[-]
[+]
|
Changed |
_service:tar_git:firejail.changes
|
|
[-]
[+]
|
Changed |
_service:tar_git:firejail.spec
^
|
|
[-]
[+]
|
Changed |
_service:tar_git:0001-Preserve-process-effective-group-for-privileged-grou.patch
^
|
@@ -8,7 +8,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
-index 8d8dd95f..94ae8d24 100644
+index f40cbb9de..63352dfaa 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -53,7 +53,7 @@ static inline void EUID_PRINT(void) {
@@ -20,6 +20,3 @@
}
#endif
---
-2.31.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0002-Implement-Sailfish-OS-specific-privileged-data-optio.patch
^
|
@@ -30,22 +30,22 @@
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
---
- src/firejail/firejail.h | 5 +-
+ src/firejail/firejail.h | 4 +
src/firejail/macros.c | 9 +++
- src/firejail/main.c | 112 +++++++++++++++++++++-----------------
- src/firejail/profile.c | 31 +++++++++++
- src/firejail/sandbox.c | 76 ++++++++++++++++++++++++++
+ src/firejail/main.c | 161 +++++++++++++++-----------------------
+ src/firejail/profile.c | 31 ++++++++
+ src/firejail/sandbox.c | 76 ++++++++++++++++++
src/firejail/usage.c | 1 +
- src/firejail/util.c | 23 +++++---
- src/include/euid_common.h | 86 ++++++++++++++++++++++-------
+ src/firejail/util.c | 27 ++++++-
+ src/include/euid_common.h | 86 +++++++++++++++-----
src/include/rundefs.h | 1 +
- 9 files changed, 266 insertions(+), 78 deletions(-)
+ 9 files changed, 277 insertions(+), 119 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
-index 9971d30b..1ea82329 100644
+index 13ee573ad..e922e9593 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
-@@ -163,6 +163,7 @@ typedef struct config_t {
+@@ -168,6 +168,7 @@ typedef struct config_t {
char *home_private_keep; // keep list for private home directory
char *etc_private_keep; // keep list for private etc directory
char *opt_private_keep; // keep list for private opt directory
@@ -53,7 +53,7 @@
char *srv_private_keep; // keep list for private srv directory
char *bin_private_keep; // keep list for private bin directory
char *bin_private_lib; // executable list sent by private-bin to private-lib
-@@ -455,6 +456,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname);
+@@ -466,6 +467,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname);
// add a profile entry in cfg.profile list; use str to populate the list
void profile_add(char *str);
void profile_add_ignore(const char *str);
@@ -61,21 +61,19 @@
char *profile_list_normalize(char *list);
char *profile_list_compress(char *list);
void profile_list_augment(char **list, const char *items);
-@@ -527,7 +529,8 @@ void update_map(char *mapping, char *map_file);
- void wait_for_other(int fd);
+@@ -560,6 +562,7 @@ void wait_for_other(int fd);
void notify_other(int fd);
uid_t pid_get_uid(pid_t pid);
--uid_t get_group_id(const char *group);
-+gid_t get_group_id(const char *group);
+ gid_t get_group_id(const char *groupname);
+uid_t get_user_id(const char *user);
- int remove_overlay_directory(void);
void flush_stdin(void);
int create_empty_dir_as_user(const char *dir, mode_t mode);
+ void create_empty_dir_as_root(const char *dir, mode_t mode);
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
-index cd29d8f8..895ec93a 100644
+index 3f9460041..ac42a77ed 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
-@@ -241,6 +241,13 @@ char *expand_macros(const char *path) {
+@@ -243,6 +243,13 @@ char *expand_macros(const char *path) {
EUID_ROOT();
return new_name;
}
@@ -89,7 +87,7 @@
else {
char *directory = resolve_macro(path);
if (directory) {
-@@ -296,6 +303,8 @@ void invalid_filename(const char *fname, int globbing) {
+@@ -276,6 +283,8 @@ void invalid_filename(const char *fname, int globbing) {
ptr = fname + 7;
else if (strncmp(ptr, "${RUNUSER}", 10) == 0)
ptr = fname + 10;
@@ -99,10 +97,10 @@
int id = macro_id(fname);
if (id != -1)
diff --git a/src/firejail/main.c b/src/firejail/main.c
-index 7a0d5283..d42791fc 100644
+index 18e9ae651..129fa9d72 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
-@@ -54,8 +54,7 @@ int __clone2(int (*fn)(void *),
+@@ -55,8 +55,7 @@ int __clone2(int (*fn)(void *),
/* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ );
#endif
@@ -112,16 +110,16 @@
#define STACK_SIZE (1024 * 1024)
#define STACK_ALIGNMENT 16
-@@ -1000,7 +999,7 @@ int main(int argc, char **argv, char **envp) {
- fix_std_streams();
+@@ -1061,7 +1060,7 @@ int main(int argc, char **argv, char **envp) {
+ orig_umask = umask(022);
// drop permissions by default and rise them when required
- EUID_INIT();
+ EUID_INIT(*argv);
EUID_USER();
- // argument count should be larger than 0
-@@ -2006,6 +2005,12 @@ int main(int argc, char **argv, char **envp) {
+ // check standard streams before opening any file
+@@ -2083,6 +2082,12 @@ int main(int argc, char **argv, char **envp) {
else
exit_err_feature("private-opt");
}
@@ -134,14 +132,14 @@
else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
if (checkcfg(CFG_PRIVATE_SRV)) {
// extract private srv list
-@@ -3061,71 +3066,76 @@ int main(int argc, char **argv, char **envp) {
+@@ -3143,124 +3148,88 @@ int main(int argc, char **argv, char **envp) {
- if (arg_noroot) {
- // update the UID and GID maps in the new child user namespace
+ if (arg_noroot) {
+ // update the UID and GID maps in the new child user namespace
- // uid
-- char *map_path;
-- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
-- errExit("asprintf");
+- char *map_path;
+- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
+- errExit("asprintf");
+ /* NB: In Linux 4.14 and earlier, id mapping data can have at
+ * maximum 5 lines - see user_namespaces (7) for details. */
+ const int id_max = 5;
@@ -166,10 +164,7 @@
+ }
+ }
+ }
-
-- char *map;
-- uid_t uid = getuid();
-- if (asprintf(&map, "%d %d 1", uid, uid) == -1)
++
+ auto char *id_map(void) {
+ char *ptr = map_data;
+ for (int i = 0; i < id_cnt; ++i) {
@@ -180,90 +175,151 @@
+ id_cnt = 0;
+ return map_data;
+ }
-+
+
+- char *map;
+- uid_t uid = getuid();
+- if (asprintf(&map, "%d %d 1", uid, uid) == -1)
+ // UIDs
+ if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
- errExit("asprintf");
-- EUID_ROOT();
-- update_map(map, map_path);
+ errExit("asprintf");
+ id_add(0);
+ id_add(euid_data.uid);
+ id_add(euid_data.privileged_uid);
-+ EUID_ROOT();
+ EUID_ROOT();
+- update_map(map, map_path);
+ update_map(id_map(), map_path);
- EUID_USER();
-- free(map);
- free(map_path);
+ EUID_USER();
+- free(map);
+ free(map_path);
-- // gid file
+- // gid file
+ // GIDs
if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
errExit("asprintf");
-- char gidmap[1024];
-- char *ptr = gidmap;
-- *ptr = '\0';
+- char gidmap[1024];
+- char *ptr = gidmap;
+- *ptr = '\0';
-
-- // add user group
-- gid_t gid = getgid();
-- sprintf(ptr, "%d %d 1\n", gid, gid);
-- ptr += strlen(ptr);
+- // add user group
+- gid_t gid = getgid();
+- sprintf(ptr, "%d %d 1\n", gid, gid);
+- ptr += strlen(ptr);
+- gid_t g;
+ id_add(0);
+ id_add(euid_data.gid);
+ id_add(euid_data.primary_gid);
+ id_add(euid_data.privileged_gid);
- if (!arg_nogroups) {
- // add firejail group
-- gid_t g = get_group_id("firejail");
-- if (g) {
-- sprintf(ptr, "%d %d 1\n", g, g);
-- ptr += strlen(ptr);
-- }
+ if (!arg_nogroups || !check_can_drop_all_groups()) {
+ // add audio group
+ if (!arg_nosound) {
+- g = get_group_id("audio");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
++ id_add(get_group_id("audio"));
+ }
-
-+ id_add(get_group_id("firejail"));
- // add tty group
-- g = get_group_id("tty");
-- if (g) {
-- sprintf(ptr, "%d %d 1\n", g, g);
-- ptr += strlen(ptr);
-- }
+ // add video group
+ if (!arg_novideo) {
+- g = get_group_id("video");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
++ id_add(get_group_id("video"));
+ }
++ // We don't use the groups render/vglusers, cdrom/optical
++ // or lp (printers). See JB#59121 for details.
-
-+ id_add(get_group_id("tty"));
- // add audio group
-- g = get_group_id("audio");
-- if (g) {
-- sprintf(ptr, "%d %d 1\n", g, g);
-- ptr += strlen(ptr);
-- }
+- // add render/vglusers group
+- if (!arg_no3d) {
+- g = get_group_id("render");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
+- g = get_group_id("vglusers");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
+- }
+-
+- // add lp group
+- if (!arg_noprinters) {
+- g = get_group_id("lp");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
+- }
+-
+- // add cdrom/optical groups
+- if (!arg_nodvd) {
+- g = get_group_id("cdrom");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
+- g = get_group_id("optical");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
+- }
+-
+ // add input group
+ if (!arg_noinput) {
+- g = get_group_id("input");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
++ id_add(get_group_id("input"));
+ }
+ }
+-
+ if (!arg_nogroups) {
+- // add firejail group
+- g = get_group_id("firejail");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
-
-+ id_add(get_group_id("audio"));
- // add video group
-- g = get_group_id("video");
-- if (g) {
-- sprintf(ptr, "%d %d 1\n", g, g);
-- ptr += strlen(ptr);
-- }
+- // add tty group
+- g = get_group_id("tty");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- ptr += strlen(ptr);
+- }
-
-+ id_add(get_group_id("video"));
- // add games group
-- g = get_group_id("games");
-- if (g) {
-- sprintf(ptr, "%d %d 1\n", g, g);
-- }
+- // add games group
+- g = get_group_id("games");
+- if (g) {
+- sprintf(ptr, "%d %d 1\n", g, g);
+- }
++ // add firejail group
++ id_add(get_group_id("firejail"));
++ // add tty group
++ id_add(get_group_id("tty"));
++ // add games group
+ id_add(get_group_id("games"));
- }
+ }
- EUID_ROOT();
-- update_map(gidmap, map_path);
+ EUID_ROOT();
+- update_map(gidmap, map_path);
+ update_map(id_map(), map_path);
- EUID_USER();
- free(map_path);
- }
+ EUID_USER();
+ free(map_path);
+ }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
-index e52bdc6e..2c226168 100644
+index acf206da6..c5dd43521 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
-@@ -1311,6 +1311,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
+@@ -1382,6 +1382,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
@@ -279,7 +335,7 @@
// private /srv list of files and directories
if (strncmp(ptr, "private-srv ", 12) == 0) {
if (checkcfg(CFG_PRIVATE_SRV)) {
-@@ -1808,6 +1817,28 @@ void profile_read(const char *fname) {
+@@ -1864,6 +1873,28 @@ void profile_read(const char *fname) {
fclose(fp);
}
@@ -309,10 +365,10 @@
{
/* Remove redundant commas.
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
-index fd359c39..5c1676dc 100644
+index 77fe73174..0377293de 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
-@@ -860,6 +860,82 @@ int sandbox(void* sandbox_arg) {
+@@ -912,6 +912,82 @@ int sandbox(void* sandbox_arg) {
if (arg_private_dev)
fs_private_dev();
@@ -396,31 +452,31 @@
if (cfg.chrootdir)
fwarning("private-opt feature is disabled in chroot\n");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
-index 888a6ffe..098bf696 100644
+index 0a4c8a483..5b376dc3c 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
-@@ -195,6 +195,7 @@ static char *usage_str =
+@@ -210,6 +210,7 @@ static char *usage_str =
" --private-cwd=directory - set working directory inside jail.\n"
" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
" --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
+ " --privileged-data=directory - whitelist privileged user data directory.\n"
" --profile=filename|profile_name - use a custom profile.\n"
" --profile.print=name|pid - print the name of profile file.\n"
- " --profile-path=directory - use this directory to look for profile files.\n"
+ " --protocol=protocol,protocol,protocol - enable protocol filter.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
-index de31ebdd..110a61da 100644
+index a01290cf2..147e5d22d 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
-@@ -132,7 +132,7 @@ static void clean_supplementary_groups(gid_t gid) {
- int i = 0;
- while (allowed[i]) {
- gid_t g = get_group_id(allowed[i]);
-- if (g) {
-+ if (g != -1) {
- int j;
- for (j = 0; j < ngroups; j++) {
- if (g == groups[j]) {
-@@ -188,9 +188,9 @@ void drop_privs(int nogroups) {
+@@ -160,7 +160,7 @@
+ }
+
+ gid_t g = get_group_id(groupname);
+- if (g && find_group(g, groups, ngroups) >= 0) {
++ if (g != INVALID_GID && find_group(g, groups, ngroups) >= 0) {
+ new_groups[*new_ngroups] = g;
+ (*new_ngroups)++;
+ }
+@@ -281,9 +292,9 @@ void drop_privs(int force_nogroups) {
clean_supplementary_groups(gid);
// set uid/gid
@@ -432,7 +488,7 @@
errExit("setresuid");
}
-@@ -851,6 +851,9 @@ void update_map(char *mapping, char *map_file) {
+@@ -871,6 +882,9 @@ void update_map(char *mapping, char *map_file) {
if (mapping[j] == ',')
mapping[j] = '\n';
@@ -442,16 +498,10 @@
fd = open(map_file, O_RDWR|O_CLOEXEC);
if (fd == -1) {
fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno));
-@@ -976,16 +979,22 @@ uid_t pid_get_uid(pid_t pid) {
-
-
-
--uid_t get_group_id(const char *group) {
-- // find tty group id
+@@ -955,11 +969,18 @@ gid_t get_group_id(const char *groupname) {
- gid_t gid = 0;
-+gid_t get_group_id(const char *group) {
+ gid_t gid = INVALID_GID;
- struct group *g = getgrnam(group);
+ struct group *g = getgrnam(groupname);
if (g)
gid = g->gr_gid;
-
@@ -467,10 +517,10 @@
+}
+
- static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
- (void) sb;
+ // flush stdin if it is connected to a tty and has input
+ void flush_stdin(void) {
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
-index 94ae8d24..7e966be5 100644
+index 63352dfaa..29ceaa1bb 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -24,36 +24,84 @@
@@ -578,7 +628,7 @@
#endif
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
-index 3db750da..59530eb1 100644
+index 079670f10..5aedcb32b 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -45,6 +45,7 @@
@@ -589,6 +639,3 @@
#define RUN_SRV_DIR RUN_MNT_DIR "/srv"
#define RUN_BIN_DIR RUN_MNT_DIR "/bin"
#define RUN_PULSE_DIR RUN_MNT_DIR "/pulse"
---
-2.31.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0003-Add-profile-files-to-a-list-when-processing-argument.patch
^
|
@@ -16,10 +16,10 @@
3 files changed, 85 insertions(+)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
-index 1ea82329..28c1d81e 100644
+index e922e9593..4848c3516 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
-@@ -460,6 +460,7 @@ char *profile_list_slice(char *pos, char **ppos);
+@@ -471,6 +471,7 @@ char *profile_list_slice(char *pos, char **ppos);
char *profile_list_normalize(char *list);
char *profile_list_compress(char *list);
void profile_list_augment(char **list, const char *items);
@@ -28,10 +28,10 @@
// list.c
void list(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
-index d42791fc..5d92df2d 100644
+index 129fa9d72..6bebf3143 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
-@@ -2761,6 +2761,9 @@ int main(int argc, char **argv, char **envp) {
+@@ -2846,6 +2846,9 @@ int main(int argc, char **argv, char **envp) {
break;
}
}
@@ -42,12 +42,12 @@
// exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
-index 2c226168..2c172ad1 100644
+index c5dd43521..4ca9bc2cd 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
-@@ -28,6 +28,18 @@ extern char *xephyr_screen;
-
- #define MAX_READ 8192 // line buffer for profile files
+@@ -29,6 +29,18 @@ extern char *xephyr_screen;
+ #define MAX_READ 8192 // line buffer for profile files
+ #define MAX_LIST 16384 // size limit for argument lists
+typedef struct profile_file_name_t {
+ char *fname;
@@ -64,7 +64,7 @@
// find and read the profile specified by name from dir directory
// return 1 if a profile was found
static int profile_find(const char *name, const char *dir, int add_ext) {
-@@ -1678,6 +1690,27 @@ void profile_add(char *str) {
+@@ -1722,6 +1734,27 @@ void profile_add(char *str) {
ptr->next = prf;
}
@@ -92,7 +92,7 @@
// read a profile file
static int include_level = 0;
void profile_read(const char *fname) {
-@@ -1726,6 +1759,11 @@ void profile_read(const char *fname) {
+@@ -1770,6 +1803,11 @@ void profile_read(const char *fname) {
}
}
@@ -104,7 +104,7 @@
// open profile file:
FILE *fp = fopen(fname, "re");
if (fp == NULL) {
-@@ -1817,6 +1855,49 @@ void profile_read(const char *fname) {
+@@ -1873,6 +1911,49 @@ void profile_read(const char *fname) {
fclose(fp);
}
@@ -154,6 +154,3 @@
char *profile_list_slice(char *pos, char **ppos)
{
/* Extract token from comma separated list.
---
-2.31.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0004-Implement-template-addition-for-replacing-keys-in-pr.patch
^
|
@@ -1,8 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jussi Laakkonen <jussi.laakkonen@jolla.com>
Date: Fri, 7 May 2021 18:29:29 +0300
-Subject: [PATCH] Implement template addition for replacing keys in profile
- files
+Subject: [PATCH] Implement template addition for replacing keys in profile files
Implement template addition to pass templates as key value pairs as cmd
line parameters to replace the keys in read profile file lines to allow
@@ -78,7 +77,7 @@
create mode 100644 src/firejail/template.c
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
-index 9a4cb2e6..80385376 100644
+index 66738bd4b..8160bc6be 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -41,7 +41,7 @@
@@ -91,11 +90,11 @@
static pid_t dbus_proxy_pid = 0;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
-index 28c1d81e..77e5a830 100644
+index 4848c3516..c245e40e6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
-@@ -888,6 +888,8 @@ void set_x11_run_file(pid_t pid, int display);
- void set_profile_run_file(pid_t pid, const char *fname);
+@@ -922,6 +922,8 @@ void set_sandbox_run_file(pid_t pid, pid_t child);
+ void release_sandbox_lock(void);
// dbus.c
+#define DBUS_MAX_NAME_LENGTH 255
@@ -103,9 +102,9 @@
int dbus_check_name(const char *name);
int dbus_check_call_rule(const char *name);
void dbus_check_profile(void);
-@@ -906,4 +908,10 @@ void dhcp_start(void);
- // selinux.c
- void selinux_relabel_path(const char *path, const char *inside_path);
+@@ -946,4 +948,10 @@ void run_ids(int argc, char **argv);
+ // oom.c
+ void oom_set(const char *oom_string);
+// template.c
+void check_template(char *arg);
@@ -115,10 +114,10 @@
+void template_cleanup();
#endif
diff --git a/src/firejail/main.c b/src/firejail/main.c
-index 5d92df2d..252371be 100644
+index 6bebf3143..3edfbb09a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
-@@ -2649,6 +2649,11 @@ int main(int argc, char **argv, char **envp) {
+@@ -2764,6 +2764,11 @@ int main(int argc, char **argv, char **envp) {
exit_err_feature("networking");
}
#endif
@@ -130,7 +129,7 @@
//*************************************
// command
//*************************************
-@@ -2762,6 +2767,9 @@ int main(int argc, char **argv, char **envp) {
+@@ -2847,6 +2852,9 @@ int main(int argc, char **argv, char **envp) {
}
}
@@ -140,7 +139,7 @@
profile_read_file_list();
EUID_ASSERT();
-@@ -2893,6 +2901,9 @@ int main(int argc, char **argv, char **envp) {
+@@ -2972,6 +2980,9 @@ int main(int argc, char **argv, char **envp) {
}
EUID_ASSERT();
@@ -151,10 +150,10 @@
if (arg_x11_block)
x11_block();
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
-index 2c172ad1..9f0e5baf 100644
+index 4ca9bc2cd..55b11eb50 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
-@@ -1812,6 +1812,40 @@ void profile_read(const char *fname) {
+@@ -1868,6 +1868,40 @@ void profile_read(const char *fname) {
msg_printed = 1;
}
@@ -197,7 +196,7 @@
include_level++;
diff --git a/src/firejail/template.c b/src/firejail/template.c
new file mode 100644
-index 00000000..64bcef5e
+index 000000000..64bcef5e4
--- /dev/null
+++ b/src/firejail/template.c
@@ -0,0 +1,504 @@
@@ -706,22 +705,22 @@
+ return new_string;
+}
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
-index 098bf696..4598f3c7 100644
+index 5b376dc3c..00af44687 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
-@@ -239,6 +239,7 @@ static char *usage_str =
- " --shell=none - run the program directly without a user shell.\n"
- " --shell=program - set default user shell.\n"
+@@ -256,6 +256,7 @@ static char *usage_str =
" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+ " --tab - enable shell tab completion in sandboxes using private or\n"
+ "\twhitelisted home directories.\n"
+ " --template=KEY:VALUE - set a template KEY with VALUE usable as ${KEY} in profiles\n"
" --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
"\thas elapsed.\n"
" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
-index db58e091..b0ff631b 100644
+index 5b16179ac..5544b471f 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
-@@ -965,6 +965,20 @@ Always exit firejail with the first child's exit status. The default behavior is
+@@ -1013,6 +1013,20 @@ Always shut down the sandbox after the first child has terminated. The default b
Join the sandbox identified by name or start a new one.
Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
@@ -743,12 +742,12 @@
.TP
\fB/etc/firejail/appname.profile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
-index 0462705c..d6036605 100644
+index e5020e37e..1d9e9b16a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
-@@ -2573,6 +2573,23 @@ $ firejail \-\-list
+@@ -2870,6 +2870,23 @@ Enable shell tab completion in sandboxes using private or whitelisted home direc
.br
- $ firejail \-\-shutdown=3272
+ $ firejail \-\-private --tab
.TP
+\fB\-\-template=KEY:VALUE
+Define a template \fBKEY\fR with \fBVALUE\fR to have application specific \fB${KEY}\fRs in the profile files replaced with the given value. This is useful, for example, with D-Bus name ownership to make a generic ownership rule to be application specific. See \fB\&\flfirejail-profile\fR\|(5)\fR for information on how to use the template keys in profile files. Internal macros cannot be overridden with this, in such case firejail quits with an error message.
@@ -770,6 +769,3 @@
\fB\-\-timeout=hh:mm:ss
Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
.br
---
-2.31.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0005-Retain-symlink-chains.patch
^
|
@@ -1,4 +1,4 @@
-From 8ad599674872d433f8410e3ebd5f2d6793f431fd Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Simo Piiroinen <simo.piiroinen@jolla.com>
Date: Tue, 19 Oct 2021 11:43:31 +0300
Subject: [PATCH] Retain symlink chains
@@ -25,11 +25,11 @@
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
---
- src/fcopy/main.c | 136 +++++++++++++++++++----------------------------
- 1 file changed, 56 insertions(+), 80 deletions(-)
+ src/fcopy/main.c | 125 +++++++++++++++++++----------------------------
+ 1 file changed, 50 insertions(+), 75 deletions(-)
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
-index 31810de9..a5421500 100644
+index b0b7f7024..c99b56b7e 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -22,6 +22,7 @@
@@ -40,7 +40,7 @@
#include <fcntl.h>
#ifndef O_PATH
-@@ -180,77 +181,58 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
+@@ -181,78 +182,58 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
}
}
@@ -48,7 +48,10 @@
- assert(target);
- char *use_target = 0;
- char *proc_pid = 0;
--
++void copy_link(const char *target, const char *linkpath) {
++ int failed = 1;
++ char *linkdata = NULL;
+
- if (!(use_target = realpath(target, NULL)))
- goto done;
-
@@ -56,53 +59,82 @@
- static const char proc[] = "/proc/";
- if (strncmp(use_target, proc, sizeof(proc) - 1))
- goto done;
--
++ // if the link is already there, don't create it
++ struct stat s;
++ if (lstat(linkpath, &s) == 0)
++ goto success;
+
- int digit = use_target[sizeof(proc) - 1];
- if (digit < '1' || digit > '9')
- goto done;
--
++ // read source symlink
++ if (lstat(target, &s) == -1)
++ goto failure;
+
- // check where /proc/self points to
- static const char proc_self[] = "/proc/self";
-- if (!(proc_pid = realpath(proc_self, NULL)))
+- proc_pid = realpath(proc_self, NULL);
+- if (proc_pid == NULL)
- goto done;
--
++ if (!S_ISLNK(s.st_mode))
++ goto failure;
+
- // redirect /proc/PID/xxx -> /proc/self/XXX
- size_t pfix = strlen(proc_pid);
- if (strncmp(use_target, proc_pid, pfix))
- goto done;
--
++ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX;
++ if (!(linkdata = malloc(linksize)))
++ goto failure;
+
- if (use_target[pfix] != 0 && use_target[pfix] != '/')
- goto done;
--
++ ssize_t rc = readlink(target, linkdata, linksize);
++ if (rc < 0) {
++ if (!arg_quiet)
++ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target);
++ goto failure;
++ }
+
- char *tmp;
- if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) {
- if (arg_debug)
- fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp);
- free(use_target);
- use_target = tmp;
-- }
++ if (rc >= linksize) {
++ if (!arg_quiet)
++ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target);
++ goto failure;
+ }
- else
- errExit("asprintf");
--
+
-done:
- if (proc_pid)
- free(proc_pid);
- return use_target;
-}
--
++ linkdata[rc] = 0;
+
-void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
- (void) mode;
- (void) uid;
- (void) gid;
-+void copy_link(const char *target, const char *linkpath) {
-+ int failed = 1;
-+ char *linkdata = NULL;
++ // duplicate at the given path
++ if (symlink(linkdata, linkpath) == -1) {
++ if (!arg_quiet)
++ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath);
++ goto failure;
++ }
- // if the link is already there, don't create it
- struct stat s;
- if (lstat(linkpath, &s) == 0)
+- // if the link is already there, don't create it
+- struct stat s;
+- if (lstat(linkpath, &s) == 0)
- return;
--
++ if (arg_debug)
++ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata);
+
- char *rp = proc_pid_to_self(target);
- if (rp) {
- if (symlink(rp, linkpath) == -1) {
@@ -110,61 +142,24 @@
- goto errout;
- }
- free(rp);
-+ goto success;
-+
-+ // read source symlink
-+ if (lstat(target, &s) == -1)
-+ goto failure;
-+
-+ if (!S_ISLNK(s.st_mode))
-+ goto failure;
-+
-+ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX;
-+ if (!(linkdata = malloc(linksize)))
-+ goto failure;
-+
-+ ssize_t rc = readlink(target, linkdata, linksize);
-+ if (rc < 0) {
-+ if (!arg_quiet)
-+ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target);
-+ goto failure;
-+ }
-+
-+ if (rc >= linksize) {
-+ if (!arg_quiet)
-+ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target);
-+ goto failure;
- }
+- }
- else
- goto errout;
-
-- return;
--errout:
-- if (!arg_quiet)
-- fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target);
-+ linkdata[rc] = 0;
-+
-+ // duplicate at the given path
-+ if (symlink(linkdata, linkpath) == -1) {
-+ if (!arg_quiet)
-+ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath);
-+ goto failure;
-+ }
-+
-+ if (arg_debug)
-+ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata);
-+
+success:
+ failed = 0;
+failure:
+ if (failed && !arg_quiet)
+ fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", linkpath);
-+
+
+- return;
+-errout:
+- if (!arg_quiet)
+- fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target);
+ free(linkdata);
}
-@@ -310,7 +292,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
+@@ -310,7 +291,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
mkdir_attr(outfname, mode, uid, gid);
}
else if (ftype == FTW_SL) {
@@ -173,7 +168,7 @@
}
out:
free(outfname);
-@@ -396,22 +378,16 @@ static void duplicate_file(const char *src, const char *dest, struct stat *s) {
+@@ -396,22 +377,16 @@ static void duplicate_file(const char *src, const char *dest, struct stat *s) {
static void duplicate_link(const char *src, const char *dest, struct stat *s) {
char *rsrc = check(src); // we drop the result and use the original name
char *rdest = check(dest);
@@ -188,6 +183,9 @@
- ptr++;
- if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
- errExit("asprintf");
+-
+- // copy
+- copy_link(rsrc, name, mode, uid, gid);
+ const char *linkname = strrchr(src, '/');
+ if (linkname++) {
+ char *linkpath = NULL;
@@ -197,13 +195,7 @@
+ free(linkpath);
+ }
-- // copy
-- copy_link(rsrc, name, mode, uid, gid);
--
- free(name);
free(rsrc);
free(rdest);
}
---
-2.17.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0006-Add-xstat-tracing-and-optionally-log-only-failing-ca.patch
^
|
@@ -1,4 +1,4 @@
-From 9a868fc4de943a4ce25d137a56357ca365cfd234 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Simo Piiroinen <simo.piiroinen@jolla.com>
Date: Tue, 9 Nov 2021 16:08:37 +0200
Subject: [PATCH] Add xstat() tracing and optionally log only failing calls
@@ -22,15 +22,15 @@
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
---
- src/libtrace/libtrace.c | 860 ++++++++++++++++++++++++----------------
- 1 file changed, 509 insertions(+), 351 deletions(-)
+ src/libtrace/libtrace.c | 863 ++++++++++++++++++++++++----------------
+ 1 file changed, 524 insertions(+), 339 deletions(-)
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
-index d88512b0..d78c6d76 100644
+index aa37bb758..bce5460fa 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
-@@ -20,6 +20,8 @@
- #define _GNU_SOURCE
+@@ -21,6 +21,8 @@
+ #include <errno.h>
#include <stdio.h>
#include <stdlib.h>
+#include <stdarg.h>
@@ -38,7 +38,7 @@
#include <string.h>
#include <dlfcn.h>
#include <sys/types.h>
-@@ -30,90 +32,79 @@
+@@ -30,6 +32,9 @@
#include <arpa/inet.h>
#include <sys/un.h>
#include <sys/stat.h>
@@ -48,26 +48,10 @@
#include <syslog.h>
#include <dirent.h>
#include "../include/rundefs.h"
-
--#define tprintf(fp, args...) \
-- do { \
-- if (!fp)\
-- init(); \
-- fprintf(fp, args); \
-- } while(0)
--
--// break recursivity on fopen call
--typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
--static orig_fopen_t orig_fopen = NULL;
--typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
--static orig_fopen64_t orig_fopen64 = NULL;
--typedef int (*orig_access_t)(const char *pathname, int mode);
--static orig_access_t orig_access = NULL;
--
--//
--// library constructor/destructor
--//
--// Using fprintf to /dev/tty instead of printf in order to fix #561
+@@ -51,67 +56,72 @@ static orig_access_t orig_access = NULL;
+ // library constructor/destructor
+ //
+ // Using fprintf to /dev/tty instead of printf in order to fix #561
+static bool verbose = true;
static FILE *ftty = NULL;
static pid_t mypid = 0;
@@ -78,16 +62,10 @@
-void init(void) {
- if (ftty)
- return;
-+static FILE *output(void);
-
+-
- orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
- orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
-+__attribute__((format(printf, 1, 2))) static void message(const char *fmt, ...) {
-+ // We need to ensure that trace logging does not
-+ // interfere with errno that application code gets
-+ // to see
-+ int saved = errno;
-
+-
- // allow environment variable to override defaults
- char *logfile = getenv("FIREJAIL_TRACEFILE");
- if (!logfile) {
@@ -97,57 +75,38 @@
- // else log to associated tty
- logfile = "/dev/tty";
- }
-+ char *text = NULL;
-+ va_list va;
-+ va_start(va, fmt);
-+ if (vasprintf(&text, fmt, va) < 0)
-+ text = NULL;
-+ va_end(va);
-
+-
- // logfile
- unsigned cnt = 0;
- while ((ftty = orig_fopen(logfile, "a")) == NULL) {
- if (++cnt > 10) { // 10 sec
- perror("Cannot open trace log file");
- exit(1);
-- }
-- sleep(1);
-- }
-- // line buffered stream
-- setvbuf(ftty, NULL, _IOLBF, BUFSIZ);
++static FILE *output(void);
++
++__attribute__((format(printf, 1, 2))) static void message(const char *fmt, ...) {
++ // We need to ensure that trace logging does not
++ // interfere with errno that application code gets
++ // to see
++ int saved = errno;
++
++ char *text = NULL;
++ va_list va;
++ va_start(va, fmt);
++ if (vasprintf(&text, fmt, va) < 0)
++ text = NULL;
++ va_end(va);
++
+ // As the 1st output() call evaluates mypid & myname,
+ // it needs to be done before using those variables
+ FILE *file = output() ?: stderr;
-
-- // pid
-- mypid = getpid();
++
+ fprintf(file, "%u:%s:%s\n", mypid, myname, text ?: fmt);
+ free(text);
-
-- // process name
-- char *fname;
-- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
-- FILE *fp = orig_fopen(fname, "r");
-- free(fname);
-- if (fp) {
-- if (fgets(myname, MAXNAME, fp) == NULL)
-- strcpy(myname, "unknown");
-- fclose(fp);
-- }
-- }
--
-- // clean '\n'
-- char *ptr = strchr(myname, '\n');
-- if (ptr)
-- *ptr = '\0';
--
--// tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
++
+ errno = saved;
- }
-
--static void fini(void) __attribute__((destructor));
--void fini(void) {
-- fclose(ftty);
++}
++
+static void *lookup(const char *name) {
+ // Map internally used "silent" wrappers to actual
+ // functions, for example: silent_fopen() -> fopen()
@@ -164,7 +123,24 @@
+ if (write(STDERR_FILENO, txt, strlen(txt)) < 0) {
+ // dontcare
+ }
-+ }
+ }
+- sleep(1);
+- }
+- // line buffered stream
+- setvbuf(ftty, NULL, _IOLBF, BUFSIZ);
+-
+- // pid
+- mypid = getpid();
+-
+- // process name
+- char *fname;
+- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
+- FILE *fp = orig_fopen(fname, "r");
+- free(fname);
+- if (fp) {
+- if (fgets(myname, MAXNAME, fp) == NULL)
+- strcpy(myname, "unknown");
+- fclose(fp);
+ auto void dump_num(unsigned num) {
+ char stk[16];
+ size_t sp = sizeof stk;
@@ -173,7 +149,7 @@
+ stk[--sp] = '0' + num % 10u;
+ } while ((num /= 10u) && sp > 0);
+ dump_str(stk + sp);
-+ }
+ }
+ dump_num(mypid);
+ dump_str(":");
+ dump_str(myname);
@@ -181,12 +157,24 @@
+ dump_str(name);
+ dump_str("'\n");
+ abort();
-+ }
+ }
+-
+- // clean '\n'
+- char *ptr = strchr(myname, '\n');
+- if (ptr)
+- *ptr = '\0';
+-
+-// tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
+-}
+-
+-static void fini(void) __attribute__((destructor));
+-void fini(void) {
+- fclose(ftty);
+ return addr;
}
//
-@@ -257,459 +248,626 @@ static char *translate(XTable *table, int val) {
+@@ -255,87 +265,164 @@ static char *translate(XTable *table, int val) {
return NULL;
}
@@ -218,8 +206,11 @@
+ snprintf(buff, size, "family %d", addr->sa_family);
}
+ return buff;
-+}
-+
+ }
+
+-//
+-// syscalls
+-//
+static char *socket_repr(int domain, int type, int protocol, char *buff, size_t size) {
+ char domain_buf[16];
+ char type_buf[16];
@@ -227,12 +218,21 @@
+ const char *domain_str;
+ const char *type_str;
+ const char *protocol_str;
-+
+
+-// open
+-typedef int (*orig_open_t)(const char *pathname, int flags, mode_t mode);
+-static orig_open_t orig_open = NULL;
+-int open(const char *pathname, int flags, mode_t mode) {
+- if (!orig_open)
+- orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
+ if (!(domain_str = translate(socket_domain, domain))) {
+ snprintf(domain_buf, sizeof domain_buf, "%d", domain);
+ domain_str = domain_buf;
+ }
-+
+
+- int rv = orig_open(pathname, flags, mode);
+- tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv);
+- return rv;
+ // glibc uses higher bits for various other purposes
+# ifdef SOCK_CLOEXEC
+ type &= ~SOCK_CLOEXEC;
@@ -257,10 +257,17 @@
+ return buff;
}
- //
- // syscalls
- //
+-typedef int (*orig_open64_t)(const char *pathname, int flags, mode_t mode);
+-static orig_open64_t orig_open64 = NULL;
+-int open64(const char *pathname, int flags, mode_t mode) {
+- if (!orig_open64)
+- orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
++//
++// syscalls
++//
+- int rv = orig_open64(pathname, flags, mode);
+- tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv);
+#define REAL(TYPE, ARGS...)\
+ static TYPE (*real)(ARGS) = NULL;\
+ do {\
@@ -269,15 +276,7 @@
+ }\
+ } while (0)
+
- // open
--typedef int (*orig_open_t)(const char *pathname, int flags, mode_t mode);
--static orig_open_t orig_open = NULL;
--int open(const char *pathname, int flags, mode_t mode) {
-- if (!orig_open)
-- orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
--
-- int rv = orig_open(pathname, flags, mode);
-- tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv);
++// open
+int open(const char *pathname, int flags, ...) {
+ REAL(int, const char *pathname, int flags, mode_t mode);
+ mode_t mode = 0;
@@ -292,17 +291,9 @@
+ message("%s %s %d %#3o:%d (errno=%d)", __func__, pathname, flags, mode, rv, errno);
+ else if (verbose)
+ message("%s %s %d %#3o:%d", __func__, pathname, flags, mode, rv);
- return rv;
- }
-
--typedef int (*orig_open64_t)(const char *pathname, int flags, mode_t mode);
--static orig_open64_t orig_open64 = NULL;
--int open64(const char *pathname, int flags, mode_t mode) {
-- if (!orig_open64)
-- orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
--
-- int rv = orig_open64(pathname, flags, mode);
-- tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv);
++ return rv;
++}
++
+int open64(const char *pathname, int flags, ...) {
+ REAL(int, const char *pathname, int flags, mode_t mode);
+ mode_t mode = 0;
@@ -345,17 +336,9 @@
+ message("%s %d %s %d %#3o:%d (errno=%d)", __func__, dirfd, pathname, flags, mode, rv, errno);
+ else if (verbose)
+ message("%s %d %s %d %#3o:%d", __func__, dirfd, pathname, flags, mode, rv);
- return rv;
- }
-
--typedef int (*orig_openat64_t)(int dirfd, const char *pathname, int flags, mode_t mode);
--static orig_openat64_t orig_openat64 = NULL;
--int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
-- if (!orig_openat64)
-- orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
--
-- int rv = orig_openat64(dirfd, pathname, flags, mode);
-- tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv);
++ return rv;
++}
++
+int openat64(int dirfd, const char *pathname, int flags, ...) {
+ REAL(int, int dirfd, const char *pathname, int flags, mode_t mode);
+ mode_t mode = 0;
@@ -373,14 +356,23 @@
return rv;
}
+-typedef int (*orig_openat64_t)(int dirfd, const char *pathname, int flags, mode_t mode);
+-static orig_openat64_t orig_openat64 = NULL;
+-int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
+- if (!orig_openat64)
+- orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
-
- // fopen
+- int rv = orig_openat64(dirfd, pathname, flags, mode);
+- tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv);
++// fopen
+static FILE *silent_fopen(const char *pathname, const char *mode) {
+ REAL(FILE *, const char *pathname, const char *mode);
+ FILE *rv = real(pathname, mode);
-+ return rv;
-+}
-+
+ return rv;
+ }
+
+-
+-// fopen
FILE *fopen(const char *pathname, const char *mode) {
- if (!orig_fopen)
- orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
@@ -395,7 +387,9 @@
return rv;
}
- #ifdef __GLIBC__
+@@ -343,377 +430,475 @@ FILE *fopen(const char *pathname, const char *mode) {
+ typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
+ static orig_fopen64_t orig_fopen64 = NULL;
FILE *fopen64(const char *pathname, const char *mode) {
- if (!orig_fopen64)
- orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
@@ -410,7 +404,7 @@
+ message("%s %s %s:%p", __func__, pathname, mode, rv);
return rv;
}
- #endif /* __GLIBC__ */
+ #endif
-
// freopen
@@ -431,9 +425,11 @@
return rv;
}
- #ifdef __GLIBC__
--typedef FILE *(*orig_freopen64_t)(const char *pathname, const char *mode, FILE *stream);
--static orig_freopen64_t orig_freopen64 = NULL;
+ #ifndef freopen64
+ typedef FILE *(*orig_freopen64_t)(const char *pathname, const char *mode, FILE *stream);
+ static orig_freopen64_t orig_freopen64 = NULL;
++#endif
++#ifdef __GLIBC__
FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
- if (!orig_freopen64)
- orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64");
@@ -448,7 +444,7 @@
+ message("%s %s %s %p:%p", __func__, pathname, mode, stream, rv);
return rv;
}
- #endif /* __GLIBC__ */
+ #endif
// unlink
-typedef int (*orig_unlink_t)(const char *pathname);
@@ -555,9 +551,11 @@
return rv;
}
- #ifdef __GLIBC__
--typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf);
--static orig_stat64_t orig_stat64 = NULL;
+ #ifndef stat64
+ typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf);
+ static orig_stat64_t orig_stat64 = NULL;
++#endif
++#ifdef __GLIBC__
int stat64(const char *pathname, struct stat64 *statbuf) {
- if (!orig_stat64)
- orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
@@ -572,7 +570,7 @@
+ message("%s %s %p:%d", __func__, pathname, statbuf, rv);
return rv;
}
- #endif /* __GLIBC__ */
+ #endif
// lstat
-typedef int (*orig_lstat_t)(const char *pathname, struct stat *statbuf);
@@ -592,9 +590,11 @@
return rv;
}
- #ifdef __GLIBC__
--typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf);
--static orig_lstat64_t orig_lstat64 = NULL;
+ #ifndef lstat64
+ typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf);
+ static orig_lstat64_t orig_lstat64 = NULL;
++#endif
++#ifdef __GLIBC__
int lstat64(const char *pathname, struct stat64 *statbuf) {
- if (!orig_lstat64)
- orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
@@ -607,9 +607,7 @@
+ return rv;
+}
+#endif /* __GLIBC__ */
-
-- int rv = orig_lstat64(pathname, statbuf);
-- tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv);
++
+int fstatat(int dirfd, const char *pathname, struct stat *statbuf, int flags) {
+ REAL(int, int dirfd, const char *pathname, struct stat *statbuf, int flags);
+ int rv = real(dirfd, pathname, statbuf, flags);
@@ -660,7 +658,9 @@
+ message("%s %d %s %p:%d", __func__, vers, pathname, statbuf, rv);
+ return rv;
+}
-+
+
+- int rv = orig_lstat64(pathname, statbuf);
+- tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv);
+int __lxstat64(int vers, const char *pathname, struct stat64 *statbuf) {
+ REAL(int, int vers, const char *pathname, struct stat64 *statbuf);
+ int rv = real(vers, pathname, statbuf);
@@ -690,7 +690,7 @@
+ message("%s %d %d %s %p %d:%d", __func__, vers, dirfd, pathname, statbuf, flags, rv);
return rv;
}
- #endif /* __GLIBC__ */
+ #endif
// opendir
-typedef DIR *(*orig_opendir_t)(const char *pathname);
@@ -711,27 +711,27 @@
}
// access
-+static int silent_access(const char *pathname, int mode) {
-+ REAL(int, const char *pathname, int mode);
-+ int rv = real(pathname, mode);
-+ return rv;
-+}
-+
- int access(const char *pathname, int mode) {
+-int access(const char *pathname, int mode) {
- if (!orig_access)
- orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
-
- int rv = orig_access(pathname, mode);
- tprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv);
++static int silent_access(const char *pathname, int mode) {
++ REAL(int, const char *pathname, int mode);
++ int rv = real(pathname, mode);
+ return rv;
+ }
+
++int access(const char *pathname, int mode) {
+ int rv = silent_access(pathname, mode);
+ if (rv == -1)
+ message("%s %s %d:%d (errno=%d)", __func__, pathname, mode, rv, errno);
+ else if (verbose)
+ message("%s %s %d:%d", __func__, pathname, mode, rv);
- return rv;
- }
++ return rv;
++}
--
// connect
-typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
-static orig_connect_t orig_connect = NULL;
@@ -994,19 +994,17 @@
int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
- if (!orig_setresgid)
- orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid");
--
-- int rv = orig_setresgid(rgid, egid, sgid);
-- tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv);
--
+ REAL(int, gid_t rgid, gid_t egid, gid_t sgid);
+ int rv = real(rgid, egid, sgid);
+ if (rv == -1)
+ message("%s %d %d %d:%d (errno=%d)", __func__, rgid, egid, sgid, rv, errno);
+ else if (verbose)
+ message("%s %d %d %d:%d", __func__, rgid, egid, sgid, rv);
- return rv;
- }
++ return rv;
++}
+- int rv = orig_setresgid(rgid, egid, sgid);
+- tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv);
+//
+// library constructor/destructor
+//
@@ -1016,31 +1014,35 @@
+ exit(EXIT_FAILURE);
+ message("=== tracelib init() === ");
+}
-+
+
+- return rv;
+__attribute__((destructor)) static void fini(void) {
+ message("=== tracelib fini() === ");
+ if (ftty) {
+ fclose(ftty);
+ ftty = NULL;
+ }
-+}
-+
+ }
+
// every time a new process is started, this gets called
// it can be used to build things like private-bin
-__attribute__((constructor))
-static void log_exec(int argc, char** argv) {
- (void) argc;
- (void) argv;
+- char *buf = realpath("/proc/self/exe", NULL);
+- if (buf == NULL) {
+- if (errno == ENOMEM) {
+- tprintf(ftty, "realpath: %s\n", strerror(errno));
+- exit(1);
+__attribute__((constructor)) static void log_exec(void) {
- static char buf[PATH_MAX + 1];
- int rv = readlink("/proc/self/exe", buf, PATH_MAX);
- if (rv != -1) {
-- buf[rv] = '\0'; // readlink does not add a '\0' at the end
-- tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
++ static char buf[PATH_MAX + 1];
++ int rv = readlink("/proc/self/exe", buf, PATH_MAX);
++ if (rv != -1) {
+ buf[rv] = '\0'; // readlink does not add a '\0' at the end
+ message("exec %s:0", buf);
- }
- }
++ }
++}
+
+//
+// Determining output file
@@ -1092,10 +1094,10 @@
+ else {
+ // line buffered stream
+ setvbuf(ftty, NULL, _IOLBF, BUFSIZ);
-+ }
-+ }
+ }
+- } else {
+- tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+- free(buf);
+ }
+ return ftty;
-+}
---
-2.17.1
-
+ }
|
[-]
[+]
|
Added |
_service:tar_git:0007-Revert-deprecating-shell-3-5196.patch
^
|
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Suni <daniel.suni@jolla.com>
+Date: Fri, 17 Feb 2023 11:48:56 +0200
+Subject: [PATCH] Revert "deprecating --shell (3) (#5196)"
+
+This reverts commit 7ad735deafa80114a17b20790de63f7e973b1bb4.
+
+This commit makes firejail attempt to use /bin/bash to launch every process
+that uses a "--" argument. Sailjail uses this, but we do *not* want shell
+execution, since it will fail.
+
+There are a number of bug reports in firejail upstream with regards to this
+very odd feature - see e.g. https://github.com/netblue30/firejail/issues/5659
+so for now we will revert the offending commit until the dust settles upstream.
+---
+ src/firejail/sandbox.c | 6 +++---
+ test/filters/noroot.exp | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
+index 0377293de..2a3934807 100644
+--- a/src/firejail/sandbox.c
++++ b/src/firejail/sandbox.c
+@@ -537,7 +537,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
+ //****************************************
+ // start the program without using a shell
+ //****************************************
+- else if (!arg_appimage && !arg_doubledash) {
++ else if (!arg_appimage) {
+ if (arg_debug) {
+ int i;
+ for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
+@@ -569,9 +569,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
+ execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+ }
+ //****************************************
+- // start the program using a shell
++ // start the program using a shell (appimages)
+ //****************************************
+- else { // appimage or double-dash
++ else { // appimage
+ char *arg[5];
+ int index = 0;
+ assert(cfg.usershell);
+diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
+index 942aedbcb..66e1e4e27 100755
+--- a/test/filters/noroot.exp
++++ b/test/filters/noroot.exp
+@@ -81,11 +81,11 @@ spawn $env(SHELL)
+ send -- "firejail --debug --join=test\r"
+ expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+- "Joining user namespace"
++ "User namespace detected"
+ }
+ expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+- "Child process initialized"
++ "Joining user namespace"
+ }
+ sleep 1
+
|
[-]
[+]
|
Changed |
_service
^
|
@@ -6,7 +6,7 @@
<service name="tar_git">
<param name="url">https://github.com/sailfishos/firejail.git</param>
<param name="branch">master</param>
- <param name="revision"/>
+ <param name="revision">45dc642442355edece4d629a01e7d28df20f6e17</param>
<param name="token"/>
<param name="debian">N</param>
<param name="dumb">N</param>
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/.github/workflows/sort.yml
^
|
@@ -1,22 +0,0 @@
-name: sort.py
-
-on:
- push:
- branches: [ master ]
- paths:
- - 'etc/**'
- - 'contrib/sort.py'
- pull_request:
- branches: [ master ]
- paths:
- - 'etc/**'
- - 'contrib/sort.py'
-
-jobs:
- profile-sort:
- runs-on: ubuntu-20.04
- steps:
- - uses: actions/checkout@v2
- - name: check profiles
- run: ./contrib/sort.py etc/*/{*.inc,*.profile}
-
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/Makefile.in
^
|
@@ -1,295 +0,0 @@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-bindir=@bindir@
-libdir=@libdir@
-datarootdir=@datarootdir@
-mandir=@mandir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-PACKAGE_TARNAME=@PACKAGE_TARNAME@
-DOCDIR=@docdir@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
-BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
-HAVE_SUID=@HAVE_SUID@
-HAVE_MAN=@HAVE_MAN@
-
-ifneq ($(HAVE_MAN),no)
-MAN_TARGET = man
-MAN_SRC = src/man
-endif
-
-COMPLETIONDIRS = src/zsh_completion src/bash_completion
-
-.PHONY: all
-all: all_items mydirs $(MAN_TARGET) filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
-SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
-SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
-MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
-MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
-COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
-SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
-ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
-
-.PHONY: all_items $(ALL_ITEMS)
-all_items: $(ALL_ITEMS)
-$(ALL_ITEMS): $(MYDIRS)
- $(MAKE) -C $(dir $@)
-
-.PHONY: mydirs $(MYDIRS)
-mydirs: $(MYDIRS)
-$(MYDIRS):
- $(MAKE) -C $@
-
-$(MANPAGES): src/man
- ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
-
-man: $(MANPAGES)
-
-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
-seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
- src/fseccomp/fseccomp default seccomp
- src/fsec-optimize/fsec-optimize seccomp
-
-seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
- src/fseccomp/fseccomp default seccomp.debug allow-debuggers
- src/fsec-optimize/fsec-optimize seccomp.debug
-
-seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
- src/fseccomp/fseccomp secondary 32 seccomp.32
- src/fsec-optimize/fsec-optimize seccomp.32
-
-seccomp.block_secondary: src/fseccomp/fseccomp
- src/fseccomp/fseccomp secondary block seccomp.block_secondary
-
-seccomp.mdwx: src/fseccomp/fseccomp
- src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
-
-seccomp.mdwx.32: src/fseccomp/fseccomp
- src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
-
-.PHONY: clean
-clean:
- for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
- $(MAKE) -C $$dir clean; \
- done
- $(MAKE) -C test clean
- rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
- rm -f $(SECCOMP_FILTERS)
- rm -f test/utils/index.html*
- rm -f test/utils/wget-log
- rm -f test/utils/lstesting
- rm -f test/environment/index.html*
- rm -f test/environment/wget-log*
- rm -fr test/environment/-testdir
- rm -f test/environment/logfile*
- rm -f test/environment/index.html
- rm -f test/environment/wget-log
- rm -f test/sysutils/firejail_t*
- cd test/compile; ./compile.sh --clean; cd ../..
-
-.PHONY: distclean
-distclean: clean
- for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
- $(MAKE) -C $$dir distclean; \
- done
- $(MAKE) -C test distclean
- rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
-
-realinstall:
- # firejail executable
- install -m 0755 -d $(DESTDIR)$(bindir)
- install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
-ifeq ($(HAVE_SUID),yes)
- chmod u+s $(DESTDIR)$(bindir)/firejail
-endif
- # firemon executable
- install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
- # firecfg executable
- install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
- # jailcheck executable
- install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
- # libraries and plugins
- install -m 0755 -d $(DESTDIR)$(libdir)/firejail
- install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
- install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
- # plugins w/o read permission (non-dumpable)
- install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
- install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
-ifeq ($(HAVE_CONTRIB_INSTALL),yes)
- # contrib scripts
- install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
- # vim syntax
- install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
- install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
- install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
- install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
-endif
- # documents
- install -m 0755 -d $(DESTDIR)$(DOCDIR)
- install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
- # profiles and settings
- install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
- install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
- sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-ifeq ($(BUSYBOX_WORKAROUND),yes)
- ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
-endif
-ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
- # install apparmor profile
- sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
- install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
- sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
- # install apparmor profile customization file
- sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
-endif
-ifneq ($(HAVE_MAN),no)
- # man pages
- install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
- for man in $(MANPAGES); do \
- rm -f $$man.gz; \
- gzip -9n $$man; \
- case "$$man" in \
- *.1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \
- *.5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \
- esac; \
- done
- rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
-endif
- # bash completion
- install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
- install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
- install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
- install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
- # zsh completion
- install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
- install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
-
-install: all
- $(MAKE) realinstall
-
-install-strip: all
- strip $(ALL_ITEMS)
- $(MAKE) realinstall
-
-uninstall:
- rm -f $(DESTDIR)$(bindir)/firejail
- rm -f $(DESTDIR)$(bindir)/firemon
- rm -f $(DESTDIR)$(bindir)/firecfg
- rm -fr $(DESTDIR)$(libdir)/firejail
- rm -fr $(DESTDIR)$(libdir)/jailcheck
- rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
- for man in $(MANPAGES); do \
- rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
- rm -f $(DESTDIR)$(mandir)/man1/$$man*; \
- done
- rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
- rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
- rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
- @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
-
-DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
-DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot"
-
-dist:
- mv config.status config.status.old
- mv mkdeb.sh mkdeb.sh.old
- make distclean
- mv mkdeb.sh.old mkdeb.sh
- mv config.status.old config.status
- rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
- mkdir -p $(NAME)-$(VERSION)/test
- cp -a "$(DISTFILES)" $(NAME)-$(VERSION)
- cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test
- rm -rf $(NAME)-$(VERSION)/src/tools
- find $(NAME)-$(VERSION) -name .svn -delete
- tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION)
- rm -fr $(NAME)-$(VERSION)
-
-asc:; ./mkasc.sh $(VERSION)
-
-deb: dist
- ./mkdeb.sh
-
-deb-apparmor: dist
- ./mkdeb.sh -apparmor
-
-test-compile: dist
- cd test/compile; ./compile.sh $(NAME)-$(VERSION)
-
-.PHONY: rpms
-rpms: src/man
- ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
-
-extras: all
- $(MAKE) -C extras/firetools
-
-cppcheck: clean
- cppcheck --force --error-exitcode=1 --enable=warning,performance .
-
-scan-build: clean
- NO_EXTRA_CFLAGS="yes" scan-build make
-
-#
-# make test
-#
-
-TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
-TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
-
-$(TEST_TARGETS):
- $(MAKE) -C test $(subst test-,,$@)
-
-test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
- echo "TEST COMPLETE"
-
-test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
- echo "TEST COMPLETE"
-
-test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
- echo "TEST COMPLETE"
-
-##########################################
-# Individual tests, some of them require root access
-# The tests are very intrusive, by the time you are done
-# with them you will need to restart your computer.
-##########################################
-
-# a firejail-test account is required, public/private key setup
-test-ssh:
- $(MAKE) -C test $(subst test-,,$@)
-
-# requires root access
-test-chroot:
- $(MAKE) -C test $(subst test-,,$@)
-
-# Huge appimage files, not included in "make dist" archive
-test-appimage:
- $(MAKE) -C test $(subst test-,,$@)
-
-# Root access, network devices are created before the test
-# restart your computer to get rid of these devices
-test-network:
- $(MAKE) -C test $(subst test-,,$@)
-
-# requires the same setup as test-network
-test-stress:
- $(MAKE) -C test $(subst test-,,$@)
-
-# Tests running a root user
-test-root:
- $(MAKE) -C test $(subst test-,,$@)
-
-# OverlayFS is not available on all platforms
-test-overlay:
- $(MAKE) -C test $(subst test-,,$@)
-
-# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
-
-test-all: test-root test-chroot test-network test-appimage test-overlay
- echo "TEST COMPLETE"
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/contrib/firejail-welcome.sh
^
|
@@ -1,128 +0,0 @@
-#!/bin/bash
-
-# This file is part of Firejail project
-# Copyright (C) 2020-2021 Firejail Authors
-# License GPL v2
-
-if ! command -v zenity >/dev/null; then
- echo "Please install zenity."
- exit 1
-fi
-if ! command -v sudo >/dev/null; then
- echo "Please install sudo."
- exit 1
-fi
-
-export LANG=en_US.UTF8
-
-zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
-Welcome to firejail!
-
-This is a quick setup guide for newbies.
-
-Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
-<profile-name>.local in ~/.config/firejal.
-
-Firejail's own configuration can be found at /etc/firejail/firejail.config.
-
-Please note that running this script a second time can set new options, but does not unset options
-set in a previous run.
-
-Website: https://firejail.wordpress.com
-Bug-Tracker: https://github.com/netblue30/firejail/issues
-Documentation:
-- https://github.com/netblue30/firejail/wiki
-- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
-- https://firejail.wordpress.com/documentation-2
-- man:firejail(1) and man:firejail-profile(5)
-
-PS: If you have any improvements for this script, open an issue or pull request.
-EOM
-[[ $? -eq 1 ]] && exit 0
-
-sed_scripts=()
-
-read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
-<big><b>Should browsers be allowed to access u2f hardware?</b></big>
-EOM
-
-read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
-<big><b>Should browsers be able to play DRM content?</b></big>
-
-\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
-is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
-DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
-allow their execution. Clearly, this may help an attacker to start malicious code.
-
-NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
-
-HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
-EOM
-
-read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
-You maybe want to set some of these advanced options.
-EOM
-
-read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
-<big><b>Should most programs be started in firejail by default?</b></big>
-EOM
-
-read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
-In order to apply these changes, root privileges are required.
-You will now be asked to enter your password.
-EOM
-
-read -r -d $'\0' MSG_I_FINISH <<EOM
-🥳
-EOM
-
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
- sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
-fi
-
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
- sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
-fi
-
-advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
- --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
- --column="" --column=Option --column=Description <<EOM
-
-force-nonewprivs
-Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
-
-restricted-network
-Restrict all network related commands except 'net none' to root only.
-
-seccomp-error-action=kill
-Kill programs which violate seccomp rules (default: return a error).
-EOM
-)
-
-if [[ $advanced_options == *force-nonewprivs* ]]; then
- sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
-fi
-if [[ $advanced_options == *restricted-network* ]]; then
- sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
-fi
-if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
- sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
-fi
-
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
- run_firecfg=true
-fi
-
-zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
-
-passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
-if [[ -n "${sed_scripts[*]}" ]]; then
- sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
-fi
-if [[ "$run_firecfg" == "true" ]]; then
- sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
-fi
-sudo -k
-unset passwd
-
-zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/inc/disable-passwdmgr.inc
^
|
@@ -1,19 +0,0 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include disable-passwdmgr.local
-
-blacklist ${HOME}/.config/Bitwarden
-blacklist ${HOME}/.config/KeePass
-blacklist ${HOME}/.config/keepass
-blacklist ${HOME}/.config/keepassx
-blacklist ${HOME}/.config/keepassxc
-blacklist ${HOME}/.config/KeePassXCrc
-blacklist ${HOME}/.config/Sinew Software Systems
-blacklist ${HOME}/.fpm
-blacklist ${HOME}/.keepass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.keepassxc
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.local/share/KeePass
-blacklist ${HOME}/.local/share/keepass
-blacklist ${HOME}/.password-store
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/profile-a-l/sway.profile
^
|
@@ -1,19 +0,0 @@
-# Firejail profile for Sway
-# Description: i3-compatible Wayland compositor
-# This file is overwritten after every install/update
-# Persistent local customizations
-include sway.local
-# Persistent global definitions
-include globals.local
-
-# all applications started in sway will run in this profile
-noblacklist ${HOME}/.config/sway
-# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
-noblacklist ${HOME}/.config/i3
-include disable-common.inc
-
-caps.drop all
-netfilter
-noroot
-protocol unix,inet,inet6
-seccomp
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/profile-m-z/nvm.profile
^
|
@@ -1,13 +0,0 @@
-# Firejail profile for nvm
-# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
-quiet
-# This file is overwritten after every install/update
-# Persistent local customizations
-include nvm.local
-# Persistent global definitions
-include globals.local
-
-ignore noroot
-
-# Redirect
-include nodejs-common.profile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/profile-m-z/xlinks2
^
|
@@ -1,20 +0,0 @@
-# Firejail profile for xlinks2
-# Description: Text WWW browser (X11)
-# This file is overwritten after every install/update
-# Persistent local customizations
-include xlinks2.local
-# Persistent global definitions
-# added by included profile
-#include globals.local
-
-noblacklist /tmp/.X11-unix
-
-include whitelist-common.inc
-
-# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
-# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
-private-bin xlinks2
-private-etc fonts
-
-# Redirect
-include links2.profile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/mkdeb.sh.in
^
|
@@ -1,70 +0,0 @@
-#!/bin/sh
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
-# a code archive should already be available
-
-set -e
-NAME=@PACKAGE_NAME@
-VERSION=@PACKAGE_VERSION@
-PACKAGE_TARNAME=@PACKAGE_TARNAME@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_SELINUX=@HAVE_SELINUX@
-EXTRA_VERSION=$1
-
-CONFIG_ARGS="--prefix=/usr"
-if [ -n "$HAVE_APPARMOR" ]; then
- CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor"
-fi
-if [ -n "$HAVE_SELINUX" ]; then
- CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
-fi
-
-TOP=`pwd`
-CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
-CODE_DIR="$NAME-$VERSION"
-INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
-DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
-
-echo "*****************************************"
-echo "code archive: $CODE_ARCHIVE"
-echo "code directory: $CODE_DIR"
-echo "install directory: $INSTALL_DIR"
-echo "debian control directory: $DEBIAN_CTRL_DIR"
-echo "*****************************************"
-
-tar -xJvf $CODE_ARCHIVE
-#mkdir -p $INSTALL_DIR
-cd $CODE_DIR
-./configure $CONFIG_ARGS
-make -j2
-mkdir debian
-DESTDIR=debian make install-strip
-
-cd ..
-echo "*****************************************"
-SIZE=`du -s $INSTALL_DIR`
-echo "install size $SIZE"
-echo "*****************************************"
-
-mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
-mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$VERSION/g" $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
-
-mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
-
-find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
-chmod 644 $DEBIAN_CTRL_DIR/conffiles
-find $INSTALL_DIR -type d | xargs chmod 755
-cd $CODE_DIR
-fakeroot dpkg-deb --build debian
-lintian --no-tag-display-limit debian.deb
-mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
-cd ..
-rm -fr $CODE_DIR
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/bash_completion/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: firejail.bash_completion
-
-include ../common.mk
-
-firejail.bash_completion: firejail.bash_completion.in
- gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
- sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
- rm $@.tmp
-
-.PHONY: clean
-clean:
- rm -fr firejail.bash_completion
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/common.mk.in
^
|
@@ -1,54 +0,0 @@
-# common definitions for all makefiles
-
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-bindir=@bindir@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-HAVE_GCOV=@HAVE_GCOV@
-HAVE_SELINUX=@HAVE_SELINUX@
-ifeq (@HAVE_SUID@, yes)
-HAVE_SUID=-DHAVE_SUID
-else
-HAVE_SUID=
-endif
-HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
-HAVE_USERTMPFS=@HAVE_USERTMPFS@
-HAVE_OUTPUT=@HAVE_OUTPUT@
-HAVE_LTS=@HAVE_LTS@
-HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
-
-H_FILE_LIST = $(sort $(wildcard *.h))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-
-CFLAGS = @CFLAGS@
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
-CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
-CFLAGS += $(MANFLAGS)
-CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-ifdef NO_EXTRA_CFLAGS
-else
-EXTRA_CFLAGS +=@EXTRA_CFLAGS@
-endif
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fbuilder/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fbuilder
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fbuilder: $(OBJS)
- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fcopy/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fcopy
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fcopy: $(OBJS) ../lib/common.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fgit/fgit-install.sh
^
|
@@ -1,24 +0,0 @@
-#!/bin/sh
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-#
-# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
-#
-
-set -e # exit immediately if one of the commands fails
-cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
-git clone --depth=1 https://www.github.com/netblue30/firejail.git
-cd firejail
-./configure --enable-git-install
-make
-sudo make install-strip
-echo "**********************************************************************"
-echo "Mainline git Firejail version was installed in /usr/local."
-echo "If you want to remove it, run"
-echo
-echo " firejail --git-uninstall"
-echo
-echo "**********************************************************************"
-cd ..
-rm -rf firejail
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fgit/fgit-uninstall.sh
^
|
@@ -1,20 +0,0 @@
-#!/bin/sh
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-#
-# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
-#
-
-set -e # exit immediately if one of the commands fails
-cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
-git clone --depth=1 https://www.github.com/netblue30/firejail.git
-cd firejail
-./configure --enable-git-install
-sudo make uninstall
-echo "**********************************************************************"
-echo "Firejail mainline git version uninstalled from /usr/local"
-echo
-echo "**********************************************************************"
-cd ..
-rm -rf firejail
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firecfg/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: firecfg
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firejail/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: firejail
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall_i386.h ../include/syscall_x86_64.h ../include/firejail_user.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firejail/cgroup.c
^
|
@@ -1,119 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <sys/stat.h>
-
-#define MAXBUF 4096
-
-void save_cgroup(void) {
- if (cfg.cgroup == NULL)
- return;
-
- FILE *fp = fopen(RUN_CGROUP_CFG, "wxe");
- if (fp) {
- fprintf(fp, "%s", cfg.cgroup);
- fflush(0);
- SET_PERMS_STREAM(fp, 0, 0, 0644);
- if (fclose(fp))
- goto errout;
- }
- else
- goto errout;
-
- return;
-
-errout:
- fprintf(stderr, "Error: cannot save cgroup\n");
- exit(1);
-}
-
-void load_cgroup(const char *fname) {
- if (!fname)
- return;
-
- FILE *fp = fopen(fname, "re");
- if (fp) {
- char buf[MAXBUF];
- if (fgets(buf, MAXBUF, fp)) {
- cfg.cgroup = strdup(buf);
- if (!cfg.cgroup)
- errExit("strdup");
- }
- else
- goto errout;
-
- fclose(fp);
- return;
- }
-errout:
- fwarning("cannot load control group\n");
- if (fp)
- fclose(fp);
-}
-
-
-void set_cgroup(const char *path) {
- EUID_ASSERT();
-
- invalid_filename(path, 0); // no globbing
-
- // path starts with /sys/fs/cgroup
- if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
- goto errout;
-
- // path ends in tasks
- char *ptr = strstr(path, "tasks");
- if (!ptr)
- goto errout;
- if (*(ptr + 5) != '\0')
- goto errout;
-
- // no .. traversal
- ptr = strstr(path, "..");
- if (ptr)
- goto errout;
-
- // tasks file exists
- FILE *fp = fopen(path, "ae");
- if (!fp)
- goto errout;
- // task file belongs to the user running the sandbox
- int fd = fileno(fp);
- if (fd == -1)
- errExit("fileno");
- struct stat s;
- if (fstat(fd, &s) == -1)
- errExit("fstat");
- if (s.st_uid != getuid() && s.st_gid != getgid())
- goto errout2;
- // add the task to cgroup
- pid_t pid = getpid();
- int rv = fprintf(fp, "%d\n", pid);
- (void) rv;
- fclose(fp);
- return;
-
-errout:
- fprintf(stderr, "Error: invalid cgroup\n");
- exit(1);
-errout2:
- fprintf(stderr, "Error: you don't have permissions to use this control group\n");
- exit(1);
-}
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firemon/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: firemon
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-firemon: $(OBJS) ../lib/common.o ../lib/pid.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firemon/cgroup.c
^
|
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firemon.h"
-#define MAXBUF 4098
-
-static void print_cgroup(int pid) {
- char *file;
- if (asprintf(&file, "/proc/%d/cgroup", pid) == -1) {
- errExit("asprintf");
- exit(1);
- }
-
- FILE *fp = fopen(file, "r");
- if (!fp) {
- printf(" Error: cannot open %s\n", file);
- free(file);
- return;
- }
-
- char buf[MAXBUF];
- if (fgets(buf, MAXBUF, fp)) {
- printf(" %s", buf);
- fflush(0);
- }
-
- fclose(fp);
- free(file);
-}
-
-void cgroup(pid_t pid, int print_procs) {
- pid_read(pid);
-
- // print processes
- printf(" cgroup: ");
- int i;
- for (i = 0; i < max_pids; i++) {
- if (pids[i].level == 1) {
- if (print_procs || pid == 0)
- pid_print_list(i, arg_wrap);
- int child = find_child(i);
- if (child != -1)
- print_cgroup(child);
- }
- }
- printf("\n");
-}
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fldd/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fldd
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fnet/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fnet
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fnetfilter/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fnetfilter
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fnetfilter: $(OBJS) ../lib/common.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fsec-optimize/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fsec-optimize
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fsec-print/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fsec-print
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fseccomp/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: fseccomp
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/ftee/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: ftee
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST)
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-ftee: $(OBJS)
- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/jailcheck/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: jailcheck
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-jailcheck: $(OBJS)
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/lib/Makefile.in
^
|
@@ -1,14 +0,0 @@
-include ../common.mk
-
-.PHONY: all
-all: $(OBJS)
-
-%.o : %.c $(H_FILE_LIST)
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-.PHONY: clean
-clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/libpostexecseccomp/Makefile.in
^
|
@@ -1,28 +0,0 @@
-CC=@CC@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-
-H_FILE_LIST = $(sort $(wildcard *.h))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
-
-.PHONY: all
-all: libpostexecseccomp.so
-
-%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
- $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libpostexecseccomp.so: $(OBJS)
- $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-.PHONY: clean
-clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/libtrace/Makefile.in
^
|
@@ -1,28 +0,0 @@
-CC=@CC@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-
-H_FILE_LIST = $(sort $(wildcard *.h))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
-
-.PHONY: all
-all: libtrace.so
-
-%.o : %.c $(H_FILE_LIST)
- $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libtrace.so: $(OBJS)
- $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-.PHONY: clean
-clean:; rm -fr $(OBJS) libtrace.so *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/libtracelog/Makefile.in
^
|
@@ -1,28 +0,0 @@
-CC=@CC@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-
-H_FILE_LIST = $(sort $(wildcard *.h))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
-
-.PHONY: all
-all: libtracelog.so
-
-%.o : %.c $(H_FILE_LIST) ../include/rundefs.h
- $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libtracelog.so: $(OBJS)
- $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-.PHONY: clean
-clean:; rm -fr $(OBJS) libtracelog.so *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/man/Makefile.in
^
|
@@ -1,14 +0,0 @@
-.PHONY: all
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
-
-include ../common.mk
-
-%.man: %.txt
- gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
-
-.PHONY: clean
-clean:; rm -fr *.man
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/profstats/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: profstats
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST)
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-profstats: $(OBJS)
- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-
-.PHONY: clean
-clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/zsh_completion/Makefile.in
^
|
@@ -1,17 +0,0 @@
-.PHONY: all
-all: _firejail
-
-include ../common.mk
-
-_firejail: _firejail.in
- gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
- sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
- rm $@.tmp
-
-.PHONY: clean
-clean:
- rm -fr _firejail
-
-.PHONY: distclean
-distclean: clean
- rm -fr Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/Makefile.in
^
|
@@ -1,14 +0,0 @@
-TESTS=$(patsubst %/,%,$(wildcard */))
-
-.PHONY: $(TESTS)
-$(TESTS):
- cd $@ && ./$@.sh 2>&1 | tee $@.log
- cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
-
-.PHONY: clean
-clean:
- for test in $(TESTS); do rm -f "$$test/$$test.log"; done
-
-.PHONY: distclean
-distclean: clean
- rm -f Makefile
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/csh.exp
^
|
@@ -1,34 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-cd /home
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private --shell=/bin/csh\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "env | grep SHELL;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "SHELL"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "/bin/csh"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "home"
-}
-send -- "exit\r"
-after 100
-
-puts "\nall done\n"
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/dash.exp
^
|
@@ -1,44 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-cd /home
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private --tracelog --shell=/bin/dash\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-#send -- "ls -al;pwd\r"
-#expect {
-# timeout {puts "TESTING ERROR 1\n";exit}
-# ".zshrc"
-#}
-#expect {
-# timeout {puts "TESTING ERROR 1.1\n";exit}
-# "home"
-#}
-
-send -- "env | grep SHELL;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "SHELL"
-}
-expect {
- timeout {puts "TESTING ERROR 2.1\n";exit}
- "/bin/dash"
-}
-expect {
- timeout {puts "TESTING ERROR 2.2\n";exit}
- "home"
-}
-send -- "exit\r"
-after 100
-
-puts "\n"
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/shell-none.exp
^
|
@@ -1,47 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --shell=none\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "shell=none configured, but no program specified"
-}
-sleep 1
-
-send -- "firejail --profile=shell-none.profile\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "shell=none configured, but no program specified"
-}
-after 100
-
-send -- "firejail --shell=none ls\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "environment.sh"
-}
-after 100
-
-send -- "firejail --profile=shell-none.profile ls\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "environment.sh"
-}
-after 100
-
-
-puts "\nall done\n"
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/zsh.exp
^
|
@@ -1,34 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-cd /home
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private --shell=/bin/zsh\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "env | grep SHELL;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "SHELL"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "/bin/zsh"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "home"
-}
-send -- "exit\r"
-after 100
-
-puts "\nall done\n"
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fcopy/src/dircopy.exp
^
|
-(symlink to ../dircopy.exp)
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/seccomp-dualfilter.exp
^
|
@@ -1,55 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 1
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./syscall_test\r"
-expect {
- timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
- "Usage"
-}
-
-send -- "./syscall_test32\r"
-expect {
- timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
- "Usage"
-}
-
-set timeout 10
-send -- "firejail ./syscall_test mount\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "before mount"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "after mount" {puts "TESTING ERROR 3\n";exit}
- "Parent is shutting down"
-}
-sleep 1
-
-send -- "firejail ./syscall_test32 mount\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "before mount"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "after mount" {puts "TESTING ERROR 7\n";exit}
- "Parent is shutting down"
-}
-
-after 100
-puts "\nall done\n"
|
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/syscall_test
^
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/syscall_test.c
^
|
@@ -1,82 +0,0 @@
-// This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
-// License GPL v2
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <net/ethernet.h>
-#include <sys/mount.h>
-
-int main(int argc, char **argv) {
- if (argc != 2) {
- printf("Usage: test [sleep|socket|mkdir|mount]\n");
- return 1;
- }
-
- if (strcmp(argv[1], "sleep") == 0) {
- printf("before sleep\n");
- sleep(1);
- printf("after sleep\n");
- }
- else if (strcmp(argv[1], "socket") == 0) {
- int sock;
-
- printf("testing socket AF_INET\n");
- if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
- perror("socket");
- }
- else
- close(sock);
-
- printf("testing socket AF_INET6\n");
- if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
- perror("socket");
- }
- else
- close(sock);
-
- printf("testing socket AF_NETLINK\n");
- if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
- perror("socket");
- }
- else
- close(sock);
-
- printf("testing socket AF_UNIX\n");
- if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
- perror("socket");
- }
- else
- close(sock);
-
- // root needed to be able to handle this
- printf("testing socket AF_PACKETX\n");
- if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) {
- perror("socket");
- }
- else
- close(sock);
- printf("after socket\n");
- }
- else if (strcmp(argv[1], "mkdir") == 0) {
- printf("before mkdir\n");
- mkdir("tmp", 0777);
- printf("after mkdir\n");
- }
- else if (strcmp(argv[1], "mount") == 0) {
- printf("before mount\n");
- if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) {
- perror("mount");
- }
- printf("after mount\n");
- }
- else {
- fprintf(stderr, "Error: invalid argument\n");
- return 1;
- }
- return 0;
-}
|
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/syscall_test32
^
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/private-lib.exp
^
|
@@ -1,48 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-after 100
-send -- "stty -echo\r"
-after 100
-
-send -- "cd /bin; find .\; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
-# "grep" {puts "TESTING ERROR 3\n";exit}
- "rm" {puts "TESTING ERROR 3\n";exit}
- "cp" {puts "TESTING ERROR 4\n";exit}
- "done"
-}
-after 100
-
-send -- "cd /lib; find .\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "./modules" {puts "TESTING ERROR 6\n";exit}
- "./firmware" {puts "TESTING ERROR 7\n";exit}
- "libc.so"
-}
-after 100
-
-send -- "cd /usr/lib; find .\r"
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "grub" {puts "TESTING ERROR 9\n";exit}
- "mozilla" {puts "TESTING ERROR 10\n";exit}
- "libdl.so"
-}
-after 100
-
-puts "\nall done\n"
|
|
Changed |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/testdir1/.directory/file
^
|
|
Changed |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/testdir1/.file
^
|
|
Changed |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/testfile1
^
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/root/cgroup.exp
^
|
@@ -1,61 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-cd /home
-spawn $env(SHELL)
-match_max 100000
-
-
-send -- "mkdir /sys/fs/cgroup/systemd/firejail\r"
-sleep 1
-send -- "ls /sys/fs/cgroup/systemd/firejail\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "tasks"
-}
-
-send -- "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "3"
-}
-
-spawn $env(SHELL)
-send -- "firejail --join=\"join testing\"\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "Switching to pid"
-}
-sleep 1
-send -- "ps aux\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "/bin/bash"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "/bin/bash"
-}
-
-after 100
-
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "3"
-}
-after 100
-
-puts "\nall done\n"
|
[-]
[+]
|
Deleted |
_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/utils/firemon-cgroup.exp
^
|
@@ -1,40 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test1\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --name=test2\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firemon --cgroup\r"
-sleep 4
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
- "name=test1"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "name=test2"
-}
-
-after 100
-
-puts "\nall done\n"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.git-blame-ignore-revs
^
|
@@ -0,0 +1,35 @@
+# Note: Entries (and sections) should be listed in topological order (that is,
+# in the same order that is shown by `git log --oneline`) and they can be
+# generated with one of the following commands:
+#
+# TZ=UTC0 git show --date='format-local:%Y-%m-%d' --pretty='%H # %cd | %s' -s
+# [<commit>...]
+#
+# TZ=UTC0 git log --date='format-local:%Y-%m-%d' --pretty='%H # %cd | %s'
+# [<revision-range>]
+
+# Landlock v1
+97874c3bf923798b0e3ab119d169aaa9b1314221 # 2022-09-05 | Revert "Merge pull request #5315 from ChrysoliteAzalea/landlock"
+b900bdc87463d79568aef46cb7e3b373fbff84b1 # 2022-09-05 | Revert "compile fix"
+bfcacff665b750ae7b9fc984496df26fcd7cc53d # 2022-09-05 | Revert "tracelog disabled by default in /etc/firejail/firejail.config file"
+2a79f3a2689711e6151187063bb55a6af3160b6f # 2022-09-05 | Revert "README/README.md"
+67348ac9c2cdf9d30efbf9fd13eaf0a4adc3be00 # 2022-09-05 | Revert "typos"
+0cd20b7e81a7815f57055b38f0746ef14fed2cd0 # 2022-09-05 | Revert "fix syntax in configure.ac"
+26c74796f3c76b8f0ea0b95a863eb707ecced195 # 2022-09-05 | Revert "landlock: check for landlock support in glibc"
+5b206611c01e42a6d63c596be45bcf085832b035 # 2022-09-05 | Revert "landlock: support in firejail --version"
+2f3c19a87dd49b220f69f27f8c14c627277355d6 # 2022-09-04 | landlock: support in firejail --version
+c5a052ffa4e2ccaf240635db116a49986808a2b6 # 2022-09-04 | landlock: check for landlock support in glibc
+2d885e5a091f847d7c2128506947b0f67dd2edab # 2022-09-04 | fix syntax in configure.ac
+0594c5d3d0f1ddc4049cf2ed38676a1cdc8d6843 # 2022-08-30 | typos
+796fa09636195d8751a7bbc1e1bc88bf8c3ac95a # 2022-08-30 | README/README.md
+6e687c30110a52f267c1779c4eeab82bded9cb77 # 2022-08-29 | tracelog disabled by default in /etc/firejail/firejail.config file
+836ffe37ff891886f15243eacc70963368d57a3f # 2022-08-29 | compile fix
+c6d7474c138f92b3cb3992b5c57750af89eb3b77 # 2022-08-16 | tinyLL has been removed as it's no longer needed
+460fa7a6f98cc1e7aec2953e6523f32677d546c7 # 2022-08-16 | Proposed fixes.
+877fc99d541af83a9486dfff43580e33dedd8b4c # 2022-08-15 | Update quotation marks in src/zsh_completion/_firejail.in
+ba828befe06b99b7dc2d504085cb40aa2d710998 # 2022-08-15 | Landlock functions are added to the code of Firejail, removing the dependency on tinyLL
+61b15442898eeb1db2d23b6b2eb72a705ceb368a # 2022-08-15 | Landlock support has been added.
+
+# "move whitelist/blacklist to allow/deny"
+f43382f1e9707b4fd5e63c7bfe881912aa4ee994 # 2021-07-18 | Revert "move whitelist/blacklist to allow/deny"
+fe0f975f447d59977d90c3226cc8c623b31b20b3 # 2021-07-05 | move whitelist/blacklist to allow/deny
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.gitattributes
^
|
@@ -0,0 +1 @@
+/etc/inc/*.inc linguist-language=text
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/ISSUE_TEMPLATE/bug_report.md
^
|
@@ -6,44 +6,88 @@
assignees: ''
---
-Write clear, concise and in textual form.
-**Bug and expected behavior**
-- Describe the bug.
-- What did you expect to happen?
-
-**No profile and disabling firejail**
-- What changed calling `firejail --noprofile /path/to/program` in a terminal?
-- What changed calling the program by path (e.g. `/usr/bin/vlc`)?
-
-**Reproduce**
-Steps to reproduce the behavior:
-1. Run in bash `firejail PROGRAM`
-2. See error `ERROR`
-3. Click on '....'
-4. Scroll down to '....'
-
-**Environment**
- - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
- - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
-
-**Additional context**
-Other context about the problem like related errors to understand the problem.
-
-**Checklist**
- - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
- - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- - [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
- - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
- - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
- - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- - [ ] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
+<!--
+See the following links for help with formatting:
+https://guides.github.com/features/mastering-markdown/
+https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
+-->
-<details><summary> debug output </summary>
+### Description
+
+_Describe the bug_
+
+### Steps to Reproduce
+
+_Steps to reproduce the behavior_
+
+1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody)
+2. Click on '....'
+3. Scroll down to '....'
+4. See error `ERROR`
+
+### Expected behavior
+
+_What you expected to happen_
+
+### Actual behavior
+
+_What actually happened_
+
+### Behavior without a profile
+
+_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_
+
+### Additional context
+
+_Any other detail that may help to understand/debug the problem_
+
+### Environment
+
+- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
+- Firejail version (`firejail --version`).
+- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`).
+
+### Checklist
+
+<!--
+Note: Items are checked with an "x", like so:
+
+- [x] This is a checked item.
+-->
+
+- [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
+- [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
+- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
+- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
+- [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
+ - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
+- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)
+
+### Log
+
+<details>
+<summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary>
+<p>
+
+```
+output goes here
+```
+
+</p>
+</details>
+
+<details>
+<summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary>
+<p>
+
+<!-- If the output is too long to embed it into the comment,
+ create a secret gist at https://gist.github.com/ and link it here. -->
```
-OUTPUT OF `firejail --debug PROGRAM`
+output goes here
```
+</p>
</details>
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/ISSUE_TEMPLATE/config.yml
^
|
@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+ - name: Question
+ url: https://github.com/netblue30/firejail/discussions
+ about: For questions you should use GitHub Discussions.
