Update upstream source from tag 'upstream/0.9.72'
Update to upstream version '0.9.72'
with Debian dir eb72d0ca38db05f00ea2d4ad235c0c35e8ad79b7
Reiner Herrmann
1 year, 3 months ago
| 241 | 241 | asc: config.mk |
| 242 | 242 | ./mkasc.sh $(VERSION) |
| 243 | 243 | |
| 244 | deb: dist config.sh | |
| 245 | ./mkdeb.sh | |
| 246 | ||
| 244 | 247 | deb-apparmor: dist config.sh |
| 245 | 248 | ./mkdeb.sh -apparmor --enable-apparmor |
| 246 | 249 | |
| 264 | 267 | # make test |
| 265 | 268 | # |
| 266 | 269 | |
| 267 | TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter | |
| 270 | TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter | |
| 268 | 271 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) |
| 269 | 272 | |
| 270 | 273 | $(TEST_TARGETS): |
| 271 | 274 | $(MAKE) -C test $(subst test-,,$@) |
| 272 | 275 | |
| 273 | test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | |
| 276 | test: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | |
| 274 | 277 | echo "TEST COMPLETE" |
| 275 | 278 | |
| 276 | test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | |
| 279 | test-noprofiles: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | |
| 277 | 280 | echo "TEST COMPLETE" |
| 278 | 281 | |
| 279 | 282 | test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment |
| 284 | 287 | # The tests are very intrusive, by the time you are done |
| 285 | 288 | # with them you will need to restart your computer. |
| 286 | 289 | ########################################## |
| 290 | # private-lib is disabled by default in /etc/firejail/firejail.config | |
| 291 | test-private-lib: | |
| 292 | $(MAKE) -C test $(subst test-,,$@) | |
| 287 | 293 | |
| 288 | 294 | # a firejail-test account is required, public/private key setup |
| 289 | 295 | test-ssh: |
| 207 | 207 | - email clients whitelisting and fixes |
| 208 | 208 | Benjamin Kampmann (https://github.com/ligthyear) |
| 209 | 209 | - Forward exit code from child process |
| 210 | BeautyYuYanli (https://github.com/BeautyYuYanli) | |
| 211 | - add linuxqq and qq profiles | |
| 210 | 212 | bitfreak25 (https://github.com/bitfreak25) |
| 211 | 213 | - added PlayOnLinux profile |
| 212 | 214 | - minetest profile fix |
| 213 | 215 | - added sylpheed profile |
| 214 | ||
| 215 | 216 | bn0785ac (https://github.com/bn0785ac) |
| 216 | 217 | - fixed bnox, dnox profiles |
| 217 | 218 | - support all tor-browser langpacks |
| 236 | 237 | - update virtualbox.profile |
| 237 | 238 | - Quodlibet profile |
| 238 | 239 | - update apparmor firejail-local for Brave + ipfs |
| 240 | bymoz089 (https://github.com/bymoz089) | |
| 241 | - add timezone access to make libical functional | |
| 239 | 242 | BytesTuner (https://github.com/BytesTuner) |
| 240 | 243 | - provided keepassxc profile |
| 241 | 244 | caoliver (https://github.com/caoliver) |
| 282 | 285 | - fix dino profile |
| 283 | 286 | - fix wireshark profile |
| 284 | 287 | - prevent emptty /usr/share in google-chrome profiles |
| 288 | cubercsl (https://github.com/cubercsl) | |
| 289 | - add linuxqq and qq profiles | |
| 285 | 290 | curiosity-seeker (https://github.com/curiosity-seeker - old) |
| 286 | 291 | curiosityseeker (https://github.com/curiosityseeker - new) |
| 287 | 292 | - tightening unbound and dnscrypt-proxy profiles |
| 348 | 353 | - handle malloc() failures; use gnu_basename() instead of basenaem() |
| 349 | 354 | Dmitriy Chestnykh (https://github.com/chestnykh) |
| 350 | 355 | - add ability to disable user profiles at compile time |
| 356 | Dpeta (https://github.com/Dpeta) | |
| 357 | - add Chatterino profile | |
| 351 | 358 | dshmgh (https://github.com/dshmgh) |
| 352 | 359 | - overlayfs fix for systems with /home mounted on a separate partition |
| 353 | 360 | Duncan Overbruck (https://github.com/Duncaen) |
| 647 | 654 | - added symlink fixer fix_private-bin.py in contrib section |
| 648 | 655 | - update fix_private-bin.py |
| 649 | 656 | - fix meld |
| 657 | - temporary fix to the bug caused by apparmor profiles stacking | |
| 650 | 658 | kortewegdevries (https://github.com/kortewegdevries) |
| 651 | 659 | - a whole bunch of new profiles and fixes |
| 652 | 660 | - whitelisting evolution, kmail |
| 971 | 979 | - allow resolution of .local names with avahi-daemon in the apparmor profile |
| 972 | 980 | - allow access to avahi-daemon in apparmor/firejail-default |
| 973 | 981 | - make appimage examples consistent with --appimage option short description |
| 982 | - blacklist google-drive-ocamlfuse config | |
| 974 | 983 | smitsohu (https://github.com/smitsohu) |
| 975 | 984 | - read-only kde4 services directory |
| 976 | 985 | - enhanced mediathekview profile |
| 0 | firejail (0.9.72rc1) baseline; urgency=low | |
| 1 | * work in progress | |
| 0 | firejail (0.9.72) baseline; urgency=low | |
| 2 | 1 | * feature: On failing to remount a fuse filesystem, give warning instead of |
| 3 | 2 | erroring out (#5240 #5242) |
| 4 | 3 | * feature: Update syscall tables and seccomp groups (#5188) |
| 5 | 4 | * feature: improve force-nonewprivs security guarantees (#5217 #5271) |
| 6 | * feature: restrict namespaces (--restrict-namespaces) implemented as | |
| 7 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) | |
| 8 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 | |
| 9 | #5317) | |
| 10 | * feature: added support for ICMP in nettrace | |
| 11 | * feature: --dnstrace, --icmptrace, and --snitrace | |
| 5 | * feature: add support for restricting the creation of Linux namespaces | |
| 6 | (--restrict-namespaces, --restrict-namespaces=), implemented as a seccomp | |
| 7 | filter for both 64 and 32 bit architectures (#4939 #5259) | |
| 8 | * feature: add support for custom AppArmor profiles (--apparmor=) (#5274 | |
| 9 | #5316 #5317 #5475) | |
| 10 | * feature: add support for ICMP in nettrace | |
| 11 | * feature: add --dnstrace, --icmptrace, and --snitrace commands | |
| 12 | * feature: Add basic gtksourceview language-spec (file type detection/syntax | |
| 13 | highlighting for profiles) (#5502) | |
| 14 | * feature: add restrict-namespaces to (almost) all applicable profiles (#5440 | |
| 15 | #5537) | |
| 16 | * feature: add support for netlock in profile files | |
| 12 | 17 | * modif: removed --cgroup= command (#5190 #5200) |
| 13 | 18 | * modif: set --shell=none as the default (#5190) |
| 14 | 19 | * modif: removed --shell= command (#5190 #5196 #5209) |
| 19 | 24 | * modif: disabled tracelog by default in /etc/firejail/firejail.config |
| 20 | 25 | (#5190) |
| 21 | 26 | * modif: removed grsecurity support |
| 27 | * modif: stop hiding blacklisted files in /etc by default and add a new | |
| 28 | etc-hide-blacklisted option to firejail.config that enables the previous | |
| 29 | behavior (disabled by default) (#5010 #5230 #5591 #5595) | |
| 22 | 30 | * bugfix: Flood of seccomp audit log entries (#5207) |
| 31 | * bugfix: --netlock does not work (Error: no valid sandbox) (#5312) | |
| 23 | 32 | * build: deduplicate configure-time vars into new config files (#5140 #5284) |
| 24 | 33 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
| 25 | 34 | * build: reduce autoconf input files from 32 to 2 (#5219) |
| 32 | 41 | * build: Fix musl warnings (#5421 #5431) |
| 33 | 42 | * build: sort.py improvements (#5429) |
| 34 | 43 | * build: deduplicate makefiles (#5478) |
| 44 | * build: fix formatting and misc in configure (#5488) | |
| 45 | * build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504) | |
| 46 | * build: make shell commands more portable in firejail.vim (#5577) | |
| 35 | 47 | * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) |
| 36 | 48 | * ci: ignore git-related paths and the project license (#5249) |
| 37 | 49 | * ci: Harden GitHub Actions (StepSecurity) (#5439) |
| 47 | 59 | (#5366) |
| 48 | 60 | * docs: Add gist note to bug_report.md (#5398) |
| 49 | 61 | * docs: clarify that --appimage should appear before --profile (#5402 #5451) |
| 50 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | |
| 62 | * docs: add more Firefox examples to the firejail-local AppArmor profile | |
| 63 | (#5493) | |
| 64 | * docs: Fix broken Restrict-DBus wiki link on profile.template (#5554) | |
| 65 | * docs: Remove invalid --profile-path from --help (#5585 #5586) | |
| 66 | * several new profiles | |
| 67 | -- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500 | |
| 51 | 68 | |
| 52 | 69 | firejail (0.9.70) baseline; urgency=low |
| 53 | 70 | * security: CVE-2022-31214 - root escalation in --join logic |
| 0 | 0 | #! /bin/sh |
| 1 | 1 | # Guess values for system-dependent variables and create Makefiles. |
| 2 | # Generated by GNU Autoconf 2.69 for firejail 0.9.72rc1. | |
| 2 | # Generated by GNU Autoconf 2.69 for firejail 0.9.72. | |
| 3 | 3 | # |
| 4 | 4 | # Report bugs to <netblue30@protonmail.com>. |
| 5 | 5 | # |
| 579 | 579 | # Identity of this package. |
| 580 | 580 | PACKAGE_NAME='firejail' |
| 581 | 581 | PACKAGE_TARNAME='firejail' |
| 582 | PACKAGE_VERSION='0.9.72rc1' | |
| 583 | PACKAGE_STRING='firejail 0.9.72rc1' | |
| 582 | PACKAGE_VERSION='0.9.72' | |
| 583 | PACKAGE_STRING='firejail 0.9.72' | |
| 584 | 584 | PACKAGE_BUGREPORT='netblue30@protonmail.com' |
| 585 | 585 | PACKAGE_URL='https://firejail.wordpress.com' |
| 586 | 586 | |
| 1297 | 1297 | # Omit some internal or obsolete options to make the list less imposing. |
| 1298 | 1298 | # This message is too long to be a string in the A/UX 3.1 sh. |
| 1299 | 1299 | cat <<_ACEOF |
| 1300 | \`configure' configures firejail 0.9.72rc1 to adapt to many kinds of systems. | |
| 1300 | \`configure' configures firejail 0.9.72 to adapt to many kinds of systems. | |
| 1301 | 1301 | |
| 1302 | 1302 | Usage: $0 [OPTION]... [VAR=VALUE]... |
| 1303 | 1303 | |
| 1359 | 1359 | |
| 1360 | 1360 | if test -n "$ac_init_help"; then |
| 1361 | 1361 | case $ac_init_help in |
| 1362 | short | recursive ) echo "Configuration of firejail 0.9.72rc1:";; | |
| 1362 | short | recursive ) echo "Configuration of firejail 0.9.72:";; | |
| 1363 | 1363 | esac |
| 1364 | 1364 | cat <<\_ACEOF |
| 1365 | 1365 | |
| 1483 | 1483 | test -n "$ac_init_help" && exit $ac_status |
| 1484 | 1484 | if $ac_init_version; then |
| 1485 | 1485 | cat <<\_ACEOF |
| 1486 | firejail configure 0.9.72rc1 | |
| 1486 | firejail configure 0.9.72 | |
| 1487 | 1487 | generated by GNU Autoconf 2.69 |
| 1488 | 1488 | |
| 1489 | 1489 | Copyright (C) 2012 Free Software Foundation, Inc. |
| 1739 | 1739 | This file contains any messages produced by compilers while |
| 1740 | 1740 | running configure, to aid debugging if configure makes a mistake. |
| 1741 | 1741 | |
| 1742 | It was created by firejail $as_me 0.9.72rc1, which was | |
| 1742 | It was created by firejail $as_me 0.9.72, which was | |
| 1743 | 1743 | generated by GNU Autoconf 2.69. Invocation command line was |
| 1744 | 1744 | |
| 1745 | 1745 | $ $0 $@ |
| 4639 | 4639 | # report actual input values of CONFIG_FILES etc. instead of their |
| 4640 | 4640 | # values after options handling. |
| 4641 | 4641 | ac_log=" |
| 4642 | This file was extended by firejail $as_me 0.9.72rc1, which was | |
| 4642 | This file was extended by firejail $as_me 0.9.72, which was | |
| 4643 | 4643 | generated by GNU Autoconf 2.69. Invocation command line was |
| 4644 | 4644 | |
| 4645 | 4645 | CONFIG_FILES = $CONFIG_FILES |
| 4693 | 4693 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
| 4694 | 4694 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
| 4695 | 4695 | ac_cs_version="\\ |
| 4696 | firejail config.status 0.9.72rc1 | |
| 4696 | firejail config.status 0.9.72 | |
| 4697 | 4697 | configured by $0, generated by GNU Autoconf 2.69, |
| 4698 | 4698 | with options \\"\$ac_cs_config\\" |
| 4699 | 4699 | |
| 11 | 11 | # |
| 12 | 12 | |
| 13 | 13 | AC_PREREQ([2.68]) |
| 14 | AC_INIT([firejail], [0.9.72rc1], [netblue30@protonmail.com], [], | |
| 14 | AC_INIT([firejail], [0.9.72], [netblue30@protonmail.com], [], | |
| 15 | 15 | [https://firejail.wordpress.com]) |
| 16 | 16 | |
| 17 | 17 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
| 23 | 23 | syn match fjProtocolList /,/ nextgroup=fjProtocol contained |
| 24 | 24 | |
| 25 | 25 | " Syscalls grabbed from: src/include/syscall*.h |
| 26 | " Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' ' | |
| 26 | " Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' ' | |
| 27 | 27 | syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained |
| 28 | 28 | " Syscall groups grabbed from: src/fseccomp/syscall.c |
| 29 | " Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|' | |
| 29 | " Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|' | |
| 30 | 30 | syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained |
| 31 | 31 | syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained |
| 32 | 32 | " Errnos grabbed from: src/fseccomp/errno.c |
| 33 | " Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|' | |
| 33 | " Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|' | |
| 34 | 34 | syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained |
| 35 | 35 | syn match fjSyscallList /,/ nextgroup=fjSyscall contained |
| 36 | 36 | |
| 46 | 46 | syn keyword fjFilter filter contained |
| 47 | 47 | |
| 48 | 48 | " Variable names grabbed from: src/firejail/macros.c |
| 49 | " Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|' | |
| 49 | " Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|' | |
| 50 | 50 | syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/ |
| 51 | 51 | |
| 52 | 52 | " Commands grabbed from: src/firejail/profile.c |
| 53 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | |
| 53 | " Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | |
| 54 | 54 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
| 55 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | |
| 55 | " Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below | |
| 56 | 56 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
| 57 | 57 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
| 58 | 58 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained |
| 74 | 74 | syn match fjCommandNoCond /quiet$/ contained |
| 75 | 75 | |
| 76 | 76 | " Conditionals grabbed from: src/firejail/profile.c |
| 77 | " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' | |
| 77 | " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|' | |
| 78 | 78 | syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained |
| 79 | 79 | |
| 80 | 80 | " A line is either a command, a conditional or a comment |
| 76 | 76 | |
| 77 | 77 | # Enable or disable overlayfs features, default enabled. |
| 78 | 78 | # overlayfs yes |
| 79 | ||
| 80 | # Hide blacklisted files in /etc directory (enabling this may break | |
| 81 | # /etc/resolv.conf; see #5010), default disabled. | |
| 82 | # etc-hide-blacklisted no | |
| 79 | 83 | |
| 80 | 84 | # Set the limit for file copy in several --private-* options. The size is set |
| 81 | 85 | # in megabytes. By default we allow up to 500MB. |
| 557 | 557 | # disable terminals running as server resulting in sandbox escape |
| 558 | 558 | blacklist ${PATH}/gnome-terminal |
| 559 | 559 | blacklist ${PATH}/gnome-terminal.wrapper |
| 560 | blacklist ${PATH}/kgx | |
| 560 | 561 | # blacklist ${PATH}/konsole |
| 561 | 562 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 |
| 562 | 563 | blacklist ${PATH}/lilyterm |
| 618 | 619 | blacklist ${HOME}/postponed |
| 619 | 620 | blacklist ${HOME}/sent |
| 620 | 621 | |
| 621 | # kernel configuration | |
| 622 | # kernel configuration - keep this here although it's also in disable-proc.inc | |
| 622 | 623 | blacklist /proc/config.gz |
| 623 | 624 | |
| 624 | 625 | # prevent DNS malware attempting to communicate with the server using regular DNS tools |
| 7 | 7 | blacklist /proc/buddyinfo |
| 8 | 8 | blacklist /proc/cgroups |
| 9 | 9 | blacklist /proc/cmdline |
| 10 | blacklist /proc/config.gz | |
| 10 | blacklist /proc/config.gz # keep this here even though it's also in disable-common.inc | |
| 11 | 11 | blacklist /proc/consoles |
| 12 | 12 | #blacklist /proc/cpuinfo |
