail
43 install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/.
44 install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/.
45 install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/.
46 install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/.
47 install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/.
48 install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/.
49 install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/.
50 install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/.
51 install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/.
52 install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/.
53 install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/.
54 install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/.
55 install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/.
56 install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/.
57 install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/.
58 install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/.
59 install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/.
60 install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/.
61 install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/.
62 install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/.
63 install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/.
64 install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/.
65 install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/.
66 install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/.
67 install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/.
68 install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/.
69 install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/.
70 install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/.
71 install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/.
72 install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/.
73 install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/.
74 install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/.
75 install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/.
76 install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/.
77 install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/.
78 install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/.
79 install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/.
80 install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/.
81 install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/.
82 install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/.
83 install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/.
84 install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/.
85 install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/.
86 install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/.
87 install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/.
88 install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/.
89 install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/.
90 install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/.
91 install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/.
92 install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/.
93 install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/.
94 install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/.
95 install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/.
96 install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/.
97 install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/.
98 install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/.
99 install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/.
100 install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/.
101 install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/.
102 install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/.
103 install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/.
104 install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/.
105 install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/.
106 install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/.
107 install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/.
108 install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/.
109 install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/.
110 install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/.
111 install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/.
112 install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/.
113 install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/.
114 install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/.
115 install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/.
116 install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/.
117 install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/.
118 install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/.
119 install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/.
120 install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/.
121 install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/.
122 install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/.
123 install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/.
124 install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/.
125 install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/.
126 install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/.
127 install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/.
128 install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/.
129 install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/.
130 install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/.
131 install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/.
132 install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/.
133 install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/.
134 install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/.
135 install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/.
136 install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/.
137 install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/.
138 install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/.
139 install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/.
140 install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/.
141 install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/.
142 install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/.
143 install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/.
144 install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/.
145 install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/.
146 install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/.
147 install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/.
148 install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/.
149 install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/.
150 install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/.
151 install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/.
152 install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/.
153 install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/.
154 install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/.
155 install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/.
156 install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/.
157 install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/.
158 install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/.
159 install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/.
160 install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/.
161 install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/.
162 install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/.
163 install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/.
164 install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/.
165 install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/.
166 install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/.
167 install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/.
168 install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/.
169 install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/.
170 install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/.
171 install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/.
172 install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/.
173 install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/.
174 install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/.
175 install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/.
176 install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/.
177 install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/.
178 install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/.
179 install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/.
180 install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/.
181 install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/.
182 install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/.
183 install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/.
184 install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/.
185 install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/.
186 install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/.
187 install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/.
188 install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/.
189 install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/.
190 install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/.
191 install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/.
192 install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/.
193 install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/.
194 install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/.
195 install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/.
196 install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/.
197 install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/.
198 install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/.
199 install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/.
200 install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/.
201 install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/.
202 install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/.
203 install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/.
204 install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/.
205 install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/.
206 install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/.
207 install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/.
208 install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/.
209 install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/.
210 install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/.
211
212
213 mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
214 install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/.
215 install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/.
216 install -m 644 /usr/share/bash-completion/completions/firecfg firejail-$VERSION/usr/share/bash-completion/completions/.
217
218 echo "building tar.gz archive"
219 tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
220
221 cp firejail-$VERSION.tar.gz SOURCES/.
222
223 echo "building config spec"
224 cat <<EOF > SPECS/firejail.spec
225 %define __spec_install_post %{nil}
226 %define debug_package %{nil}
227 %define __os_install_post %{_dbpath}/brp-compress
228
229 Summary: Linux namepaces sandbox program
230 Name: firejail
231 Version: $VERSION
232 Release: 1
233 License: GPL+
234 Group: Development/Tools
235 SOURCE0 : %{name}-%{version}.tar.gz
236 URL: http://firejail.wordpress.com
237
238 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
239
240 %description
241 Firejail is a SUID sandbox program that reduces the risk of security
242 breaches by restricting the running environment of untrusted applications
243 using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
244
245 %prep
246 %setup -q
247
248 %build
249
250 %install
251 rm -rf %{buildroot}
252 mkdir -p %{buildroot}
253
254 cp -a * %{buildroot}
255
256
257 %clean
258 rm -rf %{buildroot}
259
260
261 %files
262 %defattr(-,root,root,-)
263 %config(noreplace) %{_sysconfdir}/%{name}/0ad.profile
264 %config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile
265 %config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile
266 %config(noreplace) %{_sysconfdir}/%{name}/atom.profile
267 %config(noreplace) %{_sysconfdir}/%{name}/atril.profile
268 %config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
269 %config(noreplace) %{_sysconfdir}/%{name}/audacity.profile
270 %config(noreplace) %{_sysconfdir}/%{name}/aweather.profile
271 %config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
272 %config(noreplace) %{_sysconfdir}/%{name}/brave.profile
273 %config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile
274 %config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
275 %config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
276 %config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
277 %config(noreplace) %{_sysconfdir}/%{name}/cmus.profile
278 %config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
279 %config(noreplace) %{_sysconfdir}/%{name}/corebird.profile
280 %config(noreplace) %{_sysconfdir}/%{name}/cpio.profile
281 %config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile
282 %config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile
283 %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
284 %config(noreplace) %{_sysconfdir}/%{name}/default.profile
285 %config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
286 %config(noreplace) %{_sysconfdir}/%{name}/dillo.profile
287 %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
288 %config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
289 %config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc
290 %config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc
291 %config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile
292 %config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile
293 %config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile
294 %config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
295 %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
296 %config(noreplace) %{_sysconfdir}/%{name}/eom.profile
297 %config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile
298 %config(noreplace) %{_sysconfdir}/%{name}/evince.profile
299 %config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
300 %config(noreplace) %{_sysconfdir}/%{name}/file.profile
301 %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
302 %config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile
303 %config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
304 %config(noreplace) %{_sysconfdir}/%{name}/firejail.config
305 %config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile
306 %config(noreplace) %{_sysconfdir}/%{name}/franz.profile
307 %config(noreplace) %{_sysconfdir}/%{name}/gajim.profile
308 %config(noreplace) %{_sysconfdir}/%{name}/gitter.profile
309 %config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile
310 %config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
311 %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
312 %config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
313 %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
314 %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
315 %config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile
316 %config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile
317 %config(noreplace) %{_sysconfdir}/%{name}/gtar.profile
318 %config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile
319 %config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile
320 %config(noreplace) %{_sysconfdir}/%{name}/gzip.profile
321 %config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile
322 %config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
323 %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
324 %config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
325 %config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
326 %config(noreplace) %{_sysconfdir}/%{name}/inox.profile
327 %config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile
328 %config(noreplace) %{_sysconfdir}/%{name}/kmail.profile
329 %config(noreplace) %{_sysconfdir}/%{name}/konversation.profile
330 %config(noreplace) %{_sysconfdir}/%{name}/less.profile
331 %config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile
332 %config(noreplace) %{_sysconfdir}/%{name}/localc.profile
333 %config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile
334 %config(noreplace) %{_sysconfdir}/%{name}/loffice.profile
335 %config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile
336 %config(noreplace) %{_sysconfdir}/%{name}/login.users
337 %config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile
338 %config(noreplace) %{_sysconfdir}/%{name}/lomath.profile
339 %config(noreplace) %{_sysconfdir}/%{name}/loweb.profile
340 %config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile
341 %config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile
342 %config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile
343 %config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile
344 %config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile
345 %config(noreplace) %{_sysconfdir}/%{name}/midori.profile
346 %config(noreplace) %{_sysconfdir}/%{name}/mpv.profile
347 %config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile
348 %config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile
349 %config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
350 %config(noreplace) %{_sysconfdir}/%{name}/okular.profile
351 %config(noreplace) %{_sysconfdir}/%{name}/openbox.profile
352 %config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
353 %config(noreplace) %{_sysconfdir}/%{name}/opera.profile
354 %config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile
355 %config(noreplace) %{_sysconfdir}/%{name}/parole.profile
356 %config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
357 %config(noreplace) %{_sysconfdir}/%{name}/pix.profile
358 %config(noreplace) %{_sysconfdir}/%{name}/polari.profile
359 %config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile
360 %config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
361 %config(noreplace) %{_sysconfdir}/%{name}/qtox.profile
362 %config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
363 %config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile
364 %config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile
365 %config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
366 %config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
367 %config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile
368 %config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile
369 %config(noreplace) %{_sysconfdir}/%{name}/server.profile
370 %config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile
371 %config(noreplace) %{_sysconfdir}/%{name}/skype.profile
372 %config(noreplace) %{_sysconfdir}/%{name}/slack.profile
373 %config(noreplace) %{_sysconfdir}/%{name}/snap.profile
374 %config(noreplace) %{_sysconfdir}/%{name}/soffice.profile
375 %config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
376 %config(noreplace) %{_sysconfdir}/%{name}/ssh.profile
377 %config(noreplace) %{_sysconfdir}/%{name}/steam.profile
378 %config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile
379 %config(noreplace) %{_sysconfdir}/%{name}/strings.profile
380 %config(noreplace) %{_sysconfdir}/%{name}/tar.profile
381 %config(noreplace) %{_sysconfdir}/%{name}/telegram.profile
382 %config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile
383 %config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
384 %config(noreplace) %{_sysconfdir}/%{name}/totem.profile
385 %config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
386 %config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
387 %config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile
388 %config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
389 %config(noreplace) %{_sysconfdir}/%{name}/unrar.profile
390 %config(noreplace) %{_sysconfdir}/%{name}/unzip.profile
391 %config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile
392 %config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile
393 %config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile
394 %config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
395 %config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile
396 %config(noreplace) %{_sysconfdir}/%{name}/webserver.net
397 %config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
398 %config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
399 %config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile
400 %config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
401 %config(noreplace) %{_sysconfdir}/%{name}/wine.profile
402 %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
403 %config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile
404 %config(noreplace) %{_sysconfdir}/%{name}/xreader.profile
405 %config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile
406 %config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile
407 %config(noreplace) %{_sysconfdir}/%{name}/xz.profile
408 %config(noreplace) %{_sysconfdir}/%{name}/zathura.profile
409 %config(noreplace) %{_sysconfdir}/%{name}/7z.profile
410 %config(noreplace) %{_sysconfdir}/%{name}/keepass.profile
411 %config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile
412 %config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile
413 %config(noreplace) %{_sysconfdir}/%{name}/mutt.profile
414 %config(noreplace) %{_sysconfdir}/%{name}/git.profile
415 %config(noreplace) %{_sysconfdir}/%{name}/emacs.profile
416 %config(noreplace) %{_sysconfdir}/%{name}/vim.profile
417 %config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile
418 %config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile
419 %config(noreplace) %{_sysconfdir}/%{name}/openshot.profile
420 %config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile
421 %config(noreplace) %{_sysconfdir}/%{name}/eog.profile
422 %config(noreplace) %{_sysconfdir}/%{name}/evolution.profile
423 %config(noreplace) %{_sysconfdir}/%{name}/feh.profile
424 %config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile
425 %config(noreplace) %{_sysconfdir}/%{name}/gimp.profile
426 %config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile
427 %config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile
428 %config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile
429 %config(noreplace) %{_sysconfdir}/%{name}/ranger.profile
430 %config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile
431
432 /usr/bin/firejail
433 /usr/bin/firemon
434 /usr/bin/firecfg
435
436 /usr/lib/firejail/libtrace.so
437 /usr/lib/firejail/libtracelog.so
438 /usr/lib/firejail/libconnect.so
439 /usr/lib/firejail/faudit
440 /usr/lib/firejail/ftee
441 /usr/lib/firejail/firecfg.config
442 /usr/lib/firejail/fshaper.sh
443
444 /usr/share/doc/packages/firejail/COPYING
445 /usr/share/doc/packages/firejail/README
446 /usr/share/doc/packages/firejail/RELNOTES
447 /usr/share/man/man1/firejail.1.gz
448 /usr/share/man/man1/firemon.1.gz
449 /usr/share/man/man1/firecfg.1.gz
450 /usr/share/man/man5/firejail-profile.5.gz
451 /usr/share/man/man5/firejail-login.5.gz
452 /usr/share/bash-completion/completions/firejail
453 /usr/share/bash-completion/completions/firemon
454 /usr/share/bash-completion/completions/firecfg
455
456 %post
457 chmod u+s /usr/bin/firejail
458
459 %changelog
460 * Fri Oct 21 2016 netblue30 <netblue30@yahoo.com> 0.9.44-1
461 - CVE-2016-7545 submitted by Aleksey Manevich
462 - modifs: removed man firejail-config
463 - modifs: --private-tmp whitelists /tmp/.X11-unix directory
464 - modifs: Nvidia drivers added to --private-dev
465 - modifs: /srv supported by --whitelist
466 - feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
467 - feature: support starting/joining sandbox is a single command
468 (--join-or-start)
469 - feature: X11 detection support for --audit
470 - feature: assign a name to the interface connected to the bridge
471 (--veth-name)
472 - feature: all user home directories are visible (--allusers)
473 - feature: add files to sandbox container (--put)
474 - feature: blocking x11 (--x11=block)
475 - feature: X11 security extension (--x11=xorg)
476 - feature: disable 3D hardware acceleration (--no3d)
477 - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
478 - feature: move files in sandbox (--put)
479 - feature: accept wildcard patterns in user name field of restricted
480 shell login feature
481 - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
482 - new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
483 - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
484 - new profiles: Flowblade, Eye of GNOME (eog), Evolution
485 - bugfixes
486
487 * Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1
488 - security: --whitelist deleted files, submitted by Vasya Novikov
489 - security: disable x32 ABI in seccomp, submitted by Jann Horn
490 - security: tighten --chroot, submitted by Jann Horn
491 - security: terminal sandbox escape, submitted by Stephan Sokolow
492 - security: several TOCTOU fixes submitted by Aleksey Manevich
493 - modifs: bringing back --private-home option
494 - modifs: deprecated --user option, please use "sudo -u username firejail"
495 - modifs: allow symlinks in home directory for --whitelist option
496 - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
497 - modifs: recursive mkdir
498 - modifs: include /dev/snd in --private-dev
499 - modifs: seccomp filter update
500 - modifs: release archives moved to .xz format
501 - feature: AppImage support (--appimage)
502 - feature: AppArmor support (--apparmor)
503 - feature: Ubuntu snap support (/etc/firejail/snap.profile)
504 - feature: Sandbox auditing support (--audit)
505 - feature: remove environment variable (--rmenv)
506 - feature: noexec support (--noexec)
507 - feature: clean local overlay storage directory (--overlay-clean)
508 - feature: store and reuse overlay (--overlay-named)
509 - feature: allow debugging inside the sandbox with gdb and strace
510 (--allow-debuggers)
511 - feature: mkfile profile command
512 - feature: quiet profile command
513 - feature: x11 profile command
514 - feature: option to fix desktop files (firecfg --fix)
515 - compile time: Busybox support (--enable-busybox-workaround)
516 - compile time: disable overlayfs (--disable-overlayfs)
517 - compile time: disable whitlisting (--disable-whitelist)
518 - compile time: disable global config (--disable-globalcfg)
519 - run time: enable/disable overlayfs (overlayfs yes/no)
520 - run time: enable/disable quiet as default (quiet-by-default yes/no)
521 - run time: user-defined network filter (netfilter-default)
522 - run time: enable/disable whitelisting (whitelist yes/no)
523 - run time: enable/disable remounting of /proc and /sys
524 (remount-proc-sys yes/no)
525 - run time: enable/disable chroot desktop features (chroot-desktop yes/no)
526 - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
527 - profiles: pix, audacity, xz, xzdec, gzip, cpio, less
528 - profiles: Atom Beta, Atom, jitsi, eom, uudeview
529 - profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
530 - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
531 - bugfixes
532
533 EOF
534
535 echo "building rpm"
536 rpmbuild -ba SPECS/firejail.spec
537 rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
538 cd ..
539 rm -f firejail-$VERSION-1.x86_64.rpm
540 cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
541
9191 errExit("fork");
9292 if (child == 0) {
9393 execl(prog, prog, "syscall", name, NULL);
94 exit(1);
94 perror("execl");
95 _exit(1);
9596 }
9697
9798 // wait for the child to finish
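Review bot: The failure status set by the new `_exit(1)` is not consumed anywhere visible: the last line says the parent waits for the child, and in the sibling hunks that make the same exec-failure change the wait is `waitpid(child, NULL, 0)`, which discards the status, so a failed exec is reported on stderr and setup simply continues. That matters most for the `cp -a` children copying into the private bin/etc directories and for the iptables-restore/ip6tables-restore children, where a missing binary silently leaves the sandbox without the copied files or without the network filter. Suggest `int status; waitpid(child, &status, 0);` followed by `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: helper failed\n"); exit(1); }` at each of those waits, or a comment stating that the helper is intentionally best-effort. The enclosing function starts and ends outside the hunk.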
4646 thunderbird
4747 vivaldi-beta
4848 vivaldi
49 evolution
4950
5051 # chat/messaging
5152 bitlbee
7576 mupen64plus
7677 wine
7778 dosbox
79 virtualbox
7880
7981 # games
8082 0ad
136138 xpdf
137139 xreader
138140 zathura
141 openshot
142 flowblade
143 eog
139144
140145 # other
141146 ssh
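Review bot: The new `openshot`, `flowblade` and `eog` entries are appended after `zathura` although the neighbouring entries (`xpdf`, `xreader`, `zathura`) are alphabetical, and `evolution` is likewise added after `vivaldi`; keeping each group sorted makes duplicates easier to spot when this list is merged with downstream changes. Insert the new names at their alphabetical position within their group.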
5959 #define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
6060 #define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
6161 #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
62 #define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv"
6263
6364 #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
6465 #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
172173 unsigned var_dir:1; // whitelist in /var directory
173174 unsigned dev_dir:1; // whitelist in /dev directory
174175 unsigned opt_dir:1; // whitelist in /opt directory
176 unsigned srv_dir:1; // whitelist in /srv directory
175177 }ProfileEntry;
176178
177179 typedef struct config_t {
648648
649649 disable_file(BLACKLIST_FILE, "/sys/firmware");
650650 disable_file(BLACKLIST_FILE, "/sys/hypervisor");
651 disable_file(BLACKLIST_FILE, "/sys/fs");
651 { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
652 EUID_USER();
653 profile_add("blacklist /sys/fs");
654 EUID_ROOT();
655 }
652656 disable_file(BLACKLIST_FILE, "/sys/module");
653657 disable_file(BLACKLIST_FILE, "/sys/power");
654658 disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
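Review bot: The replaced `disable_file(BLACKLIST_FILE, "/sys/fs")` took effect unconditionally at this point, whereas `profile_add("blacklist /sys/fs")` only queues a rule whose effect depends on when the profile list is evaluated and on a command-line `--noblacklist=/sys/fs` entry taking precedence over it; neither ordering is visible in this hunk, so the assumption the comment relies on should be pinned, e.g. `// relies on profile rules being applied after this call and on noblacklist entries winning over this later blacklist entry`. The `EUID_USER()`/`EUID_ROOT()` switch around a call that appears to only append to the in-memory rule list also deserves a word on why it is needed, since the surrounding `disable_file` calls run as root without it. The enclosing function starts and ends outside the hunk.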
191191 if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1)
192192 errExit("asprintf");
193193 execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL);
194 perror("execlp");
195 _exit(1);
194196 }
195197 // wait for the child to finish
196198 waitpid(child, NULL, 0);
244246 duplicate(ptr);
245247 free(dlist);
246248 fs_logger_print();
247 exit(0);
249 _exit(0);
248250 }
249251 // wait for the child to finish
250252 waitpid(child, NULL, 0);
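Review bot: `_exit(0)` skips the stdio flush that `exit(0)` performed, so anything `fs_logger_print()` left in a buffered FILE* that is not closed before this line is lost in the child; I cannot see how fs_logger_print() writes, so that case is an assumption to confirm, but the same swap is made after fs_logger_print() in two later hunks and, unambiguously, in the children that end with `printf("Host network configured\n"); _exit(0);` and `net_ifprint(); printf("\n"); _exit(0);`, whose stdout output is dropped whenever stdout is a pipe or file rather than a terminal. If the point of `_exit` is to keep the child from running the parent's atexit handlers, keep it and add `fflush(NULL);` immediately before each `_exit(0)` that follows buffered output. The enclosing function starts outside the hunk.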
105105 if (asprintf(&f, "/etc/%s", fname) == -1)
106106 errExit("asprintf");
107107 execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL);
108 perror("execlp");
109 _exit(1);
108110 }
109111 // wait for the child to finish
110112 waitpid(child, NULL, 0);
168170 duplicate(ptr);
169171 free(dlist);
170172 fs_logger_print();
171 exit(0);
173 _exit(0);
172174 }
173175 // wait for the child to finish
174176 waitpid(child, NULL, 0);
640640
641641 fs_logger_print(); // save the current log
642642 free(dlist);
643 exit(0);
643 _exit(0);
644644 }
645645 // wait for the child to finish
646646 waitpid(child, NULL, 0);
8080
8181 // create directory
8282 mkdir_recursive(expanded);
83 exit(0);
83 _exit(0);
8484 }
8585 // wait for the child to finish
8686 waitpid(child, NULL, 0);
125125 (void) rv;
126126 fclose(fp);
127127 }
128 exit(0);
128 _exit(0);
129129 }
130130 // wait for the child to finish
131131 waitpid(child, NULL, 0);
253253 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
254254 errExit("asprintf");
255255 }
256
256 else if (entry->srv_dir) {
257 fname = path + 4; // strlen("/srv")
258 if (*fname == '\0') {
259 fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path);
260 exit(1);
261 }
262
263 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
264 errExit("asprintf");
265 }
257266 // check if the file exists
258267 struct stat s;
259268 if (wfile && stat(wfile, &s) == 0) {
316325 int var_dir = 0; // /var directory flag
317326 int dev_dir = 0; // /dev directory flag
318327 int opt_dir = 0; // /opt directory flag
319
328 int srv_dir = 0; // /srv directory flag
320329 // verify whitelist files, extract symbolic links, etc.
321330 while (entry) {
322331 // handle only whitelist commands
386395 dev_dir = 1;
387396 else if (strncmp(new_name, "/opt/", 5) == 0)
388397 opt_dir = 1;
389
398 else if (strncmp(new_name, "/srv/", 5) == 0)
399 opt_dir = 1;
400
390401 continue;
391402 }
392403
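Review bot: The new `/srv/` branch sets `opt_dir = 1`, which looks like a copy of the `/opt/` branch above it: the earlier hunk declares `int srv_dir = 0; // /srv directory flag` for exactly this purpose, and the later hunk for the same prefix correctly sets `srv_dir = 1`. As written, a `/srv/...` entry reaching this branch marks /opt for the tmpfs treatment and leaves `srv_dir` unset, so the `if (srv_dir)` mountpoint block may not run for it. Change the line to `srv_dir = 1;`. The enclosing loop starts and ends outside the hunk.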
480491 goto errexit;
481492 }
482493 }
494 else if (strncmp(new_name, "/srv/", 5) == 0) {
495 entry->srv_dir = 1;
496 srv_dir = 1;
497 // both path and absolute path are under /srv
498 if (strncmp(fname, "/srv/", 5) != 0) {
499 if (arg_debug)
500 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
501 goto errexit;
502 }
503 }
483504 else {
484505 if (arg_debug)
485506 fprintf(stderr, "Debug %d: \n", __LINE__);
674695 fs_logger("tmpfs /opt");
675696 }
676697
698 // /srv mountpoint
699 if (srv_dir) {
700 // check if /srv directory exists
701 struct stat s;
702 if (stat("/srv", &s) == 0) {
703 // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
704 int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755);
705 if (rv == -1)
706 errExit("mkdir");
707 if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0)
708 errExit("chown");
709 if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0)
710 errExit("chmod");
711
712 if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
713 errExit("mount bind");
714
715 // mount tmpfs on /srv
716 if (arg_debug || arg_debug_whitelists)
717 printf("Mounting tmpfs on /srv directory\n");
718 if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
719 errExit("mounting tmpfs on /srv");
720 fs_logger("tmpfs /srv");
721 }
722 else
723 srv_dir = 0;
724 }
725
726
727
677728 // go through profile rules again, and interpret whitelist commands
678729 entry = cfg.profile;
679730 while (entry) {
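Review bot: Three blank lines are added after the `/srv` mountpoint block where the `/opt` block above it is followed by one; drop two. Less cosmetically, when `stat("/srv", &s)` fails the block resets only the local `srv_dir`, while the `entry->srv_dir` flags set on the profile entries in the earlier hunk remain, so the second pass over the rules that starts on the last lines of this hunk will still take the srv branch for those entries; if that is meant to be caught by the `stat(wfile)` check that follows the srv branch, a comment saying so would help: `// /srv absent on host: entries flagged srv_dir fall through to the stat(wfile) check`. The enclosing function starts and ends outside the hunk.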
765816 fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
766817 }
767818
819 // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
820 if (srv_dir) {
821 if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
822 errExit("mount tmpfs");
823 fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
824 }
825
768826 if (new_name)
769827 free(new_name);
770828
357357 fprintf(stderr, "Error: Cannot read %s\n", fname1);
358358 exit(1);
359359 }
360 exit(0);
360 _exit(0);
361361 }
362362
363363 // wait for the child to finish
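Review bot: The success path of this child now uses `_exit(0)` while the error path two lines above keeps `exit(1)` (context line `358358 exit(1);`, and likewise `390390` and `445445` in the next two hunks), so on failure the child still runs the parent's atexit handlers and flushes inherited stdio buffers — presumably the very thing the change avoids on success. Make the error paths `_exit(1)` as well; the preceding `fprintf(stderr, ...)` is unaffected because stderr is unbuffered. The enclosing function starts outside the hunk.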
390390 exit(1);
391391 }
392392 fclose(fp);
393 exit(0);
393 _exit(0);
394394 }
395395
396396 // wait for the child to finish
444444 fprintf(stderr, "Error: Cannot read %s\n", src_fname);
445445 exit(1);
446446 }
447 exit(0);
447 _exit(0);
448448 }
449449
450450 // wait for the child to finish
493493 }
494494 }
495495
496 exit(0);
496 _exit(0);
497497 }
498498
499499 // wait for the child to finish
25052505 network_main(child);
25062506 if (arg_debug)
25072507 printf("Host network configured\n");
2508 exit(0);
2508 _exit(0);
25092509 }
25102510
25112511 // wait for the child to finish
25782578 g = get_group_id("games");
25792579 if (g) {
25802580 sprintf(ptr, "%d %d 1\n", g, g);
2581 ptr += strlen(ptr);
25822581 }
25832582
25842583 EUID_ROOT();
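Review bot: Dropping `ptr += strlen(ptr);` after the `games` entry presumably silences a value-never-read warning, but it makes the block order-dependent: the next person who appends another group mapping after this one will overwrite the `games` line in the gid_map buffer. Either keep the advance or add `// last entry: ptr is intentionally not advanced` so the hazard is visible. The enclosing function starts and ends outside the hunk.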
144144 // wipe out environment variables
145145 environ = NULL;
146146 execl(iptables_restore, iptables_restore, NULL);
147 // it will never get here!!!
147 perror("execl");
148 _exit(1);
148149 }
149150 // wait for the child to finish
150151 waitpid(child, NULL, 0);
162163 errExit("setregid");
163164 environ = NULL;
164165 execl(iptables, iptables, "-vL", NULL);
165 // it will never get here!!!
166 perror("execl");
167 _exit(1);
166168 }
167169 // wait for the child to finish
168170 waitpid(child, NULL, 0);
255257 // wipe out environment variables
256258 environ = NULL;
257259 execl(ip6tables_restore, ip6tables_restore, NULL);
258 // it will never get here!!!
260 perror("execl");
261 _exit(1);
259262 }
260263 // wait for the child to finish
261264 waitpid(child, NULL, 0);
268271 if (child == 0) {
269272 environ = NULL;
270273 execl(ip6tables, ip6tables, "-vL", NULL);
271 // it will never get here!!!
274 perror("execl");
275 _exit(1);
272276 }
273277 // wait for the child to finish
274278 waitpid(child, NULL, 0);
313313
314314 execvp(server_argv[0], server_argv);
315315 perror("execvp");
316 exit(1);
316 _exit(1);
317317 }
318318
319319 if (arg_debug)
354354
355355 execvp(jail_argv[0], jail_argv);
356356 perror("execvp");
357 exit(1);
357 _exit(1);
358358 }
359359
360360 // cleanup
433433
434434 execvp(server_argv[0], server_argv);
435435 perror("execvp");
436 exit(1);
436 _exit(1);
437437 }
438438
439439 // check X11 socket
479479
480480 execvp(attach_argv[0], attach_argv);
481481 perror("execvp");
482 exit(1);
482 _exit(1);
483483 }
484484
485485 setenv("DISPLAY", display_str, 1);
535535 }
536536 execvp(stop_argv[0], stop_argv);
537537 perror("execvp");
538 exit(1);
538 _exit(1);
539539 }
540540
541541 // wait for xpra server to stop, 10 seconds limit
671671 execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE,
672672 "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
673673
674 exit(0);
674 _exit(0);
675675 }
676676 // wait for the child to finish
677677 waitpid(child, NULL, 0);
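Review bot: Unlike the other exec children in this commit, the xauth child still ends in a bare `_exit(0)` after `execlp("/usr/bin/xauth", ...)`, so a failed exec (the path is hard-coded, so a missing or relocated xauth is plausible) is reported neither on stderr nor through the exit status, and the parent's `waitpid(child, NULL, 0)` appears to continue as if the untrusted MIT-MAGIC-COOKIE-1 cookie had been generated. Mirror the other hunks with `perror("execlp"); _exit(1);`, and have the parent check the status or verify that RUN_XAUTHORITY_SEC_FILE was actually written before it is used. The enclosing function starts outside the hunk.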
145145 return;
146146 net_ifprint();
147147 printf("\n");
148 exit(0);
148 _exit(0);
149149 }
150150
151151 // wait for the child to finish
2727 #include <arpa/inet.h>
2828 #include <time.h>
2929 #include <fcntl.h>
30 #include <sys/uio.h>
31
3032 #define PIDS_BUFLEN 4096
3133 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
3234
1111 Example:
1212
1313 netblue:--net=none --protocol=unix
14
15 Wildcard patterns are accepted in the user name field:
16
17 user*: --private
1418
1519 .SH RESTRICTED SHELL
1620 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
217217 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
218218 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
219219 everything else is discarded when the sandbox is closed. The top directory could be
220 user home, /dev, /media, /mnt, /opt, /var, and /tmp.
220 user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
221221 .br
222222
223223 .br
16211621 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
16221622 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
16231623 everything else is discarded when the sandbox is closed. The top directory could be
1624 user home, /dev, /media, /mnt, /opt, /var, and /tmp.
1624 user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
16251625 .br
16261626
16271627 .br
0 #!/bin/bash
1 # This file is part of Firejail project
2 # Copyright (C) 2014-2016 Firejail Authors
3 # License GPL v2
4
5 export MALLOC_CHECK_=3
6 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
7
8 which firefox
9 if [ "$?" -eq 0 ];
10 then
11 echo "TESTING: firefox x11 xorg"
12 ./firefox.exp
13 else
14 echo "TESTING SKIP: firefox not found"
15 fi
16
17 which transmission-gtk
18 if [ "$?" -eq 0 ];
19 then
20 echo "TESTING: transmission-gtk x11 xorg"
21 ./transmission-gtk.exp
22 else
23 echo "TESTING SKIP: transmission-gtk not found"
24 fi
25
26 which icedove
27 if [ "$?" -eq 0 ];
28 then
29 echo "TESTING: icedove x11 xorg"
30 ./icedove.exp
31 else
32 echo "TESTING SKIP: icedove not found"
33 fi
34
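Review bot: `which firefox` followed by `if [ "$?" -eq 0 ]` prints the resolved path into the test log and relies on `which`, which is not a POSIX utility; each pair can become `if command -v firefox >/dev/null 2>&1; then`. The three blocks differ only in the program name, so a small helper plus a loop keeps them in step when a fourth application is added.

```shell
run_x11_test() {
  if command -v "$1" >/dev/null 2>&1; then
    echo "TESTING: $1 x11 xorg"
    "./$1.exp"
  else
    echo "TESTING SKIP: $1 not found"
  fi
}

for app in firefox transmission-gtk icedove; do
  run_x11_test "$app"
done
```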
0 #!/usr/bin/expect -f
1 # This file is part of Firejail project
2 # Copyright (C) 2014-2016 Firejail Authors
3 # License GPL v2
4
5 set timeout 10
6 spawn $env(SHELL)
7 match_max 100000
8
9 send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
10 sleep 10
11
12 spawn $env(SHELL)
13 send -- "firejail --list\r"
14 expect {
15 timeout {puts "TESTING ERROR 3\n";exit}
16 ":firejail"
17 }
18 expect {
19 timeout {puts "TESTING ERROR 3.1\n";exit}
20 "firefox" {puts "firefox detected\n";}
21 "iceweasel" {puts "iceweasel detected\n";}
22 }
23 expect {
24 timeout {puts "TESTING ERROR 3.2\n";exit}
25 "no-remote"
26 }
27 sleep 1
28 # grsecurity exit
29 send -- "file /proc/sys/kernel/grsecurity\r"
30 expect {
31 timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
32 "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
33 "cannot open" {puts "grsecurity not present\n"}
34 }
35 send -- "firejail --name=blablabla\r"
36 expect {
37 timeout {puts "TESTING ERROR 4\n";exit}
38 "Child process initialized"
39 }
40 sleep 2
41
42 spawn $env(SHELL)
43 send -- "firemon --seccomp\r"
44 expect {
45 timeout {puts "TESTING ERROR 5\n";exit}
46 " firefox" {puts "firefox detected\n";}
47 " iceweasel" {puts "iceweasel detected\n";}
48 }
49 expect {
50 timeout {puts "TESTING ERROR 5.0\n";exit}
51 "no-remote"
52 }
53 expect {
54 timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
55 "Seccomp: 2"
56 }
57 expect {
58 timeout {puts "TESTING ERROR 5.1\n";exit}
59 "name=blablabla"
60 }
61 sleep 1
62 send -- "firemon --caps\r"
63 expect {
64 timeout {puts "TESTING ERROR 6\n";exit}
65 " firefox" {puts "firefox detected\n";}
66 " iceweasel" {puts "iceweasel detected\n";}
67 }
68 expect {
69 timeout {puts "TESTING ERROR 6.0\n";exit}
70 "no-remote"
71 }
72 expect {
73 timeout {puts "TESTING ERROR 6.1\n";exit}
74 "CapBnd:"
75 }
76 expect {
77 timeout {puts "TESTING ERROR 6.2\n";exit}
78 "0000000000000000"
79 }
80 expect {
81 timeout {puts "TESTING ERROR 6.3\n";exit}
82 "name=blablabla"
83 }
84 sleep 1
85 send -- "firejail --shutdown=test\r"
86 sleep 3
87
88 puts "\nall done\n"
89
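Review bot: The script starts the sandbox with `--x11=xorg` but then only checks what a plain `--name=test` run would show (`firejail --list`, `firemon --seccomp`, `firemon --caps`), so a regression in the xorg security extension itself would still pass; add a check that only succeeds under xorg mode, for example a command run inside the sandbox whose output differs when the untrusted cookie is in effect. The timeout label `TESTING ERROR 5.1` is used for both the `Seccomp: 2` and the `name=blablabla` expectations, which makes a failure ambiguous; renumber the second. The hard-coded `www.gentoo.org` argument makes the test depend on network access and a third-party site, where a local page or no URL would do. The same three points apply to icedove.exp and transmission-gtk.exp.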
0 #!/usr/bin/expect -f
1 # This file is part of Firejail project
2 # Copyright (C) 2014-2016 Firejail Authors
3 # License GPL v2
4
5 set timeout 10
6 spawn $env(SHELL)
7 match_max 100000
8
9 send -- "firejail --name=test --x11=xorg icedove\r"
10 sleep 10
11
12 spawn $env(SHELL)
13 send -- "firejail --list\r"
14 expect {
15 timeout {puts "TESTING ERROR 3\n";exit}
16 ":firejail"
17 }
18 expect {
19 timeout {puts "TESTING ERROR 3.1\n";exit}
20 "icedove"
21 }
22 sleep 1
23
24 # grsecurity exit
25 send -- "file /proc/sys/kernel/grsecurity\r"
26 expect {
27 timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
28 "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
29 "cannot open" {puts "grsecurity not present\n"}
30 }
31
32 send -- "firejail --name=blablabla\r"
33 expect {
34 timeout {puts "TESTING ERROR 4\n";exit}
35 "Child process initialized"
36 }
37 sleep 2
38
39 spawn $env(SHELL)
40 send -- "firemon --seccomp\r"
41 expect {
42 timeout {puts "TESTING ERROR 5\n";exit}
43 ":firejail"
44 }
45 expect {
46 timeout {puts "TESTING ERROR 5.0\n";exit}
47 "icedove"
48 }
49 expect {
50 timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
51 "Seccomp: 2"
52 }
53 expect {
54 timeout {puts "TESTING ERROR 5.1\n";exit}
55 "name=blablabla"
56 }
57 sleep 2
58 send -- "firemon --caps\r"
59 expect {
60 timeout {puts "TESTING ERROR 6\n";exit}
61 ":firejail"
62 }
63 expect {
64 timeout {puts "TESTING ERROR 6.0\n";exit}
65 "icedove"
66 }
67 expect {
68 timeout {puts "TESTING ERROR 6.1\n";exit}
69 "CapBnd"
70 }
71 expect {
72 timeout {puts "TESTING ERROR 6.2\n";exit}
73 "0000000000000000"
74 }
75 expect {
76 timeout {puts "TESTING ERROR 6.3\n";exit}
77 "name=blablabla"
78 }
79 sleep 1
80 send -- "firejail --shutdown=test\r"
81 sleep 3
82
83 puts "\nall done\n"
84
0 #!/usr/bin/expect -f
1 # This file is part of Firejail project
2 # Copyright (C) 2014-2016 Firejail Authors
3 # License GPL v2
4
5 set timeout 10
6 spawn $env(SHELL)
7 match_max 100000
8
9 send -- "firejail --name=test --x11=xorg transmission-gtk\r"
10 sleep 10
11
12 spawn $env(SHELL)
13 send -- "firejail --list\r"
14 expect {
15 timeout {puts "TESTING ERROR 3\n";exit}
16 ":firejail"
17 }
18 expect {
19 timeout {puts "TESTING ERROR 3.1\n";exit}
20 "transmission-gtk"
21 }
22 sleep 1
23
24 # grsecurity exit
25 send -- "file /proc/sys/kernel/grsecurity\r"
26 expect {
27 timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
28 "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
29 "cannot open" {puts "grsecurity not present\n"}
30 }
31
32 send -- "firejail --name=blablabla\r"
33 expect {
34 timeout {puts "TESTING ERROR 4\n";exit}
35 "Child process initialized"
36 }
37 sleep 2
38
39 spawn $env(SHELL)
40 send -- "firemon --seccomp\r"
41 expect {
42 timeout {puts "TESTING ERROR 5\n";exit}
43 ":firejail"
44 }
45 expect {
46 timeout {puts "TESTING ERROR 5.0\n";exit}
47 "transmission-gtk"
48 }
49 expect {
50 timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
51 "Seccomp: 2"
52 }
53 expect {
54 timeout {puts "TESTING ERROR 5.1\n";exit}
55 "name=blablabla"
56 }
57 sleep 1
58 send -- "firemon --caps\r"
59 expect {
60 timeout {puts "TESTING ERROR 6\n";exit}
61 ":firejail"
62 }
63 expect {
64 timeout {puts "TESTING ERROR 6.0\n";exit}
65 "transmission-gtk"
66 }
67 expect {
68 timeout {puts "TESTING ERROR 6.1\n";exit}
69 "CapBnd"
70 }
71 expect {
72 timeout {puts "TESTING ERROR 6.2\n";exit}
73 "0000000000000000"
74 }
75 expect {
76 timeout {puts "TESTING ERROR 6.3\n";exit}
77 "name=blablabla"
78 }
79 sleep 1
80 send -- "firejail --shutdown=test\r"
81 sleep 3
82
83 puts "\nall done\n"
84
4545 }
4646 send -- "sudo -s\r"
4747 expect {
48 timeout {puts "TESTING ERROR 8\n";exit}
48 timeout {puts "TESTING ERROR 7\n";exit}
4949 "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
5050 "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
5151 "Bad system call" { puts "OK\n";}
5252 }
5353 send -- "cat /proc/self/uid_map | wc -l\r"
5454 expect {
55 timeout {puts "TESTING ERROR 7\n";exit}
55 timeout {puts "TESTING ERROR 8\n";exit}
5656 "1"
5757 }
5858 send -- "cat /proc/self/gid_map | wc -l\r"
5959 expect {
60 timeout {puts "TESTING ERROR 8\n";exit}
61 "3"
60 timeout {puts "TESTING ERROR 9\n";exit}
61 "5"
6262 }
6363
6464 puts "\n"
6969
7070 send -- "firejail --name=test --noroot --noprofile\r"
7171 expect {
72 timeout {puts "TESTING ERROR 9\n";exit}
72 timeout {puts "TESTING ERROR 10\n";exit}
7373 "Child process initialized"
7474 }
7575 sleep 1
7676
7777 send -- "cat /proc/self/status\r"
7878 expect {
79 timeout {puts "TESTING ERROR 10\n";exit}
79 timeout {puts "TESTING ERROR 11\n";exit}
8080 "CapBnd:"
8181 }
8282 expect {
83 timeout {puts "TESTING ERROR 11\n";exit}
83 timeout {puts "TESTING ERROR 12\n";exit}
8484 "ffffffff"
8585 }
8686 expect {
87 timeout {puts "TESTING ERROR 12\n";exit}
87 timeout {puts "TESTING ERROR 13\n";exit}
8888 "Seccomp:"
8989 }
9090 expect {
91 timeout {puts "TESTING ERROR 13\n";exit}
91 timeout {puts "TESTING ERROR 14\n";exit}
9292 "0"
9393 }
9494 expect {
95 timeout {puts "TESTING ERROR 14\n";exit}
95 timeout {puts "TESTING ERROR 15\n";exit}
9696 "Cpus_allowed:"
9797 }
9898 puts "\n"
9999
100100 send -- "whoami\r"
101101 expect {
102 timeout {puts "TESTING ERROR 15\n";exit}
102 timeout {puts "TESTING ERROR 16\n";exit}
103103 $env(USER)
104104 }
105105 send -- "sudo -s\r"
106106 expect {
107 timeout {puts "TESTING ERROR 16\n";exit}
107 timeout {puts "TESTING ERROR 17\n";exit}
108108 "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
109109 "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
110110 }
111111 send -- "ping 0\r"
112112 expect {
113 timeout {puts "TESTING ERROR 17\n";exit}
113 timeout {puts "TESTING ERROR 18\n";exit}
114114 "Operation not permitted"
115115 }
116116 send -- "cat /proc/self/uid_map | wc -l\r"
117117 expect {
118 timeout {puts "TESTING ERROR 18\n";exit}
118 timeout {puts "TESTING ERROR 19\n";exit}
119119 "1"
120120 }
121121 send -- "cat /proc/self/gid_map | wc -l\r"
122122 expect {
123 timeout {puts "TESTING ERROR 19\n";exit}
124 "3"
123 timeout {puts "TESTING ERROR 20\n";exit}
124 "5"
125125 }
126126
127127
129129 spawn $env(SHELL)
130130 send -- "firejail --debug --join=test\r"
131131 expect {
132 timeout {puts "TESTING ERROR 20\n";exit}
132 timeout {puts "TESTING ERROR 21\n";exit}
133133 "User namespace detected"
134134 }
135135 expect {
136 timeout {puts "TESTING ERROR 21\n";exit}
136 timeout {puts "TESTING ERROR 22\n";exit}
137137 "Joining user namespace"
138138 }
139139 sleep 1
140140
141141 send -- "sudo -s\r"
142142 expect {
143 timeout {puts "TESTING ERROR 22\n";exit}
143 timeout {puts "TESTING ERROR 23\n";exit}
144144 "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
145145 "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
146146 "Permission denied" { puts "OK\n";}
147147 }
148148 send -- "cat /proc/self/uid_map | wc -l\r"
149149 expect {
150 timeout {puts "TESTING ERROR 23\n";exit}
150 timeout {puts "TESTING ERROR 24\n";exit}
151151 "1"
152152 }
153153 send -- "cat /proc/self/gid_map | wc -l\r"
154154 expect {
155 timeout {puts "TESTING ERROR 24\n";exit}
156 "3"
155 timeout {puts "TESTING ERROR 25\n";exit}
156 "5"
157157 }
158158 after 100
159159 puts "\nall done\n"
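Review bot: The expected gid_map line count changes from "3" to "5" in three places without saying where the number comes from; it tracks the group mappings firejail writes into gid_map (the `sprintf(ptr, "%d %d 1\n", g, g)` entry for `games` in the C hunk is one of them), so a comment such as `# one line per group mapped in gid_map; keep in sync with the gid_map writer` would tie the constant to its source. Also the bare `"5"` (and `"1"` for uid_map) matches any output containing that digit; anchoring the pattern to a whole line with `-re` would make the assertion meaningful.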
44
55 export MALLOC_CHECK_=3
66 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
7
8 echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
9 ./sys_fs.exp
710
811 echo "TESTING: kmsg access (test/fs/kmsg.exp)"
912 ./kmsg.exp
0 #!/usr/bin/expect -f
1 # This file is part of Firejail project
2 # Copyright (C) 2014-2016 Firejail Authors
3 # License GPL v2
4
5 set timeout 10
6 spawn $env(SHELL)
7 match_max 100000
8
9 send -- "firejail\r"
10 expect {
11 timeout {puts "TESTING ERROR 1\n";exit}
12 "Child process initialized"
13 }
14 sleep 1
15
16 send -- "ls /sys/fs\r"
17 expect {
18 timeout {puts "TESTING ERROR 2\n";exit}
19 "Permission denied"
20 }
21 after 100
22
23 send -- "exit\r"
24 sleep 1
25
26 send -- "firejail --noblacklist=/sys/fs\r"
27 expect {
28 timeout {puts "TESTING ERROR 1\n";exit}
29 "Child process initialized"
30 }
31 sleep 1
32
33 send -- "ls /sys/fs\r"
34 expect {
35 timeout {puts "TESTING ERROR 2\n";exit}
36 "cgroup"
37 }
38 after 100
39 send -- "exit\r"
40 after 100
41
42 puts "\nall done\n"
43
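Review bot: The timeout labels `TESTING ERROR 1` and `TESTING ERROR 2` are each used twice, once for the default run and once for the `--noblacklist=/sys/fs` run, so a timeout does not tell which run failed; renumber the second pair to 3 and 4. The positive check `"cgroup"` assumes a cgroup mount under /sys/fs on the host, which looks like a reasonable but unstated precondition — a comment `# assumes /sys/fs/cgroup exists on the host` would make it explicit.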