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/ISSUE_TEMPLATE/feature_request.md
^
|
@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+
+_A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_
+
+### Describe the solution you'd like
+
+_A clear and concise description of what you want to happen._
+
+### Describe alternatives you've considered
+
+_A clear and concise description of any alternative solutions or features you've considered._
+
+### Additional context
+
+_Add any other context or screenshots about the feature request here._
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/dependabot.yml
^
|
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/pull_request_template.md
^
|
@@ -1,4 +1,3 @@
-
If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
If you submit a PR for new profiles or changing profiles, please do the following:
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/workflows/build.yml
^
|
@@ -4,7 +4,16 @@
push:
branches: [ master ]
paths-ignore:
+ - '.github/ISSUE_TEMPLATE/*'
+ - .git-blame-ignore-revs
+ - .github/dependabot.yml
+ - .github/pull_request_template.md
+ - .github/workflows/codeql-analysis.yml
+ - .github/workflows/profile-checks.yml
+ - .gitignore
+ - .gitlab-ci.yml
- CONTRIBUTING.md
+ - COPYING
- README
- README.md
- RELNOTES
@@ -12,24 +21,53 @@
pull_request:
branches: [ master ]
paths-ignore:
+ - '.github/ISSUE_TEMPLATE/*'
+ - .git-blame-ignore-revs
+ - .github/dependabot.yml
+ - .github/pull_request_template.md
+ - .github/workflows/codeql-analysis.yml
+ - .github/workflows/profile-checks.yml
+ - .gitignore
+ - .gitlab-ci.yml
- CONTRIBUTING.md
+ - COPYING
- README
- README.md
- RELNOTES
- SECURITY.md
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
build_and_test:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
steps:
- - uses: actions/checkout@v2
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ debian.org:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ www.debian.org:443
+ www.debian.org:80
+ yahoo.com:1025
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+ - name: update package information
+ run: sudo apt-get update
- name: install dependencies
- run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
+ run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
- name: configure
- run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+ run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
- name: make
run: make
- name: make install
run: sudo make install
+ - name: print version
+ run: command -V firejail && firejail --version
- name: run tests
run: SHELL=/bin/bash make test-github
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/workflows/codeql-analysis.yml
^
|
@@ -9,27 +9,58 @@
push:
branches: [ master ]
paths-ignore:
+ - '.github/ISSUE_TEMPLATE/*'
+ - 'etc/**'
+ - 'contrib/gtksourceview-5/**'
+ - 'contrib/vim/**'
+ - 'src/man/*.txt'
+ - .git-blame-ignore-revs
+ - .github/dependabot.yml
+ - .github/pull_request_template.md
+ - .github/workflows/profile-checks.yml
+ - .gitignore
+ - .gitlab-ci.yml
- CONTRIBUTING.md
+ - COPYING
- README
- README.md
- RELNOTES
- SECURITY.md
- - 'etc/**'
+ - src/firecfg/firecfg.config
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]
paths-ignore:
+ - '.github/ISSUE_TEMPLATE/*'
+ - 'etc/**'
+ - 'contrib/gtksourceview-5/**'
+ - 'contrib/vim/**'
+ - 'src/man/*.txt'
+ - .git-blame-ignore-revs
+ - .github/dependabot.yml
+ - .github/pull_request_template.md
+ - .github/workflows/profile-checks.yml
+ - .gitignore
+ - .gitlab-ci.yml
- CONTRIBUTING.md
+ - COPYING
- README
- README.md
- RELNOTES
- SECURITY.md
- - 'etc/**'
+ - src/firecfg/firecfg.config
schedule:
- cron: '0 7 * * 2'
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
name: Analyze
runs-on: ubuntu-latest
@@ -42,12 +73,22 @@
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ uploads.github.com:443
+
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +99,7 @@
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -72,4 +113,4 @@
# make release
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/workflows/profile-checks.yml
^
|
@@ -0,0 +1,44 @@
+name: Profile Checks
+
+on:
+ push:
+ branches: [ master ]
+ paths:
+ - 'ci/check/profiles/**'
+ - 'etc/**'
+ - .github/workflows/profile-checks.yml
+ - contrib/sort.py
+ - src/firecfg/firecfg.config
+ pull_request:
+ branches: [ master ]
+ paths:
+ - 'ci/check/profiles/**'
+ - 'etc/**'
+ - .github/workflows/profile-checks.yml
+ - contrib/sort.py
+ - src/firecfg/firecfg.config
+
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
+jobs:
+ profile-checks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+ - name: sort.py
+ run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+ - name: private-etc-always-required.sh
+ run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+ - name: sort-disable-programs.sh
+ run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+ - name: sort-firecfg.config.sh
+ run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.gitignore
^
|
@@ -10,9 +10,11 @@
.directory
*.man
.vscode
-Makefile
+/firejail-*/
autom4te.cache/
config.log
+config.mk
+config.sh
config.status
firejail-*.tar.xz
firejail-login.5
@@ -22,12 +24,15 @@
firejail.1
firemon.1
firecfg.1
-jailcheck.5
-mkdeb.sh
+jailcheck.1
+src/fnettrace-dns/fnettrace-dns
+src/fnettrace-sni/fnettrace-sni
+src/fnettrace-icmp/fnettrace-icmp
src/firejail/firejail
src/firemon/firemon
src/firecfg/firecfg
src/ftee/ftee
+src/fids/fids
src/tags
src/faudit/faudit
src/fnet/fnet
@@ -42,6 +47,8 @@
src/bash_completion/firejail.bash_completion
src/zsh_completion/_firejail
src/jailcheck/jailcheck
+src/fnettrace/fnettrace
+src/fzenity/fzenity
uids.h
seccomp
seccomp.debug
@@ -50,7 +57,6 @@
seccomp.block_secondary
seccomp.mdwx
seccomp.mdwx.32
-src/common.mk
aclocal.m4
__pycache__
*.pyc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.gitlab-ci.yml
^
|
@@ -11,6 +11,7 @@
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3 gawk
- ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
+ - command -V firejail && firejail --version
- python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
build_debian_package:
@@ -19,13 +20,15 @@
- apt-get update -qq
- apt-get install -y -qq build-essential lintian pkg-config gawk
- ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
+ - command -V firejail && firejail --version
build_redhat_package:
- image: centos:latest
+ image: almalinux:latest
script:
- dnf update -y
- dnf install -y rpm-build gcc make
- ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
+ - command -V firejail && firejail --version
build_fedora_package:
image: fedora:latest
@@ -33,6 +36,7 @@
- dnf update -y
- dnf install -y rpm-build gcc make
- ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
+ - command -V firejail && firejail --version
- python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
build_src_package:
@@ -42,6 +46,7 @@
- apk upgrade
- apk add build-base linux-headers python3 gawk
- ./configure --prefix=/usr && make && make install-strip
+ - command -V firejail && firejail --version
# - python3 contrib/sort.py etc/*.{profile,inc}
build_apparmor:
@@ -49,7 +54,9 @@
script:
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk
- - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb
+ - ./configure && make deb-apparmor && dpkg -i firejail*.deb
+ - command -V firejail && firejail --version
+ - firejail --version | grep -F 'AppArmor support is enabled'
debian_ci:
image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/CONTRIBUTING.md
^
|
@@ -34,6 +34,14 @@
[profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
If you have already written a profile, please make sure it follows the rules described in the template.
+If you add a new command, here's the checklist:
+
+ - [ ] Update manpages: firejail(1) and firejail-profile(5)
+ - [ ] Update shell completions
+ - [ ] Update vim syntax files
+ - [ ] Update gtksourceview language specs
+ - [ ] Update --help
+
# Editing the wiki
You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/COPYING
^
|
@@ -1,12 +1,12 @@
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
- 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
- Preamble
+ Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
@@ -15,7 +15,7 @@
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.) You can apply it to
+the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@
The precise terms and conditions for copying, distribution and
modification follow.
-
- GNU GENERAL PUBLIC LICENSE
+
+ GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
-
+
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
-
+
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
-
+
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
- NO WARRANTY
+ NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
@@ -277,4 +277,63 @@
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
- END OF TERMS AND CONDITIONS
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/Makefile
^
|
@@ -0,0 +1,327 @@
+ROOT = .
+-include config.mk
+
+ifneq ($(HAVE_MAN),no)
+MAN_TARGET = man
+MAN_SRC = src/man
+endif
+
+COMPLETIONDIRS = src/zsh_completion src/bash_completion
+
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity
+SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni
+SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
+MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
+MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
+
+.PHONY: all
+all: all_items mydirs $(MAN_TARGET) filters
+
+config.mk config.sh:
+ printf 'run ./configure to generate %s\n' "$@" >&2
+ false
+
+.PHONY: all_items $(ALL_ITEMS)
+all_items: $(ALL_ITEMS)
+$(ALL_ITEMS): $(MYDIRS)
+ $(MAKE) -C $(dir $@)
+
+.PHONY: mydirs $(MYDIRS)
+mydirs: $(MYDIRS)
+$(MYDIRS):
+ $(MAKE) -C $@
+
+$(MANPAGES): src/man config.mk
+ ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
+
+man: $(MANPAGES)
+
+filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
+seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ src/fseccomp/fseccomp default seccomp
+ src/fsec-optimize/fsec-optimize seccomp
+
+seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ src/fseccomp/fseccomp default seccomp.debug allow-debuggers
+ src/fsec-optimize/fsec-optimize seccomp.debug
+
+seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ src/fseccomp/fseccomp secondary 32 seccomp.32
+ src/fsec-optimize/fsec-optimize seccomp.32
+
+seccomp.block_secondary: src/fseccomp/fseccomp
+ src/fseccomp/fseccomp secondary block seccomp.block_secondary
+
+seccomp.mdwx: src/fseccomp/fseccomp
+ src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
+
+seccomp.mdwx.32: src/fseccomp/fseccomp
+ src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
+
+.PHONY: clean
+clean:
+ for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
+ $(MAKE) -C $$dir clean; \
+ done
+ $(MAKE) -C test clean
+ rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+ rm -f $(SECCOMP_FILTERS)
+ rm -f test/utils/index.html*
+ rm -f test/utils/wget-log
+ rm -f test/utils/firejail-test-file*
+ rm -f test/utils/lstesting
+ rm -f test/environment/index.html*
+ rm -f test/environment/wget-log*
+ rm -fr test/environment/-testdir
+ rm -f test/environment/logfile*
+ rm -f test/environment/index.html
+ rm -f test/environment/wget-log
+ rm -f test/sysutils/firejail_t*
+ cd test/compile; ./compile.sh --clean; cd ../..
+
+.PHONY: distclean
+distclean: clean
+ for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
+ $(MAKE) -C $$dir distclean; \
+ done
+ $(MAKE) -C test distclean
+ rm -fr autom4te.cache config.log config.mk config.sh config.status
+
+realinstall: config.mk
+ # firejail executable
+ install -m 0755 -d $(DESTDIR)$(bindir)
+ install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
+ifeq ($(HAVE_SUID),-DHAVE_SUID)
+ chmod u+s $(DESTDIR)$(bindir)/firejail
+endif
+ # firemon executable
+ install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
+ # firecfg executable
+ install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+ # jailcheck executable
+ install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
+ # libraries and plugins
+ install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+ install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+ # plugins w/o read permission (non-dumpable)
+ install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+ install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+ install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
+ifeq ($(HAVE_CONTRIB_INSTALL),yes)
+ # contrib scripts
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
+ # vim syntax
+ install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+ install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+ install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+ install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+ # gtksourceview-5 language-specs
+ install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+ install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+endif
+ # documents
+ install -m 0755 -d $(DESTDIR)$(docdir)
+ install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
+ # profiles and settings
+ install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+ install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
+ install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
+ sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
+ifeq ($(HAVE_IDS),-DHAVE_IDS)
+ install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
+endif
+ifeq ($(BUSYBOX_WORKAROUND),yes)
+ ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
+endif
+ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
+ # install apparmor profile
+ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
+ install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
+ # install apparmor profile customization file
+ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
+ sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+ # install apparmor base abstraction drop-in
+ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
+ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
+ install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
+endif
+ifneq ($(HAVE_MAN),no)
+ # man pages
+ install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
+ for man in $(MANPAGES); do \
+ rm -f $$man.gz; \
+ gzip -9n $$man; \
+ case "$$man" in \
+ *.1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \
+ *.5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \
+ esac; \
+ done
+ rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
+endif
+ # bash completion
+ install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
+ install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+ install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+ install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+ # zsh completion
+ install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
+ install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
+
+install: all
+ $(MAKE) realinstall
+
+install-strip: all
+ strip $(ALL_ITEMS)
+ $(MAKE) realinstall
+
+uninstall: config.mk
+ rm -f $(DESTDIR)$(bindir)/firejail
+ rm -f $(DESTDIR)$(bindir)/firemon
+ rm -f $(DESTDIR)$(bindir)/firecfg
+ rm -f $(DESTDIR)$(bindir)/jailcheck
+ rm -fr $(DESTDIR)$(libdir)/firejail
+ rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
+ for man in $(MANPAGES); do \
+ rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
+ rm -f $(DESTDIR)$(mandir)/man1/$$man*; \
+ done
+ rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+ rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+ rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+ rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
+ rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
+ rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
+ @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
+
+DISTFILES = \
+COPYING \
+Makefile \
+README \
+RELNOTES \
+config.mk.in \
+config.sh.in \
+configure \
+configure.ac \
+contrib \
+etc \
+install.sh \
+m4 \
+mkdeb.sh \
+mketc.sh \
+mkman.sh \
+platform \
+src
+
+DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot
+
+dist: config.mk
+ mv config.sh config.sh.old
+ mv config.status config.status.old
+ make distclean
+ mv config.status.old config.status
+ mv config.sh.old config.sh
+ rm -fr $(TARNAME)-$(VERSION) $(TARNAME)-$(VERSION).tar.xz
+ mkdir -p $(TARNAME)-$(VERSION)/test
+ cp -a $(DISTFILES) $(TARNAME)-$(VERSION)
+ cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test
+ rm -rf $(TARNAME)-$(VERSION)/src/tools
+ find $(TARNAME)-$(VERSION) -name .svn -delete
+ tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
+ rm -fr $(TARNAME)-$(VERSION)
+
+asc: config.mk
+ ./mkasc.sh $(VERSION)
+
+deb: dist config.sh
+ ./mkdeb.sh
+
+deb-apparmor: dist config.sh
+ ./mkdeb.sh -apparmor --enable-apparmor
+
+test-compile: dist config.mk
+ cd test/compile; ./compile.sh $(TARNAME)-$(VERSION)
+
+.PHONY: rpms
+rpms: src/man config.mk
+ ./platform/rpm/mkrpm.sh $(TARNAME) $(VERSION)
+
+extras: all
+ $(MAKE) -C extras/firetools
+
+cppcheck: clean
+ cppcheck --force --error-exitcode=1 --enable=warning,performance .
+
+scan-build: clean
+ NO_EXTRA_CFLAGS="yes" scan-build make
+
+#
+# make test
+#
+
+TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
+TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
+
+$(TEST_TARGETS):
+ $(MAKE) -C test $(subst test-,,$@)
+
+test: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
+ echo "TEST COMPLETE"
+
+test-noprofiles: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
+ echo "TEST COMPLETE"
+
+test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
+ echo "TEST COMPLETE"
+
+##########################################
+# Individual tests, some of them require root access
+# The tests are very intrusive, by the time you are done
+# with them you will need to restart your computer.
+##########################################
+# private-lib is disabled by default in /etc/firejail/firejail.config
+test-private-lib:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# a firejail-test account is required, public/private key setup
+test-ssh:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# requires root access
+test-chroot:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# Huge appimage files, not included in "make dist" archive
+test-appimage:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# Root access, network devices are created before the test
+# restart your computer to get rid of these devices
+test-network:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# requires the same setup as test-network
+test-stress:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# Tests running a root user
+test-root:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# OverlayFS is not available on all platforms
+test-overlay:
+ $(MAKE) -C test $(subst test-,,$@)
+
+# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
+
+test-all: test-root test-chroot test-network test-appimage test-overlay
+ echo "TEST COMPLETE"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/README
^
|
@@ -1,18 +1,18 @@
-Firejail is a SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
+Firejail is a SUID sandbox program that reduces the risk of security
+breaches by restricting the running environment of untrusted applications
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
Pidgin, Quassel, and XChat.
-Firejail also expands the restricted shell facility found in bash by adding
-Linux namespace support. It supports sandboxing specific users upon login.
+Firejail also expands the restricted shell facility found in bash by adding
+Linux namespace support. It supports sandboxing specific users upon login.
Download: https://sourceforge.net/projects/firejail/files/
Build and install: ./configure && make && sudo make install
Documentation and support: https://firejail.wordpress.com/
-Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
+Video Channel: https://www.brighteon.com/channels/netblue30
Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
Development: https://github.com/netblue30/firejail
License: GPL v2
@@ -33,18 +33,24 @@
For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
+We build our release firejail.tar.xz and firejail.deb packages using the following command:
+$ make distclean && ./configure && make deb-apparmor
+
+
Maintainer:
- netblue30 (netblue30@protonmail.com)
Committers
- chiraag-nataraj (https://github.com/chiraag-nataraj)
- crass (https://github.com/crass)
+- ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- curiosityseeker (https://github.com/curiosityseeker)
- glitsj16 (https://github.com/glitsj16)
- Fred-Barclay (https://github.com/Fred-Barclay)
- Kelvin M. Klann (https://github.com/kmk3)
- Kristóf Marussy (https://github.com/kris7t)
- Neo00001 (https://github.com/Neo00001)
+- pirate486743186 (https://github.com/pirate486743186)
- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
- rusty-snake (https://github.com/rusty-snake)
- smitsohu (https://github.com/smitsohu)
@@ -62,16 +68,23 @@
0x7969 (https://github.com/0x7969)
- fix wire-desktop.profile
- add ferdi.profile
+0x9fff00 (https://github.com/0x9fff00)
+ - add Colossal Order to steam.profile
7twin (https://github.com/7twin_)
- fix typos
- fix flameshot raw screenshots
1dnrr (https://github.com/1dnrr)
- add pybitmessage profile
+a1346054 (https://github.com/a1346054)
+ - add missing final newlines in various files
+ - Remove deprecated syntax and modernize shell test scripts
Ádler Jonas Gross (https://github.com/adgross)
- AppArmor fix
Adrian L. Shaw (https://github.com/adrianlshaw)
- add profanity profile
- add barrirer profile
+ - add profile for Beyond All Reason
+ - RPCS3 profile
Aidan Gauland (https://github.com/aidalgol)
- added electron, riot-web and npm profiles
- whitelist Bohemia Interactive config dir for Steam
@@ -107,11 +120,16 @@
- profile updates
Alexander Stein (https://github.com/ajstein)
- added profile for qutebrowser
+alkim0 (https://github.com/alkim0)
+ - warn when encountering EIO during remount
+ - Add profile for chafa
Amin Vakil (https://github.com/aminvakil)
- whois profile fix
- added profile for strawberry
- w3m profile fix
- disable seccomp in wireshark profile
+Ammon Smith (https://github.com/ammongit)
+ - Add DBus filter rules specific to firefox-developer-edition
Andreas Hunkeler (https://github.com/Karneades)
- Add profile for offical Linux Teams application
Andrey Alekseenko (https://github.com/al42and)
@@ -127,6 +145,9 @@
- evince profile fix
Anton Shestakov (https://github.com/antonv6)
- add whitelist items for uim
+ - allow /etc/vulkan in steam profile
+ - allow ~/.cache/wine in lutris and wine profile
+ - support MangoHud in steam profile
Antonio Russo (https://github.com/aerusso)
- enumerate root directories in apparmor profile
- fix join-or-start
@@ -146,6 +167,9 @@
- unbound profile update
Avi Lumelsky (https://github.com/avilum)
- syscall.sh improvements
+avallach2000 (https://github.com/avallach2000(
+ - fix qbittorrent profile
+ - support for changing appearance of the Qt6 apps with qt6ct
avoidr (https://github.com/avoidr)
- whitelist fix
- recently-used.xbel fix
@@ -161,6 +185,8 @@
- added mcabber profile
- fixed mpv profile
- various other fixes
+Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
+ - add support for custom AppArmor profiles (--apparmor=)
backspac (https://github.com/backspac)
- firecfg fixes
- add steam-runtime alias
@@ -170,6 +196,8 @@
- fixed riot-desktop
Barış Ekin Yıldırım (https://github.com/circuitshaker)
- removing net none from code.profile
+Bart Bakker (https://github.com/bjpbakker)
+ - multimc5: fix exec of LWJGL libraries
bbhtt (https://github.com/bbhtt)
- improvements to balsa,fractal,gajim,trojita profiles
- improvements to nheko, spectral, feh, links, lynx, smplayer profiles
@@ -180,6 +208,8 @@
- email clients whitelisting and fixes
Benjamin Kampmann (https://github.com/ligthyear)
- Forward exit code from child process
+BeautyYuYanli (https://github.com/BeautyYuYanli)
+ - add linuxqq and qq profiles
bitfreak25 (https://github.com/bitfreak25)
- added PlayOnLinux profile
- minetest profile fix
@@ -207,6 +237,9 @@
- add gradio profile
- update virtualbox.profile
- Quodlibet profile
+ - update apparmor firejail-local for Brave + ipfs
+bymoz089 (https://github.com/bymoz089)
+ - add timezone access to make libical functional
BytesTuner (https://github.com/BytesTuner)
- provided keepassxc profile
caoliver (https://github.com/caoliver)
@@ -215,8 +248,13 @@
- fixed udiskie profile
- Allow mbind syscall for GIMP
- fixed simple-scan
+Case_Of (https://github.com/CaseOf)
+ - added Seafile profile
Cat (https://github.com/ecat3)
- prevent tmux connecting to an existing session
+cayday (https://github.com/caydey)
+ - added ~/Private blacklist in disable-common.inc
+ - added quiet to some CLI profiles
Christian Pinedo (https://github.com/chrpinedo)
- added nicotine profile
- allow python3 in totem profile
@@ -242,6 +280,14 @@
- extract_command_name fixes
- update appimage size calculation to newest code from libappimage
- firejail should look for processes with names exactly named
+croket (https://github.com/crocket)
+ - fix librewolf profile
+ - added profiles for imv, retroarch, and torbrowser
+ - fix dino profile
+ - fix wireshark profile
+ - prevent emptty /usr/share in google-chrome profiles
+cubercsl (https://github.com/cubercsl)
+ - add linuxqq and qq profiles
curiosity-seeker (https://github.com/curiosity-seeker - old)
curiosityseeker (https://github.com/curiosityseeker - new)
- tightening unbound and dnscrypt-proxy profiles
@@ -283,6 +329,8 @@
- steam.profile: correctly blacklist unneeded directories in user's home
- minetest fixes
- map /dev/input with "--private-dev", add "--no-input" option to disable it
+ - whitelist /usr/share/TelegramDesktop in telegram.profile
+ - allow access to ~/.cache/winetricks
David Hyrule (https://github.com/Svaag)
- remove nou2f in ssh profile
Deelvesh Bunjun (https://github.com/DeelveshBunjun)
@@ -299,9 +347,15 @@
- fix qt5ct colour schemes and QSS
Disconnect3d (https://github.com/disconnect3d)
- code cleanup
+dm9pZCAq (https://github.com/dm9pZCAq)
+ - fix for compilation under musl
dmfreemon (https://github.com/dmfreemon)
- add sandbox name or name of private directory to the window title when xpra is used
- handle malloc() failures; use gnu_basename() instead of basenaem()
+Dmitriy Chestnykh (https://github.com/chestnykh)
+ - add ability to disable user profiles at compile time
+Dpeta (https://github.com/Dpeta)
+ - add Chatterino profile
dshmgh (https://github.com/dshmgh)
- overlayfs fix for systems with /home mounted on a separate partition
Duncan Overbruck (https://github.com/Duncaen)
@@ -311,6 +365,8 @@
Eduard Tolosa (https://github.com/Edu4rdSHL)
- fixed and hardened qpdfview.profile
- fixed gajim.profile
+Eklektisk (https://github.com/Eklektisk)
+ - update librewolf.profile: use new d-bus message bus
emacsomancer (https://github.com/emacsomancer)
- added profile for Conkeror browser
Emil Gedda (https://github.com/EmilGedda)
@@ -326,6 +382,7 @@
- --private-etc fix
fenuks (https://github.com/fenuks)
- fix sound in games using FMOD
+ - allow /opt/tor-browser for Tor Browser profile
Florian Begusch (https://github.com/florianbegusch)
- (la)tex profiles
- fixed transmission-common.profile
@@ -333,6 +390,8 @@
- fix jailprober.py
floxo (https://github.com/floxo)
- fixed qml disk cache issue
+Foemass (https://github.com/Foemass)
+ - documentation
Franco (nextime) Lanza (https://github.com/nextime)
- added --private-template/--private-home
František Polášek (https://github.com/fandaa)
@@ -449,9 +508,16 @@
Helmut Grohne (https://github.com/helmutg)
- compiler support in the build system - Debian bug #869707
hhzek0014 (https://github.com/hhzek0014)
- - updated bibletime.profile
+ - updated bibletime.profile
+hknaack (https://github.com/hknaack)
+ - Kate profile fixes
+ - seamonkey.profile: support enigmail/gpg
+ - Avidemux tools support
hlein (https://github.com/hlein)
- strip out \r's from jail prober
+ - make env/arg sanity check failure messages more useful
+ - relocate firecfg.config to /etc/firejail/
+ - fix display profile for Gentoo distribution
Holger Heinz (https://github.com/hheinz)
- manpage work
Haowei Yu (https://github.com/sfc-gh-hyu)
@@ -485,6 +551,13 @@
- removed shell none from ssh-agent configuration, fixing the infinite loop
- added gcloud profile
- blacklist sensitive cloud provider files in disable-common
+Jan-Niclas (https://github.com/0x6a61)
+ - moved rules from firefox-common.profile to firefox.profile
+ - blacklist /*firefox* except for firefox itself
+ - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
+Jan Sonntag (https://github.com/jmetrius)
+ - added OpenStego profile
+ - allow common access to EGL External platform configuration directory
Jean Lucas (https://github.com/flacks)
- fix Discord profile
- add AnyDesk profile
@@ -521,6 +594,9 @@
Jonas Heinrich (https://github.com/onny)
- added signal-desktop profile
- fixed franz profile
+ - remove /etc/hosts is_link check for NixOS
+ - whitelist for NixOS to resolve binary paths in user environment
+ - NixOS fix OpenGL app support
Jose Riha (https://github.com/jose1711)
- added meteo-qt profile
- created qgis, links, xlinks profiles
@@ -531,6 +607,12 @@
- Add profile for udiskie
- fix udiskie.profile
- improve hints for allowing browser access to Gnome extensions connector
+ - fix warshow, jumpnbump, tremulous, blobwars profile fixes
+ - drop noinput for games with gampad/joystick support
+ - goldendict profile fix
+ - whitelist /usr/share/nextcloud to allow access to translation files
+ - fix clipgrab profile
+ - fix Hugin profile
jrabe (https://github.com/jrabe)
- disallow access to kdbx files
- Epiphany profile
@@ -541,6 +623,8 @@
- fixed Kdenlive, Shotcut profiles
- new profiles for Cinelerra, Cliqz, Bluefish
- profile hardening
+k4leg (https://github.com/k4leg)
+ - fix PyCharm profiles
Kaan Genç (https://github.com/SeriousBug)
- dynamic allocation of noblacklist buffer
Karoshi42 (https://github.com/karoshi42)
@@ -563,7 +647,7 @@
- added falkon profile
- kxmlgui fixes
- okular profile fixes
- - jitsi-meet-desktop profile
+ - jitsi-meet-desktop profile
- konversatin profile fix
- added Neochat profile
- added whitelist-1793-workaround.inc
@@ -571,6 +655,7 @@
- added symlink fixer fix_private-bin.py in contrib section
- update fix_private-bin.py
- fix meld
+ - temporary fix to the bug caused by apparmor profiles stacking
kortewegdevries (https://github.com/kortewegdevries)
- a whole bunch of new profiles and fixes
- whitelisting evolution, kmail
@@ -590,6 +675,9 @@
- fixed test for shell interpreter in chroots
LaurentGH (https://github.com/LaurentGH)
- allow private-bin parameters to be absolute paths
+lecso7 (https://github.com/lecso7)
+ - added goldendict profile
+ - allow evince to read .cbz file format
Loïc Damien (https://github.com/dzamlo)
- small fixes
Liorst4 (https://github.com/Liorst4)
@@ -603,6 +691,8 @@
- fixed parsing of --keep-var-tmp
luzpaz (https://github.com/luzpaz)
- code spelling fixes
+lxeiqr (https://github.com/lxeiqr)
+ - fix sndio support
Mace Muilman (https://github.com/mace015)
- google-chrome{,beta,unstable} flags
maces (https://github.com/maces)
@@ -620,6 +710,10 @@
Martin Dosch (spam-debian@mdosch.de)
- support for gnome-shell integration addon in Firefox
(Bug-Debian: https://bugs.debian.org/872720)
+Martin Sandsmark (https://github.com/sandsmark)
+ - songrec profile
+Martynas Janonis (https://github.com/mjanonis)
+ - update wrc for Arch Linux
Matt Parnell (https://github.com/ilikenwf)
- whitelisting for core firefox related functionality
Mattias Wadman (https://github.com/wader)
@@ -643,10 +737,16 @@
- added support for subdirs in private-etc
Mike Frysinger (vapier@gentoo.org)
- Gentoo compile patch
+minus7 (https://github.com/minus7)
+ - fix hanging arp_check
mirabellette (https://github.com/mirabellette)
- add comment to thunderbird.profile to allow Firefox to load profiles
mjudtmann (https://github.com/mjudtmann)
- lock firejail configuration in disable-mgmt.inc
+m00nwtchr (https://github.com/m00nwtchr)
+ - Whitelist electron-flags.conf for all versions of electron
+ - electron profile updates
+ - Fix glob pattern and update other profiles/includes (electron profile)
mustaqimM (https://github.com/mustaqimM)
- added profile for Nylas Mail
n1trux (https://github.com/n1trux)
@@ -663,6 +763,7 @@
- add kdiff3 profile
NetSysFire (https://github.com/NetSysFire)
- update weechat profile
+ - update megaglest profile
Nick Fox (https://github.com/njfox)
- add a profile alias for code-oss
- add code-oss config directory
@@ -690,7 +791,7 @@
OndrejMalek (https://github.com/OndrejMalek)
- various manpage fixes
Ondřej Nový (https://github.com/onovy)
- - allow video for Signal profile
+ - allow video for Signal profile
- added Mattermost desktop profile
- hardened Zoom profile
- hardened Signal desktop profile
@@ -707,7 +808,7 @@
Paul Moore <pmoore@redhat.com>
-src/fsec-print/print.c extracted from libseccomp software package
Paupiah Yash (https://github.com/CaffeinatedStud)
- - gzip profile
+ - gzip profile
Pawel (https://github.com/grimskies)
- make --join return exit code of the invoked program
Peter Millerchip (https://github.com/pmillerchip)
@@ -758,6 +859,7 @@
- added profile for torbrowser-launcher
- added profile for sayonara and qmmp
- remove tracelog from Firefox profile
+ - fix welcome.sh
polyzen (https://github.com/polyzen)
- fixed wusc issue with mpv/Vulkan
probonopd (https://github.com/probonopd)
@@ -770,11 +872,15 @@
-uGet profile
pwnage-pineapple (https://github.com/pwnage-pineapple)
- update Okular profile
+Quentin Retornaz (https://github.com/qretornaz-adapei42)
+ - microsoft-edge profiles fixes
Quentin Minster (https://github.com/laomaiweng)
- propagate --quiet to children Firejail'ed processes
- nodbus enhancements/bugfixes
- added vim syntax and ftdetect files
- Allow exec from /usr/libexec & co. with AppArmor
+ra1nb0w (https://github.com/ra1nb0w)
+ - fix vmware profile
Rafael Cavalcanti (https://github.com/rccavalcanti)
- chromium profile fixes for Arch Linux
Rahiel Kasim (https://github.com/rahiel)
@@ -792,6 +898,11 @@
- zoom profile fixes
realaltffour (https://github.com/realaltffour)
- add lynx support to newsboat profile
+Reed Riley (https://github.com/reedriley)
+ - cointop profile
+ - 1password profile
+ - blacklist rclone, 1Password, Ledger Live and cointop
+ - allow Signal to open links in Firefox
Reiner Herrmann (https://github.com/reinerh)
- a number of build patches
- man page fixes
@@ -831,6 +942,7 @@
- added sort.py to contrib
sak96 (https://github.com/sak96)
- discord profile fixes
+ - Fix Firefox 'Profile not found' for psd (v6.45)
Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
- fixed ktorrent profile
sarneaud (https://github.com/sarneaud)
@@ -842,9 +954,13 @@
Senemu (https://github.com/Senemu)
- protection for .pythonrc.py
- fixed evince
+Seonwoo Lee (https://github.com/seonwoolee)
+ - fix teams ignoring input sources e.g. microphones
Sergey Alirzaev (https://github.com/l29ah)
- firejail.h enum fix
- firefox-common-addons.inc: + tridactyl
+Serphentas (https://github.com/Serphentas)
+ - add Paradox Launcher to Steam profile
Slava Monich (https://github.com/monich)
- added configure option to disable man pages
Tobias Schmidl (https://github.com/schtobia)
@@ -861,6 +977,10 @@
- Jolla/SailfishOS patches
slowpeek (https://github.com/slowpeek)
- refine appimage example in docs
+ - allow resolution of .local names with avahi-daemon in the apparmor profile
+ - allow access to avahi-daemon in apparmor/firejail-default
+ - make appimage examples consistent with --appimage option short description
+ - blacklist google-drive-ocamlfuse config
smitsohu (https://github.com/smitsohu)
- read-only kde4 services directory
- enhanced mediathekview profile
@@ -912,6 +1032,8 @@
- hardern /var
- profile standard layout
- Spotify and itch.io profile fixes
+Spacewalker2 (https://github.com/Spacewalker2)
+ - fix MediathekView profile
sshirokov (https://sourceforge.net/u/yshirokov/profile/)
- Patch to output "Reading profile" to stderr instead of stdout
SYN-cook (https://github.com/SYN-cook)
@@ -935,7 +1057,7 @@
- gnome-calculator changes
startx2017 (https://github.com/startx2017)
- syscall list update
- - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
+ - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
- enable/disable join support in /etc/firejail/firejail.config
- firecfg fix: create ~/.local/share/applications directory if it doesn't exist
@@ -953,6 +1075,9 @@
- Fix libx265 encoding in ffmpeg profile
- Fix Firefox profile
- Profile tweaks
+TheOneric (https://github.com/TheOneric)
+ - Fix newest Steam client and Proton ≥ 5.13
+ - Fix black window in Steam client
thewisenerd (https://github.com/thewisenerd)
- allow multiple private-home commands
- use $SHELL variable if the shell is not specified
@@ -986,10 +1111,14 @@
- improve loading of seccomp filter and memory-deny-write-execute feature
- private-lib feature
- make --nodbus block also system D-Bus socket
-Ted Robertson (https://github.com/tredondo)
+Ted Robertson (https://github.com/tredondo)
- webstorm profile fixes
- added bcompare profile
- various documentation fixes
+ - blacklist Exodus wallet
+ - blacklist monero-project directory
+Tus1688 (https://github.com/Tus1688)
+ - added neovim profile
user1024 (user1024@tut.by)
- electron profile whitelisting
- fixed Rocket.Chat profile
@@ -1041,11 +1170,14 @@
- apparmor enhancements
Vincent Blillault (https://github.com/Feandil)
- fix mumble profile
+Vincent Lefèvre (https://github.com/vinc17fr)
+ - blacklist rxvt after the blacklist of Perl
+ - Noblacklist rxvt in allow-perl.inc
vismir2 (https://github.com/vismir2)
- feh, ranger, 7z, keepass, keepassx and zathura profiles
- claws-mail, mutt, git, emacs, vim profiles
- lots of profile fixes
- - support for truecrypt and zuluCrypt
+ - support for truecrypt and zuluCrypt
viq (https://github.com/viq)
- discord-canary profile
Vladimir Gorelov (https://github.com/larkvirtual)
@@ -1053,12 +1185,21 @@
Vladimir Schowalter (https://github.com/VladimirSchowalter20)
- apparmor profile enhancements
- various KDE profile enhancements
- read-only kde5 services directory
+ - read-only kde5 services directory
Vladislav Nepogodin (https://github.com/vnepogodin)
- added Librewolf profiles
- added Sway profile
+ - fix CLion profile
+ - fixes for disable-programs.inc
+ - CachyBrowser profile
+Hugo Osvaldo Barrera (https://github.com/WhyNotHugo)
+ - Skype profile tweaks
+ - whitelist-ro command
xee5ch (https://github.com/xee5ch)
- skypeforlinux profile
+York Zhao (https://github.com/YorkZ)
+ - tor browser profile fix
+ - allow telegram to open hyperlinks
Ypnose (https://github.com/Ypnose)
- disable-shell.inc: add mksh shell
yumkam (https://github.com/yumkam)
@@ -1086,4 +1227,4 @@
zupatisc (https://github.com/zupatisc)
- patch-util fix
-Copyright (C) 2014-2021 Firejail Authors
+Copyright (C) 2014-2022 Firejail Authors
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/README.md
^
|
@@ -22,47 +22,29 @@
<table><tr>
<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U
-" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg"
-alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
+<a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank">
+<img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png"
+alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a>
</td>
<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
-" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
-alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
+<a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank">
+<img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png"
+alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a>
</td>
<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
-" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
-alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
+<a href="https://odysee.com/@netblue30:9/divested:2" target="_blank">
+<img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png"
+alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
</td>
-
-</tr><tr>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
-" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
-alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
-" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
-alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
-" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
-alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
-
-</td>
</tr></table>
Project webpage: https://firejail.wordpress.com/
+IRC: https://web.libera.chat/#firejail
+
Download and Installation: https://firejail.wordpress.com/download-2/
Features: https://firejail.wordpress.com/features-3/
@@ -75,7 +57,7 @@
GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
-Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
+Video Channel: https://odysee.com/@netblue30:9?order=new
Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
@@ -83,40 +65,47 @@
We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
-`````
-Security Advisory - Feb 8, 2021
+## Installing
-Summary: A vulnerability resulting in root privilege escalation was discovered in
-Firejail's OverlayFS code,
+### Debian
-Versions affected: Firejail software versions starting with 0.9.30.
-Long Term Support (LTS) Firejail branch is not affected by this bug.
+Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
-Workaround: Disable overlayfs feature at runtime.
-In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no".
+### Ubuntu
- $ grep overlayfs /etc/firejail/firejail.config
- # Enable or disable overlayfs features, default enabled.
- overlayfs no
+For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
-Fix: The bug is fixed in Firejail version 0.9.64.4
+How to add and install from the PPA:
-GitHub commit: (file configure.ac)
-https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
+```sh
+sudo add-apt-repository ppa:deki/firejail
+sudo apt-get update
+sudo apt-get install firejail firejail-profiles
+```
-Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
-Functional PoC exploit code was provided to Firejail development team.
-A description of the problem is here on Roman's blog:
+Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:
-https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
-https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
-`````
+* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
-## Installing
+See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
+
+> What software is supported by the Ubuntu Security team?
+>
+> Ubuntu is currently divided into four components: main, restricted, universe
+> and multiverse. All binary packages in main and restricted are supported by
+> the Ubuntu Security team for the life of an Ubuntu release, while binary
+> packages in universe and multiverse are supported by the Ubuntu community.
+
+Additionally, the PPA version is likely to be more recent and to contain more profile fixes.
+
+See the following discussions for details:
+
+* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666)
+* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663)
-Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+### Other
-The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package.
+Firejail is included in a large number of Linux distributions.
You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
@@ -170,7 +159,7 @@
Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers.
The integration applies to any program supported by default by Firejail. There are about 250 default applications
in current Firejail version, and the number goes up with every new release.
-We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
+We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
## Security profiles
@@ -189,149 +178,168 @@
We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-## Latest released version: 0.9.64
+## Latest released version: 0.9.70
-## Current development version: 0.9.65
+## Current development version: 0.9.71
Milestone page: https://github.com/netblue30/firejail/milestone/1
-Release discussion: https://github.com/netblue30/firejail/issues/3696
-
-### jailcheck
-`````
-JAILCHECK(1) JAILCHECK man page JAILCHECK(1)
-
-NAME
- jailcheck - Simple utility program to test running sandboxes
-
-SYNOPSIS
- sudo jailcheck [OPTIONS] [directory]
-
-DESCRIPTION
- jailcheck attaches itself to all sandboxes started by the user and per‐
- forms some basic tests on the sandbox filesystem:
-
- 1. Virtual directories
- jailcheck extracts a list with the main virtual directories in‐
- stalled by the sandbox. These directories are build by firejail
- at startup using --private* and --whitelist commands.
- 2. Noexec test
- jailcheck inserts executable programs in /home/username, /tmp,
- and /var/tmp directories and tries to run them from inside the
- sandbox, thus testing if the directory is executable or not.
+### Restrict namespaces
- 3. Read access test
- jailcheck creates test files in the directories specified by the
- user and tries to read them from inside the sandbox.
-
- 4. AppArmor test
-
- 5. Seccomp test
-
- The program is started as root using sudo.
-
-OPTIONS
- --debug
- Print debug messages.
-
- -?, --help
- Print options and exit.
-
- --version
- Print program version and exit.
-
- [directory]
- One or more directories in user home to test for read access.
- ~/.ssh and ~/.gnupg are tested by default.
-
-OUTPUT
- For each sandbox detected we print the following line:
-
- PID:USER:Sandbox Name:Command
-
- It is followed by relevant sandbox information, such as the virtual di‐
- rectories and various warnings.
-
-EXAMPLE
- $ sudo jailcheck
- 2014:netblue::firejail /usr/bin/gimp
- Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
- Warning: I can run programs in /home/netblue
-
- 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
- Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
- Warning: I can read ~/.ssh
-
- 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
- pimage
- Virtual dirs: /tmp, /var/tmp, /dev,
-
- 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
- Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
- /run/user/1000,
-
- 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
- Warning: AppArmor not enabled
- Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
- /usr/share, /run/user/1000,
- Warning: I can run programs in /home/netblue
-
-LICENSE
- This program is free software; you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by the
- Free Software Foundation; either version 2 of the License, or (at your
- option) any later version.
-
- Homepage: https://firejail.wordpress.com
-
-SEE ALSO
- firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
- gin(5), firejail-users(5),
-
-0.9.65 May 2021 JAILCHECK(1)
+`````
+ --restrict-namespaces
+ Install a seccomp filter that blocks attempts to create new
+ cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+
+ Example:
+ $ firejail --restrict-namespaces
+
+ --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
+ Install a seccomp filter that blocks attempts to create any of
+ the specified namespaces. The filter examines the arguments of
+ clone, unshare and setns system calls and returns error EPERM to
+ the process (or kills it or logs the attempt, see --seccomp-er‐
+ ror-action below) if necessary. Note that the filter is not able
+ to examine the arguments of clone3 system calls, and always re‐
+ sponds to these calls with error ENOSYS.
+
+ Example:
+ $ firejail --restrict-namespaces=user,net
+`````
+
+### Support for custom AppArmor profiles
+
+`````
+ --apparmor
+ Enable AppArmor confinement with the "firejail-default" AppArmor
+ profile. For more information, please see APPARMOR section be‐
+ low.
+
+ --apparmor=profile_name
+ Enable AppArmor confinement with a custom AppArmor profile.
+ Note that profile in question must already be loaded into the
+ kernel. For more information, please see APPARMOR section be‐
+`````
+
+### dnstrace
+`````
+ --dnstrace[=name|pid]
+ Monitor DNS queries. The sandbox can be specified by name or
+ pid. Only networked sandboxes created with --net are supported.
+ This option is only available when running the sandbox as root.
+
+ Without a name/pid, Firejail will monitor the main system net‐
+ work namespace.
+
+ $ sudo firejail --dnstrace=browser
+ 11:31:43 9.9.9.9 linux.com (type 1)
+ 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+ 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+ 11:31:45 9.9.9.9 www.linux.com (type 1)
+ 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+ 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+ 11:32:05 9.9.9.9 secure.gravatar.com (type 1)
+ 11:32:06 9.9.9.9 secure.gravatar.com (type 1)
+ 11:32:08 9.9.9.9 taikai.network (type 1)
+ 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
+ 11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
+ 11:32:08 9.9.9.9 www.youtube.com (type 1)
+`````
+
+### snitrace
+`````
+ --snitrace[=name|pid]
+ Monitor Server Name Indication (TLS/SNI). The sandbox can be
+ specified by name or pid. Only networked sandboxes created with
+ --net are supported. This option is only available when running
+ the sandbox as root.
+
+ Without a name/pid, Firejail will monitor the main system net‐
+ work namespace.
+
+ $ sudo firejail --snitrace=browser
+ 07:49:51 23.185.0.3 linux.com
+ 07:49:51 23.185.0.3 www.linux.com
+ 07:50:05 192.0.73.2 secure.gravatar.com
+ 07:52:35 172.67.68.93 www.howtoforge.com
+ 07:52:37 13.225.103.59 sf.ezoiccdn.com
+ 07:52:42 142.250.176.3 www.gstatic.com
+ 07:53:03 173.236.250.32 www.linuxlinks.com
+ 07:53:05 192.0.77.37 c0.wp.com
+ 07:53:08 192.0.78.32 jetpack.wordpress.com
+ 07:53:09 192.0.77.32 s0.wp.com
+ 07:53:09 192.0.77.2 i0.wp.com
+ 07:53:10 192.0.77.2 i0.wp.com
+ 07:53:11 192.0.73.2 1.gravatar.com
+`````
+### icmptrace
+`````
+ --icmptrace[=name|pid]
+ Monitor ICMP traffic. The sandbox can be specified by name or
+ pid. Only networked sandboxes created with --net are supported.
+ This option is only available when running the sandbox as root.
+
+ Without a name/pid, Firejail will monitor the main system net‐
+ work namespace.
+
+ Example
+ $ sudo firejail --icmptrace
+ 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
+ quest/0
+ 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
+ ply/0
+ 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
+ quest/0
+ 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
+ ply/0
+ 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination un‐
+ reachable/Port unreachable
`````
### Profile Statistics
-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
```
-$ sudo cp src/profstats/profstats /etc/firejail/.
-$ cd /etc/firejail
-$ ./profstats *.profile
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
+No include .local found in /etc/firejail/noprofile.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
+
Stats:
- profiles 1135
- include local profile 1135 (include profile-name.local)
- include globals 1106 (include globals.local)
- blacklist ~/.ssh 1009 (include disable-common.inc)
- seccomp 1035
- capabilities 1130
- noexec 1011 (include disable-exec.inc)
- noroot 944
- memory-deny-write-execute 242
- apparmor 667
- private-bin 635
- private-dev 992
- private-etc 508
- private-tmp 866
- whitelist home directory 542
- whitelist var 799 (include whitelist-var-common.inc)
- whitelist run/user 597 (include whitelist-runuser-common.inc
+ profiles 1205
+ include local profile 1204 (include profile-name.local)
+ include globals 1178 (include globals.local)
+ blacklist ~/.ssh 1076 (include disable-common.inc)
+ seccomp 1095
+ capabilities 1199
+ noexec 1084 (include disable-exec.inc)
+ noroot 1002
+ memory-deny-write-execute 272
+ restrict-namespaces 962
+ apparmor 720
+ private-bin 704
+ private-dev 1055
+ private-etc 546
+ private-lib 71
+ private-tmp 929
+ whitelist home directory 581
+ whitelist var 867 (include whitelist-var-common.inc)
+ whitelist run/user 1173 (include whitelist-runuser-common.inc
or blacklist ${RUNUSER})
- whitelist usr/share 569 (include whitelist-usr-share-common.inc
- net none 389
- dbus-user none 619
- dbus-user filter 105
- dbus-system none 770
- dbus-system filter 7
+ whitelist usr/share 637 (include whitelist-usr-share-common.inc
+ net none 410
+ dbus-user none 677
+ dbus-user filter 137
+ dbus-system none 848
+ dbus-system filter 12
+
```
### New profiles:
-vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
-avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
-pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
-sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
-ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
-pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon,
-neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr,
-tin
+onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
+cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp,
+linuxqq, qq
+
+
+
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/RELNOTES
^
|
@@ -1,3 +1,176 @@
+firejail (0.9.72) baseline; urgency=low
+ * feature: On failing to remount a fuse filesystem, give warning instead of
+ erroring out (#5240 #5242)
+ * feature: Update syscall tables and seccomp groups (#5188)
+ * feature: improve force-nonewprivs security guarantees (#5217 #5271)
+ * feature: add support for restricting the creation of Linux namespaces
+ (--restrict-namespaces, --restrict-namespaces=), implemented as a seccomp
+ filter for both 64 and 32 bit architectures (#4939 #5259)
+ * feature: add support for custom AppArmor profiles (--apparmor=) (#5274
+ #5316 #5317 #5475)
+ * feature: add support for ICMP in nettrace
+ * feature: add --dnstrace, --icmptrace, and --snitrace commands
+ * feature: Add basic gtksourceview language-spec (file type detection/syntax
+ highlighting for profiles) (#5502)
+ * feature: add restrict-namespaces to (almost) all applicable profiles (#5440
+ #5537)
+ * feature: add support for netlock in profile files
+ * modif: removed --cgroup= command (#5190 #5200)
+ * modif: set --shell=none as the default (#5190)
+ * modif: removed --shell= command (#5190 #5196 #5209)
+ * modif: disabled firetunnel by default in configure.ac (#5190)
+ * modif: disabled chroot by default in /etc/firejail/firejail.config (#5190)
+ * modif: disabled private-lib by default in /etc/firejail/firejail.config
+ (#5190 #5216)
+ * modif: disabled tracelog by default in /etc/firejail/firejail.config
+ (#5190)
+ * modif: removed grsecurity support
+ * modif: stop hiding blacklisted files in /etc by default and add a new
+ etc-hide-blacklisted option to firejail.config that enables the previous
+ behavior (disabled by default) (#5010 #5230 #5591 #5595)
+ * bugfix: Flood of seccomp audit log entries (#5207)
+ * bugfix: --netlock does not work (Error: no valid sandbox) (#5312)
+ * build: deduplicate configure-time vars into new config files (#5140 #5284)
+ * build: fix file mode of shell scripts (644 -> 755) (#5206)
+ * build: reduce autoconf input files from 32 to 2 (#5219)
+ * build: add dist build directory to .gitignore (#5248)
+ * build: add autoconf auto-generation comment to input files (#5251)
+ * build: Add files make uninstall forgot to remove (#5283)
+ * build: add and use TARNAME instead of NAME for paths (#5310)
+ * build: only install ids.config when --enable-ids is set (#5356 #5357)
+ * build: Remove deprecated syntax and modernize shell test scripts (#5370)
+ * build: Fix musl warnings (#5421 #5431)
+ * build: sort.py improvements (#5429)
+ * build: deduplicate makefiles (#5478)
+ * build: fix formatting and misc in configure (#5488)
+ * build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504)
+ * build: make shell commands more portable in firejail.vim (#5577)
+ * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275)
+ * ci: ignore git-related paths and the project license (#5249)
+ * ci: Harden GitHub Actions (StepSecurity) (#5439)
+ * ci: sort and ignore more paths (#5481)
+ * ci: whitelist needed endpoints and block access to sudo (#5485)
+ * docs: fix typos (#5189 #5349)
+ * docs: mention risk of SUID binaries and also firejail-users(5) (#5288
+ #5290)
+ * docs: set vim filetype on man pages for syntax highlighting (#5296)
+ * docs: note that blacklist/whitelist follow symlinks (#5344)
+ * docs: Add IRC channel info to README.md (#5361)
+ * docs: man: Note that some commands can be disabled in firejail.config
+ (#5366)
+ * docs: Add gist note to bug_report.md (#5398)
+ * docs: clarify that --appimage should appear before --profile (#5402 #5451)
+ * docs: add more Firefox examples to the firejail-local AppArmor profile
+ (#5493)
+ * docs: Fix broken Restrict-DBus wiki link on profile.template (#5554)
+ * docs: Remove invalid --profile-path from --help (#5585 #5586)
+ * several new profiles
+ -- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500
+
+firejail (0.9.70) baseline; urgency=low
+ * security: CVE-2022-31214 - root escalation in --join logic
+ Reported by Matthias Gerstner, working exploit code was provided to our
+ development team. In the same time frame, the problem was independently
+ reported by Birk Blechschmidt. Full working exploit code was also provided.
+ * feature: enable shell tab completion with --tab (#4936)
+ * feature: disable user profiles at compile time (#4990)
+ * feature: Allow resolution of .local names with avahi-daemon in the apparmor
+ profile (#5088)
+ * feature: always log seccomp errors (#5110)
+ * feature: firecfg --guide, guided user configuration (#5111)
+ * feature: --oom, kernel OutOfMemory-killer (#5122)
+ * modif: --ids feature needs to be enabled at compile time (#5155)
+ * modif: --nettrace only available to root user
+ * rework: whitelist restructuring (#4985)
+ * rework: firemon, speed up and lots of fixes
+ * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
+ * bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
+ * bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
+ * bugfix: fix printing in evince (#5011)
+ * bugfix: gcov: fix gcov functions always declared as dummy (#5028)
+ * bugfix: Stop warning on safe supplementary group clean (#5114)
+ * build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
+ * build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
+ * ci: replace centos (EOL) with almalinux (#4912)
+ * ci: fix --version not printing compile-time features (#5147)
+ * ci: print version after install & fix apparmor support on build_apparmor
+ (#5148)
+ * docs: Refer to firejail.config in configuration files (#4916)
+ * docs: firejail.config: add warning about allow-tray (#4946)
+ * docs: mention that the protocol command accumulates (#5043)
+ * docs: mention inconsistent homedir bug involving --private=dir (#5052)
+ * docs: mention capabilities(7) on --caps (#5078)
+ * new profiles: onionshare, onionshare-cli, opera-developer, songrec
+ * new profiles: node-gyp, npx, semver, ping-hardened
+ * removed profiles: nvm
+ -- netblue30 <netblue30@yahoo.com> Thu, 9 Jun 2022 09:00:00 -0500
+
+firejail (0.9.68) baseline; urgency=low
+ * security: on Ubuntu, the PPA is now recommended over the distro package
+ (see README.md) (#4748)
+ * security: bugfix: private-cwd leaks access to the entire filesystem
+ (#4780); reported by Hugo Osvaldo Barrera
+ * feature: remove (some) environment variables with auth-tokens (#4157)
+ * feature: ALLOW_TRAY condition (#4510 #4599)
+ * feature: add basic Firejail support to AppArmor base abstraction (#3226
+ #4628)
+ * feature: intrusion detection system (--ids-init, --ids-check)
+ * feature: deterministic shutdown command (--deterministic-exit-code,
+ --deterministic-shutdown) (#928 #3042 #4635)
+ * feature: noprinters command (#4607 #4827)
+ * feature: network monitor (--nettrace)
+ * feature: network locker (--netlock) (#4848)
+ * feature: whitelist-ro profile command (#4740)
+ * feature: disable pipewire with --nosound (#4855)
+ * feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
+ * feature: Allow apostrophe in whitelist and blacklist (#4614)
+ * feature: AppImage support in --build command (#4878)
+ * modifs: exit code: distinguish fatal signals by adding 128 (#4533)
+ * modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
+ * modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
+ * modifs: nogroups now stopped causing certain system groups to be dropped,
+ which are now controlled by the relevant "no" options instead (such as
+ nosound -> drop audio group), which fixes device access issues on systems
+ not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
+ * removal: --disable-whitelist at compile time
+ * removal: whitelist=yes/no in /etc/firejail/firejail.config
+ * bugfix: Fix sndio support (#4362 #4365)
+ * bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
+ * bugfix: --build clears the environment (#4460 #4467)
+ * bugfix: firejail hangs with net parameter (#3958 #4476)
+ * bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
+ * bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
+ * bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
+ * bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
+ * bugfix: Firejail rejects empty arguments (#4395)
+ * bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
+ * bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
+ * bugfix: private-etc does not work with symlinks (#4887)
+ * bugfix: Hardware key not detected on keepassxc (#4883)
+ * build: allow building with address sanitizer (#4594)
+ * build: Stop linking pthread (#4695)
+ * build: Configure cleanup and improvements (#4712)
+ * ci: add profile checks for sorting disable-programs.inc and
+ firecfg.config and for the required arguments in private-etc (#2739 #4643)
+ * ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
+ * docs: Add new command checklist to CONTRIBUTING.md (#4413)
+ * docs: Rework bug report issue template and add both a question and a
+ feature request template (#4479 #4515 #4561)
+ * docs: fix contradictory descriptions of machine-id ("preserves" vs
+ "spoofs") (#4689)
+ * docs: Document that private-bin and private-etc always accumulate (#4078)
+ * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
+ * new includes: disable-proc.inc (#4521)
+ * removed includes: disable-passwordmgr.inc (#4454 #4461)
+ * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
+ * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
+ * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
+ * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
+ * new profiles: imv, retroarch, torbrowser, CachyBrowser,
+ * new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
+ * new profiles: Seafile, neovim, com.github.tchx84.Flatseal
+ -- netblue30 <netblue30@yahoo.com> Sun, 6 Feb 2022 09:00:00 -0500
+
firejail (0.9.66) baseline; urgency=low
* deprecated --audit options, relpaced by jailcheck utility
* deprecated follow-symlink-as-user from firejail.config
@@ -47,7 +220,7 @@
firejail (0.9.64.2) baseline; urgency=low
* allow --tmpfs inside $HOME for unprivileged users
- * --disable-usertmpfs compile time option
+ * --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* Setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
@@ -554,7 +727,7 @@
* feature: disable 3D hardware acceleration (--no3d)
* feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* feature: move files in sandbox (--put)
- * feature: accept wildcard patterns in user name field of restricted
+ * feature: accept wildcard patterns in user name field of restricted
shell login feature
* new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
@@ -596,7 +769,7 @@
* compile time: disable whitelisting (--disable-whitelist)
* compile time: disable global config (--disable-globalcfg)
* run time: enable/disable overlayfs (overlayfs yes/no)
- * run time: enable/disable quiet as default (quiet-by-default yes/no)
+ * run time: enable/disable quiet as default (quiet-by-default yes/no)
* run time: user-defined network filter (netfilter-default)
* run time: enable/disable whitelisting (whitelist yes/no)
* run time: enable/disable remounting of /proc and /sys
@@ -694,7 +867,7 @@
-- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500
firejail (0.9.36) baseline; urgency=low
- * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
+ * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
parole and rtorrent profiles
* Google Chrome profile rework
* added google-chrome-stable profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/SECURITY.md
^
|
@@ -2,23 +2,26 @@
## Supported Versions
-| Version | Supported by us | EOL | Supported by distribution |
-| ------- | ------------------ | ---- | ---------------------------
-| 0.9.64 | :heavy_check_mark: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable)
-| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10
-| 0.9.60 | :x: | 29 Dec 2019 |
-| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10
-| 0.9.56 | :x: | 27 Jan 2019 |
-| 0.9.54 | :x: | 18 Sep 2018 |
-| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS
-| 0.9.50 | :x: | 12 Dec 2017 |
-| 0.9.48 | :x: | 09 Sep 2017 |
-| 0.9.46 | :x: | 12 Jun 2017 |
-| 0.9.44 | :x: | | :white_check_mark: Debian 9
-| 0.9.42 | :x: | 22 Oct 2016 |
-| 0.9.40 | :x: | 09 Sep 2016 |
-| 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS
-| <0.9.38 | :x: | Before 05 Feb 2016 |
+| Version | Supported by us | EOL | Supported by distribution |
+| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- |
+| 0.9.70 | :heavy_check_mark: | | |
+| 0.9.68 | :x: | | |
+| 0.9.66 | :x: | | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable) |
+| 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.10 |
+| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 |
+| 0.9.60 | :x: | 29 Dec 2019 | |
+| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 |
+| 0.9.56 | :x: | 27 Jan 2019 | |
+| 0.9.54 | :x: | 18 Sep 2018 | |
+| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS |
+| 0.9.50 | :x: | 12 Dec 2017 | |
+| 0.9.48 | :x: | 09 Sep 2017 | |
+| 0.9.46 | :x: | 12 Jun 2017 | |
+| 0.9.44 | :x: | | :white_check_mark: Debian 9 |
+| 0.9.42 | :x: | 22 Oct 2016 | |
+| 0.9.40 | :x: | 09 Sep 2016 | |
+| 0.9.38 | :x: | 31 May 2016 | |
+| <0.9.38 | :x: | Before 05 Feb 2016 | |
## Security vulnerabilities
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/private-etc-always-required.sh
^
|
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+
+error=0
+while IFS=: read -r profile private_etc; do
+ for required in "${ALWAYS_REQUIRED[@]}"; do
+ if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+ printf '%s misses %s\n' "$profile" "$required" >&2
+ error=1
+ fi
+ done
+done < <(grep "^private-etc " "$@")
+
+exit "$error"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/sort-disable-programs.sh
^
|
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/sort-firecfg.config.sh
^
|
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/sort.py
^
|
+(symlink to ../../../contrib/sort.py)
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/config.mk.in
^
|
@@ -0,0 +1,69 @@
+# @configure_input@
+#
+# Configure-time variable definitions and any other common definition that can
+# be safely included by all makefiles.
+#
+# Note: Do not define any targets on this file, as that could potentially end
+# up overriding the includer's intended default target (which by default is the
+# first target encountered).
+
+NAME=@PACKAGE_NAME@
+TARNAME=@PACKAGE_TARNAME@
+PACKAGE_TARNAME=@PACKAGE_TARNAME@ # needed by docdir
+VERSION=@PACKAGE_VERSION@
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+bindir=@bindir@
+libdir=@libdir@
+datarootdir=@datarootdir@
+docdir=@docdir@
+mandir=@mandir@
+sysconfdir=@sysconfdir@
+
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
+BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
+HAVE_SUID=@HAVE_SUID@
+HAVE_MAN=@HAVE_MAN@
+
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_IDS=@HAVE_IDS@
+HAVE_GCOV=@HAVE_GCOV@
+HAVE_SELINUX=@HAVE_SELINUX@
+HAVE_SUID=@HAVE_SUID@
+HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
+HAVE_OUTPUT=@HAVE_OUTPUT@
+HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
+HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
+
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+
+# User variables - should not be modified in the code (as they are reserved for
+# the user building the package); see the following for details:
+# https://www.gnu.org/software/automake/manual/1.16.5/html_node/User-Variables.html
+CC=@CC@
+CFLAGS=@CFLAGS@
+LDFLAGS=@LDFLAGS@
+
+# Project variables
+LIBS=@LIBS@
+
+ifdef NO_EXTRA_CFLAGS
+else
+EXTRA_CFLAGS +=@EXTRA_CFLAGS@
+endif
+
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/config.sh.in
^
|
@@ -0,0 +1,8 @@
+# @configure_input@
+#
+# shellcheck shell=sh
+# shellcheck disable=SC2034
+
+NAME="@PACKAGE_NAME@"
+TARNAME="@PACKAGE_TARNAME@"
+VERSION="@PACKAGE_VERSION@"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/configure
^
|
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.66.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.72.
#
# Report bugs to <netblue30@protonmail.com>.
#
@@ -580,8 +580,8 @@
# Identity of this package.
PACKAGE_NAME='firejail'
PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.66'
-PACKAGE_STRING='firejail 0.9.66'
+PACKAGE_VERSION='0.9.72'
+PACKAGE_STRING='firejail 0.9.72'
PACKAGE_BUGREPORT='netblue30@protonmail.com'
PACKAGE_URL='https://firejail.wordpress.com'
@@ -628,13 +628,13 @@
GREP
CPP
HAVE_LTS
+HAVE_ONLY_SYSCFG_PROFILES
HAVE_FORCE_NONEWPRIVS
HAVE_CONTRIB_INSTALL
HAVE_GCOV
BUSYBOX_WORKAROUND
HAVE_FATAL_WARNINGS
HAVE_SUID
-HAVE_WHITELIST
HAVE_FILE_TRANSFER
HAVE_X11
HAVE_USERNS
@@ -652,16 +652,13 @@
EXTRA_LDFLAGS
EXTRA_CFLAGS
HAVE_SELINUX
-HAVE_APPARMOR
AA_LIBS
AA_CFLAGS
PKG_CONFIG_LIBDIR
PKG_CONFIG_PATH
PKG_CONFIG
-RANLIB
-INSTALL_DATA
-INSTALL_SCRIPT
-INSTALL_PROGRAM
+HAVE_APPARMOR
+HAVE_IDS
OBJEXT
EXEEXT
ac_ct_CC
@@ -712,6 +709,8 @@
ac_user_opts='
enable_option_checking
enable_analyzer
+enable_sanitizer
+enable_ids
enable_apparmor
enable_selinux
enable_dbusproxy
@@ -726,13 +725,13 @@
enable_userns
enable_x11
enable_file_transfer
-enable_whitelist
enable_suid
enable_fatal_warnings
enable_busybox_workaround
enable_gcov
enable_contrib_install
enable_force_nonewprivs
+enable_only_syscfg_profiles
enable_lts
'
ac_precious_vars='build_alias
@@ -1299,7 +1298,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures firejail 0.9.66 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.72 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1361,7 +1360,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of firejail 0.9.66:";;
+ short | recursive ) echo "Configuration of firejail 0.9.72:";;
esac
cat <<\_ACEOF
@@ -1370,22 +1369,24 @@
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-analyzer enable GCC static analyzer
+ --enable-sanitizer=[address | memory | undefined]
+ enable a compiler-based sanitizer (debug)
+ --enable-ids enable ids
--enable-apparmor enable apparmor
--enable-selinux SELinux labeling support
--disable-dbusproxy disable dbus proxy
--disable-output disable --output logging
--disable-usertmpfs disable tmpfs as regular user
--disable-man disable man pages
- --disable-firetunnel disable firetunnel
+ --enable-firetunnel enable firetunnel
--disable-private-home disable private home feature
--disable-chroot disable chroot
- --disable-globalcfg if the global config file firejail.cfg is not
+ --disable-globalcfg if the global config file firejail.config is not
present, continue the program using defaults
--disable-network disable network
--disable-userns disable user namespace
--disable-x11 disable X11 sandboxing support
--disable-file-transfer disable file transfer
- --disable-whitelist disable whitelist
--disable-suid install as a non-SUID executable
--enable-fatal-warnings -W -Wall -Werror
--enable-busybox-workaround
@@ -1395,6 +1396,8 @@
install contrib scripts
--enable-force-nonewprivs
enable force nonewprivs
+ --enable-only-syscfg-profiles
+ disable profiles in $HOME/.config/firejail
--enable-lts enable long-term support software version (LTS)
Some influential environment variables:
@@ -1481,7 +1484,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-firejail configure 0.9.66
+firejail configure 0.9.72
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1533,52 +1536,6 @@
} # ac_fn_c_try_compile
-# ac_fn_c_try_link LINENO
-# -----------------------
-# Try to link conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_link ()
-{
- as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
- rm -f conftest.$ac_objext conftest$ac_exeext
- if { { ac_try="$ac_link"
-case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_link") 2>conftest.err
- ac_status=$?
- if test -s conftest.err; then
- grep -v '^ *+' conftest.err >conftest.er1
- cat conftest.er1 >&5
- mv -f conftest.er1 conftest.err
- fi
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; } && {
- test -z "$ac_c_werror_flag" ||
- test ! -s conftest.err
- } && test -s conftest$ac_exeext && {
- test "$cross_compiling" = yes ||
- test -x conftest$ac_exeext
- }; then :
- ac_retval=0
-else
- $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- ac_retval=1
-fi
- # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
- # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
- # interfere with the next link command; also delete a directory that is
- # left behind by Apple's compiler. We do this before executing the actions.
- rm -rf conftest.dSYM conftest_ipa8_conftest.oo
- eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
- as_fn_set_status $ac_retval
-
-} # ac_fn_c_try_link
-
# ac_fn_c_try_cpp LINENO
# ----------------------
# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
@@ -1783,7 +1740,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.66, which was
+It was created by firejail $as_me 0.9.72, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2924,220 +2881,6 @@
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
-ac_aux_dir=
-for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
- if test -f "$ac_dir/install-sh"; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/install-sh -c"
- break
- elif test -f "$ac_dir/install.sh"; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/install.sh -c"
- break
- elif test -f "$ac_dir/shtool"; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/shtool install -c"
- break
- fi
-done
-if test -z "$ac_aux_dir"; then
- as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
-fi
-
-# These three variables are undocumented and unsupported,
-# and are intended to be withdrawn in a future Autoconf release.
-# They can cause serious problems if a builder's source tree is in a directory
-# whose full name contains unusual characters.
-ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var.
-ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var.
-ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
-
-
-# Find a good install program. We prefer a C program (faster),
-# so one script is as good as another. But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AmigaOS /C/install, which installs bootblocks on floppy discs
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# OS/2's system install, which has a completely different semantic
-# ./install, which can be erroneously created by make from ./install.sh.
-# Reject install programs that cannot install multiple files.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
-$as_echo_n "checking for a BSD-compatible install... " >&6; }
-if test -z "$INSTALL"; then
-if ${ac_cv_path_install+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in #((
- ./ | .// | /[cC]/* | \
- /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
- ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \
- /usr/ucb/* ) ;;
- *)
- # OSF1 and SCO ODT 3.0 have their own names for install.
- # Don't use installbsd from OSF since it installs stuff as root
- # by default.
- for ac_prog in ginstall scoinst install; do
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
- if test $ac_prog = install &&
- grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
- # AIX install. It has an incompatible calling convention.
- :
- elif test $ac_prog = install &&
- grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
- # program-specific install script used by HP pwplus--don't use.
- :
- else
- rm -rf conftest.one conftest.two conftest.dir
- echo one > conftest.one
- echo two > conftest.two
- mkdir conftest.dir
- if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
- test -s conftest.one && test -s conftest.two &&
- test -s conftest.dir/conftest.one &&
- test -s conftest.dir/conftest.two
- then
- ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
- break 3
- fi
- fi
- fi
- done
- done
- ;;
-esac
-
- done
-IFS=$as_save_IFS
-
-rm -rf conftest.one conftest.two conftest.dir
-
-fi
- if test "${ac_cv_path_install+set}" = set; then
- INSTALL=$ac_cv_path_install
- else
- # As a last resort, use the slow shell script. Don't cache a
- # value for INSTALL within a source directory, because that will
- # break other packages using the cache if that directory is
- # removed, or if the value is a relative name.
- INSTALL=$ac_install_sh
- fi
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5
-$as_echo "$INSTALL" >&6; }
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-
-if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_RANLIB+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- if test -n "$RANLIB"; then
- ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
-fi
-fi
-RANLIB=$ac_cv_prog_RANLIB
-if test -n "$RANLIB"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5
-$as_echo "$RANLIB" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_RANLIB"; then
- ac_ct_RANLIB=$RANLIB
- # Extract the first word of "ranlib", so it can be a program name with args.
-set dummy ranlib; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_ac_ct_RANLIB+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- if test -n "$ac_ct_RANLIB"; then
- ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_RANLIB="ranlib"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
-if test -n "$ac_ct_RANLIB"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5
-$as_echo "$ac_ct_RANLIB" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
- if test "x$ac_ct_RANLIB" = x; then
- RANLIB=":"
- else
- case $cross_compiling:$ac_tool_warned in
-yes:)
-{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-ac_tool_warned=yes ;;
-esac
- RANLIB=$ac_ct_RANLIB
- fi
-else
- RANLIB="$ac_cv_prog_RANLIB"
-fi
-
HAVE_SPECTRE="no"
@@ -3171,7 +2914,9 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5
$as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; }
if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then :
- HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
+
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
else
:
@@ -3207,7 +2952,9 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
$as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
- HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
+
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
else
:
@@ -3243,7 +2990,9 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5
$as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; }
if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then :
- HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
+
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
else
:
@@ -3279,7 +3028,9 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5
$as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; }
if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then :
- HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
+
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
else
:
@@ -3297,7 +3048,73 @@
fi
+# Check whether --enable-sanitizer was given.
+if test "${enable_sanitizer+set}" = set; then :
+ enableval=$enable_sanitizer;
+else
+ enable_sanitizer=no
+fi
+
+if test "x$enable_sanitizer" != "xno" ; then :
+
+ as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5
+$as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; }
+if eval \${$as_CACHEVAR+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -fsanitize=$enable_sanitizer"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ eval "$as_CACHEVAR=yes"
+else
+ eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then :
+
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+
+else
+ as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5
+fi
+
+
+fi
+
+HAVE_IDS=""
+
+# Check whether --enable-ids was given.
+if test "${enable_ids+set}" = set; then :
+ enableval=$enable_ids;
+fi
+
+if test "x$enable_ids" = "xyes"; then :
+
+ HAVE_IDS="-DHAVE_IDS"
+
+fi
+
HAVE_APPARMOR=""
+
# Check whether --enable-apparmor was given.
if test "${enable_apparmor+set}" = set; then :
enableval=$enable_apparmor;
@@ -3428,8 +3245,8 @@
HAVE_APPARMOR="-DHAVE_APPARMOR"
pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
-$as_echo_n "checking for AA... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
+$as_echo_n "checking for libapparmor... " >&6; }
if test -n "$AA_CFLAGS"; then
pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@@ -3469,7 +3286,7 @@
if test $pkg_failed = yes; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -3496,7 +3313,7 @@
and AA_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -3515,13 +3332,16 @@
AA_LIBS=$pkg_cv_AA_LIBS
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
- EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"
-fi
+ EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS"
+ LIBS="$LIBS $AA_LIBS"
+
+fi
fi
HAVE_SELINUX=""
+
# Check whether --enable-selinux was given.
if test "${enable_selinux+set}" = set; then :
enableval=$enable_selinux;
@@ -3530,16 +3350,15 @@
if test "x$enable_selinux" = "xyes"; then :
HAVE_SELINUX="-DHAVE_SELINUX"
- EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux "
-
+ LIBS="$LIBS -lselinux"
fi
-
HAVE_DBUSPROXY=""
+
# Check whether --enable-dbusproxy was given.
if test "${enable_dbusproxy+set}" = set; then :
enableval=$enable_dbusproxy;
@@ -3549,21 +3368,19 @@
HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
-
fi
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
HAVE_OVERLAYFS=""
-#
#AC_ARG_ENABLE([overlayfs],
-# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
#AS_IF([test "x$enable_overlayfs" != "xno"], [
# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
-# AC_SUBST(HAVE_OVERLAYFS)
#])
HAVE_OUTPUT=""
+
# Check whether --enable-output was given.
if test "${enable_output+set}" = set; then :
enableval=$enable_output;
@@ -3573,10 +3390,10 @@
HAVE_OUTPUT="-DHAVE_OUTPUT"
-
fi
HAVE_USERTMPFS=""
+
# Check whether --enable-usertmpfs was given.
if test "${enable_usertmpfs+set}" = set; then :
enableval=$enable_usertmpfs;
@@ -3586,10 +3403,10 @@
HAVE_USERTMPFS="-DHAVE_USERTMPFS"
-
fi
HAVE_MAN="no"
+
# Check whether --enable-man was given.
if test "${enable_man+set}" = set; then :
enableval=$enable_man;
@@ -3598,7 +3415,6 @@
if test "x$enable_man" != "xno"; then :
HAVE_MAN="-DHAVE_MAN"
-
# Extract the first word of "gawk", so it can be a program name with args.
set dummy gawk; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -3638,25 +3454,26 @@
if test "x$HAVE_GAWK" != "xyes"; then :
- as_fn_error $? "\"*** gawk not found ***\"" "$LINENO" 5
+ as_fn_error $? "*** gawk not found ***" "$LINENO" 5
fi
fi
HAVE_FIRETUNNEL=""
+
# Check whether --enable-firetunnel was given.
if test "${enable_firetunnel+set}" = set; then :
enableval=$enable_firetunnel;
fi
-if test "x$enable_firetunnel" != "xno"; then :
+if test "x$enable_firetunnel" = "xyes"; then :
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
-
fi
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
+
# Check whether --enable-private-home was given.
if test "${enable_private_home+set}" = set; then :
enableval=$enable_private_home;
@@ -3666,10 +3483,10 @@
HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
-
fi
HAVE_CHROOT=""
+
# Check whether --enable-chroot was given.
if test "${enable_chroot+set}" = set; then :
enableval=$enable_chroot;
@@ -3679,10 +3496,10 @@
HAVE_CHROOT="-DHAVE_CHROOT"
-
fi
HAVE_GLOBALCFG=""
+
# Check whether --enable-globalcfg was given.
if test "${enable_globalcfg+set}" = set; then :
enableval=$enable_globalcfg;
@@ -3692,10 +3509,10 @@
HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
-
fi
HAVE_NETWORK=""
+
# Check whether --enable-network was given.
if test "${enable_network+set}" = set; then :
enableval=$enable_network;
@@ -3705,10 +3522,10 @@
HAVE_NETWORK="-DHAVE_NETWORK"
-
fi
HAVE_USERNS=""
+
# Check whether --enable-userns was given.
if test "${enable_userns+set}" = set; then :
enableval=$enable_userns;
@@ -3718,10 +3535,10 @@
HAVE_USERNS="-DHAVE_USERNS"
-
fi
HAVE_X11=""
+
# Check whether --enable-x11 was given.
if test "${enable_x11+set}" = set; then :
enableval=$enable_x11;
@@ -3731,10 +3548,10 @@
HAVE_X11="-DHAVE_X11"
-
fi
HAVE_FILE_TRANSFER=""
+
# Check whether --enable-file-transfer was given.
if test "${enable_file_transfer+set}" = set; then :
enableval=$enable_file_transfer;
@@ -3744,37 +3561,23 @@
HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
-
-fi
-
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
- enableval=$enable_whitelist;
-fi
-
-if test "x$enable_whitelist" != "xno"; then :
-
- HAVE_WHITELIST="-DHAVE_WHITELIST"
-
-
fi
HAVE_SUID=""
+
# Check whether --enable-suid was given.
if test "${enable_suid+set}" = set; then :
enableval=$enable_suid;
fi
-if test "x$enable_suid" = "xno"; then :
- HAVE_SUID="no"
-else
- HAVE_SUID="yes"
+if test "x$enable_suid" != "xno"; then :
-fi
+ HAVE_SUID="-DHAVE_SUID"
+fi
HAVE_FATAL_WARNINGS=""
+
# Check whether --enable-fatal_warnings was given.
if test "${enable_fatal_warnings+set}" = set; then :
enableval=$enable_fatal_warnings;
@@ -3784,10 +3587,10 @@
HAVE_FATAL_WARNINGS="-W -Wall -Werror"
-
fi
BUSYBOX_WORKAROUND="no"
+
# Check whether --enable-busybox-workaround was given.
if test "${enable_busybox_workaround+set}" = set; then :
enableval=$enable_busybox_workaround;
@@ -3797,11 +3600,10 @@
BUSYBOX_WORKAROUND="yes"
-
fi
-
HAVE_GCOV=""
+
# Check whether --enable-gcov was given.
if test "${enable_gcov+set}" = set; then :
enableval=$enable_gcov;
@@ -3809,27 +3611,27 @@
if test "x$enable_gcov" = "xyes"; then :
- HAVE_GCOV="--coverage -DHAVE_GCOV "
- EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage "
-
+ HAVE_GCOV="--coverage -DHAVE_GCOV"
+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage"
+ LIBS="$LIBS -lgcov"
fi
HAVE_CONTRIB_INSTALL="yes"
+
# Check whether --enable-contrib-install was given.
if test "${enable_contrib_install+set}" = set; then :
enableval=$enable_contrib_install;
fi
if test "x$enable_contrib_install" = "xno"; then :
- HAVE_CONTRIB_INSTALL="no"
-else
- HAVE_CONTRIB_INSTALL="yes"
-fi
+ HAVE_CONTRIB_INSTALL="no"
+fi
HAVE_FORCE_NONEWPRIVS=""
+
# Check whether --enable-force-nonewprivs was given.
if test "${enable_force_nonewprivs+set}" = set; then :
enableval=$enable_force_nonewprivs;
@@ -3839,10 +3641,23 @@
HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+fi
+
+HAVE_ONLY_SYSCFG_PROFILES=""
+
+# Check whether --enable-only-syscfg-profiles was given.