| 13 | 13 | blacklist /proc/crypto |
| 84 | 84 | blacklist ${HOME}/.cache/akonadi* |
| 85 | 85 | blacklist ${HOME}/.cache/atril |
| 86 | 86 | blacklist ${HOME}/.cache/attic |
| 87 | blacklist ${HOME}/.cache/audacity | |
| 87 | 88 | blacklist ${HOME}/.cache/babl |
| 88 | 89 | blacklist ${HOME}/.cache/bnox |
| 89 | 90 | blacklist ${HOME}/.cache/borg |
| 114 | 115 | blacklist ${HOME}/.cache/fractal |
| 115 | 116 | blacklist ${HOME}/.cache/freecol |
| 116 | 117 | blacklist ${HOME}/.cache/gajim |
| 118 | blacklist ${HOME}/.cache/gdfuse | |
| 117 | 119 | blacklist ${HOME}/.cache/geary |
| 118 | 120 | blacklist ${HOME}/.cache/geeqie |
| 119 | 121 | blacklist ${HOME}/.cache/gegl-0.4 |
| 317 | 319 | blacklist ${HOME}/.config/Pinta |
| 318 | 320 | blacklist ${HOME}/.config/QGIS |
| 319 | 321 | blacklist ${HOME}/.config/QMediathekView |
| 322 | blacklist ${HOME}/.config/QQ | |
| 320 | 323 | blacklist ${HOME}/.config/Qlipper |
| 321 | 324 | blacklist ${HOME}/.config/QuiteRss |
| 322 | 325 | blacklist ${HOME}/.config/QuiteRssrc |
| 358 | 361 | blacklist ${HOME}/.config/asunder |
| 359 | 362 | blacklist ${HOME}/.config/atril |
| 360 | 363 | blacklist ${HOME}/.config/audacious |
| 364 | blacklist ${HOME}/.config/audacity | |
| 361 | 365 | blacklist ${HOME}/.config/autokey |
| 362 | 366 | blacklist ${HOME}/.config/avidemux3_qt5rc |
| 363 | 367 | blacklist ${HOME}/.config/aweather |
| 433 | 437 | blacklist ${HOME}/.config/galculator |
| 434 | 438 | blacklist ${HOME}/.config/gallery-dl |
| 435 | 439 | blacklist ${HOME}/.config/gconf |
| 440 | blacklist ${HOME}/.config/gdfuse | |
| 436 | 441 | blacklist ${HOME}/.config/geany |
| 437 | 442 | blacklist ${HOME}/.config/geary |
| 438 | 443 | blacklist ${HOME}/.config/gedit |
| 705 | 710 | blacklist ${HOME}/.funnyboat |
| 706 | 711 | blacklist ${HOME}/.g8 |
| 707 | 712 | blacklist ${HOME}/.gallery-dl.conf |
| 713 | blacklist ${HOME}/.gdfuse | |
| 708 | 714 | blacklist ${HOME}/.geekbench5 |
| 709 | 715 | blacklist ${HOME}/.gimp* |
| 710 | 716 | blacklist ${HOME}/.gist |
| 860 | 866 | blacklist ${HOME}/.local/share/akregator |
| 861 | 867 | blacklist ${HOME}/.local/share/apps/korganizer |
| 862 | 868 | blacklist ${HOME}/.local/share/aspyr-media |
| 869 | blacklist ${HOME}/.local/share/audacity | |
| 863 | 870 | blacklist ${HOME}/.local/share/authenticator-rs |
| 864 | 871 | blacklist ${HOME}/.local/share/autokey |
| 865 | 872 | blacklist ${HOME}/.local/share/backintime |
| 872 | 879 | blacklist ${HOME}/.local/share/calligragemini |
| 873 | 880 | blacklist ${HOME}/.local/share/cantata |
| 874 | 881 | blacklist ${HOME}/.local/share/cdprojektred |
| 882 | blacklist ${HOME}/.local/share/chatterino | |
| 875 | 883 | blacklist ${HOME}/.local/share/clipit |
| 876 | 884 | blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate |
| 877 | 885 | blacklist ${HOME}/.local/share/contacts |
| 893 | 901 | blacklist ${HOME}/.local/share/five-or-more |
| 894 | 902 | blacklist ${HOME}/.local/share/freecol |
| 895 | 903 | blacklist ${HOME}/.local/share/gajim |
| 904 | blacklist ${HOME}/.local/share/gdfuse | |
| 896 | 905 | blacklist ${HOME}/.local/share/geary |
| 897 | 906 | blacklist ${HOME}/.local/share/geeqie |
| 898 | 907 | blacklist ${HOME}/.local/share/ghostwriter |
| 1014 | 1023 | blacklist ${HOME}/.local/share/xplayer |
| 1015 | 1024 | blacklist ${HOME}/.local/share/xreader |
| 1016 | 1025 | blacklist ${HOME}/.local/share/zathura |
| 1026 | blacklist ${HOME}/.local/state/audacity | |
| 1017 | 1027 | blacklist ${HOME}/.local/state/pipewire |
| 1018 | 1028 | blacklist ${HOME}/.lv2 |
| 1019 | 1029 | blacklist ${HOME}/.lyx |
| 1176 | 1186 | blacklist ${RUNUSER}/*firefox* |
| 1177 | 1187 | blacklist ${RUNUSER}/akonadi |
| 1178 | 1188 | blacklist ${RUNUSER}/psd/*firefox* |
| 1189 | blacklist /etc/ssmtp | |
| 1179 | 1190 | blacklist /tmp/.wine-* |
| 1180 | 1191 | blacklist /tmp/akonadi-* |
| 1181 | 1192 | blacklist /var/games/nethack |
| 2 | 2 | include whitelist-run-common.local |
| 3 | 3 | |
| 4 | 4 | whitelist /run/NetworkManager/resolv.conf |
| 5 | whitelist /run/avahi-daemon/socket | |
| 5 | 6 | whitelist /run/cups/cups.sock |
| 6 | 7 | whitelist /run/dbus/system_bus_socket |
| 7 | 8 | whitelist /run/media |
| 54 | 54 | private-dev |
| 55 | 55 | # private-tmp - breaks programs that depend on akonadi |
| 56 | 56 | |
| 57 | # restrict-namespaces |
| 61 | 61 | read-write ${HOME}/.gnome/apps |
| 62 | 62 | read-write ${HOME}/.local/share/applications |
| 63 | 63 | read-write ${HOME}/.local/share/flatpak/exports |
| 64 | restrict-namespaces |
| 43 | 43 | #dbus-user.own org.kde.klauncher |
| 44 | 44 | #dbus-user.talk org.kde.knotify |
| 45 | 45 | dbus-system none |
| 46 | ||
| 47 | # restrict-namespaces |
| 68 | 68 | dbus-user.own org.gnome.gitlab.somas.Apostrophe |
| 69 | 69 | dbus-user.talk ca.desrt.dconf |
| 70 | 70 | dbus-system none |
| 71 | ||
| 72 | restrict-namespaces |
| 44 | 44 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
| 45 | 45 | private-tmp |
| 46 | 46 | |
| 47 | restrict-namespaces |
| 50 | 50 | |
| 51 | 51 | memory-deny-write-execute |
| 52 | 52 | read-write ${HOME}/.local/share/mime |
| 53 | restrict-namespaces |
| 44 | 44 | |
| 45 | 45 | # mdwe is disabled due to breaking hardware accelerated decoding |
| 46 | 46 | # memory-deny-write-execute |
| 47 | restrict-namespaces |
| 48 | 48 | |
| 49 | 49 | # webkit gtk killed by memory-deny-write-execute |
| 50 | 50 | #memory-deny-write-execute |
| 51 | restrict-namespaces |
| 41 | 41 | # dbus needed for MPRIS |
| 42 | 42 | # dbus-user none |
| 43 | 43 | # dbus-system none |
| 44 | ||
| 45 | restrict-namespaces |
| 5 | 5 | # Persistent global definitions |
| 6 | 6 | include globals.local |
| 7 | 7 | |
| 8 | # Add the below lines to your audacity.local if you need online plugins. | |
| 9 | #ignore net none | |
| 10 | #netfilter | |
| 11 | #protocol inet6 | |
| 12 | ||
| 8 | 13 | noblacklist ${HOME}/.audacity-data |
| 14 | noblacklist ${HOME}/.cache/audacity | |
| 15 | noblacklist ${HOME}/.config/audacity | |
| 16 | noblacklist ${HOME}/.local/share/audacity | |
| 17 | noblacklist ${HOME}/.local/state/audacity | |
| 9 | 18 | noblacklist ${DOCUMENTS} |
| 10 | 19 | noblacklist ${MUSIC} |
| 11 | 20 | |
| 19 | 28 | |
| 20 | 29 | include whitelist-var-common.inc |
| 21 | 30 | |
| 31 | # Silence blacklist violation. See #5539. | |
| 32 | allow-debuggers | |
| 22 | 33 | ## Enabling App Armor appears to break some Fedora / Arch installs |
| 23 | 34 | #apparmor |
| 24 | 35 | caps.drop all |
| 43 | 54 | # problems on Fedora 27 |
| 44 | 55 | # dbus-user none |
| 45 | 56 | # dbus-system none |
| 57 | ||
| 58 | restrict-namespaces | |
| 51 | 51 | dbus-user filter |
| 52 | 52 | dbus-user.talk ca.desrt.dconf |
| 53 | 53 | dbus-system none |
| 54 | ||
| 55 | restrict-namespaces |
| 45 | 45 | # dbus-system none |
| 46 | 46 | |
| 47 | 47 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 48 | restrict-namespaces |
| 38 | 38 | private-tmp |
| 39 | 39 | |
| 40 | 40 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 41 | restrict-namespaces |
| 13 | 13 | netfilter |
| 14 | 14 | noroot |
| 15 | 15 | protocol unix,inet,inet6 |
| 16 | seccomp | |
| 16 | seccomp !chroot | |
| 17 | 17 | |
| 18 | 18 | read-only ${HOME}/.config/awesome/autorun.sh |
| 19 | #restrict-namespaces |
| 6 | 6 | include globals.local |
| 7 | 7 | |
| 8 | 8 | noblacklist ${HOME}/.balsa |
| 9 | noblacklist ${HOME}/.gnupg | |
| 10 | noblacklist ${HOME}/.mozilla | |
| 11 | noblacklist ${HOME}/.signature | |
| 12 | 9 | noblacklist ${HOME}/mail |
| 13 | noblacklist /var/mail | |
| 14 | noblacklist /var/spool/mail | |
| 15 | 10 | |
| 16 | include disable-common.inc | |
| 17 | include disable-devel.inc | |
| 18 | include disable-exec.inc | |
| 19 | include disable-interpreters.inc | |
| 20 | include disable-programs.inc | |
| 21 | 11 | include disable-shell.inc |
| 22 | include disable-xdg.inc | |
| 23 | 12 | |
| 24 | 13 | mkdir ${HOME}/.balsa |
| 25 | mkdir ${HOME}/.gnupg | |
| 26 | mkfile ${HOME}/.signature | |
| 27 | 14 | mkdir ${HOME}/mail |
| 28 | 15 | whitelist ${HOME}/.balsa |
| 29 | whitelist ${HOME}/.gnupg | |
| 30 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | |
| 31 | whitelist ${HOME}/.signature | |
| 32 | 16 | whitelist ${HOME}/mail |
| 33 | whitelist ${RUNUSER}/gnupg | |
| 34 | 17 | whitelist /usr/share/balsa |
| 35 | whitelist /usr/share/gnupg | |
| 36 | whitelist /usr/share/gnupg2 | |
| 37 | whitelist /var/mail | |
| 38 | whitelist /var/spool/mail | |
| 39 | include whitelist-common.inc | |
| 40 | include whitelist-runuser-common.inc | |
| 41 | include whitelist-usr-share-common.inc | |
| 42 | include whitelist-var-common.inc | |
| 43 | 18 | |
| 44 | apparmor | |
| 45 | caps.drop all | |
| 46 | netfilter | |
| 47 | no3d | |
| 48 | nodvd | |
| 49 | nogroups | |
| 50 | noinput | |
| 51 | nonewprivs | |
| 52 | noroot | |
| 53 | nosound | |
| 54 | notv | |
| 55 | nou2f | |
| 56 | novideo | |
| 57 | protocol unix,inet,inet6 | |
| 58 | seccomp | |
| 59 | tracelog | |
| 19 | # Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg. | |
| 20 | #private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm | |
| 60 | 21 | |
| 61 | # disable-mnt | |
| 62 | # Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | |
| 63 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | |
| 64 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm | |
| 65 | private-cache | |
| 66 | private-dev | |
| 67 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | |
| 68 | private-tmp | |
| 69 | writable-run-user | |
| 70 | writable-var | |
| 22 | dbus-user.own org.desktop.Balsa | |
| 71 | 23 | |
| 72 | dbus-user filter | |
| 73 | dbus-user.own org.desktop.Balsa | |
| 74 | dbus-user.talk ca.desrt.dconf | |
| 75 | dbus-user.talk org.freedesktop.Notifications | |
| 76 | dbus-user.talk org.freedesktop.secrets | |
| 77 | dbus-user.talk org.gnome.keyring.SystemPrompter | |
| 78 | dbus-system none | |
| 79 | ||
| 80 | read-only ${HOME}/.mozilla/firefox/profiles.ini | |
| 24 | # Redirect | |
| 25 | include email-common.profile |
| 21 | 21 | #private-etc basilisk |
| 22 | 22 | #private-opt basilisk |
| 23 | 23 | |
| 24 | restrict-namespaces | |
| 25 | ignore restrict-namespaces | |
| 26 | ||
| 24 | 27 | # Redirect |
| 25 | 28 | include firefox-common.profile |
| 13 | 13 | netfilter |
| 14 | 14 | noroot |
| 15 | 15 | protocol unix,inet,inet6 |
| 16 | seccomp | |
| 16 | seccomp !chroot | |
| 17 | 17 | |
| 18 | #restrict-namespaces |
| 39 | 39 | |
| 40 | 40 | # memory-deny-write-execute breaks some systems, see issue #1850 |
| 41 | 41 | # memory-deny-write-execute |
| 42 | restrict-namespaces |
| 51 | 51 | # dbus-system none |
| 52 | 52 | |
| 53 | 53 | # memory-deny-write-execute - breaks on Arch |
| 54 | restrict-namespaces |
| 36 | 36 | # private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg |
| 37 | 37 | private-bin cantata,mpd,perl |
| 38 | 38 | private-dev |
| 39 | ||
| 40 | restrict-namespaces |
| 0 | # Firejail profile for Chatterino | |
| 1 | # Description: Chat client for https://twitch.tv | |
| 2 | # This file is overwritten after every install/update | |
| 3 | # Persistent local customizations | |
| 4 | include chatterino.local | |
| 5 | # Persistent global definitions | |
| 6 | include globals.local | |
| 7 | ||
| 8 | # To upload images, whitelist/noblacklist their path in chatterino.local. | |
| 9 | #whitelist ${PICTURES} | |
| 10 | # For custom notification sounds, whitelist/noblacklist their path in chatterino.local. | |
| 11 | #whitelist ${MUSIC} | |
| 12 | ||
| 13 | # Also allow access to mpv/vlc, they're usable via streamlink. | |
| 14 | noblacklist ${HOME}/.config/mpv | |
| 15 | noblacklist ${HOME}/.config/pulse | |
| 16 | noblacklist ${HOME}/.config/vlc | |
| 17 | noblacklist ${HOME}/.local/share/chatterino | |
| 18 | noblacklist ${HOME}/.local/share/vlc | |
| 19 | ||
| 20 | # Allow Lua for mpv (blacklisted by disable-interpreters.inc) | |
| 21 | include allow-lua.inc | |
| 22 | ||
| 23 | # Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc) | |
| 24 | include allow-python3.inc | |
| 25 | ||
| 26 | include disable-common.inc | |
| 27 | include disable-devel.inc | |
| 28 | include disable-exec.inc | |
| 29 | include disable-interpreters.inc | |
| 30 | include disable-proc.inc | |
| 31 | include disable-programs.inc | |
| 32 | include disable-xdg.inc | |
| 33 | ||
| 34 | # Also allow read-only access to mpv/VLC, they're usable via streamlink. | |
| 35 | mkdir ${HOME}/.local/share/chatterino | |
| 36 | # VLC preferences will fail to save with read-only set. | |
| 37 | whitelist ${HOME}/.local/share/chatterino | |
| 38 | whitelist-ro ${HOME}/.config/mpv | |
| 39 | whitelist-ro ${HOME}/.config/pulse | |
| 40 | whitelist-ro ${HOME}/.config/vlc | |
| 41 | whitelist-ro ${HOME}/.local/share/vlc | |
| 42 | include whitelist-common.inc | |
| 43 | include whitelist-run-common.inc | |
| 44 | include whitelist-runuser-common.inc | |
| 45 | include whitelist-usr-share-common.inc | |
| 46 | include whitelist-var-common.inc | |
| 47 | ||
| 48 | # Streamlink+VLC doesn't seem to close properly with apparmor enabled. | |
| 49 | #apparmor | |
| 50 | caps.drop all | |
| 51 | netfilter | |
| 52 | nodvd | |
| 53 | nogroups | |
| 54 | nonewprivs | |
| 55 | noprinters | |
| 56 | noroot | |
| 57 | notv | |
| 58 | nou2f | |
| 59 | # Netlink is required for streamlink integration. | |
| 60 | protocol unix,inet,inet6,netlink | |
| 61 | # Seccomp may break browser integration. | |
| 62 | seccomp | |
| 63 | seccomp.block-secondary | |
| 64 | tracelog | |
| 65 | ||
| 66 | disable-mnt | |
| 67 | # Add more private-bin lines for browsers or video players to chatterino.local if wanted. | |
| 68 | private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc | |
| 69 | # private-cache may cause issues with mpv (see #2838) | |
| 70 | private-cache | |
| 71 | private-dev | |
| 72 | private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11 | |
| 73 | private-srv none | |
| 74 | private-tmp | |
| 75 | ||
| 76 | dbus-user filter | |
| 77 | dbus-user.own com.chatterino.* | |
| 78 | # Allow notifications. | |
| 79 | dbus-user.talk org.freedesktop.Notifications | |
| 80 | # For media player integration. | |
| 81 | dbus-user.talk org.freedesktop.ScreenSaver | |
| 82 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | |
| 83 | dbus-user.own org.mpris.MediaPlayer2.chatterino | |
| 84 | dbus-user.talk org.mpris.MediaPlayer2.Player | |
| 85 | dbus-system none | |
| 86 | ||
| 87 | # Prevents browsers/players from lingering after Chatterino is closed. | |
| 88 | #deterministic-shutdown | |
| 89 | # memory-deny-write-execute may break streamlink and browser integration. | |
| 90 | #memory-deny-write-execute | |
| 91 | restrict-namespaces |
| 57 | 57 | dbus-user.own org.gnome.Cheese |
| 58 | 58 | dbus-user.talk ca.desrt.dconf |
| 59 | 59 | dbus-system none |
| 60 | ||
| 61 | restrict-namespaces |
| 0 | # Firejail profile alias for cin | |
| 1 | # This file is overwritten after every install/update | |
| 2 | # Persistent local customizations | |
| 3 | include cinelerra-gg.local | |
| 4 | # Persistent global definitions | |
| 5 | # added by included profile | |
| 6 | #include globals.local | |
| 7 | ||
| 8 | # Redirect | |
| 9 | include cin.profile |
| 0 | # Firejail profile alias for cin | |
| 1 | # This file is overwritten after every install/update | |
| 2 | # Persistent local customizations | |
| 3 | include cinelerra-gg.local | |
| 4 | # Persistent global definitions | |
| 5 | # added by included profile | |
| 6 | #include globals.local | |
| 7 | ||
| 8 | # Redirect | |
| 9 | include cin.profile |
| 0 | 0 | # Firejail profile for claws-mail |
| 1 | # Description: Fast, lightweight and user-friendly GTK+2 based email client | |
| 1 | # Description: Fast, lightweight and user-friendly GTK based email client | |
| 2 | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations |
| 4 | 4 | include claws-mail.local |
| 19 | 19 | |
| 20 | 20 | # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 |
| 21 | 21 | |
| 22 | dbus-user filter | |