+if test "${enable_only_syscfg_profiles+set}" = set; then :
+ enableval=$enable_only_syscfg_profiles;
+fi
+
+if test "x$enable_only_syscfg_profiles" = "xyes"; then :
+
+ HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
fi
HAVE_LTS=""
+
# Check whether --enable-lts was given.
if test "${enable_lts+set}" = set; then :
enableval=$enable_lts;
@@ -3851,98 +3666,23 @@
if test "x$enable_lts" = "xyes"; then :
HAVE_LTS="-DHAVE_LTS"
-
-
+ HAVE_IDS=""
HAVE_DBUSPROXY=""
-
-
HAVE_OVERLAYFS=""
-
-
HAVE_OUTPUT=""
-
-
HAVE_USERTMPFS=""
-
-
HAVE_MAN="-DHAVE_MAN"
-
-
HAVE_FIRETUNNEL=""
-
-
- HAVE_PRIVATEHOME=""
-
-
+ HAVE_PRIVATE_HOME=""
HAVE_CHROOT=""
-
-
HAVE_GLOBALCFG=""
-
-
HAVE_USERNS=""
-
-
HAVE_X11=""
-
-
HAVE_FILE_TRANSFER=""
-
-
- HAVE_SUID="yes"
-
-
+ HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
+ HAVE_CONTRIB_INSTALL="no"
-
- HAVE_CONTRIB_INSTALL="no",
-
-
-fi
-
-
-
-
-# checking pthread library
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
-$as_echo_n "checking for main in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_main+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-
-int
-main ()
-{
-return main ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread_main=yes
-else
- ac_cv_lib_pthread_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
-$as_echo "$ac_cv_lib_pthread_main" >&6; }
-if test "x$ac_cv_lib_pthread_main" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
- LIBS="-lpthread $LIBS"
-
-else
- as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
fi
ac_ext=c
@@ -4342,14 +4082,6 @@
done
-ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default"
-if test "x$ac_cv_header_pthread_h" = xyes; then :
-
-else
- as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
-fi
-
-
ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :
@@ -4364,9 +4096,7 @@
test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
fi
-ac_config_files="$ac_config_files mkdeb.sh"
-
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile"
+ac_config_files="$ac_config_files config.mk config.sh"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -4910,7 +4640,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by firejail $as_me 0.9.66, which was
+This file was extended by firejail $as_me 0.9.72, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -4964,7 +4694,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-firejail config.status 0.9.66
+firejail config.status 0.9.72
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@@ -4974,7 +4704,6 @@
ac_pwd='$ac_pwd'
srcdir='$srcdir'
-INSTALL='$INSTALL'
test -n "\$AWK" || AWK=awk
_ACEOF
@@ -5075,31 +4804,8 @@
for ac_config_target in $ac_config_targets
do
case $ac_config_target in
- "mkdeb.sh") CONFIG_FILES="$CONFIG_FILES mkdeb.sh" ;;
- "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
- "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;;
- "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
- "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
- "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
- "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
- "src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;;
- "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
- "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
- "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
- "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
- "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
- "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;;
- "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
- "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
- "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
- "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
- "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
- "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
- "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
- "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;;
- "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
- "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
- "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;;
+ "config.mk") CONFIG_FILES="$CONFIG_FILES config.mk" ;;
+ "config.sh") CONFIG_FILES="$CONFIG_FILES config.sh" ;;
*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
esac
@@ -5434,10 +5140,6 @@
# CONFIG_FILE
#
- case $INSTALL in
- [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
- *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
- esac
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
@@ -5491,7 +5193,6 @@
s&@builddir@&$ac_builddir&;t t
s&@abs_builddir@&$ac_abs_builddir&;t t
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
-s&@INSTALL@&$ac_INSTALL&;t t
$ac_datarootdir_hack
"
eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
@@ -5518,11 +5219,6 @@
esac
-
- case $ac_file$ac_mode in
- "mkdeb.sh":F) chmod +x mkdeb.sh ;;
-
- esac
done # for ac_tag
@@ -5562,47 +5258,51 @@
cat <<EOF
-Configuration options:
+Compile options:
+ CC: $CC
+ CFLAGS: $CFLAGS
+ LDFLAGS: $LDFLAGS
+ EXTRA_CFLAGS: $EXTRA_CFLAGS
+ EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+ LIBS: $LIBS
+ fatal warnings: $HAVE_FATAL_WARNINGS
+ gcov instrumentation: $HAVE_GCOV
+ install as a SUID executable: $HAVE_SUID
+ install contrib scripts: $HAVE_CONTRIB_INSTALL
prefix: $prefix
sysconfdir: $sysconfdir
+ Spectre compiler patch: $HAVE_SPECTRE
+
+Features:
+ allow tmpfs as regular user: $HAVE_USERTMPFS
+ always enforce filters: $HAVE_FORCE_NONEWPRIVS
apparmor: $HAVE_APPARMOR
- SELinux labeling support: $HAVE_SELINUX
- global config: $HAVE_GLOBALCFG
+ busybox workaround: $BUSYBOX_WORKAROUND
chroot: $HAVE_CHROOT
- network: $HAVE_NETWORK
- user namespace: $HAVE_USERNS
- X11 sandboxing support: $HAVE_X11
- whitelisting: $HAVE_WHITELIST
- private home support: $HAVE_PRIVATE_HOME
- file transfer support: $HAVE_FILE_TRANSFER
- overlayfs support: $HAVE_OVERLAYFS
DBUS proxy support: $HAVE_DBUSPROXY
- allow tmpfs as regular user: $HAVE_USERTMPFS
- enable --ouput logging: $HAVE_OUTPUT
- Manpage support: $HAVE_MAN
+ disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
+ enable --output logging: $HAVE_OUTPUT
+ file transfer support: $HAVE_FILE_TRANSFER
firetunnel support: $HAVE_FIRETUNNEL
- busybox workaround: $BUSYBOX_WORKAROUND
- Spectre compiler patch: $HAVE_SPECTRE
- EXTRA_LDFLAGS: $EXTRA_LDFLAGS
- EXTRA_CFLAGS: $EXTRA_CFLAGS
- fatal warnings: $HAVE_FATAL_WARNINGS
- Gcov instrumentation: $HAVE_GCOV
- Install contrib scripts: $HAVE_CONTRIB_INSTALL
- Install as a SUID executable: $HAVE_SUID
+ global config: $HAVE_GLOBALCFG
+ IDS support: $HAVE_IDS
LTS: $HAVE_LTS
- Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+ manpage support: $HAVE_MAN
+ network: $HAVE_NETWORK
+ overlayfs support: $HAVE_OVERLAYFS
+ private home support: $HAVE_PRIVATE_HOME
+ SELinux labeling support: $HAVE_SELINUX
+ user namespace: $HAVE_USERNS
+ X11 sandboxing support: $HAVE_X11
EOF
if test "$HAVE_LTS" = -DHAVE_LTS; then
cat <<\EOF
-
-
*********************************************************
* Warning: Long-term support (LTS) was enabled! *
-* Most compile-time options have bean rewritten! *
+* Most compile-time options have been rewritten! *
*********************************************************
-
EOF
fi
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/configure.ac
^
|
@@ -12,348 +12,330 @@
#
AC_PREREQ([2.68])
-AC_INIT([firejail],[0.9.66],[netblue30@protonmail.com],[],[https://firejail.wordpress.com])
-AC_CONFIG_SRCDIR([src/firejail/main.c])
+AC_INIT([firejail], [0.9.72], [netblue30@protonmail.com], [],
+ [https://firejail.wordpress.com])
+AC_CONFIG_SRCDIR([src/firejail/main.c])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_CC
-AC_PROG_INSTALL
-AC_PROG_RANLIB
HAVE_SPECTRE="no"
-AX_CHECK_COMPILE_FLAG(
- [-mindirect-branch=thunk],
- [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"]
-)
-AX_CHECK_COMPILE_FLAG(
- [-mretpoline],
- [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"]
-)
-AX_CHECK_COMPILE_FLAG(
- [-fstack-clash-protection],
- [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"]
-)
-AX_CHECK_COMPILE_FLAG(
- [-fstack-protector-strong],
- [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"]
-)
+AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
+])
+AX_CHECK_COMPILE_FLAG([-mretpoline], [
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
+])
+AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
+])
+AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [
+ HAVE_SPECTRE="yes"
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
+])
AC_ARG_ENABLE([analyzer],
- AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer]))
+ [AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])])
AS_IF([test "x$enable_analyzer" = "xyes"], [
EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
])
+AC_ARG_ENABLE([sanitizer],
+ [AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@],
+ [enable a compiler-based sanitizer (debug)])],
+ [],
+ [enable_sanitizer=no])
+AS_IF([test "x$enable_sanitizer" != "xno" ], [
+ AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+ ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])])
+])
+
+HAVE_IDS=""
+AC_SUBST([HAVE_IDS])
+AC_ARG_ENABLE([ids],
+ [AS_HELP_STRING([--enable-ids], [enable ids])])
+AS_IF([test "x$enable_ids" = "xyes"], [
+ HAVE_IDS="-DHAVE_IDS"
+])
+
HAVE_APPARMOR=""
+AC_SUBST([HAVE_APPARMOR])
AC_ARG_ENABLE([apparmor],
- AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
+ [AS_HELP_STRING([--enable-apparmor], [enable apparmor])])
AS_IF([test "x$enable_apparmor" = "xyes"], [
HAVE_APPARMOR="-DHAVE_APPARMOR"
- PKG_CHECK_MODULES([AA], libapparmor,
- [EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"])
- AC_SUBST(HAVE_APPARMOR)
+ PKG_CHECK_MODULES([AA], [libapparmor], [
+ EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS"
+ LIBS="$LIBS $AA_LIBS"
+ ])
])
HAVE_SELINUX=""
+AC_SUBST([HAVE_SELINUX])
AC_ARG_ENABLE([selinux],
- AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+ [AS_HELP_STRING([--enable-selinux], [SELinux labeling support])])
AS_IF([test "x$enable_selinux" = "xyes"], [
HAVE_SELINUX="-DHAVE_SELINUX"
- EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux "
- AC_SUBST(HAVE_SELINUX)
+ LIBS="$LIBS -lselinux"
])
AC_SUBST([EXTRA_CFLAGS])
AC_SUBST([EXTRA_LDFLAGS])
-
HAVE_DBUSPROXY=""
+AC_SUBST([HAVE_DBUSPROXY])
AC_ARG_ENABLE([dbusproxy],
- AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy]))
+ [AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])])
AS_IF([test "x$enable_dbusproxy" != "xno"], [
HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
- AC_SUBST(HAVE_DBUSPROXY)
])
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
HAVE_OVERLAYFS=""
-AC_SUBST(HAVE_OVERLAYFS)
-#
+AC_SUBST([HAVE_OVERLAYFS])
#AC_ARG_ENABLE([overlayfs],
-# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
#AS_IF([test "x$enable_overlayfs" != "xno"], [
# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
-# AC_SUBST(HAVE_OVERLAYFS)
#])
HAVE_OUTPUT=""
+AC_SUBST([HAVE_OUTPUT])
AC_ARG_ENABLE([output],
- AS_HELP_STRING([--disable-output], [disable --output logging]))
+ [AS_HELP_STRING([--disable-output], [disable --output logging])])
AS_IF([test "x$enable_output" != "xno"], [
HAVE_OUTPUT="-DHAVE_OUTPUT"
- AC_SUBST(HAVE_OUTPUT)
])
HAVE_USERTMPFS=""
+AC_SUBST([HAVE_USERTMPFS])
AC_ARG_ENABLE([usertmpfs],
- AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
+ [AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])])
AS_IF([test "x$enable_usertmpfs" != "xno"], [
HAVE_USERTMPFS="-DHAVE_USERTMPFS"
- AC_SUBST(HAVE_USERTMPFS)
])
HAVE_MAN="no"
+AC_SUBST([HAVE_MAN])
AC_ARG_ENABLE([man],
- AS_HELP_STRING([--disable-man], [disable man pages]))
+ [AS_HELP_STRING([--disable-man], [disable man pages])])
AS_IF([test "x$enable_man" != "xno"], [
HAVE_MAN="-DHAVE_MAN"
- AC_SUBST(HAVE_MAN)
AC_CHECK_PROG([HAVE_GAWK], [gawk], [yes], [no])
- AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR("*** gawk not found ***")])
+ AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR([*** gawk not found ***])])
])
HAVE_FIRETUNNEL=""
+AC_SUBST([HAVE_FIRETUNNEL])
AC_ARG_ENABLE([firetunnel],
- AS_HELP_STRING([--disable-firetunnel], [disable firetunnel]))
-AS_IF([test "x$enable_firetunnel" != "xno"], [
+ [AS_HELP_STRING([--enable-firetunnel], [enable firetunnel])])
+AS_IF([test "x$enable_firetunnel" = "xyes"], [
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
- AC_SUBST(HAVE_FIRETUNNEL)
])
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
+AC_SUBST([HAVE_PRIVATE_HOME])
AC_ARG_ENABLE([private-home],
- AS_HELP_STRING([--disable-private-home], [disable private home feature]))
+ [AS_HELP_STRING([--disable-private-home], [disable private home feature])])
AS_IF([test "x$enable_private_home" != "xno"], [
HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
- AC_SUBST(HAVE_PRIVATE_HOME)
])
HAVE_CHROOT=""
+AC_SUBST([HAVE_CHROOT])
AC_ARG_ENABLE([chroot],
- AS_HELP_STRING([--disable-chroot], [disable chroot]))
+ [AS_HELP_STRING([--disable-chroot], [disable chroot])])
AS_IF([test "x$enable_chroot" != "xno"], [
HAVE_CHROOT="-DHAVE_CHROOT"
- AC_SUBST(HAVE_CHROOT)
])
HAVE_GLOBALCFG=""
+AC_SUBST([HAVE_GLOBALCFG])
AC_ARG_ENABLE([globalcfg],
- AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+ [AS_HELP_STRING([--disable-globalcfg],
+ [if the global config file firejail.config is not present, continue the program using defaults])])
AS_IF([test "x$enable_globalcfg" != "xno"], [
HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
- AC_SUBST(HAVE_GLOBALCFG)
])
HAVE_NETWORK=""
+AC_SUBST([HAVE_NETWORK])
AC_ARG_ENABLE([network],
- AS_HELP_STRING([--disable-network], [disable network]))
+ [AS_HELP_STRING([--disable-network], [disable network])])
AS_IF([test "x$enable_network" != "xno"], [
HAVE_NETWORK="-DHAVE_NETWORK"
- AC_SUBST(HAVE_NETWORK)
])
HAVE_USERNS=""
+AC_SUBST([HAVE_USERNS])
AC_ARG_ENABLE([userns],
- AS_HELP_STRING([--disable-userns], [disable user namespace]))
+ [AS_HELP_STRING([--disable-userns], [disable user namespace])])
AS_IF([test "x$enable_userns" != "xno"], [
HAVE_USERNS="-DHAVE_USERNS"
- AC_SUBST(HAVE_USERNS)
])
HAVE_X11=""
+AC_SUBST([HAVE_X11])
AC_ARG_ENABLE([x11],
- AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support]))
+ [AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support])])
AS_IF([test "x$enable_x11" != "xno"], [
HAVE_X11="-DHAVE_X11"
- AC_SUBST(HAVE_X11)
])
HAVE_FILE_TRANSFER=""
+AC_SUBST([HAVE_FILE_TRANSFER])
AC_ARG_ENABLE([file-transfer],
- AS_HELP_STRING([--disable-file-transfer], [disable file transfer]))
+ [AS_HELP_STRING([--disable-file-transfer], [disable file transfer])])
AS_IF([test "x$enable_file_transfer" != "xno"], [
HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
- AC_SUBST(HAVE_FILE_TRANSFER)
-])
-
-HAVE_WHITELIST=""
-AC_ARG_ENABLE([whitelist],
- AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
-AS_IF([test "x$enable_whitelist" != "xno"], [
- HAVE_WHITELIST="-DHAVE_WHITELIST"
- AC_SUBST(HAVE_WHITELIST)
])
HAVE_SUID=""
+AC_SUBST([HAVE_SUID])
AC_ARG_ENABLE([suid],
- AS_HELP_STRING([--disable-suid], [install as a non-SUID executable]))
-AS_IF([test "x$enable_suid" = "xno"],
- [HAVE_SUID="no"],
- [HAVE_SUID="yes"]
-)
-AC_SUBST(HAVE_SUID)
+ [AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])])
+AS_IF([test "x$enable_suid" != "xno"], [
+ HAVE_SUID="-DHAVE_SUID"
+])
HAVE_FATAL_WARNINGS=""
+AC_SUBST([HAVE_FATAL_WARNINGS])
AC_ARG_ENABLE([fatal_warnings],
- AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
+ [AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])])
AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
HAVE_FATAL_WARNINGS="-W -Wall -Werror"
- AC_SUBST(HAVE_FATAL_WARNINGS)
])
BUSYBOX_WORKAROUND="no"
+AC_SUBST([BUSYBOX_WORKAROUND])
AC_ARG_ENABLE([busybox-workaround],
- AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround]))
+ [AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])])
AS_IF([test "x$enable_busybox_workaround" = "xyes"], [
BUSYBOX_WORKAROUND="yes"
- AC_SUBST(BUSYBOX_WORKAROUND)
])
-
HAVE_GCOV=""
+AC_SUBST([HAVE_GCOV])
AC_ARG_ENABLE([gcov],
- AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
+ [AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])])
AS_IF([test "x$enable_gcov" = "xyes"], [
- HAVE_GCOV="--coverage -DHAVE_GCOV "
- EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage "
- AC_SUBST(HAVE_GCOV)
+ HAVE_GCOV="--coverage -DHAVE_GCOV"
+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage"
+ LIBS="$LIBS -lgcov"
])
HAVE_CONTRIB_INSTALL="yes"
+AC_SUBST([HAVE_CONTRIB_INSTALL])
AC_ARG_ENABLE([contrib-install],
- AS_HELP_STRING([--enable-contrib-install], [install contrib scripts]))
-AS_IF([test "x$enable_contrib_install" = "xno"],
- [HAVE_CONTRIB_INSTALL="no"],
- [HAVE_CONTRIB_INSTALL="yes"]
-)
-AC_SUBST(HAVE_CONTRIB_INSTALL)
+ [AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])])
+AS_IF([test "x$enable_contrib_install" = "xno"], [
+ HAVE_CONTRIB_INSTALL="no"
+])
HAVE_FORCE_NONEWPRIVS=""
+AC_SUBST([HAVE_FORCE_NONEWPRIVS])
AC_ARG_ENABLE([force-nonewprivs],
- AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
+ [AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])])
AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
- AC_SUBST(HAVE_FORCE_NONEWPRIVS)
+])
+
+HAVE_ONLY_SYSCFG_PROFILES=""
+AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
+AC_ARG_ENABLE([only-syscfg-profiles],
+ [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
+AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
+ HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
])
HAVE_LTS=""
+AC_SUBST([HAVE_LTS])
AC_ARG_ENABLE([lts],
- AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
+ [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
AS_IF([test "x$enable_lts" = "xyes"], [
HAVE_LTS="-DHAVE_LTS"
- AC_SUBST(HAVE_LTS)
-
+ HAVE_IDS=""
HAVE_DBUSPROXY=""
- AC_SUBST(HAVE_DBUSPROXY)
-
HAVE_OVERLAYFS=""
- AC_SUBST(HAVE_OVERLAYFS)
-
HAVE_OUTPUT=""
- AC_SUBST(HAVE_OUTPUT)
-
HAVE_USERTMPFS=""
- AC_SUBST(HAVE_USERTMPFS)
-
HAVE_MAN="-DHAVE_MAN"
- AC_SUBST(HAVE_MAN)
-
HAVE_FIRETUNNEL=""
- AC_SUBST(HAVE_FIRETUNNEL)
-
- HAVE_PRIVATEHOME=""
- AC_SUBST(HAVE_PRIVATE_HOME)
-
+ HAVE_PRIVATE_HOME=""
HAVE_CHROOT=""
- AC_SUBST(HAVE_CHROOT)
-
HAVE_GLOBALCFG=""
- AC_SUBST(HAVE_GLOBALCFG)
-
HAVE_USERNS=""
- AC_SUBST(HAVE_USERNS)
-
HAVE_X11=""
- AC_SUBST(HAVE_X11)
-
HAVE_FILE_TRANSFER=""
- AC_SUBST(HAVE_FILE_TRANSFER)
-
- HAVE_SUID="yes"
- AC_SUBST(HAVE_SUID)
-
+ HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
- AC_SUBST(BUSYBOX_WORKAROUND)
-
- HAVE_CONTRIB_INSTALL="no",
- AC_SUBST(HAVE_CONTRIB_INSTALL)
+ HAVE_CONTRIB_INSTALL="no"
])
-
-
-
-# checking pthread library
-AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
+AC_CHECK_HEADER([linux/seccomp.h], [],
+ [AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])])
# set sysconfdir
if test "$prefix" = /usr; then
test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
fi
-AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
-AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
-src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
-src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
-src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile])
+AC_CONFIG_FILES([config.mk config.sh])
AC_OUTPUT
cat <<EOF
-Configuration options:
+Compile options:
+ CC: $CC
+ CFLAGS: $CFLAGS
+ LDFLAGS: $LDFLAGS
+ EXTRA_CFLAGS: $EXTRA_CFLAGS
+ EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+ LIBS: $LIBS
+ fatal warnings: $HAVE_FATAL_WARNINGS
+ gcov instrumentation: $HAVE_GCOV
+ install as a SUID executable: $HAVE_SUID
+ install contrib scripts: $HAVE_CONTRIB_INSTALL
prefix: $prefix
sysconfdir: $sysconfdir
+ Spectre compiler patch: $HAVE_SPECTRE
+
+Features:
+ allow tmpfs as regular user: $HAVE_USERTMPFS
+ always enforce filters: $HAVE_FORCE_NONEWPRIVS
apparmor: $HAVE_APPARMOR
- SELinux labeling support: $HAVE_SELINUX
- global config: $HAVE_GLOBALCFG
+ busybox workaround: $BUSYBOX_WORKAROUND
chroot: $HAVE_CHROOT
- network: $HAVE_NETWORK
- user namespace: $HAVE_USERNS
- X11 sandboxing support: $HAVE_X11
- whitelisting: $HAVE_WHITELIST
- private home support: $HAVE_PRIVATE_HOME
- file transfer support: $HAVE_FILE_TRANSFER
- overlayfs support: $HAVE_OVERLAYFS
DBUS proxy support: $HAVE_DBUSPROXY
- allow tmpfs as regular user: $HAVE_USERTMPFS
- enable --ouput logging: $HAVE_OUTPUT
- Manpage support: $HAVE_MAN
+ disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
+ enable --output logging: $HAVE_OUTPUT
+ file transfer support: $HAVE_FILE_TRANSFER
firetunnel support: $HAVE_FIRETUNNEL
- busybox workaround: $BUSYBOX_WORKAROUND
- Spectre compiler patch: $HAVE_SPECTRE
- EXTRA_LDFLAGS: $EXTRA_LDFLAGS
- EXTRA_CFLAGS: $EXTRA_CFLAGS
- fatal warnings: $HAVE_FATAL_WARNINGS
- Gcov instrumentation: $HAVE_GCOV
- Install contrib scripts: $HAVE_CONTRIB_INSTALL
- Install as a SUID executable: $HAVE_SUID
+ global config: $HAVE_GLOBALCFG
+ IDS support: $HAVE_IDS
LTS: $HAVE_LTS
- Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+ manpage support: $HAVE_MAN
+ network: $HAVE_NETWORK
+ overlayfs support: $HAVE_OVERLAYFS
+ private home support: $HAVE_PRIVATE_HOME
+ SELinux labeling support: $HAVE_SELINUX
+ user namespace: $HAVE_USERNS
+ X11 sandboxing support: $HAVE_X11
EOF
if test "$HAVE_LTS" = -DHAVE_LTS; then
cat <<\EOF
-
-
*********************************************************
* Warning: Long-term support (LTS) was enabled! *
-* Most compile-time options have bean rewritten! *
+* Most compile-time options have been rewritten! *
*********************************************************
-
EOF
fi
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fix_private-bin.py
^
|
@@ -164,7 +164,7 @@
def main() -> None:
- """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
+ """The main function. Parses the commandline args, shows messages and calls the function actually doing the work."""
if len(sys.argv) > 2 or (len(sys.argv) == 2 and
(sys.argv[1] == "-h" or sys.argv[1] == "--help")):
printHelp()
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fj-mkdeb.py
^
|
@@ -1,49 +1,39 @@
#!/usr/bin/env python3
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
-# This script automates the workaround for https://github.com/netblue30/firejail/issues/772
+# This script automates the creation of a .deb package. It was originally
+# created to work around https://github.com/netblue30/firejail/issues/772
-import os, shlex, subprocess, sys
+import os, subprocess, sys
def run(srcdir, args):
if srcdir: os.chdir(srcdir)
- if not (os.path.isfile('./mkdeb.sh.in')):
+ if not (os.path.isfile('./mkdeb.sh')):
print('Error: Not a firejail source tree? Exiting.')
return 1
- dry_run = False
- escaped_args = []
- # We need to modify the list as we go. So be sure to copy the list to be iterated!
+ # Ignore unsupported arguments.
for a in args[:]:
if a.startswith('--prefix'):
# prefix should ALWAYS be /usr here. Discard user-set values
args.remove(a)
- elif a == '--only-fix-mkdeb':
- # for us, not configure
- dry_run = True
- args.remove(a)
- else:
- escaped_args.append(shlex.quote(a))
- # Run configure to generate mkdeb.sh.
+ # Run configure to generate config.sh.
first_config = subprocess.call(['./configure', '--prefix=/usr'] + args)
if first_config != 0:
return first_config
- # Fix up dynamically-generated mkdeb.sh to include custom configure options.
- with open('mkdeb.sh', 'rb') as f:
- sh = str(f.read(), 'utf_8')
- with open('mkdeb.sh', 'wb') as f:
- f.write(bytes(sh.replace('./configure $CONFIG_ARGS',
- './configure $CONFIG_ARGS ' + (' '.join(escaped_args))), 'utf_8'))
-
- if dry_run: return 0
+ # Create the dist file used by mkdeb.sh.
+ make_dist = subprocess.call(['make', 'dist'])
+ if make_dist != 0:
+ return make_dist
- return subprocess.call(['make', 'deb'])
+ # Run mkdeb.sh with the custom configure options.
+ return subprocess.call(['./mkdeb.sh'] + args)
if __name__ == '__main__':
@@ -51,13 +41,12 @@
print('''Build a .deb of firejail with custom configure options
usage:
-{script} [--fj-src=SRCDIR] [--only-fix-mkdeb] [CONFIGURE_OPTIONS [...]]
+{script} [--fj-src=SRCDIR] [CONFIGURE_OPTIONS [...]]
--fj-src=SRCDIR: manually specify the location of firejail source tree
as SRCDIR. If not specified, looks in the parent directory
of the directory where this script is located, and then the
current working directory, in that order.
- --only-fix-mkdeb: don't run configure or make after modifying mkdeb.sh
CONFIGURE_OPTIONS: arguments for configure
'''.format(script=sys.argv[0]))
sys.exit(0)
@@ -73,9 +62,9 @@
if not (srcdir):
# srcdir not manually specified, try to auto-detect
srcdir = os.path.dirname(os.path.abspath(sys.argv[0] + '/..'))
- if not (os.path.isfile(srcdir + '/mkdeb.sh.in')):
+ if not (os.path.isfile(srcdir + '/mkdeb.sh')):
# Script is probably installed. Check the cwd.
- if os.path.isfile('./mkdeb.sh.in'):
+ if os.path.isfile('./mkdeb.sh'):
srcdir = None
else:
print(
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fjclip.py
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
import sys
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fjdisplay.py
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
import re
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fjresize.py
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
import sys
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/gdb-firejail.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set -x
@@ -17,8 +17,8 @@
else
# First argument is not named firejail, then add default unless environment
# variable already set.
- set -- ${FIREJAIL:=$(which firejail)} "$@"
+ set -- ${FIREJAIL:=$(command -v firejail)} "$@"
fi
bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
-sudo gdb -e "$FIREJAIL" -p "$!"
+sudo gdb -e "$FIREJAIL" -p "$!"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/gtksourceview-5/language-specs/firejail-profile.lang
^
|
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vim: set ts=2 sts=2 sw=2 et: -->
+<!--
+ https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md
+ https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-reference.md
+-->
+<language id="firejail-profile" name="Firejail Profile" version="2.0" _section="Other">
+ <metadata>
+ <property name="mimetypes">text/plain;text/x-firejail-profile</property>
+ <property name="globs">*.profile;*.local;*.inc</property>
+ <property name="line-comment-start">#</property>
+ </metadata>
+
+ <styles>
+ <style id="comment" name="Comment" map-to="def:comment"/>
+ <style id="condition" name="Condition" map-to="def:preprocessor"/>
+ <style id="command" name="Command" map-to="def:keyword"/>
+ <style id="invalid" name="Invalid" map-to="def:error"/>
+ </styles>
+
+ <definitions>
+ <define-regex id="commands-with-arguments" extended="true">
+ (apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen)
+ </define-regex>
+
+ <define-regex id="commands-without-arguments" extended="true">
+ (allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11)
+ </define-regex>
+
+ <define-regex id="conditions" extended="true">
+ (ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11)
+ </define-regex>
+
+ <context id="conditional-line">
+ <match>\?(?P<condition>\%{conditions}): </match>
+ <include>
+ <context sub-pattern="condition" style-ref="condition"/>
+ </include>
+ </context>
+
+ <context id="command-with-args">
+ <match>(?P<command>\%{commands-with-arguments}) (?P<args>.+)</match>
+ <include>
+ <context sub-pattern="command" style-ref="command"/>
+ </include>
+ </context>
+
+ <context id="command-without-args">
+ <match dupnames="true">(?P<command>\%{commands-without-arguments})</match>
+ <include>
+ <context sub-pattern="command" style-ref="command"/>
+ </include>
+ </context>
+
+ <context id="invalid" style-ref="invalid">
+ <match>.+</match>
+ </context>
+
+ <context id="firejail-profile" class="no-spell-check">
+ <include>
+ <context ref="def:shell-like-comment"/>
+ <context ref="conditional-line"/>
+ <context ref="command-with-args"/>
+ <context ref="command-without-args"/>
+ <context ref="invalid"/>
+ </include>
+ </context>
+ </definitions>
+</language>
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/jail_prober.py
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
"""
Figure out which profile options may be causing a particular program to break
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/sort.py
^
|
@@ -1,49 +1,62 @@
#!/usr/bin/env python3
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
-"""
-Sort the items of multi-item options in profiles, the following options are supported:
- private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol
-Usage:
- $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ]
+# Requirements:
+# python >= 3.6
+from os import path
+from sys import argv, exit as sys_exit, stderr
+
+__doc__ = f"""\
+Sort the arguments of commands in profiles.
+
+Usage: {path.basename(argv[0])} [/path/to/profile ...]
+
+The following commands are supported:
+
+ private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
+ seccomp.drop, protocol
+
+Note that this is only applicable to commands that support multiple arguments.
+
Keep in mind that this will overwrite your profile(s).
Examples:
- $ ./sort.py MyAwesomeProfile.profile
- $ ./sort.py new_profile.profile second_new_profile.profile
- $ ./sort.py ~/.config/firejail/*.{profile,inc,local}
- $ sudo ./sort.py /etc/firejail/*.{profile,inc,local}
-
-Exit-Codes:
- 0: No Error; No Profile Fixed.
- 1: Error, one or more profiles were not processed correctly.
- 101: No Error; One or more profile were fixed.
+ $ {argv[0]} MyAwesomeProfile.profile
+ $ {argv[0]} new_profile.profile second_new_profile.profile
+ $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}}
+ $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}}
+
+Exit Codes:
+ 0: Success: No profiles needed fixing.
+ 1: Error: One or more profiles could not be processed correctly.
+ 2: Error: Missing arguments.
+ 101: Info: One or more profiles were fixed.
"""
-# Requirements:
-# python >= 3.6
-from sys import argv
-
-def sort_alphabetical(raw_items):
- items = raw_items.split(",")
- items.sort(key=lambda s: s.casefold())
+def sort_alphabetical(original_items):
+ items = original_items.split(",")
+ items.sort(key=str.casefold)
return ",".join(items)
-def sort_protocol(protocols):
- """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+def sort_protocol(original_protocols):
+ """
+ Sort the given protocols into the following order:
+
+ unix,inet,inet6,netlink,packet,bluetooth
+ """
# shortcut for common protocol lines
- if protocols in ("unix", "unix,inet,inet6"):
- return protocols
+ if original_protocols in ("unix", "unix,inet,inet6"):
+ return original_protocols
fixed_protocols = ""
for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
for prefix in ("", "-", "+", "="):
- if f",{prefix}{protocol}," in f",{protocols},":
+ if f",{prefix}{protocol}," in f",{original_protocols},":
fixed_protocols += f"{prefix}{protocol},"
return fixed_protocols[:-1]
@@ -53,7 +66,7 @@
lines = profile.read().split("\n")
was_fixed = False
fixed_profile = []
- for lineno, line in enumerate(lines):
+ for lineno, line in enumerate(lines, 1):
if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
@@ -69,8 +82,8 @@
if fixed_line != line:
was_fixed = True
print(
- f"{filename}:{lineno + 1}:-{line}\n"
- f"{filename}:{lineno + 1}:+{fixed_line}"
+ f"{filename}:{lineno}:-{line}\n"
+ f"{filename}:{lineno}:+{fixed_line}"
)
fixed_profile.append(fixed_line)
if was_fixed:
@@ -84,25 +97,33 @@
def main(args):
+ if len(args) < 1:
+ print(__doc__, file=stderr)
+ return 2
+
+ print(f"sort.py: checking {len(args)} profile(s)...")
+
exit_code = 0
- print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
for filename in args:
try:
if exit_code not in (1, 101):
exit_code = fix_profile(filename)
else:
fix_profile(filename)
- except FileNotFoundError:
- print(f"[ Error ] Can't find `{filename}'")
+ except FileNotFoundError as err:
+ print(f"[ Error ] {err}", file=stderr)
exit_code = 1
- except PermissionError:
- print(f"[ Error ] Can't read/write `{filename}'")
+ except PermissionError as err:
+ print(f"[ Error ] {err}", file=stderr)
exit_code = 1
except Exception as err:
- print(f"[ Error ] An error occurred while processing `{filename}': {err}")
+ print(
+ f"[ Error ] An error occurred while processing '{filename}': {err}",
+ file=stderr,
+ )
exit_code = 1
return exit_code
if __name__ == "__main__":
- exit(main(argv[1:]))
+ sys_exit(main(argv[1:]))
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/syscalls.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/update_deb.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/sh
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
# Purpose: Fetch, compile, and install firejail from GitHub source. For
@@ -9,15 +9,13 @@
git clone --depth=1 https://github.com/netblue30/firejail.git
cd firejail
-./configure --enable-apparmor --prefix=/usr
+./configure
# Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916920
-sed -i \
- -e "s/# cgroup .*/cgroup no/" \
- -e "s/# restricted-network .*/restricted-network yes/" \
+sed -i "s/# restricted-network .*/restricted-network yes/" \
etc/firejail.config
-make deb
+make deb-apparmor
sudo dpkg -i firejail*.deb
echo "Firejail updated."
cd ..
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/vim/syntax/firejail.vim
^
|
@@ -17,18 +17,21 @@
syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
syn match fjCapabilityList /,/ nextgroup=fjCapability contained
+syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
+syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
+
syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
syn match fjProtocolList /,/ nextgroup=fjProtocol contained
" Syscalls grabbed from: src/include/syscall*.h
-" Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' '
+" Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' '
syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
" Syscall groups grabbed from: src/fseccomp/syscall.c
-" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|'
+" Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|'
syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
" Errnos grabbed from: src/fseccomp/errno.c
-" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|'
+" Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|'
syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
syn match fjSyscallList /,/ nextgroup=fjSyscall contained
@@ -44,18 +47,19 @@
syn keyword fjFilter filter contained
" Variable names grabbed from: src/firejail/macros.c
-" Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|'
+" Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|'
syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/
" Commands grabbed from: src/firejail/profile.c
-" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
-" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+" Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
+syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+" Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
+syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
@@ -71,8 +75,8 @@
syn match fjCommandNoCond /quiet$/ contained
" Conditionals grabbed from: src/firejail/profile.c
-" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
+" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|'
+syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
" A line is either a command, a conditional or a comment
syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc-fixes/0.9.58/atom.profile
^
|
@@ -1,4 +1,3 @@
-
# Firejail profile for atom
# Description: A hackable text editor for the 21st Century
# This file is overwritten after every install/update
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc-fixes/seccomp-join-bug/README
^
|
@@ -8,4 +8,3 @@
The original discussion thread: https://github.com/netblue30/firejail/issues/2718
The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
-
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/apparmor/firejail-base
^
|
@@ -0,0 +1,27 @@
+#########################################
+# Firejail base abstraction drop-in
+#
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+# Also there is no support for Firejail chroot options.
+#########################################
+
+# Discovery of process names
+owner /proc/@{pid}/comm r,
+
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+
+# Library preloading
+/{,var/}run/firejail/lib/*.so mr,
+
+# Supporting seccomp
+owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+
+# Supporting trace
+owner /{,var/}run/firejail/mnt/trace w,
+
+# Supporting tracelog
+/{,var/}run/firejail/mnt/fslogger r,
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/apparmor/firejail-default
^
|
@@ -33,6 +33,7 @@
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=@{profile_name},
+ptrace (read,readby) peer=@{profile_name}//&unconfined,
##########
# Allow read access to whole filesystem and control it from firejail.
@@ -67,6 +68,9 @@
# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,
+# Allow access to avahi-daemon socket.
+/{,var/}run/avahi-daemon/socket w,
+
# Allow access to pcscd socket (smartcards)
/{,var/}run/pcscd/pcscd.comm w,
@@ -120,6 +124,7 @@
##########
# There is no equivalent in Firejail for filtering signals.
##########
+signal (send) peer=@{profile_name}//&unconfined,
signal (send) peer=@{profile_name},
signal (receive),
@@ -129,7 +134,7 @@
##########
# The list of recognized capabilities varies from one apparmor version to another.
# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
-# We allow all caps by default and remove the ones we don't like:
+# We allow all caps by default and remove the ones we don't like:
capability,
deny capability audit_write,
deny capability audit_control,
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/apparmor/firejail-local
^
|
@@ -8,8 +8,17 @@
#owner @HOME/bin/** ix
#owner @HOME/.local/bin/** ix
+# Uncomment to opt-in to apparmor for brave + ipfs
+#owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,
+
# Uncomment to opt-in to apparmor for brave + tor
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,
+# Uncomment to opt-in to apparmor for firefox DRM (gmp-widevinecdm)
+#owner @{HOME}/.mozilla/firefox/*/gm*/** ix,
+
+# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
+#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
+
# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/firejail.config
^
|
@@ -2,6 +2,10 @@
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.
+# Allow programs to display a tray icon (warning: allows escaping the sandbox;
+# see https://github.com/netblue30/firejail/discussions/4053)
+# allow-tray no
+
# Enable AppArmor functionality, default enabled.
# apparmor yes
@@ -21,11 +25,8 @@
# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes
-# Enable or disable cgroup support, default enabled.
-# cgroup yes
-
-# Enable or disable chroot support, default enabled.
-# chroot yes
+# Enable or disable chroot support, default disabled
+# chroot no
# Enable or disable dbus handling, default enabled.
# dbus yes
@@ -56,6 +57,11 @@
# to the specified period of time to allow sandbox setup to finish.
# join-timeout 5
+# tracelog enables auditing blacklisted files and directories. A message
+# is sent to syslog in case the file or the directory is accessed.
+# Disabled by default.
+# tracelog no
+
# Enable or disable sandbox name change, default enabled.
# name-change yes
@@ -63,7 +69,7 @@
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
-# format of iptables-save and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable networking features, default enabled.
@@ -72,6 +78,10 @@
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
+# Hide blacklisted files in /etc directory (enabling this may break
+# /etc/resolv.conf; see #5010), default disabled.
+# etc-hide-blacklisted no
+
# Set the limit for file copy in several --private-* options. The size is set
# in megabytes. By default we allow up to 500MB.
# Note: the files are copied in RAM.
@@ -92,8 +102,8 @@
# Enable or disable private-home feature, default enabled
# private-home yes
-# Enable or disable private-lib feature, default enabled
-# private-lib yes
+# Enable or disable private-lib feature, default disabled
+# private-lib no
# Enable or disable private-opt feature, default enabled.
# private-opt yes
@@ -120,12 +130,15 @@
# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
# seccomp-error-action EPERM
+# If seccomp subsystem in Linux kernel kills a program, a message is posted to syslog.
+# Starting with Linux kernel version 4.14, it is possible to send seccomp violation messages
+# even if the program is allowed to continue (see "seccomp-error-action EPERM" above).
+# This logging feature is disabled by default in our implementation.
+# seccomp-log no
+
# Enable or disable user namespace support, default enabled.
# userns yes
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
-
# Disable whitelist top level directories, in addition to those
# that are disabled out of the box. None by default; this is an example.
# whitelist-disable-topdir /etc,/usr/etc
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/ids.config
^
|
@@ -0,0 +1,163 @@
+# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
+# This config file is overwritten when a new version of Firejail is installed.
+# For global customization use /etc/firejail/ids.config.local.
+include ids.config.local
+#
+# Each line is a file or directory name such as
+# /usr/bin
+# or
+# ${HOME}/Desktop/*.desktop
+#
+# ${HOME} is expanded to the user's home directory, and * is the regular
+# globbing match for zero or more characters.
+#
+# File or directory names starting with ! are not scanned. For example
+# !${HOME}/.ssh/known_hosts
+# ${HOME}/.ssh
+# will scan all files in ~/.ssh directory with the exception of known_hosts
+
+### system executables ###
+/bin
+/sbin
+/usr/bin
+/usr/games
+/usr/libexec
+/usr/sbin
+
+### user executables ###
+#/opt
+#/usr/local
+
+### system libraries ###
+#/lib
+#/usr/lib
+#/usr/lib32
+#/usr/lib64
+#/usr/libx32
+
+### shells local ###
+# bash
+${HOME}/.bash_aliases
+${HOME}/.bash_login
+${HOME}/.bash_logout
+${HOME}/.bash_profile
+${HOME}/.bashrc
+# fish
+${HOME}/.config/fish/config.fish
+# others
+${HOME}/.cshrc
+${HOME}/.kshrc
+${HOME}/.login
+${HOME}/.logout
+${HOME}/.profile
+${HOME}/.tcshrc
+# zsh
+${HOME}/.zlogin
+${HOME}/.zlogout
+${HOME}/.zshenv
+${HOME}/.zshprofile
+${HOME}/.zshrc
+
+# Note: This list should be kept in sync with the one in inc/disable-shell.inc.
+### shells global ###
+# all
+/etc/dircolors
+/etc/environment
+/etc/profile
+/etc/profile.d
+/etc/shells
+/etc/skel
+# bash
+/etc/bash
+/etc/bash.bashrc
+/etc/bash_completion*
+/etc/bashrc
+# fish
+/etc/fish
+# ksh
+/etc/ksh.kshrc
+/etc/suid_profile
+# tcsh
+/etc/complete.tcsh
+/etc/csh.cshrc
+/etc/csh.login
+/etc/csh.logout
+# zsh
+/etc/zlogin
+/etc/zlogout
+/etc/zprofile
+/etc/zsh
+/etc/zshenv
+/etc/zshrc
+
+### X11 ###
+/etc/X11
+${HOME}/.xinitrc
+${HOME}/.xmodmaprc
+${HOME}/.xprofile
+${HOME}/.Xresources
+${HOME}/.xserverrc
+${HOME}/.Xsession
+${HOME}/.xsession
+${HOME}/.xsessionrc
+
+### window/desktop manager ###
+${HOME}/Desktop/*.desktop
+${HOME}/.config/autostart
+${HOME}/.config/autostart-scripts
+${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.config/openbox/autostart
+${HOME}/.config/openbox/environment
+${HOME}/.config/plasma-workspace/env
+${HOME}/.config/plasma-workspace/shutdown
+${HOME}/.gnomerc
+${HOME}/.gtkrc
+${HOME}/.kde/Autostart
+${HOME}/.kde/env
+${HOME}/.kde/share/autostart
+${HOME}/.kde/shutdown
+${HOME}/.kde4/Autostart
+${HOME}/.kde4/env
+${HOME}/.kde4/share/autostart
+${HOME}/.kde4/shutdown
+${HOME}/.kderc
+${HOME}/.local/share/autostart
+
+### security ###
+/etc/aide
+/etc/apparmor*
+/etc/chkrootkit.conf
+/etc/cracklib
+/etc/doas.conf
+/etc/libaudit.conf
+/etc/group*
+/etc/gshadow*
+/etc/pam.*
+/etc/passwd*
+/etc/rkhunter*
+/etc/securetty
+/etc/security
+/etc/selinux
+/etc/shadow*
+/etc/sudoers*
+/etc/tripwire
+${HOME}/.config/firejail
+${HOME}/.gnupg
+${HOME}/.pam_environment
+
+### network security ###
+/etc/ca-certificates*
+/etc/hosts.*
+/etc/services
+/etc/snort
+/etc/ssh
+/etc/ssl
+/etc/wireshark
+!${HOME}/.ssh/known_hosts # excluding
+${HOME}/.ssh
+/usr/share/ca-certificates
+
+### system config ###
+/etc/cron.*
+/etc/crontab
+/etc/default
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-common-devel.inc
^
|
@@ -8,8 +8,13 @@
noblacklist ${HOME}/.git-credentials
# Java
+noblacklist ${HOME}/.ammonite
+noblacklist ${HOME}/.config/jgit
+noblacklist ${HOME}/.g8
noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.ivy2
noblacklist ${HOME}/.java
+noblacklist ${HOME}/.sbt
# Node.js
noblacklist ${HOME}/.node-gyp
@@ -27,5 +32,8 @@
noblacklist ${HOME}/.python_history
noblacklist ${HOME}/.pythonhist
+# Ruby
+noblacklist ${HOME}/.bundle
+
# Rust
-noblacklist ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-nodejs.inc
^
|
@@ -2,6 +2,8 @@
# Persistent customizations should go in a .local file.
include allow-nodejs.local
+ignore read-only ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
noblacklist ${PATH}/node
noblacklist /usr/include/node
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-opengl-game.inc
^
|
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-opengl-game.local
+
noblacklist ${PATH}/bash
whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-perl.inc
^
|
@@ -10,3 +10,6 @@
noblacklist /usr/lib/perl*
noblacklist /usr/lib64/perl*
noblacklist /usr/share/perl*
+
+# rxvt is also blacklisted in disable-interpreters.inc
+noblacklist ${PATH}/rxvt
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-ruby.inc
^
|
@@ -4,3 +4,4 @@
noblacklist ${PATH}/ruby
noblacklist /usr/lib/ruby
+noblacklist /usr/lib64/ruby
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-ssh.inc
^
|
@@ -5,4 +5,12 @@
noblacklist ${HOME}/.ssh
noblacklist /etc/ssh
noblacklist /etc/ssh/ssh_config
+noblacklist /etc/ssh/ssh_config.d
+noblacklist ${PATH}/ssh
noblacklist /tmp/ssh-*
+# Arch Linux and derivatives
+noblacklist /usr/lib/ssh
+# Debian/Ubuntu and derivatives
+noblacklist /usr/lib/openssh
+# Fedora and derivatives
+noblacklist /usr/libexec/openssh
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-X11.inc
^
|
@@ -0,0 +1,15 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-X11.local
+
+blacklist /tmp/.X11-unix
+blacklist ${HOME}/.Xauthority
+blacklist ${RUNUSER}/gdm/Xauthority
+blacklist ${RUNUSER}/.mutter-Xwaylandauth*
+blacklist ${RUNUSER}/xauth_*
+#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
+blacklist /tmp/xauth*
+blacklist /tmp/.ICE-unix
+blacklist ${RUNUSER}/ICEauthority
+rmenv DISPLAY
+rmenv XAUTHORITY
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-common.inc
^
|
@@ -9,14 +9,20 @@
# History files in $HOME and clipboard managers
blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.*_history_*
blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.ammonite/history
blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.cache/mupdf.history
blacklist-nolog ${HOME}/.histfile
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.kde/share/apps/klipper
blacklist-nolog ${HOME}/.kde4/share/apps/klipper
blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/ibus-typing-booster
blacklist-nolog ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.local/share/nvim
+blacklist-nolog ${HOME}/.local/state/nvim
blacklist-nolog ${HOME}/.macromedia
blacklist-nolog ${HOME}/.mupdf.history
blacklist-nolog ${HOME}/.python-history
@@ -159,20 +165,23 @@
# systemd
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
+blacklist ${PATH}/systemctl
blacklist ${PATH}/systemd-run
blacklist ${RUNUSER}/systemd
+blacklist /etc/systemd/network
+blacklist /etc/systemd/system
+blacklist /var/lib/systemd
# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
#blacklist /var/run/systemd
# openrc
-blacklist /etc/runlevels/
-blacklist /etc/init.d/
+blacklist /etc/init.d
blacklist /etc/rc.conf
+blacklist /etc/runlevels
# VirtualBox
-blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/VirtualBox VMs
# GNOME Boxes
@@ -242,20 +251,33 @@
blacklist /var/spool/mail
# etc
+blacklist /etc/adduser.conf
blacklist /etc/anacrontab
+blacklist /etc/apparmor*
blacklist /etc/cron*
-blacklist /etc/profile.d
+blacklist /etc/default
+blacklist /etc/dkms
+blacklist /etc/grub*
+blacklist /etc/kernel*
+blacklist /etc/logrotate*
+blacklist /etc/modules*
blacklist /etc/rc.local
# rc1.d, rc2.d, ...
blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+blacklist /etc/sysconfig
+
+# hide config for various intrusion detection systems
+blacklist /etc/aide
+blacklist /etc/aide.conf
+blacklist /etc/chkrootkit.conf
+blacklist /etc/fail2ban.conf
+blacklist /etc/logcheck
+blacklist /etc/lynis
+blacklist /etc/rkhunter.*
+blacklist /etc/snort
+blacklist /etc/suricata
+blacklist /etc/tripwire
+blacklist /var/lib/rkhunter
# Startup files
read-only ${HOME}/.antigen
@@ -305,6 +327,8 @@
# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/nvim
+read-only ${HOME}/.config/pkcs11
read-only ${HOME}/.dotfiles
read-only ${HOME}/.emacs
read-only ${HOME}/.emacs.d
@@ -314,6 +338,8 @@
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.local/lib
read-only ${HOME}/.local/share/cool-retro-term
+read-only ${HOME}/.local/share/nvim
+read-only ${HOME}/.local/state/nvim
read-only ${HOME}/.mailcap
read-only ${HOME}/.msmtprc
read-only ${HOME}/.mutt/muttrc
@@ -335,15 +361,19 @@
read-only ${HOME}/dotfiles
# Make directories commonly found in $PATH read-only
+read-only ${HOME}/.bin
+read-only ${HOME}/.cargo/bin
read-only ${HOME}/.gem
+read-only ${HOME}/.local/bin
+read-only ${HOME}/.local/share/coursier/bin
read-only ${HOME}/.luarocks
read-only ${HOME}/.npm-packages
read-only ${HOME}/.nvm
-read-only ${HOME}/bin
-read-only ${HOME}/.bin
-read-only ${HOME}/.local/bin
-read-only ${HOME}/.cargo/bin
read-only ${HOME}/.rustup
+read-only ${HOME}/bin
+
+# Write-protection for portable apps
+read-only ${HOME}/Applications # used for storing AppImages
# Write-protection for desktop entries
read-only ${HOME}/.config/menus
@@ -362,14 +392,32 @@
blacklist /tmp/ssh-*
# top secret
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.key
+blacklist ${HOME}/Private
blacklist ${HOME}/.Private
blacklist ${HOME}/.caff
blacklist ${HOME}/.cargo/credentials
blacklist ${HOME}/.cargo/credentials.toml
blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/hub
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.davfs2/secrets
blacklist ${HOME}/.ecryptfs
@@ -379,40 +427,37 @@
blacklist ${HOME}/.git-credentials
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.local/share/keyrings
blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/pki
blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.minisign
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.mutt
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.netrc
blacklist ${HOME}/.nyx
blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/.ssh
blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
+blacklist /run/timeshift
blacklist /var/backup
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN
+rmenv CARGO_REGISTRY_TOKEN
+rmenv RESTIC_KEY_HINT
+rmenv RESTIC_PASSWORD_COMMAND
+rmenv RESTIC_PASSWORD_FILE
+
# cloud provider configuration
blacklist ${HOME}/.aws
blacklist ${HOME}/.boto
@@ -427,13 +472,14 @@
blacklist /usr/local/sbin
blacklist /usr/sbin
-# system management
+# system management and various SUID executables
blacklist ${PATH}/at
blacklist ${PATH}/busybox
blacklist ${PATH}/chage
blacklist ${PATH}/chfn
blacklist ${PATH}/chsh
blacklist ${PATH}/crontab
+blacklist ${PATH}/doas
blacklist ${PATH}/evtest
blacklist ${PATH}/expiry
blacklist ${PATH}/fusermount
@@ -462,6 +508,43 @@
blacklist ${PATH}/unix_chkpwd
blacklist ${PATH}/xev
blacklist ${PATH}/xinput
+# from 0.9.67
+blacklist /usr/lib/openssh
+blacklist /usr/lib/ssh
+blacklist /usr/libexec/openssh
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
+blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/opera/opera_sandbox
+blacklist /usr/lib/vmware
+blacklist ${PATH}/suexec
+blacklist /usr/lib/squid/basic_pam_auth
+blacklist ${PATH}/slock
+blacklist ${PATH}/physlock
+blacklist ${PATH}/schroot
+blacklist ${PATH}/wshowkeys
+blacklist ${PATH}/pmount
+blacklist ${PATH}/pumount
+blacklist ${PATH}/bmon
+blacklist ${PATH}/fping
+blacklist ${PATH}/fping6
+blacklist ${PATH}/hostname
+# blacklist ${PATH}/ip - breaks --ip=dhcp
+blacklist ${PATH}/mtr
+blacklist ${PATH}/mtr-packet
+blacklist ${PATH}/netstat
+blacklist ${PATH}/nm-online
+blacklist ${PATH}/nmcli
+blacklist ${PATH}/nmtui
+blacklist ${PATH}/nmtui-connect
+blacklist ${PATH}/nmtui-edit
+blacklist ${PATH}/nmtui-hostname
+blacklist ${PATH}/networkctl
+blacklist ${PATH}/ss
+blacklist ${PATH}/traceroute
# other SUID binaries
blacklist /usr/lib/virtualbox
@@ -473,10 +556,13 @@
blacklist /tmp/tmux-*
# disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/kgx
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
blacklist ${PATH}/lilyterm
+blacklist ${PATH}/lxterminal
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/pantheon-terminal
@@ -488,8 +574,6 @@
blacklist ${PATH}/urxvtcd
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
# kernel files
blacklist /initrd*
@@ -505,20 +589,27 @@
read-only ${HOME}/.local/share/flatpak/exports
blacklist ${HOME}/.local/share/flatpak/*
blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
blacklist ${RUNUSER}/.dbus-proxy
blacklist ${RUNUSER}/.flatpak
blacklist ${RUNUSER}/.flatpak-cache
blacklist ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
blacklist /usr/share/flatpak
noblacklist /var/lib/flatpak/exports
blacklist /var/lib/flatpak/*
-# most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
# snap
+blacklist ${HOME}/snap
+blacklist ${PATH}/snap
+blacklist ${PATH}/snapctl
blacklist ${RUNUSER}/snapd-session-agent.socket
+blacklist /snap
+blacklist /usr/lib/snapd
+blacklist /var/lib/snapd
+blacklist /var/snap
# mail directories used by mutt
blacklist ${HOME}/.Mail
@@ -529,11 +620,10 @@
blacklist ${HOME}/postponed
blacklist ${HOME}/sent
-# kernel configuration
+# kernel configuration - keep this here although it's also in disable-proc.inc
blacklist /proc/config.gz
-# prevent DNS malware attempting to communicate with the server
-# using regular DNS tools
+# prevent DNS malware attempting to communicate with the server using regular DNS tools
blacklist ${PATH}/dig
blacklist ${PATH}/dlint
blacklist ${PATH}/dns2tcp
@@ -551,8 +641,19 @@
blacklist ${PATH}/resolvectl
blacklist ${PATH}/unbound-host
+# prevent an intruder to guess passwords using regular network tools
+blacklist ${PATH}/ftp
+blacklist ${PATH}/ssh
+blacklist ${PATH}/telnet
+
# rest of ${RUNUSER}
blacklist ${RUNUSER}/*.lock
blacklist ${RUNUSER}/inaccessible
blacklist ${RUNUSER}/pk-debconf-socket
blacklist ${RUNUSER}/update-notifier.pid
+
+# tor-browser
+blacklist ${HOME}/.local/opt/tor-browser
+
+# pass utility (pass package in Debian etc.)
+blacklist ${HOME}/.password-store
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-devel.inc
^
|
@@ -41,6 +41,13 @@
blacklist /usr/lib/java
blacklist /usr/share/java
+# Scala
+blacklist ${PATH}/scala
+blacklist ${PATH}/scala3
+blacklist ${PATH}/scala3-compiler
+blacklist ${PATH}/scala3-repl
+blacklist ${PATH}/scalac
+
#OpenSSL
blacklist ${PATH}/openssl
blacklist ${PATH}/openssl-1.0
@@ -60,9 +67,7 @@
blacklist ${PATH}/valgrind*
blacklist /usr/lib/valgrind
-
# Source-Code
-
blacklist /usr/src
blacklist /usr/local/src
blacklist /usr/include
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-exec.inc
^
|
@@ -6,6 +6,7 @@
noexec ${RUNUSER}
noexec /dev/mqueue
noexec /dev/shm
+noexec /run/shm
noexec /tmp
# /var is noexec by default for unprivileged users
# except there is a writable-var option, so just in case:
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-interpreters.inc
^
|
@@ -40,6 +40,15 @@
blacklist /usr/lib64/perl*
blacklist /usr/share/perl*
+# rxvt needs Perl modules, thus does not work. In particular, blacklisting
+# it is needed so that Firefox can run applications with Terminal=true in
+# their .desktop file (depending on what is installed). The reason is that
+# this is done via glib, which currently uses a hardcoded list of terminal
+# emulators:
+# https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# And in this list, rxvt comes before xterm.
+blacklist ${PATH}/rxvt
+
# PHP
blacklist ${PATH}/php*
blacklist /usr/lib/php*
@@ -48,6 +57,7 @@
# Ruby
blacklist ${PATH}/ruby
blacklist /usr/lib/ruby
+blacklist /usr/lib64/ruby
# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
# Python 2
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-proc.inc
^
|
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz # keep this here even though it's also in disable-common.inc
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-programs.inc
^
|
@@ -2,18 +2,6 @@
# Persistent customizations should go in a .local file.
include disable-programs.local
-blacklist ${HOME}/Arduino
-blacklist ${HOME}/i2p
-blacklist ${HOME}/Monero/wallets
-blacklist ${HOME}/Nextcloud
-blacklist ${HOME}/Nextcloud/Notes
-blacklist ${HOME}/SoftMaker
-blacklist ${HOME}/Standard Notes Backups
-blacklist ${HOME}/TeamSpeak3-Client-linux_x86
-blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
-blacklist ${HOME}/hyperrogue.ini
-blacklist ${HOME}/mps
-blacklist ${HOME}/wallet.dat
blacklist ${HOME}/.*coin
blacklist ${HOME}/.8pecxstudios
blacklist ${HOME}/.AndroidStudio*
@@ -38,10 +26,11 @@
blacklist ${HOME}/.WebStorm*
blacklist ${HOME}/.Wolfram Research
blacklist ${HOME}/.ZAP
+blacklist ${HOME}/.aMule
blacklist ${HOME}/.abook
blacklist ${HOME}/.addressbook
blacklist ${HOME}/.alpine-smime
-blacklist ${HOME}/.aMule
+blacklist ${HOME}/.ammonite
blacklist ${HOME}/.android
blacklist ${HOME}/.anydesk
blacklist ${HOME}/.arduino15
@@ -53,6 +42,7 @@
blacklist ${HOME}/.atom
blacklist ${HOME}/.attic
blacklist ${HOME}/.audacity-data
+blacklist ${HOME}/.avidemux3
blacklist ${HOME}/.avidemux6
blacklist ${HOME}/.ballbuster.hs
blacklist ${HOME}/.balsa
@@ -61,12 +51,200 @@
blacklist ${HOME}/.bitcoin
blacklist ${HOME}/.blobby
blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bundle
blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/*
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
+blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
+blacklist ${HOME}/.cache/Enox
+blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
+blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/GoldenDict
+blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/JetBrains/CLion*
+blacklist ${HOME}/.cache/JetBrains/PyCharm*
+blacklist ${HOME}/.cache/KDE/neochat
+blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
+blacklist ${HOME}/.cache/Psi
+blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
+blacklist ${HOME}/.cache/Shortwave
+blacklist ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
+blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
+blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/audacity
+blacklist ${HOME}/.cache/babl
+blacklist ${HOME}/.cache/bnox
+blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/cachy
+blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
+blacklist ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
+blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dnox
+blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
+blacklist ${HOME}/.cache/ephemeral
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/falkon
+blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/firedragon
+blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/folks
+blacklist ${HOME}/.cache/font-manager
+blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
+blacklist ${HOME}/.cache/freecol
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/gdfuse
+blacklist ${HOME}/.cache/geary
+blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gegl-0.4
+blacklist ${HOME}/.cache/gfeeds
+blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
+blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/godot
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/inkscape
+blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
+blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kcmshell5
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
+blacklist ${HOME}/.cache/kfind
+blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
+blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
+blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/lbry-viewer
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
+blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
+blacklist ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge
+blacklist ${HOME}/.cache/microsoft-edge-beta
+blacklist ${HOME}/.cache/microsoft-edge-dev
+blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
+blacklist ${HOME}/.cache/moonchild productions/basilisk
+blacklist ${HOME}/.cache/moonchild productions/pale moon
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/ms-excel-online
+blacklist ${HOME}/.cache/ms-office-online
+blacklist ${HOME}/.cache/ms-onenote-online
+blacklist ${HOME}/.cache/ms-outlook-online
+blacklist ${HOME}/.cache/ms-powerpoint-online
+blacklist ${HOME}/.cache/ms-skype-online
+blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/mypaint
+blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/nvim
+blacklist ${HOME}/.cache/ocenaudio
+blacklist ${HOME}/.cache/okular
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/opera-developer
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
+blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/org.gnome.Maps
+blacklist ${HOME}/.cache/pdfmod
+blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
+blacklist ${HOME}/.cache/plasmashell
+blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
+blacklist ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/quodlibet
+blacklist ${HOME}/.cache/qupzilla
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rclone
+blacklist ${HOME}/.cache/rednotebook
+blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/rpcs3
+blacklist ${HOME}/.cache/shotwell
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
+blacklist ${HOME}/.cache/snox
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/straw-viewer
+blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/supertuxkart
+blacklist ${HOME}/.cache/systemsettings
+blacklist ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
+blacklist ${HOME}/.cache/warsow-2.1
+blacklist ${HOME}/.cache/waterfox
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/wine
+blacklist ${HOME}/.cache/winetricks
+blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/yt-dlp
+blacklist ${HOME}/.cache/zim
+blacklist ${HOME}/.cachy
+blacklist ${HOME}/.cargo
blacklist ${HOME}/.claws-mail
+blacklist ${HOME}/.clion*
blacklist ${HOME}/.cliqz
blacklist ${HOME}/.clonk
blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/1Password
blacklist ${HOME}/.config/2048-qt
blacklist ${HOME}/.config/Atom
blacklist ${HOME}/.config/Audaciousrc
@@ -77,17 +255,20 @@
blacklist ${HOME}/.config/Brackets
blacklist ${HOME}/.config/BraveSoftware
blacklist ${HOME}/.config/Clementine
+blacklist ${HOME}/.config/ClipGrab
blacklist ${HOME}/.config/Code
blacklist ${HOME}/.config/Code - OSS
blacklist ${HOME}/.config/Code Industry
blacklist ${HOME}/.config/Cryptocat
blacklist ${HOME}/.config/Debauchee/Barrier.conf
blacklist ${HOME}/.config/Dharkael
+blacklist ${HOME}/.config/ENCOM
+blacklist ${HOME}/.config/Electron
blacklist ${HOME}/.config/Element
blacklist ${HOME}/.config/Element (Riot)
-blacklist ${HOME}/.config/ENCOM
blacklist ${HOME}/.config/Enox
blacklist ${HOME}/.config/Epic
+blacklist ${HOME}/.config/Exodus
blacklist ${HOME}/.config/Ferdi
blacklist ${HOME}/.config/Flavio Tordini
blacklist ${HOME}/.config/Franz
@@ -102,17 +283,24 @@
blacklist ${HOME}/.config/Gpredict
blacklist ${HOME}/.config/INRIA
blacklist ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/JetBrains/CLion*
+blacklist ${HOME}/.config/JetBrains/PyCharm*
blacklist ${HOME}/.config/Jitsi Meet
blacklist ${HOME}/.config/KDE/neochat
+blacklist ${HOME}/.config/KeePass
+blacklist ${HOME}/.config/KeePassXCrc
blacklist ${HOME}/.config/Kid3
blacklist ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/Ledger Live
blacklist ${HOME}/.config/LibreCAD
blacklist ${HOME}/.config/Loop_Hero
blacklist ${HOME}/.config/Luminance
blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/MangoHud
blacklist ${HOME}/.config/Mattermost
blacklist ${HOME}/.config/Meltytech
blacklist ${HOME}/.config/Mendeley Ltd.
+blacklist ${HOME}/.config/Microsoft
blacklist ${HOME}/.config/Min
blacklist ${HOME}/.config/ModTheSpire
blacklist ${HOME}/.config/Mousepad
@@ -122,13 +310,17 @@
blacklist ${HOME}/.config/MusicBrainz
blacklist ${HOME}/.config/Nathan Osman
blacklist ${HOME}/.config/Nextcloud
+blacklist ${HOME}/.config/NitroShare
+blacklist ${HOME}/.config/Notable
blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PBE
blacklist ${HOME}/.config/PacmanLogViewer
blacklist ${HOME}/.config/PawelStolowski
-blacklist ${HOME}/.config/PBE
blacklist ${HOME}/.config/Philipp Schmieder
+blacklist ${HOME}/.config/Pinta
blacklist ${HOME}/.config/QGIS
blacklist ${HOME}/.config/QMediathekView
+blacklist ${HOME}/.config/QQ
blacklist ${HOME}/.config/Qlipper
blacklist ${HOME}/.config/QuiteRss
blacklist ${HOME}/.config/QuiteRssrc
@@ -138,6 +330,7 @@
blacklist ${HOME}/.config/Rocket.Chat
blacklist ${HOME}/.config/RogueLegacy
blacklist ${HOME}/.config/RogueLegacyStorageContainer
+blacklist ${HOME}/.config/Seafile
blacklist ${HOME}/.config/Signal
blacklist ${HOME}/.config/Sinew Software Systems
blacklist ${HOME}/.config/Slack
@@ -146,11 +339,14 @@
blacklist ${HOME}/.config/Thunar
blacklist ${HOME}/.config/Twitch
blacklist ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/VSCodium
blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.config/Whalebird
blacklist ${HOME}/.config/Wire
blacklist ${HOME}/.config/Youtube
-blacklist ${HOME}/.config/Zeal
blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/Zeal
+blacklist ${HOME}/.config/Zulip
blacklist ${HOME}/.config/aacs
blacklist ${HOME}/.config/abiword
blacklist ${HOME}/.config/agenda
@@ -166,6 +362,7 @@
blacklist ${HOME}/.config/asunder
blacklist ${HOME}/.config/atril
blacklist ${HOME}/.config/audacious
+blacklist ${HOME}/.config/audacity
blacklist ${HOME}/.config/autokey
blacklist ${HOME}/.config/avidemux3_qt5rc
blacklist ${HOME}/.config/aweather
@@ -199,10 +396,12 @@
blacklist ${HOME}/.config/clipit
blacklist ${HOME}/.config/cliqz
blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/cointop
blacklist ${HOME}/.config/com.github.bleakgrey.tootle
blacklist ${HOME}/.config/corebird
blacklist ${HOME}/.config/cower
blacklist ${HOME}/.config/coyim
+blacklist ${HOME}/.config/d-feet
blacklist ${HOME}/.config/darktable
blacklist ${HOME}/.config/deadbeef
blacklist ${HOME}/.config/deluge
@@ -217,7 +416,7 @@
blacklist ${HOME}/.config/dolphinrc
blacklist ${HOME}/.config/dragonplayerrc
blacklist ${HOME}/.config/draw.io
-blacklist ${HOME}/.config/d-feet
+blacklist ${HOME}/.config/electron*-flag*.conf
blacklist ${HOME}/.config/electron-mail
blacklist ${HOME}/.config/emaildefaults
blacklist ${HOME}/.config/emailidentities
@@ -237,7 +436,9 @@
blacklist ${HOME}/.config/freecol
blacklist ${HOME}/.config/gajim
blacklist ${HOME}/.config/galculator
+blacklist ${HOME}/.config/gallery-dl
blacklist ${HOME}/.config/gconf
+blacklist ${HOME}/.config/gdfuse
blacklist ${HOME}/.config/geany
blacklist ${HOME}/.config/geary
blacklist ${HOME}/.config/gedit
@@ -277,6 +478,7 @@
blacklist ${HOME}/.config/itch
blacklist ${HOME}/.config/jami
blacklist ${HOME}/.config/jd-gui.cfg
+blacklist ${HOME}/.config/jgit
blacklist ${HOME}/.config/k3brc
blacklist ${HOME}/.config/kaffeinerc
blacklist ${HOME}/.config/kalgebrarc
@@ -291,6 +493,9 @@
blacklist ${HOME}/.config/kdenliverc
blacklist ${HOME}/.config/kdiff3fileitemactionrc
blacklist ${HOME}/.config/kdiff3rc
+blacklist ${HOME}/.config/keepass
+blacklist ${HOME}/.config/keepassx
+blacklist ${HOME}/.config/keepassxc
blacklist ${HOME}/.config/kfindrc
blacklist ${HOME}/.config/kgetrc
blacklist ${HOME}/.config/kid3rc
@@ -300,13 +505,14 @@
blacklist ${HOME}/.config/kmailsearchindexingrc
blacklist ${HOME}/.config/kmplayerrc
blacklist ${HOME}/.config/knotesrc
-blacklist ${HOME}/.config/konversationrc
blacklist ${HOME}/.config/konversation.notifyrc
+blacklist ${HOME}/.config/konversationrc
blacklist ${HOME}/.config/kritarc
blacklist ${HOME}/.config/ktorrentrc
blacklist ${HOME}/.config/ktouch2rc
blacklist ${HOME}/.config/kube
blacklist ${HOME}/.config/kwriterc
+blacklist ${HOME}/.config/lbry-viewer
blacklist ${HOME}/.config/leafpad
blacklist ${HOME}/.config/libreoffice
blacklist ${HOME}/.config/liferea
@@ -322,13 +528,15 @@
blacklist ${HOME}/.config/matrix-mirage
blacklist ${HOME}/.config/mcomix
blacklist ${HOME}/.config/meld
-blacklist ${HOME}/.config/meteo-qt
blacklist ${HOME}/.config/menulibre.cfg
+blacklist ${HOME}/.config/meteo-qt
blacklist ${HOME}/.config/mfusion
-blacklist ${HOME}/.config/Microsoft
+blacklist ${HOME}/.config/microsoft-edge
+blacklist ${HOME}/.config/microsoft-edge-beta
blacklist ${HOME}/.config/microsoft-edge-dev
blacklist ${HOME}/.config/midori
blacklist ${HOME}/.config/mirage
+blacklist ${HOME}/.config/monero-project
blacklist ${HOME}/.config/mono
blacklist ${HOME}/.config/mpDris2
blacklist ${HOME}/.config/mpd
@@ -341,17 +549,17 @@
blacklist ${HOME}/.config/nano
blacklist ${HOME}/.config/nautilus
blacklist ${HOME}/.config/nemo
-blacklist ${HOME}/.config/neochatrc
blacklist ${HOME}/.config/neochat.notifyrc
+blacklist ${HOME}/.config/neochatrc
blacklist ${HOME}/.config/neomutt
blacklist ${HOME}/.config/netsurf
blacklist ${HOME}/.config/newsbeuter
blacklist ${HOME}/.config/newsboat
blacklist ${HOME}/.config/newsflash
blacklist ${HOME}/.config/nheko
-blacklist ${HOME}/.config/NitroShare
blacklist ${HOME}/.config/nomacs
blacklist ${HOME}/.config/nuclear
+blacklist ${HOME}/.config/nvim
blacklist ${HOME}/.config/obs-studio
blacklist ${HOME}/.config/okularpartrc
blacklist ${HOME}/.config/okularrc
@@ -361,6 +569,7 @@
blacklist ${HOME}/.config/openmw
blacklist ${HOME}/.config/opera
blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.config/opera-developer
blacklist ${HOME}/.config/orage
blacklist ${HOME}/.config/org.gabmus.gfeeds.json
blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
@@ -370,7 +579,6 @@
blacklist ${HOME}/.config/pavucontrol.ini
blacklist ${HOME}/.config/pcmanfm
blacklist ${HOME}/.config/pdfmod
-blacklist ${HOME}/.config/Pinta
blacklist ${HOME}/.config/pipe-viewer
blacklist ${HOME}/.config/pitivi
blacklist ${HOME}/.config/pix
@@ -388,10 +596,12 @@
blacklist ${HOME}/.config/qupzilla
blacklist ${HOME}/.config/qutebrowser
blacklist ${HOME}/.config/ranger
+blacklist ${HOME}/.config/rclone
blacklist ${HOME}/.config/redshift
blacklist ${HOME}/.config/redshift.conf
blacklist ${HOME}/.config/remmina
blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rpcs3
blacklist ${HOME}/.config/rtv
blacklist ${HOME}/.config/scribus
blacklist ${HOME}/.config/scribusrc
@@ -407,10 +617,11 @@
blacklist ${HOME}/.config/specialmailcollectionsrc
blacklist ${HOME}/.config/spectaclerc
blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/spotify-adblock
blacklist ${HOME}/.config/sqlitebrowser
blacklist ${HOME}/.config/stellarium
-blacklist ${HOME}/.config/strawberry
blacklist ${HOME}/.config/straw-viewer
+blacklist ${HOME}/.config/strawberry
blacklist ${HOME}/.config/supertuxkart
blacklist ${HOME}/.config/synfig
blacklist ${HOME}/.config/teams
@@ -422,6 +633,7 @@
blacklist ${HOME}/.config/transgui
blacklist ${HOME}/.config/transmission
blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuir
blacklist ${HOME}/.config/tuta_integration
blacklist ${HOME}/.config/tutanota-desktop
blacklist ${HOME}/.config/tvbrowser
@@ -433,19 +645,20 @@
blacklist ${HOME}/.config/vivaldi-snapshot
blacklist ${HOME}/.config/vlc
blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/wormux
-blacklist ${HOME}/.config/Whalebird
+blacklist ${HOME}/.config/wget
blacklist ${HOME}/.config/wireshark
+blacklist ${HOME}/.config/wormux
blacklist ${HOME}/.config/xchat
blacklist ${HOME}/.config/xed
blacklist ${HOME}/.config/xfburn
+blacklist ${HOME}/.config/xfce4-dict
blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-blacklist ${HOME}/.config/xfce4-dict
blacklist ${HOME}/.config/xiaoyong
blacklist ${HOME}/.config/xmms2
+blacklist ${HOME}/.config/xournalpp
blacklist ${HOME}/.config/xplayer
blacklist ${HOME}/.config/xreader
blacklist ${HOME}/.config/xviewer
@@ -454,12 +667,14 @@
blacklist ${HOME}/.config/yelp
blacklist ${HOME}/.config/youtube-dl
blacklist ${HOME}/.config/youtube-dlg
-blacklist ${HOME}/.config/youtubemusic-nativefier-040164
blacklist ${HOME}/.config/youtube-music-desktop-app
blacklist ${HOME}/.config/youtube-viewer
+blacklist ${HOME}/.config/youtubemusic-nativefier-040164
+blacklist ${HOME}/.config/yt-dlp
+blacklist ${HOME}/.config/yt-dlp.conf
blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/zim
blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.config/Zulip
blacklist ${HOME}/.conkeror.mozdev.org
blacklist ${HOME}/.crawl
blacklist ${HOME}/.cups
@@ -487,31 +702,38 @@
blacklist ${HOME}/.flowblade
blacklist ${HOME}/.fltk
blacklist ${HOME}/.fossamail
+blacklist ${HOME}/.fpm
blacklist ${HOME}/.freeciv
blacklist ${HOME}/.freecol
blacklist ${HOME}/.freemind
blacklist ${HOME}/.frogatto
blacklist ${HOME}/.frozen-bubble
blacklist ${HOME}/.funnyboat
+blacklist ${HOME}/.g8
+blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.gdfuse
+blacklist ${HOME}/.geekbench5
blacklist ${HOME}/.gimp*
blacklist ${HOME}/.gist
blacklist ${HOME}/.gitconfig
blacklist ${HOME}/.gl-117
blacklist ${HOME}/.glaxiumrc
blacklist ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.goldendict
blacklist ${HOME}/.googleearth
blacklist ${HOME}/.gradle
blacklist ${HOME}/.gramps
blacklist ${HOME}/.guayadeque
blacklist ${HOME}/.hashcat
-blacklist ${HOME}/.hex-a-hop
blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.hex-a-hop
blacklist ${HOME}/.hugin
blacklist ${HOME}/.i2p
blacklist ${HOME}/.icedove
blacklist ${HOME}/.imagej
blacklist ${HOME}/.inkscape
blacklist ${HOME}/.itch
+blacklist ${HOME}/.ivy2
blacklist ${HOME}/.jack-server
blacklist ${HOME}/.jack-settings
blacklist ${HOME}/.jak
@@ -581,6 +803,9 @@
blacklist ${HOME}/.kde4/share/config/ktorrentrc
blacklist ${HOME}/.kde4/share/config/okularpartrc
blacklist ${HOME}/.kde4/share/config/okularrc
+blacklist ${HOME}/.keepass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.keepassxc
blacklist ${HOME}/.killingfloor
blacklist ${HOME}/.kingsoft
blacklist ${HOME}/.kino-history
@@ -588,6 +813,7 @@
blacklist ${HOME}/.klatexformula
blacklist ${HOME}/.klei
blacklist ${HOME}/.kodi
+blacklist ${HOME}/.lastpass
blacklist ${HOME}/.librewolf
blacklist ${HOME}/.lincity-ng
blacklist ${HOME}/.links
@@ -599,18 +825,24 @@
blacklist ${HOME}/.local/share/0ad
blacklist ${HOME}/.local/share/3909/PapersPlease
blacklist ${HOME}/.local/share/Anki2
+blacklist ${HOME}/.local/share/Colossal Order
blacklist ${HOME}/.local/share/Dredmor
blacklist ${HOME}/.local/share/Empathy
blacklist ${HOME}/.local/share/Enpass
+blacklist ${HOME}/.local/share/FasterThanLight
blacklist ${HOME}/.local/share/Flavio Tordini
+blacklist ${HOME}/.local/share/HotlineMiami
+blacklist ${HOME}/.local/share/IntoTheBreach
blacklist ${HOME}/.local/share/JetBrains
blacklist ${HOME}/.local/share/KDE/neochat
+blacklist ${HOME}/.local/share/KeePass
blacklist ${HOME}/.local/share/Kingsoft
blacklist ${HOME}/.local/share/LibreCAD
blacklist ${HOME}/.local/share/Mendeley Ltd.
blacklist ${HOME}/.local/share/Mumble
blacklist ${HOME}/.local/share/Nextcloud
blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Paradox Interactive
blacklist ${HOME}/.local/share/PawelStolowski
blacklist ${HOME}/.local/share/PillarsOfEternity
blacklist ${HOME}/.local/share/Psi
@@ -621,21 +853,23 @@
blacklist ${HOME}/.local/share/RogueLegacy
blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
blacklist ${HOME}/.local/share/Shortwave
+blacklist ${HOME}/.local/share/SongRec
blacklist ${HOME}/.local/share/Steam
-blacklist ${HOME}/.local/share/SteamWorldDig
blacklist ${HOME}/.local/share/SteamWorld Dig 2
+blacklist ${HOME}/.local/share/SteamWorldDig
blacklist ${HOME}/.local/share/SuperHexagon
blacklist ${HOME}/.local/share/TelegramDesktop
blacklist ${HOME}/.local/share/Terraria
blacklist ${HOME}/.local/share/TpLogger
blacklist ${HOME}/.local/share/Zeal
+blacklist ${HOME}/.local/share/agenda
blacklist ${HOME}/.local/share/akonadi*
blacklist ${HOME}/.local/share/akregator
-blacklist ${HOME}/.local/share/agenda
blacklist ${HOME}/.local/share/apps/korganizer
blacklist ${HOME}/.local/share/aspyr-media
-blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/audacity
blacklist ${HOME}/.local/share/authenticator-rs
+blacklist ${HOME}/.local/share/autokey
blacklist ${HOME}/.local/share/backintime
blacklist ${HOME}/.local/share/baloo
blacklist ${HOME}/.local/share/barrier
@@ -646,6 +880,7 @@
blacklist ${HOME}/.local/share/calligragemini
blacklist ${HOME}/.local/share/cantata
blacklist ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/chatterino
blacklist ${HOME}/.local/share/clipit
blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
blacklist ${HOME}/.local/share/contacts
@@ -662,12 +897,12 @@
blacklist ${HOME}/.local/share/emailidentities
blacklist ${HOME}/.local/share/epiphany
blacklist ${HOME}/.local/share/evolution
-blacklist ${HOME}/.local/share/FasterThanLight
blacklist ${HOME}/.local/share/feedreader
blacklist ${HOME}/.local/share/feral-interactive
blacklist ${HOME}/.local/share/five-or-more
blacklist ${HOME}/.local/share/freecol
blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.local/share/gdfuse
blacklist ${HOME}/.local/share/geary
blacklist ${HOME}/.local/share/geeqie
blacklist ${HOME}/.local/share/ghostwriter
@@ -692,12 +927,13 @@
blacklist ${HOME}/.local/share/gradio
blacklist ${HOME}/.local/share/gwenview
blacklist ${HOME}/.local/share/i2p
-blacklist ${HOME}/.local/share/IntoTheBreach
+blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
blacklist ${HOME}/.local/share/jami
blacklist ${HOME}/.local/share/kaffeine
blacklist ${HOME}/.local/share/kalgebra
blacklist ${HOME}/.local/share/kate
blacklist ${HOME}/.local/share/kdenlive
+blacklist ${HOME}/.local/share/keepass
blacklist ${HOME}/.local/share/kget
blacklist ${HOME}/.local/share/kiwix
blacklist ${HOME}/.local/share/kiwix-desktop
@@ -748,14 +984,14 @@
blacklist ${HOME}/.local/share/openmw
blacklist ${HOME}/.local/share/orage
blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/Paradox Interactive
blacklist ${HOME}/.local/share/pix
blacklist ${HOME}/.local/share/plasma_notes
blacklist ${HOME}/.local/share/profanity
blacklist ${HOME}/.local/share/psi
blacklist ${HOME}/.local/share/psi+
-blacklist ${HOME}/.local/share/quadrapassel
+blacklist ${HOME}/.local/share/qBittorrent
blacklist ${HOME}/.local/share/qpdfview
+blacklist ${HOME}/.local/share/quadrapassel
blacklist ${HOME}/.local/share/qutebrowser
blacklist ${HOME}/.local/share/remmina
blacklist ${HOME}/.local/share/rhythmbox
@@ -775,16 +1011,21 @@
blacklist ${HOME}/.local/share/terasology
blacklist ${HOME}/.local/share/torbrowser
blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/tuir
blacklist ${HOME}/.local/share/uzbl
blacklist ${HOME}/.local/share/vlc
blacklist ${HOME}/.local/share/vpltd
blacklist ${HOME}/.local/share/vulkan
blacklist ${HOME}/.local/share/warsow-2.1
+blacklist ${HOME}/.local/share/warzone2100-3.*
blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/wget
blacklist ${HOME}/.local/share/wormux
blacklist ${HOME}/.local/share/xplayer
blacklist ${HOME}/.local/share/xreader
blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/audacity
+blacklist ${HOME}/.local/state/pipewire
blacklist ${HOME}/.lv2
blacklist ${HOME}/.lyx
blacklist ${HOME}/.magicor
@@ -815,6 +1056,7 @@
blacklist ${HOME}/.newsrc
blacklist ${HOME}/.nicotine
blacklist ${HOME}/.node-gyp
+blacklist ${HOME}/.notable
blacklist ${HOME}/.npm
blacklist ${HOME}/.npmrc
blacklist ${HOME}/.nv
@@ -828,8 +1070,10 @@
blacklist ${HOME}/.openttd
blacklist ${HOME}/.opera
blacklist ${HOME}/.opera-beta
+blacklist ${HOME}/.opera-developer
blacklist ${HOME}/.ostrichriders
blacklist ${HOME}/.paradoxinteractive
+blacklist ${HOME}/.paradoxlauncher
blacklist ${HOME}/.parallelrealities/blobwars
blacklist ${HOME}/.pcsxr
blacklist ${HOME}/.penguin-command
@@ -843,6 +1087,7 @@
blacklist ${HOME}/.pinercex
blacklist ${HOME}/.pingus
blacklist ${HOME}/.pioneer
+blacklist ${HOME}/.prey
blacklist ${HOME}/.purple
blacklist ${HOME}/.pylint.d
blacklist ${HOME}/.qemu-launcher
@@ -850,11 +1095,13 @@
blacklist ${HOME}/.qmmp
blacklist ${HOME}/.quodlibet
blacklist ${HOME}/.redeclipse
+blacklist ${HOME}/.rednotebook
blacklist ${HOME}/.remmina
blacklist ${HOME}/.repo_.gitconfig.json
blacklist ${HOME}/.repoconfig
blacklist ${HOME}/.retroshare
blacklist ${HOME}/.ripperXrc
+blacklist ${HOME}/.sbt
blacklist ${HOME}/.scorched3d
blacklist ${HOME}/.scribus
blacklist ${HOME}/.scribusrc
@@ -920,176 +1167,31 @@
blacklist ${HOME}/.yarncache
blacklist ${HOME}/.yarnrc
blacklist ${HOME}/.zoom
-blacklist /tmp/akonadi-*
+blacklist ${HOME}/Applications # used for storing AppImages
+blacklist ${HOME}/Arduino
+blacklist ${HOME}/Monero/wallets
+blacklist ${HOME}/Nextcloud
+blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/Seafile/.seafile-data
+blacklist ${HOME}/SoftMaker
+blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/hyperrogue.ini
+blacklist ${HOME}/i2p
+blacklist ${HOME}/mps
+blacklist ${HOME}/openstego.ini
+blacklist ${HOME}/wallet.dat
+blacklist ${HOME}/yt-dlp.conf
+blacklist ${HOME}/yt-dlp.conf.txt
+blacklist ${RUNUSER}/*firefox*
+blacklist ${RUNUSER}/akonadi
+blacklist ${RUNUSER}/psd/*firefox*
+blacklist /etc/ssmtp
blacklist /tmp/.wine-*
+blacklist /tmp/akonadi-*
blacklist /var/games/nethack
blacklist /var/games/slashem
blacklist /var/games/vulturesclaw
blacklist /var/games/vultureseye
blacklist /var/lib/games/Maelstrom-Scores
-
-# ${HOME}/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Authenticator
-blacklist ${HOME}/.cache/BraveSoftware
-blacklist ${HOME}/.cache/Clementine
-blacklist ${HOME}/.cache/ENCOM/Spectral
-blacklist ${HOME}/.cache/Enox
-blacklist ${HOME}/.cache/Enpass
-blacklist ${HOME}/.cache/Ferdi
-blacklist ${HOME}/.cache/Flavio Tordini
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/MusicBrainz
-blacklist ${HOME}/.cache/NewsFlashGTK
-blacklist ${HOME}/.cache/Otter
-blacklist ${HOME}/.cache/PawelStolowski
-blacklist ${HOME}/.cache/Psi
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/quodlibet
-blacklist ${HOME}/.cache/Quotient/quaternion
-blacklist ${HOME}/.cache/Shortwave
-blacklist ${HOME}/.cache/Tox
-blacklist ${HOME}/.cache/Zeal
-blacklist ${HOME}/.cache/agenda
-blacklist ${HOME}/.cache/akonadi*
-blacklist ${HOME}/.cache/atril
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/babl
-blacklist ${HOME}/.cache/bnox
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/cantata
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/deja-dup
-blacklist ${HOME}/.cache/discover
-blacklist ${HOME}/.cache/dnox
-blacklist ${HOME}/.cache/dolphin
-blacklist ${HOME}/.cache/dolphin-emu
-blacklist ${HOME}/.cache/ephemeral
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/falkon
-blacklist ${HOME}/.cache/feedreader
-blacklist ${HOME}/.cache/firedragon
-blacklist ${HOME}/.cache/flaska.net/trojita
-blacklist ${HOME}/.cache/folks
-blacklist ${HOME}/.cache/font-manager
-blacklist ${HOME}/.cache/fossamail
-blacklist ${HOME}/.cache/fractal
-blacklist ${HOME}/.cache/freecol
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geary
-blacklist ${HOME}/.cache/gegl-0.4
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/gfeeds
-blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-control-center
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-screenshot
-blacklist ${HOME}/.cache/gnome-software
-blacklist ${HOME}/.cache/gnome-twitch
-blacklist ${HOME}/.cache/godot
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gradio
-blacklist ${HOME}/.cache/gummi
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/inkscape
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/iridium
-blacklist ${HOME}/.cache/kcmshell5
-blacklist ${HOME}/.cache/KDE/neochat
-blacklist ${HOME}/.cache/kdenlive
-blacklist ${HOME}/.cache/keepassxc
-blacklist ${HOME}/.cache/kfind
-blacklist ${HOME}/.cache/kinfocenter
-blacklist ${HOME}/.cache/kmail2
-blacklist ${HOME}/.cache/krunner
-blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/kscreenlocker_greet
-blacklist ${HOME}/.cache/ksmserver-logout-greeter
-blacklist ${HOME}/.cache/ksplashqml
-blacklist ${HOME}/.cache/kube
-blacklist ${HOME}/.cache/kwin
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/librewolf
-blacklist ${HOME}/.cache/liferea
-blacklist ${HOME}/.cache/lutris
-blacklist ${HOME}/.cache/Mendeley Ltd.
-blacklist ${HOME}/.cache/marker
-blacklist ${HOME}/.cache/matrix-mirage
-blacklist ${HOME}/.cache/microsoft-edge-dev
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/minetest
-blacklist ${HOME}/.cache/mirage
-blacklist ${HOME}/.cache/moonchild productions/basilisk
-blacklist ${HOME}/.cache/moonchild productions/pale moon
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/ms-excel-online
-blacklist ${HOME}/.cache/ms-office-online
-blacklist ${HOME}/.cache/ms-onenote-online
-blacklist ${HOME}/.cache/ms-outlook-online
-blacklist ${HOME}/.cache/ms-powerpoint-online
-blacklist ${HOME}/.cache/ms-skype-online
-blacklist ${HOME}/.cache/ms-word-online
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/okular
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gabmus.gfeeds
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/org.gnome.Maps
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/pip
-blacklist ${HOME}/.cache/pipe-viewer
-blacklist ${HOME}/.cache/plasmashell
-blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/psi
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/rhythmbox
-blacklist ${HOME}/.cache/shotwell
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/smuxi
-blacklist ${HOME}/.cache/snox
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/strawberry
-blacklist ${HOME}/.cache/straw-viewer
-blacklist ${HOME}/.cache/supertuxkart
-blacklist ${HOME}/.cache/systemsettings
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/ungoogled-chromium
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/vivaldi-snapshot
-blacklist ${HOME}/.cache/vlc
-blacklist ${HOME}/.cache/vmware
-blacklist ${HOME}/.cache/warsow-2.1
-blacklist ${HOME}/.cache/waterfox
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/winetricks
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist ${HOME}/.cache/youtube-dl
-blacklist ${HOME}/.cache/youtube-viewer
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-shell.inc
^
|
@@ -13,3 +13,35 @@
blacklist ${PATH}/tclsh
blacklist ${PATH}/tcsh
blacklist ${PATH}/zsh
+
+# Note: This list should be kept in sync with the one in ../ids.config.
+### shells global ###
+# all
+blacklist /etc/dircolors
+blacklist /etc/environment
+blacklist /etc/profile
+blacklist /etc/profile.d
+blacklist /etc/shells
+blacklist /etc/skel
+# bash
+blacklist /etc/bash
+blacklist /etc/bash.bashrc
+blacklist /etc/bash_completion*
+blacklist /etc/bashrc
+# fish
+blacklist /etc/fish
+# ksh
+blacklist /etc/ksh.kshrc
+blacklist /etc/suid_profile
+# tcsh
+blacklist /etc/complete.tcsh
+blacklist /etc/csh.cshrc
+blacklist /etc/csh.login
+blacklist /etc/csh.logout
+# zsh
+blacklist /etc/zlogin
+blacklist /etc/zlogout
+blacklist /etc/zprofile
+blacklist /etc/zsh
+blacklist /etc/zshenv
+blacklist /etc/zshrc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-1793-workaround.inc
^
|
@@ -23,6 +23,7 @@
noblacklist ${HOME}/.config/kioslaverc
noblacklist ${HOME}/.config/ksslcablacklist
noblacklist ${HOME}/.config/qt5ct
+noblacklist ${HOME}/.config/qt6ct
noblacklist ${HOME}/.config/qtcurve
blacklist ${HOME}/.config/*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-common.inc
^
|
@@ -23,6 +23,7 @@
whitelist ${HOME}/.local/share/icons
whitelist ${HOME}/.local/share/mime
whitelist ${HOME}/.mime.types
+whitelist ${HOME}/.sndio/cookie
whitelist ${HOME}/.uim.d
# dconf
@@ -68,6 +69,7 @@
whitelist ${HOME}/.config/kioslaverc
whitelist ${HOME}/.config/ksslcablacklist
whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qt6ct
whitelist ${HOME}/.config/qtcurve
whitelist ${HOME}/.kde/share/config/kdeglobals
whitelist ${HOME}/.kde/share/config/kio_httprc
@@ -82,3 +84,8 @@
whitelist ${HOME}/.kde4/share/config/oxygenrc
whitelist ${HOME}/.kde4/share/icons
whitelist ${HOME}/.local/share/qt5ct
+whitelist ${HOME}/.local/share/qt6ct
+
+# NixOS specific to resolve binary paths in
+# user environment
+whitelist ${HOME}/.nix-profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-run-common.inc
^
|
@@ -0,0 +1,18 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-run-common.local
+
+whitelist /run/NetworkManager/resolv.conf
+whitelist /run/avahi-daemon/socket
+whitelist /run/cups/cups.sock
+whitelist /run/dbus/system_bus_socket
+whitelist /run/media
+whitelist /run/resolvconf/resolv.conf
+whitelist /run/netconfig/resolv.conf # openSUSE Leap
+whitelist /run/shm
+whitelist /run/systemd/journal/dev-log
+whitelist /run/systemd/journal/socket
+whitelist /run/systemd/resolve/resolv.conf
+whitelist /run/systemd/resolve/stub-resolv.conf
+whitelist /run/udev/data
+whitelist /run/opengl-driver # NixOS
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-runuser-common.inc
^
|
@@ -10,7 +10,7 @@
whitelist ${RUNUSER}/ICEauthority
whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/pipewire-?
+whitelist ${RUNUSER}/wayland-?
whitelist ${RUNUSER}/xauth_*
whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-usr-share-common.inc
^
|
@@ -12,6 +12,7 @@
whitelist /usr/share/dconf
whitelist /usr/share/distro-info
whitelist /usr/share/drirc.d
+whitelist /usr/share/egl
whitelist /usr/share/enchant
whitelist /usr/share/enchant-2
whitelist /usr/share/file
@@ -45,6 +46,7 @@
whitelist /usr/share/p11-kit
whitelist /usr/share/perl
whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
whitelist /usr/share/pixmaps
whitelist /usr/share/pki
whitelist /usr/share/plasma
@@ -53,6 +55,8 @@
whitelist /usr/share/qt4
whitelist /usr/share/qt5
whitelist /usr/share/qt5ct
+whitelist /usr/share/qt6
+whitelist /usr/share/qt6ct
whitelist /usr/share/sounds
whitelist /usr/share/tcl8.6
whitelist /usr/share/tcltk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/net/nolocal.net
^
|
@@ -20,8 +20,8 @@
# allow ping etc.
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
--A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# accept dns requests going out to a server on the local network
-A OUTPUT -p udp --dport 53 -j ACCEPT
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/net/nolocal6.net
^
|
@@ -20,8 +20,8 @@
# allow ping etc.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT
# required for ipv6
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/0ad.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -45,7 +44,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -56,3 +54,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/1password.profile
^
|
@@ -0,0 +1,20 @@
+# Firejail profile for 1password
+# Description: 1Password is a password manager developed by AgileBits Inc.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 1password.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/1Password
+
+mkdir ${HOME}/.config/1Password
+whitelist ${HOME}/.config/1Password
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+
+# Needed for keychain things, talking to Firefox, possibly other things? Not sure how to narrow down
+ignore dbus-user none
+
+# Redirect
+include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/2048-qt.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/2048-qt
@@ -37,8 +36,9 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Books.profile
^
|
@@ -1,6 +1,10 @@
# Firejail profile for gnome-books
# This file is overwritten after every install/update
-
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
# Temporary fix for https://github.com/netblue30/firejail/issues/2624
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Cryptocat.profile
^
|
@@ -10,7 +10,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -25,8 +24,9 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Discord.profile
^
|
@@ -3,15 +3,8 @@
# Persistent local customizations
include Discord.local
# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.config/discord
-
-mkdir ${HOME}/.config/discord
-whitelist ${HOME}/.config/discord
-
-private-bin Discord
-private-opt Discord
+# added by included profile
+#include globals.local
# Redirect
-include discord-common.profile
+include discord.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/DiscordCanary.profile
^
|
@@ -3,15 +3,8 @@
# Persistent local customizations
include DiscordCanary.local
# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.config/discordcanary
-
-mkdir ${HOME}/.config/discordcanary
-whitelist ${HOME}/.config/discordcanary
-
-private-bin DiscordCanary
-private-opt DiscordCanary
+# added by included profile
+#include globals.local
# Redirect
-include discord-common.profile
+include discord-canary.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Fritzing.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,8 +32,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/JDownloader.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/abiword.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -37,14 +36,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin abiword
private-cache
private-dev
-private-etc fonts,gtk-3.0,passwd
+private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
private-tmp
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/agetpkg.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,16 +44,16 @@
novideo
protocol inet,inet6
seccomp
-shell none
tracelog
private-bin agetpkg,python3
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/akonadi_control.profile
^
|
@@ -17,6 +17,7 @@
noblacklist ${HOME}/.local/share/contacts
noblacklist ${HOME}/.local/share/local-mail
noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
noblacklist /sbin
noblacklist /tmp/akonadi-*
noblacklist /usr/sbin
@@ -25,9 +26,9 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
@@ -54,3 +55,4 @@
private-dev
# private-tmp - breaks programs that depend on akonadi
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/akregator.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -26,6 +25,7 @@
whitelist ${HOME}/.local/share/kssl
whitelist ${HOME}/.local/share/kxmlgui5/akregator
include whitelist-common.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
caps.drop all
@@ -42,10 +42,11 @@
protocol unix,inet,inet6,netlink
# chroot syscalls are needed for setting up the built-in sandbox
seccomp !chroot
-shell none
disable-mnt
private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5
private-dev
private-tmp
+deterministic-shutdown
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/alacarte.profile
^
|
@@ -15,7 +15,6 @@
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
-include disable-passwdmgr.inc
include disable-xdg.inc
# Whitelist your system icon directory,varies by distro
@@ -47,14 +46,13 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
# private-bin alacarte,bash,python*,sh
private-cache
private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
private-tmp
dbus-user none
@@ -64,3 +62,4 @@
read-write ${HOME}/.gnome/apps
read-write ${HOME}/.local/share/applications
read-write ${HOME}/.local/share/flatpak/exports
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/alienarena.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -30,7 +29,6 @@
netfilter
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -39,7 +37,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -51,3 +48,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/alpine.profile
^
|
@@ -37,7 +37,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -85,7 +84,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -102,3 +100,4 @@
memory-deny-write-execute
read-only ${HOME}/.signature
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/amarok.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -28,7 +27,6 @@
novideo
protocol unix,inet,inet6
# seccomp
-shell none
# private-bin amarok
private-dev
@@ -40,9 +38,11 @@
dbus-user.own org.mpris.amarok
dbus-user.own org.mpris.MediaPlayer2.amarok
dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
# If you're not on kde-plasma add the next lines to your amarok.local.
#dbus-user.own org.kde.kded
#dbus-user.own org.kde.klauncher
#dbus-user.talk org.kde.knotify
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/amule.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.aMule
@@ -33,11 +32,12 @@
notv
nou2f
novideo
+# Add netlink protocol to use UPnP
protocol unix,inet,inet6
seccomp
-shell none
private-bin amule
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/android-studio.profile
^
|
@@ -20,7 +20,6 @@
include allow-ssh.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -35,10 +34,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
# private-tmp
# noexec /tmp breaks 'Android Profiler'
#noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/anki.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,15 +44,15 @@
protocol unix,inet,inet6
# QtWebengine needs chroot to set up its own sandbox
seccomp !chroot
-shell none
-tracelog
disable-mnt
private-bin anki,python*
private-cache
private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
private-tmp
dbus-user none
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/anydesk.profile
^
|
@@ -10,7 +10,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -29,9 +28,10 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin anydesk
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/aosp.profile
^
|
@@ -20,7 +20,6 @@
include allow-ssh.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,6 +38,7 @@
novideo
protocol unix,inet,inet6
#seccomp
-shell none
private-tmp
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/apktool.profile
^
|
@@ -9,7 +9,6 @@
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -29,7 +28,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin apktool,basename,bash,dirname,expr,java,sh
private-cache
@@ -37,3 +35,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/apostrophe.profile
^
|
@@ -26,7 +26,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -57,7 +56,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -71,3 +69,5 @@
dbus-user.own org.gnome.gitlab.somas.Apostrophe
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/arch-audit.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol inet,inet6
seccomp
-shell none
disable-mnt
private
@@ -51,3 +49,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/archaudit-report.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -29,7 +28,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private
@@ -38,3 +36,4 @@
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/archiver-common.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc.
#include disable-programs.inc
include disable-shell.inc
@@ -40,7 +39,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -51,3 +49,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ardour5.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -32,7 +31,6 @@
nou2f
protocol unix
seccomp
-shell none
#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
private-cache
@@ -42,3 +40,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/arduino.profile
^
|
@@ -10,14 +10,10 @@
noblacklist ${HOME}/Arduino
noblacklist ${DOCUMENTS}
-# Allow java (blacklisted by disable-devel.inc)
-include allow-java.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,8 +29,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/aria2c.profile
^
|
@@ -7,6 +7,7 @@
include globals.local
noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.cache/winetricks # XXX: See #5238
noblacklist ${HOME}/.config/aria2
noblacklist ${HOME}/.netrc
@@ -17,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-usr-share-common.inc
@@ -38,7 +38,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
# disable-mnt
# Add your custom event hook commands to 'private-bin' in your aria2c.local.
@@ -46,7 +45,7 @@
# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
#private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
private-lib libreadline.so.*
private-tmp
@@ -54,3 +53,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ark.profile
^
|
@@ -13,10 +13,10 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/ark
+include whitelist-run-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -35,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
@@ -45,3 +44,5 @@
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/arm.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.arm
@@ -38,12 +37,12 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/artha.profile
^
|
@@ -10,14 +10,12 @@
noblacklist ${HOME}/.config/artha.log
noblacklist ${HOME}/.config/enchant
-blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -50,18 +48,21 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin artha,enchant,notify-send
private-cache
private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-lib libnotify.so.*
private-tmp
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.artha.unique.*
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/assogiate.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -53,3 +51,4 @@
memory-deny-write-execute
read-write ${HOME}/.local/share/mime
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/asunder.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
@@ -47,3 +45,4 @@
# mdwe is disabled due to breaking hardware accelerated decoding
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/atom.profile
^
|
@@ -11,6 +11,8 @@
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/atool.profile
^
|
@@ -13,7 +13,7 @@
noroot
# without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
private-tmp
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/atril.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,12 +37,11 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
# atril uses webkit gtk to display epub files
# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
@@ -51,3 +49,4 @@
# webkit gtk killed by memory-deny-write-execute
#memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/audacious.profile
^
|
@@ -14,10 +14,10 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
apparmor
@@ -32,7 +32,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
# private-bin audacious
@@ -43,3 +42,5 @@
# dbus needed for MPRIS
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/audacity.profile
^
|
@@ -6,7 +6,16 @@
# Persistent global definitions
include globals.local
+# Add the below lines to your audacity.local if you need online plugins.
+#ignore net none
+#netfilter
+#protocol inet6
+
noblacklist ${HOME}/.audacity-data
+noblacklist ${HOME}/.cache/audacity
+noblacklist ${HOME}/.config/audacity
+noblacklist ${HOME}/.local/share/audacity
+noblacklist ${HOME}/.local/state/audacity
noblacklist ${DOCUMENTS}
noblacklist ${MUSIC}
@@ -14,14 +23,16 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
include whitelist-var-common.inc
-apparmor
+# Silence blacklist violation. See #5539.
+allow-debuggers
+## Enabling App Armor appears to break some Fedora / Arch installs
+#apparmor
caps.drop all
net none
no3d
@@ -33,9 +44,8 @@
notv
nou2f
novideo
-protocol unix
+protocol unix,inet
seccomp
-shell none
tracelog
private-bin audacity
@@ -45,3 +55,5 @@
# problems on Fedora 27
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/audio-recorder.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -53,3 +51,4 @@
dbus-system none
# memory-deny-write-execute - breaks on Arch
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/authenticator-rs.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,16 +40,17 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin authenticator-rs
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
private-tmp
dbus-user filter
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/authenticator.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# apparmor
@@ -35,12 +34,11 @@
# novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
# private-bin authenticator,python*
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
private-tmp
# makes settings immutable
@@ -48,3 +46,4 @@
# dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/autokey-common.profile
^
|
@@ -19,7 +19,6 @@
# disable-exec.inc might break scripting functionality
#include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -33,7 +32,6 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-cache
@@ -41,3 +39,4 @@
private-tmp
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux.profile
^
|
@@ -1,10 +1,12 @@
# Firejail profile for Avidemux
# Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks.
+# This file is overwritten after every install/update
# Persistent local customizations
include avidemux.local
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.avidemux3
noblacklist ${HOME}/.avidemux6
noblacklist ${HOME}/.config/avidemux3_qt5rc
noblacklist ${VIDEOS}
@@ -13,16 +15,18 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+mkdir ${HOME}/.avidemux3
mkdir ${HOME}/.avidemux6
mkdir ${HOME}/.config/avidemux3_qt5rc
+whitelist ${HOME}/.avidemux3
whitelist ${HOME}/.avidemux6
whitelist ${HOME}/.config/avidemux3_qt5rc
whitelist ${VIDEOS}
+
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
@@ -42,7 +46,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5
@@ -52,3 +55,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux3_cli.profile
^
|
@@ -0,0 +1,11 @@
+# Firejail profile for avidemux3_cli
+# Description: The command-line interface for Avidemux.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include avidemux3_cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include avidemux.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux3_jobs_qt5.profile
^
|
@@ -0,0 +1,18 @@
+# Firejail profile for avidemux3_jobs_qt5
+# Description: The Qt5 GUI to run Avidemux jobs.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include avidemux3_jobs_qt5.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Provide a shell to spawn avidemux3_cli
+include allow-bin-sh.inc
+private-bin sh
+
+# Needs to bind to a socket on localhost
+protocol inet,inet6
+
+# Redirect
+include avidemux3_qt5.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux3_qt5.profile
^
|
@@ -0,0 +1,15 @@
+# Firejail profile for avidemux3_qt5
+# Description: The Qt5 GUI for Avidemux.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include avidemux3_qt5.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Allow translations
+whitelist /usr/share/avidemux3
+whitelist /usr/share/avidemux6
+
+# Redirect
+include avidemux.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/aweather.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -33,9 +32,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin aweather
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/awesome.profile
^
|
@@ -14,6 +14,7 @@
netfilter
noroot
protocol unix,inet,inet6
-seccomp
+seccomp !chroot
read-only ${HOME}/.config/awesome/autorun.sh
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ballbuster.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -51,3 +49,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/baloo_file.profile
^
|
@@ -23,9 +23,9 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
apparmor
@@ -46,10 +46,11 @@
protocol unix
# blacklisting of ioprio_set system calls breaks baloo_file
seccomp !ioprio_set
-shell none
# x11 xorg
private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/balsa.profile
^
|
@@ -7,77 +7,20 @@
include globals.local
noblacklist ${HOME}/.balsa
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.signature
noblacklist ${HOME}/mail
-noblacklist /var/mail
-noblacklist /var/spool/mail
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
include disable-shell.inc
-include disable-xdg.inc
mkdir ${HOME}/.balsa
-mkdir ${HOME}/.gnupg
-mkfile ${HOME}/.signature
mkdir ${HOME}/mail
whitelist ${HOME}/.balsa
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.signature
whitelist ${HOME}/mail
-whitelist ${RUNUSER}/gnupg
whitelist /usr/share/balsa
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /var/mail
-whitelist /var/spool/mail
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# disable-mnt
-# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
-private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
-private-tmp
-writable-run-user
-writable-var
-dbus-user filter
+# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg.
+#private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
+
dbus-user.own org.desktop.Balsa
-dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.freedesktop.secrets
-dbus-user.talk org.gnome.keyring.SystemPrompter
-dbus-system none
-read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
+# Redirect
+include email-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/baobab.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# include disable-programs.inc
include disable-shell.inc
# include disable-xdg.inc
@@ -32,7 +31,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin baobab
@@ -43,3 +41,4 @@
# dbus-system none
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/barrier.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -44,3 +42,4 @@
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/basilisk.profile
^
|
@@ -22,5 +22,8 @@
#private-etc basilisk
#private-opt basilisk
+restrict-namespaces
+ignore restrict-namespaces
+
# Redirect
include firefox-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bcompare.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
#include disable-programs.inc
#include disable-shell.inc - breaks launch
@@ -37,7 +36,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
@@ -46,3 +44,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bibletime.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.bibletime
@@ -47,14 +46,15 @@
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
disable-mnt
-# private-bin bibletime,qt5ct
+# private-bin bibletime
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
private-tmp
dbus-user none
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bijiben.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,14 +44,13 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin bijiben
# private-cache -- access to .cache/tracker is required
private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
private-tmp
dbus-user filter
@@ -62,3 +60,4 @@
dbus-system none
env WEBKIT_FORCE_SANDBOX=0
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bitcoin-qt.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -39,7 +38,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin bitcoin-qt
@@ -49,3 +47,4 @@
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bitlbee.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,3 +38,4 @@
private-tmp
read-write /var/lib/bitlbee
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bitwarden.profile
^
|
@@ -23,7 +23,7 @@
nosound
?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
private-opt Bitwarden
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blackbox.profile
^
|
@@ -14,5 +14,6 @@
netfilter
noroot
protocol unix,inet,inet6
-seccomp
+seccomp !chroot
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bleachbit.profile
^
|
@@ -1,6 +1,7 @@
# Firejail profile for bleachbit
# Description: Delete unnecessary files from the system
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include bleachbit.local
# Persistent global definitions
@@ -14,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# include disable-programs.inc
caps.drop all
@@ -31,7 +31,6 @@
novideo
protocol unix
seccomp
-shell none
private-dev
# private-tmp
@@ -41,3 +40,4 @@
# memory-deny-write-execute breaks some systems, see issue #1850
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blender.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# Allow usage of AMD GPU by OpenCL
@@ -36,6 +35,7 @@
protocol unix,inet,inet6,netlink
# numpy, used by many add-ons, requires the mbind syscall
seccomp !mbind
-shell none
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bless.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -31,13 +30,14 @@
novideo
protocol unix
seccomp
-shell none
# private-bin bash,bless,mono,sh
private-cache
private-dev
-private-etc alternatives,fonts,mono
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blobby.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,13 +35,12 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin blobby
private-dev
-private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse
private-lib
private-tmp
@@ -50,3 +48,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blobwars.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -20,6 +19,7 @@
mkdir ${HOME}/.parallelrealities/blobwars
whitelist ${HOME}/.parallelrealities/blobwars
whitelist /usr/share/blobwars
+whitelist /usr/share/games/blobwars
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -29,7 +29,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -37,15 +36,16 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin blobwars
private-cache
private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bluefish.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -30,7 +29,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin bluefish
@@ -39,3 +37,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bnox.profile
^
|
@@ -6,7 +6,8 @@
include globals.local
# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/brackets.profile
^
|
@@ -13,7 +13,6 @@
include allow-common-devel.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -29,7 +28,8 @@
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot,!ioperm
-shell none
private-cache
private-dev
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/brasero.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -28,10 +27,11 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin brasero
private-cache
# private-dev
# private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/brave.profile
^
|
@@ -13,6 +13,8 @@
# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
# Alternatively you can add 'ignore apparmor' to your brave.local.
ignore noexec ${HOME}
+# Causes slow starts (#4604)
+ignore private-cache
noblacklist ${HOME}/.cache/BraveSoftware
noblacklist ${HOME}/.config/BraveSoftware
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bsdtar.profile
^
|
@@ -6,7 +6,7 @@
# Persistent global definitions
include globals.local
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
# Redirect
include archiver-common.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/build-systems-common.profile
^
|
@@ -0,0 +1,67 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bundle.profile
^
|
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+# Redirect
+include build-systems-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bzflag.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -46,3 +44,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cachy-browser.profile
^
|
@@ -0,0 +1,56 @@
+# Firejail profile for Cachy-Browser
+# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cachy-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cachy
+noblacklist ${HOME}/.cachy
+
+mkdir ${HOME}/.cache/cachy
+mkdir ${HOME}/.cachy
+whitelist ${HOME}/.cache/cachy
+whitelist ${HOME}/.cachy
+
+# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
+# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,cachy-browser,sh
+# Add the next line to your cachy-browser.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
+#private-etc cachy-browser
+
+dbus-user filter
+dbus-user.own org.mozilla.cachybrowser.*
+# Add the next line to your cachy-browser.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your cachy-browser.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your cachy-browser.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/calibre.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,8 @@
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
private-dev
private-tmp
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/calligra.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -29,7 +28,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
private-dev
@@ -39,3 +37,4 @@
# noexec ${HOME}
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cameramonitor.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,16 +40,16 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin cameramonitor,python*
private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
# dbus-user none
# dbus-system none
# memory-deny-write-execute - breaks on Arch
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cantata.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -34,8 +33,9 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
-# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
private-bin cantata,mpd,perl
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cargo.profile
^
|
@@ -7,67 +7,18 @@
# Persistent global definitions
include globals.local
-ignore noexec ${HOME}
-ignore noexec /tmp
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+ignore read-only ${HOME}/.cargo/bin
noblacklist ${HOME}/.cargo/credentials
noblacklist ${HOME}/.cargo/credentials.toml
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
#whitelist ${HOME}/.cargo
#whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-disable-mnt
#private-bin cargo,rustc
-private-cache
-private-dev
private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-
-dbus-user none
-dbus-system none
memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+
+# Redirect
+include build-systems-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/catfish.profile
^
|
@@ -18,7 +18,6 @@
# include disable-common.inc
# include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# include disable-programs.inc
whitelist /var/lib/mlocate
@@ -37,7 +36,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# These options work but are disabled in case
@@ -48,3 +46,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cawbird.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -33,15 +32,16 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin cawbird
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
private-tmp
# dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/celluloid.profile
^
|
@@ -23,10 +23,8 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
-read-only ${DESKTOP}
mkdir ${HOME}/.config/celluloid
mkdir ${HOME}/.config/gnome-mpv
mkdir ${HOME}/.config/youtube-dl
@@ -50,19 +48,20 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin celluloid,env,gnome-mpv,python*,youtube-dl
private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
private-dev
private-tmp
dbus-user filter
dbus-user.own io.github.celluloid_player.Celluloid
+dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
dbus-system none
read-only ${HOME}
read-write ${HOME}/.config/celluloid
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chafa.profile
^
|
@@ -0,0 +1,56 @@
+# Firejail profile for chafa
+# Description: A terminal-based image viewer and image-to-text converter.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chafa.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+# Add the following to your chafa.local if you do not need to view images in
+# /usr/share.
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp socket
+seccomp.block-secondary
+tracelog
+x11 none
+
+private-bin chafa
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chatterino.profile
^
|
@@ -0,0 +1,92 @@
+# Firejail profile for Chatterino
+# Description: Chat client for https://twitch.tv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chatterino.local
+# Persistent global definitions
+include globals.local
+
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${PICTURES}
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${MUSIC}
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/pulse
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/chatterino
+noblacklist ${HOME}/.local/share/vlc
+
+# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Also allow read-only access to mpv/VLC, they're usable via streamlink.
+mkdir ${HOME}/.local/share/chatterino
+# VLC preferences will fail to save with read-only set.
+whitelist ${HOME}/.local/share/chatterino
+whitelist-ro ${HOME}/.config/mpv
+whitelist-ro ${HOME}/.config/pulse
+whitelist-ro ${HOME}/.config/vlc
+whitelist-ro ${HOME}/.local/share/vlc
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+# Netlink is required for streamlink integration.
+protocol unix,inet,inet6,netlink
+# Seccomp may break browser integration.
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
+private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc
+# private-cache may cause issues with mpv (see #2838)
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-srv none
+private-tmp
+
+dbus-user filter
+dbus-user.own com.chatterino.*
+# Allow notifications.
+dbus-user.talk org.freedesktop.Notifications
+# For media player integration.
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.mpris.MediaPlayer2.chatterino
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
+
+# Prevents browsers/players from lingering after Chatterino is closed.
+#deterministic-shutdown
+# memory-deny-write-execute may break streamlink and browser integration.
+#memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/checkbashisms.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
novideo
protocol unix
seccomp
-shell none
x11 none
private-cache
@@ -54,3 +52,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cheese.profile
^
|
@@ -9,18 +9,23 @@
noblacklist ${VIDEOS}
noblacklist ${PICTURES}
+include allow-python3.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
+include disable-shell.inc
include disable-xdg.inc
whitelist ${VIDEOS}
whitelist ${PICTURES}
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
include whitelist-common.inc
+include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -31,21 +36,27 @@
net none
nodvd
nogroups
+noinput
nonewprivs
noroot
+nosound
notv
nou2f
protocol unix
seccomp
-shell none
+seccomp.block-secondary
tracelog
disable-mnt
private-bin cheese
private-cache
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-dev
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload
private-tmp
dbus-user filter
+dbus-user.own org.gnome.Cheese
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cherrytree.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,10 +34,10 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chromium-common-hardened.inc.profile
^
|
@@ -6,5 +6,6 @@
nonewprivs
noroot
protocol unix,inet,inet6,netlink
-# kcmp is required for ozone-platform=wayland, see #3783.
-seccomp !chroot,!kcmp
+seccomp !chroot
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chromium-common.profile
^
|
@@ -9,8 +9,9 @@
# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
+noblacklist /usr/lib/chromium/chrome-sandbox
# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
# to have access to Gnome extensions (extensions.gnome.org) via browser connector
@@ -20,16 +21,18 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-# include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
+whitelist /usr/share/mozilla/extensions
+whitelist /usr/share/webext
include whitelist-common.inc
+include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -37,10 +40,6 @@
# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
#include chromium-common-hardened.inc.profile
-# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-
apparmor
caps.keep sys_admin,sys_chroot
netfilter
@@ -49,13 +48,16 @@
noinput
notv
?BROWSER_DISABLE_U2F: nou2f
-shell none
disable-mnt
private-cache
?BROWSER_DISABLE_U2F: private-dev
#private-tmp - issues when using multiple browser sessions
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
dbus-system none
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chromium.profile
^
|
@@ -16,7 +16,6 @@
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf
whitelist /usr/share/chromium
-whitelist /usr/share/mozilla/extensions
# private-bin chromium,chromium-browser,chromedriver
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cin.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -28,7 +27,6 @@
# If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local.
seccomp
-shell none
#private-bin cin,ffmpeg
private-cache
@@ -36,3 +34,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cinelerra-gg.profile
^
|
@@ -0,0 +1,10 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cinelerra-gg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cin.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clamav.profile
^
|
@@ -26,7 +26,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -38,3 +37,4 @@
read-only ${HOME}
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clamtk.profile
^
|
@@ -22,9 +22,10 @@
novideo
protocol unix
seccomp
-shell none
private-dev
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/claws-mail.profile
^
|
@@ -1,5 +1,5 @@
# Firejail profile for claws-mail
-# Description: Fast, lightweight and user-friendly GTK+2 based email client
+# Description: Fast, lightweight and user-friendly GTK based email client
# This file is overwritten after every install/update
# Persistent local customizations
include claws-mail.local
@@ -20,11 +20,5 @@
# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
-dbus-user filter
-dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.gnome.keyring.SystemPrompter
-# Add the next line to your claws-mail.local if you use the notification plugin.
-# dbus-user.talk org.freedesktop.Notifications
-
# Redirect
include email-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clawsker.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.claws-mail
@@ -39,13 +38,12 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin bash,clawsker,perl,sh,which
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
private-tmp
@@ -53,3 +51,4 @@
dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clementine.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,3 +38,5 @@
dbus-system none
# dbus-user none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clion-eap.profile
^
|
@@ -0,0 +1,10 @@
+# Firejail profile for CLion EAP
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion-eap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clion.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clion.profile
^
|
@@ -5,6 +5,9 @@
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.config/JetBrains/CLion*
+noblacklist ${HOME}/.cache/JetBrains/CLion*
+noblacklist ${HOME}/.clion*
noblacklist ${HOME}/.CLion*
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.gitconfig
@@ -17,7 +20,6 @@
include allow-ssh.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -32,10 +34,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
# private-tmp
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clipgrab.profile
^
|
@@ -6,15 +6,18 @@
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.config/ClipGrab
noblacklist ${HOME}/.config/Philipp Schmieder
noblacklist ${HOME}/.pki
noblacklist ${VIDEOS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,7 +39,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
disable-mnt
private-cache
@@ -46,3 +48,5 @@
# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
# dbus-user none
# dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clipit.profile
^
|
@@ -13,8 +13,9 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
+include disable-proc.inc
include disable-programs.inc
+include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.config/clipit
@@ -22,6 +23,8 @@
whitelist ${HOME}/.config/clipit
whitelist ${HOME}/.local/share/clipit
include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -35,6 +38,7 @@
nogroups
noinput
nonewprivs
+noprinters
noroot
nosound
notv
@@ -42,10 +46,18 @@
novideo
protocol unix
seccomp
-shell none
+tracelog
disable-mnt
+private-bin clipit,xdotool
private-cache
private-dev
+private-lib libxdo.so.*
private-tmp
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cmake.profile
^
|
@@ -0,0 +1,16 @@
+# Firejail profile for cmake
+# Description: A cross-platform open-source make system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cmake.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/cmake
+whitelist /usr/share/cmake-*
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cmus.profile
^
|
@@ -12,7 +12,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -25,7 +24,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/code.profile
^
|
@@ -5,6 +5,23 @@
# Persistent global definitions
include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron*-flag*.conf
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
+
noblacklist ${HOME}/.config/Code
noblacklist ${HOME}/.config/Code - OSS
noblacklist ${HOME}/.vscode
@@ -13,31 +30,13 @@
# Allows files commonly used by IDEs
include allow-common-devel.inc
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-cache
-private-dev
-private-tmp
# Disabling noexec ${HOME} for now since it will
# probably interfere with running some programmes
# in VS Code
# noexec ${HOME}
noexec /tmp
+
+# Redirect
+include electron.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/codium.profile
^
|
@@ -0,0 +1,10 @@
+# Firejail profile alias for VSCodium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include codium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vscodium.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cointop.profile
^
|
@@ -0,0 +1,63 @@
+# Firejail profile for cointop
+# Description: TUI for tracking cryptocurrency stats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cointop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cointop
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/cointop
+whitelist ${HOME}/.config/cointop
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin cointop
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cola.profile
^
|
@@ -7,4 +7,4 @@
include globals.local
# Redirect
-include git-cola.profile
\ No newline at end of file
+include git-cola.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/colorful.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -51,3 +49,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.bleakgrey.tootle.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,14 +38,13 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin com.github.bleakgrey.tootle
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
private-tmp
# Settings are immutable
@@ -54,3 +52,5 @@
# dbus-user.own com.github.bleakgrey.tootle
# dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.dahenson.agenda.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -46,14 +45,13 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin com.github.dahenson.agenda
private-cache
private-dev
-private-etc dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
private-tmp
dbus-user filter
@@ -65,3 +63,4 @@
read-write ${HOME}/.cache/agenda
read-write ${HOME}/.config/agenda
read-write ${HOME}/.local/share/agenda
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -49,16 +48,16 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin com.github.johnfactotum.Foliate,gjs
private-cache
private-dev
-private-etc dconf,fonts,gconf,gtk-3.0
+private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload
private-tmp
read-only ${HOME}
read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.phase1geo.minder.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -46,7 +45,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -60,3 +58,5 @@
dbus-user.own com.github.phase1geo.minder
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.tchx84.Flatseal.profile
^
|
@@ -0,0 +1,65 @@
+# Firejail profile for flatseal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.tchx84.Flatseal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/flatpak/overrides
+noblacklist /var/lib/flatpak/app
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/flatpak/overrides
+whitelist ${HOME}/.local/share/flatpak/overrides
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin com.github.tchx84.Flatseal,gjs
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.tchx84.Flatseal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.impl.portal.PermissionStore
+dbus-user.talk org.gnome.Software
+dbus-system none
+
+read-write ${HOME}/.local/share/flatpak/overrides
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/conkeror.profile
^
|
@@ -34,3 +34,5 @@
seccomp
disable-mnt
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/conky.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-cache
@@ -45,3 +43,4 @@
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/corebird.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -31,9 +30,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin corebird
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cower.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin cower
@@ -48,3 +46,4 @@
memory-deny-write-execute
read-only ${HOME}/.config/cower/config
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/coyim.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,16 +34,16 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl
private-tmp
dbus-user none
dbus-system none
#memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/crawl.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin crawl,crawl-tiles
@@ -46,3 +44,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/crow.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,13 +34,13 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
private-bin crow
private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
private-opt none
private-tmp
private-srv none
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/curl.profile
^
|
@@ -18,9 +18,12 @@
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}
+# If you use nvm, add the below lines to your curl.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local.
#include disable-xdg.inc
@@ -45,7 +48,6 @@
novideo
protocol inet,inet6
seccomp
-shell none
tracelog
# private-bin curl
@@ -56,3 +58,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/d-feet.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,13 +44,13 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin d-feet,python*
private-cache
private-dev
-private-etc alternatives,dbus-1,fonts,machine-id
+private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/darktable.profile
^
|
@@ -10,11 +10,16 @@
noblacklist ${HOME}/.config/darktable
noblacklist ${PICTURES}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,9 +36,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
-#private-bin darktable
+#private-bin darktable,exiftool,perl
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dbus-send.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -44,7 +43,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -52,9 +50,10 @@
private-bin dbus-send
private-cache
private-dev
-private-etc alternatives,dbus-1
+private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload
private-lib libpcre*
private-tmp
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dconf-editor.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,14 +36,13 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin dconf-editor
private-cache
private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id
private-lib
private-tmp
@@ -52,3 +50,5 @@
dbus-user.own ca.desrt.dconf-editor
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dconf.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -47,8 +45,9 @@
private-bin dconf,gsettings
private-cache
private-dev
-private-etc alternatives,dconf
+private-etc alternatives,dconf,ld.so.cache,ld.so.preload
private-lib
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ddgtk.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,16 +39,16 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
# memory-deny-write-execute - breaks on Arch
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/deadbeef.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -29,8 +28,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/default.profile
^
|
@@ -12,7 +12,6 @@
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# include disable-shell.inc
# include disable-write-mnt.inc
@@ -58,5 +57,7 @@
# dbus-user none
# dbus-system none
+# deterministic-shutdown
# memory-deny-write-execute
# read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/deluge.profile
^
|
@@ -16,7 +16,6 @@
# include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/deluge
@@ -37,11 +36,12 @@
notv
nou2f
novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
seccomp
-shell none
# deluge is using python on Debian
private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/desktopeditors.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-usr-share-common.inc
@@ -34,7 +33,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-bin desktopeditors,sh
@@ -44,3 +42,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/devhelp.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,14 +35,13 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin devhelp
private-cache
private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
private-tmp
# makes settings immutable
@@ -52,3 +50,4 @@
#memory-deny-write-execute - breaks on Arch (see issue #1803)
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/devilspie.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -49,7 +47,7 @@
private-bin devilspie
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-lib gconv
private-tmp
@@ -58,3 +56,4 @@
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dex2jar.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
private-cache
@@ -41,3 +39,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dia.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -45,7 +44,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -56,3 +54,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dig.profile
^
|
@@ -17,7 +17,6 @@
# include disable-devel.inc
include disable-exec.inc
# include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -44,7 +43,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -58,3 +56,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/digikam.profile
^
|
@@ -13,11 +13,13 @@
noblacklist ${HOME}/.local/share/kxmlgui5/digikam
noblacklist ${PICTURES}
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,7 +36,6 @@
protocol unix,inet,inet6,netlink
# QtWebengine needs chroot to set up its own sandbox
seccomp !chroot
-shell none
# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
@@ -42,3 +43,5 @@
# dbus-user none
# dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dillo.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.dillo
@@ -36,3 +35,6 @@
private-dev
private-tmp
+
+deterministic-shutdown
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dino.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -33,10 +32,9 @@
noroot
notv
nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -45,4 +43,15 @@
# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
private-tmp
-dbus-system none
+dbus-user filter
+# Integration with notification and other desktop environment functionalities
+dbus-user.own im.dino.Dino
+# dconf integration
+dbus-user.talk ca.desrt.dconf
+# Notification support
+dbus-user.talk org.freedesktop.Notifications
+dbus-system filter
+# Integration with systemd-logind or elogind
+dbus-system.talk org.freedesktop.login1
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/discord-canary.profile
^
|
@@ -10,8 +10,8 @@
mkdir ${HOME}/.config/discordcanary
whitelist ${HOME}/.config/discordcanary
-private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]
-private-opt discord-canary
+private-bin discord-canary,DiscordCanary
+private-opt discord-canary,DiscordCanary
# Redirect
include discord-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/discord-common.profile
^
|
@@ -23,8 +23,8 @@
whitelist ${HOME}/.config/BetterDiscord
whitelist ${HOME}/.local/share/betterdiscordctl
-private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
join-or-start discord
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/discord.profile
^
|
@@ -10,8 +10,8 @@
mkdir ${HOME}/.config/discord
whitelist ${HOME}/.config/discord
-private-bin discord
-private-opt discord
+private-bin discord,Discord
+private-opt discord,Discord
# Redirect
include discord-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/display.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,14 +34,16 @@
nou2f
protocol unix
seccomp
-shell none
# x11 xorg - problems on kubuntu 17.04
private-bin display,python*
private-dev
# On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives
+private-etc alternatives,ImageMagick-6,ImageMagick-7,ld.so.cache,ld.so.preload
+private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.*
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dnox.profile
^
|
@@ -6,7 +6,8 @@
include globals.local
# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dnscrypt-proxy.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
novideo
protocol inet,inet6
seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
-shell none
tracelog
disable-mnt
@@ -53,3 +51,4 @@
# mdwe can break modules/plugins
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dnsmasq.profile
^
|
@@ -9,17 +9,20 @@
noblacklist /sbin
noblacklist /usr/sbin
+noblacklist /var/lib/libvirt
blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
+whitelist /var/lib/libvirt/dnsmasq
+whitelist /var/run
+
caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
no3d
nodvd
@@ -34,5 +37,8 @@
disable-mnt
private
-private-cache
private-dev
+private-tmp
+writable-var
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dolphin-emu.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-write-mnt.inc
include disable-xdg.inc
@@ -49,7 +48,6 @@
novideo
protocol unix,inet,inet6,netlink,bluetooth
seccomp
-shell none
tracelog
private-bin bash,dolphin-emu,dolphin-emu-x11,sh
@@ -62,3 +60,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dooble.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.dooble
@@ -33,10 +32,10 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dosbox.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin dosbox
@@ -43,3 +41,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dragon.profile
^
|
@@ -14,12 +14,12 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
whitelist /usr/share/dragonplayer
+include whitelist-run-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -34,9 +34,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin dragon
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/drawio.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,16 +39,16 @@
novideo
protocol unix
seccomp !chroot
-shell none
# tracelog - breaks on Arch
private-bin drawio
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
# memory-deny-write-execute - breaks on Arch
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/drill.profile
^
|
@@ -16,7 +16,6 @@
# include disable-devel.inc
include disable-exec.inc
# include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -54,3 +52,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dropbox.profile
^
|
@@ -15,7 +15,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.dropbox
@@ -42,9 +41,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
private-tmp
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/easystroke.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -46,7 +44,7 @@
#private-bin bash,easystroke,sh
private-cache
private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
# breaks custom shell command functionality
#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
private-tmp
@@ -55,3 +53,4 @@
# dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electron-hardened.inc.profile
^
|
@@ -0,0 +1,10 @@
+# Firejail profile alias for chrome-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# Redirect
+include chrome-common-hardened.inc.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electron-mail.profile
^
|
@@ -1,57 +1,43 @@
-# Firejail profile for electron-mail
-# Description: Unofficial desktop app for several E2E encrypted email providers
+# Firejail profile for ElectronMail
+# Description: Unofficial desktop app for the Proton Mail E2E encrypted email provider
# This file is overwritten after every install/update
# Persistent local customizations
include electron-mail.local
# Persistent global definitions
include globals.local
+ignore dbus-user none
+ignore disable-mnt
+
noblacklist ${HOME}/.config/electron-mail
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
include disable-shell.inc
-include disable-xdg.inc
mkdir ${HOME}/.config/electron-mail
whitelist ${HOME}/.config/electron-mail
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-# tracelog - breaks on Arch
-
-private-bin electron-mail
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+machine-id
+nosound
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
private-opt ElectronMail
-private-tmp
-# breaks tray functionality
-# dbus-user none
-dbus-system none
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
-# memory-deny-write-execute - breaks on Arch
+# Redirect
+include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electron.profile
^
|
@@ -4,22 +4,26 @@
# Persistent local customizations
include electron.local
+noblacklist ${HOME}/.config/Electron
+noblacklist ${HOME}/.config/electron*-flag*.conf
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Electron
+whitelist ${HOME}/.config/electron*-flag*.conf
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
-# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc.profile
+# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
+#include electron-hardened.inc.profile
apparmor
caps.keep sys_admin,sys_chroot
@@ -30,7 +34,6 @@
notv
nou2f
novideo
-shell none
disable-mnt
private-cache
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electrum.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,15 +40,16 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin electrum,python*
private-cache
?HAS_APPIMAGE: ignore private-dev
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
private-tmp
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/elinks.profile
^
|
@@ -9,6 +9,9 @@
noblacklist ${HOME}/.elinks
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
mkdir ${HOME}/.elinks
whitelist ${HOME}/.elinks
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/emacs.profile
^
|
@@ -15,7 +15,6 @@
include allow-common-devel.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -31,3 +30,4 @@
read-write ${HOME}/.emacs
read-write ${HOME}/.emacs.d
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/email-common.profile
^
|
@@ -1,5 +1,5 @@
# Firejail profile for email-common
-# Description: Common profile for claws-mail and sylpheed email clients
+# Description: Common profile for GUI mail clients
# This file is overwritten after every install/update
# Persistent local customizations
include email-common.local
@@ -7,12 +7,15 @@
# added by caller profile
#include globals.local
+noblacklist ${HOME}/.bogofilter
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.signature
# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
-# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
noblacklist ${HOME}/Mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
noblacklist ${DOCUMENTS}
@@ -20,7 +23,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,6 +40,8 @@
whitelist ${RUNUSER}/gnupg
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
@@ -60,25 +64,26 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
# disable-mnt
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,timezone,xdg
private-tmp
# encrypting and signing email
writable-run-user
+writable-var
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.*
+dbus-user.talk org.gnome.seahorse.*
+dbus-user.talk org.mozilla.*
dbus-system none
-# If you want to read local mail stored in /var/mail, add the following to email-common.local:
-#noblacklist /var/mail
-#noblacklist /var/spool/mail
-#whitelist /var/mail
-#whitelist /var/spool/mail
-#writable-var
-
read-only ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.signature
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/empathy.profile
^
|
@@ -24,3 +24,5 @@
private-cache
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/enchant.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -42,14 +41,13 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
private-bin enchant,enchant-*
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-lib
private-tmp
@@ -57,3 +55,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/engrampa.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -30,7 +29,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin engrampa
@@ -40,3 +38,5 @@
dbus-user filter
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/enox.profile
^
|
@@ -6,7 +6,8 @@
include globals.local
# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/enpass.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -51,7 +50,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-bin dirname,Enpass,importer_enpass,readlink,sh
@@ -61,3 +59,4 @@
private-tmp
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/eo-common.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-write-mnt.inc
@@ -43,11 +42,12 @@
protocol unix,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
private-cache
private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/eog.profile
^
|
@@ -18,7 +18,7 @@
private-bin eog
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
#dbus-user filter
#dbus-user.own org.gnome.eog
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ephemeral.profile
^
|
@@ -9,8 +9,8 @@
# enforce private-cache
#noblacklist ${HOME}/.cache/ephemeral
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
@@ -23,12 +23,12 @@
# enforce private-cache
#mkdir ${HOME}/.cache/ephemeral
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
# enforce private-cache
#whitelist ${HOME}/.cache/ephemeral
-whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-usr-share-common.inc
@@ -49,7 +49,6 @@
?BROWSER_DISABLE_U2F: nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -62,3 +61,5 @@
# breaks preferences
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/epiphany.profile
^
|
@@ -34,3 +34,5 @@
notv
protocol unix,inet,inet6
seccomp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/equalx.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -48,17 +47,17 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin equalx,gs,pdflatex,pdftocairo
private-cache
private-dev
-private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/etr.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,7 +42,6 @@
protocol unix,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -55,3 +53,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/evince.profile
^
|
@@ -6,20 +6,20 @@
# Persistent global definitions
include globals.local
-# WARNING: using bookmarks possibly exposes information, including file history from other programs.
-# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
-#noblacklist ${HOME}/.local/share/gvfs-metadata
+# WARNING: This exposes information like file history from other programs.
+# You can add a blacklist for it in your evince.local for additional hardening if you can live with some restrictions.
+noblacklist ${HOME}/.local/share/gvfs-metadata
noblacklist ${HOME}/.config/evince
noblacklist ${DOCUMENTS}
blacklist /usr/libexec
+include allow-bin-sh.inc
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -49,20 +49,20 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
-private-bin evince,evince-previewer,evince-thumbnailer
+private-bin evince,evince-previewer,evince-thumbnailer,sh
private-cache
private-dev
-private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
# private-lib might break two-page-view on some systems
-private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
private-tmp
-# dbus-user filtering might break two-page-view on some systems
dbus-user filter
-# Add the next two lines to your evince.local if you need bookmarks support.
-#dbus-user.talk org.gtk.vfs.Daemon
-#dbus-user.talk org.gtk.vfs.Metadata
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.Daemon
+dbus-user.talk org.gtk.vfs.Metadata
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/evolution.profile
^
|
@@ -20,7 +20,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-runuser-common.inc
@@ -40,8 +39,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
private-tmp
writable-var
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/exiftool.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/perl-image-exiftool
@@ -39,7 +38,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -49,10 +47,11 @@
#private-bin exiftool,perl
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/falkon.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -24,6 +23,7 @@
whitelist ${HOME}/.config/falkon
whitelist /usr/share/falkon
include whitelist-common.inc
+include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -47,9 +47,11 @@
# private-bin falkon
private-cache
private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
private-tmp
# dbus-user filter
# dbus-user.own org.kde.Falkon
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fbreader.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -33,8 +32,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin fbreader,FBReader
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fdns.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -43,8 +42,9 @@
private-bin bash,fdns,sh
private-cache
#private-dev
-private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
# private-lib
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/feedreader.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -58,3 +56,5 @@
#dbus-user.talk org.freedesktop.Notifications
#dbus-user.talk org.gnome.OnlineAccounts
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/feh-network.inc.profile
^
|
@@ -5,4 +5,4 @@
ignore net none
netfilter
protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/feh.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -32,13 +31,14 @@
novideo
protocol unix
seccomp
-shell none
private-bin feh,jpegexiforient,jpegtran
private-cache
private-dev
-private-etc alternatives,feh
+private-etc alternatives,feh,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ferdi.profile
^
|
@@ -9,8 +9,8 @@
noblacklist ${HOME}/.cache/Ferdi
noblacklist ${HOME}/.config/Ferdi
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
include disable-common.inc
include disable-devel.inc
@@ -20,13 +20,13 @@
mkdir ${HOME}/.cache/Ferdi
mkdir ${HOME}/.config/Ferdi
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/Ferdi
whitelist ${HOME}/.config/Ferdi
-whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
include whitelist-common.inc
caps.drop all
@@ -40,8 +40,9 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
disable-mnt
private-dev
private-tmp
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fetchmail.profile
^
|
@@ -12,7 +12,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -29,7 +28,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
#private-bin bash,chmod,fetchmail,procmail
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ffmpeg.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,7 +42,6 @@
# allow set_mempolicy, which is required to encode using libx265
seccomp !set_mempolicy
seccomp.block-secondary
-shell none
tracelog
private-bin ffmpeg
@@ -56,3 +54,4 @@
dbus-system none
# memory-deny-write-execute - it breaks old versions of ffmpeg
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ffplay.profile
^
|
@@ -14,7 +14,7 @@
ignore nosound
private-bin ffplay
-private-etc alsa,asound.conf,group
+private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload
# Redirect
include ffmpeg.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/file-manager-common.profile
^
|
@@ -26,7 +26,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
#include disable-programs.inc
allusers
@@ -44,10 +43,11 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-dev
#dbus-user none
#dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/file-roller.profile
^
|
@@ -10,10 +10,10 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/libexec/file-roller
+whitelist /usr/libexec/p7zip
whitelist /usr/share/file-roller
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
@@ -37,13 +37,14 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
private-cache
private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
# private-tmp
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/file.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
apparmor
@@ -31,7 +30,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -46,3 +44,4 @@
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/filezilla.profile
^
|
@@ -36,9 +36,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
# private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin
private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/firefox-common-addons.profile
^
|
@@ -2,7 +2,13 @@
# Persistent customizations should go in a .local file.
include firefox-common-addons.local
+# Prevent whitelisting in ${RUNUSER}
+ignore whitelist ${RUNUSER}/*firefox*
+ignore whitelist ${RUNUSER}/psd/*firefox*
+ignore whitelist ${RUNUSER}/kpxc_server
+ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
ignore include whitelist-runuser-common.inc
+
ignore private-cache
noblacklist ${HOME}/.cache/youtube-dl
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/firefox-common.profile
^
|
@@ -8,29 +8,35 @@
# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+# noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon.
+?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER}
# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
#include firefox-common-addons.profile
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
+include disable-proc.inc
include disable-programs.inc
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
include whitelist-common.inc
+include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc
apparmor
+# Fixme!
+apparmor-replace
caps.drop all
# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
#machine-id
@@ -46,7 +52,6 @@
protocol unix,inet,inet6,netlink
# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
seccomp !chroot
-shell none
# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
#tracelog
@@ -57,7 +62,13 @@
#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-tmp
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
# Gnome connector, KDE connect and power management on KDE Plasma.
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/firefox.profile
^
|
@@ -16,6 +16,8 @@
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
+noblacklist ${RUNUSER}/*firefox*
+noblacklist ${RUNUSER}/psd/*firefox*
blacklist /usr/libexec
@@ -35,6 +37,8 @@
whitelist /usr/share/gtk-doc/html
whitelist /usr/share/mozilla
whitelist /usr/share/webext
+whitelist ${RUNUSER}/*firefox*
+whitelist ${RUNUSER}/psd/*firefox*
include whitelist-usr-share-common.inc
# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
@@ -45,8 +49,7 @@
#private-etc firefox
dbus-user filter
-dbus-user.own org.mozilla.Firefox.*
-dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mozilla.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
# Add the next line to your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
@@ -56,10 +59,8 @@
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your firefox.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your firefox.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your firefox.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/flameshot.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -47,13 +46,12 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin flameshot
private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
private-dev
#private-tmp
@@ -64,6 +62,8 @@
dbus-user.talk org.freedesktop.portal.Desktop
dbus-user.talk org.gnome.Shell
dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/flashpeak-slimjet.profile
^
|
@@ -6,7 +6,8 @@
include globals.local
# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/flowblade.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -31,9 +30,9 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fluxbox.profile
^
|
@@ -14,5 +14,6 @@
netfilter
noroot
protocol unix,inet,inet6
-seccomp
+seccomp !chroot
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/font-manager.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -47,7 +46,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -56,3 +54,4 @@
private-tmp
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fontforge.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,9 +33,9 @@
novideo
protocol unix
seccomp
-shell none
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fractal.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -57,3 +55,5 @@
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.secrets
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/franz.profile
^
|
@@ -9,8 +9,8 @@
noblacklist ${HOME}/.cache/Franz
noblacklist ${HOME}/.config/Franz
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
include disable-common.inc
include disable-devel.inc
@@ -20,13 +20,13 @@
mkdir ${HOME}/.cache/Franz
mkdir ${HOME}/.config/Franz
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/Franz
whitelist ${HOME}/.config/Franz
-whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
include whitelist-common.inc
caps.drop all
@@ -40,8 +40,9 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
disable-mnt
private-dev
private-tmp
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freecad.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin freecad,freecadcmd,python*
private-cache
@@ -44,3 +42,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freeciv.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -46,3 +44,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freecol.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -47,7 +46,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -57,3 +55,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freemind.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -52,3 +50,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freetube.profile
^
|
@@ -6,15 +6,23 @@
# Persistent global definitions
include globals.local
+ignore dbus-user none
+
noblacklist ${HOME}/.config/FreeTube
+include allow-bin-sh.inc
+
include disable-shell.inc
mkdir ${HOME}/.config/FreeTube
whitelist ${HOME}/.config/FreeTube
-private-bin freetube
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.chromium.*
+dbus-user.own org.mpris.MediaPlayer2.freetube
# Redirect
include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freshclam.profile
^
|
@@ -22,7 +22,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -34,3 +33,4 @@
writable-var-log
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/frogatto.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,15 +38,16 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin frogatto,sh
private-cache
private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/frozen-bubble.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,7 +30,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -39,7 +37,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -49,3 +46,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ftp.profile
^
|
@@ -0,0 +1,54 @@
+# Firejail profile for ftp
+# Description: standard File Access Protocol utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ftp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/ftp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+#include disable-shell.inc
+include disable-write-mnt.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+tracelog
+
+#disable-mnt
+#private-bin PROGRAMS
+private-cache
+private-dev
+#private-etc FILES
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+noexec ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/funnyboat.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# include disable-shell.inc
include disable-xdg.inc
@@ -36,14 +35,12 @@
netfilter
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
novideo
protocol unix,inet,inet6
seccomp
-shell none
# tracelog
disable-mnt
@@ -55,3 +52,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gajim.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads.
include disable-xdg.inc
@@ -53,14 +52,13 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
private-tmp
writable-run-user
@@ -77,4 +75,5 @@
# Add the next line to your gajim.local to enable location plugin support.
#dbus-system.talk org.freedesktop.GeoClue2
+restrict-namespaces
join-or-start gajim
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/galculator.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,13 +37,12 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin galculator
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-lib
private-tmp
@@ -52,3 +50,4 @@
dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gallery-dl.profile
^
|
@@ -0,0 +1,18 @@
+# Firejail profile for gallery-dl
+# Description: Downloader of images from various sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gallery-dl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/gallery-dl
+noblacklist ${HOME}/.gallery-dl.conf
+
+private-bin gallery-dl
+private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload
+
+# Redirect
+include youtube-dl.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gapplication.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
x11 none
@@ -50,7 +48,7 @@
private-bin gapplication
private-cache
private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
# Add the next line to your gapplication.local to filter D-Bus names.
@@ -72,3 +70,4 @@
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gcloud.profile
^
|
@@ -31,13 +31,14 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gconf-editor.profile
^
|
@@ -13,5 +13,7 @@
ignore x11 none
+ignore memory-deny-write-execute
+
# Redirect
include gconf.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gconf.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -47,7 +46,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -55,8 +53,9 @@
private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
private-cache
private-dev
-private-etc alternatives,fonts,gconf
+private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload
private-lib GConf,libpython*,python2*
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gdu.profile
^
|
@@ -0,0 +1,47 @@
+# Firejail profile for gdu
+# Description: Fast disk usage analyzer with console interface
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+seccomp.block-secondary
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+
+# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
+# Depending on workflow and use case the sandbox can be hardened by adding the
+# lines below to your gdu.local if you don't need/want these functionalities.
+#include disable-shell.inc
+#private-bin gdu
+#read-only ${HOME}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geany.profile
^
|
@@ -12,7 +12,6 @@
include allow-common-devel.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -29,8 +28,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geary.profile
^
|
@@ -13,13 +13,16 @@
noblacklist ${HOME}/.config/geary
noblacklist ${HOME}/.local/share/evolution
noblacklist ${HOME}/.local/share/geary
+noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+
+include allow-bin-sh.inc
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,7 +42,9 @@
whitelist ${HOME}/.config/geary
whitelist ${HOME}/.local/share/evolution
whitelist ${HOME}/.local/share/geary
+whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
whitelist /usr/share/geary
include whitelist-common.inc
include whitelist-runuser-common.inc
@@ -48,7 +53,8 @@
apparmor
caps.drop all
-machine-id
+#ipc-namespace - may cause issues with X11
+#machine-id
netfilter
no3d
nodvd
@@ -56,32 +62,34 @@
noinput
nonewprivs
noroot
-nosound
+#nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
# disable-mnt
-# Add 'ignore private-bin' to geary.local for hyperlink support
-private-bin geary
+#private-bin geary,sh
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mailcap,mime.types,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
private-tmp
dbus-user filter
dbus-user.own org.gnome.Geary
dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.gnome.Contacts
dbus-user.talk org.gnome.OnlineAccounts
dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
dbus-user.talk org.gnome.evolution.dataserver.Sources5
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.mozilla.*
dbus-system none
read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gedit.profile
^
|
@@ -16,7 +16,6 @@
# include disable-devel.inc
include disable-exec.inc
# include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-runuser-common.inc
@@ -39,7 +38,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
# private-bin gedit
@@ -51,3 +49,5 @@
# makes settings immutable
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geekbench.profile
^
|
@@ -6,14 +6,19 @@
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -36,20 +41,18 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
private-cache
private-dev
-private-etc alternatives,group,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
+private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd
private-tmp
dbus-user none
dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
read-only ${HOME}
+read-write ${HOME}/.geekbench5
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geeqie.profile
^
|
@@ -10,10 +10,12 @@
noblacklist ${HOME}/.config/geeqie
noblacklist ${HOME}/.local/share/geeqie
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -26,9 +28,11 @@
notv
nou2f
novideo
-protocol unix
+# remove inet,inet6 to disable network access
+protocol unix,inet,inet6
seccomp
-shell none
# private-bin geeqie
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gfeeds.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -55,7 +54,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -69,3 +67,5 @@
dbus-user.own org.gabmus.gfeeds
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gget.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,14 +42,13 @@
protocol inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin gget
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
private-lib
private-tmp
@@ -58,3 +56,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ghostwriter.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -46,7 +45,6 @@
protocol unix,inet,inet6,netlink
seccomp !chroot
seccomp.block-secondary
-shell none
#tracelog -- breaks
private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
@@ -58,3 +56,5 @@
dbus-user filter
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gimp.profile
^
|
@@ -13,7 +13,6 @@
#ignore net
#protocol unix,inet,inet6
-
# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
# If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
ignore noexec ${HOME}
@@ -26,10 +25,13 @@
noblacklist ${DOCUMENTS}
noblacklist ${PICTURES}
+# See issue #4367, gimp 2.10.22-3: gegl:introspect broken
+noblacklist /sbin
+noblacklist /usr/sbin
+
include disable-common.inc
include disable-exec.inc
include disable-devel.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,6 +39,7 @@
whitelist /usr/share/gimp
whitelist /usr/share/mypaint-data
whitelist /usr/share/lensfun
+include whitelist-run-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -53,7 +56,6 @@
nou2f
protocol unix
seccomp !mbind
-shell none
tracelog
private-dev
@@ -61,3 +63,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gist.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -47,16 +46,16 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/git-cola.profile
^
|
@@ -28,7 +28,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -63,7 +62,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
# Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local.
@@ -71,7 +69,7 @@
private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
private-tmp
writable-run-user
@@ -86,3 +84,5 @@
# Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts.
read-only ${HOME}/.ssh
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/git.profile
^
|
@@ -12,12 +12,19 @@
noblacklist ${HOME}/.emacs
noblacklist ${HOME}/.emacs.d
noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credential-cache
noblacklist ${HOME}/.git-credentials
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.nanorc
noblacklist ${HOME}/.vim
noblacklist ${HOME}/.viminfo
+# Allow environment variables (rmenv'ed by disable-common.inc)
+ignore rmenv GH_TOKEN
+ignore rmenv GITHUB_TOKEN
+ignore rmenv GH_ENTERPRISE_TOKEN
+ignore rmenv GITHUB_ENTERPRISE_TOKEN
+
# Allow ssh (blacklisted by disable-common.inc)
include allow-ssh.inc
@@ -26,7 +33,6 @@
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/git
@@ -54,9 +60,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gitg.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
@@ -49,7 +48,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin git,gitg,ssh
@@ -63,3 +61,5 @@
# Add the next line to your gitg.local if you need keyring access.
#dbus-user.talk org.freedesktop.secrets
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/github-desktop.profile
^
|
@@ -14,6 +14,8 @@
# Disabled until someone reported positive feedback
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gitter.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/Gitter
@@ -34,12 +33,12 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl
private-opt Gitter
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gjs.profile
^
|
@@ -19,7 +19,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-runuser-common.inc
@@ -37,10 +36,11 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
private-dev
# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gl-117.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -30,7 +29,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -39,7 +37,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -51,3 +48,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/glaxium.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -30,7 +29,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -39,7 +37,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -51,3 +48,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/globaltime.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -29,10 +28,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gmpc.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,13 +38,12 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
#private-bin gmpc
private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
writable-run-user
@@ -53,3 +51,4 @@
# dbus-system none
# memory-deny-write-execute - breaks on Arch
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-books.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,10 +37,10 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin gjs,gnome-books
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-builder.profile
^
|
@@ -16,7 +16,6 @@
include allow-common-devel.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-runuser-common.inc
@@ -34,8 +33,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
read-write ${HOME}/.bash_history
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-calculator.profile
^
|
@@ -10,7 +10,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
@@ -40,7 +39,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -54,3 +52,5 @@
dbus-user.own org.gnome.Calculator
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-calendar.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -46,7 +44,7 @@
private-bin gnome-calendar
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
private-tmp
dbus-user filter
@@ -62,3 +60,4 @@
#dbus-system.talk org.freedesktop.GeoClue2
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-characters.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -58,3 +56,4 @@
# dbus-system none
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-chess.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -44,12 +43,13 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin fairymax,gnome-chess,gnuchess,hoichess
private-cache
private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-clocks.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,13 +35,13 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin gnome-clocks,gsound-play
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-contacts.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,3 +38,4 @@
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-documents.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,10 +35,10 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-font-viewer.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,3 +35,4 @@
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-hexgl.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -43,7 +41,7 @@
private-bin gnome-hexgl
private-cache
private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
private-tmp
dbus-user none
@@ -51,3 +49,4 @@
read-only ${HOME}
read-write ${HOME}/.cache/mesa_shader_cache
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-keyring.profile
^
|
@@ -12,7 +12,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
@@ -47,7 +46,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -61,3 +59,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-latex.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/gnome-latex
@@ -43,12 +42,13 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-cache
private-dev
# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-logs.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -34,14 +33,13 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin gnome-logs
private-cache
private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
private-tmp
writable-var-log
@@ -53,3 +51,4 @@
# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-maps.profile
^
|
@@ -24,7 +24,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -58,7 +57,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -75,3 +73,5 @@
dbus-system filter
#dbus-system.talk org.freedesktop.NetworkManager
dbus-system.talk org.freedesktop.GeoClue2
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-mplayer.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -26,10 +25,10 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
# private-bin gnome-mplayer,mplayer
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-music.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,12 +36,12 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin calls a file manager - whatever is installed!
#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-nettool.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -47,3 +46,5 @@
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-passwordsafe.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -47,17 +46,18 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin gnome-passwordsafe,python3*
private-cache
private-dev
-private-etc dconf,fonts,gtk-3.0,passwd
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
private-tmp
dbus-user filter
dbus-user.own org.gnome.PasswordSafe
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-photos.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-runuser-common.inc
@@ -35,10 +34,10 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
# private-bin gjs,gnome-photos
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-pie.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
#include disable-interpreters.inc
-include disable-passwdmgr.inc
#include disable-programs.inc
caps.drop all
@@ -30,13 +29,13 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-cache
private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-pomodoro.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,14 +37,13 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin gnome-pomodoro
private-cache
private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
private-tmp
dbus-user filter
@@ -58,3 +56,4 @@
read-only ${HOME}
read-write ${HOME}/.local/share/gnome-pomodoro
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-recipes.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -43,12 +42,12 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin gnome-recipes,tar
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl
private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-ring.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -26,9 +25,9 @@
notv
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
# private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-schedule.profile
^
|
@@ -29,7 +29,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -56,11 +55,9 @@
notv
nou2f
novideo
-shell none
tracelog
disable-mnt
private-cache
private-dev
writable-var
-
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-screenshot.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,16 +36,17 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin gnome-screenshot
private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id
private-tmp
dbus-user filter
dbus-user.own org.gnome.Screenshot
dbus-user.talk org.gnome.Shell.Screenshot
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-sound-recorder.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,11 +34,12 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-cache
private-dev
-private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-system-log.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,13 +37,12 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin gnome-system-log
private-cache
private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
private-lib
private-tmp
writable-var-log
@@ -55,3 +53,4 @@
memory-deny-write-execute
# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-todo.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -47,7 +45,7 @@
private-bin gnome-todo
private-cache
private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg
private-tmp
dbus-user filter
@@ -63,3 +61,4 @@
#dbus-system.talk org.freedesktop.login1
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-twitch.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/gnome-twitch
@@ -33,9 +32,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-weather.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -48,3 +46,4 @@
# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome_games-common.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,15 +35,16 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-cache
private-dev
-private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11
private-tmp
dbus-user filter
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnote.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -22,6 +21,7 @@
mkdir ${HOME}/.local/share/gnote
whitelist ${HOME}/.config/gnote
whitelist ${HOME}/.local/share/gnote
+whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/gnote
include whitelist-common.inc
include whitelist-runuser-common.inc
@@ -44,17 +44,18 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin gnote
private-cache
private-dev
-private-etc dconf,fonts,gtk-3.0,pango,X11
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11
private-tmp
dbus-user filter
dbus-user.own org.gnome.Gnote
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnubik.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -44,8 +42,10 @@
private-bin gnubik
private-cache
private-dev
-private-etc drirc,fonts,gtk-2.0
+private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/godot.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -32,15 +31,16 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
# private-bin godot
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/godot3.profile
^
|
@@ -0,0 +1,11 @@
+# Firejail profile for godot
+# Description: multi-platform 2D and 3D game engine with a feature-rich editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include godot3.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include godot.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/goldendict.profile
^
|
@@ -0,0 +1,59 @@
+# Firejail profile for goldendict
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goldendict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.goldendict
+noblacklist ${HOME}/.cache/GoldenDict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.goldendict
+mkdir ${HOME}/.cache/GoldenDict
+whitelist ${HOME}/.goldendict
+whitelist ${HOME}/.cache/GoldenDict
+whitelist /usr/share/goldendict
+# The default path of dictionaries
+whitelist /usr/share/stardict/dic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d leads to the libGL MESA-LOADER errors
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin goldendict
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/goobox.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -27,10 +26,11 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
# private-bin goobox
private-dev
# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
# private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-chrome-beta.profile
^
|
@@ -5,11 +5,6 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
noblacklist ${HOME}/.cache/google-chrome-beta
noblacklist ${HOME}/.config/google-chrome-beta
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-chrome-unstable.profile
^
|
@@ -5,11 +5,6 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
noblacklist ${HOME}/.cache/google-chrome-unstable
noblacklist ${HOME}/.config/google-chrome-unstable
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-chrome.profile
^
|
@@ -5,11 +5,6 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
noblacklist ${HOME}/.cache/google-chrome
noblacklist ${HOME}/.config/google-chrome
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-earth.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/Google
@@ -34,10 +33,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin bash,dirname,google-earth,grep,ls,sed,sh
private-dev
private-opt google
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-play-music-desktop-player.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/Google Play Music Desktop Player
@@ -36,8 +35,9 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/googler-common.profile
^
|
@@ -21,7 +21,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -48,15 +47,16 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin env,python3*,sh,w3m
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpa.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -27,8 +26,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
# private-bin gpa,gpg
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpg-agent.profile
^
|
@@ -15,7 +15,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -45,9 +44,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
-# private-bin gpg-agent,gpg
+# private-bin gpg-agent
private-cache
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpg.profile
^
|
@@ -15,7 +15,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist ${RUNUSER}/gnupg
@@ -41,10 +40,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
-# private-bin gpg,gpg-agent
+# private-bin gpg
private-cache
private-dev
@@ -53,3 +51,4 @@
# installing/upgrading archlinux-keyring extremely slow.
read-write /etc/pacman.d/gnupg
read-write /usr/share/pacman/keyrings
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpicview.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -36,13 +35,12 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin gpicview
private-cache
private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
private-lib
private-tmp
@@ -50,3 +48,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpredict.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -32,11 +31,11 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin gpredict
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gradio.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,14 +38,13 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin gradio
private-cache
private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
private-tmp
dbus-user filter
@@ -54,3 +52,5 @@
dbus-user.own org.mpris.MediaPlayer2.gradio
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gramps.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-cache
@@ -50,3 +48,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -41,8 +39,10 @@
private-bin gravity-beams-and-evaporating-stars
private-cache
private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gthumb.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -29,10 +28,11 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin gthumb
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gtk-lbry-viewer.profile
^
|
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-lbry-viewer
+# Description: Gtk front-end to lbry-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-lbry-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+# Redirect
+include lbry-viewer.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gtk-update-icon-cache.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -47,7 +45,7 @@
private-bin gtk-update-icon-cache
private-cache
private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-lib
private-tmp
@@ -55,3 +53,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/guayadeque.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -28,9 +27,9 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-bin guayadeque
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gucharmap.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -53,3 +51,4 @@
# dbus-system none
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/guvcview.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
protocol unix,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -54,3 +52,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gwenview.profile
^
|
@@ -22,10 +22,10 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
apparmor
@@ -42,14 +42,14 @@
novideo
protocol unix
seccomp
-shell none
# tracelog
private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
# dbus-user none
# dbus-system none
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/handbrake.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,10 +30,11 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hashcat.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
novideo
protocol unix
seccomp
-shell none
x11 none
disable-mnt
@@ -45,3 +43,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hasher-common.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc.
#include disable-programs.inc
include disable-shell.inc
@@ -43,7 +42,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
x11 none
@@ -58,3 +56,4 @@
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hedgewars.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.hedgewars
@@ -36,3 +35,5 @@
disable-mnt
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hexchat.profile
^
|
@@ -22,7 +22,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -46,7 +45,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -57,3 +55,4 @@
private-tmp
# memory-deny-write-execute - breaks python
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/highlight.profile
^
|
@@ -8,10 +8,12 @@
blacklist ${RUNUSER}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -29,7 +31,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -40,3 +41,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/homebank.profile
^
|
@@ -13,7 +13,6 @@
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
-include disable-passwdmgr.inc
include disable-shell.inc
include disable-xdg.inc
@@ -44,7 +43,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -58,3 +56,4 @@
dbus-system none
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/host.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -51,3 +49,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hugin.profile
^
|
@@ -10,11 +10,16 @@
noblacklist ${DOCUMENTS}
noblacklist ${PICTURES}
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -32,12 +37,13 @@
novideo
protocol unix
seccomp
-shell none
-private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize
+private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
private-cache
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hyperrogue.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,16 +36,17 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin hyperrogue
private-cache
-private-cwd ${HOME}
+private-cwd
private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/i2prouter.profile
^
|
@@ -28,7 +28,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -64,10 +63,11 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/i3.profile
^
|
@@ -14,5 +14,6 @@
netfilter
noroot
protocol unix,inet,inet6
-seccomp
+seccomp !chroot
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/iagno.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -29,7 +28,6 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private
@@ -39,3 +37,5 @@
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/idea.sh.profile
^
|
@@ -19,7 +19,6 @@
include allow-ssh.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -34,10 +33,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
# private-tmp
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/imagej.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -32,7 +31,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop
private-dev
@@ -40,3 +38,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/img2txt.profile
^
|
@@ -1,5 +1,6 @@
# Firejail profile for img2txt
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include img2txt.local
# Persistent global definitions
@@ -14,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,7 +38,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -51,3 +50,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/impressive.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -44,7 +43,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
@@ -56,3 +54,4 @@
read-only ${HOME}
read-write ${HOME}/.cache/mesa_shader_cache
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/imv.profile
^
|
@@ -0,0 +1,57 @@
+# Firejail profile for imv
+# Description: imv is an image viewer.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imv.local
+# Persistent global definitions
+include globals.local
+
+include allow-bin-sh.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Users may want to view images in ${HOME}
+#include disable-xdg.inc
+
+# Users may want to view images in ${HOME}
+#include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+# Users may want to view images in /usr/share
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+private-bin imv,imv-wayland,imv-x11,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/inkscape.profile
^
|
@@ -1,6 +1,7 @@
# Firejail profile for inkscape
# Description: Vector-based drawing program
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include inkscape.local
# Persistent global definitions
@@ -24,11 +25,11 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
whitelist /usr/share/inkscape
+include whitelist-run-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -48,7 +49,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin inkscape,potrace,python* - problems on Debian stretch
@@ -60,3 +60,4 @@
dbus-system none
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/inox.profile
^
|
@@ -6,7 +6,8 @@
include globals.local
# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/io.github.lainsce.Notejot.profile
^
|
@@ -0,0 +1,61 @@
+# Firejail profile for notejot
+# Description: Jot your ideas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include io.github.lainsce.Notejot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/io.github.lainsce.Notejot
+noblacklist ${HOME}/.local/share/io.github.lainsce.Notejot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/io.github.lainsce.Notejot
+mkdir ${HOME}/.local/share/io.github.lainsce.Notejot
+whitelist ${HOME}/.cache/io.github.lainsce.Notejot
+whitelist ${HOME}/.local/share/io.github.lainsce.Notejot
+whitelist /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin io.github.lainsce.Notejot
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own io.github.lainsce.Notejot
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ipcalc.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# include disable-shell.inc
include disable-write-mnt.inc
@@ -42,7 +41,6 @@
novideo
# protocol unix
seccomp
-shell none
# tracelog
disable-mnt
@@ -51,7 +49,7 @@
# private-cache
private-dev
# empty etc directory
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-lib
private-opt none
private-tmp
@@ -61,3 +59,4 @@
# memory-deny-write-execute
# read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/iridium.profile
^
|
@@ -5,11 +5,6 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
noblacklist ${HOME}/.cache/iridium
noblacklist ${HOME}/.config/iridium
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/itch.profile
^
|
@@ -14,7 +14,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.itch
@@ -35,9 +34,9 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-dev
private-tmp
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jami-gnome.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
#include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/jami
@@ -34,10 +33,10 @@
notv
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
private-dev
private-tmp
env QT_QPA_PLATFORM=xcb
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jd-gui.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin bash,jd-gui,sh
private-cache
@@ -43,3 +41,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jerry.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -30,15 +29,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin bash,jerry,sh,stockfish
private-dev
-private-etc fonts,gtk-2.0,gtk-3.0
+private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jitsi.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -24,9 +23,10 @@
notv
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-cache
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jumpnbump.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -28,7 +27,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -36,15 +34,16 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin jumpnbump
private-cache
private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/k3b.profile
^
|
@@ -15,7 +15,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,8 @@
novideo
# protocol unix - breaks privileged helpers
# seccomp - breaks privileged helpers
-shell none
private-dev
# private-tmp
+
+# restrict-namespaces - breaks privileged helpers
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kaffeine.profile
^
|
@@ -19,10 +19,10 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
caps.drop all
@@ -35,9 +35,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
# private-bin kaffeine
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kalgebra.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,15 +35,16 @@
novideo
protocol unix,netlink
seccomp !chroot
-shell none
# tracelog
disable-mnt
private-bin kalgebra,kalgebramobile
private-cache
private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kate.profile
^
|
@@ -14,6 +14,7 @@
noblacklist ${HOME}/.config/kateschemarc
noblacklist ${HOME}/.config/katesyntaxhighlightingrc
noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.config/kwinrc
noblacklist ${HOME}/.local/share/kate
noblacklist ${HOME}/.local/share/kxmlgui5/kate
noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
@@ -23,13 +24,16 @@
noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
include disable-common.inc
# include disable-devel.inc
include disable-exec.inc
# include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
# apparmor
@@ -47,8 +51,6 @@
novideo
protocol unix
seccomp
-shell none
-tracelog
# private-bin kate,kbuildsycoca4,kdeinit4
private-dev
@@ -58,4 +60,5 @@
# dbus-user none
# dbus-system none
+restrict-namespaces
join-or-start kate
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kazam.profile
^
|
@@ -21,7 +21,6 @@
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
-include disable-passwdmgr.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,14 +42,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
# private-bin kazam,python*
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg
private-tmp
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kcalc.profile
^
|
@@ -12,15 +12,18 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+# Legacy paths
+#mkdir ${HOME}/.kde/share/config
+#mkdir ${HOME}/.kde4/share/config
+#mkfile ${HOME}/.kde/share/config/kcalcrc
+#mkfile ${HOME}/.kde4/share/config/kcalcrc
+
mkdir ${HOME}/.local/share/kxmlgui5/kcalc
mkfile ${HOME}/.config/kcalcrc
-mkfile ${HOME}/.kde/share/config/kcalcrc
-mkfile ${HOME}/.kde4/share/config/kcalcrc
whitelist ${HOME}/.config/kcalcrc
whitelist ${HOME}/.kde/share/config/kcalcrc
whitelist ${HOME}/.kde4/share/config/kcalcrc
@@ -29,6 +32,7 @@
whitelist /usr/share/kcalc
whitelist /usr/share/kconf_update/kcalcrc.upd
include whitelist-common.inc
+include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -49,14 +53,13 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin kcalc
private-cache
private-dev
-private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
# private-lib - problems on Arch
private-tmp
@@ -64,3 +67,4 @@
dbus-system none
#memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kdeinit4.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -30,9 +29,9 @@
notv
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kdenlive.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
apparmor
@@ -32,7 +31,6 @@
nou2f
protocol unix,netlink
seccomp
-shell none
private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
private-dev
@@ -40,3 +38,5 @@
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kdiff3.profile
^
|
@@ -18,12 +18,13 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc.
#include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+# Add the next line to your kdiff3.local if you don't need to compare files in /run.
+#include whitelist-run-common.inc
include whitelist-runuser-common.inc
# Add the next line to your kdiff3.local if you don't need to compare files in /usr/share.
#include whitelist-usr-share-common.inc
@@ -45,13 +46,14 @@
novideo
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
-private-bin kdiff3
+private-bin kdiff3
private-cache
private-dev
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepass.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,13 +32,15 @@
noroot
nosound
notv
-nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-cache
+# Note: private-dev prevents the program from seeing new devices (such as
+# hardware keys) on /dev after it has already started; add "ignore private-dev"
+# to keepassxc.local if this is an issue (see #4883).
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepassx.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,15 +36,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin keepassx,keepassx2
private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepassxc-cli.profile
^
|
@@ -1,6 +1,7 @@
# Firejail profile for keepassxc-cli
# Description: command line interface for KeePassXC
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include keepassxc-cli.local
# Persistent global definitions
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepassxc.profile
^
|
@@ -28,7 +28,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,16 +37,22 @@
#mkdir ${HOME}/Documents/KeePassXC
#whitelist ${HOME}/Documents/KeePassXC
# Needed for KeePassXC-Browser.
+#mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts
#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/chromium/NativeMessagingHosts
#mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/google-chrome/NativeMessagingHosts
#mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/vivaldi/NativeMessagingHosts
#mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts
#mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.mozilla/native-messaging-hosts
#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#mkdir ${HOME}/.cache/keepassxc
@@ -58,6 +63,7 @@
#include whitelist-common.inc
whitelist /usr/share/keepassxc
+include whitelist-run-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -72,34 +78,35 @@
noroot
nosound
notv
-nou2f
novideo
-protocol unix,netlink
+protocol unix
seccomp !name_to_handle_at
seccomp.block-secondary
-shell none
tracelog
private-bin keepassxc,keepassxc-cli,keepassxc-proxy
+# Note: private-dev prevents the program from seeing new devices (such as
+# hardware keys) on /dev after it has already started; add "ignore private-dev"
+# to keepassxc.local if this is an issue (see #4883).
private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user filter
-#dbus-user.own org.keepassxc.KeePassXC
-dbus-user.talk com.canonical.Unity.Session
+dbus-user.own org.keepassxc.KeePassXC.*
+dbus-user.talk com.canonical.Unity
dbus-user.talk org.freedesktop.ScreenSaver
-dbus-user.talk org.freedesktop.login1.Manager
-dbus-user.talk org.freedesktop.login1.Session
dbus-user.talk org.gnome.ScreenSaver
dbus-user.talk org.gnome.SessionManager
-dbus-user.talk org.gnome.SessionManager.Presence
+dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
# Add the next line to your keepassxc.local to allow notifications.
#dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
-dbus-system none
+dbus-system filter
+dbus-system.talk org.freedesktop.login1
+
+restrict-namespaces
# Mutex is stored in /tmp by default, which is broken by private-tmp.
join-or-start keepassxc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kfind.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# include disable-programs.inc
apparmor
@@ -38,7 +37,6 @@
novideo
protocol unix
seccomp
-shell none
# private-bin kbuildsycoca4,kdeinit4,kfind
private-dev
@@ -46,3 +44,5 @@
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kget.profile
^
|
@@ -18,9 +18,9 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
caps.drop all
@@ -41,3 +41,4 @@
private-tmp
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kid3.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,12 +32,11 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
private-tmp
private-opt none
private-srv none
@@ -47,3 +45,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kino.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -30,9 +29,9 @@
novideo
protocol unix
seccomp
-shell none
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kiwix-desktop.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,13 +39,14 @@
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
disable-mnt
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/klatexformula.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
apparmor
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
@@ -44,3 +42,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/klavaro.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,17 +38,18 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,klavaro,sh,tclsh,tclsh*
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
private-opt none
private-srv none
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kmail.profile
^
|
@@ -29,15 +29,16 @@
noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
noblacklist ${HOME}/.local/share/local-mail
noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
noblacklist /tmp/akonadi-*
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
# apparmor
@@ -61,3 +62,5 @@
# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
# writable-run-user is needed for signing and encrypting emails
writable-run-user
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kmplayer.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,10 +32,10 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
# private-bin kmplayer,mplayer
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kodi.profile
^
|
@@ -12,6 +12,12 @@
#ignore nogroups
#ignore noroot
#ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
noblacklist ${HOME}/.kodi
noblacklist ${MUSIC}
@@ -26,7 +32,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,13 +43,13 @@
nogroups
noinput
nonewprivs
-# Seems to cause issues with Nvidia drivers sometimes (#3501)
noroot
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/konversation.profile
^
|
@@ -16,11 +16,11 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
caps.drop all
@@ -35,7 +35,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-bin kbuildsycoca4,konversation
@@ -44,3 +43,4 @@
private-tmp
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kopete.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /var/lib/winpopup
@@ -38,3 +37,4 @@
private-tmp
writable-var
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/krita.profile
^
|
@@ -22,7 +22,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
novideo
protocol unix
seccomp
-shell none
private-cache
private-dev
@@ -50,3 +48,5 @@
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/krunner.profile
^
|
@@ -22,7 +22,6 @@
include disable-common.inc
# include disable-devel.inc
# include disable-interpreters.inc
-# include disable-passwdmgr.inc
# include disable-programs.inc
include whitelist-var-common.inc
@@ -36,3 +35,5 @@
seccomp
# private-cache
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ktorrent.profile
^
|
@@ -18,17 +18,20 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
-mkdir ${HOME}/.kde/share/apps/ktorrent
-mkdir ${HOME}/.kde4/share/apps/ktorrent
+# Legacy paths
+#mkdir ${HOME}/.kde/share/apps/ktorrent
+#mkdir ${HOME}/.kde/share/config
+#mkdir ${HOME}/.kde4/share/apps/ktorrent
+#mkdir ${HOME}/.kde4/share/config
+#mkfile ${HOME}/.kde/share/config/ktorrentrc
+#mkfile ${HOME}/.kde4/share/config/ktorrentrc
+
mkdir ${HOME}/.local/share/ktorrent
mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
mkfile ${HOME}/.config/ktorrentrc
-mkfile ${HOME}/.kde/share/config/ktorrentrc
-mkfile ${HOME}/.kde4/share/config/ktorrentrc
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ktorrentrc
whitelist ${HOME}/.kde/share/apps/ktorrent
@@ -38,6 +41,7 @@
whitelist ${HOME}/.local/share/ktorrent
whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
include whitelist-common.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
caps.drop all
@@ -55,11 +59,12 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
-private-bin kbuildsycoca4,kdeinit4,ktorrent
+private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest
private-dev
# private-lib - problems on Arch
private-tmp
+deterministic-shutdown
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ktouch.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,15 +39,16 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin ktouch
private-cache
private-dev
-private-etc alternatives,fonts,kde5rc,machine-id
+private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kube.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -60,7 +59,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
# disable-mnt
@@ -69,7 +67,7 @@
private-bin kube,sink_synchronizer
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
private-tmp
writable-run-user
@@ -80,3 +78,4 @@
dbus-system none
read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kwin_x11.profile
^
|
@@ -17,11 +17,11 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
caps.drop all
@@ -37,11 +37,12 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin kwin_x11
private-dev
-private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kwrite.profile
^
|
@@ -20,11 +20,11 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
apparmor
@@ -42,15 +42,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin kbuildsycoca4,kdeinit4,kwrite
private-dev
-private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg
private-tmp
# dbus-user none
# dbus-system none
+restrict-namespaces
join-or-start kwrite
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/latex-common.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /var/lib
@@ -31,7 +30,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
@@ -40,3 +38,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lbry-viewer.profile
^
|
@@ -0,0 +1,21 @@
+# Firejail profile for lbry-viewer
+# Description:CLI for searching and playing videos from LBRY, with the Librarian frontend
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lbry-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/lbry-viewer
+noblacklist ${HOME}/.config/lbry-viewer
+
+mkdir ${HOME}/.config/lbry-viewer
+mkdir ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.config/lbry-viewer
+
+private-bin gtk-lbry-viewer,lbry-viewer
+
+# Redirect
+include youtube-viewers-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/leafpad.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -33,10 +32,10 @@
novideo
protocol unix
seccomp
-shell none
private-bin leafpad
private-dev
private-lib
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/less.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
apparmor
caps.drop all
@@ -32,7 +31,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -50,3 +48,4 @@
memory-deny-write-execute
read-only ${HOME}
read-write ${HOME}/.lesshst
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/librecad.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,13 +34,12 @@
protocol unix,inet,inet6
netfilter
seccomp
-shell none
#tracelog
#disable-mnt
private-bin librecad
private-dev
-# private-etc cups,drirc,fonts,passwd,xdg
+#private-etc alternatives,cups,drirc,fonts,passwd,xdg
#private-lib
private-tmp
@@ -49,3 +47,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/libreoffice.profile
^
|
@@ -19,9 +19,9 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
+include whitelist-run-common.inc
include whitelist-var-common.inc
# Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode.
@@ -45,7 +45,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
@@ -55,4 +54,5 @@
dbus-system none
+restrict-namespaces
join-or-start libreoffice
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/librewolf.profile
^
|
@@ -25,6 +25,7 @@
whitelist /usr/share/doc
whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/librewolf
whitelist /usr/share/mozilla
whitelist /usr/share/webext
include whitelist-usr-share-common.inc
@@ -36,6 +37,8 @@
#private-etc librewolf
dbus-user filter
+dbus-user.own io.gitlab.librewolf.*
+dbus-user.own org.mozilla.librewolf.*
# Add the next line to your librewolf.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your librewolf.local to allow inhibiting screensavers.
@@ -44,13 +47,12 @@
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your librewolf.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
+ignore apparmor
ignore dbus-user none
# Redirect
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lifeograph.profile
^
|
@@ -0,0 +1,58 @@
+# Firejail profile for lifeograph
+# Description: Lifeograph is a diary program to take personal notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lifeograph.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist /usr/share/lifeograph
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin lifeograph
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/liferea.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/liferea
@@ -46,7 +45,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -61,3 +59,5 @@
# Add the next line to your liferea.local if you use the 'Libsecret Support' plugin.
#dbus-user.talk org.freedesktop.secrets
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lincity-ng.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/links-common.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
# used as associated programs can be added in your links-common.local.
include disable-programs.inc
@@ -44,15 +43,14 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
-# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
+# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
private-bin sh
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
# Add the next line to your links-common.local to allow external media players.
# private-etc alsa,asound.conf,machine-id,openal,pulse
private-tmp
@@ -61,3 +59,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/linphone.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# linphone 4.0 (released 2017-06-26) moved config and database files to respect
@@ -43,9 +42,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/linuxqq.profile
^
|
@@ -0,0 +1,43 @@
+# Firejail profile for linuxqq
+# Description: IM client based on Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include linuxqq.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QQ
+noblacklist ${HOME}/.mozilla
+
+include allow-bin-sh.inc
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/QQ
+whitelist ${HOME}/.config/QQ
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${DESKTOP}
+
+ignore apparmor
+noprinters
+
+# If you don't need/want to save anything to disk you can add `private` to your linuxqq.local.