| 23 | dbus-user.talk ca.desrt.dconf | |
| 24 | dbus-user.talk org.gnome.keyring.SystemPrompter | |
| 25 | # Add the next line to your claws-mail.local if you use the notification plugin. | |
| 26 | # dbus-user.talk org.freedesktop.Notifications | |
| 27 | ||
| 28 | 22 | # Redirect |
| 29 | 23 | include email-common.profile |
| 50 | 50 | dbus-system none |
| 51 | 51 | |
| 52 | 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 53 | restrict-namespaces |
| 47 | 47 | # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. |
| 48 | 48 | # dbus-user none |
| 49 | 49 | # dbus-system none |
| 50 | ||
| 51 | # restrict-namespaces |
| 58 | 58 | dbus-system none |
| 59 | 59 | |
| 60 | 60 | #memory-deny-write-execute |
| 61 | read-only ${HOME} | |
| 61 | 62 | restrict-namespaces |
| 62 | read-only ${HOME} |
| 26 | 26 | |
| 27 | 27 | private-bin cmus |
| 28 | 28 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
| 29 | ||
| 30 | restrict-namespaces |
| 51 | 51 | # dbus-user.own com.github.bleakgrey.tootle |
| 52 | 52 | # dbus-user.talk ca.desrt.dconf |
| 53 | 53 | dbus-system none |
| 54 | ||
| 55 | restrict-namespaces |
| 62 | 62 | read-write ${HOME}/.cache/agenda |
| 63 | 63 | read-write ${HOME}/.config/agenda |
| 64 | 64 | read-write ${HOME}/.local/share/agenda |
| 65 | restrict-namespaces |
| 59 | 59 | read-only ${HOME} |
| 60 | 60 | read-write ${HOME}/.cache/com.github.johnfactotum.Foliate |
| 61 | 61 | read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate |
| 62 | restrict-namespaces |
| 57 | 57 | dbus-user.own com.github.phase1geo.minder |
| 58 | 58 | dbus-user.talk ca.desrt.dconf |
| 59 | 59 | dbus-system none |
| 60 | ||
| 61 | restrict-namespaces |
| 61 | 61 | dbus-system none |
| 62 | 62 | |
| 63 | 63 | read-write ${HOME}/.local/share/flatpak/overrides |
| 64 | restrict-namespaces |
| 45 | 45 | |
| 46 | 46 | memory-deny-write-execute |
| 47 | 47 | read-only ${HOME}/.config/cower/config |
| 48 | restrict-namespaces |
| 52 | 52 | private-tmp |
| 53 | 53 | |
| 54 | 54 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 55 | restrict-namespaces |
| 49 | 49 | dbus-user.own ca.desrt.dconf-editor |
| 50 | 50 | dbus-user.talk ca.desrt.dconf |
| 51 | 51 | dbus-system none |
| 52 | ||
| 53 | restrict-namespaces |
| 59 | 59 | # deterministic-shutdown |
| 60 | 60 | # memory-deny-write-execute |
| 61 | 61 | # read-only ${HOME} |
| 62 | # restrict-namespaces | |
| 62 | restrict-namespaces |
| 42 | 42 | private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname |
| 43 | 43 | private-dev |
| 44 | 44 | private-tmp |
| 45 | ||
| 46 | restrict-namespaces |
| 49 | 49 | |
| 50 | 50 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 51 | 51 | read-only ${HOME} |
| 52 | restrict-namespaces |
| 52 | 52 | dbus-system filter |
| 53 | 53 | # Integration with systemd-logind or elogind |
| 54 | 54 | dbus-system.talk org.freedesktop.login1 |
| 55 | ||
| 56 | restrict-namespaces |
| 50 | 50 | dbus-system none |
| 51 | 51 | |
| 52 | 52 | # memory-deny-write-execute - breaks on Arch |
| 53 | # restrict-namespaces |
| 0 | # Firejail profile alias for chrome-common-hardened.inc | |
| 1 | # This file is overwritten after every install/update | |
| 2 | # Persistent local customizations | |
| 3 | include electron-hardened.inc.local | |
| 4 | # Persistent global definitions | |
| 5 | # added by caller profile | |
| 6 | #include globals.local | |
| 7 | ||
| 8 | # Redirect | |
| 9 | include chrome-common-hardened.inc.profile |
| 21 | 21 | include whitelist-usr-share-common.inc |
| 22 | 22 | include whitelist-var-common.inc |
| 23 | 23 | |
| 24 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. | |
| 25 | #include chromium-common-hardened.inc.profile | |
| 24 | # Add the next line to your electron.local if your kernel allows unprivileged userns clone. | |
| 25 | #include electron-hardened.inc.profile | |
| 26 | 26 | |
| 27 | 27 | apparmor |
| 28 | 28 | caps.keep sys_admin,sys_chroot |
| 0 | 0 | # Firejail profile for email-common |
| 1 | # Description: Common profile for claws-mail and sylpheed email clients | |
| 1 | # Description: Common profile for GUI mail clients | |
| 2 | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations |
| 4 | 4 | include email-common.local |
| 13 | 13 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local |
| 14 | 14 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications |
| 15 | 15 | noblacklist ${HOME}/Mail |
| 16 | noblacklist /var/mail | |
| 17 | noblacklist /var/spool/mail | |
| 16 | 18 | |
| 17 | 19 | noblacklist ${DOCUMENTS} |
| 18 | 20 | |
| 37 | 39 | whitelist ${RUNUSER}/gnupg |
| 38 | 40 | whitelist /usr/share/gnupg |
| 39 | 41 | whitelist /usr/share/gnupg2 |
| 42 | whitelist /var/mail | |
| 43 | whitelist /var/spool/mail | |
| 40 | 44 | include whitelist-common.inc |
| 41 | 45 | include whitelist-runuser-common.inc |
| 42 | 46 | include whitelist-usr-share-common.inc |
| 64 | 68 | # disable-mnt |
| 65 | 69 | private-cache |
| 66 | 70 | private-dev |
| 67 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | |
| 71 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,timezone,xdg | |
| 68 | 72 | private-tmp |
| 69 | 73 | # encrypting and signing email |
| 70 | 74 | writable-run-user |
| 75 | writable-var | |
| 71 | 76 | |
| 77 | dbus-user filter | |
| 78 | dbus-user.talk ca.desrt.dconf | |
| 79 | dbus-user.talk org.freedesktop.Notifications | |
| 80 | dbus-user.talk org.freedesktop.secrets | |
| 81 | dbus-user.talk org.gnome.keyring.* | |
| 82 | dbus-user.talk org.gnome.seahorse.* | |
| 83 | dbus-user.talk org.mozilla.* | |
| 72 | 84 | dbus-system none |
| 73 | ||
| 74 | # If you want to read local mail stored in /var/mail, add the following to email-common.local: | |
| 75 | #noblacklist /var/mail | |
| 76 | #noblacklist /var/spool/mail | |
| 77 | #whitelist /var/mail | |
| 78 | #whitelist /var/spool/mail | |
| 79 | #writable-var | |
| 80 | 85 | |
| 81 | 86 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 82 | 87 | read-only ${HOME}/.signature |
| 88 | restrict-namespaces | |
| 37 | 37 | dbus-user filter |
| 38 | 38 | dbus-user.talk ca.desrt.dconf |
| 39 | 39 | dbus-system none |
| 40 | ||
| 41 | restrict-namespaces |
| 58 | 58 | private-tmp |
| 59 | 59 | |
| 60 | 60 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 61 | restrict-namespaces |
| 48 | 48 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
| 49 | 49 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* |
| 50 | 50 | private-tmp |
| 51 | ||
| 52 | restrict-namespaces |
| 63 | 63 | dbus-user.talk org.gtk.vfs.Daemon |
| 64 | 64 | dbus-user.talk org.gtk.vfs.Metadata |
| 65 | 65 | dbus-system none |
| 66 | ||
| 67 | restrict-namespaces |
| 52 | 52 | # dbus-user filter |
| 53 | 53 | # dbus-user.own org.kde.Falkon |
| 54 | 54 | dbus-system none |
| 55 | ||
| 56 | # restrict-namespaces |
| 55 | 55 | #dbus-user.talk org.freedesktop.Notifications |
| 56 | 56 | #dbus-user.talk org.gnome.OnlineAccounts |
| 57 | 57 | dbus-system none |
| 58 | ||
| 59 | restrict-namespaces |
| 53 | 53 | dbus-system none |
| 54 | 54 | |
| 55 | 55 | # memory-deny-write-execute - it breaks old versions of ffmpeg |
| 56 | restrict-namespaces |
| 40 | 40 | private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh |
| 41 | 41 | private-dev |
| 42 | 42 | private-tmp |
| 43 | ||
| 44 | restrict-namespaces |
| 34 | 34 | include whitelist-var-common.inc |
| 35 | 35 | |
| 36 | 36 | apparmor |
| 37 | # Fixme! | |
| 38 | apparmor-replace | |
| 37 | 39 | caps.drop all |
| 38 | 40 | # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. |
| 39 | 41 | #machine-id |
| 67 | 69 | # Gnome connector, KDE connect and power management on KDE Plasma. |
| 68 | 70 | dbus-user none |
| 69 | 71 | dbus-system none |
| 72 | ||
| 73 | #restrict-namespaces | |
| 64 | 64 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 65 | 65 | ?ALLOW_TRAY: dbus-user.own org.kde.* |
| 66 | 66 | dbus-system none |
| 67 | ||
| 68 | restrict-namespaces |
| 13 | 13 | netfilter |
| 14 | 14 | noroot |
| 15 | 15 | protocol unix,inet,inet6 |
| 16 | seccomp | |
| 16 | seccomp !chroot | |
| 17 | 17 | |
| 18 | #restrict-namespaces |
| 53 | 53 | private-tmp |
| 54 | 54 | |
| 55 | 55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 56 | restrict-namespaces |
| 54 | 54 | dbus-user.talk org.freedesktop.Notifications |
| 55 | 55 | dbus-user.talk org.freedesktop.secrets |
| 56 | 56 | dbus-system none |
| 57 | ||
| 58 | restrict-namespaces |
| 74 | 74 | # Add the next line to your gajim.local to enable location plugin support. |
| 75 | 75 | #dbus-system.talk org.freedesktop.GeoClue2 |
| 76 | 76 | |
| 77 | restrict-namespaces | |
| 77 | 78 | join-or-start gajim |
| 49 | 49 | dbus-system none |
| 50 | 50 | |
| 51 | 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 52 | restrict-namespaces |
| 36 | 36 | dbus-system none |
| 37 | 37 | |
| 38 | 38 | memory-deny-write-execute |
| 39 | restrict-namespaces | |
| 39 | 40 | |
| 40 | 41 | # gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features. |
| 41 | 42 | # Depending on workflow and use case the sandbox can be hardened by adding the |
| 87 | 87 | dbus-user.talk org.gnome.evolution.dataserver.AddressBook10 |
| 88 | 88 | dbus-user.talk org.gnome.evolution.dataserver.Sources5 |
| 89 | 89 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 90 | dbus-user.talk org.mozilla.* | |
| 90 | 91 | dbus-system none |
| 91 | 92 | |
| 92 | 93 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 94 | restrict-namespaces |
| 48 | 48 | # makes settings immutable |
| 49 | 49 | # dbus-user none |
| 50 | 50 | # dbus-system none |
| 51 | ||
| 52 | restrict-namespaces |
| 66 | 66 | dbus-user.own org.gabmus.gfeeds |
| 67 | 67 | dbus-user.talk ca.desrt.dconf |
| 68 | 68 | dbus-system none |
| 69 | ||
| 70 | restrict-namespaces |
| 83 | 83 | |
| 84 | 84 | # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. |
| 85 | 85 | read-only ${HOME}/.ssh |
| 86 | ||
| 87 | restrict-namespaces |
| 60 | 60 | # Add the next line to your gitg.local if you need keyring access. |
| 61 | 61 | #dbus-user.talk org.freedesktop.secrets |
| 62 | 62 | dbus-system none |
| 63 | ||
| 64 | restrict-namespaces |
| 41 | 41 | private-dev |
| 42 | 42 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
| 43 | 43 | private-tmp |
| 44 | ||
| 45 | restrict-namespaces |
| 50 | 50 | # dbus-system none |
| 51 | 51 | |
| 52 | 52 | # memory-deny-write-execute - breaks on Arch |
| 53 | restrict-namespaces |
| 51 | 51 | dbus-user.own org.gnome.Calculator |
| 52 | 52 | dbus-user.talk ca.desrt.dconf |
| 53 | 53 | dbus-system none |
| 54 | ||
| 55 | restrict-namespaces |
| 50 | 50 | private-dev |
| 51 | 51 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload |
| 52 | 52 | private-tmp |
| 53 | ||
| 54 | restrict-namespaces |
| 43 | 43 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl |
| 44 | 44 | private-tmp |
| 45 | 45 | |
| 46 | restrict-namespaces |
| 49 | 49 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive |
| 50 | 50 | |
| 51 | 51 | dbus-system none |
| 52 | ||
| 53 | restrict-namespaces |
| 50 | 50 | |
| 51 | 51 | # Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}. |
| 52 | 52 | read-only ${HOME} |
| 53 | restrict-namespaces |
| 72 | 72 | dbus-system filter |
| 73 | 73 | #dbus-system.talk org.freedesktop.NetworkManager |
| 74 | 74 | dbus-system.talk org.freedesktop.GeoClue2 |
| 75 | ||
| 76 | restrict-namespaces |
| 43 | 43 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg |
| 44 | 44 | private-tmp |
| 45 | 45 | |
| 46 | restrict-namespaces |
| 58 | 58 | dbus-user.own org.gnome.PasswordSafe |
| 59 | 59 | dbus-user.talk ca.desrt.dconf |
| 60 | 60 | dbus-system none |
| 61 | ||
| 62 | restrict-namespaces |
| 55 | 55 | |
| 56 | 56 | read-only ${HOME} |
| 57 | 57 | read-write ${HOME}/.local/share/gnome-pomodoro |
| 58 | restrict-namespaces |
| 49 | 49 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* |
| 50 | 50 | private-tmp |
| 51 | 51 | |
| 52 | restrict-namespaces |
| 47 | 47 | dbus-user.own org.gnome.Screenshot |
| 48 | 48 | dbus-user.talk org.gnome.Shell.Screenshot |
| 49 | 49 | dbus-system none |
| 50 | ||
| 51 | restrict-namespaces |
| 40 | 40 | private-dev |
| 41 | 41 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg |
| 42 | 42 | private-tmp |
| 43 | ||
| 44 | restrict-namespaces |
| 52 | 52 | memory-deny-write-execute |
| 53 | 53 | # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}. |
| 54 | 54 | read-only ${HOME} |
| 55 | restrict-namespaces |
| 45 | 45 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
| 46 | 46 | private-tmp |
| 47 | 47 | |
| 48 | restrict-namespaces |
| 45 | 45 | dbus-user filter |
| 46 | 46 | dbus-user.talk ca.desrt.dconf |
| 47 | 47 | dbus-system none |
| 48 | ||
| 49 | restrict-namespaces |
| 56 | 56 | dbus-user.own org.gnome.Gnote |
| 57 | 57 | dbus-user.talk ca.desrt.dconf |
| 58 | 58 | dbus-system none |
| 59 | ||
| 60 | restrict-namespaces |
| 31 | 31 | private-dev |
| 32 | 32 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
| 33 | 33 | # private-tmp |
| 34 | ||
| 35 | restrict-namespaces |
| 45 | 45 | seccomp |
| 46 | 46 | tracelog |
| 47 | 47 | |
| 48 | # private-bin gpg-agent,gpg | |
| 48 | # private-bin gpg-agent | |
| 49 | 49 | private-cache |
| 50 | 50 | private-dev |
| 51 | ||
| 52 | restrict-namespaces |
| 41 | 41 | seccomp |
| 42 | 42 | tracelog |
| 43 | 43 | |
| 44 | # private-bin gpg,gpg-agent | |
| 44 | # private-bin gpg | |
| 45 | 45 | private-cache |
| 46 | 46 | private-dev |
| 47 | 47 | |
| 50 | 50 | # installing/upgrading archlinux-keyring extremely slow. |
| 51 | 51 | read-write /etc/pacman.d/gnupg |
| 52 | 52 | read-write /usr/share/pacman/keyrings |
| 53 | restrict-namespaces | |
| 37 | 37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
| 38 | 38 | private-tmp |
| 39 | 39 | |
| 40 | restrict-namespaces |
| 51 | 51 | dbus-user.own org.mpris.MediaPlayer2.gradio |
| 52 | 52 | dbus-user.talk ca.desrt.dconf |
| 53 | 53 | dbus-system none |
| 54 | ||
| 55 | restrict-namespaces |
| 68 | 68 | private-dev |
| 69 | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
| 70 | 70 | private-tmp |
| 71 | ||
| 72 | restrict-namespaces |
| 13 | 13 | netfilter |
| 14 | 14 | noroot |
| 15 | 15 | protocol unix,inet,inet6 |
| 16 | seccomp | |
| 16 | seccomp !chroot | |
| 17 | 17 | |
| 18 | #restrict-namespaces |
| 56 | 56 | dbus-user.own io.github.lainsce.Notejot |
| 57 | 57 | dbus-user.talk ca.desrt.dconf |
| 58 | 58 | dbus-system none |
| 59 | ||
| 60 | restrict-namespaces |
| 105 | 105 | dbus-system filter |
| 106 | 106 | dbus-system.talk org.freedesktop.login1 |
| 107 | 107 | |
| 108 | restrict-namespaces | |
| 109 | ||
| 108 | 110 | # Mutex is stored in /tmp by default, which is broken by private-tmp. |
| 109 | 111 | join-or-start keepassxc |
| 61 | 61 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
| 62 | 62 | # writable-run-user is needed for signing and encrypting emails |
| 63 | 63 | writable-run-user |
| 64 | ||
| 65 | # restrict-namespaces |
| 77 | 77 | dbus-system none |
| 78 | 78 | |
| 79 | 79 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 80 | restrict-namespaces |
| 43 | 43 | private-dev |
| 44 | 44 | private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg |
| 45 | 45 | private-tmp |
| 46 | ||
| 47 | restrict-namespaces |
| 47 | 47 | memory-deny-write-execute |
| 48 | 48 | read-only ${HOME} |
| 49 | 49 | read-write ${HOME}/.lesshst |
| 50 | restrict-namespaces |
| 53 | 53 | dbus-user filter |
| 54 | 54 | dbus-user.talk ca.desrt.dconf |
| 55 | 55 | dbus-system none |
| 56 | ||
| 57 | restrict-namespaces |
| 58 | 58 | # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. |
| 59 | 59 | #dbus-user.talk org.freedesktop.secrets |
| 60 | 60 | dbus-system none |
| 61 | ||
| 62 | restrict-namespaces |
| 0 | # Firejail profile for linuxqq | |
| 1 | # Description: IM client based on Electron | |
| 2 | # This file is overwritten after every install/update | |
| 3 | # Persistent local customizations | |
| 4 | include linuxqq.local | |
| 5 | # Persistent global definitions | |