+#private
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-opt QQ
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.portal.Desktop
+dbus-user.talk org.freedesktop.portal.Fcitx
+dbus-user.talk org.freedesktop.portal.IBus
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.mozilla.*
+ignore dbus-user none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+# Redirect
+include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lmms.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -32,10 +31,11 @@
novideo
protocol unix
seccomp
-shell none
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lollypop.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,9 +34,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lugaru.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -51,3 +49,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/luminance-hdr.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -30,7 +29,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
@@ -38,3 +36,4 @@
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lutris.profile
^
|
@@ -9,6 +9,7 @@
noblacklist ${PATH}/llvm*
noblacklist ${HOME}/Games
noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/wine
noblacklist ${HOME}/.cache/winetricks
noblacklist ${HOME}/.config/lutris
noblacklist ${HOME}/.local/share/lutris
@@ -29,12 +30,12 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/Games
mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/wine
mkdir ${HOME}/.cache/winetricks
mkdir ${HOME}/.config/lutris
mkdir ${HOME}/.local/share/lutris
@@ -42,6 +43,7 @@
whitelist ${DOWNLOADS}
whitelist ${HOME}/Games
whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/wine
whitelist ${HOME}/.cache/winetricks
whitelist ${HOME}/.config/lutris
whitelist ${HOME}/.local/share/lutris
@@ -67,8 +69,8 @@
nou2f
novideo
protocol unix,inet,inet6,netlink
-seccomp
-shell none
+seccomp !modify_ldt
+seccomp.32 !modify_ldt
# Add the next line to your lutris.local if you do not need controller support.
#private-dev
@@ -78,3 +80,5 @@
dbus-user.own net.lutris.Lutris
dbus-user.talk com.feralinteractive.GameMode
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lximage-qt.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -31,9 +30,9 @@
novideo
protocol unix
seccomp
-shell none
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lxmusic.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,8 +33,8 @@
novideo
protocol unix
seccomp
-shell none
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lynx.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
# private-bin lynx
@@ -41,3 +39,5 @@
private-dev
# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lyx.profile
^
|
@@ -32,7 +32,7 @@
machine-id
# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
# Redirect
include latex-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Maelstrom.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
novideo
#protocol unix
#seccomp
-shell none
tracelog
disable-mnt
@@ -45,3 +43,5 @@
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Mathematica.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.Mathematica
@@ -28,3 +27,5 @@
noroot
notv
seccomp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/PCSX2.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -42,7 +41,6 @@
novideo
protocol unix,netlink
#seccomp - breaks loading with no logs
-shell none
#tracelog - 32/64 bit incompatibility
private-bin PCSX2
@@ -55,3 +53,5 @@
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/QMediathekView.profile
^
|
@@ -23,15 +23,34 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+mkdir ${HOME}/.config/QMediathekView
+mkdir ${HOME}/.local/share/QMediathekView
+whitelist ${HOME}/.config/QMediathekView
+whitelist ${HOME}/.local/share/QMediathekView
+
+whitelist ${DOWNLOADS}
+whitelist ${VIDEOS}
+
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/smplayer
+whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.config/xplayer
+whitelist ${HOME}/.local/share/totem
+whitelist ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.mplayer
whitelist /usr/share/qtchooser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
+apparmor
caps.drop all
netfilter
# no3d
@@ -39,22 +58,24 @@
nogroups
noinput
nonewprivs
+noprinters
noroot
notv
nou2f
novideo
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
private-cache
private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,login.defs,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/QOwnNotes.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,12 +44,12 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin gio,QOwnNotes
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Viber.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.ViberPC
@@ -30,9 +29,10 @@
notv
protocol unix,inet,inet6
seccomp !chroot
-shell none
disable-mnt
private-bin awk,bash,dig,sh,Viber
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
private-tmp
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/XMind.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.xmind
@@ -30,10 +29,10 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin cp,sh,XMind
private-tmp
private-dev
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Xephyr.profile
^
|
@@ -31,7 +31,6 @@
nou2f
protocol unix
seccomp
-shell none
disable-mnt
# using a private home directory
@@ -41,3 +40,5 @@
private-dev
# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
#private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Xvfb.profile
^
|
@@ -35,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
# using a private home directory
@@ -43,5 +42,7 @@
# private-bin sh,xkbcomp,Xvfb
# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
private-dev
-private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ZeGrapher.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -36,7 +35,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/macrofusion.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python*
private-cache
@@ -44,3 +42,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/magicor.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,15 +38,16 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin magicor,python2*
private-cache
private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/make.profile
^
|
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/makedeb.profile
^
|
@@ -0,0 +1,13 @@
+# Firejail profile for makedeb
+# Description: A utility to automate the building of Debian packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include makedeb.local
+# Persistent global definitions
+#include globals.local
+
+ignore noblacklist /var/lib/pacman
+
+# Redirect
+include makepkg.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/makepkg.profile
^
|
@@ -1,4 +1,5 @@
# Firejail profile for makepkg
+# Description: A utility to automate the building of Arch Linux packages
# This file is overwritten after every install/update
quiet
# Persistent local customizations
@@ -32,7 +33,6 @@
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -51,7 +51,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -59,3 +58,4 @@
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/man.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -26,7 +25,6 @@
whitelist /usr/share/groff
whitelist /usr/share/info
whitelist /usr/share/lintian
-whitelist /usr/share/locale
whitelist /usr/share/man
whitelist /var/cache/man
#include whitelist-common.inc
@@ -51,7 +49,6 @@
nou2f
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -59,7 +56,7 @@
#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
private-cache
private-dev
-private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
#private-tmp
dbus-user none
@@ -67,4 +64,5 @@
memory-deny-write-execute
read-only ${HOME}
-read-only /tmp
+#read-only /tmp # breaks mandoc (see #4927)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/manaplus.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -50,3 +48,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/marker.profile
^
|
@@ -20,7 +20,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -49,7 +48,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin marker,python3*
@@ -62,3 +60,5 @@
dbus-user.own com.github.fabiocolacio.marker
dbus-user.talk ca.desrt.dconf
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/masterpdfeditor.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -32,11 +31,11 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mate-calc.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/mate-calc
@@ -39,11 +38,10 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin mate-calc,mate-calculator
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
private-dev
private-opt none
private-tmp
@@ -52,3 +50,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mate-color-select.profile
^
|
@@ -9,7 +9,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -30,13 +29,13 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin mate-color-select
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-dev
private-lib
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mate-dictionary.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -34,13 +33,13 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin mate-dictionary
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
private-opt mate-dictionary
private-dev
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mcabber.profile
^
|
@@ -12,7 +12,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -28,8 +27,9 @@
novideo
protocol inet,inet6
seccomp
-shell none
private-bin mcabber
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mcomix.profile
^
|
@@ -22,7 +22,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -51,7 +50,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
# mcomix <= 1.2 uses python2
@@ -72,3 +70,4 @@
read-write ${HOME}/.local/share
# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
read-write ${HOME}/.thumbnails
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mdr.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -46,7 +44,7 @@
private-bin mdr
private-cache
private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-lib
private-tmp
@@ -54,3 +52,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mediainfo.profile
^
|
@@ -1,6 +1,7 @@
# Firejail profile for mediainfo
# Description: Command-line utility for reading information from audio/video files
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include mediainfo.local
# Persistent global definitions
@@ -12,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -36,17 +36,17 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
private-bin mediainfo
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mediathekview.profile
^
|
@@ -17,6 +17,8 @@
noblacklist ${HOME}/.mplayer
noblacklist ${VIDEOS}
+ignore noexec /tmp
+
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc
@@ -24,10 +26,11 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
+mkdir ${HOME}/.mediathek3
+whitelist ${HOME}/.mediathek3
include whitelist-var-common.inc
caps.drop all
@@ -48,3 +51,4 @@
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/megaglest.profile
^
|
@@ -8,11 +8,12 @@
noblacklist ${HOME}/.megaglest
+include allow-lua.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -20,7 +21,8 @@
mkdir ${HOME}/.megaglest
whitelist ${HOME}/.megaglest
whitelist /usr/share/megaglest
-whitelist /usr/share/games/megaglest # Debian version
+# Debian version
+whitelist /usr/share/games/megaglest
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
@@ -41,7 +43,6 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -52,3 +53,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/meld.profile
^
|
@@ -36,7 +36,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# Add the next line to your meld.local if you don't need to compare files in disable-programs.inc.
#include disable-programs.inc
include disable-shell.inc
@@ -68,7 +67,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin bzr,cvs,git,hg,meld,python*,svn
@@ -80,3 +78,4 @@
private-tmp
read-only ${HOME}/.ssh
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mencoder.profile
^
|
@@ -11,7 +11,6 @@
#include disable-common.inc
#include disable-devel.inc
#include disable-interpreters.inc
-#include disable-passwdmgr.inc
#include disable-programs.inc
ipc-namespace
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mendeleydesktop.profile
^
|
@@ -22,7 +22,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -39,7 +38,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -49,3 +47,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/meson.profile
^
|
@@ -0,0 +1,14 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Redirect
+include build-systems-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/meteo-qt.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -53,3 +51,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/microsoft-edge-beta.profile
^
|
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Beta
+# Description: Web browser from Microsoft,beta channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-beta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge-beta
+noblacklist ${HOME}/.config/microsoft-edge-beta
+
+mkdir ${HOME}/.cache/microsoft-edge-beta
+mkdir ${HOME}/.config/microsoft-edge-beta
+whitelist ${HOME}/.cache/microsoft-edge-beta
+whitelist ${HOME}/.config/microsoft-edge-beta
+
+whitelist /opt/microsoft/msedge-beta
+
+# Redirect
+include chromium-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/microsoft-edge-dev.profile
^
|
@@ -14,7 +14,7 @@
whitelist ${HOME}/.cache/microsoft-edge-dev
whitelist ${HOME}/.config/microsoft-edge-dev
-private-opt microsoft
+whitelist /opt/microsoft/msedge-dev
# Redirect
include chromium-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/microsoft-edge.profile
^
|
@@ -1,11 +1,20 @@
# Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft
+# Description: Web browser from Microsoft,stable channel
# This file is overwritten after every install/update
# Persistent local customizations
include microsoft-edge.local
# Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge
+noblacklist ${HOME}/.config/microsoft-edge
+
+mkdir ${HOME}/.cache/microsoft-edge
+mkdir ${HOME}/.config/microsoft-edge
+whitelist ${HOME}/.cache/microsoft-edge
+whitelist ${HOME}/.config/microsoft-edge
+
+whitelist /opt/microsoft/msedge
# Redirect
-include microsoft-edge-dev.profile
+include chromium-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/midori.profile
^
|
@@ -12,10 +12,10 @@
noblacklist ${HOME}/.cache/midori
noblacklist ${HOME}/.config/midori
noblacklist ${HOME}/.local/share/midori
+noblacklist ${HOME}/.local/share/pki
# noblacklist ${HOME}/.local/share/webkit
# noblacklist ${HOME}/.local/share/webkitgtk
noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.cache/gnome-mplayer
noblacklist ${HOME}/.config/gnome-mplayer
@@ -25,17 +25,16 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-#include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.cache/midori
mkdir ${HOME}/.config/midori
mkdir ${HOME}/.local/share/midori
+mkdir ${HOME}/.local/share/pki
mkdir ${HOME}/.local/share/webkit
mkdir ${HOME}/.local/share/webkitgtk
mkdir ${HOME}/.pki
-mkdir ${HOME}/.local/share/pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/gnome-mplayer/plugin
whitelist ${HOME}/.cache/midori
@@ -43,10 +42,10 @@
whitelist ${HOME}/.config/midori
whitelist ${HOME}/.lastpass
whitelist ${HOME}/.local/share/midori
+whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.local/share/webkit
whitelist ${HOME}/.local/share/webkitgtk
whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
include whitelist-common.inc
include whitelist-var-common.inc
@@ -63,3 +62,5 @@
disable-mnt
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mindless.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -43,10 +41,11 @@
private-bin mindless
private-cache
private-dev
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/minecraft-launcher.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,7 +42,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -58,3 +56,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/minetest.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -49,7 +48,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -63,3 +61,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/minitube.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -47,8 +46,7 @@
nou2f
novideo
protocol unix,inet,inet6,netlink
-seccomp !kcmp
-shell none
+seccomp
tracelog
disable-mnt
@@ -60,3 +58,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mirage.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -48,7 +47,6 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -60,3 +58,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mirrormagic.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -45,8 +43,10 @@
private-bin mirrormagic
private-cache
private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mocp.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,13 +36,12 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-bin mocp
private-cache
private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
private-tmp
dbus-user none
@@ -52,3 +50,4 @@
memory-deny-write-execute
read-only ${HOME}
read-write ${HOME}/.moc
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mousepad.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -32,10 +31,11 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin mousepad
private-dev
private-lib
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mp3splt-gtk.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -32,14 +31,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin mp3splt-gtk
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mp3splt.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -45,10 +43,11 @@
private-bin flacsplt,mp3splt,mp3wrap,oggsplt
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
-memory-deny-write-execute
-
dbus-user none
dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpDris2.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,15 +44,15 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin mpDris2,notify-send,python*
private-cache
private-dev
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
private-tmp
#memory-deny-write-execute - breaks on Arch (see issue #1803)
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpd.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,10 +35,10 @@
# blacklisting of ioprio_set system calls breaks auto-updating of
# MPD's database when files in music_directory are changed
seccomp !ioprio_set
-shell none
#private-bin bash,mpd
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpg123.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
#private-bin mpg123*
@@ -44,3 +42,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mplayer.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
read-only ${DESKTOP}
@@ -34,8 +33,9 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-bin mplayer
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpsyt.profile
^
|
@@ -27,7 +27,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -51,7 +50,6 @@
caps.drop all
netfilter
nodvd
-# Seems to cause issues with Nvidia drivers sometimes
nogroups
noinput
nonewprivs
@@ -61,7 +59,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
@@ -71,3 +68,4 @@
dbus-user none
dbus-system none
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpv.profile
^
|
@@ -11,7 +11,7 @@
# edit ~/.config/mpv/foobar.conf:
# screenshot-directory=~/Pictures
-# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# Mpv has a powerful lua-API, some off these lua-scripts interact
# with external resources which are blocked by firejail. In such cases
# you need to allow these resources by
# - adding additional binaries to private-bin
@@ -26,7 +26,11 @@
noblacklist ${HOME}/.config/mpv
noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc
@@ -41,29 +45,30 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
read-only ${DESKTOP}
mkdir ${HOME}/.config/mpv
-mkdir ${HOME}/.config/youtube-dl
mkfile ${HOME}/.netrc
whitelist ${HOME}/.config/mpv
whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/yt-dlp
+whitelist ${HOME}/.config/yt-dlp.conf
whitelist ${HOME}/.netrc
-include whitelist-common.inc
-include whitelist-player-common.inc
+whitelist ${HOME}/yt-dlp.conf
+whitelist ${HOME}/yt-dlp.conf.txt
whitelist /usr/share/lua
whitelist /usr/share/lua*
whitelist /usr/share/vulkan
+include whitelist-common.inc
+include whitelist-player-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
netfilter
-# nogroups seems to cause issues with Nvidia drivers sometimes
nogroups
noinput
nonewprivs
@@ -72,13 +77,14 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
-private-bin env,mpv,python*,waf,youtube-dl
+private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
# private-cache causes slow OSD, see #2838
#private-cache
private-dev
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mrrescue.profile
^
|
@@ -20,7 +20,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -47,15 +45,16 @@
protocol unix,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin love,mrrescue,sh
private-cache
private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ms-office.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -31,14 +30,15 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,env,fonts,jak,ms-office,python*,sh
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mtpaint.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -48,3 +46,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/multimc5.profile
^
|
@@ -9,6 +9,10 @@
noblacklist ${HOME}/.local/share/multimc5
noblacklist ${HOME}/.multimc5
+# Ignore noexec on ${HOME} as MultiMC installs LWJGL native
+# libraries in ${HOME}/.local/share/multimc
+ignore noexec ${HOME}
+
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc
@@ -16,7 +20,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.local/share/multimc
@@ -39,7 +42,6 @@
novideo
protocol unix,inet,inet6
# seccomp
-shell none
disable-mnt
# private-bin works, but causes weirdness
@@ -47,3 +49,4 @@
private-dev
private-tmp
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mumble.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -36,7 +35,6 @@
notv
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -44,3 +42,4 @@
private-tmp
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf-gl.profile
^
|
@@ -7,7 +7,10 @@
# added by included profile
#include globals.local
+noblacklist ${HOME}/.cache/mupdf.history
noblacklist ${HOME}/.mupdf.history
+ignore no3d
+
# Redirect
include mupdf.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf-x11-curl.profile
^
|
@@ -12,7 +12,7 @@
netfilter
protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
# Redirect
include mupdf.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf-x11.profile
^
|
@@ -7,8 +7,5 @@
# added by included profile
#include globals.local
-memory-deny-write-execute
-read-only ${HOME}
-
# Redirect
include mupdf.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf.profile
^
|
@@ -4,7 +4,7 @@
# Persistent local customizations
include mupdf.local
# Persistent global definitions
-#include globals.local
+include globals.local
noblacklist ${DOCUMENTS}
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -22,6 +21,7 @@
caps.drop all
machine-id
net none
+no3d
nodvd
nogroups
noinput
@@ -33,7 +33,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-dev
@@ -42,3 +41,7 @@
dbus-user none
dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupen64plus.profile
^
|
@@ -11,8 +11,6 @@
include disable-common.inc
include disable-devel.inc
-include disable-passwdmgr.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# you'll need to manually whitelist ROM files
@@ -33,3 +31,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/musescore.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,8 +35,9 @@
protocol unix,inet,inet6
# QtWebengine needs chroot to set up its own sandbox
seccomp !chroot
-shell none
tracelog
# private-bin musescore,mscore
private-tmp
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/musictube.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -44,7 +43,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -56,3 +54,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/musixmatch.profile
^
|
@@ -10,7 +10,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -30,9 +29,10 @@
nou2f
novideo
protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
disable-mnt
private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mutt.profile
^
|
@@ -47,7 +47,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -129,13 +128,12 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
# disable-mnt
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
private-tmp
writable-run-user
writable-var
@@ -148,3 +146,4 @@
read-only ${HOME}/.nanorc
read-only ${HOME}/.signature
read-only ${HOME}/.w3m
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mypaint.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,13 +38,14 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-cache
private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nano.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/nano
@@ -39,7 +38,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -50,7 +48,7 @@
# Add the next lines to your nano.local if you want to edit files in /etc directly.
#ignore private-etc
#writable-etc
-private-etc alternatives,nanorc
+private-etc alternatives,ld.so.cache,ld.so.preload,nanorc
# Add the next line to your nano.local if you want to edit files in /var directly.
#writable-var
@@ -58,3 +56,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/natron.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -30,9 +29,10 @@
nou2f
protocol unix
seccomp
-shell none
private-bin natron,Natron,NatronRenderer
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ncdu.profile
^
|
@@ -1,6 +1,7 @@
# Firejail profile for ncdu
# Description: Ncurses disk usage viewer
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include ncdu.local
# Persistent global definitions
@@ -25,7 +26,6 @@
novideo
protocol unix
seccomp
-shell none
x11 none
private-dev
@@ -35,3 +35,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ncdu2.profile
^
|
@@ -0,0 +1,12 @@
+# Firejail profile for ncdu2
+# Description: Ncurses disk usage viewer (zig rewrite)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ncdu2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ncdu.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/neochat.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -49,7 +48,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -61,6 +59,8 @@
dbus-user filter
dbus-user.own org.kde.neochat
dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.kde.kwalletd5
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/neomutt.profile
^
|
@@ -46,36 +46,15 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
mkdir ${HOME}/Mail
mkdir ${HOME}/mail
mkdir ${HOME}/postponed
mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
whitelist ${DOCUMENTS}
whitelist ${DOWNLOADS}
whitelist ${HOME}/.Mail
@@ -132,13 +111,12 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
# disable-mnt
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
private-tmp
writable-run-user
writable-var
@@ -151,3 +129,4 @@
read-only ${HOME}/.nanorc
read-only ${HOME}/.signature
read-only ${HOME}/.w3m
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/netactview.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,13 +39,12 @@
nou2f
novideo
seccomp
-shell none
disable-mnt
private-bin netactview,netactview_polkit
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-lib
private-tmp
@@ -54,3 +52,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nethack-vultures.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.vultures
@@ -33,7 +32,6 @@
novideo
#protocol unix,netlink
#seccomp
-shell none
disable-mnt
#private
@@ -44,3 +42,5 @@
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nethack.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /var/games/nethack
@@ -33,7 +32,6 @@
novideo
#protocol unix,netlink
#seccomp
-shell none
disable-mnt
#private
@@ -46,3 +44,4 @@
dbus-system none
#memory-deny-write-execute
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/netsurf.profile
^
|
@@ -32,3 +32,5 @@
tracelog
disable-mnt
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/neverball.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -50,3 +48,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/newsboat.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -48,16 +47,16 @@
novideo
protocol inet,inet6
seccomp
-shell none
disable-mnt
private-bin gzip,lynx,newsboat,sh,w3m
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/newsflash.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,17 +44,18 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin com.gitlab.newsflash,newsflash
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
private-tmp
dbus-user none
#dbus-user.own com.gitlab.newsflash
#dbus-user.talk org.freedesktop.Notifications
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nextcloud.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -30,6 +29,7 @@
whitelist ${HOME}/Nextcloud
whitelist ${HOME}/.config/Nextcloud
whitelist ${HOME}/.local/share/Nextcloud
+whitelist /usr/share/nextcloud
# Add the next lines to your nextcloud.local to allow sync in more directories.
#whitelist ${DOCUMENTS}
#whitelist ${MUSIC}
@@ -44,7 +44,6 @@
caps.drop all
machine-id
netfilter
-no3d
nodvd
nogroups
noinput
@@ -57,16 +56,18 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin nextcloud,nextcloud-desktop
private-cache
-private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
private-dev
private-tmp
dbus-user filter
dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nheko.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
notv
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -52,11 +50,11 @@
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-tmp
-
-# Add the next lines to your nheko.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your nheko.local to enable notification support.
#dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nicotine.profile
^
|
@@ -8,14 +8,17 @@
noblacklist ${HOME}/.nicotine
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
+include allow-python3.inc
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,6 +41,7 @@
nogroups
noinput
nonewprivs
+noprinters
noroot
nosound
notv
@@ -45,14 +49,15 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
-private-bin nicotine,python2*
+#private-bin nicotine,python2*
private-cache
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nitroshare.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-usr-share-common.inc
@@ -37,13 +36,12 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
private-cache
private-dev
-private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl
# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
private-tmp
@@ -51,3 +49,4 @@
# dbus-system none
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/node-gyp.profile
^
|
@@ -0,0 +1,11 @@
+# Firejail profile for node-gyp
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node-gyp.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nodejs-common.profile
^
|
@@ -7,7 +7,14 @@
# added by caller profile
#include globals.local
-blacklist /tmp/.X11-unix
+# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
blacklist ${RUNUSER}
ignore read-only ${HOME}/.npm-packages
@@ -25,14 +32,13 @@
noblacklist ${HOME}/.yarnrc
ignore noexec ${HOME}
-
include allow-bin-sh.inc
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
+include disable-X11.inc
include disable-xdg.inc
# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -74,6 +80,7 @@
nogroups
noinput
nonewprivs
+noprinters
noroot
nosound
notv
@@ -82,7 +89,6 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
disable-mnt
private-dev
@@ -94,3 +100,4 @@
# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
#env GATSBY_TELEMETRY_DISABLED=1
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nomacs.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,11 +35,12 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
#private-bin nomacs
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/noprofile.profile
^
|
@@ -0,0 +1,29 @@
+# This is the weakest possible firejail profile.
+# If a program still fail with this profile, it is incompatible with firejail.
+# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
+#
+# Usage:
+# 1. download
+# 2. firejail --profile=noprofile.profile /path/to/program
+
+# Keep in mind that even with this profile some things are done
+# which can break the program.
+# - some env-vars are cleared
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
+# - a new private pid-namespace is created
+# - a minimal hardcoded blacklist is applied
+# - ...
+
+noblacklist /sys/fs
+noblacklist /sys/module
+
+allow-debuggers
+allusers
+keep-config-pulse
+keep-dev-shm
+keep-fd all
+keep-var-tmp
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/notable.profile
^
|
@@ -0,0 +1,37 @@
+# Firejail profile for notable
+# Description: The Markdown-based note-taking app that doesn't suck
+# This file is overwritten after every install/update
+# Persistent local customizations
+include notable.local
+# Persistent global definitions
+include globals.local
+
+# Note: On debian-based distributions the binary might be located in
+# /opt/Notable/notable, and therefore not be in PATH.
+# If that's the case you can start Notable with firejail via
+# `firejail "/opt/Notable/notable"`.
+
+noblacklist ${HOME}/.config/Notable
+noblacklist ${HOME}/.notable
+
+net none
+nosound
+
+?HAS_APPIMAGE: ignore private-dev
+private-opt Notable
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+ignore dbus-user none
+
+# Notable keeps claiming it is started for the first time when whitelisting - see #4812.
+ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron*-flag*.conf
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+
+# Redirect
+include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/notify-send.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -41,7 +40,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -50,7 +48,7 @@
private-bin notify-send
private-cache
private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user filter
@@ -59,3 +57,4 @@
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/npx.profile
^
|
@@ -0,0 +1,11 @@
+# Firejail profile for npx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nslookup.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -54,3 +52,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nuclear.profile
^
|
@@ -18,7 +18,7 @@
no3d
# private-bin nuclear
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-opt nuclear
# Redirect
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nvim.profile
^
|
@@ -0,0 +1,54 @@
+# Firejail profile for neovim
+# Description: Nvim is open source and freely distributable
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.cache/nvim
+noblacklist ${HOME}/.config/nvim
+noblacklist ${HOME}/.local/share/nvim
+noblacklist ${HOME}/.local/state/nvim
+
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+blacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}/.config
+read-write ${HOME}/.config/nvim
+read-write ${HOME}/.local/share/nvim
+read-write ${HOME}/.local/state/nvim
+read-write ${HOME}/.vim
+read-write ${HOME}/.vimrc
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nylas.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/Nylas Mail
@@ -34,6 +33,7 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nyx.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,16 +39,17 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin nyx,python*
private-cache
private-dev
-private-etc alternatives,fonts,passwd,tor
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor
private-opt none
private-srv none
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/obs.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin bash,obs,obs-ffmpeg-mux,python*,sh
@@ -42,3 +40,4 @@
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ocenaudio.profile
^
|
@@ -6,51 +6,58 @@
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.cache/ocenaudio
noblacklist ${HOME}/.local/share/ocenaudio
-noblacklist ${DOCUMENTS}
+
noblacklist ${MUSIC}
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+mkdir ${HOME}/.cache/ocenaudio
+mkdir ${HOME}/.local/share/ocenaudio
+whitelist ${HOME}/.cache/ocenaudio
+whitelist ${HOME}/.local/share/ocenaudio
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
-ipc-namespace
-# net none - breaks update functionality and AppArmor on Ubuntu systems
-# Add 'net none' to your ocenaudio.local when you want that functionality.
-#net none
+#ipc-namespace
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
+noprinters
noroot
notv
nou2f
novideo
-protocol unix
+# Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking.
+protocol unix,inet,inet6
seccomp
-shell none
tracelog
-private-bin ocenaudio
+private-bin ocenaudio,ocenvst
private-cache
private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-opt ocenaudio
private-tmp
-# breaks preferences
-# dbus-user none
-# dbus-system none
+dbus-user none
+dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/odt2txt.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -32,17 +31,17 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
private-bin odt2txt
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/okular.profile
^
|
@@ -23,7 +23,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,6 +36,7 @@
whitelist /usr/share/kxmlgui5/okular
whitelist /usr/share/okular
whitelist /usr/share/poppler
+include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -57,12 +57,11 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
private-dev
-private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg
# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
# dbus-user none
@@ -70,4 +69,5 @@
# memory-deny-write-execute
+restrict-namespaces
join-or-start okular
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onboard.profile
^
|
@@ -17,7 +17,6 @@
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
-include disable-passwdmgr.inc
include disable-shell.inc
include disable-xdg.inc
@@ -44,14 +43,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-cache
private-bin onboard,python*,tput
private-dev
-private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
private-tmp
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onionshare-cli.profile
^
|
@@ -0,0 +1,12 @@
+# Firejail profile for onionshare-cli
+# Description: Share a file over Tor Hidden Services anonymously and securely (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include onionshare-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include onionshare-gui.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onionshare-gui.profile
^
|
@@ -1,4 +1,5 @@
# Firejail profile for onionshare-gui
+# Description: Share a file over Tor Hidden Services anonymously and securely
# This file is overwritten after every install/update
# Persistent local customizations
include onionshare-gui.local
@@ -10,23 +11,37 @@
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python3.inc
+blacklist /sys/class/net
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
+include disable-proc.inc
include disable-programs.inc
+include disable-shell.inc
+mkdir ${HOME}/.config/onionshare
+mkdir ${HOME}/OnionShare
+whitelist ${HOME}/.config/onionshare
+whitelist ${HOME}/OnionShare
+whitelist /usr/share/onionshare
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
include whitelist-var-common.inc
caps.drop all
ipc-namespace
+machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
+noprinters
noroot
nosound
notv
@@ -34,9 +49,20 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
+seccomp.block-secondary
+#tracelog - may cause issues, see #1930
+disable-mnt
+private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
+private-cache
private-dev
private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onionshare.profile
^
|
@@ -0,0 +1,11 @@
+# Firejail profile for onionshare
+# Description: Share a file over Tor Hidden Services anonymously and securely (GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onionshare.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include onionshare-gui.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/open-invaders.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -26,7 +25,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -34,7 +32,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
private-bin open-invaders
private-dev
@@ -42,3 +39,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openarena.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,15 +36,16 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
private-cache
private-dev
-private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openbox.profile
^
|
@@ -14,7 +14,8 @@
netfilter
noroot
protocol unix,inet,inet6
-seccomp
+seccomp !chroot
read-only ${HOME}/.config/openbox/autostart
read-only ${HOME}/.config/openbox/environment
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opencity.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openclonk.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -29,7 +28,6 @@
netfilter
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -37,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -48,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openmw.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -48,7 +47,6 @@
protocol unix,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard
@@ -60,3 +58,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openshot.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/blender
@@ -38,7 +37,6 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin blender,inkscape,openshot,openshot-qt,python3*
@@ -48,3 +46,5 @@
dbus-user filter
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openstego.profile
^
|
@@ -0,0 +1,59 @@
+# Firejail profile for OpenStego
+# Description: Steganography application that provides data hiding and watermarking functionality
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openstego.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/openstego.ini
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+
+mkfile ${HOME}/openstego.ini
+whitelist ${HOME}/openstego.ini
+whitelist ${HOME}/.java
+whitelist ${PICTURES}
+whitelist ${DOCUMENTS}
+whitelist ${DESKTOP}
+whitelist /usr/share/java
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin bash,dirname,openstego,readlink,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openttd.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opera-beta.profile
^
|
@@ -5,18 +5,16 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
-noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.cache/opera-beta
noblacklist ${HOME}/.config/opera-beta
+noblacklist ${HOME}/.opera-beta
-mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.cache/opera-beta
mkdir ${HOME}/.config/opera-beta
-whitelist ${HOME}/.cache/opera
+mkdir ${HOME}/.opera-beta
+whitelist ${HOME}/.cache/opera-beta
whitelist ${HOME}/.config/opera-beta
+whitelist ${HOME}/.opera-beta
# Redirect
include chromium-common.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opera-developer.profile
^
|
@@ -0,0 +1,20 @@
+# Firejail profile for opera-developer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera-developer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/opera-developer
+noblacklist ${HOME}/.config/opera-developer
+noblacklist ${HOME}/.opera-developer
+
+mkdir ${HOME}/.cache/opera-developer
+mkdir ${HOME}/.config/opera-developer
+mkdir ${HOME}/.opera-developer
+whitelist ${HOME}/.cache/opera-developer
+whitelist ${HOME}/.config/opera-developer
+whitelist ${HOME}/.opera-developer
+
+# Redirect
+include chromium-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opera.profile
^
|
@@ -6,11 +6,6 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
noblacklist ${HOME}/.cache/opera
noblacklist ${HOME}/.config/opera
noblacklist ${HOME}/.opera
@@ -22,5 +17,16 @@
whitelist ${HOME}/.config/opera
whitelist ${HOME}/.opera
+# https://github.com/netblue30/firejail/issues/4965
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
+
+# opera uses opera_sandbox instead of chrome-sandbox
+noblacklist /usr/lib/opera/opera_sandbox
+ignore noblacklist /usr/lib/chromium/chrome-sandbox
+
+# Add the below to your opera.local if you want to disable auto update
+#env OPERA_AUTOUPDATE_DISABLED=1
+
# Redirect
include chromium-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/orage.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,10 +30,10 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ostrichriders.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -49,3 +47,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/otter-browser.profile
^
|
@@ -10,26 +10,25 @@
noblacklist ${HOME}/.cache/Otter
noblacklist ${HOME}/.config/otter
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.cache/Otter
mkdir ${HOME}/.config/otter
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/Otter
whitelist ${HOME}/.config/otter
-whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
whitelist /usr/share/otter-browser
include whitelist-common.inc
include whitelist-runuser-common.inc
@@ -48,7 +47,6 @@
?BROWSER_DISABLE_U2F: nou2f
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
disable-mnt
private-bin bash,otter-browser,sh,which
@@ -58,3 +56,5 @@
private-tmp
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/palemoon.profile
^
|
@@ -22,5 +22,8 @@
#private-etc palemoon
#private-opt palemoon
+restrict-namespaces
+ignore restrict-namespaces
+
# Redirect
include firefox-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pandoc.profile
^
|
@@ -11,15 +11,17 @@
noblacklist ${DOCUMENTS}
+include allow-bin-sh.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+include whitelist-runuser-common.inc
# breaks pdf output
#include whitelist-var-common.inc
@@ -40,18 +42,18 @@
novideo
protocol unix
seccomp
-shell none
+seccomp.block-secondary
tracelog
x11 none
disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
private-cache
private-dev
-private-etc alternatives,texlive,texmf
+private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/parole.profile
^
|
@@ -12,7 +12,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -24,8 +23,9 @@
notv
protocol unix,inet,inet6
seccomp
-shell none
private-bin dbus-launch,parole
private-cache
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/patch.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
x11 none
@@ -50,3 +48,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pavucontrol.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -39,14 +38,13 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin pavucontrol
private-cache
private-dev
-private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
private-lib
private-tmp
@@ -55,3 +53,4 @@
# mdwe is broken under Wayland, but works under Xorg.
#memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pcsxr.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -42,7 +41,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
private-bin pcsxr
@@ -55,3 +53,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdfchain.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,14 +30,14 @@
novideo
protocol unix
seccomp
-shell none
private-bin pdfchain,pdftk,sh
private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdfmod.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,10 +35,11 @@
novideo
protocol unix
seccomp
-shell none
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdfsam.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which
private-cache
@@ -43,3 +41,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdftotext.profile
^
|
@@ -1,6 +1,7 @@
# Firejail profile for pdftotext
# Description: Portable Document Format (PDF) to text converter
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include pdftotext.local
# Persistent global definitions
@@ -14,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -42,15 +42,16 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
x11 none
private-bin pdftotext
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/peek.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -43,13 +42,12 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
private-dev
-private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
+private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11
private-tmp
dbus-user filter
@@ -61,3 +59,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/penguin-command.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -33,7 +32,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
private-bin penguin-command
private-dev
@@ -41,3 +39,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/photoflare.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,15 +36,16 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin photoflare
private-cache
private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/picard.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,8 +36,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pidgin.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -46,3 +45,5 @@
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pinball.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -54,3 +52,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ping-hardened.inc.profile
^
|
@@ -0,0 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include ping-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ping.profile
^
|
@@ -7,24 +7,30 @@
# Persistent global definitions
include globals.local
-blacklist /tmp/.X11-unix
blacklist ${RUNUSER}
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
+include disable-proc.inc
include disable-programs.inc
+include disable-X11.inc
include disable-xdg.inc
include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
+# Add the next line to your ping.local if your kernel allows unprivileged userns clone.
+#include ping-hardened.inc.profile
+
apparmor
caps.keep net_raw
ipc-namespace
+machine-id
#net tun0
#netfilter /etc/firejail/ping.net
netfilter
@@ -32,8 +38,9 @@
nodvd
nogroups
noinput
-# ping needs to rise privileges, noroot and nonewprivs will kill it
+# ping needs to raise privileges, nonewprivs and noroot will kill it
#nonewprivs
+noprinters
#noroot
nosound
notv
@@ -41,15 +48,17 @@
novideo
# protocol command is built using seccomp; nonewprivs will kill it
#protocol unix,inet,inet6,netlink,packet
-# killed by no-new-privs
#seccomp
+tracelog
disable-mnt
private
-#private-bin has mammoth problems with execvp: "No such file or directory"
+#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+private-cache
private-dev
# /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-lib
private-tmp
# memory-deny-write-execute is built using seccomp; nonewprivs will kill it
@@ -57,3 +66,6 @@
dbus-user none
dbus-system none
+
+read-only ${HOME}
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pingus.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -44,15 +43,16 @@
protocol unix,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin pingus,pingus.bin,sh
private-cache
private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pinta.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -32,7 +31,6 @@
novideo
protocol unix
seccomp
-shell none
private-dev
private-cache
@@ -40,3 +38,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pioneer.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -46,3 +44,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pip.profile
^
|
@@ -0,0 +1,21 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pip.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.local/lib
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+noblacklist ${HOME}/.cache/pip
+
+#whitelist ${HOME}/.cache/pip
+#whitelist ${HOME}/.local/lib/python*
+
+# Redirect
+include build-systems-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pithos.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,10 +34,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin env,pithos,python*
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pitivi.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-runuser-common.inc
@@ -36,8 +35,8 @@
novideo
protocol unix
seccomp
-shell none
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pix.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -29,10 +28,11 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin pix
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pkglog.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
nou2f
novideo
seccomp
-shell none
tracelog
disable-mnt
@@ -45,7 +43,7 @@
private-bin pkglog,python*
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-opt none
private-tmp
writable-var-log
@@ -58,3 +56,4 @@
read-only /var/log/apt/history.log
read-only /var/log/dnf.rpm.log
read-only /var/log/pacman.log
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pluma.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -38,7 +37,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin pluma
@@ -50,4 +48,5 @@
# dbus-user none
# dbus-system none
+restrict-namespaces
join-or-start pluma
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/plv.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,14 +39,13 @@
nou2f
novideo
seccomp
-shell none
tracelog
disable-mnt
private-bin plv
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-opt none
private-tmp
writable-var-log
@@ -59,3 +57,4 @@
read-only ${HOME}
read-write ${HOME}/.config/PacmanLogViewer
read-only /var/log/pacman.log
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pngquant.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,20 +38,19 @@
notv
nou2f
novideo
-# protocol can be empty, but this is not yet supported see #639
-protocol inet
-seccomp
-shell none
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
tracelog
x11 none
private-bin pngquant
private-cache
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/polari.profile
^
|
@@ -43,10 +43,10 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ppsspp.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-write-mnt.inc
include disable-xdg.inc
@@ -39,7 +38,6 @@
novideo
protocol unix,netlink
seccomp
-shell none
private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
# Add the next line to your ppsspp.local if you do not need controller support.
@@ -50,3 +48,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pragha.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,9 +30,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/profanity.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,15 +39,15 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin profanity
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/psi-plus.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/psi+
@@ -39,8 +38,9 @@
protocol unix,inet,inet6
# QtWebengine needs chroot to set up its own sandbox
seccomp !chroot
-shell none
disable-mnt
private-dev
private-tmp
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/psi.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -63,7 +62,6 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
#tracelog - breaks on Arch
disable-mnt
@@ -72,8 +70,10 @@
private-bin getopt,psi
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
private-tmp
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pybitmessage.profile
^
|
@@ -16,7 +16,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-interpreters.inc
@@ -37,7 +36,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat
@@ -45,3 +43,4 @@
private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pycharm-professional.profile
^
|
@@ -6,7 +6,5 @@
# added by included profile
#include globals.local
-noblacklist ${HOME}/.PyCharm*
-
# Redirect
include pycharm-community.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qbittorrent.profile
^
|
@@ -1,5 +1,5 @@
# Firejail profile for qbittorrent
-# Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI
+# Description: An advanced BitTorrent client programmed in C++, based on Qt toolkit and libtorrent-rasterbar
# This file is overwritten after every install/update
# Persistent local customizations
include qbittorrent.local
@@ -10,6 +10,7 @@
noblacklist ${HOME}/.config/qBittorrent
noblacklist ${HOME}/.config/qBittorrentrc
noblacklist ${HOME}/.local/share/data/qBittorrent
+noblacklist ${HOME}/.local/share/qBittorrent
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@@ -19,7 +20,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -27,11 +27,13 @@
mkdir ${HOME}/.config/qBittorrent
mkfile ${HOME}/.config/qBittorrentrc
mkdir ${HOME}/.local/share/data/qBittorrent
+mkdir ${HOME}/.local/share/qBittorrent
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/qBittorrent
whitelist ${HOME}/.config/qBittorrent
whitelist ${HOME}/.config/qBittorrentrc
whitelist ${HOME}/.local/share/data/qBittorrent
+whitelist ${HOME}/.local/share/qBittorrent
include whitelist-common.inc
include whitelist-var-common.inc
@@ -50,7 +52,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-bin python*,qbittorrent
private-dev
@@ -62,3 +63,4 @@
dbus-system none
# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qcomicbook.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -48,7 +47,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
@@ -66,3 +64,4 @@
read-write ${HOME}/.local/share/PawelStolowski
#to allow ${HOME}/.local/share/recently-used.xbel
read-write ${HOME}/.local/share
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qemu-launcher.profile
^
|
@@ -8,7 +8,6 @@
noblacklist ${HOME}/.qemu-launcher
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -20,10 +19,10 @@
notv
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-cache
private-tmp
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qemu-system-x86_64.profile
^
|
@@ -7,7 +7,6 @@
include globals.local
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -19,10 +18,10 @@
notv
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-cache
private-tmp
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qgis.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -47,14 +46,15 @@
# blacklisting of mbind system calls breaks old version
seccomp !mbind
protocol unix,inet,inet6,netlink
-shell none
tracelog
disable-mnt
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qlipper.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -30,10 +29,10 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qmmp.profile
^
|
@@ -12,7 +12,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -29,7 +28,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin bzip2,gzip,qmmp,tar,unzip
@@ -38,3 +36,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qnapi.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -42,15 +41,16 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-bin 7z,qnapi
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-opt none
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qpdfview.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin qpdfview
@@ -45,3 +43,5 @@
# needs D-Bus when started from a file manager
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qq.profile
^
|
@@ -0,0 +1,11 @@
+# Firejail profile for qq
+# Description: IM client based on Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qq.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include linuxqq.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qrencode.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -40,7 +39,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -48,7 +46,7 @@
private-bin qrencode
private-cache
private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-lib libpcre*
private-tmp
@@ -56,3 +54,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qtox.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,17 +36,17 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin qtox
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/quassel.profile
^
|
@@ -24,3 +24,5 @@
private-cache
private-tmp
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/quaternion.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -53,3 +51,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/quodlibet.profile
^
|
@@ -21,7 +21,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -55,7 +54,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin exfalso,operon,python*,quodlibet,sh
@@ -65,3 +63,5 @@
private-tmp
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qupzilla.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/qupzilla
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qutebrowser.profile
^
|
@@ -10,14 +10,19 @@
noblacklist ${HOME}/.config/qutebrowser
noblacklist ${HOME}/.local/share/qutebrowser
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc
include disable-common.inc
include disable-devel.inc
+include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
+include disable-shell.inc
mkdir ${HOME}/.cache/qutebrowser
mkdir ${HOME}/.config/qutebrowser
@@ -26,8 +31,14 @@
whitelist ${HOME}/.cache/qutebrowser
whitelist ${HOME}/.config/qutebrowser
whitelist ${HOME}/.local/share/qutebrowser
+whitelist /usr/share/qutebrowser
include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
caps.drop all
netfilter
nodvd
@@ -37,4 +48,22 @@
protocol unix,inet,inet6,netlink
# blacklisting of chroot system calls breaks qt webengine
seccomp !chroot,!name_to_handle_at
-# tracelog
+#tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
+dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/raincat.profile
^
|
@@ -0,0 +1,49 @@
+# Firejail profile for raincat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include raincat.local
+# Persistent global definitions
+include globals.local
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games
+whitelist /usr/share/timidity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+net none
+seccomp
+tracelog
+
+disable-mnt
+private
+private-bin raincat
+private-cache
+private-dev
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rambox.profile
^
|
@@ -7,8 +7,8 @@
include globals.local
noblacklist ${HOME}/.config/Rambox
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
include disable-common.inc
include disable-devel.inc
@@ -16,12 +16,12 @@
include disable-programs.inc
mkdir ${HOME}/.config/Rambox
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Rambox
-whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
include whitelist-common.inc
caps.drop all
@@ -35,4 +35,6 @@
# electron-based application, needing chroot
#seccomp
seccomp !chroot
-# tracelog
+#tracelog
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/redeclipse.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rednotebook.profile
^
|
@@ -0,0 +1,67 @@
+# Firejail profile for rednotebook
+# Description: Daily journal with calendar, templates and keyword searching
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rednotebook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/rednotebook
+noblacklist ${HOME}/.rednotebook
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/rednotebook
+mkdir ${HOME}/.rednotebook
+whitelist ${HOME}/.cache/rednotebook
+whitelist ${HOME}/.rednotebook
+whitelist ${DESKTOP}
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+whitelist /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin python3*,rednotebook
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/redshift.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -52,3 +50,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/regextester.profile
^
|
@@ -9,7 +9,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
@@ -37,14 +36,13 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin regextester
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-lib libgranite.so.*
private-tmp
@@ -54,3 +52,4 @@
# never write anything
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/remmina.profile
^
|
@@ -13,11 +13,13 @@
# Allow ssh (blacklisted by disable-common.inc)
include allow-ssh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,9 +37,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/retroarch.profile
^
|
@@ -0,0 +1,55 @@
+# Firejail profile for retroarch
+# Description: retroarch is a frontend to libretro emulator cores.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include retroarch.local
+# Persistent global definitions
+include globals.local
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/retroarch
+whitelist ${HOME}/.config/retroarch
+whitelist /run/udev
+whitelist /usr/share/retroarch
+whitelist /usr/share/libretro
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+# If you need access to cameras, add `ignore novideo` to retroarch.local
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin retroarch
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rhythmbox.profile
^
|
@@ -21,7 +21,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -47,7 +46,6 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin rhythmbox,rhythmbox-client
@@ -65,3 +63,5 @@
dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
dbus-system filter
dbus-system.talk org.freedesktop.Avahi
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ricochet.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -34,10 +33,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin ricochet,tor
private-dev
#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ripperx.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-cache
@@ -42,3 +40,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ristretto.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -35,9 +34,9 @@
novideo
protocol unix
seccomp
-shell none
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rpcs3.profile
^
|
@@ -0,0 +1,63 @@
+# Firejail profile for RPCS3 emulator
+# Description: RPCS3 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rpcs3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/rpcs3
+noblacklist ${HOME}/.cache/rpcs3
+# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
+# won't even start.
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc # disable if PPU compilation crashes
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/rpcs3
+mkdir ${HOME}/.config/rpcs3
+whitelist ${HOME}/.cache/rpcs3
+whitelist ${HOME}/.config/rpcs3
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+netfilter
+nodvd
+nogroups
+#noinput
+nonewprivs
+noroot
+noprinters
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+#private-cache
+#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rsync-download_only.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,17 +42,17 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin rsync
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rtin.profile
^
|
@@ -5,4 +5,5 @@
# Persistent local customizations
include rtin.local
+# Redirect
include tin.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rtorrent.profile
^
|
@@ -10,7 +10,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -27,9 +26,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin rtorrent
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rtv.profile
^
|
@@ -27,7 +27,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -53,7 +52,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -64,3 +62,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sayonara.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -28,10 +27,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin sayonara
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scallion.profile
^
|
@@ -14,7 +14,6 @@
include disable-common.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private
@@ -43,3 +41,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scorched3d.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -49,3 +47,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scorchwentbonkers.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,15 +36,16 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
private-bin scorchwentbonkers
private-cache
private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scribus.profile
^
|
@@ -34,7 +34,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -54,7 +53,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin gimp*,gs,scribus
@@ -63,3 +61,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sdat2img.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
private-bin env,python*,sdat2img
private-cache
@@ -43,3 +41,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seafile-applet.profile
^
|
@@ -0,0 +1,63 @@
+# Firejail profile for Seafile
+# Description: Seafile desktop client.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seafile-applet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Seafile
+noblacklist ${HOME}/Seafile/.seafile-data
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ccnet
+mkdir ${HOME}/.config/Seafile
+mkdir ${HOME}/Seafile
+whitelist ${HOME}/.ccnet
+whitelist ${HOME}/.config/Seafile
+whitelist ${HOME}/Seafile
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin seaf-cli,seaf-daemon,seafile-applet
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+#private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse-adventures.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -49,8 +47,10 @@
private-bin bash,dash,python*,seahorse-adventures,sh
private-cache
private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse-daemon.profile
^
|
@@ -8,6 +8,9 @@
# added by included profile
#include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-X11.inc
+
memory-deny-write-execute
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse-tool.profile
^
|
@@ -7,9 +7,5 @@
# added by included profile
#include globals.local
-# private-etc workaround for: #2877
-private-etc firejail,login.defs,passwd
-private-tmp
-
# Redirect
include seahorse.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse.profile
^
|
@@ -6,8 +6,6 @@
# Persistent global definitions
include globals.local
-blacklist /tmp/.X11-unix
-
noblacklist ${HOME}/.gnupg
# Allow ssh (blacklisted by disable-common.inc)
@@ -17,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -55,17 +52,20 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg
+private-tmp
writable-run-user
dbus-user filter
dbus-user.own org.gnome.seahorse
dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.secrets
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seamonkey.profile
^
|
@@ -7,9 +7,10 @@
include globals.local
noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
include disable-common.inc
include disable-devel.inc
@@ -17,22 +18,24 @@
include disable-programs.inc
mkdir ${HOME}/.cache/mozilla
+mkdir ${HOME}/.gnupg
mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/gnome-mplayer/plugin
whitelist ${HOME}/.cache/mozilla
whitelist ${HOME}/.config/gnome-mplayer
whitelist ${HOME}/.config/pipelight-silverlight5.1
whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.gnupg
whitelist ${HOME}/.keysnail.js
whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.pentadactyl
whitelist ${HOME}/.pentadactylrc
whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.vimperator
whitelist ${HOME}/.vimperatorrc
whitelist ${HOME}/.wine-pipelight
@@ -53,3 +56,6 @@
disable-mnt
# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+writable-run-user
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/semver.profile
^
|
@@ -0,0 +1,11 @@
+# Firejail profile for semver
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include semver.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/server.profile
^
|
@@ -7,7 +7,6 @@
# [sudo] password for netblue:
# Reading profile /etc/firejail/server.profile
# Reading profile /etc/firejail/disable-common.inc
-# Reading profile /etc/firejail/disable-passwdmgr.inc
# Reading profile /etc/firejail/disable-programs.inc
#
# ** Note: you can use --noprofile to disable server.profile **
@@ -34,6 +33,7 @@
noblacklist /sbin
noblacklist /usr/sbin
+noblacklist /etc/init.d
# noblacklist /var/opt
blacklist /tmp/.X11-unix
@@ -43,7 +43,6 @@
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-write-mnt.inc
include disable-xdg.inc
@@ -52,7 +51,9 @@
# include whitelist-usr-share-common.inc
# include whitelist-var-common.inc
-apparmor
+# people use to install servers all over the place!
+# apparmor runs executable only from default system locations
+# apparmor
caps
# ipc-namespace
machine-id
@@ -61,15 +62,16 @@
nodvd
# nogroups
noinput
-# nonewprivs
+nonewprivs
# noroot
nosound
notv
nou2f
novideo
-# protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6,netlink,packet
seccomp
# shell none
+tab # allow tab completion
disable-mnt
private
@@ -81,12 +83,14 @@
# private-lib
# private-opt none
private-tmp
+# writable-run-user
+# writable-var
+# writable-var-log
dbus-user none
# dbus-system none
+# deterministic-shutdown
# memory-deny-write-execute
# read-only ${HOME}
-# writable-run-user
-# writable-var
-# writable-var-log
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/servo.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -48,3 +46,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sha256sum.profile
^
|
@@ -7,6 +7,9 @@
# Persistent global definitions
include globals.local
+# If you use nvm, add the below lines to your sha256sum.local
+#noblacklist ${HOME}/.nvm
+
private-bin sha256sum
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shellcheck.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
x11 none
@@ -52,4 +50,4 @@
dbus-user none
dbus-system none
-memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shortwave.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -49,3 +47,5 @@
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shotcut.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -28,7 +27,6 @@
nou2f
protocol unix
seccomp
-shell none
tracelog
#private-bin melt,nice,qmelt,shotcut
@@ -37,3 +35,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shotwell.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -44,13 +43,12 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin shotwell
private-cache
private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-opt none
private-tmp
@@ -59,3 +57,5 @@
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/signal-cli.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -50,3 +48,5 @@
# Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/signal-desktop.profile
^
|
@@ -21,9 +21,14 @@
private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-# allow D-Bus notifications
dbus-user filter
+
+# allow D-Bus notifications
dbus-user.talk org.freedesktop.Notifications
+
+# allow D-Bus communication with Firefox browsers for opening links
+dbus-user.talk org.mozilla.*
+
ignore dbus-user none
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/silentarmy.profile
^
|
@@ -10,7 +10,6 @@
# include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -30,7 +29,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private
@@ -39,3 +37,4 @@
private-opt none
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/simple-scan.profile
^
|
@@ -12,7 +12,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,10 +32,11 @@
protocol unix,inet,inet6,netlink
# blacklisting of ioperm system calls breaks simple-scan
seccomp !ioperm
-shell none
tracelog
# private-bin simple-scan
# private-dev
# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
# private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/simplescreenrecorder.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -32,9 +31,10 @@
nou2f
protocol unix
seccomp
-shell none
tracelog
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/simutrans.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.simutrans
@@ -33,7 +32,6 @@
novideo
protocol unix
seccomp
-shell none
# private-bin simutrans
private-dev
@@ -41,3 +39,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/skanlite.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -27,7 +26,6 @@
protocol unix,inet,inet6,netlink
# blacklisting of ioperm system calls breaks skanlite
seccomp !ioperm
-shell none
# private-bin kbuildsycoca4,kdeinit4,skanlite
# private-dev
@@ -35,3 +33,5 @@
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/skypeforlinux.profile
^
|
@@ -6,24 +6,28 @@
include globals.local
# Disabled until someone reported positive feedback
-ignore whitelist ${DOWNLOADS}
-ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore nou2f
-ignore novideo
-ignore private-dev
-ignore dbus-user none
-ignore dbus-system none
# breaks Skype
ignore apparmor
+ignore dbus-user none
ignore noexec /tmp
+ignore novideo
+ignore private-dev # needs /dev/disk
noblacklist ${HOME}/.config/skypeforlinux
-# private-dev - needs /dev/disk
+mkdir ${HOME}/.config/skypeforlinux
+whitelist ${HOME}/.config/skypeforlinux
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+# Note: Skype will log out the current session on start-up without this:
+dbus-user.talk org.kde.StatusNotifierWatcher
# Redirect
include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/slack.profile
^
|
@@ -26,7 +26,7 @@
whitelist ${HOME}/.config/Slack
private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
# Redirect
include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/slashem.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /var/games/slashem
@@ -33,7 +32,6 @@
novideo
#protocol unix,netlink
#seccomp
-shell none
disable-mnt
#private
@@ -46,3 +44,4 @@
dbus-system none
#memory-deny-write-execute
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/smplayer.profile
^
|
@@ -24,7 +24,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -45,7 +44,6 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-bin env,mplayer,mpv,python*,smplayer,smtube,waf,youtube-dl
private-dev
@@ -54,3 +52,5 @@
# problems with KDE
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/smtube.profile
^
|
@@ -19,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -41,9 +40,9 @@
noroot
protocol unix,inet,inet6,netlink
seccomp
-shell none
#no private-bin because users can add their own players to smtube and that would prevent that
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/smuxi-frontend-gnome.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -42,15 +41,16 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/snox.profile
^
|
@@ -5,8 +5,9 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/softmaker-common.profile
^
|
@@ -6,9 +6,9 @@
# added by caller profile
#include globals.local
-# The offical packages install the desktop file under /usr/local/share/applications
-# with an absolute Exec line. These files are NOT handelt by firecfg,
-# therefore you must manualy copy them in you home and remove '/usr/bin/'.
+# The official packages install the desktop file under /usr/local/share/applications
+# with an absolute Exec line. These files are NOT handled by firecfg,
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
noblacklist ${HOME}/SoftMaker
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/office2018
@@ -38,14 +37,15 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sol.profile
^
|
@@ -9,7 +9,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -34,7 +33,6 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin sol
@@ -46,3 +44,4 @@
dbus-system none
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/songrec.profile
^
|
@@ -0,0 +1,55 @@
+# Firejail profile for songrec
+# Description: An open-source Shazam client for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include songrec.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/SongRec
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+nowhitelist ${PICTURES}
+
+mkdir ${HOME}/.local/share/SongRec
+whitelist ${HOME}/.local/share/SongRec
+include whitelist-common.inc
+include whitelist-player-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+
+disable-mnt
+private-bin ffmpeg,songrec
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sound-juicer.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
private-cache
@@ -42,3 +40,5 @@
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/soundconverter.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -43,9 +42,9 @@
novideo
protocol unix
seccomp
-shell none
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spectacle.profile
^
|
@@ -19,11 +19,10 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-mkfile ${HOME}/.config/spectaclerc
+mkfile ${HOME}/.config/spectaclerc
whitelist ${HOME}/.config/spectaclerc
whitelist ${PICTURES}
whitelist /usr/share/kconf_update/spectacle_newConfig.upd
@@ -50,14 +49,13 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin spectacle
private-cache
private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
private-tmp
dbus-user filter
@@ -67,3 +65,5 @@
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kglobalaccel
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spectral.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -50,10 +48,10 @@
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-tmp
-dbus-user none
-# Add the next lines to your spectral.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your spectral.local to enable notification support.
#dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spectre-meltdown-checker.profile
^
|
@@ -10,6 +10,7 @@
noblacklist ${PATH}/mount
noblacklist ${PATH}/umount
+noblacklist /proc/config.gz
# Allow perl (blacklisted by disable-interpreters.inc)
include allow-perl.inc
@@ -18,7 +19,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -38,12 +38,11 @@
novideo
protocol unix
seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
-shell none
x11 none
disable-mnt
private
-private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-bin awk,basename,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,ps,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,unzstd,which,xz-utils
private-cache
private-tmp
@@ -51,3 +50,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spotify.profile
^
|
@@ -7,6 +7,7 @@
noblacklist ${HOME}/.cache/spotify
noblacklist ${HOME}/.config/spotify
+noblacklist ${HOME}/.config/spotify-adblock
noblacklist ${HOME}/.local/share/spotify
blacklist ${HOME}/.bashrc
@@ -15,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/spotify
@@ -23,6 +23,7 @@
mkdir ${HOME}/.local/share/spotify
whitelist ${HOME}/.cache/spotify
whitelist ${HOME}/.config/spotify
+whitelist ${HOME}/.config/spotify-adblock
whitelist ${HOME}/.local/share/spotify
include whitelist-common.inc
include whitelist-var-common.inc
@@ -38,14 +39,13 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
private-dev
# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,spotify-adblock,ssl
private-opt spotify
private-srv none
private-tmp
@@ -53,3 +53,5 @@
# dbus needed for MPRIS
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sqlitebrowser.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,12 +37,11 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
private-bin sqlitebrowser
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl
private-tmp
# breaks proxy creation
@@ -51,3 +49,4 @@
# dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ssh-agent.profile
^
|
@@ -13,7 +13,6 @@
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-usr-share-common.inc
@@ -28,10 +27,11 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
writable-run-user
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ssh.profile
^
|
@@ -16,7 +16,6 @@
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
@@ -40,7 +39,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-cache
@@ -51,4 +49,6 @@
dbus-user none
dbus-system none
+deterministic-shutdown
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ssmtp.profile
^
|
@@ -0,0 +1,75 @@
+# Firejail profile for ssmtp
+# Description: Extremely simple MTA to get mail off the system to a mailhub
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssmtp.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+noblacklist /etc/logcheck
+noblacklist /etc/ssmtp
+noblacklist /sbin
+noblacklist /usr/sbin
+
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include disable-X11.inc
+
+mkfile ${HOME}/dead.letter
+whitelist ${HOME}/dead.letter
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+#nogroups breaks app
+noinput
+nonewprivs
+noprinters
+#noroot breaks app
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# private works but then we lose ${HOME}/dead.letter
+# which is useful to get notified on mail issues
+#private
+private-bin mailq,newaliases,sendmail,ssmtp
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${HOME}/dead.letter
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/standardnotes-desktop.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/Standard Notes Backups
@@ -39,7 +38,9 @@
disable-mnt
private-dev
private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
dbus-user none
dbus-system none
+
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/steam.profile
^
|
@@ -8,6 +8,7 @@
noblacklist ${HOME}/.config/Epic
noblacklist ${HOME}/.config/Loop_Hero
+noblacklist ${HOME}/.config/MangoHud
noblacklist ${HOME}/.config/ModTheSpire
noblacklist ${HOME}/.config/RogueLegacy
noblacklist ${HOME}/.config/RogueLegacyStorageContainer
@@ -17,9 +18,11 @@
noblacklist ${HOME}/.local/share/aspyr-media
noblacklist ${HOME}/.local/share/bohemiainteractive
noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/Colossal Order
noblacklist ${HOME}/.local/share/Dredmor
noblacklist ${HOME}/.local/share/FasterThanLight
noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/HotlineMiami
noblacklist ${HOME}/.local/share/IntoTheBreach
noblacklist ${HOME}/.local/share/Paradox Interactive
noblacklist ${HOME}/.local/share/PillarsOfEternity
@@ -34,6 +37,8 @@
noblacklist ${HOME}/.local/share/vulkan
noblacklist ${HOME}/.mbwarband
noblacklist ${HOME}/.paradoxinteractive
+noblacklist ${HOME}/.paradoxlauncher
+noblacklist ${HOME}/.prey
noblacklist ${HOME}/.steam
noblacklist ${HOME}/.steampath
noblacklist ${HOME}/.steampid
@@ -51,11 +56,11 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/Epic
mkdir ${HOME}/.config/Loop_Hero
+mkdir ${HOME}/.config/MangoHud
mkdir ${HOME}/.config/ModTheSpire
mkdir ${HOME}/.config/RogueLegacy
mkdir ${HOME}/.config/unity3d
@@ -65,9 +70,11 @@
mkdir ${HOME}/.local/share/aspyr-media
mkdir ${HOME}/.local/share/bohemiainteractive
mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/Colossal Order
mkdir ${HOME}/.local/share/Dredmor
mkdir ${HOME}/.local/share/FasterThanLight
mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/HotlineMiami
mkdir ${HOME}/.local/share/IntoTheBreach
mkdir ${HOME}/.local/share/Paradox Interactive
mkdir ${HOME}/.local/share/PillarsOfEternity
@@ -81,11 +88,14 @@
mkdir ${HOME}/.local/share/vulkan
mkdir ${HOME}/.mbwarband
mkdir ${HOME}/.paradoxinteractive
+mkdir ${HOME}/.paradoxlauncher
+mkdir ${HOME}/.prey
mkdir ${HOME}/.steam
mkfile ${HOME}/.steampath
mkfile ${HOME}/.steampid
whitelist ${HOME}/.config/Epic
whitelist ${HOME}/.config/Loop_Hero
+whitelist ${HOME}/.config/MangoHud
whitelist ${HOME}/.config/ModTheSpire
whitelist ${HOME}/.config/RogueLegacy
whitelist ${HOME}/.config/RogueLegacyStorageContainer
@@ -96,9 +106,11 @@
whitelist ${HOME}/.local/share/aspyr-media
whitelist ${HOME}/.local/share/bohemiainteractive
whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/Colossal Order
whitelist ${HOME}/.local/share/Dredmor
whitelist ${HOME}/.local/share/FasterThanLight
whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/HotlineMiami
whitelist ${HOME}/.local/share/IntoTheBreach
whitelist ${HOME}/.local/share/Paradox Interactive
whitelist ${HOME}/.local/share/PillarsOfEternity
@@ -113,6 +125,8 @@
whitelist ${HOME}/.local/share/vulkan
whitelist ${HOME}/.mbwarband
whitelist ${HOME}/.paradoxinteractive
+whitelist ${HOME}/.paradoxlauncher
+whitelist ${HOME}/.prey
whitelist ${HOME}/.steam
whitelist ${HOME}/.steampath
whitelist ${HOME}/.steampid
@@ -133,7 +147,6 @@
nodvd
nogroups
nonewprivs
-# If you use nVidia you might need to add 'ignore noroot' to your steam.local.
noroot
notv
nou2f
@@ -142,14 +155,17 @@
protocol unix,inet,inet6,netlink
# seccomp sometimes causes issues (see #2951, #3267).
# Add 'ignore seccomp' to your steam.local if you experience this.
-seccomp !ptrace
-shell none
+# mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
+# (see #4366).
+seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+# process_vm_readv is used by GE-Proton7-18 (see #5185).
+seccomp.32 !process_vm_readv
# tracelog breaks integrated browser
#tracelog
# private-bin is disabled while in testing, but is known to work with multiple games.
# Add the next line to your steam.local to enable private-bin.
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,wget2,which,whoami,xterm,xz,zenity
# Extra programs are available which might be needed for select games.
# Add the next line to your steam.local to enable support for these programs.
#private-bin java,java-config,mono
@@ -159,8 +175,11 @@
private-dev
# private-etc breaks a small selection of games on some systems. Add 'ignore private-etc'
# to your steam.local to support those.
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan
private-tmp
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
+
+read-only ${HOME}/.config/MangoHud
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/stellarium.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -37,7 +36,6 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -45,3 +43,4 @@
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/straw-viewer.profile
^
|
@@ -18,4 +18,4 @@
private-bin gtk-straw-viewer,straw-viewer
# Redirect
-include youtube-viewers-common.profile
\ No newline at end of file
+include youtube-viewers-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/strawberry.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -37,14 +36,15 @@
protocol unix,inet,inet6,netlink
# blacklisting of ioprio_set system calls breaks strawberry
seccomp !ioprio_set
-shell none
tracelog
disable-mnt
private-bin strawberry,strawberry-tagreader
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
private-tmp
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/strings.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
#include disable-programs.inc
include disable-shell.inc
#include disable-xdg.inc
@@ -39,7 +38,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
x11 none
@@ -56,3 +54,4 @@
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/subdownloader.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,15 +39,15 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/supertux2.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -31,7 +30,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -40,15 +38,16 @@
protocol unix,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
# private-bin supertux2
private-cache
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/supertuxkart.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -44,10 +43,9 @@
notv
nou2f
novideo
-protocol unix,inet,inet6,bluetooth
+protocol unix,inet,inet6,netlink,bluetooth
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -55,10 +53,12 @@
private-cache
# Add the next line to your supertuxkart.local if you do not need controller support.
#private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
private-tmp
private-opt none
private-srv none
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/surf.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.surf
@@ -29,12 +28,12 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sushi.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
# include disable-programs.inc
include disable-shell.inc
@@ -32,7 +31,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin gjs,sushi
@@ -47,3 +45,4 @@
read-only /run/mount
read-only /run/media
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sway.profile
^
|
@@ -0,0 +1,21 @@
+# Firejail profile for Sway
+# Description: i3-compatible Wayland compositor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sway.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in sway will run in this profile
+noblacklist ${HOME}/.config/sway
+# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
+noblacklist ${HOME}/.config/i3
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sylpheed.profile
^
|
@@ -15,12 +15,5 @@
# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
-dbus-user filter
-dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
-dbus-user.talk org.gnome.keyring.SystemPrompter
-# Add the next line to your sylpheed.local to enable notifications.
-# dbus-user.talk org.freedesktop.Notifications
-
# Redirect
include email-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/synfigstudio.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -29,7 +28,6 @@
novideo
protocol unix
seccomp
-shell none
#private-bin ffmpeg,synfig,synfigstudio
private-cache
@@ -38,3 +36,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sysprof.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -57,14 +56,13 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
#private-bin sysprof - breaks help menu
private-cache
private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
# private-lib - breaks help menu
#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
private-tmp
@@ -76,3 +74,4 @@
dbus-user.talk ca.desrt.dconf
# memory-deny-write-execute - breaks on Arch
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tar.profile
^
|
@@ -7,6 +7,9 @@
# Persistent global definitions
include globals.local
+# If you use nvm, add the below lines to your tar.local
+#noblacklist ${HOME}/.nvm
+
# Included in archiver-common.profile
ignore include disable-shell.inc
@@ -14,7 +17,7 @@
# all capabilities this is automatically read-only.
noblacklist /var/lib/pacman
-private-etc alternatives,group,localtime,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd
#private-lib libfakeroot,liblzma.so.*,libreadline.so.*
# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
writable-var
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tcpdump.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -45,3 +44,4 @@
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/teams-for-linux.profile
^
|
@@ -11,6 +11,8 @@
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
+ignore noinput
+
ignore dbus-user none
ignore dbus-system none
@@ -19,8 +21,8 @@
mkdir ${HOME}/.config/teams-for-linux
whitelist ${HOME}/.config/teams-for-linux
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
# Redirect
include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/teamspeak3.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.ts3client
@@ -35,9 +34,9 @@
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot
-shell none
disable-mnt
private-dev
private-tmp
+# restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/teeworlds.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -27,7 +26,6 @@
netfilter
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -35,7 +33,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -46,3 +43,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/telegram.profile
^
|
@@ -8,11 +8,13 @@
noblacklist ${HOME}/.TelegramDesktop
noblacklist ${HOME}/.local/share/TelegramDesktop
+# Allow opening hyperlinks
+include allow-bin-sh.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -22,6 +24,7 @@
whitelist ${HOME}/.TelegramDesktop
whitelist ${HOME}/.local/share/TelegramDesktop
whitelist ${DOWNLOADS}
+whitelist /usr/share/TelegramDesktop
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
@@ -38,18 +41,20 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
disable-mnt
-#private-bin telegram,Telegram,telegram-desktop
+private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
private-cache
private-dev
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
private-tmp
dbus-user filter
+dbus-user.own org.telegram.desktop.*
dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.gnome.Mutter.IdleMonitor
dbus-user.talk org.freedesktop.ScreenSaver
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/telnet.profile
^
|
@@ -0,0 +1,54 @@
+# Firejail profile for telnet
+# Description: standard telnet client
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include telnet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/telnet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+#include disable-shell.inc
+include disable-write-mnt.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+tracelog
+
+#disable-mnt
+#private-bin PROGRAMS
+private-cache
+private-dev
+#private-etc FILES
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+noexec ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/terasology.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.java
@@ -38,7 +37,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-dev
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tesseract.profile
^
|
@@ -0,0 +1,65 @@
+# Firejail profile for tesseract
+# Description: An OCR program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tesseract.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/tessdata
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname tesseract
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+tracelog
+x11 none
+
+#disable-mnt
+private-bin ambiguous_words,classifier_tester,cntraining,combine_lang_model,combine_tessdata,dawg2wordlist,lstmeval,lstmtraining,merge_unicharsets,mftraining,set_unicharset_properties,shapeclustering,tesseract,text2image,unicharset_extractor,wordlist2dawg
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+#private-lib libtesseract.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/thunderbird.profile
^
|
@@ -31,7 +31,6 @@
# noblacklist ${HOME}/.icedove
noblacklist ${HOME}/.thunderbird
-include disable-passwdmgr.inc
include disable-xdg.inc
# If you have setup Thunderbird to archive emails to a local folder,
@@ -48,6 +47,7 @@
whitelist ${HOME}/.thunderbird
whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
whitelist /usr/share/mozilla
whitelist /usr/share/thunderbird
whitelist /usr/share/webext
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tilp.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -25,12 +24,12 @@
novideo
protocol unix,netlink
seccomp
-shell none
tracelog
disable-mnt
private-bin tilp
private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tin.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -52,14 +51,13 @@
protocol inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin rtin,tin
private-cache
private-dev
-private-etc passwd,resolv.conf,terminfo,tin
+private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin
private-lib terminfo
private-tmp
@@ -67,3 +65,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tmux.profile
^
|
@@ -15,7 +15,6 @@
# include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
-include disable-passwdmgr.inc
# include disable-programs.inc
caps.drop all
@@ -35,7 +34,6 @@
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
-shell none
tracelog
# private-cache
@@ -44,3 +42,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tor-browser.profile
^
|
@@ -7,9 +7,12 @@
#include globals.local
noblacklist ${HOME}/.tor-browser
+noblacklist ${HOME}/.local/opt/tor-browser
mkdir ${HOME}/.tor-browser
whitelist ${HOME}/.tor-browser
+mkdir ${HOME}/.local/opt/tor-browser
+whitelist ${HOME}/.local/opt/tor-browser
# Redirect
include torbrowser-launcher.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tor.profile
^
|
@@ -21,7 +21,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,13 +39,14 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private
private-bin bash,tor
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
private-tmp
writable-var
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/torbrowser-launcher.profile
^
|
@@ -15,14 +15,13 @@
include allow-python2.inc
include allow-python3.inc
-blacklist /opt
blacklist /srv
+blacklist /sys/class/net
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,6 +30,7 @@
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/torbrowser
whitelist ${HOME}/.local/share/torbrowser
+whitelist /opt/tor-browser
whitelist /usr/share/torbrowser-launcher
include whitelist-common.inc
include whitelist-var-common.inc
@@ -53,7 +53,6 @@
novideo
protocol unix,inet,inet6
seccomp !chroot
-shell none
#tracelog - may cause issues, see #1930
disable-mnt
@@ -64,3 +63,5 @@
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/torbrowser.profile
^
|
@@ -0,0 +1,27 @@
+# Firejail profile for torbrowser
+# Description: This profile was tested with www-client/torbrowser::torbrowser
+# on Gentoo Linux.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torbrowser.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+blacklist /usr/libexec
+blacklist /sys/class/net
+
+mkdir ${HOME}/.cache/mozilla/torbrowser
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/torbrowser
+whitelist ${HOME}/.mozilla
+include whitelist-usr-share-common.inc
+
+dbus-user filter
+dbus-user.own org.mozilla.torbrowser.*
+
+include firefox-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/torcs.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -29,7 +28,6 @@
net none
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -37,7 +35,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -48,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/totem.profile
^
|
@@ -20,7 +20,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -46,7 +45,6 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin totem
@@ -59,3 +57,5 @@
# makes settings immutable
# dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tracker.profile
^
|
@@ -14,7 +14,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -32,9 +31,10 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin tracker
# private-dev
# private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transgui.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -40,13 +39,12 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin geoiplookup,geoiplookup6,transgui
private-cache
private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
private-tmp
@@ -54,3 +52,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-cli.profile
^
|
@@ -8,7 +8,7 @@
include globals.local
private-bin transmission-cli
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
# Redirect
include transmission-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-common.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/transmission
@@ -41,15 +40,14 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
private-cache
private-dev
-private-lib
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-daemon.profile
^
|
@@ -17,7 +17,7 @@
protocol packet
private-bin transmission-daemon
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
read-write /var/lib/transmission
writable-var-log
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-gtk.profile
^
|
@@ -12,6 +12,12 @@
private-bin transmission-gtk
private-cache
+# If you need native notifications, add the next lines to your transmission-gtk.local.
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.own com.transmissionbt.Transmission.*
+#dbus-user.talk org.freedesktop.Notifications
+
ignore memory-deny-write-execute
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-qt.profile
^
|
@@ -9,8 +9,11 @@
private-bin transmission-qt
-# private-lib - breaks on Arch
-ignore private-lib
+# If you need native notifications, add the next lines to your transmission-qt.local.
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.own com.transmissionbt.Transmission.*
+#dbus-user.talk org.freedesktop.Notifications
ignore memory-deny-write-execute
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-remote-gtk.profile
^
|
@@ -12,9 +12,7 @@
mkdir ${HOME}/.config/transmission-remote-gtk
whitelist ${HOME}/.config/transmission-remote-gtk
-private-etc fonts,hostname,hosts,resolv.conf
-# Problems with private-lib (see issue #2889)
-ignore private-lib
+private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf
ignore memory-deny-write-execute
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-remote.profile
^
|
@@ -8,7 +8,7 @@
include globals.local
private-bin transmission-remote
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
# Redirect
include transmission-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-show.profile
^
|
@@ -8,7 +8,7 @@
include globals.local
private-bin transmission-show
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
# Redirect
include transmission-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tremulous.profile
^
|
@@ -8,11 +8,13 @@
noblacklist ${HOME}/.tremulous
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,14 +40,15 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
private-cache
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/trojita.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -47,7 +46,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
# disable-mnt
@@ -55,7 +53,7 @@
private-bin trojita
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
private-tmp
dbus-user filter
@@ -63,3 +61,4 @@
dbus-system none
read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/truecraft.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.config/mono
@@ -32,9 +31,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tuir.profile
^
|
@@ -0,0 +1,23 @@
+# Firejail profile for tuir
+# Description: Browse Reddit from your terminal (rtv fork)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuir.local
+# Persistent global definitions
+#include globals.local
+
+ignore mkdir ${HOME}/.config/rtv
+ignore mkdir ${HOME}/.local/share/rtv
+
+noblacklist ${HOME}/.config/tuir
+noblacklist ${HOME}/.local/share/tuir
+
+mkdir ${HOME}/.config/tuir
+mkdir ${HOME}/.local/share/tuir
+whitelist ${HOME}/.config/tuir
+whitelist ${HOME}/.local/share/tuir
+
+private-bin tuir
+
+# Redirect
+include rtv.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tuxguitar.profile
^
|
@@ -20,7 +20,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -44,3 +43,5 @@
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tvbrowser.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -42,7 +41,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -52,3 +50,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/twitch.profile
^
|
@@ -17,8 +17,8 @@
mkdir ${HOME}/.config/Twitch
whitelist ${HOME}/.config/Twitch
-private-bin twitch
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],twitch
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-opt Twitch
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/udiskie.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
novideo
protocol unix
seccomp !request_key
-shell none
tracelog
private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
@@ -44,3 +42,5 @@
private-dev
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uefitool.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -30,7 +29,6 @@
novideo
protocol unix
seccomp
-shell none
private-cache
private-dev
@@ -38,3 +36,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uget-gtk.profile
^
|
@@ -32,8 +32,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin uget-gtk
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unbound.profile
^
|
@@ -10,18 +10,20 @@
noblacklist /usr/sbin
blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
+whitelist /usr/share/dns
include whitelist-usr-share-common.inc
+whitelist /var/lib/ca-certificates
+read-only /var/lib/ca-certificates
whitelist /var/lib/unbound
whitelist /var/run
@@ -38,7 +40,7 @@
nou2f
novideo
protocol inet,inet6
-seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+seccomp !chroot
disable-mnt
private
@@ -49,5 +51,5 @@
dbus-user none
dbus-system none
-# mdwe can break modules/plugins
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unf.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,7 +40,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
@@ -50,7 +48,7 @@
private-cache
?HAS_APPIMAGE: ignore private-dev
private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
private-lib gcc/*/*/libgcc_s.so.*
private-tmp
@@ -58,3 +56,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unknown-horizons.profile
^
|
@@ -10,7 +10,6 @@
include disable-common.inc
include disable-exec.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.unknown-horizons
@@ -33,7 +32,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
disable-mnt
# private-bin unknown-horizons
@@ -43,3 +41,4 @@
# doesn't work - maybe all Tcl/Tk programs have this problem
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unrar.profile
^
|
@@ -8,7 +8,7 @@
include globals.local
private-bin unrar
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
private-tmp
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unzip.profile
^
|
@@ -10,7 +10,7 @@
# GNOME Shell integration (chrome-gnome-shell)
noblacklist ${HOME}/.local/share/gnome-shell
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
# Redirect
include archiver-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/utox.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,14 +36,14 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin utox
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uudeview.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -35,14 +34,15 @@
novideo
protocol unix
seccomp
-shell none
tracelog
x11 none
private-bin uudeview
private-cache
private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uzbl-browser.profile
^
|
@@ -8,6 +8,7 @@
noblacklist ${HOME}/.config/uzbl
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/uzbl
+noblacklist ${HOME}/.password-store
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@@ -38,3 +39,5 @@
protocol unix,inet,inet6
seccomp
tracelog
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/viewnior.profile
^
|
@@ -16,10 +16,10 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
+whitelist /usr/share/viewnior
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -38,16 +38,16 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin viewnior
private-cache
private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
dbus-user none
dbus-system none
#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/viking.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -31,8 +30,8 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vim.profile
^
|
@@ -14,7 +14,6 @@
include allow-common-devel.inc
include disable-common.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-runuser-common.inc
@@ -33,3 +32,5 @@
seccomp
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/virtualbox.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,13 +39,12 @@
nodvd
#nogroups
notv
-shell none
tracelog
#disable-mnt
#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
private-cache
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
private-tmp
dbus-user none
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vlc.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
read-only ${DESKTOP}
@@ -28,9 +27,11 @@
whitelist ${HOME}/.local/share/vlc
include whitelist-common.inc
include whitelist-player-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
include whitelist-var-common.inc
-#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
+apparmor
caps.drop all
netfilter
nogroups
@@ -40,15 +41,17 @@
nou2f
protocol unix,inet,inet6,netlink
seccomp
-shell none
private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
private-dev
private-tmp
-# dbus needed for MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.vlc
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
-# mdwe is disabled due to breaking hardware accelerated decoding
-#memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vmware-view.profile
^
|
@@ -7,6 +7,7 @@
include globals.local
noblacklist ${HOME}/.vmware
+noblacklist /usr/lib/vmware
noblacklist /sbin
noblacklist /usr/sbin
@@ -17,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,7 +43,6 @@
protocol unix,inet,inet6
seccomp !iopl
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -55,3 +54,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vmware.profile
^
|
@@ -8,12 +8,12 @@
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
+noblacklist /usr/lib/vmware
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -33,12 +33,11 @@
netfilter
nogroups
notv
-shell none
tracelog
#disable-mnt
# Add the next line to your vmware.local to enable private-bin.
#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
dbus-user none
dbus-system none
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vscodium.profile
^
|
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
# This file is overwritten after every install/update
# Persistent local customizations
include vscodium.local
@@ -7,6 +7,7 @@
#include globals.local
noblacklist ${HOME}/.VSCodium
+noblacklist ${HOME}/.config/VSCodium
# Redirect
include code.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vym.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -29,9 +28,9 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/w3m.profile
^
|
@@ -27,7 +27,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -56,17 +55,17 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin perl,sh,w3m
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/warmux.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,15 +42,16 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin warmux
private-cache
private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/warsow.profile
^
|
@@ -11,11 +11,13 @@
noblacklist ${HOME}/.cache/warsow-2.1
noblacklist ${HOME}/.local/share/warsow-2.1
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -35,22 +37,22 @@
netfilter
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
nou2f
novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
private-cache
private-dev
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/warzone2100.profile
^
|
@@ -7,20 +7,22 @@
include globals.local
noblacklist ${HOME}/.warzone2100-3.*
+noblacklist ${HOME}/.local/share/warzone2100-3.*
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
-include disable-shell.inc
+#include disable-shell.inc - problems on Debian 11
mkdir ${HOME}/.warzone2100-3.1
mkdir ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.local/share/warzone2100-3.3.0 # config dir moved under .local/share
whitelist ${HOME}/.warzone2100-3.1
whitelist ${HOME}/.warzone2100-3.2
whitelist /usr/share/games
+whitelist /usr/share/gdm
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
@@ -39,10 +41,11 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
-private-bin warzone2100
+private-bin bash,dash,sh,warzone2100,which
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/webstorm.profile
^
|
@@ -18,13 +18,12 @@
# Allow ssh (blacklisted by disable-common.inc)
include allow-ssh.inc
-noblacklist ${PATH}/node
noblacklist ${HOME}/.nvm
+noblacklist ${PATH}/node
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -39,8 +38,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/webui-aria2.profile
^
|
@@ -6,13 +6,13 @@
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.nvm
noblacklist ${PATH}/node
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -29,7 +29,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-cache
private-dev
@@ -37,3 +36,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/weechat-curses.profile
^
|
@@ -1,5 +1,6 @@
# Firejail profile alias for weechat
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include weechat-curses.local
# Persistent global definitions
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/weechat.profile
^
|
@@ -1,6 +1,7 @@
# Firejail profile for weechat
# Description: Fast, light and extensible chat client
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
include weechat.local
# Persistent global definitions
@@ -27,3 +28,5 @@
# no private-bin support for various reasons:
# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wesnoth.profile
^
|
@@ -13,7 +13,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.cache/wesnoth
@@ -37,3 +36,5 @@
private-dev
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wget.profile
^
|
@@ -11,6 +11,10 @@
noblacklist ${HOME}/.wget-hsts
noblacklist ${HOME}/.wgetrc
+# If you use nvm, add the below lines to your wget.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}
@@ -18,7 +22,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
# Depending on workflow you can add the next line to your wget.local.
@@ -45,7 +48,6 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin wget
@@ -59,3 +61,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wget2.profile
^
|
@@ -0,0 +1,20 @@
+# Firejail profile for wget2
+# Description: Updated version of the popular wget URL retrieval tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include wget2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/wget
+noblacklist ${HOME}/.local/share/wget
+ignore noblacklist ${HOME}/.wgetrc
+
+private-bin wget2
+# Depending on workflow you can add the next line to your wget2.local.
+#private-etc wget2rc
+
+# Redirect
+include wget.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/whalebird.profile
^
|
@@ -10,6 +10,7 @@
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
+ignore apparmor
ignore dbus-user none
ignore dbus-system none
@@ -20,8 +21,8 @@
no3d
-private-bin whalebird
-private-etc fonts,machine-id
+private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
# Redirect
include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/whois.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -40,7 +39,6 @@
protocol inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
@@ -48,7 +46,7 @@
private-bin bash,sh,whois
private-cache
private-dev
-private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf
private-lib gconv
private-tmp
@@ -56,3 +54,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/widelands.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -36,7 +35,6 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
tracelog
disable-mnt
@@ -47,3 +45,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wine.profile
^
|
@@ -6,6 +6,7 @@
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.cache/wine
noblacklist ${HOME}/.cache/winetricks
noblacklist ${HOME}/.Steam
noblacklist ${HOME}/.local/share/Steam
@@ -17,7 +18,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
# whitelist /usr/share/wine
@@ -40,3 +40,5 @@
seccomp
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wire-desktop.profile
^
|
@@ -26,7 +26,7 @@
whitelist ${HOME}/.config/Wire
private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
# Redirect
include electron.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wireshark.profile
^
|
@@ -17,7 +17,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -27,7 +26,7 @@
apparmor
# caps.drop all
-caps.keep dac_override,net_admin,net_raw
+caps.keep dac_override,dac_read_search,net_admin,net_raw
netfilter
no3d
# nogroups - breaks network traffic capture for unprivileged users
@@ -41,14 +40,17 @@
novideo
# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
#seccomp
-shell none
tracelog
# private-bin wireshark
private-cache
-private-dev
+# private-dev prevents (some) interfaces from being shown.
+# Add the below line to your wirehsark.local if you only want to inspect pcap files.