| 6 | include globals.local | |
| 7 | ||
| 8 | noblacklist ${HOME}/.config/QQ | |
| 9 | noblacklist ${HOME}/.mozilla | |
| 10 | ||
| 11 | include allow-bin-sh.inc | |
| 12 | ||
| 13 | include disable-shell.inc | |
| 14 | ||
| 15 | mkdir ${HOME}/.config/QQ | |
| 16 | whitelist ${HOME}/.config/QQ | |
| 17 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | |
| 18 | whitelist ${DESKTOP} | |
| 19 | ||
| 20 | ignore apparmor | |
| 21 | noprinters | |
| 22 | ||
| 23 | # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local. | |
| 24 | #private | |
| 25 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg | |
| 26 | private-opt QQ | |
| 27 | ||
| 28 | dbus-user filter | |
| 29 | dbus-user.talk org.freedesktop.Notifications | |
| 30 | dbus-user.talk org.freedesktop.portal.Desktop | |
| 31 | dbus-user.talk org.freedesktop.portal.Fcitx | |
| 32 | dbus-user.talk org.freedesktop.portal.IBus | |
| 33 | dbus-user.talk org.freedesktop.ScreenSaver | |
| 34 | dbus-user.talk org.gnome.Mutter.IdleMonitor | |
| 35 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | |
| 36 | dbus-user.talk org.mozilla.* | |
| 37 | ignore dbus-user none | |
| 38 | ||
| 39 | read-only ${HOME}/.mozilla/firefox/profiles.ini | |
| 40 | ||
| 41 | # Redirect | |
| 42 | include electron.profile |
| 38 | 38 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
| 39 | 39 | private-tmp |
| 40 | 40 | |
| 41 | restrict-namespaces |
| 79 | 79 | dbus-user.own net.lutris.Lutris |
| 80 | 80 | dbus-user.talk com.feralinteractive.GameMode |
| 81 | 81 | dbus-system none |
| 82 | ||
| 83 | restrict-namespaces |
| 38 | 38 | private-dev |
| 39 | 39 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
| 40 | 40 | private-tmp |
| 41 | ||
| 42 | restrict-namespaces |
| 26 | 26 | include disable-shell.inc |
| 27 | 27 | include disable-xdg.inc |
| 28 | 28 | |
| 29 | mkdir ${HOME}/.config/QMediathekView | |
| 30 | mkdir ${HOME}/.local/share/QMediathekView | |
| 31 | whitelist ${HOME}/.config/QMediathekView | |
| 32 | whitelist ${HOME}/.local/share/QMediathekView | |
| 33 | ||
| 34 | whitelist ${DOWNLOADS} | |
| 35 | whitelist ${VIDEOS} | |
| 36 | ||
| 37 | whitelist ${HOME}/.config/mpv | |
| 38 | whitelist ${HOME}/.config/smplayer | |
| 39 | whitelist ${HOME}/.config/totem | |
| 40 | whitelist ${HOME}/.config/vlc | |
| 41 | whitelist ${HOME}/.config/xplayer | |
| 42 | whitelist ${HOME}/.local/share/totem | |
| 43 | whitelist ${HOME}/.local/share/xplayer | |
| 44 | whitelist ${HOME}/.mplayer | |
| 29 | 45 | whitelist /usr/share/qtchooser |
| 46 | include whitelist-common.inc | |
| 47 | include whitelist-run-common.inc | |
| 48 | include whitelist-runuser-common.inc | |
| 30 | 49 | include whitelist-usr-share-common.inc |
| 31 | 50 | include whitelist-var-common.inc |
| 32 | 51 | |
| 52 | apparmor | |
| 33 | 53 | caps.drop all |
| 34 | 54 | netfilter |
| 35 | 55 | # no3d |
| 37 | 57 | nogroups |
| 38 | 58 | noinput |
| 39 | 59 | nonewprivs |
| 60 | noprinters | |
| 40 | 61 | noroot |
| 41 | 62 | notv |
| 42 | 63 | nou2f |
| 43 | 64 | novideo |
| 44 | protocol unix,inet,inet6,netlink | |
| 65 | protocol unix,inet,inet6 | |
| 45 | 66 | seccomp |
| 46 | 67 | tracelog |
| 47 | 68 | |
| 49 | 70 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer |
| 50 | 71 | private-cache |
| 51 | 72 | private-dev |
| 73 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,login.defs,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl | |
| 52 | 74 | private-tmp |
| 53 | 75 | |
| 54 | 76 | dbus-user none |
| 55 | 77 | dbus-system none |
| 56 | 78 | |
| 57 | 79 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 80 | restrict-namespaces | |
| 51 | 51 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
| 52 | 52 | private-tmp |
| 53 | 53 | |
| 54 | restrict-namespaces |
| 33 | 33 | private-bin awk,bash,dig,sh,Viber |
| 34 | 34 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 |
| 35 | 35 | private-tmp |
| 36 | ||
| 37 | # restrict-namespaces |
| 39 | 39 | private-dev |
| 40 | 40 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf |
| 41 | 41 | #private-tmp |
| 42 | ||
| 43 | restrict-namespaces |
| 43 | 43 | private-dev |
| 44 | 44 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf |
| 45 | 45 | private-tmp |
| 46 | ||
| 47 | restrict-namespaces |
| 64 | 64 | memory-deny-write-execute |
| 65 | 65 | read-only ${HOME} |
| 66 | 66 | #read-only /tmp # breaks mandoc (see #4927) |
| 67 | restrict-namespaces |
| 59 | 59 | dbus-user.own com.github.fabiocolacio.marker |
| 60 | 60 | dbus-user.talk ca.desrt.dconf |
| 61 | 61 | dbus-system none |
| 62 | ||
| 63 | restrict-namespaces |
| 37 | 37 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
| 38 | 38 | private-tmp |
| 39 | 39 | |
| 40 | restrict-namespaces |
| 30 | 30 | private-bin mcabber |
| 31 | 31 | private-dev |
| 32 | 32 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl |
| 33 | ||
| 34 | restrict-namespaces |
| 69 | 69 | read-write ${HOME}/.local/share |
| 70 | 70 | # used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails |
| 71 | 71 | read-write ${HOME}/.thumbnails |
| 72 | restrict-namespaces |
| 60 | 60 | read-write ${HOME}/.gnome/apps |
| 61 | 61 | read-write ${HOME}/.local/share/applications |
| 62 | 62 | read-write ${HOME}/.local/share/flatpak/exports |
| 63 | restrict-namespaces |
| 49 | 49 | memory-deny-write-execute |
| 50 | 50 | read-only ${HOME} |
| 51 | 51 | read-write ${HOME}/.moc |
| 52 | restrict-namespaces |
| 45 | 45 | private-etc alternatives,ld.so.cache,ld.so.preload |
| 46 | 46 | private-tmp |
| 47 | 47 | |
| 48 | memory-deny-write-execute | |
| 49 | ||
| 50 | 48 | dbus-user none |
| 51 | 49 | dbus-system none |
| 50 | ||
| 51 | memory-deny-write-execute | |
| 52 | restrict-namespaces |
| 54 | 54 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 55 | 55 | |
| 56 | 56 | read-only ${HOME} |
| 57 | restrict-namespaces |
| 41 | 41 | private-tmp |
| 42 | 42 | |
| 43 | 43 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 44 | restrict-namespaces |
| 34 | 34 | private-dev |
| 35 | 35 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl |
| 36 | 36 | |
| 37 | # restrict-namespaces |
| 145 | 145 | read-only ${HOME}/.nanorc |
| 146 | 146 | read-only ${HOME}/.signature |
| 147 | 147 | read-only ${HOME}/.w3m |
| 148 | restrict-namespaces |
| 61 | 61 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 62 | 62 | dbus-user.talk org.kde.kwalletd5 |
| 63 | 63 | dbus-system none |
| 64 | ||
| 65 | restrict-namespaces |
| 128 | 128 | read-only ${HOME}/.nanorc |
| 129 | 129 | read-only ${HOME}/.signature |
| 130 | 130 | read-only ${HOME}/.w3m |
| 131 | restrict-namespaces |
| 56 | 56 | #dbus-user.own com.gitlab.newsflash |
| 57 | 57 | #dbus-user.talk org.freedesktop.Notifications |
| 58 | 58 | dbus-system none |
| 59 | ||
| 60 | restrict-namespaces |
| 68 | 68 | dbus-user.talk org.freedesktop.secrets |
| 69 | 69 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 70 | 70 | dbus-system none |
| 71 | ||
| 72 | restrict-namespaces |
| 55 | 55 | # Add the next line to your nheko.local to enable notification support. |
| 56 | 56 | #dbus-user.talk org.freedesktop.Notifications |
| 57 | 57 | dbus-system none |
| 58 | ||
| 59 | restrict-namespaces |
| 99 | 99 | |
| 100 | 100 | # Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry. |
| 101 | 101 | #env GATSBY_TELEMETRY_DISABLED=1 |
| 102 | restrict-namespaces |
| 41 | 41 | private-dev |
| 42 | 42 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl |
| 43 | 43 | private-tmp |
| 44 | ||
| 45 | restrict-namespaces |
| 50 | 50 | read-write ${HOME}/.local/state/nvim |
| 51 | 51 | read-write ${HOME}/.vim |
| 52 | 52 | read-write ${HOME}/.vimrc |
| 53 | restrict-namespaces |
| 13 | 13 | netfilter |
| 14 | 14 | noroot |
| 15 | 15 | protocol unix,inet,inet6 |
| 16 | seccomp | |
| 16 | seccomp !chroot | |
| 17 | 17 | |
| 18 | 18 | read-only ${HOME}/.config/openbox/autostart |
| 19 | 19 | read-only ${HOME}/.config/openbox/environment |
| 20 | #restrict-namespaces |
| 21 | 21 | #private-etc palemoon |
| 22 | 22 | #private-opt palemoon |
| 23 | 23 | |
| 24 | restrict-namespaces | |
| 25 | ignore restrict-namespaces | |
| 26 | ||
| 24 | 27 | # Redirect |
| 25 | 28 | include firefox-common.profile |
| 26 | 26 | private-bin dbus-launch,parole |
| 27 | 27 | private-cache |
| 28 | 28 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl |
| 29 | ||
| 30 | restrict-namespaces |
| 52 | 52 | |
| 53 | 53 | # mdwe is broken under Wayland, but works under Xorg. |
| 54 | 54 | #memory-deny-write-execute |
| 55 | restrict-namespaces |
| 55 | 55 | read-only /var/log/apt/history.log |
| 56 | 56 | read-only /var/log/dnf.rpm.log |
| 57 | 57 | read-only /var/log/pacman.log |
| 58 | restrict-namespaces |
| 56 | 56 | read-only ${HOME} |
| 57 | 57 | read-write ${HOME}/.config/PacmanLogViewer |
| 58 | 58 | read-only /var/log/pacman.log |
| 59 | restrict-namespaces |
| 34 | 34 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
| 35 | 35 | private-tmp |
| 36 | 36 | |
| 37 | restrict-namespaces |
| 42 | 42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg |
| 43 | 43 | private-tmp |
| 44 | 44 | |
| 45 | restrict-namespaces |
| 62 | 62 | dbus-system none |
| 63 | 63 | |
| 64 | 64 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo |
| 65 | restrict-namespaces |
| 63 | 63 | read-write ${HOME}/.local/share/PawelStolowski |
| 64 | 64 | #to allow ${HOME}/.local/share/recently-used.xbel |
| 65 | 65 | read-write ${HOME}/.local/share |
| 66 | restrict-namespaces |
| 42 | 42 | # needs D-Bus when started from a file manager |
| 43 | 43 | # dbus-user none |
| 44 | 44 | # dbus-system none |
| 45 | ||
| 46 | restrict-namespaces |
| 0 | # Firejail profile for qq | |
| 1 | # Description: IM client based on Electron | |
| 2 | # This file is overwritten after every install/update | |
| 3 | # Persistent local customizations | |
| 4 | include qq.local | |
| 5 | # Persistent global definitions | |
| 6 | # added by included profile | |
| 7 | #include globals.local | |
| 8 | ||
| 9 | # Redirect | |
| 10 | include linuxqq.profile |
| 48 | 48 | dbus-system none |
| 49 | 49 | |
| 50 | 50 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 51 | restrict-namespaces |
| 51 | 51 | private-dev |
| 52 | 52 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 |
| 53 | 53 | |
| 54 | restrict-namespaces |
| 47 | 47 | protocol unix,inet,inet6,netlink |
| 48 | 48 | # blacklisting of chroot system calls breaks qt webengine |
| 49 | 49 | seccomp !chroot,!name_to_handle_at |
| 50 | # tracelog | |
| 50 | #tracelog | |
| 51 | 51 | |
| 52 | 52 | disable-mnt |
| 53 | 53 | private-cache |
| 64 | 64 | # with the above lines (might depend on the portal implementation). |
| 65 | 65 | #ignore noroot |
| 66 | 66 | dbus-system none |
| 67 | ||
| 68 | #restrict-namespaces | |
| 34 | 34 | # electron-based application, needing chroot |
| 35 | 35 | #seccomp |
| 36 | 36 | seccomp !chroot |
| 37 | # tracelog | |
| 37 | #tracelog | |
| 38 | ||
| 39 | #restrict-namespaces |
| 62 | 62 | dbus-user.talk org.gnome.SettingsDaemon.MediaKeys |
| 63 | 63 | dbus-system filter |
| 64 | 64 | dbus-system.talk org.freedesktop.Avahi |
| 65 | ||
| 66 | restrict-namespaces |
| 38 | 38 | private-dev |
| 39 | 39 | #private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11 |
| 40 | 40 | |
| 41 | restrict-namespaces |
| 7 | 7 | # added by included profile |
| 8 | 8 | #include globals.local |
| 9 | 9 | |
| 10 | blacklist ${RUNUSER}/wayland-* | |
| 11 | include disable-X11.inc | |
| 12 | ||
| 10 | 13 | memory-deny-write-execute |
| 11 | 14 | |
| 12 | 15 | # Redirect |
| 6 | 6 | # added by included profile |
| 7 | 7 | #include globals.local |
| 8 | 8 | |
| 9 | # private-etc workaround for: #2877 | |
| 10 | private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd | |
| 11 | private-tmp | |
| 12 | ||
| 13 | 9 | # Redirect |
| 14 | 10 | include seahorse.profile |
| 4 | 4 | include seahorse.local |
| 5 | 5 | # Persistent global definitions |
| 6 | 6 | include globals.local |
| 7 | ||
| 8 | blacklist /tmp/.X11-unix | |
| 9 | 7 | |
| 10 | 8 | noblacklist ${HOME}/.gnupg |
| 11 | 9 | |
| 58 | 56 | disable-mnt |
| 59 | 57 | private-cache |
| 60 | 58 | private-dev |
| 61 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 | |
| 59 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg | |
| 60 | private-tmp | |
| 62 | 61 | writable-run-user |
| 63 | 62 | |
| 64 | 63 | dbus-user filter |
| 65 | 64 | dbus-user.own org.gnome.seahorse |
| 66 | 65 | dbus-user.own org.gnome.seahorse.Application |
| 66 | dbus-user.talk ca.desrt.dconf | |
| 67 | 67 | dbus-user.talk org.freedesktop.secrets |
| 68 | 68 | dbus-system none |
| 69 | ||
| 70 | restrict-namespaces | |
| 56 | 56 | disable-mnt |
| 57 | 57 | # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl |
| 58 | 58 | writable-run-user |
| 59 | ||
| 60 | restrict-namespaces |
| 82 | 82 | # private-lib |
| 83 | 83 | # private-opt none |
| 84 | 84 | private-tmp |
| 85 | # writable-run-user | |
| 86 | # writable-var | |
| 87 | # writable-var-log | |
| 85 | 88 | |
| 86 | 89 | dbus-user none |
| 87 | 90 | # dbus-system none |
| 89 | 92 | # deterministic-shutdown |
| 90 | 93 | # memory-deny-write-execute |
| 91 | 94 | # read-only ${HOME} |
| 92 | # restrict-namespaces | |
| 93 | # writable-run-user | |
| 94 | # writable-var | |
| 95 | # writable-var-log | |
| 95 | restrict-namespaces | |
| 46 | 46 | private-dev |
| 47 | 47 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |
| 48 | 48 | private-tmp |
| 49 | ||
| 50 | restrict-namespaces |
| 56 | 56 | dbus-user.talk ca.desrt.dconf |
| 57 | 57 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor |
| 58 | 58 | dbus-system none |
| 59 | ||
| 60 | restrict-namespaces |
| 47 | 47 | # Does not work with all Java configurations. You will notice immediately, so you might want to give it a try |
| 48 | 48 | #private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl |
| 49 | 49 | private-tmp |
| 50 | ||
| 51 | restrict-namespaces |
| 37 | 37 | # private-dev |
| 38 | 38 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
| 39 | 39 | # private-tmp |
| 40 | ||
| 41 | restrict-namespaces |
| 64 | 64 | #dbus-user.talk org.kde.JobViewServer |
| 65 | 65 | #dbus-user.talk org.kde.kglobalaccel |
| 66 | 66 | dbus-system none |
| 67 | ||
| 68 | restrict-namespaces |
| 52 | 52 | # Add the next line to your spectral.local to enable notification support. |
| 53 | 53 | #dbus-user.talk org.freedesktop.Notifications |
| 54 | 54 | dbus-system none |
| 55 | ||
| 56 | restrict-namespaces |
| 9 | 9 | |
| 10 | 10 | noblacklist ${PATH}/mount |
| 11 | 11 | noblacklist ${PATH}/umount |
| 12 | noblacklist /proc/config.gz | |
| 12 | 13 | |
| 13 | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
| 14 | 15 | include allow-perl.inc |
| 40 | 41 | |
| 41 | 42 | disable-mnt |
| 42 | 43 | private |
| 43 | private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils | |
| 44 | private-bin awk,basename,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,ps,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,unzstd,which,xz-utils | |
| 44 | 45 | private-cache |
| 45 | 46 | private-tmp |
| 46 | 47 | |
| 48 | 49 | dbus-system none |
| 49 | 50 | |
| 50 | 51 | memory-deny-write-execute |
| 52 | restrict-namespaces | |
| 52 | 52 | # dbus needed for MPRIS |
| 53 | 53 | # dbus-user none |
| 54 | 54 | # dbus-system none |
| 55 | ||
| 56 | restrict-namespaces |
| 48 | 48 | # dbus-system none |
| 49 | 49 | |
| 50 | 50 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 51 | restrict-namespaces |
| 0 | # Firejail profile for ssmtp | |
| 1 | # Description: Extremely simple MTA to get mail off the system to a mailhub | |
| 2 | # This file is overwritten after every install/update | |
| 3 | quiet | |
| 4 | # Persistent local customizations | |
| 5 | include ssmtp.local | |
| 6 | # Persistent global definitions | |
| 7 | include globals.local | |
| 8 | ||
| 9 | blacklist ${RUNUSER} | |
| 10 | blacklist /usr/libexec | |
| 11 | ||
| 12 | noblacklist /etc/logcheck | |
| 13 | noblacklist /etc/ssmtp | |
| 14 | noblacklist /sbin | |
| 15 | noblacklist /usr/sbin | |
| 16 | ||
| 17 | noblacklist ${DOCUMENTS} | |
| 18 | include disable-common.inc | |
| 19 | include disable-devel.inc | |
| 20 | include disable-exec.inc | |
| 21 | include disable-interpreters.inc | |
| 22 | include disable-proc.inc | |
| 23 | include disable-programs.inc | |
| 24 | include disable-shell.inc | |
| 25 | include disable-xdg.inc | |
| 26 | include disable-X11.inc | |
| 27 | ||
| 28 | mkfile ${HOME}/dead.letter | |
| 29 | whitelist ${HOME}/dead.letter | |
| 30 | whitelist ${DOCUMENTS} | |
| 31 | whitelist ${DOWNLOADS} | |
| 32 | include whitelist-common.inc | |
| 33 | include whitelist-run-common.inc | |
| 34 | include whitelist-runuser-common.inc | |
| 35 | include whitelist-usr-share-common.inc | |
| 36 | include whitelist-var-common.inc | |
| 37 | ||
| 38 | apparmor | |
| 39 | caps.drop all | |
| 40 | ipc-namespace | |
| 41 | machine-id | |
| 42 | netfilter | |
| 43 | no3d | |
| 44 | nodvd | |
| 45 | #nogroups breaks app | |
| 46 | noinput | |
| 47 | nonewprivs | |
| 48 | noprinters | |
| 49 | #noroot breaks app | |
| 50 | nosound | |
| 51 | notv | |
| 52 | nou2f | |
| 53 | novideo | |
| 54 | protocol unix,inet,inet6 | |
| 55 | seccomp | |
| 56 | seccomp.block-secondary | |
| 57 | tracelog | |
| 58 | ||
| 59 | disable-mnt | |
| 60 | # private works but then we lose ${HOME}/dead.letter | |
| 61 | # which is useful to get notified on mail issues | |
| 62 | #private | |
| 63 | private-bin mailq,newaliases,sendmail,ssmtp | |
| 64 | private-cache | |
| 65 | private-dev | |
| 66 | private-tmp | |
| 67 | ||
| 68 | dbus-user none | |
| 69 | dbus-system none | |
| 70 | ||
| 71 | memory-deny-write-execute | |
| 72 | restrict-namespaces | |
| 73 | read-only ${HOME} | |
| 74 | read-write ${HOME}/dead.letter |
| 177 | 177 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan |
| 178 | 178 | private-tmp |
| 179 | 179 | |
| 180 | # dbus-user none | |
| 181 | # dbus-system none | |
| 180 | #dbus-user none | |
| 181 | #dbus-system none | |
| 182 | 182 | |
| 183 | 183 | read-only ${HOME}/.config/MangoHud |
| 184 | #restrict-namespaces |
| 49 | 49 | dbus-system none |
| 50 | 50 | |
| 51 | 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 52 | restrict-namespaces |
| 35 | 35 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl |
| 36 | 36 | private-tmp |
| 37 | 37 | |
| 38 | restrict-namespaces |
| 14 | 14 | |
| 15 | 15 | # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed |
| 16 | 16 | |
| 17 | dbus-user filter | |
| 18 | dbus-user.talk ca.desrt.dconf | |
| 19 | dbus-user.talk org.freedesktop.secrets | |
| 20 | dbus-user.talk org.gnome.keyring.SystemPrompter | |
| 21 | # Add the next line to your sylpheed.local to enable notifications. | |
| 22 | # dbus-user.talk org.freedesktop.Notifications | |
| 23 | ||
| 24 | 17 | # Redirect |
| 25 | 18 | include email-common.profile |
| 73 | 73 | dbus-user.talk ca.desrt.dconf |
| 74 | 74 | |
| 75 | 75 | # memory-deny-write-execute - breaks on Arch |
| 76 | restrict-namespaces |
| 55 | 55 | dbus-user.talk org.gnome.Mutter.IdleMonitor |
| 56 | 56 | dbus-user.talk org.freedesktop.ScreenSaver |
| 57 | 57 | dbus-system none |
| 58 | ||
| 59 | restrict-namespaces |
| 31 | 31 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
| 32 | 32 | private-tmp |
| 33 | 33 | |
| 34 | restrict-namespaces |
| 47 | 47 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
| 48 | 48 | private-tmp |
| 49 | 49 | writable-var |
| 50 | ||
| 51 | restrict-namespaces |
| 56 | 56 | # makes settings immutable |
| 57 | 57 | # dbus-user none |
| 58 | 58 | dbus-system none |
| 59 | ||
| 60 | restrict-namespaces |
| 60 | 60 | dbus-system none |
| 61 | 61 | |
| 62 | 62 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 63 | restrict-namespaces |
| 41 | 41 | private-dev |
| 42 | 42 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg |
| 43 | 43 | private-tmp |
| 44 | ||
| 45 | restrict-namespaces |
| 40 | 40 | |
| 41 | 41 | # doesn't work - maybe all Tcl/Tk programs have this problem |
| 42 | 42 | # memory-deny-write-execute |
| 43 | restrict-namespaces |
| 49 | 49 | dbus-system none |
| 50 | 50 | |
| 51 | 51 | #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) |
| 52 | restrict-namespaces |
| 52 | 52 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 53 | 53 | dbus-user.talk org.mpris.MediaPlayer2.Player |
| 54 | 54 | dbus-system none |
| 55 | ||
| 56 | restrict-namespaces |
| 46 | 46 | private-bin bash,dash,sh,warzone2100,which |
| 47 | 47 | private-dev |
| 48 | 48 | private-tmp |
| 49 | ||
| 50 | restrict-namespaces |
| 27 | 27 | # no private-bin support for various reasons: |
| 28 | 28 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, |
| 29 | 29 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins |
| 30 | ||
| 31 | restrict-namespaces |
| 50 | 50 | |
| 51 | 51 | # xed uses python plugins, memory-deny-write-execute breaks python |
| 52 | 52 | # memory-deny-write-execute |
| 53 | restrict-namespaces |
| 47 | 47 | private-dev |
| 48 | 48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf |
| 49 | 49 | private-tmp |
| 50 | ||
| 51 | restrict-namespaces |
| 0 | # Firejail profile for xlinks2 | |
| 1 | # Description: Text WWW browser (X11) | |
| 2 | # This file is overwritten after every install/update | |
| 3 | # Persistent local customizations | |
| 4 | include xlinks2.local | |
| 5 | # Persistent global definitions | |
| 6 | # added by included profile | |
| 7 | #include globals.local | |
| 8 | ||
| 9 | noblacklist /tmp/.X11-unix | |
| 10 | ||
| 11 | include whitelist-common.inc | |
| 12 | ||
| 13 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | |
| 14 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | |
| 15 | private-bin xlinks2 | |
| 16 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload | |
| 17 | ||
| 18 | # Redirect | |
| 19 | include links2.profile |
| 0 | # Firejail profile for xlinks2 | |
| 1 | # Description: Text WWW browser (X11) | |
| 2 | # This file is overwritten after every install/update | |
| 3 | # Persistent local customizations | |
| 4 | include xlinks2.local | |
| 5 | # Persistent global definitions | |
| 6 | # added by included profile | |
| 7 | #include globals.local | |
| 8 | ||
| 9 | noblacklist /tmp/.X11-unix | |
| 10 | ||
| 11 | include whitelist-common.inc | |
| 12 | ||
| 13 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | |
| 14 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | |
| 15 | private-bin xlinks2 | |
| 16 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload | |
| 17 | ||
| 18 | # Redirect | |
| 19 | include links2.profile |
| 46 | 46 | # makes settings immutable |
| 47 | 47 | # dbus-user none |
| 48 | 48 | # dbus-system none |
| 49 | ||
| 50 | restrict-namespaces |
| 50 | 50 | private-dev |
| 51 | 51 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra |
| 52 | 52 | private-tmp |
| 53 | ||
| 54 | restrict-namespaces |
| 73 | 73 | # your yelp.local if you need PDF printing support. |
| 74 | 74 | #noblacklist ${DOCUMENTS} |
| 75 | 75 | #whitelist ${DOCUMENTS} |
| 76 | ||
| 77 | restrict-namespaces |
| 63 | 63 | dbus-system none |
| 64 | 64 | |
| 65 | 65 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 66 | restrict-namespaces |
| 0 | 0 | # Firejail profile for ytmdesktop |
| 1 | # Description: Unofficial electron based desktop warpper for YouTube Music | |
| 1 | # Description: Unofficial electron based desktop wrapper for YouTube Music | |
| 2 | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations |
| 4 | 4 | include youtube.local |
| 58 | 58 | read-only ${HOME} |
| 59 | 59 | read-write ${HOME}/.config/zathura |
| 60 | 60 | read-write ${HOME}/.local/share/zathura |
| 61 | restrict-namespaces |
| 44 | 44 | private-dev |
| 45 | 45 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id |
| 46 | 46 | private-tmp |
| 47 | ||
| 48 | restrict-namespaces |
| 213 | 213 | # - In order to make dconf work (when used by the app) you need to allow |
| 214 | 214 | # 'ca.desrt.dconf' even when not allowed by flatpak. |
| 215 | 215 | # Notes and policies about addresses can be found at |
| 216 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> | |
| 216 | # <https://github.com/netblue30/firejail/wiki/Restrict-DBus> | |
| 217 | 217 | #dbus-user filter |
| 218 | 218 | #dbus-user.own com.github.netblue30.firejail |
| 219 | 219 | #dbus-user.talk ca.desrt.dconf |
| 129 | 129 | cawbird |
| 130 | 130 | celluloid |
| 131 | 131 | chafa |
| 132 | chatterino | |
| 132 | 133 | checkbashisms |
| 133 | 134 | cheese |
| 134 | 135 | cherrytree |
| 477 | 478 | links |
| 478 | 479 | links2 |
| 479 | 480 | linphone |
| 481 | linuxqq | |
| 480 | 482 | lmms |
| 481 | 483 | lobase |
| 482 | 484 | localc |
| 691 | 693 | qmmp |
| 692 | 694 | qnapi |
| 693 | 695 | qpdfview |
| 696 | ||
| 694 | 697 | qt-faststart |
| 695 | 698 | qtox |
| 696 | 699 | quadrapassel |
| 50 | 50 | cfg_val[i] = 1; // most of them are enabled by default |
| 51 | 51 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default |
| 52 | 52 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; |
| 53 | cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0; | |
| 53 | 54 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; |
| 54 | 55 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; |
| 55 | 56 | cfg_val[CFG_DISABLE_MNT] = 0; |
| 114 | 115 | PARSE_YESNO(CFG_TRACELOG, "tracelog") |
| 115 | 116 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") |
| 116 | 117 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") |
| 118 | PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted") | |
| 117 | 119 | PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") |
| 118 | 120 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") |
| 119 | 121 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") |
| 118 | 118 | int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
| 119 | 119 | if (parentfd == -1) |
| 120 | 120 | errExit("safer_openat"); |
| 121 | ||
| 122 | if (faccessat(parentfd, ".", X_OK, 0) != 0) { | |
| 123 | fprintf(stderr, "Error: no search permission on chroot directory\n"); | |
| 124 | exit(1); | |
| 125 | } | |
| 121 | 126 | // rootdir has to be owned by root and is not allowed to be generally writable, |
| 122 | 127 | // this also excludes /tmp and friends |
| 123 | 128 | struct stat s; |
| 338 | 338 | extern int arg_appimage; // appimage |
| 339 | 339 | extern int arg_apparmor; // apparmor |
| 340 | 340 | extern char *apparmor_profile; // apparmor profile |
| 341 | extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior) | |
| 341 | 342 | extern int arg_allow_debuggers; // allow debuggers |
| 342 | 343 | extern int arg_x11_block; // block X11 |
| 343 | 344 | extern int arg_x11_xorg; // use X11 security extension |
| 353 | 354 | extern int arg_deterministic_exit_code; // always exit with first child's exit status |
| 354 | 355 | extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies |
| 355 | 356 | extern int arg_keep_fd_all; // inherit all file descriptors to sandbox |
| 357 | extern int arg_netlock; // netlocker | |
| 356 | 358 | |
| 357 | 359 | typedef enum { |
| 358 | 360 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus |
| 808 | 810 | CFG_FORCE_NONEWPRIVS, |
| 809 | 811 | CFG_XEPHYR_WINDOW_TITLE, |
| 810 | 812 | CFG_OVERLAYFS, |
| 813 | CFG_ETC_HIDE_BLACKLISTED, | |
| 811 | 814 | CFG_PRIVATE_BIN, |
| 812 | 815 | CFG_PRIVATE_BIN_NO_LOCAL, |
| 813 | 816 | CFG_PRIVATE_CACHE, |
| 161 | 161 | fs_logger2("blacklist-nolog", fname); |
| 162 | 162 | |
| 163 | 163 | // files in /etc will be reprocessed during /etc rebuild |
| 164 | if (strncmp(fname, "/etc/", 5) == 0) { | |
| 164 | if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) { | |
| 165 | 165 | ProfileEntry *prf = malloc(sizeof(ProfileEntry)); |
| 166 | 166 | if (!prf) |
| 167 | 167 | errExit("malloc"); |
| 263 | 263 | |
| 264 | 264 | void fs_rebuild_etc(void) { |
| 265 | 265 | int have_dhcp = 1; |
| 266 | if (cfg.dns1 == NULL && !any_dhcp()) | |
| 266 | if (cfg.dns1 == NULL && !any_dhcp()) { | |
| 267 | // Disabling this option ensures that updates to files using | |
| 268 | // rename(2) propagate into the sandbox, in order to avoid | |
| 269 | // breaking /etc/resolv.conf (issue #5010). | |
| 270 | if (!checkcfg(CFG_ETC_HIDE_BLACKLISTED)) | |
| 271 | return; | |
| 267 | 272 | have_dhcp = 0; |
| 273 | } | |
| 268 | 274 | |
| 269 | 275 | if (arg_debug) |
| 270 | 276 | printf("rebuilding /etc directory\n"); |
| 133 | 133 | int arg_appimage = 0; // appimage |
| 134 | 134 | int arg_apparmor = 0; // apparmor |
| 135 | 135 | char *apparmor_profile = NULL; // apparmor profile |
| 136 | bool apparmor_replace = false; // apparmor profile | |
| 136 | 137 | int arg_allow_debuggers = 0; // allow debuggers |
| 137 | 138 | int arg_x11_block = 0; // block X11 |
| 138 | 139 | int arg_x11_xorg = 0; // use X11 security extension |
| 157 | 158 | int arg_tab = 0; |
| 158 | 159 | int login_shell = 0; |
| 159 | 160 | int just_run_the_shell = 0; |
| 161 | int arg_netlock = 0; | |
| 160 | 162 | |
| 161 | 163 | int parent_to_child_fds[2]; |
| 162 | 164 | int child_to_parent_fds[2]; |
| 1051 | 1053 | int lockfd_directory = -1; |
| 1052 | 1054 | int custom_profile = 0; // custom profile loaded |
| 1053 | 1055 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
| 1054 | int arg_netlock = 0; | |
| 1055 | 1056 | char **ptr; |
| 1056 | 1057 | |
| 1057 | 1058 | |
| 1381 | 1382 | else if (strncmp(argv[i], "--apparmor=", 11) == 0) { |
| 1382 | 1383 | arg_apparmor = 1; |
| 1383 | 1384 | apparmor_profile = argv[i] + 11; |
| 1385 | } | |
| 1386 | else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) { | |
| 1387 | arg_apparmor = 1; | |
| 1388 | apparmor_replace = true; | |
| 1384 | 1389 | } |
| 1385 | 1390 | #endif |
| 1386 | 1391 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
| 654 | 654 | #endif |
| 655 | 655 | return 0; |
| 656 | 656 | } |
| 657 | else if (strcmp(ptr, "netlock") == 0) { | |
| 658 | #ifdef HAVE_NETWORK | |
| 659 | if (checkcfg(CFG_NETWORK)) { | |
| 660 | arg_netlock = 1; | |
| 661 | } | |
| 662 | else | |
| 663 | warning_feature_disabled("networking"); | |
| 664 | #endif | |
| 665 | return 0; | |
| 666 | } | |
| 657 | 667 | else if (strncmp(ptr, "netns ", 6) == 0) { |
| 658 | 668 | #ifdef HAVE_NETWORK |
| 659 | 669 | if (checkcfg(CFG_NETWORK)) { |
| 951 | 961 | apparmor_profile = strdup(ptr + 9); |
| 952 | 962 | if (!apparmor_profile) |
| 953 | 963 | errExit("strdup"); |
| 964 | #endif | |
| 965 | return 0; | |
| 966 | } | |
| 967 | ||
| 968 | if (strcmp(ptr, "apparmor-replace") == 0) { | |
| 969 | #ifdef HAVE_APPARMOR | |
| 970 | arg_apparmor = 1; | |
| 971 | apparmor_replace = true; | |
| 972 | #endif | |
| 973 | return 0; | |
| 974 | } | |
| 975 | ||
| 976 | if (strcmp(ptr, "apparmor-stack") == 0) { | |
| 977 | #ifdef HAVE_APPARMOR | |
| 978 | arg_apparmor = 1; | |
| 979 | apparmor_replace = false; | |
| 954 | 980 | #endif |
| 955 | 981 | return 0; |
| 956 | 982 | } |
| 129 | 129 | static void set_apparmor(void) { |
| 130 | 130 | EUID_ASSERT(); |
| 131 | 131 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { |
| 132 | if (aa_stack_onexec(apparmor_profile)) { | |
| 132 | int res = 0; | |
| 133 | if(apparmor_replace){ | |
| 134 | fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n"); | |
| 135 | res = aa_change_onexec(apparmor_profile); | |
| 136 | } else { | |
| 137 | res = aa_stack_onexec(apparmor_profile); | |
| 138 | } | |
| 139 | if (res) { | |
| 133 | 140 | fwarning("Cannot confine the application using AppArmor.\n" |
| 134 | 141 | "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" |
| 135 | 142 | "As root, run \"aa-enforce firejail-default\" to load it.\n"); |
| 211 | 211 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" |
| 212 | 212 | " --profile=filename|profile_name - use a custom profile.\n" |
| 213 | 213 | " --profile.print=name|pid - print the name of profile file.\n" |
| 214 | " --profile-path=directory - use this directory to look for profile files.\n" | |