+#private-dev
# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
private-tmp
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wordwarvi.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,7 +37,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -46,8 +44,10 @@
private-bin wordwarvi
private-cache
private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wps.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-usr-share-common.inc
@@ -39,7 +38,6 @@
protocol unix,inet,inet6
# seccomp causes some minor issues. Add the next line to your wps.local if you can live with those.
#seccomp
-shell none
tracelog
private-cache
@@ -48,3 +46,5 @@
dbus-user none
dbus-system none
+
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/x-terminal-emulator.profile
^
|
@@ -21,3 +21,4 @@
dbus-system none
noexec /tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/x2goclient.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
apparmor
@@ -34,7 +33,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
#private-bin nxproxy,x2goclient
@@ -50,3 +48,4 @@
dbus-system none
#memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xbill.profile
^
|
@@ -10,7 +10,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,7 +36,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
disable-mnt
@@ -45,7 +43,7 @@
private-bin xbill
private-cache
private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
private-tmp
dbus-user none
@@ -53,3 +51,4 @@
memory-deny-write-execute
read-only ${HOME}
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xcalc.profile
^
|
@@ -9,7 +9,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -31,7 +30,6 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private
@@ -42,3 +40,5 @@
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xchat.profile
^
|
@@ -21,3 +21,5 @@
seccomp
# private-bin requires perl, python*, etc.
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xed.profile
^
|
@@ -18,7 +18,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -40,7 +39,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin xed
@@ -53,3 +51,4 @@
# xed uses python plugins, memory-deny-write-execute breaks python
# memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfburn.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
caps.drop all
@@ -24,9 +23,10 @@
novideo
protocol unix
seccomp
-shell none
tracelog
# private-bin xfburn
# private-dev
# private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-dict.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -32,10 +31,10 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-mixer.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -41,13 +40,12 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-bin xfce4-mixer,xfconf-query
private-cache
private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
private-tmp
dbus-user filter
@@ -56,3 +54,4 @@
dbus-system none
# memory-deny-write-execute - breaks on Arch
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-notes.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-var-common.inc
@@ -34,10 +33,10 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
private-cache
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-screenshooter.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -37,16 +36,16 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin xfce4-screenshooter,xfconf-query
private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
# memory-deny-write-execute -- see #3790
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xiphos.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -41,12 +40,13 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
private-bin xiphos
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xlinks.profile
^
|
@@ -14,7 +14,7 @@
# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
private-bin xlinks
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
# Redirect
include links.profile
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xlinks2.profile
^
|
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks2
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks2
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+
+# Redirect
+include links2.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xmms.profile
^
|
@@ -11,7 +11,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -27,7 +26,8 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
private-bin xmms
private-dev
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xmr-stak.profile
^
|
@@ -11,7 +11,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -33,15 +32,15 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private ${HOME}/.xmr-stak
private-bin xmr-stak
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
private-opt cuda
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xonotic.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -33,7 +32,6 @@
netfilter
nodvd
nogroups
-noinput
nonewprivs
noroot
notv
@@ -41,7 +39,6 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
@@ -56,3 +53,4 @@
read-only ${HOME}
read-write ${HOME}/.xonotic
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xournal.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -38,15 +37,16 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin xournal
private-cache
private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
# TODO should use private-lib
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xournalpp.profile
^
|
@@ -7,6 +7,8 @@
# added by included profile
#include globals.local
+noblacklist ${HOME}/.cache/xournalpp
+noblacklist ${HOME}/.config/xournalpp
noblacklist ${HOME}/.xournalpp
include allow-lua.inc
@@ -16,14 +18,17 @@
whitelist /var/lib/texmf
include whitelist-runuser-common.inc
-#mkdir ${HOME}/.xournalpp
+#mkdir ${HOME}/.cache/xournalpp
+#mkdir ${HOME}/.config/xournalpp
+#whitelist ${HOME}/.cache/xournalpp
+#whitelist ${HOME}/.config/xournalpp
#whitelist ${HOME}/.xournalpp
#whitelist ${HOME}/.texlive20*
#whitelist ${DOCUMENTS}
#include whitelist-common.inc
private-bin kpsewhich,pdflatex,xournalpp
-private-etc latexmk.conf,texlive
+private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive
# Redirect
include xournal.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xpdf.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
private-dev
private-tmp
@@ -44,3 +42,4 @@
dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xplayer.profile
^
|
@@ -16,7 +16,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
read-only ${DESKTOP}
@@ -38,7 +37,6 @@
nou2f
protocol unix,inet,inet6
seccomp
-shell none
tracelog
private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
@@ -49,3 +47,5 @@
# makes settings immutable
# dbus-user none
# dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xpra.profile
^
|
@@ -22,7 +22,6 @@
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
whitelist /var/lib/xkb
@@ -43,7 +42,6 @@
novideo
protocol unix
seccomp
-shell none
disable-mnt
# private home directory doesn't work on some distros, so we go for a regular home
@@ -53,3 +51,5 @@
private-dev
# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xreader.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -35,12 +34,12 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin xreader,xreader-previewer,xreader-thumbnailer
private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
private-tmp
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xviewer.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
@@ -35,7 +34,6 @@
novideo
protocol unix
seccomp
-shell none
tracelog
private-bin xviewer
@@ -48,3 +46,4 @@
# dbus-system none
memory-deny-write-execute
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/yandex-browser.profile
^
|
@@ -5,8 +5,9 @@
# Persistent global definitions
include globals.local
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/yelp.profile
^
|
@@ -12,7 +12,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -50,14 +49,13 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin groff,man,tbl,troff,yelp
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
private-tmp
dbus-user filter
@@ -76,3 +74,5 @@
# your yelp.local if you need PDF printing support.
#noblacklist ${DOCUMENTS}
#whitelist ${DOCUMENTS}
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-dl-gui.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -43,15 +42,16 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
disable-mnt
private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl
private-tmp
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-dl.profile
^
|
@@ -27,7 +27,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -53,16 +52,16 @@
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin env,ffmpeg,python*,youtube-dl
private-cache
private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
private-tmp
dbus-user none
dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-viewer.profile
^
|
@@ -18,4 +18,4 @@
private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
# Redirect
-include youtube-viewers-common.profile
\ No newline at end of file
+include youtube-viewers-common.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-viewers-common.profile
^
|
@@ -19,11 +19,17 @@
include allow-python2.inc
include allow-python3.inc
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
@@ -47,15 +53,19 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
tracelog
disable-mnt
-private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl
+private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
private-cache
private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
private-tmp
-dbus-user none
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube.profile
^
|
@@ -16,8 +16,8 @@
mkdir ${HOME}/.config/Youtube
whitelist ${HOME}/.config/Youtube
-private-bin youtube
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],youtube
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-opt Youtube
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtubemusic-nativefier.profile
^
|
@@ -13,8 +13,8 @@
mkdir ${HOME}/.config/youtubemusic-nativefier-040164
whitelist ${HOME}/.config/youtubemusic-nativefier-040164
-private-bin youtubemusic-nativefier
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-opt youtubemusic-nativefier
# Redirect
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/yt-dlp.profile
^
|
@@ -0,0 +1,21 @@
+# Firejail profile for yt-dlp
+# Description: Downloader of videos of various sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include yt-dlp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
+
+private-bin ffprobe,yt-dlp
+private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf
+
+# Redirect
+include youtube-dl.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ytmdesktop.profile
^
|
@@ -1,5 +1,5 @@
# Firejail profile for ytmdesktop
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
# This file is overwritten after every install/update
# Persistent local customizations
include youtube.local
@@ -14,7 +14,7 @@
whitelist ${HOME}/.config/youtube-music-desktop-app
# private-bin env,ytmdesktop
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
# private-opt
# Redirect
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zaproxy.profile
^
|
@@ -15,7 +15,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.java
@@ -40,9 +39,9 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-dev
private-tmp
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zart.profile
^
|
@@ -13,7 +13,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -30,10 +29,11 @@
nou2f
protocol unix
seccomp
-shell none
private-bin ffmpeg,ffplay,ffprobe,melt,zart
private-dev
dbus-user none
dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zathura.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
@@ -44,7 +43,6 @@
protocol unix
seccomp
seccomp.block-secondary
-shell none
tracelog
private-bin zathura
@@ -61,3 +59,4 @@
read-only ${HOME}
read-write ${HOME}/.config/zathura
read-write ${HOME}/.local/share/zathura
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zeal.profile
^
|
@@ -6,27 +6,35 @@
# Persistent global definitions
include globals.local
-noblacklist ${HOME}/.config/Zeal
noblacklist ${HOME}/.cache/Zeal
+noblacklist ${HOME}/.config/Zeal
noblacklist ${HOME}/.local/share/Zeal
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
+include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
+# Allow zeal to open links in Firefox browsers.
+# This also requires dbus-user filtering (see below).
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
mkdir ${HOME}/.cache/Zeal
-mkdir ${HOME}/.config/qt5ct
mkdir ${HOME}/.config/Zeal
mkdir ${HOME}/.local/share/Zeal
whitelist ${HOME}/.cache/Zeal
whitelist ${HOME}/.config/Zeal
whitelist ${HOME}/.local/share/Zeal
include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
@@ -45,7 +53,7 @@
novideo
protocol unix,inet,inet6,netlink
seccomp
-shell none
+seccomp.block-secondary
tracelog
disable-mnt
@@ -55,7 +63,10 @@
private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
private-tmp
-dbus-user none
+dbus-user filter
+dbus-user.talk org.mozilla.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-system none
# memory-deny-write-execute - breaks on Arch
+restrict-namespaces
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zim.profile
^
|
@@ -0,0 +1,72 @@
+# Firejail profile for Zim
+# Description: Desktop wiki & notekeeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/zim
+noblacklist ${HOME}/.config/zim
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/zim
+mkdir ${HOME}/.config/zim
+mkdir ${HOME}/Notebooks
+whitelist ${HOME}/.cache/zim
+whitelist ${HOME}/.config/zim
+whitelist ${HOME}/Notebooks
+whitelist ${DESKTOP}
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+whitelist /usr/share/zim
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin python*,zim
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zulip.profile
^
|
@@ -14,7 +14,6 @@
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
-include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
@@ -39,11 +38,12 @@
novideo
protocol unix,inet,inet6
seccomp
-shell none
disable-mnt
private-bin locale,zulip
private-cache
private-dev
-private-etc asound.conf,fonts,machine-id
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id
private-tmp
+
+restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/templates/profile.template
^
|
@@ -102,13 +102,11 @@
#include allow-ssh.inc
##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only; supersedes Disable Wayland)
#blacklist ${RUNUSER}
-# Remove the next blacklist if you system has no /usr/libexec dir,
+# Remove the next blacklist if your system has no /usr/libexec dir,
# otherwise try to add it.
#blacklist /usr/libexec
@@ -118,10 +116,11 @@
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
-#include disable-passwdmgr.inc
+#include disable-proc.inc
#include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
+#include disable-X11.inc
#include disable-xdg.inc
# This section often mirrors noblacklist section above. The idea is
@@ -133,6 +132,7 @@
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
+#include whitelist-run-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc
@@ -155,6 +155,7 @@
#nogroups
#noinput
#nonewprivs
+#noprinters
#noroot
#nosound
#notv
@@ -173,7 +174,7 @@
##seccomp-error-action log (only for debugging seccomp issues)
#shell none
#tracelog
-# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
##x11 none
#disable-mnt
@@ -205,7 +206,7 @@
# Since 0.9.63 also a more granular control of dbus is supported.
# To get the dbus-addresses an application needs access to you can
-# check with flatpak (when the application is distriputed that way):
+# check with flatpak (when the application is distributed that way):
# flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
# - flatpak implicitly allows an app to own <APP-ID> on the session bus
@@ -213,16 +214,18 @@
# - In order to make dconf work (when used by the app) you need to allow
# 'ca.desrt.dconf' even when not allowed by flatpak.
# Notes and policies about addresses can be found at
-# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
+# <https://github.com/netblue30/firejail/wiki/Restrict-DBus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none
+##deterministic-shutdown
##env VAR=VALUE
##join-or-start NAME
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
##read-write ${HOME}
+#restrict-namespaces
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/templates/syscalls.txt
^
|
@@ -27,26 +27,26 @@
Definition of groups
--------------------
-@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
-@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit,io_uring_enter,io_uring_register,io_uring_setup
+@basic-io=_llseek,close,close_range,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
-@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@debug=lookup_dcookie,perf_event_open,pidfd_getfd,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
@default-nodebuggers=@default,ptrace,personality,process_vm_readv
@default-keep=execveat,execve,prctl
-@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@file-system=access,chdir,chmod,close,close_range,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,openat2,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
-@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_madvise,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
@keyring=add_key,keyctl,request_key
@memlock=mlock,mlock2,mlockall,munlock,munlockall
@module=delete_module,finit_module,init_module
-@mount=chroot,mount,pivot_root,umount,umount2
+@mount=chroot,fsconfig,fsmount,fsopen,fspick,mount,move_mount,open_tree,pivot_root,umount,umount2
@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
-@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@reboot=kexec_load,kexec_file_load,reboot
@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
@@ -89,18 +89,24 @@
What to do if seccomp breaks a program
--------------------------------------
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
+
```
-$ journalctl --grep=syscall --follow
-<...> audit[…]: SECCOMP <...> syscall=161 <...>
-$ firejail --debug-syscalls | grep 161
-161 - chroot
+term1$ journalctl --grep=SECCOMP --follow
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
+term1$ (journalctl --grep=SECCOMP --follow)
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161 - chroot
```
Profile: `seccomp -> seccomp !chroot`
-
-Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
-Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-will see something like `NUMBER - NAME`, because you now know the name of the
-syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
-
-If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/gcov.sh
^
|
@@ -1,10 +1,10 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
gcov_init() {
- USER=`whoami`
+ USER="$(whoami)"
firejail --help > /dev/null
firemon --help > /dev/null
/usr/lib/firejail/fnet --help > /dev/null
@@ -20,22 +20,22 @@
/usr/lib/firejail/faudit --help > /dev/null
/usr/lib/firejail/fbuilder --help > /dev/null
- sudo chown $USER:$USER `find .`
+ find . -exec sudo chown "$USER:$USER" '{}' +
}
generate() {
- lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
- lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
+ lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
+ lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
rm -fr gcov-dir
genhtml -q gcov-file --output-directory gcov-dir
- sudo rm `find . -name *.gcda`
+ find . -name '*.gcda' -exec sudo rm '{}' +
cp gcov-file gcov-file-old
gcov_init
}
gcov_init
-lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
+lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
#make test-utils
#generate
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/install.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/sh
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
echo "installing..."
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/linecnt.sh
^
|
@@ -1,10 +1,10 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
gcov_init() {
- USER=`whoami`
+ USER="$(whoami)"
firejail --help > /dev/null
firemon --help > /dev/null
/usr/lib/firejail/fnet --help > /dev/null
@@ -20,12 +20,12 @@
/usr/lib/firejail/faudit --help > /dev/null
/usr/lib/firejail/fbuilder --help > /dev/null
- sudo chown $USER:$USER `find .`
+ find . -exec sudo chown "$USER:$USER" '{}' +
}
rm -fr gcov-dir
gcov_init
lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \
- -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
- -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file
+ -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
+ -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file
genhtml -q gcov-file --output-directory gcov-dir
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/m4/ax_check_compile_flag.m4
^
|
@@ -29,33 +29,12 @@
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <https://www.gnu.org/licenses/>.
-#
-# As a special exception, the respective Autoconf Macro's copyright owner
-# gives unlimited permission to copy, distribute and modify the configure
-# scripts that are the output of Autoconf when processing the Macro. You
-# need not follow the terms of the GNU General Public License when using
-# or distributing such scripts, even though portions of the text of the
-# Macro appear in them. The GNU General Public License (GPL) does govern
-# all other use of the material that constitutes the Autoconf Macro.
-#
-# This special exception to the GPL applies to versions of the Autoconf
-# Macro released by the Autoconf Archive. When you make and distribute a
-# modified version of the Autoconf Macro, you may extend this special
-# exception to the GPL to apply to your modified version as well.
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
-#serial 5
+#serial 6
AC_DEFUN([AX_CHECK_COMPILE_FLAG],
[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkasc.sh
^
|
@@ -1,13 +1,13 @@
#!/bin/sh
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
echo "Calculating SHA256 for all files in /transfer - firejail version $1"
-cd /transfer
-sha256sum * > firejail-$1-unsigned
-gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc
-gpg --verify firejail-$1.asc
-gpg --detach-sign --armor firejail-$1.tar.xz
-rm firejail-$1-unsigned
+cd /transfer || exit 1
+sha256sum ./* > "firejail-$1-unsigned"
+gpg --clearsign --digest-algo SHA256 < "firejail-$1-unsigned" > "firejail-$1.asc"
+gpg --verify "firejail-$1.asc"
+gpg --detach-sign --armor "firejail-$1.tar.xz"
+rm "firejail-$1-unsigned"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkdeb.sh
^
|
@@ -0,0 +1,61 @@
+#!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
+# a code archive should already be available
+
+set -e
+
+. "$(dirname "$0")/config.sh"
+
+EXTRA_VERSION=$1
+
+test "$#" -gt 0 && shift
+
+CODE_ARCHIVE="$TARNAME-$VERSION.tar.xz"
+CODE_DIR="$TARNAME-$VERSION"
+INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
+DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
+
+echo "*****************************************"
+echo "code archive: $CODE_ARCHIVE"
+echo "code directory: $CODE_DIR"
+echo "install directory: $INSTALL_DIR"
+echo "debian control directory: $DEBIAN_CTRL_DIR"
+echo "*****************************************"
+
+tar -xJvf "$CODE_ARCHIVE"
+#mkdir -p "$INSTALL_DIR"
+cd "$CODE_DIR"
+./configure --prefix=/usr "$@"
+make -j2
+mkdir debian
+DESTDIR=debian make install-strip
+
+cd ..
+echo "*****************************************"
+SIZE="$(du -s "$INSTALL_DIR")"
+echo "install size $SIZE"
+echo "*****************************************"
+
+mv "$INSTALL_DIR/usr/share/doc/firejail/RELNOTES" "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian"
+gzip -9 -n "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian"
+rm "$INSTALL_DIR/usr/share/doc/firejail/COPYING"
+install -m644 "$CODE_DIR/platform/debian/copyright" "$INSTALL_DIR/usr/share/doc/firejail/."
+mkdir -p "$DEBIAN_CTRL_DIR"
+sed "s/FIREJAILVER/$VERSION/g" "$CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH)" > "$DEBIAN_CTRL_DIR/control"
+
+mkdir -p "$INSTALL_DIR/usr/share/lintian/overrides/"
+install -m644 "$CODE_DIR/platform/debian/firejail.lintian-overrides" "$INSTALL_DIR/usr/share/lintian/overrides/firejail"
+
+find "$INSTALL_DIR/etc" -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > "$DEBIAN_CTRL_DIR/conffiles"
+chmod 644 "$DEBIAN_CTRL_DIR/conffiles"
+find "$INSTALL_DIR" -type d -exec chmod 755 '{}' +
+cd "$CODE_DIR"
+fakeroot dpkg-deb --build debian
+lintian --no-tag-display-limit debian.deb
+mv debian.deb "../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb"
+cd ..
+rm -fr "$CODE_DIR"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mketc.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/sh
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
sed -i -e '
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkman.sh
^
|
@@ -1,12 +1,12 @@
#!/bin/sh
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set -e
-sed "s/VERSION/$1/g" $2 > $3
-MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
-sed -i "s/MONTH/$MONTH/g" $3
-YEAR=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y`
-sed -i "s/YEAR/$YEAR/g" $3
+sed "s/VERSION/$1/g" "$2" > "$3"
+MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
+sed -i "s/MONTH/$MONTH/g" "$3"
+YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+sed -i "s/YEAR/$YEAR/g" "$3"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkuid.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/sh
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
echo "extracting UID_MIN and GID_MIN"
@@ -9,8 +9,8 @@
if [ -r /etc/login.defs ]
then
- UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
- GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+ UID_MIN="$(awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)"
+ GID_MIN="$(awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)"
fi
# use default values if not found
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/platform/debian/copyright
^
|
@@ -7,7 +7,7 @@
and networking stack isolation, and it runs on any recent Linux system. It
includes a sandbox profile for Mozilla Firefox.
- Copyright (C) 2014-2021 Firejail Authors (see README file for more details)
+ Copyright (C) 2014-2022 Firejail Authors (see README file for more details)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/platform/rpm/mkrpm.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/bash_completion/Makefile
^
|
@@ -0,0 +1,17 @@
+.PHONY: all
+all: firejail.bash_completion
+
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk
+ gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
+ sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
+ rm $@.tmp
+
+.PHONY: clean
+clean:
+ rm -fr firejail.bash_completion
+
+.PHONY: distclean
+distclean: clean
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/bash_completion/firejail.bash_completion.in
^
|
@@ -5,7 +5,7 @@
# http://bash-completion.alioth.debian.org
#*******************************************************************
-__interfaces(){
+__interfaces() {
cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
}
@@ -42,10 +42,6 @@
_filedir -d
return 0
;;
- --cgroup)
- _filedir -d
- return 0
- ;;
--tmpfs)
_filedir
return 0
@@ -90,11 +86,11 @@
_filedir
return 0
;;
- --net)
- comps=$(__interfaces)
+ --net)
+ comps=$(__interfaces)
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
return 0
- ;;
+ ;;
esac
$split && return 0
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/Makefile
^
|
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fbuilder
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/syscall.h
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_bin.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_fs.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -68,8 +68,23 @@
ptr += 7;
else if (strncmp(ptr, "open ", 5) == 0)
ptr += 5;
+ else if (strncmp(ptr, "opendir ", 8) == 0)
+ ptr += 8;
+ else if (strncmp(ptr, "connect ", 8) == 0) {
+ ptr += 8;
+ // file descriptor argument
+ if (!isdigit(*ptr))
+ continue;
+ while (isdigit(*ptr))
+ ptr++;
+ if (*ptr++ != ' ')
+ continue;
+ if (*ptr != '/')
+ continue;
+ }
else
continue;
+
if (strncmp(ptr, dir, dir_len) != 0)
continue;
@@ -117,8 +132,19 @@
if (strncmp(ptr, "/etc/firejail", 13) == 0)
return;
+ // extract the directory:
+ assert(strncmp(ptr, "/etc", 4) == 0);
+ ptr += 4;
+ if (*ptr != '/')
+ return;
+ ptr++;
+
+ if (*ptr == '/') // double '/'
+ ptr++;
+ if (*ptr == '\0')
+ return;
+
// add only top files and directories
- ptr += 5; // skip "/etc/"
char *end = strchr(ptr, '/');
if (end)
*end = '\0';
@@ -163,6 +189,11 @@
static FileDB *var_out = NULL;
static FileDB *var_skip = NULL;
static void var_callback(char *ptr) {
+ // skip /var/lib/flatpak, /var/lib/snapd directory
+ if (strncmp(ptr, "/var/lib/flatpak", 16) == 0 ||
+ strncmp(ptr, "/var/lib/snapd", 14) == 0)
+ return;
+
// extract the directory:
assert(strncmp(ptr, "/var", 4) == 0);
char *p1 = ptr + 4;
@@ -191,6 +222,88 @@
fprintf(fp, "include whitelist-var-common.inc\n");
}
+//*******************************************
+// run directory
+//*******************************************
+static FileDB *run_out = NULL;
+static FileDB *run_skip = NULL;
+static void run_callback(char *ptr) {
+ // skip /run/firejail
+ if (strncmp(ptr, "/run/firejail", 13) == 0)
+ return;
+ // skip files in /run/user
+ if (strncmp(ptr, "/run/user", 9) == 0)
+ return;
+
+ // extract the directory:
+ assert(strncmp(ptr, "/run", 4) == 0);
+ char *p1 = ptr + 4;
+ if (*p1 != '/')
+ return;
+ p1++;
+
+ if (*p1 == '/') // double '/'
+ p1++;
+ if (*p1 == '\0')
+ return;
+
+ if (!filedb_find(run_skip, p1))
+ run_out = filedb_add(run_out, p1);
+}
+
+void build_run(const char *fname, FILE *fp) {
+ assert(fname);
+
+ run_skip = filedb_load_whitelist(run_skip, "whitelist-run-common.inc", "whitelist /run/");
+ process_files(fname, "/run", run_callback);
+
+ // always whitelist /run
+ if (run_out)
+ filedb_print(run_out, "whitelist /run/", fp);
+ fprintf(fp, "include whitelist-run-common.inc\n");
+}
+
+//*******************************************
+// ${RUNUSER} directory
+//*******************************************
+static char *runuser_fname = NULL;
+static FileDB *runuser_out = NULL;
+static FileDB *runuser_skip = NULL;
+static void runuser_callback(char *ptr) {
+ // extract the directory:
+ assert(runuser_fname);
+ assert(strncmp(ptr, runuser_fname, strlen(runuser_fname)) == 0);
+ char *p1 = ptr + strlen(runuser_fname);
+ if (*p1 != '/')
+ return;
+ p1++;
+
+ if (*p1 == '/') // double '/'
+ p1++;
+ if (*p1 == '\0')
+ return;
+
+ if (!filedb_find(runuser_skip, p1))
+ runuser_out = filedb_add(runuser_out, p1);
+}
+
+void build_runuser(const char *fname, FILE *fp) {
+ assert(fname);
+
+ if (asprintf(&runuser_fname, "/run/user/%d", getuid()) < 0)
+ errExit("asprintf");
+
+ if (!is_dir(runuser_fname))
+ return;
+
+ runuser_skip = filedb_load_whitelist(runuser_skip, "whitelist-runuser-common.inc", "whitelist ${RUNUSER}/");
+ process_files(fname, runuser_fname, runuser_callback);
+
+ // always whitelist /run/user/$UID
+ if (runuser_out)
+ filedb_print(runuser_out, "whitelist ${RUNUSER}/", fp);
+ fprintf(fp, "include whitelist-runuser-common.inc\n");
+}
//*******************************************
// usr/share directory
@@ -236,9 +349,6 @@
//*******************************************
static FileDB *tmp_out = NULL;
static void tmp_callback(char *ptr) {
- // skip strace file
- if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
- return;
if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
return;
if (strcmp(ptr, "/tmp") == 0)
@@ -289,6 +399,7 @@
"/dev/pts",
"/dev/ptmx",
"/dev/log",
+ "/dev/shm",
"/dev/aload", // old ALSA devices, not covered in private-dev
"/dev/dsp", // old OSS device, deprecated
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_home.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -68,6 +68,8 @@
ptr += 7;
else if (strncmp(ptr, "open /home", 10) == 0)
ptr += 5;
+ else if (strncmp(ptr, "opendir /home", 13) == 0)
+ ptr += 8;
else
continue;
@@ -93,6 +95,9 @@
strcmp(ptr, ".bashrc") == 0)
continue;
+ // skip flatpak files
+ if (strncmp(ptr, ".local/share/flatpak", 20) == 0)
+ continue;
// try to find the relevant directory for this file
char *dir = extract_dir(ptr);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_profile.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,7 +22,6 @@
#include <sys/wait.h>
#define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
-#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
void build_profile(int argc, char **argv, int index, FILE *fp) {
// next index is the application name
@@ -31,79 +30,42 @@
exit(1);
}
- char trace_output[] = "/tmp/firejail-trace.XXXXXX";
- char strace_output[] = "/tmp/firejail-strace.XXXXXX";
-
+ char trace_output[] = TRACE_OUTPUT;
int tfile = mkstemp(trace_output);
- int stfile = mkstemp(strace_output);
- if(tfile == -1 || stfile == -1)
+ if(tfile == -1)
errExit("mkstemp");
-
- // close the files, firejail/strace will overwrite them!
close(tfile);
- close(stfile);
-
char *output;
- char *stroutput;
if(asprintf(&output,"--trace=%s",trace_output) == -1)
errExit("asprintf");
- if(asprintf(&stroutput,"-o%s",strace_output) == -1)
- errExit("asprintf");
-
- char *cmdlist[] = {
- BINDIR "/firejail",
- "--quiet",
- "--noprofile",
- "--caps.drop=all",
- "--nonewprivs",
- output,
- "--shell=none",
- "/usr/bin/strace", // also used as a marker in build_profile()
- "-c",
- "-f",
- stroutput,
- };
-
- // detect strace and check if Yama LSM allows us to use it
- int have_strace = 0;
- int have_yama_permission = 1;
- if (access("/usr/bin/strace", X_OK) == 0) {
- have_strace = 1;
- FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
- if (ps) {
- unsigned val;
- if (fscanf(ps, "%u", &val) == 1)
- have_yama_permission = (val < 2);
- fclose(ps);
- }
- }
// calculate command length
- unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
- if (arg_debug)
- printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index);
- char *cmd[len];
- cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error
+ unsigned len = 64; // plenty of space for firejail command line
+ len += argc - index; // program command line
+ len += 1; // NULL
// build command
- // skip strace if not installed, or no permission to use it
- int skip_strace = !(have_strace && have_yama_permission);
- unsigned i = 0;
- for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
- if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
- break;
- cmd[i] = cmdlist[i];
- }
+ char *cmd[len];
+ unsigned curr_len = 0;
+ cmd[curr_len++] = BINDIR "/firejail";
+ cmd[curr_len++] = "--quiet";
+ cmd[curr_len++] = "--noprofile";
+ cmd[curr_len++] = "--caps.drop=all";
+ cmd[curr_len++] = "--seccomp=!chroot";
+ cmd[curr_len++] = output;
+ if (arg_appimage)
+ cmd[curr_len++] = "--appimage";
+
+ int i;
+ for (i = index; i < argc; i++)
+ cmd[curr_len++] = argv[i];
- int i2 = index;
- for (; i < (len - 1); i++, i2++)
- cmd[i] = argv[i2];
- assert(i < len);
- cmd[i] = NULL;
+ assert(curr_len < len);
+ cmd[curr_len] = NULL;
if (arg_debug) {
- for (i = 0; i < len; i++)
+ for (i = 0; cmd[i]; i++)
printf("%s%s\n", (i)?"\t":"", cmd[i]);
}
@@ -125,7 +87,7 @@
if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
if (fp == stdout)
- printf("--- Built profile beings after this line ---\n");
+ printf("--- Built profile begins after this line ---\n");
fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
@@ -147,7 +109,6 @@
fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n");
fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n");
fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n");
- fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n");
fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n");
fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n");
fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n");
@@ -160,8 +121,10 @@
fprintf(fp, "\n");
fprintf(fp, "### Filesystem Whitelisting ###\n");
- build_share(trace_output, fp);
- //todo: include whitelist-runuser-common.inc
+ build_run(trace_output, fp);
+ build_runuser(trace_output, fp);
+ if (!arg_appimage)
+ build_share(trace_output, fp);
build_var(trace_output, fp);
fprintf(fp, "\n");
@@ -179,21 +142,14 @@
fprintf(fp, "#nou2f\t# disable U2F devices\n");
fprintf(fp, "#novideo\t# disable video capture devices\n");
build_protocol(trace_output, fp);
- fprintf(fp, "seccomp\n");
- if (!have_strace) {
- fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
- fprintf(fp, "### whitelisted seccomp filter.\n");
- }
- else if (!have_yama_permission)
- fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
- else
- build_seccomp(strace_output, fp);
+ fprintf(fp, "seccomp !chroot\t# allowing chroot, just in case this is an Electron app\n");
fprintf(fp, "shell none\n");
- fprintf(fp, "tracelog\n");
+ fprintf(fp, "#tracelog\t# send blacklist violations to syslog\n");
fprintf(fp, "\n");
fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n");
- build_bin(trace_output, fp);
+ if (!arg_appimage)
+ build_bin(trace_output, fp);
fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n");
build_dev(trace_output, fp);
build_etc(trace_output, fp);
@@ -206,10 +162,8 @@
fprintf(fp, "\n");
fprintf(fp, "#memory-deny-write-execute\n");
- if (!arg_debug) {
+ if (!arg_debug)
unlink(trace_output);
- unlink(strace_output);
- }
}
else {
fprintf(stderr, "Error: cannot run the sandbox\n");
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_seccomp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,6 +20,7 @@
#include "fbuilder.h"
+#if 0
void build_seccomp(const char *fname, FILE *fp) {
assert(fname);
assert(fp);
@@ -78,6 +79,7 @@
fclose(fp2);
}
+#endif
//***************************************
// protocol
@@ -188,7 +190,7 @@
if (net == 0)
fprintf(fp, "net none\n");
else {
- fprintf(fp, "# net eth0\n");
+ fprintf(fp, "#net eth0\n");
fprintf(fp, "netfilter\n");
}
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/fbuilder.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -26,11 +26,12 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
-
+#include <fnmatch.h>
#define MAX_BUF 4096
// main.c
extern int arg_debug;
+extern int arg_appimage;
// build_profile.c
void build_profile(int argc, char **argv, int index, FILE *fp);
@@ -45,6 +46,8 @@
void build_tmp(const char *fname, FILE *fp);
void build_dev(const char *fname, FILE *fp);
void build_share(const char *fname, FILE *fp);
+void build_run(const char *fname, FILE *fp);
+void build_runuser(const char *fname, FILE *fp);
// build_bin.c
void build_bin(const char *fname, FILE *fp);
@@ -60,7 +63,7 @@
typedef struct filedb_t {
struct filedb_t *next;
char *fname; // file name
- int len; // length of file name
+ unsigned len; // length of file name
} FileDB;
FileDB *filedb_add(FileDB *head, const char *fname);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/filedb.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -25,17 +25,17 @@
assert(fname);
FileDB *ptr = head;
int found = 0;
- int len = strlen(fname);
while (ptr) {
- // exact name
- if (strcmp(fname, ptr->fname) == 0) {
+ // ptr->fname can be a pattern, like .mutter-Xwaylandauth.*
+ // check if fname is a match
+ if (fnmatch(ptr->fname, fname, FNM_PATHNAME) == 0) {
found = 1;
break;
}
// parent directory in the list
- if (len > ptr->len &&
+ if (strlen(fname) > ptr->len &&
fname[ptr->len] == '/' &&
strncmp(ptr->fname, fname, ptr->len) == 0) {
found = 1;
@@ -54,8 +54,6 @@
FileDB *filedb_add(FileDB *head, const char *fname) {
assert(fname);
- // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.*
-
// don't add it if it is already there or if the parent directory is already in the list
if (filedb_find(head, fname))
return head;
@@ -96,7 +94,7 @@
errExit("asprintf");
FILE *fp = fopen(f, "r");
if (!fp) {
- fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
+ fprintf(stderr, "Error: cannot open %s\n", f);
free(f);
exit(1);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -19,6 +19,7 @@
*/
#include "fbuilder.h"
int arg_debug = 0;
+int arg_appimage = 0;
static void usage(void) {
printf("Firejail profile builder\n");
@@ -49,6 +50,8 @@
}
else if (strcmp(argv[i], "--debug") == 0)
arg_debug = 1;
+ else if (strcmp(argv[i], "--appimage") == 0)
+ arg_appimage = 1;
else if (strcmp(argv[i], "--build") == 0)
; // do nothing, this is passed down from firejail
else if (strncmp(argv[i], "--build=", 8) == 0) {
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/utils.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fcopy/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fcopy
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fcopy/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -88,7 +88,8 @@
if (arg_debug)
printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
- setfilecon_raw(procfs_path, fcon);
+ if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+ printf("Cannot relabel %s: %s\n", path, strerror(errno));
}
freecon(fcon);
close:
@@ -199,7 +200,8 @@
// check where /proc/self points to
static const char proc_self[] = "/proc/self";
- if (!(proc_pid = realpath(proc_self, NULL)))
+ proc_pid = realpath(proc_self, NULL);
+ if (proc_pid == NULL)
goto done;
// redirect /proc/PID/xxx -> /proc/self/XXX
@@ -284,11 +286,9 @@
}
// extract mode and ownership
- if (stat(infname, &s) != 0) {
- if (!arg_quiet)
- fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
+ if (stat(infname, &s) != 0)
goto out;
- }
+
uid_t uid = s.st_uid;
gid_t gid = s.st_gid;
mode_t mode = s.st_mode;
@@ -470,18 +470,12 @@
size_t len = strlen(src);
while (len > 1 && src[len - 1] == '/')
src[--len] = '\0';
- if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) {
- fprintf(stderr, "Error fcopy: invalid source file name %s\n", src);
- exit(1);
- }
+ reject_meta_chars(src, 0);
len = strlen(dest);
while (len > 1 && dest[len - 1] == '/')
dest[--len] = '\0';
- if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) {
- fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest);
- exit(1);
- }
+ reject_meta_chars(dest, 0);
// the destination should be a directory;
struct stat s;
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/Makefile
^
|
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fids
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/blake2b.c
^
|
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/* A simple unkeyed BLAKE2b Implementation based on the official reference
+ * from https://github.com/BLAKE2/BLAKE2.
+ *
+ * The original code was released under CC0 1.0 Universal license (Creative Commons),
+ * a public domain license.
+ */
+
+#include "fids.h"
+
+// little-endian vs big-endian is irrelevant since the checksum is calculated and checked on the same computer.
+static inline uint64_t load64( const void *src ) {
+ uint64_t w;
+ memcpy( &w, src, sizeof( w ) );
+ return w;
+}
+
+// mixing function
+#define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y))))
+#define G(a, b, c, d, x, y) { \
+ v[a] = v[a] + v[b] + x; \
+ v[d] = ROTR64(v[d] ^ v[a], 32); \
+ v[c] = v[c] + v[d]; \
+ v[b] = ROTR64(v[b] ^ v[c], 24); \
+ v[a] = v[a] + v[b] + y; \
+ v[d] = ROTR64(v[d] ^ v[a], 16); \
+ v[c] = v[c] + v[d]; \
+ v[b] = ROTR64(v[b] ^ v[c], 63); }
+
+// init vector
+static const uint64_t iv[8] = {
+ 0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
+ 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
+ 0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
+ 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
+};
+
+
+const uint8_t sigma[12][16] = {
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
+};
+
+// blake2b context
+typedef struct {
+ uint8_t b[128]; // input buffer
+ uint64_t h[8]; // chained state
+ uint64_t t[2]; // total number of bytes
+ size_t c; // pointer for b[]
+ size_t outlen; // digest size
+} CTX;
+
+// compress function
+static void compress(CTX *ctx, int last) {
+ uint64_t m[16];
+ uint64_t v[16];
+ size_t i;
+
+ for (i = 0; i < 16; i++)
+ m[i] = load64(&ctx->b[8 * i]);
+
+ for (i = 0; i < 8; i++) {
+ v[i] = ctx->h[i];
+ v[i + 8] = iv[i];
+ }
+
+ v[12] ^= ctx->t[0];
+ v[13] ^= ctx->t[1];
+ if (last)
+ v[14] = ~v[14];
+
+ for (i = 0; i < 12; i++) {
+ G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
+ G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
+ G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
+ G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
+ G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
+ G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
+ G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]);
+ G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]);
+ }
+
+ for( i = 0; i < 8; ++i )
+ ctx->h[i] ^= v[i] ^ v[i + 8];
+}
+
+static int init(CTX *ctx, size_t outlen) { // (keylen=0: no key)
+ size_t i;
+
+ if (outlen == 0 || outlen > 64)
+ return -1;
+
+ for (i = 0; i < 8; i++)
+ ctx->h[i] = iv[i];
+ ctx->h[0] ^= 0x01010000 ^ outlen;
+
+ ctx->t[0] = 0;
+ ctx->t[1] = 0;
+ ctx->c = 0;
+ ctx->outlen = outlen;
+
+ return 0;
+}
+
+static void update(CTX *ctx, const void *in, size_t inlen) {
+ size_t i;
+
+ for (i = 0; i < inlen; i++) {
+ if (ctx->c == 128) {
+ ctx->t[0] += ctx->c;
+ if (ctx->t[0] < ctx->c)
+ ctx->t[1]++;
+ compress(ctx, 0);
+ ctx->c = 0;
+ }
+ ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
+ }
+}
+
+static void final(CTX *ctx, void *out) {
+ size_t i;
+
+ ctx->t[0] += ctx->c;
+ if (ctx->t[0] < ctx->c)
+ ctx->t[1]++;
+
+ while (ctx->c < 128)
+ ctx->b[ctx->c++] = 0;
+ compress(ctx, 1);
+
+ for (i = 0; i < ctx->outlen; i++) {
+ ((uint8_t *) out)[i] =
+ (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
+ }
+}
+
+// public function
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen) {
+ CTX ctx;
+
+ if (init(&ctx, outlen))
+ return -1;
+ update(&ctx, in, inlen);
+ final(&ctx, out);
+
+ return 0;
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/config
^
|
@@ -0,0 +1,16 @@
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/games
+/opt
+/usr/share/ca-certificates
+
+
+/home/netblue/.bashrc
+/home/netblue/.config/firejail
+/home/netblue/.config/autostart
+/home/netblue/Desktop/*.desktop
+/home/netblue/.ssh
+/home/netblue/.gnupg
+
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/db.c
^
|
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+
+typedef struct db_t {
+ struct db_t *next;
+ char *fname;
+ char *checksum;
+ char *mode;
+ int checked;
+} DB;
+
+#define MAXBUF 4096
+static DB *database[HASH_MAX] = {NULL};
+
+// djb2 hash function by Dan Bernstein
+static unsigned hash(const char *str) {
+ unsigned long hash = 5381;
+ int c;
+
+ while ((c = *str++) != '\0')
+ hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
+
+ return hash & (HASH_MAX - 1);
+}
+
+#if 0
+// for testing the hash table
+static void db_print(void) {
+ int i;
+ for (i = 0; i < HASH_MAX; i++) {
+ int cnt = 0;
+ DB *ptr = database[i];
+ while (ptr) {
+ cnt++;
+ ptr = ptr->next;
+ }
+ printf("%d ", cnt);
+ fflush(0);
+ }
+ printf("\n");
+}
+#endif
+
+static void db_add(const char *fname, const char *checksum, const char *mode) {
+ DB *ptr = malloc(sizeof(DB));
+ if (!ptr)
+ errExit("malloc");
+ ptr->fname = strdup(fname);
+ ptr->checksum = strdup(checksum);
+ ptr->mode = strdup(mode);
+ ptr->checked = 0;
+ if (!ptr->fname || !ptr->checksum || !ptr->mode)
+ errExit("strdup");
+
+ unsigned h = hash(fname);
+ ptr->next = database[h];
+ database[h] = ptr;
+}
+
+void db_check(const char *fname, const char *checksum, const char *mode) {
+ assert(fname);
+ assert(checksum);
+ assert(mode);
+
+ unsigned h =hash(fname);
+ DB *ptr = database[h];
+ while (ptr) {
+ if (strcmp(fname, ptr->fname) == 0) {
+ ptr->checked = 1;
+ break;
+ }
+ ptr = ptr->next;
+ }
+
+ if (ptr ) {
+ if (strcmp(checksum, ptr->checksum)) {
+ f_modified++;
+ fprintf(stderr, "\nWarning: modified %s\n", fname);
+ }
+ if (strcmp(mode, ptr->mode)) {
+ f_permissions++;
+ fprintf(stderr, "\nWarning: permissions %s: old %s, new %s\n",
+ fname, ptr->mode, mode);
+ }
+ }
+ else {
+ f_new++;
+ fprintf(stderr, "\nWarning: new file %s\n", fname);
+ }
+}
+
+void db_missing(void) {
+ int i;
+ for (i = 0; i < HASH_MAX; i++) {
+ DB *ptr = database[i];
+ while (ptr) {
+ if (!ptr->checked) {
+ f_removed++;
+ fprintf(stderr, "Warning: removed %s\n", ptr->fname);
+ }
+ ptr = ptr->next;
+ }
+ }
+}
+
+// return 0 if ok, 1 if error
+int db_init(void) {
+ char buf[MAXBUF];
+ while(fgets(buf, MAXBUF, stdin)) {
+ // split - tab separated
+
+ char *mode = buf;
+ char *ptr = strchr(buf, '\t');
+ if (!ptr)
+ goto errexit;
+ *ptr = '\0';
+
+ char *checksum = ptr + 1;
+ ptr = strchr(checksum, '\t');
+ if (!ptr)
+ goto errexit;
+ *ptr = '\0';
+
+ char *fname = ptr + 1;
+ ptr = strchr(fname, '\n');
+ if (!ptr)
+ goto errexit;
+ *ptr = '\0';
+
+ db_add(fname, checksum, mode);
+ }
+// db_print();
+
+ return 0;
+
+errexit:
+ fprintf(stderr, "Error fids: database corrupted\n");
+ exit(1);
+}
+
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/db_exclude.c
^
|
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+
+typedef struct db_exclude_t {
+ struct db_exclude_t *next;
+ char *fname;
+ int len;
+} DB_EXCLUDE;
+static DB_EXCLUDE *database = NULL;
+
+void db_exclude_add(const char *fname) {
+ assert(fname);
+
+ DB_EXCLUDE *ptr = malloc(sizeof(DB_EXCLUDE));
+ if (!ptr)
+ errExit("malloc");
+
+ ptr->fname = strdup(fname);
+ if (!ptr->fname)
+ errExit("strdup");
+ ptr->len = strlen(fname);
+ ptr->next = database;
+ database = ptr;
+}
+
+int db_exclude_check(const char *fname) {
+ assert(fname);
+
+ DB_EXCLUDE *ptr = database;
+ while (ptr != NULL) {
+ if (strncmp(fname, ptr->fname, ptr->len) == 0)
+ return 1;
+ ptr = ptr->next;
+ }
+
+ return 0;
+}
+
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/fids.h
^
|
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FIDS_H
+#define FIDS_H
+
+#include "../include/common.h"
+
+// main.c
+#define MAX_DIR_LEVEL 20 // max directory tree depth
+#define MAX_INCLUDE_LEVEL 10 // max include level for config files
+extern int f_scanned;
+extern int f_modified;
+extern int f_new;
+extern int f_removed;
+extern int f_permissions;
+
+// db.c
+#define HASH_MAX 2048 // power of 2
+int db_init(void);
+void db_check(const char *fname, const char *checksum, const char *mode);
+void db_missing(void);
+
+// db_exclude.c
+void db_exclude_add(const char *fname);
+int db_exclude_check(const char *fname);
+
+
+// blake2b.c
+//#define KEY_SIZE 128 // key size in bytes
+#define KEY_SIZE 256
+//#define KEY_SIZE 512
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
+
+#endif
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/main.c
^
|
@@ -0,0 +1,378 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fids.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <dirent.h>
+#include <glob.h>
+
+#define MAXBUF 4096
+
+static int dir_level = 1;
+static int include_level = 0;
+int arg_init = 0;
+int arg_check = 0;
+char *arg_homedir = NULL;
+char *arg_dbfile = NULL;
+
+int f_scanned = 0;
+int f_modified = 0;
+int f_new = 0;
+int f_removed = 0;
+int f_permissions = 0;
+
+
+
+static inline int is_dir(const char *fname) {
+ assert(fname);
+
+ struct stat s;
+ if (stat(fname, &s) == 0) {
+ if (S_ISDIR(s.st_mode))
+ return 1;
+ }
+ return 0;
+}
+
+static inline int is_link(const char *fname) {
+ assert(fname);
+
+ char c;
+ ssize_t rv = readlink(fname, &c, 1);
+ return (rv != -1);
+}
+
+// mode is an array of 10 chars or more
+static inline void file_mode(const char *fname, char *mode) {
+ assert(fname);
+ assert(mode);
+
+ struct stat s;
+ if (stat(fname, &s)) {
+ *mode = '\0';
+ return;
+ }
+
+ sprintf(mode, (s.st_mode & S_IRUSR) ? "r" : "-");
+ sprintf(mode + 1, (s.st_mode & S_IWUSR) ? "w" : "-");
+ sprintf(mode + 2, (s.st_mode & S_IXUSR) ? "x" : "-");
+ sprintf(mode + 3, (s.st_mode & S_IRGRP) ? "r" : "-");
+ sprintf(mode + 4, (s.st_mode & S_IWGRP) ? "w" : "-");
+ sprintf(mode + 5, (s.st_mode & S_IXGRP) ? "x" : "-");
+ sprintf(mode + 6, (s.st_mode & S_IROTH) ? "r" : "-");
+ sprintf(mode + 7, (s.st_mode & S_IWOTH) ? "w" : "-");
+ sprintf(mode + 8, (s.st_mode & S_IXOTH) ? "x" : "-");
+}
+
+
+static void file_checksum(const char *fname) {
+ assert(fname);
+
+ int fd = open(fname, O_RDONLY);
+ if (fd == -1)
+ return;
+
+ off_t size = lseek(fd, 0, SEEK_END);
+ if (size < 0) {
+ close(fd);
+ return;
+ }
+
+ char *content = "empty";
+ int mmapped = 0;
+ if (size == 0) {
+ // empty files don't mmap - use "empty" string as the file content
+ size = 6; // strlen("empty") + 1
+ }
+ else {
+ content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+ close(fd);
+ mmapped = 1;
+ }
+
+ unsigned char checksum[KEY_SIZE / 8];
+ blake2b(checksum, sizeof(checksum), content, size);
+ if (mmapped)
+ munmap(content, size);
+
+ // calculate blake2 checksum
+ char str_checksum[(KEY_SIZE / 8) * 2 + 1];
+ int long unsigned i;
+ char *ptr = str_checksum;
+ for (i = 0; i < sizeof(checksum); i++, ptr += 2)
+ sprintf(ptr, "%02x", (unsigned char ) checksum[i]);
+
+ // build permissions string
+ char mode[10];
+ file_mode(fname, mode);
+
+ if (arg_init)
+ printf("%s\t%s\t%s\n", mode, str_checksum, fname);
+ else if (arg_check)
+ db_check(fname, str_checksum, mode);
+ else
+ assert(0);
+
+ f_scanned++;
+ if (f_scanned % 500 == 0)
+ fprintf(stderr, "%d ", f_scanned);
+ fflush(0);
+}
+
+void list_directory(const char *fname) {
+ assert(fname);
+ if (dir_level > MAX_DIR_LEVEL) {
+ fprintf(stderr, "Warning fids: maximum depth level exceeded for %s\n", fname);
+ return;
+ }
+
+ if (db_exclude_check(fname))
+ return;
+
+ if (is_link(fname))
+ return;
+
+ if (!is_dir(fname)) {
+ file_checksum(fname);
+ return;
+ }
+
+ DIR *dir;
+ struct dirent *entry;
+
+ if (!(dir = opendir(fname)))
+ return;
+
+ dir_level++;
+ while ((entry = readdir(dir)) != NULL) {
+ if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+ continue;
+ char *path;
+ if (asprintf(&path, "%s/%s", fname, entry->d_name) == -1)
+ errExit("asprintf");
+ list_directory(path);
+ free(path);
+ }
+ closedir(dir);
+ dir_level--;
+}
+
+void globbing(const char *fname) {
+ assert(fname);
+
+ // filter top directory
+ if (strcmp(fname, "/") == 0)
+ return;
+
+ glob_t globbuf;
+ int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+ if (globerr) {
+ fprintf(stderr, "Error fids: failed to glob pattern %s\n", fname);
+ exit(1);
+ }
+
+ long unsigned i;
+ for (i = 0; i < globbuf.gl_pathc; i++) {
+ char *path = globbuf.gl_pathv[i];
+ assert(path);
+
+ list_directory(path);
+ }
+
+ globfree(&globbuf);
+}
+
+static void process_config(const char *fname) {
+ assert(fname);
+
+ if (++include_level >= MAX_INCLUDE_LEVEL) {
+ fprintf(stderr, "Error ids: maximum include level for config files exceeded\n");
+ exit(1);
+ }
+
+ fprintf(stderr, "Opening config file %s\n", fname);
+ int fd = open(fname, O_RDONLY|O_CLOEXEC);
+ if (fd < 0) {
+ if (include_level == 1) {
+ fprintf(stderr, "Error ids: cannot open config file %s\n", fname);
+ exit(1);
+ }
+ return;
+ }
+
+ // make sure the file is owned by root
+ struct stat s;
+ if (fstat(fd, &s)) {
+ fprintf(stderr, "Error ids: cannot stat config file %s\n", fname);
+ exit(1);
+ }
+ if (s.st_uid || s.st_gid) {
+ fprintf(stderr, "Error ids: config file not owned by root\n");
+ exit(1);
+ }
+
+ fprintf(stderr, "Loading config file %s\n", fname);
+ FILE *fp = fdopen(fd, "r");
+ if (!fp) {
+ fprintf(stderr, "Error fids: cannot open config file %s\n", fname);
+ exit(1);
+ }
+
+ char buf[MAXBUF];
+ int line = 0;
+ while (fgets(buf, MAXBUF, fp)) {
+ line++;
+
+ // trim \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+
+ // comments
+ ptr = strchr(buf, '#');
+ if (ptr)
+ *ptr = '\0';
+
+ // empty space
+ ptr = buf;
+ while (*ptr == ' ' || *ptr == '\t')
+ ptr++;
+ char *start = ptr;
+
+ // empty line
+ if (*start == '\0')
+ continue;
+
+ // trailing spaces
+ ptr = start + strlen(start);
+ ptr--;
+ while (*ptr == ' ' || *ptr == '\t')
+ *ptr-- = '\0';
+
+ // replace ${HOME}
+ if (strncmp(start, "include", 7) == 0) {
+ ptr = start + 7;
+ if ((*ptr != ' ' && *ptr != '\t') || *ptr == '\0') {
+ fprintf(stderr, "Error fids: invalid line %d in %s\n", line, fname);
+ exit(1);
+ }
+ while (*ptr == ' ' || *ptr == '\t')
+ ptr++;
+
+ if (*ptr == '/')
+ process_config(ptr);
+ else {
+ // assume the file is in /etc/firejail
+ char *tmp;
+ if (asprintf(&tmp, "/etc/firejail/%s", ptr) == -1)
+ errExit("asprintf");
+ process_config(tmp);
+ free(tmp);
+ }
+ }
+ else if (*start == '!') {
+ // exclude file or dir
+ start++;
+ if (strncmp(start, "${HOME}", 7))
+ db_exclude_add(start);
+ else {
+ char *fname;
+ if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+ errExit("asprintf");
+ db_exclude_add(fname);
+ free(fname);
+ }
+ }
+ else if (strncmp(start, "${HOME}", 7))
+ globbing(start);
+ else {
+ char *fname;
+ if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+ errExit("asprintf");
+ globbing(fname);
+ free(fname);
+ }
+ }
+
+ fclose(fp);
+ include_level--;
+}
+
+
+
+void usage(void) {
+ printf("Usage: fids [--help|-h|-?] --init|--check homedir\n");
+}
+
+int main(int argc, char **argv) {
+ int i;
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "-h") == 0 ||
+ strcmp(argv[i], "-?") == 0 ||
+ strcmp(argv[i], "--help") == 0) {
+ usage();
+ return 0;
+ }
+ else if (strcmp(argv[i], "--init") == 0)
+ arg_init = 1;
+ else if (strcmp(argv[i], "--check") == 0)
+ arg_check = 1;
+ else if (strncmp(argv[i], "--", 2) == 0) {
+ fprintf(stderr, "Error fids: invalid argument %s\n", argv[i]);
+ exit(1);
+ }
+ }
+
+ if (argc != 3) {
+ fprintf(stderr, "Error fids: invalid number of arguments\n");
+ exit(1);
+ }
+ arg_homedir = argv[2];
+
+ int op = arg_check + arg_init;
+ if (op == 0 || op == 2) {
+ fprintf(stderr, "Error fids: use either --init or --check\n");
+ exit(1);
+ }
+
+ if (arg_init) {
+ process_config(SYSCONFDIR"/ids.config");
+ fprintf(stderr, "\n%d files scanned\n", f_scanned);
+ fprintf(stderr, "IDS database initialized\n");
+ }
+ else if (arg_check) {
+ if (db_init()) {
+ fprintf(stderr, "Error: IDS database not initialized, please run \"firejail --ids-init\"\n");
+ exit(1);
+ }
+
+ process_config(SYSCONFDIR"/ids.config");
+ fprintf(stderr, "\n%d files scanned: modified %d, permissions %d, new %d, removed %d\n",
+ f_scanned, f_modified, f_permissions, f_new, f_removed);
+ db_missing();
+ }
+ else
+ assert(0);
+
+ return 0;
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/Makefile
^
|
@@ -0,0 +1,16 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = firecfg
+TARGET = $(PROG)
+
+MOD_HDRS = \
+../include/common.h \
+../include/euid_common.h \
+../include/libnetlink.h \
+../include/firejail_user.h \
+../include/pid.h
+
+MOD_OBJS = ../lib/common.o ../lib/firejail_user.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/desktop_files.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -24,11 +24,16 @@
static int check_profile(const char *name, const char *homedir) {
// build profile name
char *profname1;
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
char *profname2;
+#endif
if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
errExit("asprintf");
+
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
errExit("asprintf");
+#endif
int rv = 0;
if (access(profname1, R_OK) == 0) {
@@ -36,14 +41,18 @@
printf("found %s\n", profname1);
rv = 1;
}
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
else if (access(profname2, R_OK) == 0) {
if (arg_debug)
printf("found %s\n", profname2);
rv = 1;
}
+#endif
free(profname1);
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
free(profname2);
+#endif
return rv;
}
@@ -168,9 +177,9 @@
char *filename = entry->d_name;
- // skip links
- if (is_link(filename))
- continue;
+ // skip links - Discord on Arch #4235 seems to be a symlink to /opt directory
+// if (is_link(filename))
+// continue;
// no profile in /etc/firejail, no desktop file fixing
if (!have_profile(filename, homedir))
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/firecfg.config
^
|
@@ -1,8 +1,8 @@
-# /usr/lib/firejail/firecfg.config - firecfg utility configuration file
+# /etc/firejail/firecfg.config - firecfg utility configuration file
# This is the list of programs in alphabetical order handled by firecfg utility
#
-#qemu-system-x86_64
0ad
+1password
2048-qt
Books
Builder
@@ -45,8 +45,8 @@
amuled
android-studio
anydesk
-apostrophe
apktool
+apostrophe
# ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
arch-audit
archaudit-report
@@ -74,6 +74,8 @@
autokey-qt
autokey-run
autokey-shell
+avidemux3_cli
+avidemux3_jobs_qt5
avidemux3_qt5
aweather
ballbuster
@@ -94,6 +96,7 @@
blender
blender-2.8
bless
+blobby
blobwars
bluefish
bnox
@@ -109,6 +112,7 @@
# bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
bzflag
# bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+cachy-browser
calibre
calligra
calligraauthor
@@ -125,6 +129,8 @@
catfish
cawbird
celluloid
+chafa
+chatterino
checkbashisms
cheese
cherrytree
@@ -134,27 +140,32 @@
chromium-freeworld
cin
cinelerra
+cinelerra-gg
clamdscan
clamdtop
clamscan
clamtk
-claws-mail
clawsker
+claws-mail
clementine
clion
-clipit
+clion-eap
clipgrab
+clipit
cliqz
clocks
cmus
code
code-oss
+codium
+cointop
cola
colorful
com.github.bleakgrey.tootle
com.github.dahenson.agenda
com.github.johnfactotum.Foliate
com.github.phase1geo.minder
+com.github.tchx84.Flatseal
com.gitlab.newsflash
conkeror
conky
@@ -176,6 +187,7 @@
desktopeditors
devhelp
dex2jar
+d-feet
dia
dig
digikam
@@ -197,13 +209,12 @@
drawio
drill
dropbox
-d-feet
easystroke
-ebook-viewer
ebook-convert
ebook-edit
ebook-meta
ebook-polish
+ebook-viewer
electron-mail
electrum
element-desktop
@@ -253,8 +264,8 @@
flameshot
flashpeak-slimjet
flowblade
-font-manager
fontforge
+font-manager
fossamail
four-in-a-row
fractal
@@ -273,14 +284,17 @@
freshclam
frogatto
frozen-bubble
+ftp
funnyboat
gajim
gajim-history-manager
galculator
+gallery-dl
gapplication
gcalccmd
gcloud
gconf-editor
+gdu
geany
geary
gedit
@@ -294,8 +308,8 @@
gimp-2.8
gist
gist-paste
-gitg
git-cola
+gitg
github-desktop
gitter
# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
@@ -345,6 +359,8 @@
gnote
gnubik
godot
+godot3
+goldendict
goobox
google-chrome
google-chrome-beta
@@ -361,11 +377,12 @@
gramps
gravity-beams-and-evaporating-stars
gthumb
+gtk2-youtube-viewer
+gtk3-youtube-viewer
+gtk-lbry-viewer
gtk-pipe-viewer
gtk-straw-viewer
gtk-youtube-viewer
-gtk2-youtube-viewer
-gtk3-youtube-viewer
guayadeque
gucharmap
gummi
@@ -391,9 +408,11 @@
imagej
img2txt
impressive
+imv
inkscape
inkview
inox
+io.github.lainsce.Notejot
ipcalc
ipcalc-ng
iridium
@@ -446,18 +465,21 @@
kube
# kwin_x11
kwrite
+lbry-viewer
leafpad
# less - breaks man
librecad
libreoffice
librewolf
librewolf-nightly
+lifeograph
liferea
lightsoff
lincity-ng
links
links2
linphone
+linuxqq
lmms
lobase
localc
@@ -507,6 +529,7 @@
menulibre
meteo-qt
microsoft-edge
+microsoft-edge-beta
microsoft-edge-dev
midori
min
@@ -523,8 +546,8 @@
mp3wrap
mpDris2
mpg123
-mpg123.bin
mpg123-alsa
+mpg123.bin
mpg123-id3dump
mpg123-jack
mpg123-nas
@@ -563,6 +586,7 @@
mypaint-ora-thumbnailer
natron
ncdu
+ncdu2
neochat
neomutt
netactview
@@ -583,6 +607,7 @@
nitroshare-send
nitroshare-ui
nomacs
+notable
nslookup
nuclear
nylas
@@ -593,22 +618,26 @@
oggsplt
okular
onboard
+onionshare
+onionshare-cli
onionshare-gui
ooffice
ooviewdoc
-open-invaders
openarena
openarena_ded
opencity
openclonk
+open-invaders
openmw
openmw-launcher
openoffice.org
openshot
openshot-qt
+openstego
openttd
opera
opera-beta
+opera-developer
orage
ostrichriders
otter-browser
@@ -630,7 +659,7 @@
picard
pidgin
pinball
-#ping - disabled until we fix #1912
+ping
pingus
pinta
pioneer
@@ -659,11 +688,13 @@
qbittorrent
qcomicbook
qemu-launcher
+#qemu-system-x86_64
qgis
qlipper
qmmp
qnapi
qpdfview
+qq
qt-faststart
qtox
quadrapassel
@@ -672,11 +703,14 @@
quiterss
qupzilla
qutebrowser
+raincat
rambox
redeclipse
+rednotebook
redshift
regextester
remmina
+retroarch
rhythmbox
rhythmbox-client
ricochet
@@ -685,6 +719,7 @@
ripperx
ristretto
rocketchat
+rpcs3
rtorrent
runenpass.sh
sayonara
@@ -693,6 +728,7 @@
scorchwentbonkers
scribus
sdat2img
+seafile-applet
seahorse
seahorse-adventures
seahorse-daemon
@@ -720,8 +756,8 @@
snox
soffice
sol
-sound-juicer
soundconverter
+sound-juicer
spectacle
spectral
spotify
@@ -755,7 +791,9 @@
teeworlds
telegram
telegram-desktop
+telnet
terasology
+tesseract
textmaker18
textmaker18free
thunderbird
@@ -763,6 +801,7 @@
thunderbird-wayland
tilp
tor-browser
+torbrowser
tor-browser-ar
tor-browser-ca
tor-browser-cs
@@ -784,6 +823,7 @@
tor-browser-ja
tor-browser-ka
tor-browser-ko
+torbrowser-launcher
tor-browser-nb
tor-browser-nl
tor-browser-pl
@@ -794,7 +834,6 @@
tor-browser-vi
tor-browser-zh-cn
tor-browser-zh-tw
-torbrowser-launcher
torcs
totem
tracker
@@ -813,6 +852,7 @@
trojita
truecraft
tshark
+tuir
tutanota-desktop
tuxguitar
tvbrowser
@@ -854,6 +894,7 @@
weechat-curses
wesnoth
wget
+wget2
whalebird
whois
widelands
@@ -862,10 +903,10 @@
wireshark
wireshark-gtk
wireshark-qt
+wordwarvi
wpp
wps
wpspdf
-wordwarvi
x2goclient
xbill
xcalc
@@ -900,13 +941,15 @@
youtube
youtube-dl
youtube-dl-gui
-youtube-viewer
youtubemusic-nativefier
+youtube-viewer
+yt-dlp
ytmdesktop
zaproxy
zart
zathura
zeal
+zim
zoom
# zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
# zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/firecfg.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/firejail-welcome.sh
^
|
@@ -0,0 +1,204 @@
+#!/bin/bash
+
+# This file is part of Firejail project
+# Copyright (C) 2020-2022 Firejail Authors
+# License GPL v2
+#
+# Usage: firejail-welcome PROGRAM SYSCONFDIR USER_NAME
+# where PROGRAM is detected and driven by firecfg.
+# SYSCONFDIR is most of the time /etc/firejail.
+#
+# The plan is to go with zenity by default. If zenity is not installed
+# we will provide a console-only replacement in /usr/lib/firejail/fzenity
+#
+
+if ! command -v "$1" >/dev/null; then
+ echo "Please install $1."
+ exit 1
+fi
+
+PROGRAM="sudo -u $3 $1"
+SYSCONFDIR=$2
+export LANG=en_US.UTF8
+
+TITLE="Firejail Configuration Guide"
+sed_scripts=()
+run_firecfg=false
+enable_u2f=false
+enable_drm=false
+enable_seccomp_kill=false
+enable_restricted_net=false
+enable_nonewprivs=false
+
+#******************************************************
+# Intro
+#******************************************************
+read -r -d $'\0' MSG_INTRO <<EOM
+<big><b>Welcome to Firejail!</b></big>
+
+This guide will walk you through some of the most common sandbox customizations.
+At the end of the guide you'll have the option to save your changes in Firejail's
+global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is saved
+as <b>/etc/firejal/firejail.config-</b>.
+
+Please note that running this script a second time can set new options, but does
+not clear options set in a previous run.
+
+Press OK to continue, or close this window to stop the program.
+
+EOM
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO"
+[[ $? -eq 1 ]] && exit 0
+
+#******************************************************
+# symlinks
+#******************************************************
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be sandboxed by default?</b></big>
+
+Currently, Firejail recognizes more than 1000 regular desktop programs. These programs
+can be sandboxed automatically when you start them.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+ run_firecfg=true
+fi
+
+#******************************************************
+# U2F
+#******************************************************
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+
+Universal Two-Factor (U2F) devices are used as a password store for online
+accounts. These devices usually come in a form of a USB key.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+ enable_u2f=true
+ sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+
+#******************************************************
+# DRM
+#******************************************************
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+
+The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications.
+This means that executing programs located in your home directory is forbidden.
+
+Browsers install proprietary DRM plug-ins such as Widevine in your home directory.
+In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This
+may give the people developing and distributing the plug-in access to your private
+data.
+
+NOTE: Software written in an interpreted language such as bash, python or java can
+always be started from home directory.
+
+HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+ enable_drm=true
+ sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+
+#******************************************************
+# nonewprivs
+#******************************************************
+read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM
+<big><b>Should we force nonewprivs by default?</b></big>
+
+nonewprivs is a Linux kernel feature that prevents programs from rising privileges.
+It is also a strong mitigation against exploits in Firejail. However, some programs
+like chromium, wireshark, or even ping might not work.
+
+NOTE: seccomp enables nonewprivs automatically. Most applications supported by
+default by Firejail are using seccomp.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then
+ enable_nonewprivs=true
+ sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+
+#******************************************************
+# restricted network
+#******************************************************
+read -r -d $'\0' MSG_Q_NETWORK <<EOM
+<big><b>Should we restrict network functionality?</b></big>
+
+Restrict all network related commands except '<tt>net none</tt>' to root only.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then
+ enable_restricted_net=true
+ sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+
+#******************************************************
+# seccomp kill
+#******************************************************
+read -r -d $'\0' MSG_Q_SECCOMP <<EOM
+<big><b>Should we kill programs that violate seccomp rules?</b></big>
+
+By default seccomp prevents the program from running the syscall and returns an error.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then
+ enable_seccomp_kill=true
+ sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+
+#******************************************************
+# root
+#******************************************************
+read -r -d $'\0' MSG_RUN <<EOM
+Now, I will apply the changes. This is what I will do:
+
+
+EOM
+MSG_RUN+="\n\n"
+if [[ "$run_firecfg" == "true" ]]; then
+ MSG_RUN+=" * enable Firejail for all recognized programs\n"
+fi
+if [[ "$enable_u2f" == "true" ]]; then
+ MSG_RUN+=" * allow browsers to access U2F devices\n"
+fi
+if [[ "$enable_drm" == "true" ]]; then
+ MSG_RUN+=" * allow browsers to play DRM content\n"
+fi
+if [[ "$enable_nonewprivs" == "true" ]]; then
+ MSG_RUN+=" * enable nonewprivs globally\n"
+fi
+if [[ "$enable_restricted_net" == "true" ]]; then
+ MSG_RUN+=" * restrict networking features\n"
+fi
+if [[ "$enable_seccomp_kill" == "true" ]]; then
+ MSG_RUN+=" * enable seccomp kill\n"
+fi
+MSG_RUN+="\n\nPress OK to continue, or close this window to stop the program."
+
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN"
+[[ $? -eq 1 ]] && exit 0
+
+if [[ -n "${sed_scripts[*]}" ]]; then
+ cp "$SYSCONFDIR"/firejail.config "$SYSCONFDIR"/firejail.config-
+ sed -i "${sed_scripts[@]}" "$SYSCONFDIR"/firejail.config
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+ # return 55 to inform firecfg symlinks are desired
+ exit 55
+fi
+
+#******************************************************
+# all done
+#******************************************************
+exit 0
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,6 +22,7 @@
#include "../include/firejail_user.h"
int arg_debug = 0;
char *arg_bindir = "/usr/local/bin";
+int arg_guide = 0;
static char *usage_str =
"Firecfg is the desktop configuration utility for Firejail software. The utility\n"
@@ -37,6 +38,7 @@
" --debug - print debug messages.\n\n"
" --fix - fix .desktop files.\n\n"
" --fix-sound - create ~/.config/pulse/client.conf file.\n\n"
+ " --guide - guided configuration for new users.\n\n"
" --help, -? - this help screen.\n\n"
" --list - list all firejail symbolic links.\n\n"
" --version - print program version and exit.\n\n"
@@ -171,17 +173,17 @@
free(fname);
}
-// parse /usr/lib/firejail/firecfg.cfg file
+// parse /etc/firejail/firecfg.config file
static void set_links_firecfg(void) {
char *cfgfile;
- if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
+ if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1)
errExit("asprintf");
char *firejail_exec;
if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
errExit("asprintf");
- // parse /usr/lib/firejail/firecfg.cfg file
+ // parse /etc/firejail/firecfg.config file
FILE *fp = fopen(cfgfile, "r");
if (!fp) {
perror("fopen");
@@ -373,6 +375,9 @@
fix_desktop_files(home);
return 0;
}
+ else if (strcmp(argv[i], "--guide") == 0) {
+ arg_guide = 1;
+ }
else if (strcmp(argv[i], "--list") == 0) {
list();
return 0;
@@ -437,10 +442,33 @@
umask(orig_umask);
}
+ if (arg_guide) {
+ char *cmd;
+if (arg_debug) {
+ if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/lib/firejail/fzenity %s %s", LIBDIR, SYSCONFDIR, user) == -1)
+ errExit("asprintf");
+}
+else {
+ if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/bin/zenity %s %s", LIBDIR, SYSCONFDIR, user) == -1)
+ errExit("asprintf");
+}
+ int status = system(cmd);
+ if (status == -1) {
+ fprintf(stderr, "Error: cannot run firejail-welcome.sh\n");
+ exit(1);
+ }
+ free(cmd);
+
+ // the last 8 bits of the status is the return value of the command executed by system()
+ // firejail-welcome.sh returns 55 if setting sysmlinks is required
+ if (WEXITSTATUS(status) != 55)
+ return 0;
+ }
+
// clear all symlinks
clean();
- // set new symlinks based on /usr/lib/firejail/firecfg.cfg
+ // set new symlinks based on /etc/firejail/firecfg.config
set_links_firecfg();
if (getuid() == 0) {
@@ -468,8 +496,6 @@
#endif
}
-
-
// set new symlinks based on ~/.config/firejail directory
set_links_homedir(home);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/sound.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/util.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/Makefile
^
|
@@ -0,0 +1,25 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = firejail
+TARGET = $(PROG)
+
+MOD_HDRS = \
+../include/rundefs.h \
+../include/common.h \
+../include/ldd_utils.h \
+../include/euid_common.h \
+../include/pid.h \
+../include/seccomp.h \
+../include/syscall_i386.h \
+../include/syscall_x86_64.h \
+../include/firejail_user.h
+
+MOD_OBJS = \
+../lib/common.o \
+../lib/ldd_utils.o \
+../lib/firejail_user.o \
+../lib/errno.o \
+../lib/syscall.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/appimage.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -45,10 +45,10 @@
assert(archive);
assert(strlen(archive));
- // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config
- FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r");
+ // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
+ FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
if (!fp) {
- fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config");
+ fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", SYSCONFDIR "/firecfg.config");
exit(1);
}
char buf[MAXBUF];
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/appimage_size.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/arp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,6 +20,7 @@
#include "firejail.h"
#include <sys/socket.h>
#include <sys/ioctl.h>
+#include <sys/time.h>
#include <linux/if_ether.h> //TCP/IP Protocol Suite for Linux
#include <net/if.h>
#include <netinet/in.h>
@@ -188,9 +189,14 @@
FD_SET(sock, &fds);
int maxfd = sock;
struct timeval ts;
- ts.tv_sec = 0; // 0.5 seconds wait time
- ts.tv_usec = 500000;
+ gettimeofday(&ts, NULL);
+ double timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5;
while (1) {
+ gettimeofday(&ts, NULL);
+ double now = ts.tv_sec + ts.tv_usec / 1000000.0;
+ double timeout = timerend - now;
+ ts.tv_sec = timeout;
+ ts.tv_usec = (timeout - ts.tv_sec) * 1000000;
int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts);
if (nready < 0)
errExit("select");
@@ -201,8 +207,8 @@
}
if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
errExit("send");
- ts.tv_sec = 0; // 0.5 seconds wait time
- ts.tv_usec = 500000;
+ gettimeofday(&ts, NULL);
+ timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5;
fflush(0);
}
else {
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/bandwidth.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/caps.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,6 +22,7 @@
#include <errno.h>
#include <linux/filter.h>
#include <stddef.h>
+#include <fcntl.h>
#include <linux/capability.h>
#include <linux/audit.h>
#include <sys/prctl.h>
@@ -381,34 +382,21 @@
}
#define MAXBUF 4098
-static uint64_t extract_caps(int pid) {
- EUID_ASSERT();
-
- char *file;
- if (asprintf(&file, "/proc/%d/status", pid) == -1)
- errExit("asprintf");
-
- EUID_ROOT(); // grsecurity
- FILE *fp = fopen(file, "re");
- EUID_USER(); // grsecurity
- if (!fp)
- goto errexit;
+static uint64_t extract_caps(ProcessHandle process) {
+ FILE *fp = process_fopen(process, "status");
char buf[MAXBUF];
while (fgets(buf, MAXBUF, fp)) {
if (strncmp(buf, "CapBnd:\t", 8) == 0) {
- char *ptr = buf + 8;
unsigned long long val;
- sscanf(ptr, "%llx", &val);
- free(file);
- fclose(fp);
- return val;
+ if (sscanf(buf + 8, "%llx", &val) == 1) {
+ fclose(fp);
+ return val;
+ }
+ break;
}
}
- fclose(fp);
-errexit:
- free(file);
fprintf(stderr, "Error: cannot read caps configuration\n");
exit(1);
}
@@ -416,13 +404,11 @@
void caps_print_filter(pid_t pid) {
EUID_ASSERT();
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- // exit if no permission to join the sandbox
- check_join_permission(pid);
+ uint64_t caps = extract_caps(sandbox);
+ unpin_process(sandbox);
- uint64_t caps = extract_caps(pid);
int i;
uint64_t mask;
int elems = sizeof(capslist) / sizeof(capslist[0]);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/checkcfg.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -51,6 +51,7 @@
cfg_val[i] = 1; // most of them are enabled by default
cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
+ cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0;
cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
cfg_val[CFG_FIREJAIL_PROMPT] = 0;
cfg_val[CFG_DISABLE_MNT] = 0;
@@ -58,6 +59,11 @@
cfg_val[CFG_XPRA_ATTACH] = 0;
cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
+ cfg_val[CFG_ALLOW_TRAY] = 0;
+ cfg_val[CFG_CHROOT] = 0;
+ cfg_val[CFG_SECCOMP_LOG] = 0;
+ cfg_val[CFG_PRIVATE_LIB] = 0;
+ cfg_val[CFG_TRACELOG] = 0;
// open configuration file
const char *fname = SYSCONFDIR "/firejail.config";
@@ -99,18 +105,18 @@
PARSE_YESNO(CFG_X11, "x11")
PARSE_YESNO(CFG_APPARMOR, "apparmor")
PARSE_YESNO(CFG_BIND, "bind")
- PARSE_YESNO(CFG_CGROUP, "cgroup")
PARSE_YESNO(CFG_NAME_CHANGE, "name-change")
PARSE_YESNO(CFG_USERNS, "userns")
PARSE_YESNO(CFG_CHROOT, "chroot")
PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
PARSE_YESNO(CFG_SECCOMP, "seccomp")
- PARSE_YESNO(CFG_WHITELIST, "whitelist")
PARSE_YESNO(CFG_NETWORK, "network")
PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
+ PARSE_YESNO(CFG_TRACELOG, "tracelog")
PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
+ PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted")
PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
@@ -123,6 +129,8 @@
PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+ PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
+ PARSE_YESNO(CFG_SECCOMP_LOG, "seccomp-log")
#undef PARSE_YESNO
// netfilter
@@ -299,6 +307,12 @@
exit(1);
}
+void print_version(void) {
+ printf("firejail version %s\n", VERSION);
+ printf("\n");
+ print_compiletime_support();
+ printf("\n");
+}
void print_compiletime_support(void) {
printf("Compile time support:\n");
@@ -342,24 +356,24 @@
#endif
);
- printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
+ printf("\t- file transfer support is %s\n",
+#ifdef HAVE_FILE_TRANSFER
"enabled"
#else
"disabled"
#endif
);
- printf("\t- file transfer support is %s\n",
-#ifdef HAVE_FILE_TRANSFER
+ printf("\t- firetunnel support is %s\n",
+#ifdef HAVE_FIRETUNNEL
"enabled"
#else
"disabled"
#endif
);
- printf("\t- firetunnel support is %s\n",
-#ifdef HAVE_FIRETUNNEL
+ printf("\t- IDS support is %s\n",
+#ifdef HAVE_IDS
"enabled"
#else
"disabled"
@@ -428,6 +442,4 @@
"disabled"
#endif
);
-
-
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/chroot.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,7 +22,6 @@
#include "firejail.h"
#include "../include/gcov_wrapper.h"
#include <sys/mount.h>
-#include <sys/sendfile.h>
#include <errno.h>
#include <fcntl.h>
@@ -34,41 +33,27 @@
void fs_check_chroot_dir(void) {
EUID_ASSERT();
assert(cfg.chrootdir);
- if (strstr(cfg.chrootdir, "..") ||
- is_link(cfg.chrootdir))
- goto errout;
// check chroot dirname exists, chrooting into the root directory is not allowed
char *rpath = realpath(cfg.chrootdir, NULL);
- if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0)
- goto errout;
-
- char *overlay;
- if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
- errExit("asprintf");
- if (strncmp(rpath, overlay, strlen(overlay)) == 0) {
- fprintf(stderr, "Error: invalid chroot directory: no directories in %s are allowed\n", overlay);
+ if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0) {
+ fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir);
exit(1);
}
- free(overlay);
cfg.chrootdir = rpath;
return;
-
-errout:
- fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir);
- exit(1);
}
// copy /etc/resolv.conf or /etc/machine-id in chroot directory
static void update_file(int parentfd, const char *relpath) {
assert(relpath && relpath[0] && relpath[0] != '/');
- char *abspath;
- if (asprintf(&abspath, "/%s", relpath) == -1)
- errExit("asprintf");
- int in = open(abspath, O_RDONLY|O_CLOEXEC);
- free(abspath);
+ int rootfd = open("/", O_PATH|O_CLOEXEC);
+ if (rootfd == -1)
+ errExit("open");
+ int in = openat(rootfd, relpath, O_RDONLY|O_CLOEXEC);
+ close(rootfd);
if (in == -1)
goto errout;
@@ -86,13 +71,13 @@
if (arg_debug)
printf("Updating chroot /%s\n", relpath);
unlinkat(parentfd, relpath, 0);
- int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (out == -1) {
close(in);
goto errout;
}
- if (sendfile(out, in, NULL, src.st_size) == -1)
- errExit("sendfile");
+ if (copy_file_by_fd(in, out) != 0)
+ errExit("copy_file_by_fd");
close(in);
close(out);
return;
@@ -134,6 +119,11 @@
int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
if (parentfd == -1)
errExit("safer_openat");
+
+ if (faccessat(parentfd, ".", X_OK, 0) != 0) {
+ fprintf(stderr, "Error: no search permission on chroot directory\n");
+ exit(1);
+ }
// rootdir has to be owned by root and is not allowed to be generally writable,
// this also excludes /tmp and friends
struct stat s;
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/cmdline.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/cpu.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -18,6 +18,7 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "firejail.h"
+#include <fcntl.h>
#include <sched.h>
#include <unistd.h>
#include <sys/stat.h>
@@ -87,22 +88,6 @@
}
}
-void load_cpu(const char *fname) {
- if (!fname)
- return;
-
- FILE *fp = fopen(fname, "re");
- if (fp) {
- unsigned tmp;
- int rv = fscanf(fp, "%x", &tmp);
- if (rv)
- cfg.cpus = (uint32_t) tmp;
- fclose(fp);
- }
- else
- fwarning("cannot load cpu affinity mask\n");
-}
-
void set_cpu_affinity(void) {
// set cpu affinity
cpu_set_t mask;
@@ -131,21 +116,8 @@
}
}
-static void print_cpu(int pid) {
- char *file;
- if (asprintf(&file, "/proc/%d/status", pid) == -1) {
- errExit("asprintf");
- exit(1);
- }
-
- EUID_ROOT(); // grsecurity
- FILE *fp = fopen(file, "re");
- EUID_USER(); // grsecurity
- if (!fp) {
- printf(" Error: cannot open %s\n", file);
- free(file);
- return;
- }
+static void print_cpu(ProcessHandle process) {
+ FILE *fp = process_fopen(process, "status");
#define MAXBUF 4096
char buf[MAXBUF];
@@ -153,28 +125,21 @@
if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
printf(" %s", buf);
fflush(0);
- free(file);
fclose(fp);
return;
}
}
fclose(fp);
- free(file);
}
-// allow any user to run --cpu.print
+// TODO: allow any user to run --cpu.print
void cpu_print_filter(pid_t pid) {
EUID_ASSERT();
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- // now check if the pid belongs to a firejail sandbox
- if (is_ready_for_join(pid) == false) {
- fprintf(stderr, "Error: no valid sandbox\n");
- exit(1);
- }
+ print_cpu(sandbox);
+ unpin_process(sandbox);
- print_cpu(pid);
exit(0);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/dbus.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -180,7 +180,7 @@
}
}
- if (num_matches > 0) {
+ if (num_matches > 0 && !arg_quiet) {
assert(first_match != NULL);
if (num_matches == 1) {
fprintf(stderr, "Ignoring \"%s\".\n", first_match);
@@ -297,11 +297,12 @@
if (dbus_proxy_pid == -1)
errExit("fork");
if (dbus_proxy_pid == 0) {
- int i;
- for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
- if (i != status_pipe[1] && i != args_pipe[0])
- close(i); // close open files
- }
+ // close open files
+ int keep[2];
+ keep[0] = status_pipe[1];
+ keep[1] = args_pipe[0];
+ close_all(keep, ARRAY_SIZE(keep));
+
if (arg_dbus_log_file != NULL) {
int output_fd = creat(arg_dbus_log_file, 0666);
if (output_fd < 0)
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/dhcp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/env.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,6 +22,7 @@
#include <sys/stat.h>
#include <unistd.h>
#include <dirent.h>
+#include <limits.h>
typedef struct env_t {
struct env_t *next;
@@ -117,10 +118,7 @@
// env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV);
// env_store_name_val("MOZ_NO_REMOTE, "1", SETENV);
env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc,
- if (!cfg.shell)
- cfg.shell = guess_shell();
- if (cfg.shell)
- env_store_name_val("SHELL", cfg.shell, SETENV);
+ env_store_name_val("SHELL", cfg.usershell, SETENV);
// spawn KIO slaves inside the sandbox
env_store_name_val("KDE_FORK_SLAVES", "1", SETENV);
@@ -262,7 +260,7 @@
"LANG",
"LANGUAGE",
"LC_MESSAGES",
- "PATH",
+ // "PATH",
"DISPLAY" // required by X11
};
@@ -311,6 +309,10 @@
errExit("clearenv");
env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+ // hardcoding PATH
+ if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+ errExit("setenv");
}
// Filter env variables for a sbox app
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/firejail.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,6 +22,7 @@
#include "../include/common.h"
#include "../include/euid_common.h"
#include "../include/rundefs.h"
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
#include <stdarg.h>
#include <sys/stat.h>
@@ -153,11 +154,15 @@
// user data
char *username;
char *homedir;
+ char *usershell;
// filesystem
ProfileEntry *profile;
+ ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
+
#define MAX_PROFILE_IGNORE 32
char *profile_ignore[MAX_PROFILE_IGNORE];
+ char *keep_fd; // inherit file descriptors to sandbox
char *chrootdir; // chroot directory
char *home_private; // private home directory
char *home_private_keep; // keep list for private home directory
@@ -193,6 +198,7 @@
char *seccomp_list_drop, *seccomp_list_drop32; // seccomp drop list
char *seccomp_list_keep, *seccomp_list_keep32; // seccomp keep list
char *protocol; // protocol list
+ char *restrict_namespaces; // namespaces list
char *seccomp_error_action; // error action: kill, log or errno
// rlimits
@@ -207,13 +213,11 @@
// cpu affinity, nice and control groups
uint32_t cpus;
int nice;
- char *cgroup;
// command line
char *command_line;
char *window_title;
char *command_name;
- char *shell;
char **original_argv;
int original_argc;
int original_program_index;
@@ -306,7 +310,6 @@
extern char *arg_netfilter6_file; // netfilter file
extern char *arg_netns; // "ip netns"-created network namespace to use
extern int arg_doubledash; // double dash
-extern int arg_shell_none; // run the program directly without a shell
extern int arg_private_dev; // private dev directory
extern int arg_keep_dev_shm; // preserve /dev/shm
extern int arg_private_etc; // private etc directory
@@ -321,6 +324,7 @@
extern int arg_nosound; // disable sound
extern int arg_novideo; //disable video devices in /dev
extern int arg_no3d; // disable 3d hardware acceleration
+extern int arg_noprinters; // disable printers
extern int arg_quiet; // no output for scripting
extern int arg_join_network; // join only the network namespace
extern int arg_join_filesystem; // join only the mount namespace
@@ -334,11 +338,13 @@
extern int arg_writable_var_log; // writable /var/log
extern int arg_appimage; // appimage
extern int arg_apparmor; // apparmor
+extern char *apparmor_profile; // apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
extern int arg_allow_debuggers; // allow debuggers
extern int arg_x11_block; // block X11
extern int arg_x11_xorg; // use X11 security extension
extern int arg_allusers; // all user home directories visible
-extern int arg_machineid; // preserve /etc/machine-id
+extern int arg_machineid; // spoof /etc/machine-id
extern int arg_disable_mnt; // disable /mnt and /media
extern int arg_noprofile; // use default.profile if none other found/specified
extern int arg_memory_deny_write_execute; // block writable and executable memory
@@ -347,6 +353,9 @@
extern int arg_nou2f; // --nou2f
extern int arg_noinput; // --noinput
extern int arg_deterministic_exit_code; // always exit with first child's exit status
+extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
+extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
+extern int arg_netlock; // netlocker
typedef enum {
DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
@@ -358,6 +367,7 @@
extern int arg_dbus_log_user;
extern int arg_dbus_log_system;
extern const char *arg_dbus_log_file;
+extern int arg_tab;
extern int login_shell;
extern int parent_to_child_fds[2];
@@ -379,7 +389,6 @@
#define SANDBOX_DONE '1'
int sandbox(void* sandbox_arg);
void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
-void set_apparmor(void);
// network_main.c
void net_configure_sandbox_ip(Bridge *br);
@@ -431,13 +440,15 @@
void disable_config(void);
// build a basic read-only filesystem
void fs_basic_fs(void);
-// mount overlayfs on top of / directory
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
-void fs_overlayfs(void);
void fs_private_tmp(void);
void fs_private_cache(void);
void fs_mnt(const int enforce);
+// fs_overlayfs.c
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
+void fs_overlayfs(void);
+int remove_overlay_directory(void);
+
// chroot.c
// chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
void fs_check_chroot_dir(void);
@@ -467,11 +478,29 @@
// usage.c
void usage(void);
+// process.c
+typedef struct processhandle_instance_t * ProcessHandle;
+
+ProcessHandle pin_process(pid_t pid);
+void unpin_process(ProcessHandle process);
+pid_t process_get_pid(ProcessHandle process);
+int process_get_fd(ProcessHandle process);
+int process_stat_nofail(ProcessHandle process, const char *fname, struct stat *s);
+int process_stat(ProcessHandle process, const char *fname, struct stat *s);
+int process_open_nofail(ProcessHandle process, const char *fname);
+int process_open(ProcessHandle process, const char *fname);
+FILE *process_fopen(ProcessHandle process, const char *fname);
+int process_join_namespace(ProcessHandle process, char *type);
+void process_send_signal(ProcessHandle process, int signum);
+ProcessHandle pin_parent_process(ProcessHandle process);
+ProcessHandle pin_child_process(ProcessHandle process, pid_t child);
+void process_rootfs_chroot(ProcessHandle process);
+int process_rootfs_stat(ProcessHandle process, const char *fname, struct stat *s);
+int process_rootfs_open(ProcessHandle process, const char *fname);
+
// join.c
+ProcessHandle pin_sandbox_process(pid_t pid);
void join(pid_t pid, int argc, char **argv, int index) __attribute__((noreturn));
-bool is_ready_for_join(const pid_t pid);
-void check_join_permission(pid_t pid);
-pid_t switch_to_child(pid_t pid);
// shutdown.c
void shut(pid_t pid);
@@ -499,7 +528,8 @@
void fwarning(char* fmt, ...);
void fmessage(char* fmt, ...);
long long unsigned parse_arg_size(char *str);
-void drop_privs(int nogroups);
+int check_can_drop_all_groups();
+void drop_privs(int force_nogroups);
int mkpath_as_root(const char* path);
void extract_command_name(int index, char **argv);
void logsignal(int s);
@@ -507,6 +537,7 @@
void logargs(int argc, char **argv) ;
void logerr(const char *msg);
void set_nice(int inc);
+int copy_file_by_fd(int src, int dst);
int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
@@ -514,6 +545,7 @@
int is_dir(const char *fname);
int is_link(const char *fname);
char *realpath_as_user(const char *fname);
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);
int stat_as_user(const char *fname, struct stat *s);
int lstat_as_user(const char *fname, struct stat *s);
void trim_trailing_slash_or_dot(char *path);
@@ -527,8 +559,7 @@
void wait_for_other(int fd);
void notify_other(int fd);
uid_t pid_get_uid(pid_t pid);
-uid_t get_group_id(const char *group);
-int remove_overlay_directory(void);
+gid_t get_group_id(const char *groupname);
void flush_stdin(void);
int create_empty_dir_as_user(const char *dir, mode_t mode);
void create_empty_dir_as_root(const char *dir, mode_t mode);
@@ -543,6 +574,7 @@
int bind_mount_by_fd(int src, int dst);
int bind_mount_path_to_fd(const char *srcname, int dst);
int bind_mount_fd_to_path(int src, const char *destname);
+void close_all(int *keep_list, size_t sz);
int has_handler(pid_t pid, int signal);
void enter_network_namespace(pid_t pid);
int read_pid(const char *name, pid_t *pid);
@@ -561,8 +593,8 @@
// mountinfo.c
MountData *get_last_mount(void);
-int get_mount_id(const char *path);
-char **build_mount_array(const int mount_id, const char *path);
+int get_mount_id(int fd);
+char **build_mount_array(const int mountid, const char *path);
// fs_var.c
void fs_var_log(void); // mounting /var/log
@@ -604,6 +636,7 @@
int seccomp_filter_drop(bool native);
int seccomp_filter_keep(bool native);
int seccomp_filter_mdwx(bool native);
+int seccomp_filter_namespaces(bool native, const char *list);
void seccomp_print_filter(pid_t pid) __attribute__((noreturn));
// caps.c
@@ -619,13 +652,13 @@
void caps_drop_dac_override(void);
// fs_trace.c
-void fs_trace_preload(void);
+void fs_trace_touch_preload(void);
+void fs_trace_touch_or_store_preload(void);
void fs_tracefile(void);
void fs_trace(void);
// fs_hostname.c
void fs_hostname(const char *hostname);
-void fs_resolvconf(void);
char *fs_check_hosts_file(const char *fname);
void fs_store_hosts_file(void);
void fs_mount_hosts_file(void);
@@ -636,19 +669,15 @@
// cpu.c
void read_cpu_list(const char *str);
void set_cpu_affinity(void);
-void load_cpu(const char *fname);
void save_cpu(void);
void cpu_print_filter(pid_t pid) __attribute__((noreturn));
-// cgroup.c
-void save_cgroup(void);
-void load_cgroup(const char *fname);
-void set_cgroup(const char *path);
-
// output.c
void check_output(int argc, char **argv);
// netfilter.c
+void netfilter_netlock(pid_t pid);
+void netfilter_trace(pid_t pid, const char *cmd);
void check_netfilter_file(const char *fname);
void netfilter(const char *fname);
void netfilter6(const char *fname);
@@ -668,6 +697,7 @@
void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list);
void fs_private_dir_mount(const char *private_dir, const char *private_run_dir);
void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_rebuild_etc(void);
// no_sandbox.c
int check_namespace_virt(void);
@@ -695,6 +725,7 @@
void fs_whitelist(void);
// pulseaudio.c
+void pipewire_disable(void);
void pulseaudio_init(void);
void pulseaudio_disable(void);
@@ -702,6 +733,8 @@
void fs_private_bin_list(void);
// fs_lib.c
+int is_firejail_link(const char *fname);
+char *find_in_path(const char *program);
void fs_private_lib(void);
// protocol.c
@@ -776,9 +809,9 @@
CFG_NETWORK,
CFG_RESTRICTED_NETWORK,
CFG_FORCE_NONEWPRIVS,
- CFG_WHITELIST,
CFG_XEPHYR_WINDOW_TITLE,
CFG_OVERLAYFS,
+ CFG_ETC_HIDE_BLACKLISTED,
CFG_PRIVATE_BIN,
CFG_PRIVATE_BIN_NO_LOCAL,
CFG_PRIVATE_CACHE,
@@ -796,10 +829,12 @@
CFG_BROWSER_ALLOW_DRM,
CFG_APPARMOR,
CFG_DBUS,
- CFG_CGROUP,
CFG_NAME_CHANGE,
CFG_SECCOMP_ERROR_ACTION,
// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
+ CFG_ALLOW_TRAY,
+ CFG_SECCOMP_LOG,
+ CFG_TRACELOG,
CFG_MAX // this should always be the last entry
};
extern char *xephyr_screen;
@@ -814,6 +849,7 @@
extern char **whitelist_reject_topdirs;
int checkcfg(int val);
+void print_version(void);
void print_compiletime_support(void);
// appimage.c
@@ -834,7 +870,6 @@
#define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread
#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread
-//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
#define PATH_FIREMON (PREFIX "/bin/firemon")
@@ -843,21 +878,18 @@
#define PATH_FSECCOMP_MAIN (LIBDIR "/firejail/fseccomp") // when called from main thread
#define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp") // when called from sandbox thread
-// FSEC_PRINT is run outside of sandbox by --seccomp.print
-// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
-#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_PRINT (RUN_FIREJAIL_LIB_DIR "/fsec-print")
-//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
-//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-//#define PATH_FLDD (LIBDIR "/firejail/fldd")
#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
+#define PATH_FIDS (LIBDIR "/firejail/fids")
+
// bitmapped filters for sbox_run
#define SBOX_ROOT (1 << 0) // run the sandbox as root
#define SBOX_USER (1 << 1) // run the sandbox as a regular user
@@ -869,7 +901,6 @@
#define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon
#define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
#define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
-#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
// run sbox
int sbox_run(unsigned filter, int num, ...);
@@ -882,6 +913,8 @@
void set_name_run_file(pid_t pid);
void set_x11_run_file(pid_t pid, int display);
void set_profile_run_file(pid_t pid, const char *fname);
+void set_sandbox_run_file(pid_t pid, pid_t child);
+void release_sandbox_lock(void);
// dbus.c
int dbus_check_name(const char *name);
@@ -902,4 +935,10 @@
// selinux.c
void selinux_relabel_path(const char *path, const char *inside_path);
+// ids.c
+void run_ids(int argc, char **argv);
+
+// oom.c
+void oom_set(const char *oom_string);
+
#endif
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,10 +20,7 @@
#include "firejail.h"
#include "../include/gcov_wrapper.h"
#include <sys/mount.h>
-#include <sys/stat.h>
#include <sys/statvfs.h>
-#include <sys/wait.h>
-#include <linux/limits.h>
#include <fnmatch.h>
#include <glob.h>
#include <dirent.h>
@@ -35,7 +32,7 @@
#endif
#define MAX_BUF 4096
-#define EMPTY_STRING ("")
+
// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
//#define TEST_NO_BLACKLIST_MATCHING
@@ -97,22 +94,31 @@
return;
}
- // if the file is not present, do nothing
assert(fname);
- struct stat s;
- if (stat(fname, &s) < 0) {
+ // check for firejail executable
+ // we might have a file found in ${PATH} pointing to /usr/bin/firejail
+ // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
+ // and expects Firefox to open in the same sandbox
+ if (strcmp(BINDIR "/firejail", fname) == 0) {
+ free(fname);
+ return;
+ }
+
+ // if the file is not present, do nothing
+ int fd = open(fname, O_PATH|O_CLOEXEC);
+ if (fd < 0) {
if (arg_debug)
- printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno));
+ printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
free(fname);
return;
}
- // check for firejail executable
- // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
- // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
- // and expects Firefox to open in the same sandbox
- if (strcmp(BINDIR "/firejail", fname) == 0) {
+ struct stat s;
+ if (fstat(fd, &s) < 0) {
+ if (arg_debug)
+ printf("Warning (blacklisting): cannot stat %s: %s\n", fname, strerror(errno));
free(fname);
+ close(fd);
return;
}
@@ -139,13 +145,6 @@
printf(" - no logging\n");
}
- int fd = open(fname, O_PATH|O_CLOEXEC);
- if (fd < 0) {
- if (arg_debug)
- printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
- free(fname);
- return;
- }
EUID_ROOT();
if (S_ISDIR(s.st_mode)) {
if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
@@ -156,12 +155,24 @@
errExit("disable file");
}
EUID_USER();
- close(fd);
if (op == BLACKLIST_FILE)
fs_logger2("blacklist", fname);
else
fs_logger2("blacklist-nolog", fname);
+
+ // files in /etc will be reprocessed during /etc rebuild
+ if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
+ ProfileEntry *prf = malloc(sizeof(ProfileEntry));
+ if (!prf)
+ errExit("malloc");
+ memset(prf, 0, sizeof(ProfileEntry));
+ prf->data = strdup(fname);
+ if (!prf->data)
+ errExit("strdup");
+ prf->next = cfg.profile_rebuild_etc;
+ cfg.profile_rebuild_etc = prf;
+ }
}
}
else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
@@ -170,8 +181,7 @@
else if (op == MOUNT_TMPFS) {
if (!S_ISDIR(s.st_mode)) {
fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
- free(fname);
- return;
+ goto out;
}
uid_t uid = getuid();
@@ -181,19 +191,18 @@
strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
fname[strlen(cfg.homedir)] != '/') {
fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
- free(fname);
- return;
+ goto out;
}
}
fs_tmpfs(fname, uid);
- EUID_USER(); // fs_tmpfs returns with EUID 0
-
selinux_relabel_path(fname, fname);
}
else
assert(0);
+out:
+ close(fd);
free(fname);
}
@@ -269,6 +278,8 @@
// blacklist files or directories by mounting empty files on top of them
void fs_blacklist(void) {
+ EUID_ASSERT();
+
ProfileEntry *entry = cfg.profile;
if (!entry)
return;
@@ -280,7 +291,6 @@
if (noblacklist == NULL)
errExit("failed allocating memory for noblacklist entries");
- EUID_USER();
while (entry) {
OPERATION op = OPERATION_MAX;
char *ptr;
@@ -456,8 +466,6 @@
for (i = 0; i < noblacklist_c; i++)
free(noblacklist[i]);
free(noblacklist);
-
- EUID_ROOT();
}
//***********************************************
@@ -466,7 +474,7 @@
// mount a writable tmpfs on directory; requires a resolved path
void fs_tmpfs(const char *dir, unsigned check_owner) {
- EUID_USER();
+ EUID_ASSERT();
assert(dir);
if (arg_debug)
printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -489,14 +497,15 @@
struct statvfs buf;
if (fstatvfs(fd, &buf) == -1)
errExit("fstatvfs");
- unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
+ unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
// mount via the symbolic link in /proc/self/fd
- EUID_ROOT();
char *proc;
if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
errExit("asprintf");
+ EUID_ROOT();
if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0)
errExit("mounting tmpfs");
+ EUID_USER();
// check the last mount operation
MountData *mdata = get_last_mount();
if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0)
@@ -521,7 +530,9 @@
if (fstat(fd, &s) < 0) {
// fstat can fail with EACCES if path is a FUSE mount,
// mounted without 'allow_root' or 'allow_other'
- if (errno != EACCES)
+ // fstat can also fail with EIO if the underlying FUSE system
+ // is being buggy
+ if (errno != EACCES && errno != EIO)
errExit("fstat");
close(fd);
goto out;
@@ -622,40 +633,37 @@
}
// remount recursively; requires a resolved path
-static void fs_remount_rec(const char *dir, OPERATION op) {
+static void fs_remount_rec(const char *path, OPERATION op) {
EUID_ASSERT();
- assert(dir);
+ assert(op < OPERATION_MAX);
+ assert(path);
- struct stat s;
- if (stat(dir, &s) != 0)
- return;
- if (!S_ISDIR(s.st_mode)) {
- // no need to search in /proc/self/mountinfo for submounts if not a directory
- fs_remount_simple(dir, op);
+ // no need to search /proc/self/mountinfo for submounts if not a directory
+ int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+ if (fd < 0) {
+ fs_remount_simple(path, op);
return;
}
- // get mount point of the directory
- int mountid = get_mount_id(dir);
- if (mountid == -1)
- return;
- if (mountid == -2) {
- // falling back to a simple remount on old kernels
- static int mount_warning = 0;
- if (!mount_warning) {
- fwarning("read-only, read-write and noexec options are not applied recursively\n");
- mount_warning = 1;
- }
- fs_remount_simple(dir, op);
+
+ // get mount id of the directory
+ int mountid = get_mount_id(fd);
+ close(fd);
+ if (mountid < 0) {
+ // falling back to a simple remount
+ fwarning("%s %s not applied recursively\n", opstr[op], path);
+ fs_remount_simple(path, op);
return;
}
+
// build array with all mount points that need to get remounted
- char **arr = build_mount_array(mountid, dir);
- assert(arr);
+ char **arr = build_mount_array(mountid, path);
+ if (!arr)
+ return;
// remount
- char **tmp = arr;
- while (*tmp) {
- fs_remount_simple(*tmp, op);
- free(*tmp++);
+ int i;
+ for (i = 0; arr[i]; i++) {
+ fs_remount_simple(arr[i], op);
+ free(arr[i]);
}
free(arr);
}
@@ -819,13 +827,16 @@
// disable firejail configuration in ~/.config/firejail
void disable_config(void) {
EUID_USER();
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
char *fname;
if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
errExit("asprintf");
disable_file(BLACKLIST_FILE, fname);
free(fname);
+#endif
// disable run time information
+ disable_file(BLACKLIST_FILE, RUN_FIREJAIL_SANDBOX_DIR);
disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
@@ -890,367 +901,6 @@
}
-
-#ifdef HAVE_OVERLAYFS
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
- assert(subdirname);
- EUID_ASSERT();
- struct stat s;
- char *dirname;
-
- if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
- errExit("asprintf");
- // check if ~/.firejail already exists
- if (lstat(dirname, &s) == 0) {
- if (!S_ISDIR(s.st_mode)) {
- if (S_ISLNK(s.st_mode))
- fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
- else
- fprintf(stderr, "Error: %s is not a directory\n", dirname);
- exit(1);
- }
- if (s.st_uid != getuid()) {
- fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
- exit(1);
- }
- }
- else {
- // create ~/.firejail directory
- create_empty_dir_as_user(dirname, 0700);
- if (stat(dirname, &s) == -1) {
- fprintf(stderr, "Error: cannot create directory %s\n", dirname);
- exit(1);
- }
- }
- free(dirname);
-
- // check overlay directory
- if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
- errExit("asprintf");
- if (lstat(dirname, &s) == 0) {
- if (!S_ISDIR(s.st_mode)) {
- if (S_ISLNK(s.st_mode))
- fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
- else
- fprintf(stderr, "Error: %s is not a directory\n", dirname);
- exit(1);
- }
- if (s.st_uid != 0) {
- fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
- exit(1);
- }
- if (allow_reuse == 0) {
- fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
- exit(1);
- }
- }
-
- return dirname;
-}
-
-
-
-// mount overlayfs on top of / directory
-// mounting an overlay and chrooting into it:
-//
-// Old Ubuntu kernel
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then unmount the overlay
-// # exit
-// # umount /root/overlay/root
-//
-// Kernels 3.18+
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mkdir -p overlay/work
-// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
-// # cat /etc/mtab | grep overlay
-// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then unmount the overlay
-// # exit
-// # umount /root/overlay/root
-
-
-// to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean
-#include <sys/utsname.h>
-void fs_overlayfs(void) {
- struct stat s;
-
- // check kernel version
- struct utsname u;
- int rv = uname(&u);
- if (rv != 0)
- errExit("uname");
- int major;
- int minor;
- if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
- fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
- exit(1);
- }
-
- if (arg_debug)
- printf("Linux kernel version %d.%d\n", major, minor);
- int oldkernel = 0;
- if (major < 3) {
- fprintf(stderr, "Error: minimum kernel version required 3.x\n");
- exit(1);
- }
- if (major == 3 && minor < 18)
- oldkernel = 1;
-
- // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
- // we disable overlayfs for now, pending fixing
- if (major >= 4 &&minor >= 19) {
- fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
- exit(1);
- }
-
- char *oroot = RUN_OVERLAY_ROOT;
- mkdir_attr(oroot, 0755, 0, 0);
-
- // set base for working and diff directories
- char *basedir = RUN_MNT_DIR;
- int basefd = -1;
-
- if (arg_overlay_keep) {
- basedir = cfg.overlay_dir;
- assert(basedir);
- // get a file descriptor for ~/.firejail, fails if there is any symlink
- char *firejail;
- if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
- errExit("asprintf");
- int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
- if (fd == -1)
- errExit("safer_openat");
- free(firejail);
- // create basedir if it doesn't exist
- // the new directory will be owned by root
- const char *dirname = gnu_basename(basedir);
- if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
- perror("mkdir");
- fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
- exit(1);
- }
- // open basedir
- basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
- close(fd);
- }
- else {
- basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
- }
- if (basefd == -1) {
- perror("open");
- fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
- exit(1);
- }
-
- // confirm once more base is owned by root
- if (fstat(basefd, &s) == -1)
- errExit("fstat");
- if (s.st_uid != 0) {
- fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
- exit(1);
- }
- // confirm permissions of base are 0755
- if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
- fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
- exit(1);
- }
-
- // create diff and work directories inside base
- // no need to check arg_overlay_reuse
- char *odiff;
- if (asprintf(&odiff, "%s/odiff", basedir) == -1)
- errExit("asprintf");
- // the new directory will be owned by root
- if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
- perror("mkdir");
- fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
- exit(1);
- }
- ASSERT_PERMS(odiff, 0, 0, 0755);
-
- char *owork;
- if (asprintf(&owork, "%s/owork", basedir) == -1)
- errExit("asprintf");
- // the new directory will be owned by root
- if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
- perror("mkdir");
- fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
- exit(1);
- }
- ASSERT_PERMS(owork, 0, 0, 0755);
-
- // mount overlayfs
- if (arg_debug)
- printf("Mounting OverlayFS\n");
- char *option;
- if (oldkernel) { // old Ubuntu/OpenSUSE kernels
- if (arg_overlay_keep) {
- fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
- exit(1);
- }
- if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
- errExit("asprintf");
- if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
- errExit("mounting overlayfs");
- }
- else { // kernel 3.18 or newer
- if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
- errExit("asprintf");
- if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
- fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
- errExit("mounting overlayfs");
- }
-
- //***************************
- // issue #263 start code
- // My setup has a separate mount point for /home. When the overlay is mounted,
- // the overlay does not contain the original /home contents.
- // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
- // @dshmgh, Jan 2016
- {
- char *overlayhome;
- struct stat s;
- char *hroot;
- char *hdiff;
- char *hwork;
-
- // dons add debug
- if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork);
-
- // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
- // must create var for oroot/cfg.homedir
- if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
- errExit("asprintf");
- if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
-
- // if no homedir in overlay -- create another overlay for /home
- if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
-
- // no need to check arg_overlay_reuse
- if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
- errExit("asprintf");
- // the new directory will be owned by root
- if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
- perror("mkdir");
- fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
- exit(1);
- }
- ASSERT_PERMS(hdiff, 0, 0, 0755);
-
- // no need to check arg_overlay_reuse
- if (asprintf(&hwork, "%s/hwork", basedir) == -1)
- errExit("asprintf");
- // the new directory will be owned by root
- if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
- perror("mkdir");
- fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
- exit(1);
- }
- ASSERT_PERMS(hwork, 0, 0, 0755);
-
- // no homedir in overlay so now mount another overlay for /home
- if (asprintf(&hroot, "%s/home", oroot) == -1)
- errExit("asprintf");
- if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
- errExit("asprintf");
- if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
- errExit("mounting overlayfs for mounted home directory");
-
- printf("OverlayFS for /home configured in %s directory\n", basedir);
- free(hroot);
- free(hdiff);
- free(hwork);
-
- } // stat(overlayhome)
- free(overlayhome);
- }
- // issue #263 end code
- //***************************
- }
- fmessage("OverlayFS configured in %s directory\n", basedir);
- close(basefd);
-
- // /dev, /run and /tmp are not covered by the overlay
- // mount-bind dev directory
- if (arg_debug)
- printf("Mounting /dev\n");
- char *dev;
- if (asprintf(&dev, "%s/dev", oroot) == -1)
- errExit("asprintf");
- if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mounting /dev");
- fs_logger("whitelist /dev");
-
- // mount-bind run directory
- if (arg_debug)
- printf("Mounting /run\n");
- char *run;
- if (asprintf(&run, "%s/run", oroot) == -1)
- errExit("asprintf");
- if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mounting /run");
- fs_logger("whitelist /run");
-
- // mount-bind tmp directory
- if (arg_debug)
- printf("Mounting /tmp\n");
- char *tmp;
- if (asprintf(&tmp, "%s/tmp", oroot) == -1)
- errExit("asprintf");
- if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mounting /tmp");
- fs_logger("whitelist /tmp");
-
- // chroot in the new filesystem
- __gcov_flush();
-
- if (chroot(oroot) == -1)
- errExit("chroot");
-
- // mount a new proc filesystem
- if (arg_debug)
- printf("Mounting /proc filesystem representing the PID namespace\n");
- if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
- errExit("mounting /proc");
-
- // update /var directory in order to support multiple sandboxes running on the same root directory
-// if (!arg_private_dev)
-// fs_dev_shm();
- fs_var_lock();
- if (!arg_keep_var_tmp)
- fs_var_tmp();
- if (!arg_writable_var_log)
- fs_var_log();
- fs_var_lib();
- fs_var_cache();
- fs_var_utmp();
- fs_machineid();
-
- // don't leak user information
- restrict_users();
-
- // when starting as root, firejail config is not disabled;
- if (getuid() != 0)
- disable_config();
-
- // cleanup and exit
- free(option);
- free(odiff);
- free(owork);
- free(dev);
- free(run);
- free(tmp);
-}
-#endif
-
// this function is called from sandbox.c before blacklist/whitelist functions
void fs_private_tmp(void) {
EUID_ASSERT();
@@ -1274,9 +924,11 @@
// whitelist x11 directory
profile_add("whitelist /tmp/.X11-unix");
- // read-only x11 directory
profile_add("read-only /tmp/.X11-unix");
+ // whitelist sndio directory
+ profile_add("whitelist /tmp/sndio");
+
// whitelist any pulse* file in /tmp directory
// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
DIR *dir;
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_bin.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -27,7 +27,7 @@
static int prog_cnt = 0;
-static char *paths[] = {
+static const char * const paths[] = {
"/usr/local/bin",
"/usr/bin",
"/bin",
@@ -40,10 +40,10 @@
};
// return 1 if found, 0 if not found
-static char *check_dir_or_file(const char *name) {
+static const char *check_dir_or_file(const char *name) {
+ EUID_ASSERT();
assert(name);
struct stat s;
- char *fname = NULL;
int i = 0;
while (paths[i]) {
@@ -54,50 +54,34 @@
}
// check file
+ char *fname;
if (asprintf(&fname, "%s/%s", paths[i], name) == -1)
errExit("asprintf");
if (arg_debug)
printf("Checking %s/%s\n", paths[i], name);
- if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
- // check symlink to firejail executable in /usr/local/bin
- if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
- /* coverity[toctou] */
- char *actual_path = realpath(fname, NULL);
- if (actual_path) {
- char *ptr = strstr(actual_path, "/firejail");
- if (ptr && strlen(ptr) == strlen("/firejail")) {
- if (arg_debug)
- printf("firejail exec symlink detected\n");
- free(actual_path);
- free(fname);
- fname = NULL;
- i++;
- continue;
- }
- free(actual_path);
- }
-
- }
+ if (stat(fname, &s) == 0 &&
+ !S_ISDIR(s.st_mode) && // do not allow directories
+ !is_firejail_link(fname)) { // skip symlinks to firejail executable, as created by firecfg
+ free(fname);
break; // file found
}
free(fname);
- fname = NULL;
i++;
}
- if (!fname) {
+ if (!paths[i]) {
if (arg_debug)
fwarning("file %s not found\n", name);
return NULL;
}
- free(fname);
return paths[i];
}
// return 1 if the file is in paths[]
static int valid_full_path_file(const char *name) {
+ EUID_ASSERT();
assert(name);
if (*name != '/')
@@ -149,6 +133,7 @@
}
static void duplicate(char *fname) {
+ EUID_ASSERT();
assert(fname);
if (*fname == '~' || strstr(fname, "..")) {
@@ -175,7 +160,7 @@
else {
// Find the standard directory (by looping through paths[])
// where the filename fname is located
- char *path = check_dir_or_file(fname);
+ const char *path = check_dir_or_file(fname);
if (!path)
return;
if (asprintf(&full_path, "%s/%s", path, fname) == -1)
@@ -220,6 +205,7 @@
}
static void globbing(char *fname) {
+ EUID_ASSERT();
assert(fname);
// go directly to duplicate() if no globbing char is present - see man 7 glob
@@ -256,6 +242,9 @@
// testing for GLOB_NOCHECK - no pattern matched returns the original pattern
if (strcmp(globbuf.gl_pathv[j], pattern) == 0)
continue;
+ // skip symlinks to firejail executable, as created by firecfg
+ if (is_firejail_link(globbuf.gl_pathv[j]))
+ continue;
duplicate(globbuf.gl_pathv[j]);
}
@@ -267,6 +256,7 @@
}
void fs_private_bin_list(void) {
+ EUID_ASSERT();
char *private_list = cfg.bin_private_keep;
assert(private_list);
@@ -274,7 +264,9 @@
timetrace_start();
// create /run/firejail/mnt/bin directory
+ EUID_ROOT();
mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
+ EUID_USER();
if (arg_debug)
printf("Copying files in the new bin directory\n");
@@ -293,9 +285,9 @@
while ((ptr = strtok(NULL, ",")) != NULL)
globbing(ptr);
free(dlist);
- fs_logger_print();
// mount-bind
+ EUID_ROOT();
int i = 0;
while (paths[i]) {
struct stat s;
@@ -309,6 +301,9 @@
}
i++;
}
+ fs_logger_print();
+ EUID_USER();
+
selinux_relabel_path(RUN_BIN_DIR, "/bin");
fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end());
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_dev.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,7 +20,6 @@
#include "firejail.h"
#include <sys/mount.h>
#include <sys/stat.h>
-#include <linux/limits.h>
#include <glob.h>
#include <dirent.h>
#include <fcntl.h>
@@ -330,8 +329,10 @@
}
// disable all jack sockets in /dev/shm
+ EUID_USER();
glob_t globbuf;
int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+ EUID_ROOT();
if (globerr)
return;
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_etc.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -24,6 +24,7 @@
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
+#include <dirent.h>
// spoof /etc/machine_id
void fs_machineid(void) {
@@ -103,7 +104,10 @@
*q = '\0';
*r = '/';
r = q;
- create_empty_dir_as_root(dst, s.st_mode);
+ if (mkdir(dst, 0700) != 0 && errno != EEXIST)
+ errExit("mkdir");
+ if (chmod(dst, s.st_mode) != 0)
+ errExit("chmod");
}
if (!last) {
// If we're not at the final terminating null, restore
@@ -141,7 +145,7 @@
static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
assert(fname);
- if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+ if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
exit(1);
}
@@ -164,7 +168,14 @@
errExit("asprintf");
build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
- sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+
+ // follow links! this will make a copy of the file or directory pointed by the symlink
+ // this will solve problems such as NixOS #4887
+ // don't follow links to dynamic directories such as /proc
+ if (strcmp(src, "/etc/mtab") == 0)
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+ else
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
free(dst);
fs_logger2("clone", src);
@@ -250,3 +261,134 @@
fs_private_dir_mount(private_dir, private_run_dir);
fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
}
+
+void fs_rebuild_etc(void) {
+ int have_dhcp = 1;
+ if (cfg.dns1 == NULL && !any_dhcp()) {
+ // Disabling this option ensures that updates to files using
+ // rename(2) propagate into the sandbox, in order to avoid
+ // breaking /etc/resolv.conf (issue #5010).
+ if (!checkcfg(CFG_ETC_HIDE_BLACKLISTED))
+ return;
+ have_dhcp = 0;
+ }
+
+ if (arg_debug)
+ printf("rebuilding /etc directory\n");
+ if (mkdir(RUN_DNS_ETC, 0755))
+ errExit("mkdir");
+ selinux_relabel_path(RUN_DNS_ETC, "/etc");
+ fs_logger("tmpfs /etc");
+
+ DIR *dir = opendir("/etc");
+ if (!dir)
+ errExit("opendir");
+
+ struct stat s;
+ struct dirent *entry;
+ while ((entry = readdir(dir))) {
+ if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+ continue;
+
+ // skip files in cfg.profile_rebuild_etc list
+ // these files are already blacklisted
+ {
+ ProfileEntry *prf = cfg.profile_rebuild_etc;
+ int found = 0;
+ while (prf) {
+ if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/")
+ found = 1;
+ break;
+ }
+ prf = prf->next;
+ }
+ if (found)
+ continue;
+ }
+
+ // for resolv.conf we might have to create a brand new file later
+ if (have_dhcp &&
+ (strcmp(entry->d_name, "resolv.conf") == 0 ||
+ strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0))
+ continue;
+// printf("linking %s\n", entry->d_name);
+
+ char *src;
+ if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
+ errExit("asprintf");
+ if (stat(src, &s) != 0) {
+ free(src);
+ continue;
+ }
+
+ char *dest;
+ if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
+ errExit("asprintf");
+
+ int symlink_done = 0;
+ if (is_link(src)) {
+ char *rp =realpath(src, NULL);
+ if (rp == NULL) {
+ free(src);
+ free(dest);
+ continue;
+ }
+ if (symlink(rp, dest))
+ errExit("symlink");
+ else
+ symlink_done = 1;
+ }
+ else if (S_ISDIR(s.st_mode))
+ create_empty_dir_as_root(dest, S_IRWXU);
+ else
+ create_empty_file_as_root(dest, S_IRUSR | S_IWUSR);
+
+ // bind-mount src on top of dest
+ if (!symlink_done) {
+ if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mount bind mirroring /etc");
+ }
+ fs_logger2("clone", src);
+
+ free(src);
+ free(dest);
+ }
+ closedir(dir);
+
+ // mount bind our private etc directory on top of /etc
+ if (arg_debug)
+ printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
+ if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mount bind mirroring /etc");
+ fs_logger("mount /etc");
+
+ if (have_dhcp == 0)
+ return;
+
+ if (arg_debug)
+ printf("Creating a new /etc/resolv.conf file\n");
+ FILE *fp = fopen("/etc/resolv.conf", "wxe");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
+ exit(1);
+ }
+
+ if (cfg.dns1) {
+ if (any_dhcp())
+ fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
+ fprintf(fp, "nameserver %s\n", cfg.dns1);
+ }
+ if (cfg.dns2)
+ fprintf(fp, "nameserver %s\n", cfg.dns2);
+ if (cfg.dns3)
+ fprintf(fp, "nameserver %s\n", cfg.dns3);
+ if (cfg.dns4)
+ fprintf(fp, "nameserver %s\n", cfg.dns4);
+
+ // mode and owner
+ SET_PERMS_STREAM(fp, 0, 0, 0644);
+
+ fclose(fp);
+
+ fs_logger("create /etc/resolv.conf");
+}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_home.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -19,7 +19,6 @@
*/
#include "firejail.h"
#include <sys/mount.h>
-#include <linux/limits.h>
#include <dirent.h>
#include <errno.h>
#include <sys/stat.h>
@@ -34,13 +33,37 @@
#define O_PATH 010000000
#endif
+static void disable_tab_completion(const char *homedir) {
+ if (arg_tab)
+ return;
+
+ char *fname;
+ if (asprintf(&fname, "%s/.inputrc", homedir) == -1)
+ errExit("asprintf");
+
+ // don't create a new one if we already have it
+ if (access(fname, F_OK)) {
+ FILE *fp = fopen(fname, "w");
+ if (!fp)
+ errExit("fopen");
+ fprintf(fp, "set disable-completion on\n");
+ fclose(fp);
+ if (chmod(fname, 0644))
+ errExit("chmod");
+ }
+ free(fname);
+}
+
+
static void skel(const char *homedir) {
EUID_ASSERT();
+ char *fname;
+
+ disable_tab_completion(homedir);
// zsh
- if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
+ if (strcmp(cfg.usershell,"/usr/bin/zsh") == 0 || strcmp(cfg.usershell,"/bin/zsh") == 0) {
// copy skel files
- char *fname;
if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
errExit("asprintf");
// don't copy it if we already have the file
@@ -63,9 +86,8 @@
free(fname);
}
// csh
- else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
+ else if (strcmp(cfg.usershell,"/bin/csh") == 0) {
// copy skel files
- char *fname;
if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
errExit("asprintf");
// don't copy it if we already have the file
@@ -90,7 +112,6 @@
// bash etc.
else {
// copy skel files
- char *fname;
if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
errExit("asprintf");
// don't copy it if we already have the file
@@ -381,12 +402,14 @@
selinux_relabel_path("/home", "/home");
fs_logger("tmpfs /home");
}
+ EUID_USER();
if (u != 0) {
if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) {
// create new empty /home/user directory
if (arg_debug)
printf("Create a new user directory\n");
+ EUID_ROOT();
if (mkdir(homedir, S_IRWXU) == -1) {
if (mkpath_as_root(homedir) == -1)
errExit("mkpath");
@@ -395,7 +418,7 @@
}
if (chown(homedir, u, g) < 0)
errExit("chown");
-
+ EUID_USER();
fs_logger2("mkdir", homedir);
fs_logger2("tmpfs", homedir);
}
@@ -406,7 +429,6 @@
selinux_relabel_path(homedir, homedir);
}
- EUID_USER();
skel(homedir);
if (xflag)
@@ -433,18 +455,33 @@
}
// check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+// $ firejail --private --private-cwd=. --noprofile ls
+// issue #4780: exposes full home directory, not the --private one
+// $ firejail --private-cwd=.. --noprofile ls -> error: full dir path required
+// $ firejail --private-cwd=/etc --noprofile ls -> OK
+// $ firejail --private-cwd=FULL-SYMLINK-PATH --noprofile ls -> error: no symlinks
+// $ firejail --private --private-cwd="${HOME}" --noprofile ls -al --> OK
+// $ firejail --private --private-cwd='${HOME}' --noprofile ls -al --> OK
+// $ firejail --private-cwd --> OK: should go in top of the home dir
+// profile with "private-cwd ${HOME}
void fs_check_private_cwd(const char *dir) {
EUID_ASSERT();
invalid_filename(dir, 0); // no globbing
+ if (strcmp(dir, ".") == 0)
+ goto errout;
// Expand the working directory
cfg.cwd = expand_macros(dir);
// realpath/is_dir not used because path may not exist outside of jail
- if (strstr(cfg.cwd, "..")) {
- fprintf(stderr, "Error: invalid private working directory\n");
- exit(1);
- }
+ if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
+ goto errout;
+
+ return;
+errout:
+ fprintf(stderr, "Error: invalid private working directory\n");
+ exit(1);
}
//***********************************************************************************
@@ -564,12 +601,13 @@
int xflag = store_xauthority();
int aflag = store_asoundrc();
- // create /run/firejail/mnt/home directory
EUID_ROOT();
+ // create /run/firejail/mnt/home directory
mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
selinux_relabel_path(RUN_HOME_DIR, homedir);
- fs_logger_print(); // save the current log
+ // save the current log
+ fs_logger_print();
EUID_USER();
// copy the list of files in the new home directory
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_hostname.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,7 +20,6 @@
#include "firejail.h"
#include <sys/mount.h>
#include <sys/stat.h>
-#include <linux/limits.h>
#include <glob.h>
#include <dirent.h>
#include <fcntl.h>
@@ -33,7 +32,7 @@
if (arg_debug)
printf("Creating a new /etc/hostname file\n");
- create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
// bind-mount the file on top of /etc/hostname
if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -75,7 +74,7 @@
}
fclose(fp1);
// mode and owner
- SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
fclose(fp2);
// bind-mount the file on top of /etc/hostname
@@ -88,118 +87,11 @@
exit(1);
}
-void fs_resolvconf(void) {
- if (cfg.dns1 == NULL && !any_dhcp())
- return;
-
- if (arg_debug)
- printf("mirroring /etc directory\n");
- if (mkdir(RUN_DNS_ETC, 0755))
- errExit("mkdir");
- selinux_relabel_path(RUN_DNS_ETC, "/etc");
- fs_logger("tmpfs /etc");
-
- DIR *dir = opendir("/etc");
- if (!dir)
- errExit("opendir");
-
- struct stat s;
- struct dirent *entry;
- while ((entry = readdir(dir))) {
- if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
- continue;
- // for resolv.conf we create a brand new file
- if (strcmp(entry->d_name, "resolv.conf") == 0 ||
- strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0)
- continue;
-// printf("linking %s\n", entry->d_name);
-
- char *src;
- if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
- errExit("asprintf");
- if (stat(src, &s) != 0) {
- free(src);
- continue;
- }
-
- char *dest;
- if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
- errExit("asprintf");
-
- int symlink_done = 0;
- if (is_link(src)) {
- char *rp =realpath(src, NULL);
- if (rp == NULL) {
- free(src);
- free(dest);
- continue;
- }
- if (symlink(rp, dest))
- errExit("symlink");
- else
- symlink_done = 1;
- }
- else if (S_ISDIR(s.st_mode))
- create_empty_dir_as_root(dest, s.st_mode);
- else
- create_empty_file_as_root(dest, s.st_mode);
-
- // bind-mount src on top of dest
- if (!symlink_done) {
- if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mount bind mirroring /etc");
- }
- fs_logger2("clone", src);
-
- free(src);
- free(dest);
- }
- closedir(dir);
-
- // mount bind our private etc directory on top of /etc
- if (arg_debug)
- printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
- if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mount bind mirroring /etc");
- fs_logger("mount /etc");
-
- if (arg_debug)
- printf("Creating a new /etc/resolv.conf file\n");
- FILE *fp = fopen("/etc/resolv.conf", "wxe");
- if (!fp) {
- fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
- exit(1);
- }
-
- if (cfg.dns1) {
- if (any_dhcp())
- fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
- fprintf(fp, "nameserver %s\n", cfg.dns1);
- }
- if (cfg.dns2)
- fprintf(fp, "nameserver %s\n", cfg.dns2);
- if (cfg.dns3)
- fprintf(fp, "nameserver %s\n", cfg.dns3);
- if (cfg.dns4)
- fprintf(fp, "nameserver %s\n", cfg.dns4);
-
- // mode and owner
- SET_PERMS_STREAM(fp, 0, 0, 0644);
-
- fclose(fp);
-
- fs_logger("create /etc/resolv.conf");
-}
-
char *fs_check_hosts_file(const char *fname) {
assert(fname);
invalid_filename(fname, 0); // no globbing
char *rv = expand_macros(fname);
- // no a link
- if (is_link(rv))
- goto errexit;
-
// the user has read access to the file
if (access(rv, R_OK))
goto errexit;
@@ -222,9 +114,6 @@
struct stat s;
if (stat("/etc/hosts", &s) == -1)
goto errexit;
- // not a link
- if (is_link("/etc/hosts"))
- goto errexit;
// owned by root
if (s.st_uid != 0)
goto errexit;
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_lib.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -61,17 +61,31 @@
return 0;
}
+// return 1 if symlink to firejail executable
+int is_firejail_link(const char *fname) {
+ EUID_ASSERT();
+
+ if (!is_link(fname))
+ return 0;
+
+ char *rp = realpath(fname, NULL);
+ if (!rp)
+ return 0;
+
+ int rv = 0;
+ const char *base = gnu_basename(rp);
+ if (strcmp(base, "firejail") == 0)
+ rv = 1;
+
+ free(rp);
+ return rv;
+}
+
char *find_in_path(const char *program) {
EUID_ASSERT();
if (arg_debug)
printf("Searching $PATH for %s\n", program);
- char self[MAXBUF];
- ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1);
- if (len < 0)
- errExit("readlink");
- self[len] = '\0';
-
const char *path = env_get("PATH");
if (!path)
return NULL;
@@ -88,18 +102,12 @@
if (arg_debug)
printf("trying #%s#\n", fname);
struct stat s;
- if (stat(fname, &s) == 0) {
- // but skip links created by firecfg
- char *rp = realpath(fname, NULL);
- if (!rp)
- errExit("realpath");
- if (strcmp(self, rp) != 0) {
- free(rp);
- free(dup);
- return fname;
- }
- free(rp);
+ if (stat(fname, &s) == 0 &&
+ !is_firejail_link(fname)) { // skip links created by firecfg
+ free(dup);
+ return fname;
}
+
free(fname);
tok = strtok(NULL, ":");
}
@@ -195,6 +203,11 @@
assert(full_path);
// if library/executable does not exist or the user does not have read access to it
// print a warning and exit the function.
+ if (access(full_path, F_OK)) {
+ if (arg_debug || arg_debug_private_lib)
+ printf("Cannot find %s, skipping...\n", full_path);
+ return;
+ }
if (user && access(full_path, R_OK)) {
if (arg_debug || arg_debug_private_lib)
printf("Cannot read %s, skipping...\n", full_path);
@@ -263,9 +276,9 @@
assert(lib);
// filename check
- int len = strlen(lib);
- if (strcspn(lib, "\\&!?\"'<>%^(){}[];,") != (size_t)len ||
- strstr(lib, "..")) {
+ reject_meta_chars(lib, 1);
+
+ if (strstr(lib, "..")) {
fprintf(stderr, "Error: \"%s\" is an invalid library\n", lib);
exit(1);
}
@@ -379,8 +392,7 @@
char *private_list = cfg.lib_private_keep;
if (arg_debug || arg_debug_private_lib)
printf("Starting private-lib processing: program %s, shell %s\n",
- (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",
- (arg_shell_none)? "none": cfg.shell);
+ (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none", cfg.usershell);
// create /run/firejail/mnt/lib directory
mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
@@ -417,15 +429,15 @@
}
}
- // for the shell
- if (!arg_shell_none) {
- if (arg_debug || arg_debug_private_lib)
- printf("Installing shell libraries\n");
-
- fslib_install_list(cfg.shell);
- // a shell is useless without some basic commands
- fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm");
- }
+// Note: this might be used for appimages!!!
+// if (!arg_shell_none) {
+// if (arg_debug || arg_debug_private_lib)
+// printf("Installing shell libraries\n");
+//
+// fslib_install_list(cfg.shell);
+// // a shell is useless without some basic commands
+// fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm");
+// }
// for the listed libs and directories
if (private_list && *private_list != '\0') {
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_lib2.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -143,7 +143,7 @@
NULL,
};
- // need to parse as root user, unprivileged users have no read permission on executables
+ // need to parse as root user, unprivileged users have no read permission on some of these binaries
int i;
for (i = 0; fbin[i]; i++)
fslib_mount_libs(fbin[i], 0);
@@ -153,7 +153,9 @@
timetrace_start();
// bring in firejail executable libraries, in case we are redirected here
// by a firejail symlink from /usr/local/bin/firejail
- fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
+ // fldd might have no read permission on the firejail executable
+ // parse as root in order to support these setups
+ fslib_mount_libs(PATH_FIREJAIL, 0);
// bring in firejail directory
fdir();
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_logger.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,6 +22,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
+#include <fcntl.h>
#define MAXBUF 4098
@@ -120,24 +121,21 @@
void fs_logger_print_log(pid_t pid) {
EUID_ASSERT();
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- // exit if no permission to join the sandbox
- check_join_permission(pid);
+ // chroot in the sandbox
+ process_rootfs_chroot(sandbox);
+ unpin_process(sandbox);
- // print RUN_FSLOGGER_FILE
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_FSLOGGER_FILE) == -1)
- errExit("asprintf");
+ drop_privs(0);
- EUID_ROOT();
- FILE *fp = fopen(fname, "re");
- free(fname);
+ // print RUN_FSLOGGER_FILE
+ FILE *fp = fopen(RUN_FSLOGGER_FILE, "re");
if (!fp) {
fprintf(stderr, "Error: Cannot open filesystem log\n");
exit(1);
}
+
char buf[MAXBUF];
while (fgets(buf, MAXBUF, fp))
printf("%s", buf);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_mkdir.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_overlayfs.c
^
|
@@ -0,0 +1,470 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifdef HAVE_OVERLAYFS
+#include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <ftw.h>
+#include <errno.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+ assert(subdirname);
+ EUID_ASSERT();
+ struct stat s;
+ char *dirname;
+
+ if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+ // check if ~/.firejail already exists
+ if (lstat(dirname, &s) == 0) {
+ if (!S_ISDIR(s.st_mode)) {
+ if (S_ISLNK(s.st_mode))
+ fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+ else
+ fprintf(stderr, "Error: %s is not a directory\n", dirname);
+ exit(1);
+ }
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
+ exit(1);
+ }
+ }
+ else {
+ // create ~/.firejail directory
+ create_empty_dir_as_user(dirname, 0700);
+ if (stat(dirname, &s) == -1) {
+ fprintf(stderr, "Error: cannot create directory %s\n", dirname);
+ exit(1);
+ }
+ }
+ free(dirname);
+
+ // check overlay directory
+ if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+ errExit("asprintf");
+ if (lstat(dirname, &s) == 0) {
+ if (!S_ISDIR(s.st_mode)) {
+ if (S_ISLNK(s.st_mode))
+ fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+ else
+ fprintf(stderr, "Error: %s is not a directory\n", dirname);
+ exit(1);
+ }
+ if (s.st_uid != 0) {
+ fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
+ exit(1);
+ }
+ if (allow_reuse == 0) {
+ fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
+ exit(1);
+ }
+ }
+
+ return dirname;
+}
+
+
+// mount overlayfs on top of / directory
+// mounting an overlay and chrooting into it:
+//
+// Old Ubuntu kernel
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then unmount the overlay
+// # exit
+// # umount /root/overlay/root
+//
+// Kernels 3.18+
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mkdir -p overlay/work
+// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
+// # cat /etc/mtab | grep overlay
+// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then unmount the overlay
+// # exit
+// # umount /root/overlay/root
+
+// to do: fix the code below
+#include <sys/utsname.h>
+void fs_overlayfs(void) {
+ struct stat s;
+
+ // check kernel version
+ struct utsname u;
+ int rv = uname(&u);
+ if (rv != 0)
+ errExit("uname");
+ int major;
+ int minor;
+ if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+ fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+ exit(1);
+ }
+
+ if (arg_debug)
+ printf("Linux kernel version %d.%d\n", major, minor);
+ int oldkernel = 0;
+ if (major < 3) {
+ fprintf(stderr, "Error: minimum kernel version required 3.x\n");
+ exit(1);
+ }
+ if (major == 3 && minor < 18)
+ oldkernel = 1;
+
+ // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
+ // we disable overlayfs for now, pending fixing
+ if (major >= 4 &&minor >= 19) {
+ fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
+ exit(1);
+ }
+
+ char *oroot = RUN_OVERLAY_ROOT;
+ mkdir_attr(oroot, 0755, 0, 0);
+
+ // set base for working and diff directories
+ char *basedir = RUN_MNT_DIR;
+ int basefd = -1;
+
+ if (arg_overlay_keep) {
+ basedir = cfg.overlay_dir;
+ assert(basedir);
+ // get a file descriptor for ~/.firejail, fails if there is any symlink
+ char *firejail;
+ if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+ int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+ if (fd == -1)
+ errExit("safer_openat");
+ free(firejail);
+ // create basedir if it doesn't exist
+ // the new directory will be owned by root
+ const char *dirname = gnu_basename(basedir);
+ if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
+ perror("mkdir");
+ fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
+ exit(1);
+ }
+ // open basedir
+ basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+ close(fd);
+ }
+ else {
+ basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+ }
+ if (basefd == -1) {
+ perror("open");
+ fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
+ exit(1);
+ }
+
+ // confirm once more base is owned by root
+ if (fstat(basefd, &s) == -1)
+ errExit("fstat");
+ if (s.st_uid != 0) {
+ fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
+ exit(1);
+ }
+ // confirm permissions of base are 0755
+ if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
+ fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
+ exit(1);
+ }
+
+ // create diff and work directories inside base
+ // no need to check arg_overlay_reuse
+ char *odiff;
+ if (asprintf(&odiff, "%s/odiff", basedir) == -1)
+ errExit("asprintf");
+ // the new directory will be owned by root
+ if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
+ perror("mkdir");
+ fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
+ exit(1);
+ }
+ ASSERT_PERMS(odiff, 0, 0, 0755);
+
+ char *owork;
+ if (asprintf(&owork, "%s/owork", basedir) == -1)
+ errExit("asprintf");
+ // the new directory will be owned by root
+ if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
+ perror("mkdir");
+ fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
+ exit(1);
+ }
+ ASSERT_PERMS(owork, 0, 0, 0755);
+
+ // mount overlayfs
+ if (arg_debug)
+ printf("Mounting OverlayFS\n");
+ char *option;
+ if (oldkernel) { // old Ubuntu/OpenSUSE kernels
+ if (arg_overlay_keep) {
+ fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
+ exit(1);
+ }
+ if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
+ errExit("asprintf");
+ if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
+ errExit("mounting overlayfs");
+ }
+ else { // kernel 3.18 or newer
+ if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
+ errExit("asprintf");
+ if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
+ fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
+ errExit("mounting overlayfs");
+ }
+
+ //***************************
+ // issue #263 start code
+ // My setup has a separate mount point for /home. When the overlay is mounted,
+ // the overlay does not contain the original /home contents.
+ // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
+ // @dshmgh, Jan 2016
+ {
+ char *overlayhome;
+ struct stat s;
+ char *hroot;
+ char *hdiff;
+ char *hwork;
+
+ // dons add debug
+ if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork);
+
+ // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
+ // must create var for oroot/cfg.homedir
+ if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
+ errExit("asprintf");
+ if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
+
+ // if no homedir in overlay -- create another overlay for /home
+ if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
+
+ // no need to check arg_overlay_reuse
+ if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
+ errExit("asprintf");
+ // the new directory will be owned by root
+ if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
+ perror("mkdir");
+ fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
+ exit(1);
+ }
+ ASSERT_PERMS(hdiff, 0, 0, 0755);
+
+ // no need to check arg_overlay_reuse
+ if (asprintf(&hwork, "%s/hwork", basedir) == -1)
+ errExit("asprintf");
+ // the new directory will be owned by root
+ if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
+ perror("mkdir");
+ fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
+ exit(1);
+ }
+ ASSERT_PERMS(hwork, 0, 0, 0755);
+
+ // no homedir in overlay so now mount another overlay for /home
+ if (asprintf(&hroot, "%s/home", oroot) == -1)
+ errExit("asprintf");
+ if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
+ errExit("asprintf");
+ if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
+ errExit("mounting overlayfs for mounted home directory");
+
+ printf("OverlayFS for /home configured in %s directory\n", basedir);
+ free(hroot);
+ free(hdiff);
+ free(hwork);
+
+ } // stat(overlayhome)
+ free(overlayhome);
+ }
+ // issue #263 end code
+ //***************************
+ }
+ fmessage("OverlayFS configured in %s directory\n", basedir);
+ close(basefd);
+
+ // /dev, /run and /tmp are not covered by the overlay
+ // mount-bind dev directory
+ if (arg_debug)
+ printf("Mounting /dev\n");
+ char *dev;
+ if (asprintf(&dev, "%s/dev", oroot) == -1)
+ errExit("asprintf");
+ if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mounting /dev");
+ fs_logger("whitelist /dev");
+
+ // mount-bind run directory
+ if (arg_debug)
+ printf("Mounting /run\n");
+ char *run;
+ if (asprintf(&run, "%s/run", oroot) == -1)
+ errExit("asprintf");
+ if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mounting /run");
+ fs_logger("whitelist /run");
+
+ // mount-bind tmp directory
+ if (arg_debug)
+ printf("Mounting /tmp\n");
+ char *tmp;
+ if (asprintf(&tmp, "%s/tmp", oroot) == -1)
+ errExit("asprintf");
+ if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mounting /tmp");
+ fs_logger("whitelist /tmp");
+
+ // chroot in the new filesystem
+ __gcov_flush();
+
+ if (chroot(oroot) == -1)
+ errExit("chroot");
+
+ // mount a new proc filesystem
+ if (arg_debug)
+ printf("Mounting /proc filesystem representing the PID namespace\n");
+ if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+ errExit("mounting /proc");
+
+ // update /var directory in order to support multiple sandboxes running on the same root directory
+// if (!arg_private_dev)
+// fs_dev_shm();
+ fs_var_lock();
+ if (!arg_keep_var_tmp)
+ fs_var_tmp();
+ if (!arg_writable_var_log)
+ fs_var_log();
+ fs_var_lib();
+ fs_var_cache();
+ fs_var_utmp();
+ fs_machineid();
+
+ // don't leak user information
+ restrict_users();
+
+ // when starting as root, firejail config is not disabled;
+ if (getuid() != 0)
+ disable_config();
+
+ // cleanup and exit
+ free(option);
+ free(odiff);
+ free(owork);
+ free(dev);
+ free(run);
+ free(tmp);
+}
+
+
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+ (void) sb;
+ (void) typeflag;
+ (void) ftwbuf;
+ assert(fpath);
+
+ if (strcmp(fpath, ".") == 0) // rmdir would fail with EINVAL
+ return 0;
+
+ if (remove(fpath)) { // removes the link not the actual file
+ fprintf(stderr, "Error: cannot remove file: %s\n", strerror(errno));
+ exit(1);
+ }
+
+ return 0;
+}
+
+int remove_overlay_directory(void) {
+ EUID_ASSERT();
+ sleep(1);
+
+ char *path;
+ if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+
+ if (access(path, F_OK) == 0) {
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // open ~/.firejail
+ int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+ if (fd == -1) {
+ fprintf(stderr, "Error: cannot open %s\n", path);
+ exit(1);
+ }
+ struct stat s;
+ if (fstat(fd, &s) == -1)
+ errExit("fstat");
+ if (!S_ISDIR(s.st_mode)) {
+ if (S_ISLNK(s.st_mode))
+ fprintf(stderr, "Error: %s is a symbolic link\n", path);
+ else
+ fprintf(stderr, "Error: %s is not a directory\n", path);
+ exit(1);
+ }
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+ exit(1);
+ }
+ // chdir to ~/.firejail
+ if (fchdir(fd) == -1)
+ errExit("fchdir");
+ close(fd);
+
+ EUID_ROOT();
+ // FTW_PHYS - do not follow symbolic links
+ if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
+ errExit("nftw");
+
+ EUID_USER();
+ // remove ~/.firejail
+ if (rmdir(path) == -1)
+ errExit("rmdir");
+
+ __gcov_flush();
+
+ _exit(0);
+ }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
+ // check if ~/.firejail was deleted
+ if (access(path, F_OK) == 0)
+ return 1;
+ }
+ return 0;
+}
+
+#endif // HAVE_OVERLAYFS
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_trace.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,25 +20,31 @@
#include "firejail.h"
#include <sys/mount.h>
#include <sys/stat.h>
-#include <linux/limits.h>
#include <glob.h>
#include <dirent.h>
#include <fcntl.h>
#include <pwd.h>
-void fs_trace_preload(void) {
+// create an empty /etc/ld.so.preload
+void fs_trace_touch_preload(void) {
+ create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+}
+
+void fs_trace_touch_or_store_preload(void) {
struct stat s;
- // create an empty /etc/ld.so.preload
- if (stat("/etc/ld.so.preload", &s)) {
- if (arg_debug)
- printf("Creating an empty /etc/ld.so.preload file\n");
- FILE *fp = fopen("/etc/ld.so.preload", "wxe");
- if (!fp)
- errExit("fopen");
- SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
- fclose(fp);
- fs_logger("touch /etc/ld.so.preload");
+ if (stat("/etc/ld.so.preload", &s) != 0) {
+ fs_trace_touch_preload();
+ return;
+ }
+
+ if (s.st_size == 0)
+ return;
+
+ // create a copy of /etc/ld.so.preload
+ if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) {
+ fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n");
+ exit(1);
}
}
@@ -47,7 +53,7 @@
if (arg_debug)
printf("Creating an empty trace log file: %s\n", arg_tracefile);
EUID_USER();
- int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd == -1) {
perror("open");
fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -83,7 +89,7 @@
if (arg_debug)
printf("Create the new ld.so.preload file\n");
- FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we");
+ FILE *fp = fopen(RUN_LDPRELOAD_FILE, "ae");
if (!fp)
errExit("fopen");
const char *prefix = RUN_FIREJAIL_LIB_DIR;
@@ -100,7 +106,7 @@
fmessage("Post-exec seccomp protector enabled\n");
}
- SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
fclose(fp);
// mount the new preload file
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_var.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,7 +20,6 @@
#include "firejail.h"
#include <sys/mount.h>
#include <sys/stat.h>
-#include <linux/limits.h>
#include <glob.h>
#include <dirent.h>
#include <fcntl.h>
@@ -129,7 +128,7 @@
/* coverity[toctou] */
FILE *fp = fopen("/var/log/wtmp", "wxe");
if (fp) {
- SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+ SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
fclose(fp);
}
fs_logger("touch /var/log/wtmp");
@@ -137,7 +136,7 @@
// create an empty /var/log/btmp file
fp = fopen("/var/log/btmp", "wxe");
if (fp) {
- SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
+ SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
fclose(fp);
}
fs_logger("touch /var/log/btmp");
@@ -301,7 +300,7 @@
// read current utmp
struct utmp *u;
- struct utmp u_boot;
+ struct utmp u_boot = {0};
setutent();
while ((u = getutent()) != NULL) {
if (u->ut_type == BOOT_TIME) {
@@ -314,7 +313,7 @@
// save new utmp file
int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
(void) rv;
- SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+ SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
fclose(fp);
// mount the new utmp file
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_whitelist.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -49,21 +49,32 @@
exit(1);
}
-static int whitelist_mkpath(const char* path, mode_t mode) {
+static int whitelist_mkpath(const char *parentdir, const char *relpath, mode_t mode) {
+ // starting from top level directory
+ int parentfd = safer_openat(-1, parentdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+ if (parentfd < 0)
+ errExit("open");
+
+ // top level directory mount id
+ int mountid = get_mount_id(parentfd);
+ if (mountid < 0) {
+ close(parentfd);
+ return -1;
+ }
+
// work on a copy of the path
- char *dup = strdup(path);
+ char *dup = strdup(relpath);
if (!dup)
errExit("strdup");
// only create leading directories, don't create the file
char *p = strrchr(dup, '/');
- assert(p);
+ if (!p) { // nothing to do
+ free(dup);
+ return parentfd;
+ }
*p = '\0';
- int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC);
- if (parentfd == -1)
- errExit("open");
-
// traverse the path, return -1 if a symlink is encountered
int fd = -1;
int done = 0;
@@ -91,29 +102,50 @@
free(dup);
return -1;
}
+ // different mount id indicates earlier whitelist mount
+ if (get_mount_id(fd) != mountid) {
+ if (arg_debug || arg_debug_whitelists)
+ printf("Debug %d: whitelisted already\n", __LINE__);
+ close(parentfd);
+ close(fd);
+ free(dup);
+ return -1;
+ }
// move on to next path segment
close(parentfd);
parentfd = fd;
tok = strtok(NULL, "/");
}
- if (done)
- fs_logger2("mkpath", path);
+ if (done) {
+ char *abspath;
+ if (asprintf(&abspath, "%s/%s", parentdir, relpath) < 0)
+ errExit("asprintf");
+ fs_logger2("mkpath", abspath);
+ free(abspath);
+ }
free(dup);
return fd;
}
-static void whitelist_file(int dirfd, const char *relpath, const char *path) {
- assert(relpath && path);
+static void whitelist_file(const TopDir * const top, const char *path) {
+ EUID_ASSERT();
+ assert(top && path);
+
+ // check if path is inside top level directory
+ size_t top_pathlen = strlen(top->path);
+ if (strncmp(top->path, path, top_pathlen) != 0 || path[top_pathlen] != '/')
+ return;
+ const char *relpath = path + top_pathlen + 1;
// open mount source, using a file descriptor that refers to the
// top level directory
// as the top level directory was opened before mounting the tmpfs
// we still have full access to all directory contents
- // take care to not follow symbolic links (dirfd was obtained without
+ // take care to not follow symbolic links (top->fd was obtained without
// following a link, too)
- int fd = safer_openat(dirfd, relpath, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+ int fd = safer_openat(top->fd, relpath, O_PATH|O_NOFOLLOW|O_CLOEXEC);
if (fd == -1) {
if (arg_debug || arg_debug_whitelists)
printf("Debug %d: skip whitelist %s\n", __LINE__, path);
@@ -129,36 +161,31 @@
return;
}
+ // now modify the tmpfs:
// create mount target as root, except if inside home or run/user/$UID directory
- int userprivs = 0;
- if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') ||
- (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) {
- EUID_USER();
- userprivs = 1;
- }
+ if (strcmp(top->path, cfg.homedir) != 0 &&
+ strcmp(top->path, runuser) != 0)
+ EUID_ROOT();
// create path of the mount target
- int fd2 = whitelist_mkpath(path, 0755);
+ int fd2 = whitelist_mkpath(top->path, relpath, 0755);
if (fd2 == -1) {
- // something went wrong during path creation or a symlink was found;
- // if there is a symlink somewhere in the path of the mount target,
- // assume the file is whitelisted already
if (arg_debug || arg_debug_whitelists)
printf("Debug %d: skip whitelist %s\n", __LINE__, path);
close(fd);
- if (userprivs)
- EUID_ROOT();
+ EUID_USER();
return;
}
// get file name of the mount target
- const char *file = gnu_basename(path);
+ const char *file = gnu_basename(relpath);
- // create mount target itself and open it, a symlink is rejected
+ // create mount target itself if necessary
+ // and open it, a symlink is not allowed
int fd3 = -1;
if (S_ISDIR(s.st_mode)) {
- // directory foo can exist already:
- // firejail --whitelist=~/foo/bar --whitelist=~/foo
+ // directory bar can exist already:
+ // firejail --whitelist=/foo/bar/baz --whitelist=/foo/bar
if (mkdirat(fd2, file, 0755) == -1 && errno != EEXIST) {
if (arg_debug || arg_debug_whitelists) {
perror("mkdir");
@@ -166,15 +193,14 @@
}
close(fd);
close(fd2);
- if (userprivs)
- EUID_ROOT();
+ EUID_USER();
return;
}
fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
}
else
- // create an empty file, fails with EEXIST if it is whitelisted already:
- // firejail --whitelist=/foo --whitelist=/foo/bar
+ // create an empty file
+ // fails with EEXIST if it is whitelisted already
fd3 = openat(fd2, file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR|S_IWUSR);
if (fd3 == -1) {
@@ -184,19 +210,17 @@
}
close(fd);
close(fd2);
- if (userprivs)
- EUID_ROOT();
+ EUID_USER();
return;
}
-
close(fd2);
- if (userprivs)
- EUID_ROOT();
if (arg_debug || arg_debug_whitelists)
printf("Whitelisting %s\n", path);
+ EUID_ROOT();
if (bind_mount_by_fd(fd, fd3))
errExit("mount bind");
+ EUID_USER();
// check the last mount operation
MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
#ifdef TEST_MOUNTINFO
@@ -218,28 +242,32 @@
fs_logger2("whitelist", path);
}
-static void whitelist_symlink(const char *link, const char *target) {
- assert(link && target);
+static void whitelist_symlink(const TopDir * const top, const char *link, const char *target) {
+ EUID_ASSERT();
+ assert(top && link && target);
- // create files as root, except if inside home or run/user/$UID directory
- int userprivs = 0;
- if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') ||
- (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) {
- EUID_USER();
- userprivs = 1;
- }
+ // confirm link is inside top level directory
+ // this should never fail
+ size_t top_pathlen = strlen(top->path);
+ assert(strncmp(top->path, link, top_pathlen) == 0 && link[top_pathlen] == '/');
+
+ const char *relpath = link + top_pathlen + 1;
+
+ // create link as root, except if inside home or run/user/$UID directory
+ if (strcmp(top->path, cfg.homedir) != 0 &&
+ strcmp(top->path, runuser) != 0)
+ EUID_ROOT();
- int fd = whitelist_mkpath(link, 0755);
+ int fd = whitelist_mkpath(top->path, relpath, 0755);
if (fd == -1) {
if (arg_debug || arg_debug_whitelists)
printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
- if (userprivs)
- EUID_ROOT();
+ EUID_USER();
return;
}
// get file name of symlink
- const char *file = gnu_basename(link);
+ const char *file = gnu_basename(relpath);
// create the link
if (symlinkat(target, fd, file) == -1) {
@@ -252,8 +280,7 @@
printf("Created symbolic link %s -> %s\n", link, target);
close(fd);
- if (userprivs)
- EUID_ROOT();
+ EUID_USER();
}
static void globbing(const char *pattern) {
@@ -295,7 +322,7 @@
}
// mount tmpfs on all top level directories
-static void tmpfs_topdirs(const TopDir *topdirs) {
+static void tmpfs_topdirs(const TopDir * const topdirs) {
int tmpfs_home = 0;
int tmpfs_runuser = 0;
@@ -330,55 +357,61 @@
// init tmpfs
if (strcmp(topdirs[i].path, "/run") == 0) {
// restore /run/firejail directory
- if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1)
- errExit("mkdir");
+ EUID_ROOT();
+ mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0);
if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
errExit("mount bind");
+ EUID_USER();
close(fd);
fs_logger2("whitelist", RUN_FIREJAIL_DIR);
// restore /run/user/$UID directory
- // get path relative to /run
- const char *rel = runuser + 5;
- whitelist_file(topdirs[i].fd, rel, runuser);
+ whitelist_file(&topdirs[i], runuser);
}
else if (strcmp(topdirs[i].path, "/tmp") == 0) {
// fix pam-tmpdir (#2685)
const char *env = env_get("TMP");
if (env) {
- char *pamtmpdir;
- if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+ // we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151
+ char *pamtmpdir1;
+ if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1)
+ errExit("asprintf");
+ char *pamtmpdir2;
+ if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1)
errExit("asprintf");
- if (strcmp(env, pamtmpdir) == 0) {
+ if (strcmp(env, pamtmpdir1) == 0) {
// create empty user-owned /tmp/user/$UID directory
- mkdir_attr("/tmp/user", 0711, 0, 0);
+ EUID_ROOT();
+ mkdir_attr("/tmp/user", 0755, 0, 0);
selinux_relabel_path("/tmp/user", "/tmp/user");
fs_logger("mkdir /tmp/user");
- mkdir_attr(pamtmpdir, 0700, getuid(), 0);
- selinux_relabel_path(pamtmpdir, pamtmpdir);
- fs_logger2("mkdir", pamtmpdir);
+ mkdir_attr(pamtmpdir1, 0700, getuid(), 0);
+ selinux_relabel_path(pamtmpdir1, pamtmpdir1);
+ fs_logger2("mkdir", pamtmpdir1);
+ EUID_USER();
}
- free(pamtmpdir);
+ else if (strcmp(env, pamtmpdir2) == 0) {
+ // create empty user-owned /tmp/$UID directory
+ EUID_ROOT();
+ mkdir_attr(pamtmpdir2, 0700, getuid(), 0);
+ selinux_relabel_path(pamtmpdir2, pamtmpdir2);
+ fs_logger2("mkdir", pamtmpdir2);
+ EUID_USER();
+ }
+ free(pamtmpdir1);
+ free(pamtmpdir2);
}
}
// restore user home directory if it is masked by the tmpfs
// creates path owned by root
// does nothing if user home directory doesn't exist
- size_t topdir_len = strlen(topdirs[i].path);
- if (strncmp(topdirs[i].path, cfg.homedir, topdir_len) == 0 && cfg.homedir[topdir_len] == '/') {
- // get path relative to top level directory
- const char *rel = cfg.homedir + topdir_len + 1;
- whitelist_file(topdirs[i].fd, rel, cfg.homedir);
- }
+ whitelist_file(&topdirs[i], cfg.homedir);
}
// user home directory
- if (tmpfs_home) {
- EUID_USER();
+ if (tmpfs_home)
fs_private(); // checks owner if outside /home
- EUID_ROOT();
- }
// /run/user/$UID directory
if (tmpfs_runuser) {
@@ -402,6 +435,7 @@
// keep track of whitelist top level directories by adding them to an array
// open each directory
static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
+ EUID_ASSERT();
assert(dir && path);
// /proc and /sys are not allowed
@@ -516,6 +550,8 @@
}
void fs_whitelist(void) {
+ EUID_ASSERT();
+
ProfileEntry *entry = cfg.profile;
if (!entry)
return;
@@ -536,7 +572,6 @@
errExit("calloc");
// verify whitelist files, extract symbolic links, etc.
- EUID_USER();
while (entry) {
int nowhitelist_flag = 0;
@@ -587,10 +622,6 @@
if (strstr(new_name, ".."))
whitelist_error(new_name);
- // /run/firejail is not allowed
- if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
- whitelist_error(new_name);
-
TopDir *current_top = NULL;
if (!nowhitelist_flag) {
// extract whitelist top level directory
@@ -612,6 +643,13 @@
free(dir);
}
+ // /run/firejail directory is internal and not allowed
+ if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) {
+ entry = entry->next;
+ free(new_name);
+ continue;
+ }
+
// extract resolved path of the file
// realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission
// special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr
@@ -630,7 +668,7 @@
if (!fname) {
if (arg_debug || arg_debug_whitelists) {
printf("Removed path: %s\n", entry->data);
- printf("\texpanded: %s\n", new_name);
+ printf("\tnew_name: %s\n", new_name);
printf("\trealpath: (null)\n");
printf("\t%s\n", strerror(errno));
}
@@ -648,9 +686,13 @@
continue;
}
- // /run/firejail is not allowed
- if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
- whitelist_error(fname);
+ // /run/firejail directory is internal and not allowed
+ if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) {
+ entry = entry->next;
+ free(new_name);
+ free(fname);
+ continue;
+ }
if (nowhitelist_flag) {
// store the path in nowhitelist array
@@ -708,11 +750,7 @@
entry = entry->next;
}
- // release nowhitelist memory
- free(nowhitelist);
-
// mount tmpfs on all top level directories
- EUID_ROOT();
tmpfs_topdirs(topdirs);
// go through profile rules again, and interpret whitelist commands
@@ -721,24 +759,15 @@
if (entry->wparam) {
char *file = entry->wparam->file;
char *link = entry->wparam->link;
- const char *topdir = entry->wparam->top->path;
- size_t topdir_len = strlen(topdir);
- int dirfd = entry->wparam->top->fd;
+ const TopDir * const current_top = entry->wparam->top;
// top level directories of link and file can differ
- // whitelist the file only if it is in same top level directory
- if (strncmp(file, topdir, topdir_len) == 0 && file[topdir_len] == '/') {
- // get path relative to top level directory
- const char *rel = file + topdir_len + 1;
-
- if (arg_debug || arg_debug_whitelists)
- printf("Debug %d: file: %s; dirfd: %d; topdir: %s; rel: %s\n", __LINE__, file, dirfd, topdir, rel);
- whitelist_file(dirfd, rel, file);
- }
+ // will whitelist the file only if it is in same top level directory
+ whitelist_file(current_top, file);
// create the link if any
if (link) {
- whitelist_symlink(link, file);
+ whitelist_symlink(current_top, link, file);
free(link);
}
@@ -751,12 +780,15 @@
}
// release resources
- free(runuser);
-
size_t i;
+ for (i = 0; i < nowhitelist_c; i++)
+ free(nowhitelist[i]);
+ free(nowhitelist);
+
for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
free(topdirs[i].path);
close(topdirs[i].fd);
}
free(topdirs);
+ free(runuser);
}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/ids.c
^
|
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+
+static void ids_init(void) {
+ // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+ char *fname;
+ if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+ errExit("asprintf");
+
+ int rv = unlink(fname);
+ (void) rv;
+ int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+ if (fd < 0) {
+ fprintf(stderr, "Error: cannot create %s\n", fname);
+ exit(1);
+ }
+
+ // redirect output
+ close(STDOUT_FILENO);
+ if (dup(fd) != STDOUT_FILENO)
+ errExit("dup");
+ close(fd);
+
+ sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
+}
+
+static void ids_check(void) {
+ // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+ char *fname;
+ if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+ errExit("asprintf");
+
+ int fd = open(fname, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ exit(1);
+ }
+
+ // redirect input
+ close(STDIN_FILENO);
+ if (dup(fd) != STDIN_FILENO)
+ errExit("dup");
+ close(fd);
+
+ sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
+}
+
+void run_ids(int argc, char **argv) {
+ if (argc != 2) {
+ fprintf(stderr, "Error: only one IDS command expected\n");
+ exit(1);
+ }
+
+ EUID_ROOT();
+ struct stat s;
+ if (stat(VARDIR, &s)) // /var/lib/firejail
+ create_empty_dir_as_root(VARDIR, 0700);
+
+ if (strcmp(argv[1], "--ids-init") == 0)
+ ids_init();
+ else if (strcmp(argv[1], "--ids-check") == 0)
+ ids_check();
+ else
+ fprintf(stderr, "Error: unrecognized IDS command\n");
+
+ exit(0);
+}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/join.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -33,19 +33,16 @@
#define PR_SET_NO_NEW_PRIVS 38
#endif
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif
-
static int apply_caps = 0;
static uint64_t caps = 0;
static unsigned display = 0;
#define BUFLEN 4096
+
static void signal_handler(int sig){
flush_stdin();
- exit(sig);
+ exit(128 + sig);
}
static void install_handler(void) {
@@ -58,46 +55,6 @@
sigaction(SIGTERM, &sga, NULL);
}
-#ifdef HAVE_APPARMOR
-static void extract_apparmor(pid_t pid) {
- if (checkcfg(CFG_APPARMOR)) {
- EUID_USER();
- if (aa_is_enabled() == 1) {
- // get pid of next child process
- pid_t child;
- if (find_child(pid, &child) == 1)
- child = pid; // no child, proceed with current pid
-
- // get name of AppArmor profile
- char *fname;
- if (asprintf(&fname, "/proc/%d/attr/current", child) == -1)
- errExit("asprintf");
- EUID_ROOT();
- int fd = open(fname, O_RDONLY|O_CLOEXEC);
- EUID_USER();
- free(fname);
- if (fd == -1)
- goto errexit;
- char buf[BUFLEN];
- ssize_t rv = read(fd, buf, sizeof(buf) - 1);
- close(fd);
- if (rv < 0)
- goto errexit;
- buf[rv] = '\0';
- // process confined by Firejail's AppArmor policy?
- if (strncmp(buf, "firejail-default", 16) == 0)
- arg_apparmor = 1;
- }
- EUID_ROOT();
- }
- return;
-
-errexit:
- fprintf(stderr, "Error: cannot read /proc file\n");
- exit(1);
-}
-#endif // HAVE_APPARMOR
-
static void extract_x11_display(pid_t pid) {
char *fname;
if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
@@ -150,152 +107,115 @@
build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true);
}
-static void extract_nogroups(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1)
- errExit("asprintf");
+#if 0
+static int open_shell(void) {
+ EUID_ASSERT();
- struct stat s;
- if (stat(fname, &s) == -1) {
- free(fname);
- return;
+ if (arg_debug)
+ printf("Opening shell %s\n", cfg.usershell);
+ // file descriptor will leak if not opened with O_CLOEXEC !!
+ int fd = open(cfg.usershell, O_PATH|O_CLOEXEC);
+ if (fd == -1) {
+ fprintf(stderr, "Error: cannot open shell %s\n", cfg.usershell);
+ exit(1);
}
- arg_nogroups = 1;
- free(fname);
-}
-
-static void extract_nonewprivs(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_NONEWPRIVS_CFG) == -1)
+ // file descriptor needs to reach final fexecve
+ if (asprintf(&cfg.keep_fd, "%s,%d", cfg.keep_fd ? cfg.keep_fd : "", fd) == -1)
errExit("asprintf");
- struct stat s;
- if (stat(fname, &s) == -1) {
- free(fname);
- return;
- }
-
- arg_nonewprivs = 1;
- free(fname);
+ return fd;
}
+#endif
-static void extract_cpu(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1)
- errExit("asprintf");
-
+static void extract_nogroups(ProcessHandle sandbox) {
struct stat s;
- if (stat(fname, &s) == -1) {
- free(fname);
- return;
- }
- // there is a CPU_CFG file, load it!
- load_cpu(fname);
- free(fname);
+ if (process_rootfs_stat(sandbox, RUN_GROUPS_CFG, &s) == 0)
+ arg_nogroups = 1;
+ else if (errno != ENOENT)
+ errExit("stat");
}
-static void extract_cgroup(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1)
- errExit("asprintf");
-
+static void extract_nonewprivs(ProcessHandle sandbox) {
struct stat s;
- if (stat(fname, &s) == -1) {
- free(fname);
- return;
- }
- // there is a cgroup file CGROUP_CFG, load it!
- load_cgroup(fname);
- free(fname);
+ if (process_rootfs_stat(sandbox, RUN_NONEWPRIVS_CFG, &s) == 0)
+ arg_nonewprivs = 1;
+ else if (errno != ENOENT)
+ errExit("stat");
}
-static void extract_caps(pid_t pid) {
- // open stat file
- char *file;
- if (asprintf(&file, "/proc/%u/status", pid) == -1) {
- perror("asprintf");
- exit(1);
- }
- FILE *fp = fopen(file, "re");
- if (!fp)
- goto errexit;
+static void extract_caps(ProcessHandle sandbox) {
+ // open status file
+ FILE *fp = process_fopen(sandbox, "status");
char buf[BUFLEN];
- while (fgets(buf, BUFLEN - 1, fp)) {
+ while (fgets(buf, BUFLEN, fp)) {
if (strncmp(buf, "CapBnd:", 7) == 0) {
- char *ptr = buf + 7;
unsigned long long val;
- if (sscanf(ptr, "%llx", &val) != 1)
+ if (sscanf(buf + 7, "%llx", &val) != 1)
goto errexit;
apply_caps = 1;
caps = val;
}
else if (strncmp(buf, "NoNewPrivs:", 11) == 0) {
- char *ptr = buf + 11;
int val;
- if (sscanf(ptr, "%d", &val) != 1)
+ if (sscanf(buf + 11, "%d", &val) != 1)
goto errexit;
if (val)
arg_nonewprivs = 1;
}
}
fclose(fp);
- free(file);
return;
errexit:
- fprintf(stderr, "Error: cannot read stat file for process %u\n", pid);
+ fprintf(stderr, "Error: cannot read /proc/%d/status\n", process_get_pid(sandbox));
exit(1);
}
-static void extract_user_namespace(pid_t pid) {
+static void extract_user_namespace(ProcessHandle sandbox) {
// test user namespaces available in the kernel
- struct stat s1;
- struct stat s2;
- struct stat s3;
- if (stat("/proc/self/ns/user", &s1) == 0 &&
- stat("/proc/self/uid_map", &s2) == 0 &&
- stat("/proc/self/gid_map", &s3) == 0);
- else
+ struct stat self_userns;
+ if (stat("/proc/self/ns/user", &self_userns) != 0)
return;
- // read uid map
- char *uidmap;
- if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1)
- errExit("asprintf");
- FILE *fp = fopen(uidmap, "re");
- if (!fp) {
- free(uidmap);
- return;
- }
+ // check sandbox user namespace
+ struct stat dest_userns;
+ process_stat(sandbox, "ns/user", &dest_userns);
- // check uid map
- int u1;
- int u2;
- if (fscanf(fp, "%d %d", &u1, &u2) == 2) {
- if (arg_debug)
- printf("User namespace detected: %s, %d, %d\n", uidmap, u1, u2);
- if (u1 != 0 || u2 != 0)
- arg_noroot = 1;
- }
- fclose(fp);
- free(uidmap);
+ if (dest_userns.st_ino != self_userns.st_ino ||
+ dest_userns.st_dev != self_userns.st_dev)
+ arg_noroot = 1;
}
-static void extract_umask(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_UMASK_FILE) == -1)
- errExit("asprintf");
+static void extract_cpu(ProcessHandle sandbox) {
+ int fd = process_rootfs_open(sandbox, RUN_CPU_CFG);
+ if (fd < 0)
+ return; // not configured
- FILE *fp = fopen(fname, "re");
- free(fname);
- if (!fp) {
+ FILE *fp = fdopen(fd, "r");
+ if (!fp)
+ errExit("fdopen");
+
+ unsigned tmp;
+ if (fscanf(fp, "%x", &tmp) == 1)
+ cfg.cpus = (uint32_t) tmp;
+ fclose(fp);
+}
+
+static void extract_umask(ProcessHandle sandbox) {
+ int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE);
+ if (fd < 0) {
fprintf(stderr, "Error: cannot open umask file\n");
exit(1);
}
+
+ FILE *fp = fdopen(fd, "r");
+ if (!fp)
+ errExit("fdopen");
+
if (fscanf(fp, "%3o", &orig_umask) != 1) {
fprintf(stderr, "Error: cannot read umask\n");
exit(1);
@@ -303,33 +223,11 @@
fclose(fp);
}
-static int open_shell(void) {
- EUID_ASSERT();
- assert(cfg.shell);
-
- if (arg_debug)
- printf("Opening shell %s\n", cfg.shell);
- // file descriptor will leak if not opened with O_CLOEXEC !!
- int fd = open(cfg.shell, O_PATH|O_CLOEXEC);
- if (fd == -1) {
- fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell);
- exit(1);
- }
- return fd;
-}
-
-// return false if the sandbox identified by pid is not fully set up yet or if
-// it is no firejail sandbox at all, return true if the sandbox is complete
-bool is_ready_for_join(const pid_t pid) {
- EUID_ASSERT();
+// returns false if the sandbox is not fully set up yet,
+// or true if the sandbox is complete
+static bool has_join_file(ProcessHandle sandbox) {
// check if a file /run/firejail/mnt/join exists
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_JOIN_FILE) == -1)
- errExit("asprintf");
- EUID_ROOT();
- int fd = open(fname, O_RDONLY|O_CLOEXEC);
- EUID_USER();
- free(fname);
+ int fd = process_rootfs_open(sandbox, RUN_JOIN_FILE);
if (fd == -1)
return false;
struct stat s;
@@ -349,105 +247,201 @@
}
#define SNOOZE 10000 // sleep interval in microseconds
-void check_join_permission(pid_t pid) {
+static void check_joinable(ProcessHandle sandbox) {
// check if pid belongs to a fully set up firejail sandbox
unsigned long i;
- for (i = SNOOZE; is_ready_for_join(pid) == false; i += SNOOZE) { // give sandbox some time to start up
+ for (i = SNOOZE; has_join_file(sandbox) == false; i += SNOOZE) { // give sandbox some time to start up
if (i > join_timeout) {
fprintf(stderr, "Error: no valid sandbox\n");
exit(1);
}
usleep(SNOOZE);
}
- // check privileges for non-root users
- uid_t uid = getuid();
- if (uid != 0) {
- uid_t sandbox_uid = pid_get_uid(pid);
- if (uid != sandbox_uid) {
- fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
- exit(1);
- }
+}
+
+static ProcessHandle find_pidns_parent(pid_t pid) {
+ // identify current pid namespace
+ struct stat self_pidns;
+ if (stat("/proc/self/ns/pid", &self_pidns) < 0)
+ errExit("stat");
+
+ ProcessHandle process = pin_process(pid);
+
+ // in case pid is member of a different pid namespace
+ // find parent who created that namespace
+ while (1) {
+ struct stat dest_pidns;
+ process_stat(process, "ns/pid", &dest_pidns);
+
+ if (dest_pidns.st_ino == self_pidns.st_ino &&
+ dest_pidns.st_dev == self_pidns.st_dev)
+ break; // always true for init process
+
+ // next parent process
+ ProcessHandle next = pin_parent_process(process);
+ unpin_process(process);
+ process = next;
}
+
+ return process;
}
-pid_t switch_to_child(pid_t pid) {
- EUID_ASSERT();
- EUID_ROOT();
- pid_t rv = pid;
- errno = 0;
- char *comm = pid_proc_comm(pid);
- if (!comm) {
- if (errno == ENOENT)
- fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
- else
- fprintf(stderr, "Error: cannot read /proc file\n");
+static void check_firejail_comm(ProcessHandle process) {
+ // open /proc/pid/comm
+ // note: comm value is under control of the target process
+ FILE *fp = process_fopen(process, "comm");
+
+ char comm[16];
+ if (fscanf(fp, "%15s", comm) != 1) {
+ fprintf(stderr, "Error: cannot read /proc file\n");
exit(1);
}
- EUID_USER();
+ fclose(fp);
- if (strcmp(comm, "firejail") == 0) {
- if (find_child(pid, &rv) == 1) {
- fprintf(stderr, "Error: no valid sandbox\n");
- exit(1);
- }
- fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) rv);
+ if (strcmp(comm, "firejail") != 0) {
+ fprintf(stderr, "Error: no valid sandbox\n");
+ exit(1);
+ }
+
+ return;
+}
+
+static void check_firejail_credentials(ProcessHandle process) {
+ // open /proc/pid/status
+ FILE *fp = process_fopen(process, "status");
+
+ uid_t ruid = -1;
+ uid_t suid = -1;
+ char buf[4096];
+ while (fgets(buf, sizeof(buf), fp)) {
+ if (sscanf(buf, "Uid: %u %*u %u", &ruid, &suid) == 2)
+ break;
}
- free(comm);
- return rv;
+ fclose(fp);
+
+ // target process should be privileged and owned by the user
+ if (suid != 0)
+ goto errexit;
+ uid_t u = getuid();
+ if (ruid != u && u != 0)
+ goto errexit;
+
+ return;
+
+errexit:
+ fprintf(stderr, "Error: no valid sandbox\n");
+ exit(1);
}
+static pid_t read_sandbox_pidfile(pid_t parent) {
+ char *pidfile;
+ if (asprintf(&pidfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, parent) == -1)
+ errExit("asprintf");
+
+ // open the pidfile
+ EUID_ROOT();
+ int pidfile_fd = open(pidfile, O_RDWR|O_CLOEXEC);
+ free(pidfile);
+ EUID_USER();
+ if (pidfile_fd < 0)
+ goto errexit;
+ // assume pidfile is outdated if parent doesn't hold a lock
+ struct flock pidfile_lock = {
+ .l_type = F_WRLCK,
+ .l_whence = SEEK_SET,
+ .l_start = 0,
+ .l_len = 0,
+ .l_pid = 0,
+ };
+ if (fcntl(pidfile_fd, F_GETLK, &pidfile_lock) < 0)
+ errExit("fcntl");
+ if (pidfile_lock.l_type == F_UNLCK)
+ goto errexit;
+ if (pidfile_lock.l_pid != parent)
+ goto errexit;
-void join(pid_t pid, int argc, char **argv, int index) {
+ // read pidfile
+ pid_t sandbox;
+ FILE *fp = fdopen(pidfile_fd, "r");
+ if (!fp)
+ errExit("fdopen");
+ if (fscanf(fp, "%d", &sandbox) != 1)
+ goto errexit;
+ fclose(fp);
+
+ return sandbox;
+
+errexit:
+ fprintf(stderr, "Error: no valid sandbox\n");
+ exit(1);
+}
+
+static ProcessHandle switch_to_sandbox(ProcessHandle parent) {
+ // firejail forks many children, identify the sandbox child
+ // using a pidfile created by the sandbox parent
+ pid_t pid = read_sandbox_pidfile(process_get_pid(parent));
+
+ // pin the sandbox child
+ fmessage("Switching to pid %d, the first child process inside the sandbox\n", pid);
+ ProcessHandle sandbox = pin_child_process(parent, pid);
+
+ return sandbox;
+}
+
+ProcessHandle pin_sandbox_process(pid_t pid) {
EUID_ASSERT();
- pid_t parent = pid;
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
+ ProcessHandle parent = find_pidns_parent(pid);
+ check_firejail_comm(parent);
+ check_firejail_credentials(parent);
+
+ ProcessHandle sandbox = switch_to_sandbox(parent);
+ check_joinable(sandbox);
+
+ unpin_process(parent);
+ return sandbox;
+}
+
+
- // exit if no permission to join the sandbox
- check_join_permission(pid);
+void join(pid_t pid, int argc, char **argv, int index) {
+ EUID_ASSERT();
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- extract_x11_display(parent);
+ extract_x11_display(pid);
int shfd = -1;
- if (!arg_shell_none)
- shfd = open_shell();
+// Note: this might be used by joining appimages!!!!