| 215 | 214 | " --protocol=protocol,protocol,protocol - enable protocol filter.\n" |
| 216 | 215 | " --protocol.print=name|pid - print the protocol filter.\n" |
| 217 | 216 | #ifdef HAVE_FILE_TRANSFER |
| 1585 | 1585 | 16.162.0.0/15 Amazon |
| 1586 | 1586 | 16.168.0.0/15 Amazon |
| 1587 | 1587 | 16.170.0.0/15 Amazon |
| 1588 | 18.32.0.0/11 Amazon | |
| 1588 | 1589 | 18.60.0.0/15 Amazon |
| 1589 | 18.64.0.0/14 Amazon | |
| 1590 | 18.64.0.0/10 Amazon | |
| 1590 | 1591 | 18.100.0.0/15 Amazon |
| 1591 | 1592 | 18.102.0.0/16 Amazon |
| 1592 | 1593 | 18.116.0.0/14 Amazon |
| 1594 | 18.128.0.0/9 Amazon | |
| 1593 | 1595 | 18.130.0.0/16 Amazon |
| 1594 | 1596 | 18.132.0.0/14 Amazon |
| 1595 | 1597 | 18.136.0.0/16 Amazon |
| 132 | 132 | RETURN_ALLOW |
| 133 | 133 | #endif |
| 134 | 134 | }; |
| 135 | write_to_file(fd, filter, sizeof(filter)); | |
| 135 | if (sizeof(filter)) | |
| 136 | write_to_file(fd, filter, sizeof(filter)); | |
| 136 | 137 | |
| 137 | 138 | filter_end_blacklist(fd); |
| 138 | 139 | |
| 187 | 188 | RETURN_ALLOW |
| 188 | 189 | #endif |
| 189 | 190 | }; |
| 190 | write_to_file(fd, filter, sizeof(filter)); | |
| 191 | ||
| 192 | // For Debian 10 and older, the size of the filter[] array will be 0. | |
| 193 | // The following filter will end up being generated: | |
| 194 | // | |
| 195 | // FILE: /run/firejail/mnt/seccomp/seccomp.namespaces.32 | |
| 196 | // line OP JT JF K | |
| 197 | // ================================= | |
| 198 | // 0000: 20 00 00 00000004 ld data.architecture | |
| 199 | // 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) | |
| 200 | // 0002: 06 00 00 7fff0000 ret ALLOW | |
| 201 | // 0003: 20 00 00 00000000 ld data.syscall-number | |
| 202 | // 0004: 06 00 00 7fff0000 ret ALLOW | |
| 203 | // | |
| 204 | if (sizeof(filter)) | |
| 205 | write_to_file(fd, filter, sizeof(filter)); | |
| 191 | 206 | |
| 192 | 207 | filter_end_blacklist(fd); |
| 193 | 208 | |
| 976 | 976 | \fBnetfilter filename |
| 977 | 977 | If a new network namespace is created, enabled the network filter in filename. |
| 978 | 978 | |
| 979 | .TP | |
| 980 | \fBnetlock | |
| 981 | Generate a custom network filter and enable it. | |
| 982 | ||
| 979 | 983 | |
| 980 | 984 | .TP |
| 981 | 985 | \fBnetmask address |
| 3063 | 3063 | .br |
| 3064 | 3064 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
| 3065 | 3065 | .br |
| 3066 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | |
| 3066 | $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null | |
| 3067 | 3067 | .br |
| 3068 | 3068 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" |
| 3069 | 3069 | .br |
| 24 | 24 | static int cnt_profiles = 0; |
| 25 | 25 | static int cnt_apparmor = 0; |
| 26 | 26 | static int cnt_seccomp = 0; |
| 27 | static int cnt_restrict_namespaces = 0; | |
| 27 | 28 | static int cnt_caps = 0; |
| 28 | 29 | static int cnt_dbus_system_none = 0; |
| 29 | 30 | static int cnt_dbus_user_none = 0; |
| 68 | 69 | static int arg_noroot = 0; |
| 69 | 70 | static int arg_print_blacklist = 0; |
| 70 | 71 | static int arg_print_whitelist = 0; |
| 72 | static int arg_restrict_namespaces = 0; | |
| 71 | 73 | |
| 72 | 74 | static char *profile = NULL; |
| 73 | 75 | |
| 90 | 92 | printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); |
| 91 | 93 | printf(" --seccomp - print profiles without seccomp\n"); |
| 92 | 94 | printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); |
| 95 | printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"); | |
| 93 | 96 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); |
| 94 | 97 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); |
| 95 | 98 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); |
| 151 | 154 | |
| 152 | 155 | if (strncmp(ptr, "seccomp", 7) == 0) |
| 153 | 156 | cnt_seccomp++; |
| 157 | if (strncmp(ptr, "restrict-namespaces", 19) == 0) | |
| 158 | cnt_restrict_namespaces++; | |
| 154 | 159 | else if (strncmp(ptr, "caps", 4) == 0) |
| 155 | 160 | cnt_caps++; |
| 156 | 161 | else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) |
| 241 | 246 | arg_caps = 1; |
| 242 | 247 | else if (strcmp(argv[i], "--seccomp") == 0) |
| 243 | 248 | arg_seccomp = 1; |
| 249 | else if (strcmp(argv[i], "--restrict-namespaces") == 0) | |
| 250 | arg_restrict_namespaces = 1; | |
| 244 | 251 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) |
| 245 | 252 | arg_mdwx = 1; |
| 246 | 253 | else if (strcmp(argv[i], "--noexec") == 0) |
| 290 | 297 | for (i = start; i < argc; i++) { |
| 291 | 298 | cnt_profiles++; |
| 292 | 299 | |
| 293 | // watch seccomp | |
| 300 | int restrict_namespaces = cnt_restrict_namespaces; | |
| 294 | 301 | int seccomp = cnt_seccomp; |
| 295 | 302 | int caps = cnt_caps; |
| 296 | 303 | int apparmor = cnt_apparmor; |
| 333 | 340 | cnt_whitelistrunuser = whitelistrunuser + 1; |
| 334 | 341 | if (cnt_seccomp > (seccomp + 1)) |
| 335 | 342 | cnt_seccomp = seccomp + 1; |
| 343 | if (cnt_restrict_namespaces > (restrict_namespaces + 1)) | |
| 344 | cnt_seccomp = restrict_namespaces + 1; | |
| 336 | 345 | if (cnt_dbus_user_none > (dbususernone + 1)) |
| 337 | 346 | cnt_dbus_user_none = dbususernone + 1; |
| 338 | 347 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) |
| 352 | 361 | printf("No caps found in %s\n", argv[i]); |
| 353 | 362 | if (arg_seccomp && seccomp == cnt_seccomp) |
| 354 | 363 | printf("No seccomp found in %s\n", argv[i]); |
| 364 | if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces) | |
| 365 | printf("No restrict-namespaces found in %s\n", argv[i]); | |
| 355 | 366 | if (arg_noexec && noexec == cnt_noexec) |
| 356 | 367 | printf("No include disable-exec.inc found in %s\n", argv[i]); |
| 357 | 368 | if (arg_noroot && noroot == cnt_noroot) |
| 396 | 407 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); |
| 397 | 408 | printf(" noroot\t\t\t%d\n", cnt_noroot); |
| 398 | 409 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); |
| 410 | printf(" restrict-namespaces\t\t%d\n", cnt_restrict_namespaces); | |
| 399 | 411 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); |
| 400 | 412 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); |
| 401 | 413 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); |
| 29 | 29 | } |
| 30 | 30 | expect { |
| 31 | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
| 32 | "AppArmor: firejail-default enforce" | |
| 32 | "AppArmor: firejail-default//&unconfined enforce" | |
| 33 | 33 | } |
| 34 | 34 | expect { |
| 35 | 35 | timeout {puts "TESTING ERROR 4\n";exit} |
| 37 | 37 | } |
| 38 | 38 | expect { |
| 39 | 39 | timeout {puts "TESTING ERROR 5\n";exit} |
| 40 | "AppArmor: firejail-default enforce" | |
| 40 | "AppArmor: firejail-default//&unconfined enforce" | |
| 41 | 41 | } |
| 42 | 42 | after 100 |
| 43 | 43 | |
| 44 | 44 | send -- "firejail --apparmor.print=test1\r" |
| 45 | 45 | expect { |
| 46 | 46 | timeout {puts "TESTING ERROR 6\n";exit} |
| 47 | "AppArmor: firejail-default enforce" | |
| 47 | "AppArmor: firejail-default//&unconfined enforce" | |
| 48 | 48 | } |
| 49 | 49 | after 100 |
| 50 | 50 | |
| 51 | 51 | send -- "firejail --apparmor.print=test2\r" |
| 52 | 52 | expect { |
| 53 | 53 | timeout {puts "TESTING ERROR 7\n";exit} |
| 54 | "AppArmor: firejail-default enforce" | |
| 54 | "AppArmor: firejail-default//&unconfined enforce" | |
| 55 | 55 | } |
| 56 | 56 | after 100 |
| 57 | 57 | |
| 27 | 27 | ./memwrexe-32.exp |
| 28 | 28 | else |
| 29 | 29 | echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." |
| 30 | fi | |
| 31 | ||
| 32 | if [[ $(uname -m) == "x86_64" ]]; then | |
| 33 | echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)" | |
| 34 | ./namespaces.exp | |
| 35 | elif [[ $(uname -m) == "i686" ]]; then | |
| 36 | echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)" | |
| 37 | ./namespaces-32.exp | |
| 38 | else | |
| 39 | echo "TESTING SKIP: namespaces binary only running on x86_64 and i686." | |
| 30 | 40 | fi |
| 31 | 41 | |
| 32 | 42 | echo "TESTING: debug options (test/filters/debug.exp)" |
Binary diff not shown
Binary diff not shown
| 0 | #!/usr/bin/expect -f | |
| 1 | # This file is part of Firejail project | |
| 2 | # Copyright (C) 2014-2022 Firejail Authors | |
| 3 | # License GPL v2 | |
| 4 | ||
| 5 | set timeout 10 | |
| 6 | spawn $env(SHELL) | |
| 7 | match_max 100000 | |
| 8 | ||
| 9 | # | |
| 10 | # clone | |
| 11 | # | |
| 12 | ||
| 13 | send -- "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 14 | expect { | |
| 15 | timeout {puts "TESTING ERROR 0\n";exit} | |
| 16 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 17 | } | |
| 18 | expect { | |
| 19 | timeout {puts "TESTING ERROR 1\n";exit} | |
| 20 | "clone successful" | |
| 21 | } | |
| 22 | after 100 | |
| 23 | ||
| 24 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r" | |
| 25 | expect { | |
| 26 | timeout {puts "TESTING ERROR 2\n";exit} | |
| 27 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 28 | } | |
| 29 | expect { | |
| 30 | timeout {puts "TESTING ERROR 3\n";exit} | |
| 31 | "Error: clone: Operation not permitted" | |
| 32 | } | |
| 33 | after 100 | |
| 34 | ||
| 35 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r" | |
| 36 | expect { | |
| 37 | timeout {puts "TESTING ERROR 4\n";exit} | |
| 38 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 39 | } | |
| 40 | expect { | |
| 41 | timeout {puts "TESTING ERROR 5\n";exit} | |
| 42 | "Error: clone: Operation not permitted" | |
| 43 | } | |
| 44 | after 100 | |
| 45 | ||
| 46 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 47 | expect { | |
| 48 | timeout {puts "TESTING ERROR 6\n";exit} | |
| 49 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 50 | } | |
| 51 | expect { | |
| 52 | timeout {puts "TESTING ERROR 7\n";exit} | |
| 53 | "Error: clone: Operation not permitted" | |
| 54 | } | |
| 55 | after 100 | |
| 56 | ||
| 57 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r" | |
| 58 | expect { | |
| 59 | timeout {puts "TESTING ERROR 8\n";exit} | |
| 60 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 61 | } | |
| 62 | expect { | |
| 63 | timeout {puts "TESTING ERROR 9\n";exit} | |
| 64 | "Error: clone: Operation not permitted" | |
| 65 | } | |
| 66 | after 100 | |
| 67 | ||
| 68 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r" | |
| 69 | expect { | |
| 70 | timeout {puts "TESTING ERROR 10\n";exit} | |
| 71 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 72 | } | |
| 73 | expect { | |
| 74 | timeout {puts "TESTING ERROR 11\n";exit} | |
| 75 | "Error: clone: Operation not permitted" | |
| 76 | } | |
| 77 | after 100 | |
| 78 | ||
| 79 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r" | |
| 80 | expect { | |
| 81 | timeout {puts "TESTING ERROR 12\n";exit} | |
| 82 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 83 | } | |
| 84 | expect { | |
| 85 | timeout {puts "TESTING ERROR 13\n";exit} | |
| 86 | "clone successful" | |
| 87 | } | |
| 88 | after 100 | |
| 89 | ||
| 90 | # | |
| 91 | # unshare | |
| 92 | # | |
| 93 | ||
| 94 | send -- "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 95 | expect { | |
| 96 | timeout {puts "TESTING ERROR 14\n";exit} | |
| 97 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 98 | } | |
| 99 | expect { | |
| 100 | timeout {puts "TESTING ERROR 15\n";exit} | |
| 101 | "unshare successful" | |
| 102 | } | |
| 103 | after 100 | |
| 104 | ||
| 105 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r" | |
| 106 | expect { | |
| 107 | timeout {puts "TESTING ERROR 16\n";exit} | |
| 108 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 109 | } | |
| 110 | expect { | |
| 111 | timeout {puts "TESTING ERROR 17\n";exit} | |
| 112 | "Error: unshare: Operation not permitted" | |
| 113 | } | |
| 114 | after 100 | |
| 115 | ||
| 116 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r" | |
| 117 | expect { | |
| 118 | timeout {puts "TESTING ERROR 18\n";exit} | |
| 119 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 120 | } | |
| 121 | expect { | |
| 122 | timeout {puts "TESTING ERROR 19\n";exit} | |
| 123 | "Error: unshare: Operation not permitted" | |
| 124 | } | |
| 125 | after 100 | |
| 126 | ||
| 127 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 128 | expect { | |
| 129 | timeout {puts "TESTING ERROR 20\n";exit} | |
| 130 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 131 | } | |
| 132 | expect { | |
| 133 | timeout {puts "TESTING ERROR 21\n";exit} | |
| 134 | "Error: unshare: Operation not permitted" | |
| 135 | } | |
| 136 | after 100 | |
| 137 | ||
| 138 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r" | |
| 139 | expect { | |
| 140 | timeout {puts "TESTING ERROR 22\n";exit} | |
| 141 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 142 | } | |
| 143 | expect { | |
| 144 | timeout {puts "TESTING ERROR 23\n";exit} | |
| 145 | "Error: unshare: Operation not permitted" | |
| 146 | } | |
| 147 | after 100 | |
| 148 | ||
| 149 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r" | |
| 150 | expect { | |
| 151 | timeout {puts "TESTING ERROR 24\n";exit} | |
| 152 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 153 | } | |
| 154 | expect { | |
| 155 | timeout {puts "TESTING ERROR 25\n";exit} | |
| 156 | "Error: unshare: Operation not permitted" | |
| 157 | } | |
| 158 | after 100 | |
| 159 | ||
| 160 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r" | |
| 161 | expect { | |
| 162 | timeout {puts "TESTING ERROR 26\n";exit} | |
| 163 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 164 | } | |
| 165 | expect { | |
| 166 | timeout {puts "TESTING ERROR 27\n";exit} | |
| 167 | "unshare successful" | |
| 168 | } | |
| 169 | ||
| 170 | ||
| 171 | after 100 | |
| 172 | puts "\nall done\n" |
| 0 | #define _GNU_SOURCE | |
| 1 | #include <errno.h> | |
| 2 | #include <sched.h> | |
| 3 | #include <signal.h> | |
| 4 | #include <stdio.h> | |
| 5 | #include <stdlib.h> | |
| 6 | #include <string.h> | |
| 7 | #include <sys/mman.h> | |
| 8 | #include <unistd.h> | |
| 9 | ||
| 10 | #ifndef CLONE_NEWTIME | |
| 11 | #define CLONE_NEWTIME 0x00000080 | |
| 12 | #endif | |
| 13 | ||
| 14 | #define STACK_SIZE 1024 * 1024 | |
| 15 | ||
| 16 | static int usage() { | |
| 17 | fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); | |
| 18 | exit(1); | |
| 19 | } | |
| 20 | ||
| 21 | static void die(const char *msg) { | |
| 22 | fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno)); | |
| 23 | exit(1); | |
| 24 | } | |
| 25 | ||
| 26 | static int ns_flags(const char *list) { | |
| 27 | int flags = 0; | |
| 28 | ||
| 29 | char *dup = strdup(list); | |
| 30 | if (!dup) | |
| 31 | die("cannot allocate memory"); | |
| 32 | ||
| 33 | char *token = strtok(dup, ","); | |
| 34 | while (token) { | |
| 35 | if (strcmp(token, "cgroup") == 0) | |
| 36 | flags |= CLONE_NEWCGROUP; | |
| 37 | else if (strcmp(token, "ipc") == 0) | |
| 38 | flags |= CLONE_NEWIPC; | |
| 39 | else if (strcmp(token, "net") == 0) | |
| 40 | flags |= CLONE_NEWNET; | |
| 41 | else if (strcmp(token, "mnt") == 0) | |
| 42 | flags |= CLONE_NEWNS; | |
| 43 | else if (strcmp(token, "pid") == 0) | |
| 44 | flags |= CLONE_NEWPID; | |
| 45 | else if (strcmp(token, "time") == 0) | |
| 46 | flags |= CLONE_NEWTIME; | |
| 47 | else if (strcmp(token, "user") == 0) | |
| 48 | flags |= CLONE_NEWUSER; | |
| 49 | else if (strcmp(token, "uts") == 0) | |
| 50 | flags |= CLONE_NEWUTS; | |
| 51 | else | |
| 52 | usage(); | |
| 53 | ||
| 54 | token = strtok(NULL, ","); | |
| 55 | } | |
| 56 | ||
| 57 | free(dup); | |
| 58 | return flags; | |
| 59 | } | |
| 60 | ||
| 61 | static int child(void *arg) { | |
| 62 | (void) arg; | |
| 63 | ||
| 64 | fprintf(stderr, "clone successful\n"); | |
| 65 | return 0; | |
| 66 | } | |
| 67 | ||
| 68 | int main (int argc, char **argv) { | |
| 69 | if (argc != 3) | |
| 70 | usage(); | |
| 71 | ||
| 72 | int flags = ns_flags(argv[2]); | |
| 73 | if (getuid() != 0) | |
| 74 | flags |= CLONE_NEWUSER; | |
| 75 | ||
| 76 | if (strcmp(argv[1], "clone") == 0) { | |
| 77 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, | |
| 78 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); | |
| 79 | if (stack == MAP_FAILED) | |
| 80 | die("mmap"); | |
| 81 | ||
| 82 | if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) | |
| 83 | die("clone"); | |
| 84 | } | |
| 85 | else if (strcmp(argv[1], "unshare") == 0) { | |
| 86 | if (unshare(flags)) | |
| 87 | die("unshare"); | |
| 88 | ||
| 89 | fprintf(stderr, "unshare successful\n"); | |
| 90 | } | |
| 91 | else | |
| 92 | usage(); | |
| 93 | ||
| 94 | return 0; | |
| 95 | } |
| 0 | #!/usr/bin/expect -f | |
| 1 | # This file is part of Firejail project | |
| 2 | # Copyright (C) 2014-2022 Firejail Authors | |
| 3 | # License GPL v2 | |
| 4 | ||
| 5 | set timeout 10 | |
| 6 | spawn $env(SHELL) | |
| 7 | match_max 100000 | |
| 8 | ||
| 9 | # | |
| 10 | # clone | |
| 11 | # | |
| 12 | ||
| 13 | send -- "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 14 | expect { | |
| 15 | timeout {puts "TESTING ERROR 0\n";exit} | |
| 16 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 17 | } | |
| 18 | expect { | |
| 19 | timeout {puts "TESTING ERROR 1\n";exit} | |
| 20 | "clone successful" | |
| 21 | } | |
| 22 | after 100 | |
| 23 | ||
| 24 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" | |
| 25 | expect { | |
| 26 | timeout {puts "TESTING ERROR 2\n";exit} | |
| 27 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 28 | } | |
| 29 | expect { | |
| 30 | timeout {puts "TESTING ERROR 3\n";exit} | |
| 31 | "Error: clone: Operation not permitted" | |
| 32 | } | |
| 33 | after 100 | |
| 34 | ||
| 35 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" | |
| 36 | expect { | |
| 37 | timeout {puts "TESTING ERROR 4\n";exit} | |
| 38 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 39 | } | |
| 40 | expect { | |
| 41 | timeout {puts "TESTING ERROR 5\n";exit} | |
| 42 | "Error: clone: Operation not permitted" | |
| 43 | } | |
| 44 | after 100 | |
| 45 | ||
| 46 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 47 | expect { | |
| 48 | timeout {puts "TESTING ERROR 6\n";exit} | |
| 49 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 50 | } | |
| 51 | expect { | |
| 52 | timeout {puts "TESTING ERROR 7\n";exit} | |
| 53 | "Error: clone: Operation not permitted" | |
| 54 | } | |
| 55 | after 100 | |
| 56 | ||
| 57 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r" | |
| 58 | expect { | |
| 59 | timeout {puts "TESTING ERROR 8\n";exit} | |
| 60 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 61 | } | |
| 62 | expect { | |
| 63 | timeout {puts "TESTING ERROR 9\n";exit} | |
| 64 | "Error: clone: Operation not permitted" | |
| 65 | } | |
| 66 | after 100 | |
| 67 | ||
| 68 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r" | |
| 69 | expect { | |
| 70 | timeout {puts "TESTING ERROR 10\n";exit} | |
| 71 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 72 | } | |
| 73 | expect { | |
| 74 | timeout {puts "TESTING ERROR 11\n";exit} | |
| 75 | "Error: clone: Operation not permitted" | |
| 76 | } | |
| 77 | after 100 | |
| 78 | ||
| 79 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r" | |
| 80 | expect { | |
| 81 | timeout {puts "TESTING ERROR 12\n";exit} | |
| 82 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 83 | } | |
| 84 | expect { | |
| 85 | timeout {puts "TESTING ERROR 13\n";exit} | |
| 86 | "clone successful" | |
| 87 | } | |
| 88 | after 100 | |
| 89 | ||
| 90 | # | |
| 91 | # unshare | |
| 92 | # | |
| 93 | ||
| 94 | send -- "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 95 | expect { | |
| 96 | timeout {puts "TESTING ERROR 14\n";exit} | |
| 97 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 98 | } | |
| 99 | expect { | |
| 100 | timeout {puts "TESTING ERROR 15\n";exit} | |
| 101 | "unshare successful" | |
| 102 | } | |
| 103 | after 100 | |
| 104 | ||
| 105 | send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" | |
| 106 | expect { | |
| 107 | timeout {puts "TESTING ERROR 16\n";exit} | |
| 108 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 109 | } | |
| 110 | expect { | |
| 111 | timeout {puts "TESTING ERROR 17\n";exit} | |
| 112 | "Error: unshare: Operation not permitted" | |
| 113 | } | |
| 114 | after 100 | |
| 115 | ||
| 116 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" | |
| 117 | expect { | |
| 118 | timeout {puts "TESTING ERROR 18\n";exit} | |
| 119 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 120 | } | |
| 121 | expect { | |
| 122 | timeout {puts "TESTING ERROR 19\n";exit} | |
| 123 | "Error: unshare: Operation not permitted" | |
| 124 | } | |
| 125 | after 100 | |
| 126 | ||
| 127 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" | |
| 128 | expect { | |
| 129 | timeout {puts "TESTING ERROR 20\n";exit} | |
| 130 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 131 | } | |
| 132 | expect { | |
| 133 | timeout {puts "TESTING ERROR 21\n";exit} | |
| 134 | "Error: unshare: Operation not permitted" | |
| 135 | } | |
| 136 | after 100 | |
| 137 | ||
| 138 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r" | |
| 139 | expect { | |
| 140 | timeout {puts "TESTING ERROR 22\n";exit} | |
| 141 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 142 | } | |
| 143 | expect { | |
| 144 | timeout {puts "TESTING ERROR 23\n";exit} | |
| 145 | "Error: unshare: Operation not permitted" | |
| 146 | } | |
| 147 | after 100 | |
| 148 | ||
| 149 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r" | |
| 150 | expect { | |
| 151 | timeout {puts "TESTING ERROR 24\n";exit} | |
| 152 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 153 | } | |
| 154 | expect { | |
| 155 | timeout {puts "TESTING ERROR 25\n";exit} | |
| 156 | "Error: unshare: Operation not permitted" | |
| 157 | } | |
| 158 | after 100 | |
| 159 | ||
| 160 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r" | |
| 161 | expect { | |
| 162 | timeout {puts "TESTING ERROR 26\n";exit} | |
| 163 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 164 | } | |
| 165 | expect { | |
| 166 | timeout {puts "TESTING ERROR 27\n";exit} | |
| 167 | "unshare successful" | |
| 168 | } | |
| 169 | ||
| 170 | ||
| 171 | after 100 | |
| 172 | puts "\nall done\n" |
| 9 | 9 | send -- "firejail --noprofile --protocol=unix --debug\r" |
| 10 | 10 | expect { |
| 11 | 11 | timeout {puts "TESTING ERROR 1\n";exit} |
| 12 | "0009: 20 00 00 00000000 ld data.syscall-number" | |
| 12 | "0009: 20 00 00 00000000" | |
| 13 | 13 | } |
| 14 | 14 | expect { |
| 15 | 15 | timeout {puts "TESTING ERROR 2\n";exit} |
| 16 | "000a: 15 01 00 00000029 jeq socket 000c (false 000b)" | |
| 16 | "000f: 20 00 00 00000010" | |
| 17 | 17 | } |
| 18 | 18 | expect { |
| 19 | 19 | timeout {puts "TESTING ERROR 3\n";exit} |
| 20 | "000b: 06 00 00 7fff0000 ret ALLOW" | |
| 20 | "0010: 15 00 01 00000001" | |
| 21 | 21 | } |
| 22 | 22 | expect { |
| 23 | 23 | timeout {puts "TESTING ERROR 4\n";exit} |
| 24 | "000c: 20 00 00 00000010 ld data.args" | |
| 24 | "0011: 06 00 00 7fff0000" | |
| 25 | 25 | } |
| 26 | 26 | expect { |
| 27 | 27 | timeout {puts "TESTING ERROR 5\n";exit} |
| 28 | "000d: 15 00 01 00000001 jeq 1 000e (false 000f)" | |
| 29 | } | |
| 30 | expect { | |
| 31 | timeout {puts "TESTING ERROR 6\n";exit} | |
| 32 | "000e: 06 00 00 7fff0000 ret ALLOW" | |
| 33 | "" | |
| 34 | } | |
| 35 | expect { | |
| 36 | timeout {puts "TESTING ERROR 7\n";exit} | |
| 37 | "000f: 06 00 00 0005005f ret ERRNO(95)" | |
| 28 | "0012: 06 00 00 0005005f" | |
| 38 | 29 | } |
| 39 | 30 | |
| 40 | 31 | after 100 |
| 41 | 32 | send -- "exit\r" |
| 33 | sleep 1 | |
| 34 | ||
| 35 | send -- "firejail --noprofile --protocol=bluetooth --debug\r" | |
| 36 | expect { | |
| 37 | timeout {puts "TESTING ERROR 11\n";exit} | |
| 38 | "0009: 20 00 00 00000000" | |
| 39 | } | |
| 40 | expect { | |
| 41 | timeout {puts "TESTING ERROR 12\n";exit} | |
| 42 | "000f: 20 00 00 00000010" | |
| 43 | } | |
| 44 | expect { | |
| 45 | timeout {puts "TESTING ERROR 13\n";exit} | |
| 46 | "0010: 15 00 01 0000001f" | |
| 47 | } | |
| 48 | expect { | |
| 49 | timeout {puts "TESTING ERROR 14\n";exit} | |
| 50 | "0011: 06 00 00 7fff0000" | |
| 51 | } | |
| 52 | expect { | |
| 53 | timeout {puts "TESTING ERROR1 5\n";exit} | |
| 54 | "0012: 06 00 00 0005005f" | |
| 55 | } | |
| 56 | ||
| 57 | after 100 | |
| 58 | send -- "exit\r" | |
| 59 | sleep 1 | |
| 60 | ||
| 61 | send -- "firejail --noprofile --protocol=inet,inet6 --debug\r" | |
| 62 | expect { | |
| 63 | timeout {puts "TESTING ERROR 31\n";exit} | |
| 64 | "0009: 20 00 00 00000000" | |
| 65 | } | |
| 66 | expect { | |
| 67 | timeout {puts "TESTING ERROR 32\n";exit} | |
| 68 | "000f: 20 00 00 00000010" | |
| 69 | } | |
| 70 | expect { | |
| 71 | timeout {puts "TESTING ERROR 33\n";exit} | |
| 72 | "0010: 15 00 01 00000002" | |
| 73 | } | |
| 74 | expect { | |
| 75 | timeout {puts "TESTING ERROR 34\n";exit} | |
| 76 | "0011: 06 00 00 7fff0000" | |
| 77 | } | |
| 78 | expect { | |
| 79 | timeout {puts "TESTING ERROR1 35\n";exit} | |
| 80 | "0012: 15 00 01 0000000a" | |
| 81 | } | |
| 82 | expect { | |
| 83 | timeout {puts "TESTING ERROR 36\n";exit} | |
| 84 | "0013: 06 00 00 7fff0000" | |
| 85 | } | |
| 86 | expect { | |
| 87 | timeout {puts "TESTING ERROR 37\n";exit} | |
| 88 | "0014: 06 00 00 0005005f" | |
| 89 | } | |
| 90 | ||
| 91 | after 100 | |
| 92 | send -- "exit\r" | |
| 93 | ||
| 94 | ||
| 42 | 95 | after 100 |
| 43 | 96 | puts "\nall done\n" |
| 23 | 23 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" |
| 24 | 24 | expect { |
| 25 | 25 | timeout {puts "TESTING ERROR 3\n";exit} |
| 26 | "6" | |
| 26 | "8" | |
| 27 | 27 | } |
| 28 | 28 | send -- "exit\r" |
| 29 | 29 | sleep 1 |
| 89 | 89 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" |
| 90 | 90 | expect { |
| 91 | 91 | timeout {puts "TESTING ERROR 18\n";exit} |
| 92 | "8" | |
| 92 | "10" | |
| 93 | 93 | } |
| 94 | 94 | send -- "exit\r" |
| 95 | 95 | sleep 1 |
| 43 | 43 | echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)" |
| 44 | 44 | ./fs_var_tmp.exp |
| 45 | 45 | rm -f /var/tmp/_firejail_test_file |
| 46 | ||
| 47 | if [[ $(uname -m) == "x86_64" ]]; then | |
| 48 | fjconfig=/etc/firejail/firejail.config | |
| 49 | printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null | |
| 50 | echo "TESTING: private-lib (test/fs/private-lib.exp)" | |
| 51 | ./private-lib.exp | |
| 52 | printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" | | |
| 53 | sudo tee "$fjconfig" >/dev/null | |
| 54 | else | |
| 55 | echo "TESTING SKIP: private-lib test implemented only for x86_64." | |
| 56 | fi | |
| 57 | 46 | |
| 58 | 47 | echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)" |
| 59 | 48 | ./fs_var_lock.exp |
| 152 | 141 | ./whitelist.exp |
| 153 | 142 | rm -fr ~/_firejail_test_* |
| 154 | 143 | |
| 155 | echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" | |
| 156 | ./whitelist-dev.exp | |
| 144 | # TODO: whitelist /dev broken in 0.9.72 | |
| 145 | #echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" | |
| 146 | #./whitelist-dev.exp | |
| 157 | 147 | |
| 158 | 148 | echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)" |
| 159 | 149 | ./whitelist-noexec.exp |
| 21 | 21 | send -- "cat /etc/passwd;echo done\r" |
| 22 | 22 | expect { |
| 23 | 23 | timeout {puts "TESTING ERROR 1\n";exit} |
| 24 | "No such file or directory" | |
| 24 | "Permission denied" | |
| 25 | 25 | } |
| 26 | 26 | expect { |
| 27 | 27 | timeout {puts "TESTING ERROR 2\n";exit} |
| 0 | #!/usr/bin/expect -f | |
| 1 | # This file is part of Firejail project | |
| 2 | # Copyright (C) 2014-2022 Firejail Authors | |
| 3 | # License GPL v2 | |
| 4 | ||
| 5 | ||
| 6 | set timeout 10 | |
| 7 | spawn $env(SHELL) | |
| 8 | match_max 100000 | |
| 9 | ||
| 10 | send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r" | |
| 11 | expect { | |
| 12 | timeout {puts "TESTING ERROR 1\n";exit} | |
| 13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 14 | } | |
| 15 | after 100 | |
| 16 | send -- "stty -echo\r" | |
| 17 | after 100 | |
| 18 | ||
| 19 | send -- "cd /bin; find .\; echo done\r" | |
| 20 | expect { | |
| 21 | timeout {puts "TESTING ERROR 2\n";exit} | |
| 22 | # "grep" {puts "TESTING ERROR 3\n";exit} | |
| 23 | "rm" {puts "TESTING ERROR 3\n";exit} | |
| 24 | "cp" {puts "TESTING ERROR 4\n";exit} | |
| 25 | "done" | |
| 26 | } | |
| 27 | after 100 | |
| 28 | ||
| 29 | send -- "cd /lib; find .\r" | |
| 30 | expect { | |
| 31 | timeout {puts "TESTING ERROR 5\n";exit} | |
| 32 | "./modules" {puts "TESTING ERROR 6\n";exit} | |
| 33 | "./firmware" {puts "TESTING ERROR 7\n";exit} | |
| 34 | "libc.so" | |
| 35 | } | |
| 36 | after 100 | |
| 37 | ||
| 38 | send -- "cd /usr/lib; find .\r" | |
| 39 | expect { | |
| 40 | timeout {puts "TESTING ERROR 8\n";exit} | |
| 41 | "grub" {puts "TESTING ERROR 9\n";exit} | |
| 42 | "mozilla" {puts "TESTING ERROR 10\n";exit} | |
| 43 | "libdl.so" | |
| 44 | } | |
| 45 | after 100 | |
| 46 | ||
| 47 | puts "\nall done\n" |
| 6 | 6 | spawn $env(SHELL) |
| 7 | 7 | match_max 100000 |
| 8 | 8 | |
| 9 | send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r" | |
| 9 | send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/opt/blablabla\r" | |
| 10 | 10 | expect { |
| 11 | 11 | timeout {puts "TESTING ERROR 0\n";exit} |
| 12 | 12 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
| 0 | #!/usr/bin/expect -f | |
| 1 | # This file is part of Firejail project | |
| 2 | # Copyright (C) 2014-2022 Firejail Authors | |
| 3 | # License GPL v2 | |
| 4 | ||
| 5 | ||
| 6 | set timeout 10 | |
| 7 | spawn $env(SHELL) | |
| 8 | match_max 100000 | |
| 9 | ||
| 10 | send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r" | |
| 11 | expect { | |
| 12 | timeout {puts "TESTING ERROR 1\n";exit} | |
| 13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | |
| 14 | } | |
| 15 | after 100 | |
| 16 | send -- "stty -echo\r" | |
| 17 | after 100 | |
| 18 | ||
| 19 | send -- "cd /bin; find .\; echo done\r" | |
| 20 | expect { | |
| 21 | timeout {puts "TESTING ERROR 2\n";exit} | |
| 22 | # "grep" {puts "TESTING ERROR 3\n";exit} | |
| 23 | "rm" {puts "TESTING ERROR 3\n";exit} | |
| 24 | "cp" {puts "TESTING ERROR 4\n";exit} | |
| 25 | "done" | |
| 26 | } | |
| 27 | after 100 | |
| 28 | ||
| 29 | send -- "cd /lib; find .\r" | |
| 30 | expect { | |
| 31 | timeout {puts "TESTING ERROR 5\n";exit} | |
| 32 | "./modules" {puts "TESTING ERROR 6\n";exit} | |
| 33 | "./firmware" {puts "TESTING ERROR 7\n";exit} | |
| 34 | "libc.so" | |
| 35 | } | |
| 36 | after 100 | |
| 37 | ||
| 38 | send -- "cd /usr/lib; find .\r" | |
| 39 | expect { | |
| 40 | timeout {puts "TESTING ERROR 8\n";exit} | |
| 41 | "grub" {puts "TESTING ERROR 9\n";exit} | |
| 42 | "mozilla" {puts "TESTING ERROR 10\n";exit} | |
| 43 | "libdl.so" | |
| 44 | } | |
| 45 | after 100 | |
| 46 | ||
| 47 | puts "\nall done\n" |
| 17 | 17 | echo "TESTING SKIP: $app not found" |
| 18 | 18 | fi |
| 19 | 19 | done |
| 20 | ||
| 21 | if [[ $(uname -m) == "x86_64" ]]; then | |
| 22 | fjconfig=/etc/firejail/firejail.config | |
| 23 | printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null | |
| 24 | echo "TESTING: private-lib (test/fs/private-lib.exp)" | |
| 25 | ./private-lib.exp | |
| 26 | printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" | | |
| 27 | sudo tee "$fjconfig" >/dev/null | |
| 28 | else | |
| 29 | echo "TESTING SKIP: private-lib test implemented only for x86_64." | |
| 30 | fi | |
| 31 |
| 0 | <!DOCTYPE html> | |
| 1 | <html lang="en"> | |
| 2 | <head> | |
| 3 | <meta charset="utf-8"> | |
| 4 | <title>Debian -- The Universal Operating System </title> | |
| 5 | <link rel="author" href="mailto:webmaster@debian.org"> | |
| 6 | <meta name="Description" content="Debian is an operating system and a distribution of Free Software. It is maintained and updated through the work of many users who volunteer their time and effort."> | |
| 7 | <meta name="Generator" content="WML 2.32.0"> | |
| 8 | <meta name="Modified" content="2022-12-25 23:27:38"> | |
| 9 | <meta name="viewport" content="width=device-width"> | |
| 10 | <meta name="mobileoptimized" content="300"> | |
| 11 | <meta name="HandheldFriendly" content="true"> | |
| 12 | <link rel="alternate" type="application/rss+xml" | |
| 13 | title="Debian News" href="News/news"> | |
| 14 | <link rel="alternate" type="application/rss+xml" | |
| 15 | title="Debian Project News" href="News/weekly/dwn"> | |
| 16 | <link rel="alternate" type="application/rss+xml" | |
| 17 | title="Debian Security Advisories (titles only)" href="security/dsa"> | |
| 18 | <link rel="alternate" type="application/rss+xml" | |
| 19 | title="Debian Security Advisories (summaries)" href="security/dsa-long"> | |
| 20 | <link href="./debhome.css" rel="stylesheet" type="text/css"> | |
| 21 | <link href="./startpage.css" rel="stylesheet" type="text/css"> | |
| 22 | <link href="./5img-carousel-slider.css" rel="stylesheet" type="text/css"> | |
| 23 | <link href="./debian-en.css" rel="stylesheet" type="text/css" media="all"> | |
| 24 | <link rel="shortcut icon" href="favicon.ico"> | |
| 25 | <meta name="Keywords" content="debian, GNU, linux, unix, open source, free, DFSG"> | |
| 26 | <link rel="search" type="application/opensearchdescription+xml" title="Debian website search" href="./search.en.xml"> | |
| 27 | </head> | |
| 28 | <body> | |
| 29 | <div id="header"> | |
| 30 | <div id="upperheader"> | |
| 31 | <div id="logo"> | |
| 32 | <a href="./" title="Debian Home"><img src="./Pics/openlogo-50.png" alt="Debian" width="50" height="61"></a> | |
| 33 | </div> <!-- end logo --> | |
| 34 | <div id="searchbox"> | |
| 35 | <form name="p" method="get" action="https://search.debian.org/cgi-bin/omega"> | |
| 36 | <p> | |
| 37 | <input type="hidden" name="DB" value="en"> | |
| 38 | <input name="P" value="" size="14"> | |
| 39 | <input type="submit" value="Search"> | |
| 40 | </p> | |
| 41 | </form> | |
| 42 | </div> <!-- end sitetools --> | |
| 43 | </div> <!-- end upperheader --> | |
| 44 | <!--UdmComment--> | |
| 45 | <div id="navbar"> | |
| 46 | <p class="hidecss"><a href="#content">Skip Quicknav</a></p> | |
| 47 | <ul> | |
| 48 | <!-- Link to Debian's own Social Media resources --> | |
| 49 | <li><a href="https://bits.debian.org/" title="Bits from Debian">Blog</a></li> | |
| 50 | <li><a href="https://micronews.debian.org" title="Micronews from Debian">Micronews</a></li> | |
| 51 | <li><a href="https://planet.debian.org/" title="The Planet of Debian">Planet</a></li> | |
| 52 | </ul> | |
| 53 | </div> <!-- end navbar --> | |
| 54 | <p id="breadcrumbs"> </p> | |
| 55 | </div> <!-- end header --> | |
| 56 | <!--/UdmComment--> | |
| 57 | <section> | |
| 58 | <div id="splash"> | |
| 59 | <h1>Debian</h1> | |
| 60 | </div> | |
| 61 | <!-- The first row of columns on the site. --> | |
| 62 | <div class="row"> | |
| 63 | <div class="column column-left"> | |
| 64 | <div style="text-align: center"> | |
| 65 | <h1>The Community</h1> | |
| 66 | <h2>Debian is a Community of People!</h2> | |
| 67 | <!-- The following div is containing the static image carousel. | |
| 68 | Currently made of five images. --> | |
| 69 | <div class="wrapper"> | |
| 70 | <input checked type="radio" name="slider" id="slide1"> | |
| 71 | <input type="radio" name="slider" id="slide2"> | |
| 72 | <input type="radio" name="slider" id="slide3"> | |
| 73 | <input type="radio" name="slider" id="slide4"> | |
| 74 | <input type="radio" name="slider" id="slide5"> | |
| 75 | <div class="slider-wrapper"> | |
| 76 | <div class="inner"> | |
| 77 | <article> | |
| 78 | <div class="info bottom-right"> | |
| 79 | <h3>DC22 Group Photo</h3> | |
| 80 | </div> | |
| 81 | <img src="Pics/debconf22_group_photo.jpg" alt="DebConf22 Group Photo" width="851" height="575"> | |
| 82 | </article> | |
| 83 | <article> | |
| 84 | <div class="info top-left"> | |
| 85 | <h3>Mini DebConf Regensburg 2021</h3> | |
| 86 | </div> | |
| 87 | <img src="Pics//mini-dc21-regensburg.jpg" alt="Group photo of the MiniDebConf in Regensburg 2021" width="1024" height="576"> | |
| 88 | </article> | |
| 89 | <article> | |
| 90 | <div class="info top-left"> | |
| 91 | <h3>Screenshot Calamares Installer</h3> | |
| 92 | </div> | |
| 93 | <img src="Pics/calamares-bullseye.png" alt="Screenshot from the Calamares installer" width="1024" height="576"> | |
| 94 | </article> | |
| 95 | <article> | |
| 96 | <div class="info top-left"> | |
| 97 | <h3>Debian is like a Swiss Army Knife</h3> | |
| 98 | </div> | |
| 99 | <img src="Pics/debian-swiss-knife-hands-1024x576.jpg" alt="Debian is like a Swiss Army Knife" width="1024" height="576"> | |
| 100 | </article> | |
| 101 | <article> | |
| 102 | <div class="info top-left"> | |
| 103 | <h3>People have fun with Debian</h3> | |
| 104 | </div> | |
| 105 | <img src="Pics/debian-funny-people-1024x576.jpg" alt="Debian people at Debconf18 in Hsinchu really having fun" width="1024" height="576"> | |
| 106 | </article> | |
| 107 | </div> <!-- .inner --> | |
| 108 | </div> <!-- .slider-wrapper --> | |
| 109 | <div class="slider-prev-next-control"> | |
| 110 | <label for="slide1"></label> | |
| 111 | <label for="slide2"></label> | |
| 112 | <label for="slide3"></label> | |
| 113 | <label for="slide4"></label> | |
| 114 | <label for="slide5"></label> | |
| 115 | </div> <!-- .slider-prev-next-control --> | |
| 116 | <div class="slider-dot-control"> | |
| 117 | <label for="slide1"></label> | |
| 118 | <label for="slide2"></label> | |
| 119 | <label for="slide3"></label> | |
| 120 | <label for="slide4"></label> | |
| 121 | <label for="slide5"></label> | |
| 122 | </div> <!-- .slider-dot-control --> | |
| 123 | </div> | |
| 124 | </div> | |
| 125 | <div class="row"> | |
| 126 | <div class="community column"> | |
| 127 | <a href="intro/people" aria-hidden="true"> | |
| 128 | <img src="Pics/users.svg" width="512" alt=""> | |
| 129 | </a> | |
| 130 | </div> | |
| 131 | <div class="styled-href-blue column-4-parts"> | |
| 132 | <h2><a href="intro/people">People</a></h2> | |
| 133 | <p>Who we are and what we do</p> | |
| 134 | </div> | |
| 135 | </div> | |
| 136 | <div class="row"> | |
| 137 | <div class="community column"> | |
| 138 | <a href="intro/philosophy" aria-hidden="true"> | |
| 139 | <img src="Pics/heartbeat.svg" width="512" alt=""> | |
| 140 | </a> | |
| 141 | </div> | |
| 142 | <div class="styled-href-blue column-4-parts"> | |
| 143 | <h2><a href="intro/philosophy">Our Philosophy</a></h2> | |
| 144 | <p>Why we do it, and how we do it</p> | |
| 145 | </div> | |
| 146 | </div> | |
| 147 | <div class="row"> | |
| 148 | <div class="community column"> | |
| 149 | <a href="devel/join/" aria-hidden="true"> | |
| 150 | <img src="Pics/user-plus.svg" width="512" alt=""> | |
| 151 | </a> | |
| 152 | </div> | |
| 153 | <div class="styled-href-blue column-4-parts"> | |
| 154 | <h2><a href="devel/join/">Get Involved, Contribute</a></h2> | |
| 155 | <p>How you can join us!</p> | |
| 156 | </div> | |
| 157 | </div> | |
| 158 | <div class="row"> | |
| 159 | <div class="community column"> | |
| 160 | <a href="intro/index#community" aria-hidden="true"> | |
| 161 | <img src="Pics/list.svg" width="512" alt=""> | |
| 162 | </a> | |
| 163 | </div> | |
| 164 | <div class="styled-href-blue column-4-parts"> | |
| 165 | <h2><a href="intro/index#community">More...</a></h2> | |
| 166 | <p>Additional information about the Debian community</p> | |
| 167 | </div> | |
| 168 | </div> | |
| 169 | </div> | |
| 170 | <div class="column column-right"> | |
| 171 | <div style="text-align: center"> | |
| 172 | <h1>The Operating System</h1> | |
| 173 | <h2>Debian is a complete Free Operating System!</h2> | |
| 174 | <div class="os-img-container"> | |
| 175 | <img src="Pics/debian-logo-1024x576.png" alt="Debian" width="1024" height="576"> | |
| 176 | <a href="./download" class="os-dl-btn">Download</a> | |
| 177 | </div> | |
| 178 | </div> | |
| 179 | <div class="row"> | |
| 180 | <div class="community column"> | |
| 181 | <a href="intro/why_debian" aria-hidden="true"> | |
| 182 | <img src="Pics/trophy.svg" width="512" alt=""> | |
| 183 | </a> | |
| 184 | </div> | |
| 185 | <div class="styled-href-blue column-4-parts"> | |
| 186 | <h2><a href="intro/why_debian">Why Debian</a></h2> | |
| 187 | <p>What makes Debian special</p> | |
| 188 | </div> | |
| 189 | </div> | |
| 190 | <div class="row"> | |
| 191 | <div class="community column"> | |
| 192 | <a href="support" aria-hidden="true"> | |
| 193 | <img src="Pics/life-ring.svg" width="512" alt=""> | |
| 194 | </a> | |
| 195 | </div> | |
| 196 | <div class="styled-href-blue column-4-parts"> | |
| 197 | <h2><a href="support">User Support</a></h2> | |
| 198 | <p>Getting help and documentation</p> | |
| 199 | </div> | |
| 200 | </div> | |
| 201 | <div class="row"> | |
| 202 | <div class="community column"> | |
| 203 | <a href="security/" aria-hidden="true"> | |
| 204 | <img src="Pics/security.svg" width="512" alt=""> | |
| 205 | </a> | |
| 206 | </div> | |
| 207 | <div class="styled-href-blue column-4-parts"> | |
| 208 | <h2><a href="security/">Security Updates</a></h2> | |
| 209 | <p>Debian Security Advisories (DSA)</p> | |
| 210 | </div> | |
| 211 | </div> | |
| 212 | <div class="row"> | |
| 213 | <div class="community column"> | |
| 214 | <a href="intro/index#software" aria-hidden="true"> | |
| 215 | <img src="Pics/list.svg" width="512" alt=""> | |
| 216 | </a> | |
| 217 | </div> | |
| 218 | <div class="styled-href-blue column-4-parts"> | |
| 219 | <h2><a href="intro/index#software">More...</a></h2> | |
| 220 | <p>Further links to downloads and software</p> | |
| 221 | </div> | |
| 222 | </div> | |
| 223 | </div> | |
| 224 | </div> | |
| 225 | <hr> | |
| 226 | <!-- An optional row highlighting events happening now, such as releases, point releases, debconf and minidebconfs, and elections (dpl, GRs...). --> | |
| 227 | <!-- The next row of columns on the site. --> | |
| 228 | <!-- The News will be selected by the press team. --> | |
| 229 | <div class="row"> | |
| 230 | <div class="column styled-href-blue column-left"> | |
| 231 | <div style="text-align: center"> | |
| 232 | <h1>Project News</h1> | |
| 233 | <h2>News and Announcements about Debian</h2> | |
| 234 | </div> | |
| 235 | <div class="project-news"><time datetime="2022-12-17" class="date-as-calendar position-em size1_25x"><span class="day">17</span><span class="month">December</span><span class="year">2022</span></time><div class="project-news-content"><a href="News/2022/20221217">Updated Debian 11: 11.6 released</a></div></div> | |
| 236 | <div class="project-news"><time datetime="2022-09-10" class="date-as-calendar position-em size1_25x"><span class="day">10</span><span class="month">September</span><span class="year">2022</span></time><div class="project-news-content"><a href="News/2022/20220910">Updated Debian 10: 10.13 released</a></div></div> | |
| 237 | <div class="project-news"><time datetime="2022-08-07" class="date-as-calendar position-em size1_25x"><span class="day">07</span><span class="month">August</span><span class="year">2022</span></time><div class="project-news-content"><a href="News/2022/20220807">Ownership of <q>debian.community</q> domain</a></div></div> | |
| 238 | <div class="project-news"><time datetime="2022-07-24" class="date-as-calendar position-em size1_25x"><span class="day">24</span><span class="month">July</span><span class="year">2022</span></time><div class="project-news-content"><a href="News/2022/20220724">DebConf22 closes in Prizren and DebConf23 dates announced</a></div></div> | |
| 239 | <!-- No more News entries behind this line! --> | |
| 240 | <div class="project-news"> | |
| 241 | <div class="end-of-list-arrow"></div> | |
| 242 | <div class="project-news-content project-news-content-end"> | |
| 243 | <a href="News">All the news</a>    | |
| 244 | <a class="rss_logo" style="float: none" href="News/news">RSS</a> | |
| 245 | </div> | |
| 246 | </div> | |
| 247 | </div> | |
| 248 | </div> | |
| 249 | <div class="clr"></div> | |
| 250 | </section> <!-- end content --> | |
| 251 | <footer> | |
| 252 | <hr class="hidecss"> | |
| 253 | <!--UdmComment--> | |
| 254 | <div id="pageLang"> | |
| 255 | <div id="langSelector"> | |
| 256 | This page is also available in the following languages: | |
| 257 | <div id="langContainer"> | |
| 258 | <a href="index.ar.html" title="Arabic" hreflang="ar" lang="ar" rel="alternate">عربية (Arabiya)</a> | |
| 259 | <a href="index.bg.html" title="Bulgarian" hreflang="bg" lang="bg" rel="alternate">Български (Bəlgarski)</a> | |
| 260 | <a href="index.ca.html" title="Catalan" hreflang="ca" lang="ca" rel="alternate">català</a> | |
| 261 | <a href="index.da.html" title="Danish" hreflang="da" lang="da" rel="alternate">dansk</a> | |
| 262 | <a href="index.de.html" title="German" hreflang="de" lang="de" rel="alternate">Deutsch</a> | |
| 263 | <a href="index.el.html" title="Greek" hreflang="el" lang="el" rel="alternate">Ελληνικά (Ellinika)</a> | |
| 264 | <a href="index.es.html" title="Spanish" hreflang="es" lang="es" rel="alternate">español</a> | |
| 265 | <a href="index.fa.html" title="Persian" hreflang="fa" lang="fa" rel="alternate">فارسی (Farsi)</a> | |
| 266 | <a href="index.fr.html" title="French" hreflang="fr" lang="fr" rel="alternate">français</a> | |
| 267 | <a href="index.gl.html" title="Galician" hreflang="gl" lang="gl" rel="alternate">Galego</a> | |
| 268 | <a href="index.hy.html" title="Armenian" hreflang="hy" lang="hy" rel="alternate">Հայերեն (hayeren)</a> | |
| 269 | <a href="index.id.html" title="Indonesian" hreflang="id" lang="id" rel="alternate">Indonesia</a> | |
| 270 | <a href="index.it.html" title="Italian" hreflang="it" lang="it" rel="alternate">Italiano</a> | |
| 271 | <a href="index.ko.html" title="Korean" hreflang="ko" lang="ko" rel="alternate">한국어 (Korean)</a> | |
| 272 | <a href="index.hu.html" title="Hungarian" hreflang="hu" lang="hu" rel="alternate">magyar</a> | |
| 273 | <a href="index.nl.html" title="Dutch" hreflang="nl" lang="nl" rel="alternate">Nederlands</a> | |
| 274 | <a href="index.nb.html" title="Norwegian" hreflang="nb" lang="nb" rel="alternate">norsk (bokmål)</a> | |
| 275 | <a href="index.pl.html" title="Polish" hreflang="pl" lang="pl" rel="alternate">polski</a> | |
| 276 | <a href="index.pt.html" title="Portuguese" hreflang="pt" lang="pt" rel="alternate">Português</a> | |
| 277 | <a href="index.ru.html" title="Russian" hreflang="ru" lang="ru" rel="alternate">Русский (Russkij)</a> | |
| 278 | <a href="index.fi.html" title="Finnish" hreflang="fi" lang="fi" rel="alternate">suomi</a> | |
| 279 | <a href="index.sv.html" title="Swedish" hreflang="sv" lang="sv" rel="alternate">svenska</a> | |
| 280 | <a href="index.vi.html" title="Vietnamese" hreflang="vi" lang="vi" rel="alternate">Tiếng Việt</a> | |
| 281 | <a href="index.uk.html" title="Ukrainian" hreflang="uk" lang="uk" rel="alternate">українська (ukrajins'ka)</a> | |
| 282 | <a href="index.zh-cn.html" title="Chinese (China)" hreflang="zh-CN" lang="zh-CN" rel="alternate">中文(简)</a> | |
| 283 | <a href="index.zh-hk.html" title="Chinese (Hong Kong)" hreflang="zh-HK" lang="zh-HK" rel="alternate">中文(HK)</a> | |
| 284 | <a href="index.zh-tw.html" title="Chinese (Taiwan)" hreflang="zh-TW" lang="zh-TW" rel="alternate">中文(繁)</a> | |
| 285 | </div> | |
| 286 | How to set <a href="./intro/cn">the default document language</a> | |
| 287 | </div></div><!--/UdmComment--> | |
| 288 | <hr> | |
| 289 | <!--UdmComment--> | |
| 290 | <div id="fineprint"> | |
| 291 | <p>See our <a href="./contact">contact page</a> to get in touch. Web site source code is <a href="https://salsa.debian.org/webmaster-team/webwml">available</a>.</p> | |
| 292 | <p> | |
| 293 | Last Modified: Sun, Jul 24 21:07:25 UTC 2022 | |
| 294 |   | |
| 295 | Last Built: Sun, Dec 25 23:27:38 UTC 2022 | |
| 296 | <br> | |
| 297 | Copyright © 1997-2022 | |
| 298 | <a href="https://www.spi-inc.org/">SPI</a> and others; See <a href="./license" rel="copyright">license terms</a><br> | |
| 299 | Debian is a registered <a href="./trademark">trademark</a> of Software in the Public Interest, Inc. | |
| 300 | </p> | |
| 301 | </div> | |
| 302 | <!--/UdmComment--> | |
| 303 | </footer> <!-- end footer --> | |
| 304 | </body> | |
| 305 | </html> |