+// if (!arg_shell_none)
+// shfd = open_shell();
- EUID_ROOT();
- // in user mode set caps seccomp, cpu, cgroup, etc
+ // in user mode set caps seccomp, cpu etc.
if (getuid() != 0) {
- extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps
- extract_caps(pid);
- extract_cpu(pid);
- extract_cgroup(pid);
- extract_nogroups(pid);
- extract_user_namespace(pid);
- extract_umask(pid);
-#ifdef HAVE_APPARMOR
- extract_apparmor(pid);
-#endif
+ extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps
+ extract_caps(sandbox);
+ extract_cpu(sandbox);
+ extract_nogroups(sandbox);
+ extract_user_namespace(sandbox);
+ extract_umask(sandbox);
}
- // set cgroup
- if (cfg.cgroup) // not available for uid 0
- set_cgroup(cfg.cgroup);
-
// join namespaces
+ EUID_ROOT();
if (arg_join_network) {
- if (join_namespace(pid, "net"))
+ if (process_join_namespace(sandbox, "net"))
exit(1);
}
else if (arg_join_filesystem) {
- if (join_namespace(pid, "mnt"))
+ if (process_join_namespace(sandbox, "mnt"))
exit(1);
}
else {
- if (join_namespace(pid, "ipc") ||
- join_namespace(pid, "net") ||
- join_namespace(pid, "pid") ||
- join_namespace(pid, "uts") ||
- join_namespace(pid, "mnt"))
+ if (process_join_namespace(sandbox, "ipc") ||
+ process_join_namespace(sandbox, "net") ||
+ process_join_namespace(sandbox, "pid") ||
+ process_join_namespace(sandbox, "uts") ||
+ process_join_namespace(sandbox, "mnt"))
exit(1);
}
@@ -458,42 +452,25 @@
// drop discretionary access control capabilities for root sandboxes
caps_drop_dac_override();
- // chroot into /proc/PID/root directory
- char *rootdir;
- if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
- errExit("asprintf");
-
- int rv;
if (!arg_join_network) {
- rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option
- if (rv == 0)
- printf("changing root to %s\n", rootdir);
- }
-
- EUID_USER();
- if (chdir("/") < 0)
- errExit("chdir");
- if (cfg.homedir) {
- struct stat s;
- if (stat(cfg.homedir, &s) == 0) {
- /* coverity[toctou] */
- if (chdir(cfg.homedir) < 0)
- errExit("chdir");
- }
+ // mount namespace doesn't know about --chroot
+ fmessage("Changing root to /proc/%d/root\n", process_get_pid(sandbox));
+ process_rootfs_chroot(sandbox);
+
+ // load seccomp filters
+ if (getuid() != 0)
+ seccomp_load_file_list();
}
// set caps filter
- EUID_ROOT();
if (apply_caps == 1) // not available for uid 0
caps_set(caps);
- if (getuid() != 0)
- seccomp_load_file_list();
- // mount user namespace or drop privileges
+ // user namespace
if (arg_noroot) { // not available for uid 0
if (arg_debug)
printf("Joining user namespace\n");
- if (join_namespace(1, "user"))
+ if (process_join_namespace(sandbox, "user"))
exit(1);
// user namespace resets capabilities
@@ -501,15 +478,9 @@
if (apply_caps == 1) // not available for uid 0
caps_set(caps);
}
-
- // set nonewprivs
- if (arg_nonewprivs == 1) { // not available for uid 0
- int rv = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
- if (arg_debug && rv == 0)
- printf("NO_NEW_PRIVS set\n");
- }
-
EUID_USER();
+ unpin_process(sandbox);
+
int cwd = 0;
if (cfg.cwd) {
if (chdir(cfg.cwd) == 0)
@@ -529,22 +500,26 @@
}
}
+ // set nonewprivs
+#ifndef HAVE_FORCE_NONEWPRIVS
+ if (arg_nonewprivs == 1) // not available for uid 0
+#endif
+ {
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
+ errExit("prctl");
+ if (arg_debug)
+ printf("NO_NEW_PRIVS set\n");
+ }
+
// drop privileges
drop_privs(arg_nogroups);
// kill the child in case the parent died
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
-#ifdef HAVE_APPARMOR
- // add apparmor confinement after the execve
- set_apparmor();
-#endif
-
extract_command(argc, argv, index);
- if (cfg.command_line == NULL) {
- assert(cfg.shell);
- cfg.window_title = cfg.shell;
- }
+ if (cfg.command_line == NULL)
+ cfg.window_title = cfg.usershell;
else if (arg_debug)
printf("Extracted command #%s#\n", cfg.command_line);
@@ -552,10 +527,6 @@
if (cfg.cpus) // not available for uid 0
set_cpu_affinity();
- // set nice value
- if (arg_nice)
- set_nice(cfg.nice);
-
// add x11 display
if (display) {
char *display_str;
@@ -574,11 +545,13 @@
dbus_set_system_bus_env();
#endif
- start_application(0, shfd, NULL);
+ start_application(arg_join_network || arg_join_filesystem, shfd, NULL);
__builtin_unreachable();
}
EUID_USER();
+ unpin_process(sandbox);
+
if (shfd != -1)
close(shfd);
@@ -596,15 +569,17 @@
// end of signal-safe code
//*****************************
- flush_stdin();
if (WIFEXITED(status)) {
+ // if we had a proper exit, return that exit status
status = WEXITSTATUS(status);
} else if (WIFSIGNALED(status)) {
- status = WTERMSIG(status);
+ // distinguish fatal signals by adding 128
+ status = 128 + WTERMSIG(status);
} else {
- status = 0;
+ status = -1;
}
+ flush_stdin();
exit(status);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/ls.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -46,7 +46,8 @@
struct stat s;
if (stat(name, &s) == -1) {
if (lstat(name, &s) == -1) {
- printf("Error: cannot access %s\n", name);
+ printf("Error: cannot access %s\n", do_replace_cntrl_chars(name, '?'));
+ free(name);
return;
}
}
@@ -151,12 +152,17 @@
if (allocated)
free(groupname);
+ // file size
char *sz;
if (asprintf(&sz, "%d", (int) s.st_size) == -1)
errExit("asprintf");
- printf("%11.10s %s\n", sz, fname);
- free(sz);
+ // file name
+ char *fname_print = replace_cntrl_chars(fname, '?');
+
+ printf("%11.10s %s\n", sz, fname_print);
+ free(sz);
+ free(fname_print);
}
static void print_directory(const char *path) {
@@ -192,13 +198,15 @@
fprintf(stderr, "Error: cannot access %s\n", path);
exit(1);
}
+
+ // debug doesn't filter control characters currently
if (arg_debug)
printf("ls %s\n", rp);
// list directory contents
struct stat s;
if (stat(rp, &s) == -1) {
- fprintf(stderr, "Error: cannot access %s\n", rp);
+ fprintf(stderr, "Error: cannot access %s\n", do_replace_cntrl_chars(rp, '?'));
exit(1);
}
if (S_ISDIR(s.st_mode))
@@ -237,13 +245,13 @@
fprintf(stderr, "Error: %s is not a regular file\n", path);
exit(1);
}
- bool tty = isatty(STDOUT_FILENO);
+ int tty = isatty(STDOUT_FILENO);
int c;
while ((c = fgetc(fp)) != EOF) {
// file is untrusted
// replace control characters when printing to a terminal
- if (tty && c != '\t' && c != '\n' && iscntrl((unsigned char) c))
+ if (tty && iscntrl((unsigned char) c) && c != '\t' && c != '\n')
c = '?';
fputc(c, stdout);
}
@@ -278,11 +286,7 @@
EUID_ASSERT();
assert(path1);
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
-
- // exit if no permission to join the sandbox
- check_join_permission(pid);
+ ProcessHandle sandbox = pin_sandbox_process(pid);
// expand paths
char *fname1 = expand_path(path1);
@@ -305,43 +309,34 @@
}
// create destination file if necessary
EUID_ASSERT();
- int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
- if (fd == -1) {
+ int dest = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR);
+ if (dest == -1) {
fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
exit(1);
}
struct stat s;
- if (fstat(fd, &s) == -1)
+ if (fstat(dest, &s) == -1)
errExit("fstat");
if (!S_ISREG(s.st_mode)) {
- fprintf(stderr, "Error: %s is no regular file\n", dest_fname);
+ fprintf(stderr, "Error: %s is not a regular file\n", dest_fname);
exit(1);
}
- if (ftruncate(fd, 0) == -1)
+ if (ftruncate(dest, 0) == -1)
errExit("ftruncate");
// go quiet - messages on stdout will corrupt the file
arg_debug = 0;
arg_quiet = 1;
// redirection
- if (dup2(fd, STDOUT_FILENO) == -1)
+ if (dup2(dest, STDOUT_FILENO) == -1)
errExit("dup2");
- assert(fd != STDOUT_FILENO);
- close(fd);
+ close(dest);
op = SANDBOX_FS_CAT;
}
- // sandbox root directory
- char *rootdir;
- if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
- errExit("asprintf");
-
if (op == SANDBOX_FS_LS || op == SANDBOX_FS_CAT) {
- EUID_ROOT();
- // chroot
- if (chroot(rootdir) < 0)
- errExit("chroot");
- if (chdir("/") < 0)
- errExit("chdir");
+ // chroot into the sandbox
+ process_rootfs_chroot(sandbox);
+ unpin_process(sandbox);
// drop privileges
drop_privs(0);
@@ -350,95 +345,48 @@
ls(fname1);
else
cat(fname1);
-
- __gcov_flush();
}
// get file from host and store it in the sandbox
else if (op == SANDBOX_FS_PUT && path2) {
- char *src_fname =fname1;
+ char *src_fname = fname1;
char *dest_fname = fname2;
- EUID_ROOT();
- if (arg_debug)
- printf("copy %s to %s\n", src_fname, dest_fname);
-
- // create a user-owned temporary file in /run/firejail directory
- char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
- int fd = mkstemp(tmp_fname);
- if (fd == -1) {
- fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname);
+ EUID_ASSERT();
+ int src = open(src_fname, O_RDONLY|O_CLOEXEC);
+ if (src == -1) {
+ fprintf(stderr, "Error: cannot open %s for reading\n", src_fname);
exit(1);
}
- SET_PERMS_FD(fd, getuid(), getgid(), 0600);
- close(fd);
- // copy the source file into the temporary file - we need to chroot
- pid_t child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- // drop privileges
- drop_privs(0);
-
- // copy the file
- if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
- _exit(1);
-
- __gcov_flush();
-
- _exit(0);
- }
-
- // wait for the child to finish
- int status = 0;
- waitpid(child, &status, 0);
- if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
- else {
- unlink(tmp_fname);
+ // chroot into the sandbox
+ process_rootfs_chroot(sandbox);
+ unpin_process(sandbox);
+
+ // drop privileges
+ drop_privs(0);
+
+ int dest = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR);
+ if (dest == -1) {
+ fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
exit(1);
}
-
- // copy the temporary file into the destination file
- child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- // chroot
- if (chroot(rootdir) < 0)
- errExit("chroot");
- if (chdir("/") < 0)
- errExit("chdir");
-
- // drop privileges
- drop_privs(0);
-
- // copy the file
- if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
- _exit(1);
-
- __gcov_flush();
-
- _exit(0);
- }
-
- // wait for the child to finish
- status = 0;
- waitpid(child, &status, 0);
- if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
- else {
- unlink(tmp_fname);
+ struct stat s;
+ if (fstat(dest, &s) == -1)
+ errExit("fstat");
+ if (!S_ISREG(s.st_mode)) {
+ fprintf(stderr, "Error: %s is not a regular file\n", dest_fname);
exit(1);
}
+ if (ftruncate(dest, 0) == -1)
+ errExit("ftruncate");
- // remove the temporary file
- unlink(tmp_fname);
- EUID_USER();
+ if (copy_file_by_fd(src, dest) != 0)
+ fwarning("an error occured during copying\n");
+ close(src);
+ close(dest);
}
- if (fname2)
- free(fname2);
- free(fname1);
- free(rootdir);
+ __gcov_flush();
exit(0);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/macros.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,9 +22,11 @@
#define MAXBUF 4098
typedef struct macro_t {
- char *name; // macro name
+ char *name; // macro name
char *xdg; // xdg line in ~/.config/user-dirs.dirs
-#define MAX_TRANSLATIONS 3 // several translations in case ~/.config/user-dirs.dirs not found
+ // several translations in case ~/.config/user-dirs.dirs not found
+ // covered currently: English, Russian, French, Italian, Spanish, Portuguese, German
+#define MAX_TRANSLATIONS 7
char *translation[MAX_TRANSLATIONS];
} Macro;
@@ -32,37 +34,37 @@
{
"${DOWNLOADS}",
"XDG_DOWNLOAD_DIR=\"$HOME/",
- { "Downloads", "Загрузки", "Téléchargement" }
+ {"Downloads", "Загрузки", "Téléchargement", "Scaricati", "Descargas"}
},
{
"${MUSIC}",
"XDG_MUSIC_DIR=\"$HOME/",
- {"Music", "Музыка", "Musique"}
+ {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"}
},
{
"${VIDEOS}",
"XDG_VIDEOS_DIR=\"$HOME/",
- {"Videos", "Видео", "Vidéos"}
+ {"Videos", "Видео", "Vidéos", "Video", "Vídeos"}
},
{
"${PICTURES}",
"XDG_PICTURES_DIR=\"$HOME/",
- {"Pictures", "Изображения", "Photos"}
+ {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"}
},
{
"${DESKTOP}",
"XDG_DESKTOP_DIR=\"$HOME/",
- {"Desktop", "Рабочий стол", "Bureau"}
+ {"Desktop", "Рабочий стол", "Bureau", "Scrivania", "Escritorio", "Área de trabalho", "Schreibtisch"}
},
{
"${DOCUMENTS}",
"XDG_DOCUMENTS_DIR=\"$HOME/",
- {"Documents", "Документы", "Documents"}
+ {"Documents", "Документы", "Documenti", "Documentos", "Dokumente"}
},
{ 0 }
@@ -154,7 +156,7 @@
struct stat s;
int i = 0;
- while (entries[i] != NULL) {
+ while (i < MAX_TRANSLATIONS && entries[i] != NULL) {
if (asprintf(&fname, "%s/%s", cfg.homedir, entries[i]) == -1)
errExit("asprintf");
@@ -263,28 +265,6 @@
return rv;
}
-// replace control characters with a '?'
-static char *fix_control_chars(const char *fname) {
- assert(fname);
-
- size_t len = strlen(fname);
- char *rv = malloc(len + 1);
- if (!rv)
- errExit("malloc");
-
- size_t i = 0;
- while (fname[i] != '\0') {
- if (iscntrl((unsigned char) fname[i]))
- rv[i] = '?';
- else
- rv[i] = fname[i];
- i++;
- }
- rv[i] = '\0';
-
- return rv;
-}
-
void invalid_filename(const char *fname, int globbing) {
// EUID_ASSERT();
assert(fname);
@@ -302,24 +282,5 @@
return;
}
- size_t i = 0;
- while (ptr[i] != '\0') {
- if (iscntrl((unsigned char) ptr[i])) {
- char *new = fix_control_chars(fname);
- fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters allowed\n", new);
- exit(1);
- }
- i++;
- }
-
- char *reject;
- if (globbing)
- reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
- else
- reject = "\\&!?\"'<>%^{};,*[]";
- char *c = strpbrk(ptr, reject);
- if (c) {
- fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
- exit(1);
- }
+ reject_meta_chars(ptr, globbing);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -32,7 +32,8 @@
#include <dirent.h>
#include <pwd.h>
#include <errno.h>
-//#include <limits.h>
+
+#include <limits.h>
#include <sys/file.h>
#include <sys/prctl.h>
#include <signal.h>
@@ -104,7 +105,6 @@
char *arg_netfilter6_file = NULL; // netfilter6 file
char *arg_netns = NULL; // "ip netns"-created network namespace to use
int arg_doubledash = 0; // double dash
-int arg_shell_none = 0; // run the program directly without a shell
int arg_private_dev = 0; // private dev directory
int arg_keep_dev_shm = 0; // preserve /dev/shm
int arg_private_etc = 0; // private etc directory
@@ -119,6 +119,7 @@
int arg_nosound = 0; // disable sound
int arg_novideo = 0; //disable video devices in /dev
int arg_no3d; // disable 3d hardware acceleration
+int arg_noprinters = 0; // disable printers
int arg_quiet = 0; // no output for scripting
int arg_join_network = 0; // join only the network namespace
int arg_join_filesystem = 0; // join only the mount namespace
@@ -132,11 +133,13 @@
int arg_writable_var_log = 0; // writable /var/log
int arg_appimage = 0; // appimage
int arg_apparmor = 0; // apparmor
+char *apparmor_profile = NULL; // apparmor profile
+bool apparmor_replace = false; // apparmor profile
int arg_allow_debuggers = 0; // allow debuggers
int arg_x11_block = 0; // block X11
int arg_x11_xorg = 0; // use X11 security extension
int arg_allusers = 0; // all user home directories visible
-int arg_machineid = 0; // preserve /etc/machine-id
+int arg_machineid = 0; // spoof /etc/machine-id
int arg_allow_private_blacklist = 0; // blacklist things in private directories
int arg_disable_mnt = 0; // disable /mnt and /media
int arg_noprofile = 0; // use default.profile if none other found/specified
@@ -146,12 +149,17 @@
int arg_nou2f = 0; // --nou2f
int arg_noinput = 0; // --noinput
int arg_deterministic_exit_code = 0; // always exit with first child's exit status
+int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies
+int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox
DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
const char *arg_dbus_log_file = NULL;
int arg_dbus_log_user = 0;
int arg_dbus_log_system = 0;
+int arg_tab = 0;
int login_shell = 0;
+int just_run_the_shell = 0;
+int arg_netlock = 0;
int parent_to_child_fds[2];
int child_to_parent_fds[2];
@@ -189,13 +197,16 @@
logsignal(s);
if (waitpid(child, NULL, WNOHANG) == 0) {
- if (has_handler(child, s)) // signals are not delivered if there is no handler yet
+ // child is pid 1 of a pid namespace:
+ // signals are not delivered if there is no handler yet
+ if (has_handler(child, s))
kill(child, s);
else
kill(child, SIGKILL);
waitpid(child, NULL, 0);
}
- myexit(s);
+ release_sandbox_lock();
+ myexit(128 + s);
}
static void install_handler(void) {
@@ -238,6 +249,9 @@
cfg.username = strdup(pw->pw_name);
if (!cfg.username)
errExit("strdup");
+ cfg.usershell = strdup(pw->pw_shell);
+ if (!cfg.usershell)
+ errExit("strdup");
// check user database
if (!firejail_user_check(cfg.username)) {
@@ -331,7 +345,8 @@
static void exit_err_feature(const char *feature) {
- fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+ fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
+ feature, SYSCONFDIR "/firejail.config");
exit(1);
}
@@ -349,10 +364,7 @@
exit(0);
}
else if (strcmp(argv[i], "--version") == 0) {
- printf("firejail version %s\n", VERSION);
- printf("\n");
- print_compiletime_support();
- printf("\n");
+ print_version();
exit(0);
}
#ifdef HAVE_OVERLAYFS
@@ -403,6 +415,111 @@
}
#endif
#ifdef HAVE_NETWORK
+ else if (strcmp(argv[i], "--nettrace") == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --nettrace is only available to root user\n");
+ exit(1);
+ }
+ netfilter_trace(0, LIBDIR "/firejail/fnettrace");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+ else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --nettrace is only available to root user\n");
+ exit(1);
+ }
+ pid_t pid = require_pid(argv[i] + 11);
+ netfilter_trace(pid, LIBDIR "/firejail/fnettrace");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+ else if (strcmp(argv[i], "--dnstrace") == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --dnstrace is only available to root user\n");
+ exit(1);
+ }
+ netfilter_trace(0, LIBDIR "/firejail/fnettrace-dns");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+ else if (strncmp(argv[i], "--dnstrace=", 11) == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --dnstrace is only available to root user\n");
+ exit(1);
+ }
+ pid_t pid = require_pid(argv[i] + 11);
+ netfilter_trace(pid, LIBDIR "/firejail/fnettrace-dns");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+ else if (strcmp(argv[i], "--snitrace") == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --snitrace is only available to root user\n");
+ exit(1);
+ }
+ netfilter_trace(0, LIBDIR "/firejail/fnettrace-sni");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+ else if (strncmp(argv[i], "--snitrace=", 11) == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --snitrace is only available to root user\n");
+ exit(1);
+ }
+ pid_t pid = require_pid(argv[i] + 11);
+ netfilter_trace(pid, LIBDIR "/firejail/fnettrace-sni");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+
+
+ else if (strcmp(argv[i], "--icmptrace") == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --icmptrace is only available to root user\n");
+ exit(1);
+ }
+ netfilter_trace(0, LIBDIR "/firejail/fnettrace-icmp");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+ else if (strncmp(argv[i], "--icmptrace=", 12) == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: -icmptrace is only available to root user\n");
+ exit(1);
+ }
+ pid_t pid = require_pid(argv[i] + 12);
+ netfilter_trace(pid, LIBDIR "/firejail/fnettrace-icmp");
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
+
+
+
else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
if (checkcfg(CFG_NETWORK)) {
logargs(argc, argv);
@@ -613,8 +730,7 @@
#ifdef HAVE_NETWORK
else if (strcmp(argv[i], "--netstats") == 0) {
if (checkcfg(CFG_NETWORK)) {
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
+ if (pid_hidepid())
sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
2, PATH_FIREMON, "--netstats");
else
@@ -763,16 +879,9 @@
if (checkcfg(CFG_JOIN) || getuid() == 0) {
logargs(argc, argv);
- if (arg_shell_none) {
- if (argc <= (i+1)) {
- fprintf(stderr, "Error: --shell=none set, but no command specified\n");
- exit(1);
- }
- cfg.original_program_index = i + 1;
- }
-
- if (!cfg.shell && !arg_shell_none)
- cfg.shell = guess_shell();
+ if (argc <= (i+1))
+ just_run_the_shell = 1;
+ cfg.original_program_index = i + 1;
// join sandbox by pid or by name
pid_t pid = require_pid(argv[i] + 7);
@@ -789,20 +898,13 @@
if (checkcfg(CFG_JOIN) || getuid() == 0) {
logargs(argc, argv);
- if (arg_shell_none) {
- if (argc <= (i+1)) {
- fprintf(stderr, "Error: --shell=none set, but no command specified\n");
- exit(1);
- }
- cfg.original_program_index = i + 1;
- }
+ if (argc <= (i+1))
+ just_run_the_shell = 1;
+ cfg.original_program_index = i + 1;
// try to join by name only
pid_t pid;
if (!read_pid(argv[i] + 16, &pid)) {
- if (!cfg.shell && !arg_shell_none)
- cfg.shell = guess_shell();
-
join(pid, argc, argv, i + 1);
exit(0);
}
@@ -821,8 +923,9 @@
exit(1);
}
- if (!cfg.shell && !arg_shell_none)
- cfg.shell = guess_shell();
+ if (argc <= (i+1))
+ just_run_the_shell = 1;
+ cfg.original_program_index = i + 1;
// join sandbox by pid or by name
pid_t pid = require_pid(argv[i] + 15);
@@ -841,8 +944,9 @@
exit(1);
}
- if (!cfg.shell && !arg_shell_none)
- cfg.shell = guess_shell();
+ if (argc <= (i+1))
+ just_run_the_shell = 1;
+ cfg.original_program_index = i + 1;
// join sandbox by pid or by name
pid_t pid = require_pid(argv[i] + 18);
@@ -860,40 +964,6 @@
}
-char *guess_shell(void) {
- const char *shell;
- char *retval;
-
- shell = env_get("SHELL");
- if (shell) {
- invalid_filename(shell, 0); // no globbing
- if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
- strcmp(shell, PATH_FIREJAIL) != 0)
- goto found;
- }
-
- // shells in order of preference
- static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
-
- int i = 0;
- while (shells[i] != NULL) {
- // access call checks as real UID/GID, not as effective UID/GID
- if (access(shells[i], X_OK) == 0) {
- shell = shells[i];
- goto found;
- }
- i++;
- }
-
- return NULL;
-
- found:
- retval = strdup(shell);
- if (!retval)
- errExit("strdup");
- return retval;
-}
-
// return argument index
static int check_arg(int argc, char **argv, const char *argument, int strict) {
int i;
@@ -932,12 +1002,14 @@
if (setresuid(-1, getuid(), getuid()) != 0)
errExit("setresuid");
+ if (env_get("LD_PRELOAD") != NULL)
+ fprintf(stderr, "run_builder: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD"));
assert(env_get("LD_PRELOAD") == NULL);
assert(getenv("LD_PRELOAD") == NULL);
umask(orig_umask);
- // restore some environment variables
- env_apply_whitelist_sbox();
+ // restore original environment variables
+ env_apply_all();
argv[0] = LIBDIR "/firejail/fbuilder";
execvp(argv[0], argv);
@@ -980,136 +1052,61 @@
int prog_index = -1; // index in argv where the program command starts
int lockfd_network = -1;
int lockfd_directory = -1;
- int option_cgroup = 0;
int custom_profile = 0; // custom profile loaded
int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
char **ptr;
-#ifndef HAVE_SUID
- if (geteuid() != 0) {
- fprintf(stderr, "Error: Firejail needs to be SUID.\n");
- fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
- fprintf(stderr, " chmod u+s /usr/bin/firejail\n");
- }
-#endif
// sanitize the umask
orig_umask = umask(022);
- // check standard streams before printing anything
- fix_std_streams();
-
// drop permissions by default and rise them when required
EUID_INIT();
EUID_USER();
+ // check standard streams before opening any file
+ fix_std_streams();
+
// argument count should be larger than 0
if (argc == 0 || !argv || strlen(argv[0]) == 0) {
fprintf(stderr, "Error: argv is invalid\n");
exit(1);
} else if (argc >= MAX_ARGS) {
- fprintf(stderr, "Error: too many arguments\n");
+ fprintf(stderr, "Error: too many arguments: argc (%d) >= MAX_ARGS (%d)\n", argc, MAX_ARGS);
exit(1);
}
+ // sanity check for arguments
+ for (i = 0; i < argc; i++) {
+ if (strlen(argv[i]) >= MAX_ARG_LEN) {
+ fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN);
+ exit(1);
+ }
+ }
+
// Stash environment variables
for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
env_store(*ptr, SETENV);
// sanity check for environment variables
if (i >= MAX_ENVS) {
- fprintf(stderr, "Error: too many environment variables\n");
+ fprintf(stderr, "Error: too many environment variables: >= MAX_ENVS (%d)\n", MAX_ENVS);
exit(1);
}
- // sanity check for arguments
- for (i = 0; i < argc; i++) {
- if (*argv[i] == 0) {
- fprintf(stderr, "Error: too short arguments\n");
- exit(1);
- }
- if (strlen(argv[i]) >= MAX_ARG_LEN) {
- fprintf(stderr, "Error: too long arguments\n");
- exit(1);
- }
- }
-
// Reapply a minimal set of environment variables
env_apply_whitelist();
- // check if the user is allowed to use firejail
- init_cfg(argc, argv);
-
- // get starting timestamp, process --quiet
- timetrace_start();
+ // process --quiet
const char *env_quiet = env_get("FIREJAIL_QUIET");
if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
arg_quiet = 1;
- // cleanup at exit
- EUID_ROOT();
- atexit(clear_atexit);
-
- // build /run/firejail directory structure
- preproc_build_firejail_dir();
- const char *container_name = env_get("container");
- if (!container_name || strcmp(container_name, "firejail")) {
- lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
- if (lockfd_directory != -1) {
- int rv = fchown(lockfd_directory, 0, 0);
- (void) rv;
- flock(lockfd_directory, LOCK_EX);
- }
- preproc_clean_run();
- flock(lockfd_directory, LOCK_UN);
- close(lockfd_directory);
- }
- EUID_USER();
-
- // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
- // these paths are disabled in disable-common.inc
- if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
- if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
- profile_add("noblacklist /sbin");
- profile_add("noblacklist /usr/sbin");
- }
- }
-
- // for appimages we need to remove "include disable-shell.inc from the profile
- // a --profile command can show up before --appimage
- if (check_arg(argc, argv, "--appimage", 1))
- arg_appimage = 1;
-
- // process allow-debuggers
- if (check_arg(argc, argv, "--allow-debuggers", 1)) {
- // check kernel version
- struct utsname u;
- int rv = uname(&u);
- if (rv != 0)
- errExit("uname");
- int major;
- int minor;
- if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
- fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
- exit(1);
- }
- if (major < 4 || (major == 4 && minor < 8)) {
- fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
- "A bug in ptrace call allows a full bypass of the seccomp filter. "
- "Your current kernel version is %d.%d.\n", major, minor);
- exit(1);
- }
-
- arg_allow_debuggers = 1;
- char *cmd = strdup("noblacklist ${PATH}/strace");
- if (!cmd)
- errExit("strdup");
- profile_add(cmd);
- }
+ // check if the user is allowed to use firejail
+ init_cfg(argc, argv);
- // profile builder
- if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
- run_builder(argc, argv); // this function will not return
+ // get starting timestamp
+ timetrace_start();
// check argv[0] symlink wrapper if this is not a login shell
if (*argv[0] != '-')
@@ -1125,7 +1122,7 @@
EUID_USER();
if (rv == 0) {
if (check_arg(argc, argv, "--version", 1)) {
- printf("firejail version %s\n", VERSION);
+ print_version();
exit(0);
}
@@ -1134,15 +1131,53 @@
__builtin_unreachable();
}
}
- EUID_ASSERT();
+ // profile builder
+ if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
+ run_builder(argc, argv); // this function will not return
+
+ // intrusion detection system
+#ifdef HAVE_IDS
+ if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
+ run_ids(argc, argv); // this function will not return
+#else
+ if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
+ fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
+ "\tTo enable it, configure your build system using --enable-ids.\n"
+ "\tExample: ./configure --prefix=/usr --enable-ids\n\n");
+ exit(1);
+ }
+#endif
- // check firejail directories
EUID_ROOT();
- delete_run_files(sandbox_pid);
+#ifndef HAVE_SUID
+ if (geteuid() != 0) {
+ fprintf(stderr, "Error: Firejail needs to be SUID.\n");
+ fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
+ fprintf(stderr, " chmod u+s /usr/bin/firejail\n");
+ }
+#endif
+
+ // build /run/firejail directory structure
+ preproc_build_firejail_dir();
+ const char *container_name = env_get("container");
+ if (!container_name || strcmp(container_name, "firejail")) {
+ lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ if (lockfd_directory != -1) {
+ int rv = fchown(lockfd_directory, 0, 0);
+ (void) rv;
+ flock(lockfd_directory, LOCK_EX);
+ }
+ preproc_clean_run();
+ flock(lockfd_directory, LOCK_UN);
+ close(lockfd_directory);
+ }
+
+ delete_run_files(getpid());
+ atexit(clear_atexit);
EUID_USER();
- //check if the parent is sshd daemon
+ // check if the parent is sshd daemon
int parent_sshd = 0;
{
pid_t ppid = getppid();
@@ -1199,7 +1234,8 @@
}
EUID_ASSERT();
- // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
+ // is this a login shell, or a command passed by sshd,
+ // insert command line options from /etc/firejail/login.users
if (*argv[0] == '-' || parent_sshd) {
if (argc == 1)
login_shell = 1;
@@ -1251,10 +1287,56 @@
#endif
EUID_ASSERT();
- // check for force-nonewprivs in /etc/firejail/firejail.config file
+ // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+ // these paths are disabled in disable-common.inc
+ if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+ if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+ profile_add("noblacklist /sbin");
+ profile_add("noblacklist /usr/sbin");
+ }
+ }
+
+ // process allow-debuggers
+ if (check_arg(argc, argv, "--allow-debuggers", 1)) {
+ // check kernel version
+ struct utsname u;
+ int rv = uname(&u);
+ if (rv != 0)
+ errExit("uname");
+ int major;
+ int minor;
+ if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+ fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+ exit(1);
+ }
+ if (major < 4 || (major == 4 && minor < 8)) {
+ fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+ "A bug in ptrace call allows a full bypass of the seccomp filter. "
+ "Your current kernel version is %d.%d.\n", major, minor);
+ exit(1);
+ }
+
+ arg_allow_debuggers = 1;
+ char *cmd = strdup("noblacklist ${PATH}/strace");
+ if (!cmd)
+ errExit("strdup");
+ profile_add(cmd);
+ }
+
+ // for appimages we need to remove "include disable-shell.inc from the profile
+ // a --profile command can show up before --appimage
+ if (check_arg(argc, argv, "--appimage", 1))
+ arg_appimage = 1;
+
+ // load configuration file /etc/firejail/firejail.config
+ // and check for force-nonewprivs
if (checkcfg(CFG_FORCE_NONEWPRIVS))
arg_nonewprivs = 1;
+ // check oom
+ if ((i = check_arg(argc, argv, "--oom=", 0)) != 0)
+ oom_set(argv[i] + 6);
+
// parse arguments
for (i = 1; i < argc; i++) {
run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -1294,8 +1376,18 @@
// filtering
//*************************************
#ifdef HAVE_APPARMOR
- else if (strcmp(argv[i], "--apparmor") == 0)
+ else if (strcmp(argv[i], "--apparmor") == 0) {
+ arg_apparmor = 1;
+ apparmor_profile = "firejail-default";
+ }
+ else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+ arg_apparmor = 1;
+ apparmor_profile = argv[i] + 11;
+ }
+ else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
arg_apparmor = 1;
+ apparmor_replace = true;
+ }
#endif
else if (strncmp(argv[i], "--protocol=", 11) == 0) {
if (checkcfg(CFG_SECCOMP)) {
@@ -1407,6 +1499,20 @@
else
exit_err_feature("seccomp");
}
+ else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
+ if (checkcfg(CFG_SECCOMP))
+ profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+ else
+ exit_err_feature("seccomp");
+ }
+ else if (strncmp(argv[i], "--restrict-namespaces=", 22) == 0) {
+ if (checkcfg(CFG_SECCOMP)) {
+ const char *add = argv[i] + 22;
+ profile_list_augment(&cfg.restrict_namespaces, add);
+ }
+ else
+ exit_err_feature("seccomp");
+ }
else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) {
if (checkcfg(CFG_SECCOMP)) {
int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
@@ -1475,8 +1581,12 @@
arg_tracefile = tmp;
}
}
- else if (strcmp(argv[i], "--tracelog") == 0)
- arg_tracelog = 1;
+ else if (strcmp(argv[i], "--tracelog") == 0) {
+ if (checkcfg(CFG_TRACELOG))
+ arg_tracelog = 1;
+ else
+ exit_err_feature("tracelog");
+ }
else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
check_unsigned(argv[i] + 13, "Error: invalid rlimit");
sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);
@@ -1523,22 +1633,6 @@
cfg.nice = 0;
arg_nice = 1;
}
- else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
- if (checkcfg(CFG_CGROUP)) {
- if (option_cgroup) {
- fprintf(stderr, "Error: only a cgroup can be defined\n");
- exit(1);
- }
-
- option_cgroup = 1;
- cfg.cgroup = strdup(argv[i] + 9);
- if (!cfg.cgroup)
- errExit("strdup");
- set_cgroup(cfg.cgroup);
- }
- else
- exit_err_feature("cgroup");
- }
//*************************************
// filesystem
@@ -1565,6 +1659,7 @@
profile_check_line(line, 0, NULL); // will exit if something wrong
profile_add(line);
}
+
else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
char *line;
if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1581,19 +1676,13 @@
profile_check_line(line, 0, NULL); // will exit if something wrong
profile_add(line);
}
-
-#ifdef HAVE_WHITELIST
else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
- if (checkcfg(CFG_WHITELIST)) {
- char *line;
- if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
- errExit("asprintf");
+ char *line;
+ if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+ errExit("asprintf");
- profile_check_line(line, 0, NULL); // will exit if something wrong
- profile_add(line);
- }
- else
- exit_err_feature("whitelist");
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
}
else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
char *line;
@@ -1603,7 +1692,7 @@
profile_check_line(line, 0, NULL); // will exit if something wrong
profile_add(line);
}
-#endif
+
else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
char *line;
if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
@@ -1662,11 +1751,6 @@
fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
exit(1);
}
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
- }
arg_overlay = 1;
arg_overlay_keep = 1;
@@ -1690,11 +1774,6 @@
fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
exit(1);
}
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
- }
arg_overlay = 1;
arg_overlay_keep = 1;
arg_overlay_reuse = 1;
@@ -1726,11 +1805,6 @@
fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
exit(1);
}
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
- }
arg_overlay = 1;
}
else
@@ -1853,6 +1927,14 @@
}
profile_add_ignore(argv[i] + 9);
}
+ else if (strncmp(argv[i], "--keep-fd=", 10) == 0) {
+ if (strcmp(argv[i] + 10, "all") == 0)
+ arg_keep_fd_all = 1;
+ else {
+ const char *add = argv[i] + 10;
+ profile_list_augment(&cfg.keep_fd, add);
+ }
+ }
#ifdef HAVE_CHROOT
else if (strncmp(argv[i], "--chroot=", 9) == 0) {
if (checkcfg(CFG_CHROOT)) {
@@ -1861,11 +1943,6 @@
exit(1);
}
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n");
- exit(1);
- }
// extract chroot dirname
cfg.chrootdir = argv[i] + 9;
if (*cfg.chrootdir == '\0') {
@@ -2121,6 +2198,11 @@
arg_novideo = 1;
else if (strcmp(argv[i], "--no3d") == 0)
arg_no3d = 1;
+ else if (strcmp(argv[i], "--noprinters") == 0) {
+ arg_noprinters = 1;
+ profile_add("blacklist /dev/lp*");
+ profile_add("blacklist /run/cups/cups.sock");
+ }
else if (strcmp(argv[i], "--notv") == 0)
arg_notv = 1;
else if (strcmp(argv[i], "--nodvd") == 0)
@@ -2293,6 +2375,21 @@
continue;
}
#ifdef HAVE_NETWORK
+ else if (strcmp(argv[i], "--netlock") == 0) {
+ if (checkcfg(CFG_NETWORK))
+ arg_netlock = 1;
+ else
+ exit_err_feature("networking");
+ }
+ else if (strncmp(argv[i], "--netlock=", 10) == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ pid_t pid = require_pid(argv[i] + 10);
+ netfilter_netlock(pid);
+ }
+ else
+ exit_err_feature("networking");
+ exit(0);
+ }
else if (strncmp(argv[i], "--interface=", 12) == 0) {
if (checkcfg(CFG_NETWORK)) {
// checks
@@ -2598,7 +2695,7 @@
else if (cfg.dns4 == NULL)
cfg.dns4 = dns;
else {
- fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+ fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns);
free(dns);
}
}
@@ -2619,6 +2716,15 @@
if (checkcfg(CFG_NETWORK)) {
arg_netfilter = 1;
arg_netfilter_file = argv[i] + 12;
+
+ // expand tilde
+ if (*arg_netfilter_file == '~') {
+ char *tmp;
+ if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1)
+ errExit("asprintf");
+ arg_netfilter_file = tmp;
+ }
+
check_netfilter_file(arg_netfilter_file);
}
else
@@ -2629,6 +2735,15 @@
if (checkcfg(CFG_NETWORK)) {
arg_netfilter6 = 1;
arg_netfilter6_file = argv[i] + 13;
+
+ // expand tilde
+ if (*arg_netfilter6_file == '~') {
+ char *tmp;
+ if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1)
+ errExit("asprintf");
+ arg_netfilter6_file = tmp;
+ }
+
check_netfilter_file(arg_netfilter6_file);
}
else
@@ -2649,47 +2764,15 @@
//*************************************
else if (strncmp(argv[i], "--timeout=", 10) == 0)
cfg.timeout = extract_timeout(argv[i] + 10);
- else if (strcmp(argv[i], "--appimage") == 0)
- arg_appimage = 1;
- else if (strcmp(argv[i], "--shell=none") == 0) {
- arg_shell_none = 1;
- if (cfg.shell) {
- fprintf(stderr, "Error: a shell was already specified\n");
- return 1;
- }
+ else if (strcmp(argv[i], "--appimage") == 0) {
+ // already handled
+ }
+ else if (strncmp(argv[i], "--oom=", 6) == 0) {
+ // already handled
}
else if (strncmp(argv[i], "--shell=", 8) == 0) {
- if (arg_shell_none) {
- fprintf(stderr, "Error: --shell=none was already specified.\n");
- return 1;
- }
- invalid_filename(argv[i] + 8, 0); // no globbing
-
- if (cfg.shell) {
- fprintf(stderr, "Error: only one user shell can be specified\n");
- return 1;
- }
- cfg.shell = argv[i] + 8;
-
- if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
- fprintf(stderr, "Error: invalid shell\n");
- exit(1);
- }
-
- // access call checks as real UID/GID, not as effective UID/GID
- if(cfg.chrootdir) {
- char *shellpath;
- if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
- errExit("asprintf");
- if (access(shellpath, X_OK)) {
- fprintf(stderr, "Error: cannot access shell file in chroot\n");
- exit(1);
- }
- free(shellpath);
- } else if (access(cfg.shell, X_OK)) {
- fprintf(stderr, "Error: cannot access shell file\n");
- exit(1);
- }
+ fprintf(stderr, "Warning: --shell feature has been deprecated\n");
+ exit(1);
}
else if (strcmp(argv[i], "-c") == 0) {
arg_command = 1;
@@ -2725,6 +2808,11 @@
else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
arg_deterministic_exit_code = 1;
}
+ else if (strcmp(argv[i], "--deterministic-shutdown") == 0) {
+ arg_deterministic_shutdown = 1;
+ }
+ else if (strcmp(argv[i], "--tab") == 0)
+ arg_tab = 1;
else {
// double dash - positional params to follow
if (strcmp(argv[i], "--") == 0) {
@@ -2746,9 +2834,6 @@
cfg.command_name = strdup(argv[i]);
if (!cfg.command_name)
errExit("strdup");
-
- // disable shell=* for appimages
- arg_shell_none = 0;
}
else
extract_command_name(i, argv);
@@ -2775,11 +2860,6 @@
}
}
- // prog_index could still be -1 if no program was specified
- if (prog_index == -1 && arg_shell_none) {
- fprintf(stderr, "Error: shell=none configured, but no program specified\n");
- exit(1);
- }
// check trace configuration
if (arg_trace && arg_tracelog) {
@@ -2798,6 +2878,17 @@
}
}
+ // check writable_etc and DNS/DHCP
+ if (arg_writable_etc) {
+ if (cfg.dns1 != NULL || any_dhcp()) {
+ // we could end up overwriting the real /etc/resolv.conf, so we better exit now!
+ fprintf(stderr, "Error: --dns/--ip=dhcp and --writable-etc are mutually exclusive\n");
+ exit(1);
+ }
+ }
+
+
+
// enable seccomp if only seccomp.block-secondary was specified
if (arg_seccomp_block_secondary)
arg_seccomp = 1;
@@ -2812,27 +2903,18 @@
free(msg);
}
- // guess shell if unspecified
- if (!arg_shell_none && !cfg.shell) {
- cfg.shell = guess_shell();
- if (!cfg.shell) {
- fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
- exit(1);
- }
- if (arg_debug)
- printf("Autoselecting %s as shell\n", cfg.shell);
- }
-
// build the sandbox command
- if (prog_index == -1 && cfg.shell) {
- assert(cfg.command_line == NULL); // runs cfg.shell
+ if (prog_index == -1) {
+ just_run_the_shell = 1;
+
+ assert(cfg.command_line == NULL); // runs the user shell
if (arg_appimage) {
fprintf(stderr, "Error: no appimage archive specified\n");
exit(1);
}
- cfg.window_title = cfg.shell;
- cfg.command_name = cfg.shell;
+ cfg.window_title = cfg.usershell;
+ cfg.command_name = cfg.usershell;
}
else if (arg_appimage) {
if (arg_debug)
@@ -2856,11 +2938,8 @@
// load the profile
if (!arg_noprofile && !custom_profile) {
- if (arg_appimage) {
+ if (arg_appimage)
custom_profile = appimage_find_profile(cfg.command_name);
- // disable shell=* for appimages
- arg_shell_none = 0;
- }
else
custom_profile = profile_find_firejail(cfg.command_name, 1);
}
@@ -3015,6 +3094,9 @@
errExit("clone");
EUID_USER();
+ // sandbox pidfile
+ set_sandbox_run_file(getpid(), child);
+
if (!arg_command && !arg_quiet) {
fmessage("Parent pid %u, child pid %u\n", sandbox_pid, child);
// print the path of the new log directory
@@ -3048,100 +3130,179 @@
}
EUID_ASSERT();
- // close each end of the unused pipes
- close(parent_to_child_fds[0]);
- close(child_to_parent_fds[1]);
+ // close each end of the unused pipes
+ close(parent_to_child_fds[0]);
+ close(child_to_parent_fds[1]);
// notify child that base setup is complete
- notify_other(parent_to_child_fds[1]);
+ notify_other(parent_to_child_fds[1]);
- // wait for child to create new user namespace with CLONE_NEWUSER
- wait_for_other(child_to_parent_fds[0]);
- close(child_to_parent_fds[0]);
+ // wait for child to create new user namespace with CLONE_NEWUSER
+ wait_for_other(child_to_parent_fds[0]);
+ close(child_to_parent_fds[0]);
- if (arg_noroot) {
- // update the UID and GID maps in the new child user namespace
+ if (arg_noroot) {
+ // update the UID and GID maps in the new child user namespace
// uid
- char *map_path;
- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
- errExit("asprintf");
-
- char *map;
- uid_t uid = getuid();
- if (asprintf(&map, "%d %d 1", uid, uid) == -1)
- errExit("asprintf");
- EUID_ROOT();
- update_map(map, map_path);
- EUID_USER();
- free(map);
- free(map_path);
+ char *map_path;
+ if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
+ errExit("asprintf");
+
+ char *map;
+ uid_t uid = getuid();
+ if (asprintf(&map, "%d %d 1", uid, uid) == -1)
+ errExit("asprintf");
+ EUID_ROOT();
+ update_map(map, map_path);
+ EUID_USER();
+ free(map);
+ free(map_path);
- // gid file
+ // gid file
if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
errExit("asprintf");
- char gidmap[1024];
- char *ptr = gidmap;
- *ptr = '\0';
-
- // add user group
- gid_t gid = getgid();
- sprintf(ptr, "%d %d 1\n", gid, gid);
- ptr += strlen(ptr);
-
- if (!arg_nogroups) {
- // add firejail group
- gid_t g = get_group_id("firejail");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
-
- // add tty group
- g = get_group_id("tty");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
-
- // add audio group
- g = get_group_id("audio");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
-
- // add video group
- g = get_group_id("video");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
-
- // add games group
- g = get_group_id("games");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- }
- }
-
- EUID_ROOT();
- update_map(gidmap, map_path);
- EUID_USER();
- free(map_path);
- }
+ char gidmap[1024];
+ char *ptr = gidmap;
+ *ptr = '\0';
+
+ // add user group
+ gid_t gid = getgid();
+ sprintf(ptr, "%d %d 1\n", gid, gid);
+ ptr += strlen(ptr);
+
+ gid_t g;
+ if (!arg_nogroups || !check_can_drop_all_groups()) {
+ // add audio group
+ if (!arg_nosound) {
+ g = get_group_id("audio");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add video group
+ if (!arg_novideo) {
+ g = get_group_id("video");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add render/vglusers group
+ if (!arg_no3d) {
+ g = get_group_id("render");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ g = get_group_id("vglusers");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add lp group
+ if (!arg_noprinters) {
+ g = get_group_id("lp");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add cdrom/optical groups
+ if (!arg_nodvd) {
+ g = get_group_id("cdrom");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ g = get_group_id("optical");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add input group
+ if (!arg_noinput) {
+ g = get_group_id("input");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+ }
+
+ if (!arg_nogroups) {
+ // add firejail group
+ g = get_group_id("firejail");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+
+ // add tty group
+ g = get_group_id("tty");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+
+ // add games group
+ g = get_group_id("games");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ }
+ }
+
+ EUID_ROOT();
+ update_map(gidmap, map_path);
+ EUID_USER();
+ free(map_path);
+ }
EUID_ASSERT();
- // notify child that UID/GID mapping is complete
- notify_other(parent_to_child_fds[1]);
- close(parent_to_child_fds[1]);
+ // notify child that UID/GID mapping is complete
+ notify_other(parent_to_child_fds[1]);
+ close(parent_to_child_fds[1]);
- EUID_ROOT();
+ EUID_ROOT();
if (lockfd_network != -1) {
flock(lockfd_network, LOCK_UN);
close(lockfd_network);
}
EUID_USER();
+ // lock netfilter firewall
+ if (arg_netlock) {
+ pid_t netlock_child = fork();
+ if (netlock_child < 0)
+ errExit("fork");
+ if (netlock_child == 0) {
+ close_all(NULL, 0);
+ // drop privileges
+ if (setresgid(-1, getgid(), getgid()) != 0)
+ errExit("setresgid");
+ if (setresuid(-1, getuid(), getuid()) != 0)
+ errExit("setresuid");
+
+ char arg[64];
+ snprintf(arg, sizeof(arg), "--netlock=%d", sandbox_pid);
+
+ char *cmd[3];
+ cmd[0] = BINDIR "/firejail";
+ cmd[1] = arg;
+ cmd[2] = NULL;
+ execvp(cmd[0], cmd);
+ perror("Cannot start netlock");
+ _exit(1);
+ }
+ }
+
int status = 0;
//*****************************
// following code is signal-safe
@@ -3159,35 +3320,16 @@
// end of signal-safe code
//*****************************
-#if 0
-// at this point the sandbox was closed and we are on our way out
-// it would make sense to move this before waitpid above to free some memory
-// crash for now as of issue #3662 from dhcp code
- // free globals
- if (cfg.profile) {
- ProfileEntry *prf = cfg.profile;
- while (prf != NULL) {
- ProfileEntry *next = prf->next;
-printf("data #%s#\n", prf->data);
- if (prf->data)
- free(prf->data);
-printf("link #%s#\n", prf->link);
- if (prf->link)
- free(prf->link);
- free(prf);
- prf = next;
- }
- }
-#endif
-
+ release_sandbox_lock();
if (WIFEXITED(status)){
myexit(WEXITSTATUS(status));
} else if (WIFSIGNALED(status)) {
- myexit(WTERMSIG(status));
+ // distinguish fatal signals by adding 128
+ myexit(128 + WTERMSIG(status));
} else {
- myexit(0);
+ myexit(1);
}
- return 0;
+ return 1;
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/mountinfo.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -19,6 +19,7 @@
*/
#include "firejail.h"
+#include <errno.h>
#include <fcntl.h>
#ifndef O_PATH
@@ -32,43 +33,38 @@
// Convert octal escape sequence to decimal value
-static int read_oct(const char *path) {
- int dec = 0;
- int digit, i;
- // there are always exactly three octal digits
- for (i = 1; i < 4; i++) {
- digit = *(path + i);
- if (digit < '0' || digit > '7') {
- fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
- exit(1);
- }
- dec = (dec << 3) + (digit - '0');
- }
- return dec;
+static unsigned read_oct(char *s) {
+ assert(s[0] == '\\');
+ s++;
+
+ int i;
+ for (i = 0; i < 3; i++)
+ assert(s[i] >= '0' && s[i] <= '7');
+
+ return ((s[0] - '0') << 6 |
+ (s[1] - '0') << 3 |
+ (s[2] - '0') << 0);
}
// Restore empty spaces in pathnames extracted from /proc/self/mountinfo
static void unmangle_path(char *path) {
- char *p = strchr(path, '\\');
- if (p && read_oct(p) == ' ') {
- *p = ' ';
- int i = 3;
- do {
- p++;
- if (*(p + i) == '\\' && read_oct(p + i) == ' ') {
- *p = ' ';
- i += 3;
- }
- else
- *p = *(p + i);
- } while (*p);
- }
+ char *r = strchr(path, '\\');
+ if (!r)
+ return;
+
+ char *w = r;
+ do {
+ while (*r == '\\') {
+ *w++ = read_oct(r);
+ r += 4;
+ }
+ *w++ = *r;
+ } while (*r++);
}
// Parse a line from /proc/self/mountinfo,
// the function does an exit(1) if anything goes wrong.
static void parse_line(char *line, MountData *output) {
- assert(line && output);
memset(output, 0, sizeof(*output));
// extract mount id, filesystem name, directory and filesystem types
// examples:
@@ -86,8 +82,6 @@
char *ptr = strtok(line, " ");
if (!ptr)
goto errexit;
- if (ptr != line)
- goto errexit;
output->mountid = atoi(ptr);
int cnt = 1;
@@ -108,10 +102,9 @@
ptr = strtok(NULL, " ");
if (!ptr)
goto errexit;
- output->fstype = ptr++;
+ output->fstype = ptr;
-
- if (output->mountid == 0 ||
+ if (output->mountid < 0 ||
output->fsname == NULL ||
output->dir == NULL ||
output->fstype == NULL)
@@ -151,111 +144,118 @@
return &mdata;
}
-// Extract the mount id from /proc/self/fdinfo and return it.
-int get_mount_id(const char *path) {
- EUID_ASSERT();
- assert(path);
+// Returns mount id, or -1 if fd refers to a procfs or sysfs file
+static int get_mount_id_from_handle(int fd) {
+ char *proc;
+ if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+ errExit("asprintf");
+
+ struct file_handle *fh = malloc(sizeof *fh);
+ if (!fh)
+ errExit("malloc");
+ fh->handle_bytes = 0;
+
+ int rv = -1;
+ int tmp;
+ if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) {
+ fprintf(stderr, "Error: unexpected result from name_to_handle_at\n");
+ exit(1);
+ }
+ if (errno == EOVERFLOW && fh->handle_bytes)
+ rv = tmp;
- int fd = open(path, O_PATH|O_CLOEXEC);
- if (fd == -1)
- return -1;
+ free(proc);
+ free(fh);
+ return rv;
+}
- char *fdinfo;
- if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
+// Returns mount id, or -1 on kernels < 3.15
+static int get_mount_id_from_fdinfo(int fd) {
+ char *proc;
+ if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
errExit("asprintf");
- EUID_ROOT();
- FILE *fp = fopen(fdinfo, "re");
- EUID_USER();
- free(fdinfo);
- if (!fp)
- goto errexit;
- // read the file
+ int called_as_root = 0;
+ if (geteuid() == 0)
+ called_as_root = 1;
+
+ if (called_as_root == 0)
+ EUID_ROOT();
+
+ FILE *fp = fopen(proc, "re");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot read proc file\n");
+ exit(1);
+ }
+
+ if (called_as_root == 0)
+ EUID_USER();
+
+ int rv = -1;
char buf[MAX_BUF];
- if (fgets(buf, MAX_BUF, fp) == NULL)
- goto errexit;
- do {
- if (strncmp(buf, "mnt_id:", 7) == 0) {
- char *ptr = buf + 7;
- while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
- ptr++;
- }
- if (*ptr == '\0')
- goto errexit;
- fclose(fp);
- close(fd);
- return atoi(ptr);
- }
- } while (fgets(buf, MAX_BUF, fp));
+ while (fgets(buf, MAX_BUF, fp)) {
+ if (sscanf(buf, "mnt_id: %d", &rv) == 1)
+ break;
+ }
- // fallback, kernels older than 3.15 don't expose the mount id in this place
+ free(proc);
fclose(fp);
- close(fd);
- return -2;
+ return rv;
+}
-errexit:
- fprintf(stderr, "Error: cannot read proc file\n");
- exit(1);
+int get_mount_id(int fd) {
+ int rv = get_mount_id_from_handle(fd);
+ if (rv < 0)
+ rv = get_mount_id_from_fdinfo(fd);
+ return rv;
}
// Check /proc/self/mountinfo if path contains any mounts points.
// Returns an array that can be iterated over for recursive remounting.
-char **build_mount_array(const int mount_id, const char *path) {
+char **build_mount_array(const int mountid, const char *path) {
assert(path);
- // open /proc/self/mountinfo
FILE *fp = fopen("/proc/self/mountinfo", "re");
if (!fp) {
fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
exit(1);
}
- // array to be returned
- size_t cnt = 0;
+ // try to find line with mount id
+ int found = 0;
+ MountData mntp;
+ char line[MAX_BUF];
+ while (fgets(line, MAX_BUF, fp)) {
+ parse_line(line, &mntp);
+ if (mntp.mountid == mountid) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (!found) {
+ fclose(fp);
+ return NULL;
+ }
+
+ // allocate array
size_t size = 32;
char **rv = malloc(size * sizeof(*rv));
if (!rv)
errExit("malloc");
- // read /proc/self/mountinfo
- size_t pathlen = strlen(path);
- char buf[MAX_BUF];
- MountData mntp;
- int found = 0;
-
- if (fgets(buf, MAX_BUF, fp) == NULL) {
- fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
- exit(1);
- }
- do {
- parse_line(buf, &mntp);
- // find mount point with mount id
- if (!found) {
- if (mntp.mountid == mount_id) {
- // give up if mount id has been reassigned,
- // don't remount blacklisted path
- if (strncmp(mntp.dir, path, strlen(mntp.dir)) ||
- strstr(mntp.fsname, "firejail.ro.dir") ||
- strstr(mntp.fsname, "firejail.ro.file"))
- break;
-
- rv[cnt] = strdup(path);
- if (rv[cnt] == NULL)
- errExit("strdup");
- cnt++;
- found = 1;
- continue;
- }
- continue;
- }
- // from here on add all mount points below path,
- // don't remount blacklisted paths
- if (strncmp(mntp.dir, path, pathlen) == 0 &&
- mntp.dir[pathlen] == '/' &&
- strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
- strstr(mntp.fsname, "firejail.ro.file") == NULL) {
+ // add directory itself
+ size_t cnt = 0;
+ rv[cnt] = strdup(path);
+ if (rv[cnt] == NULL)
+ errExit("strdup");
- if (cnt == size) {
+ // and add all following mountpoints contained in this directory
+ size_t pathlen = strlen(path);
+ while (fgets(line, MAX_BUF, fp)) {
+ parse_line(line, &mntp);
+ if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') {
+ if (++cnt == size) {
size *= 2;
rv = realloc(rv, size * sizeof(*rv));
if (!rv)
@@ -264,18 +264,17 @@
rv[cnt] = strdup(mntp.dir);
if (rv[cnt] == NULL)
errExit("strdup");
- cnt++;
}
- } while (fgets(buf, MAX_BUF, fp));
+ }
+ fclose(fp);
- if (cnt == size) {
- size++;
+ // end of array
+ if (++cnt == size) {
+ ++size;
rv = realloc(rv, size * sizeof(*rv));
if (!rv)
errExit("realloc");
}
- rv[cnt] = NULL; // end of the array
-
- fclose(fp);
+ rv[cnt] = NULL;
return rv;
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/netfilter.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -24,6 +24,94 @@
#include <sys/wait.h>
#include <fcntl.h>
+void netfilter_netlock(pid_t pid) {
+ EUID_ASSERT();
+
+ // give the sandbox a chance to start up before entering the network namespace
+ sleep(1);
+ enter_network_namespace(pid);
+
+ char *flog;
+ if (asprintf(&flog, "/run/firejail/network/%d-netlock", getpid()) == -1)
+ errExit("asprintf");
+ FILE *fp = fopen(flog, "w");
+ if (!fp)
+ errExit("fopen");
+ fclose(fp);
+
+ // try to find a X terminal
+ char *terminal = NULL;
+ if (access("/usr/bin/xterm", X_OK) == 0)
+ terminal = "/usr/bin/xterm";
+ else if (access("/usr/bin/lxterminal", X_OK) == 0)
+ terminal = "/usr/bin/lxterminal";
+ else if (access("/usr/bin/xfce4-terminal", X_OK) == 0)
+ terminal = "/usr/bin/xfce4-terminal";
+ else if (access("/usr/bin/konsole", X_OK) == 0)
+ terminal = "/usr/bin/konsole";
+// problem: newer gnome-terminal versions don't support -e command line option???
+// same for mate-terminal
+
+ if (isatty(STDIN_FILENO))
+ terminal = NULL;
+
+ if (terminal) {
+ pid_t p = fork();
+ if (p == -1)
+ ; // run without terminal logger
+ else if (p == 0) { // child
+ drop_privs(0);
+ env_apply_all();
+ umask(orig_umask);
+
+ char *cmd;
+ if (asprintf(&cmd, "%s -e \"%s/firejail/fnettrace --tail --log=%s\"", terminal, LIBDIR, flog) == -1)
+ errExit("asprintf");
+ int rv = system(cmd);
+ (void) rv;
+ exit(0);
+ }
+ }
+
+ char *cmd;
+ if (asprintf(&cmd, "%s/firejail/fnettrace --netfilter --log=%s", LIBDIR, flog) == -1)
+ errExit("asprintf");
+ free(flog);
+
+ //************************
+ // build command
+ //************************
+ char *arg[4];
+ arg[0] = "/bin/sh";
+ arg[1] = "-c";
+ arg[2] = cmd;
+ arg[3] = NULL;
+ clearenv();
+ sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+ // it will never get here!!
+}
+
+void netfilter_trace(pid_t pid, const char *cmd) {
+ EUID_ASSERT();
+
+ // a pid of 0 means the main system network namespace
+ if (pid)
+ enter_network_namespace(pid);
+
+ //************************
+ // build command
+ //************************
+ char *arg[4];
+ arg[0] = "/bin/sh";
+ arg[1] = "-c";
+ arg[2] = (char *) cmd;
+ arg[3] = NULL;
+
+ clearenv();
+ sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+ // it will never get here!!
+}
+
void check_netfilter_file(const char *fname) {
EUID_ASSERT();
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/netns.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020-2021 Firejail Authors
+ * Copyright (C) 2020-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/network.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/network_main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -271,44 +271,25 @@
#define MAXBUF 4096
void net_dns_print(pid_t pid) {
EUID_ASSERT();
- // drop privileges - will not be able to read /etc/resolv.conf for --noroot option
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
-
- // exit if no permission to join the sandbox
- check_join_permission(pid);
-
- EUID_ROOT();
- if (join_namespace(pid, "mnt"))
+ // chroot in the sandbox
+ process_rootfs_chroot(sandbox);
+ unpin_process(sandbox);
+
+ drop_privs(0);
+
+ // read /etc/resolv.conf
+ FILE *fp = fopen("/etc/resolv.conf", "re");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot read /etc/resolv.conf\n");
exit(1);
-
- pid_t child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- caps_drop_all();
- if (chdir("/") < 0)
- errExit("chdir");
-
- // access /etc/resolv.conf
- FILE *fp = fopen("/etc/resolv.conf", "re");
- if (!fp) {
- fprintf(stderr, "Error: cannot access /etc/resolv.conf\n");
- exit(1);
- }
-
- char buf[MAXBUF];
- while (fgets(buf, MAXBUF, fp))
- printf("%s", buf);
- printf("\n");
- fclose(fp);
- exit(0);
}
- // wait for the child to finish
- waitpid(child, NULL, 0);
- flush_stdin();
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp))
+ printf("%s", buf);
+
exit(0);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/no_sandbox.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -49,6 +49,7 @@
// check PID 1 container environment variable
EUID_ROOT();
FILE *fp = fopen("/proc/1/environ", "re");
+ EUID_USER();
if (fp) {
int c = 0;
while (c != EOF) {
@@ -69,7 +70,6 @@
// found it
if (is_container(buf + 10)) {
fclose(fp);
- EUID_USER();
return 1;
}
}
@@ -79,7 +79,6 @@
fclose(fp);
}
- EUID_USER();
return 0;
}
@@ -190,25 +189,15 @@
}
if (prog_index == 0) {
- // got no command, require a shell and try to execute it
- cfg.shell = guess_shell();
- if (!cfg.shell) {
- fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
- exit(1);
- }
-
assert(cfg.command_line == NULL);
- cfg.window_title = cfg.shell;
+ cfg.window_title = cfg.usershell;
} else {
// this sandbox might not allow execution of a shell
- // force --shell=none in order to not break firecfg symbolic links
- arg_shell_none = 1;
-
build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
}
fwarning("an existing sandbox was detected. "
- "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell);
+ "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.usershell);
cfg.original_argv = argv;
cfg.original_program_index = prog_index;
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/oom.c
^
|
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/wait.h>
+
+void oom_set(const char *oom_string) {
+ int oom = atoi(oom_string);
+ uid_t uid = getuid();
+ if (uid == 0) {
+ if (oom < -1000 || oom > 1000) {
+ fprintf(stderr, "Error: invalid oom value (-1000 to 1000)\n");
+ exit(1);
+ }
+ }
+ else {
+ if (oom < 0 || oom > 1000) {
+ fprintf(stderr, "Error: invalid oom value (0 to 1000)\n");
+ exit(1);
+ }
+ }
+
+ pid_t parent = getpid();
+ pid_t child = fork();
+ if (child == -1)
+ errExit("fork");
+ if (child == 0) {
+ EUID_ROOT();
+ // elevate privileges
+ if (setreuid(0, 0))
+ errExit("setreuid");
+ if (setregid(0, 0))
+ errExit("setregid");
+
+ char *fname;
+ if (asprintf(&fname, "/proc/%d/oom_score_adj", parent) == -1)
+ errExit("asprintf");
+ FILE *fp = fopen(fname, "w");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ exit(1);
+ }
+ fprintf(fp, "%d", oom);
+ fclose(fp);
+ free(fname);
+
+ if (asprintf(&fname, "/proc/%d/oom_score", parent) == -1)
+ errExit("asprintf");
+ fp = fopen(fname, "r");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ exit(1);
+ }
+ int newoom;
+ if (1 != fscanf(fp, "%d", &newoom)) {
+ fprintf(stderr, "Error: cannot read from %s\n", fname);
+ exit(1);
+ }
+ fclose(fp);
+ free(fname);
+
+ if (!arg_quiet)
+ printf("Out-Of-Memory score adjusted, new value %d\n", newoom);
+ exit(0);
+ }
+
+ int status;
+ if (waitpid(child, &status, 0) == -1 )
+ errExit("waitpid");
+}
+
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/output.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -50,13 +50,21 @@
if (!outindex)
return;
-
- // check filename
drop_privs(0);
char *outfile = argv[outindex];
outfile += (enable_stderr)? 16:9;
+
+ // check filename
invalid_filename(outfile, 0); // no globbing
+ // expand user home directory
+ if (outfile[0] == '~') {
+ char *full;
+ if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1)
+ errExit("asprintf");
+ outfile = full;
+ }
+
// do not accept directories, links, and files with ".."
if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/paths.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/preproc.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -34,58 +34,28 @@
create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
}
- if (stat(RUN_FIREJAIL_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
- }
-
- if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
- }
+ create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+ create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
+ create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
+ create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
+ create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755);
+ create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
+ create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
+ create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+ create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+
+ // restricted search permission
+ // only root should be able to lock files in this directory
+ create_empty_dir_as_root(RUN_FIREJAIL_SANDBOX_DIR, 0700);
- if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
- }
-
- if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
- }
+ create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755);
+ fs_remount(RUN_FIREJAIL_DBUS_DIR, MOUNT_NOEXEC, 0);
- if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755);
- }
-
- if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
- }
-
- if (stat(RUN_FIREJAIL_DBUS_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755);
- if (arg_debug)
- printf("Remounting the " RUN_FIREJAIL_DBUS_DIR
- " directory as noexec\n");
- if (mount(RUN_FIREJAIL_DBUS_DIR, RUN_FIREJAIL_DBUS_DIR, NULL,
- MS_BIND, NULL) == -1)
- errExit("mounting " RUN_FIREJAIL_DBUS_DIR);
- if (mount(NULL, RUN_FIREJAIL_DBUS_DIR, NULL,
- MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV,
- "mode=755,gid=0") == -1)
- errExit("remounting " RUN_FIREJAIL_DBUS_DIR);
- }
-
- if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
- }
-
- if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
- create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
- }
-
- if (stat(RUN_MNT_DIR, &s)) {
- create_empty_dir_as_root(RUN_MNT_DIR, 0755);
- }
+ create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
+ fs_remount(RUN_RO_DIR, MOUNT_READONLY, 0);
create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
- create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
+ fs_remount(RUN_RO_FILE, MOUNT_READONLY, 0);
}
// build /run/firejail/mnt directory
@@ -121,10 +91,18 @@
copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
copy_file(PATH_SECCOMP_MDWX_32, RUN_SECCOMP_MDWX_32, getuid(), getgid(), 0644); // root needed
}
- // as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
+ // as root, create empty RUN_SECCOMP_PROTOCOL, RUN_SECCOMP_NS and RUN_SECCOMP_POSTEXEC files
create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
errExit("set_perms");
+ if (cfg.restrict_namespaces) {
+ create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
+ if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
+ errExit("set_perms");
+ create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
+ if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
+ errExit("set_perms");
+ }
create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
errExit("set_perms");
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/process.c
^
|
@@ -0,0 +1,244 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <errno.h>
+#include <signal.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#include <sys/syscall.h>
+#ifndef __NR_pidfd_send_signal
+#define __NR_pidfd_send_signal 424
+#endif
+
+#define BUFLEN 4096
+
+struct processhandle_instance_t {
+ pid_t pid;
+ int fd; // file descriptor referring to /proc/[PID]
+};
+
+
+ProcessHandle pin_process(pid_t pid) {
+ EUID_ASSERT();
+
+ ProcessHandle rv = malloc(sizeof(struct processhandle_instance_t));
+ if (!rv)
+ errExit("malloc");
+ rv->pid = pid;
+
+ char proc[64];
+ snprintf(proc, sizeof(proc), "/proc/%d", pid);
+
+ EUID_ROOT();
+ int fd = open(proc, O_RDONLY|O_CLOEXEC);
+ EUID_USER();
+ if (fd < 0) {
+ if (errno == ENOENT)
+ fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
+ else
+ fprintf(stderr, "Error: cannot open %s: %s\n", proc, strerror(errno));
+ exit(1);
+ }
+ rv->fd = fd;
+
+ return rv;
+}
+
+void unpin_process(ProcessHandle process) {
+ close(process->fd);
+ free(process);
+}
+
+pid_t process_get_pid(ProcessHandle process) {
+ return process->pid;
+}
+
+int process_get_fd(ProcessHandle process) {
+ return process->fd;
+}
+
+/*********************************************
+ * access path in proc filesystem
+ *********************************************/
+
+int process_stat_nofail(ProcessHandle process, const char *fname, struct stat *s) {
+ EUID_ASSERT();
+ assert(fname[0] != '/');
+
+ EUID_ROOT();
+ int rv = fstatat(process_get_fd(process), fname, s, 0);
+ EUID_USER();
+
+ return rv;
+}
+
+int process_stat(ProcessHandle process, const char *fname, struct stat *s) {
+ int rv = process_stat_nofail(process, fname, s);
+ if (rv) {
+ fprintf(stderr, "Error: cannot stat /proc/%d/%s: %s\n", process_get_pid(process), fname, strerror(errno));
+ exit(1);
+ }
+
+ return rv;
+}
+
+int process_open_nofail(ProcessHandle process, const char *fname) {
+ EUID_ASSERT();
+ assert(fname[0] != '/');
+
+ EUID_ROOT();
+ int rv = openat(process_get_fd(process), fname, O_RDONLY|O_CLOEXEC);
+ EUID_USER();
+
+ return rv;
+}
+
+int process_open(ProcessHandle process, const char *fname) {
+ int rv = process_open_nofail(process, fname);
+ if (rv < 0) {
+ fprintf(stderr, "Error: cannot open /proc/%d/%s: %s\n", process_get_pid(process), fname, strerror(errno));
+ exit(1);
+ }
+
+ return rv;
+}
+
+FILE *process_fopen(ProcessHandle process, const char *fname) {
+ int fd = process_open(process, fname);
+ FILE *rv = fdopen(fd, "r");
+ if (!rv)
+ errExit("fdopen");
+
+ return rv;
+}
+
+int process_join_namespace(ProcessHandle process, char *type) {
+ return join_namespace_by_fd(process_get_fd(process), type);
+}
+
+/*********************************************
+ * sending a signal
+ *********************************************/
+
+void process_send_signal(ProcessHandle process, int signum) {
+ fmessage("Sending signal %d to pid %d\n", signum, process_get_pid(process));
+
+ if (syscall(__NR_pidfd_send_signal, process_get_fd(process), signum, NULL, 0) == -1 && errno == ENOSYS)
+ kill(process_get_pid(process), signum);
+}
+
+/*********************************************
+ * parent and child process
+ *********************************************/
+
+static pid_t process_parent_pid(ProcessHandle process) {
+ pid_t rv = 0;
+
+ FILE *fp = process_fopen(process, "status");
+ char buf[BUFLEN];
+ while (fgets(buf, BUFLEN, fp)) {
+ if (sscanf(buf, "PPid: %d", &rv) == 1)
+ break;
+ }
+ fclose(fp);
+
+ return rv;
+}
+
+static ProcessHandle pin_process_relative_to(ProcessHandle process, pid_t pid) {
+ ProcessHandle rv = malloc(sizeof(struct processhandle_instance_t));
+ if (!rv)
+ errExit("malloc");
+ rv->pid = pid;
+
+ char proc[64];
+ snprintf(proc, sizeof(proc), "../%d", pid);
+
+ rv->fd = process_open(process, proc);
+
+ return rv;
+}
+
+ProcessHandle pin_parent_process(ProcessHandle process) {
+ ProcessHandle parent = pin_process_relative_to(process, process_parent_pid(process));
+ return parent;
+}
+
+ProcessHandle pin_child_process(ProcessHandle process, pid_t child_pid) {
+ ProcessHandle child = pin_process_relative_to(process, child_pid);
+
+ // verify parent/child relationship
+ if (process_parent_pid(child) != process_get_pid(process)) {
+ fprintf(stderr, "Error: cannot find child process of pid %d\n", process_get_pid(process));
+ exit(1);
+ }
+
+ return child;
+}
+
+/*********************************************
+ * access process rootfs
+ *********************************************/
+
+void process_rootfs_chroot(ProcessHandle process) {
+ if (fchdir(process_get_fd(process)) < 0)
+ errExit("fchdir");
+
+ int called_as_root = 0;
+ if (geteuid() == 0)
+ called_as_root = 1;
+ if (called_as_root == 0)
+ EUID_ROOT();
+
+ if (chroot("root") < 0)
+ errExit("chroot");
+
+ if (called_as_root == 0)
+ EUID_USER();
+
+ if (chdir("/") < 0)
+ errExit("chdir");
+}
+
+int process_rootfs_stat(ProcessHandle process, const char *fname, struct stat *s) {
+ char *proc;
+ if (asprintf(&proc, "root%s", fname) < 0)
+ errExit("asprintf");
+
+ int rv = process_stat_nofail(process, proc, s);
+
+ free(proc);
+ return rv;
+}
+
+int process_rootfs_open(ProcessHandle process, const char *fname) {
+ char *proc;
+ if (asprintf(&proc, "root%s", fname) < 0)
+ errExit("asprintf");
+
+ int rv = process_open_nofail(process, proc);
+
+ free(proc);
+ return rv;
+}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/profile.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -26,7 +26,8 @@
extern char *xephyr_screen;
-#define MAX_READ 8192 // line buffer for profile files
+#define MAX_READ 8192 // line buffer for profile files
+#define MAX_LIST 16384 // size limit for argument lists
// find and read the profile specified by name from dir directory
// return 1 if a profile was found
@@ -72,6 +73,7 @@
// search and read the profile specified by name from firejail directories
// return 1 if a profile was found
int profile_find_firejail(const char *name, int add_ext) {
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
// look for a profile in ~/.config/firejail directory
char *usercfgdir;
if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
@@ -84,6 +86,9 @@
rv = profile_find(name, SYSCONFDIR, add_ext);
return rv;
+#else
+ return profile_find(name, SYSCONFDIR, add_ext);
+#endif
}
//***************************************************
@@ -175,6 +180,10 @@
return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
}
+static int check_allow_tray(void) {
+ return checkcfg(CFG_ALLOW_TRAY) != 0;
+}
+
Cond conditionals[] = {
{"HAS_APPIMAGE", check_appimage},
{"HAS_NET", check_netoptions},
@@ -184,6 +193,7 @@
{"HAS_X11", check_x11},
{"BROWSER_DISABLE_U2F", check_disable_u2f},
{"BROWSER_ALLOW_DRM", check_allow_drm},
+ {"ALLOW_TRAY", check_allow_tray},
{ NULL, NULL }
};
@@ -285,6 +295,15 @@
return 0;
}
+ if (strncmp(ptr, "keep-fd ", 8) == 0) {
+ if (strcmp(ptr + 8, "all") == 0)
+ arg_keep_fd_all = 1;
+ else {
+ const char *add = ptr + 8;
+ profile_list_augment(&cfg.keep_fd, add);
+ }
+ return 0;
+ }
if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
#ifdef HAVE_X11
if (checkcfg(CFG_X11)) {
@@ -349,11 +368,13 @@
return 0;
}
else if (strcmp(ptr, "shell none") == 0) {
- arg_shell_none = 1;
+ fprintf(stderr, "Warning: \"shell none\" command in the profile file is done by default; the command will be deprecated\n");
return 0;
}
else if (strcmp(ptr, "tracelog") == 0) {
- arg_tracelog = 1;
+ if (checkcfg(CFG_TRACELOG))
+ arg_tracelog = 1;
+ // no warning, we have tracelog in over 400 profiles
return 0;
}
else if (strcmp(ptr, "private") == 0) {
@@ -375,6 +396,10 @@
#endif
return 0;
}
+ else if (strcmp(ptr, "tab") == 0) {
+ arg_tab = 1;
+ return 0;
+ }
else if (strcmp(ptr, "private-cwd") == 0) {
cfg.cwd = NULL;
arg_private_cwd = 1;
@@ -411,13 +436,7 @@
return 0;
}
else if (strcmp(ptr, "nogroups") == 0) {
- // nvidia cards require video group; disable nogroups
- if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
- fwarning("Warning: NVIDIA card detected, nogroups command disabled\n");
- arg_nogroups = 0;
- }
- else
- arg_nogroups = 1;
+ arg_nogroups = 1;
return 0;
}
else if (strcmp(ptr, "nosound") == 0) {
@@ -444,6 +463,12 @@
arg_no3d = 1;
return 0;
}
+ else if (strcmp(ptr, "noprinters") == 0) {
+ arg_noprinters = 1;
+ profile_add("blacklist /dev/lp*");
+ profile_add("blacklist /run/cups/cups.sock");
+ return 0;
+ }
else if (strcmp(ptr, "noinput") == 0) {
arg_noinput = 1;
return 0;
@@ -630,7 +655,17 @@
#endif
return 0;
}
- else if (strncmp(ptr, "netns ", 6) == 0) {
+ else if (strcmp(ptr, "netlock") == 0) {
+#ifdef HAVE_NETWORK
+ if (checkcfg(CFG_NETWORK)) {
+ arg_netlock = 1;
+ }
+ else
+ warning_feature_disabled("networking");
+#endif
+ return 0;
+ }
+ else if (strncmp(ptr, "netns ", 6) == 0) {
#ifdef HAVE_NETWORK
if (checkcfg(CFG_NETWORK)) {
arg_netns = ptr + 6;
@@ -916,6 +951,33 @@
if (strcmp(ptr, "apparmor") == 0) {
#ifdef HAVE_APPARMOR
arg_apparmor = 1;
+ apparmor_profile = "firejail-default";
+#endif
+ return 0;
+ }
+
+ if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+ arg_apparmor = 1;
+ apparmor_profile = strdup(ptr + 9);
+ if (!apparmor_profile)
+ errExit("strdup");
+#endif
+ return 0;
+ }
+
+ if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+ arg_apparmor = 1;
+ apparmor_replace = true;
+#endif
+ return 0;
+ }
+
+ if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+ arg_apparmor = 1;
+ apparmor_replace = false;
#endif
return 0;
}
@@ -981,10 +1043,10 @@
warning_feature_disabled("seccomp");
return 0;
}
- if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
+ if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp32 = 1;
- cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
+ cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);
}
else
warning_feature_disabled("seccomp");
@@ -1001,10 +1063,10 @@
warning_feature_disabled("seccomp");
return 0;
}
- if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
+ if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) {
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp32 = 1;
- cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
+ cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16);
}
else
warning_feature_disabled("seccomp");
@@ -1020,6 +1082,24 @@
return 0;
}
+ // restrict-namespaces
+ if (strcmp(ptr, "restrict-namespaces") == 0) {
+ if (checkcfg(CFG_SECCOMP))
+ profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+ else
+ warning_feature_disabled("seccomp");
+ return 0;
+ }
+ if (strncmp(ptr, "restrict-namespaces ", 20) == 0) {
+ if (checkcfg(CFG_SECCOMP)) {
+ const char *add = ptr + 20;
+ profile_list_augment(&cfg.restrict_namespaces, add);
+ }
+ else
+ warning_feature_disabled("seccomp");
+ return 0;
+ }
+
// seccomp error action
if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
if (checkcfg(CFG_SECCOMP)) {
@@ -1101,7 +1181,7 @@
else if (cfg.dns4 == NULL)
cfg.dns4 = dns;
else {
- fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+ fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns);
free(dns);
}
return 0;
@@ -1122,15 +1202,6 @@
return 0;
}
- // cgroup
- if (strncmp(ptr, "cgroup ", 7) == 0) {
- if (checkcfg(CFG_CGROUP))
- set_cgroup(ptr + 7);
- else
- warning_feature_disabled("cgroup");
- return 0;
- }
-
// writable-etc
if (strcmp(ptr, "writable-etc") == 0) {
if (cfg.etc_private_keep) {
@@ -1373,11 +1444,6 @@
fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
exit(1);
}
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
- }
arg_overlay = 1;
arg_overlay_keep = 1;
arg_overlay_reuse = 1;
@@ -1410,11 +1476,6 @@
fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
exit(1);
}
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
- }
arg_overlay = 1;
}
else
@@ -1431,11 +1492,6 @@
fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
exit(1);
}
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
- }
arg_overlay = 1;
arg_overlay_keep = 1;
@@ -1548,9 +1604,6 @@
int r = name2pid(ptr + 14, &pid);
EUID_USER();
if (!r) {
- if (!cfg.shell && !arg_shell_none)
- cfg.shell = guess_shell();
-
// find first non-option arg
int i;
for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
@@ -1581,6 +1634,11 @@
return 0;
}
+ if (strcmp(ptr, "deterministic-shutdown") == 0) {
+ arg_deterministic_shutdown = 1;
+ return 0;
+ }
+
// rest of filesystem
if (strncmp(ptr, "blacklist ", 10) == 0)
ptr += 10;
@@ -1589,22 +1647,8 @@
else if (strncmp(ptr, "noblacklist ", 12) == 0)
ptr += 12;
else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
- if (checkcfg(CFG_WHITELIST)) {
- arg_whitelist = 1;
- ptr += 10;
- }
- else {
- static int whitelist_warning_printed = 0;
- if (!whitelist_warning_printed) {
- warning_feature_disabled("whitelist");
- whitelist_warning_printed = 1;
- }
- return 0;
- }
-#else
- return 0;
-#endif
+ arg_whitelist = 1;
+ ptr += 10;
}
else if (strncmp(ptr, "nowhitelist ", 12) == 0)
ptr += 12;
@@ -1750,6 +1794,18 @@
continue;
}
+ if (strncmp(ptr, "whitelist-ro ", 13) == 0) {
+ char *whitelist, *readonly;
+ if (asprintf(&whitelist, "whitelist %s", ptr + 13) == -1)
+ errExit("asprintf");
+ profile_add(whitelist);
+ if (asprintf(&readonly, "read-only %s", ptr + 13) == -1)
+ errExit("asprintf");
+ profile_add(readonly);
+ free(ptr);
+ continue;
+ }
+
// process quiet
// todo: a quiet in the profile file cannot be disabled by --ignore on command line
if (strcmp(ptr, "quiet") == 0) {
@@ -1914,7 +1970,7 @@
/* Include non-empty item */
if (!*item)
in[i] = 0;
- /* Remove all allready included items */
+ /* Remove all already included items */
for (k = 0; k < i; ++k)
in[k] = 0;
break;
@@ -1946,4 +2002,10 @@
errExit("asprintf");
free(*list);
*list = profile_list_compress(tmp);
+
+ // lists should not grow indefinitely
+ if (strlen(*list) > MAX_LIST) {
+ fprintf(stderr, "Error: argument list is too long\n");
+ exit(1);
+ }
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/protocol.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -63,27 +63,23 @@
(void) pid;
#ifdef SYS_socket
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- // exit if no permission to join the sandbox
- check_join_permission(pid);
+ // chroot in the sandbox
+ process_rootfs_chroot(sandbox);
+ unpin_process(sandbox);
// find the seccomp filter
- EUID_ROOT();
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_PROTOCOL_CFG) == -1)
- errExit("asprintf");
-
struct stat s;
- if (stat(fname, &s) == -1) {
+ if (stat(RUN_PROTOCOL_CFG, &s) != 0) {
printf("Cannot access seccomp filter.\n");
exit(1);
}
// read and print the filter
- protocol_filter_load(fname);
- free(fname);
+ EUID_ROOT();
+ protocol_filter_load(RUN_PROTOCOL_CFG);
+
if (cfg.protocol)
printf("%s\n", cfg.protocol);
exit(0);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/pulseaudio.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -25,6 +25,7 @@
#include <dirent.h>
#include <errno.h>
#include <sys/wait.h>
+#include <glob.h>
#include <fcntl.h>
#ifndef O_PATH
@@ -33,6 +34,59 @@
#define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
+
+
+static void disable_rundir_pipewire(const char *path) {
+ assert(path);
+
+ // globbing for path/pipewire-*
+ char *pattern;
+ if (asprintf(&pattern, "%s/pipewire-*", path) == -1)
+ errExit("asprintf");
+
+ glob_t globbuf;
+ int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+ if (globerr) {
+ fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
+ exit(1);
+ }
+
+ size_t i;
+ for (i = 0; i < globbuf.gl_pathc; i++) {
+ char *dir = globbuf.gl_pathv[i];
+ assert(dir);
+
+ // don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it!
+ if (is_link(dir))
+ continue;
+ disable_file_or_dir(dir);
+ }
+ globfree(&globbuf);
+ free(pattern);
+}
+
+
+
+// disable pipewire socket
+void pipewire_disable(void) {
+ if (arg_debug)
+ printf("disable pipewire\n");
+ // blacklist user config directory
+ disable_file_path(cfg.homedir, ".config/pipewire");
+
+ // blacklist pipewire in XDG_RUNTIME_DIR
+ const char *name = env_get("XDG_RUNTIME_DIR");
+ if (name)
+ disable_rundir_pipewire(name);
+
+ // try the default location anyway
+ char *path;
+ if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+ errExit("asprintf");
+ disable_rundir_pipewire(path);
+ free(path);
+}
+
// disable pulseaudio socket
void pulseaudio_disable(void) {
if (arg_debug)
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/restrict_users.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -21,7 +21,6 @@
#include "../include/firejail_user.h"
#include <sys/mount.h>
#include <sys/stat.h>
-#include <linux/limits.h>
#include <fnmatch.h>
#include <glob.h>
#include <dirent.h>
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/restricted_shell.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/rlimit.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/run_files.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,8 +20,18 @@
#include "firejail.h"
#include "../include/pid.h"
+#include <fcntl.h>
#define BUFLEN 4096
+static void delete_sandbox_run_file(pid_t pid) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1)
+ errExit("asprintf");
+ int rv = unlink(fname);
+ (void) rv;
+ free(fname);
+}
+
static void delete_x11_run_file(pid_t pid) {
char *fname;
if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
@@ -68,6 +78,7 @@
void delete_run_files(pid_t pid) {
+ delete_sandbox_run_file(pid);
delete_bandwidth_run_file(pid);
delete_network_run_file(pid);
delete_name_run_file(pid);
@@ -152,3 +163,52 @@
EUID_USER();
free(runfile);
}
+
+static int sandbox_lock_fd = -1;
+void set_sandbox_run_file(pid_t pid, pid_t child) {
+ char *runfile;
+ if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1)
+ errExit("asprintf");
+
+ EUID_ROOT();
+ // the file is deleted first
+ // this file should be opened with O_CLOEXEC set
+ int fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
+ fprintf(stderr, "Error: cannot create %s\n", runfile);
+ exit(1);
+ }
+ free(runfile);
+ EUID_USER();
+
+ char buf[64];
+ snprintf(buf, sizeof(buf), "%d\n", child);
+ size_t len = strlen(buf);
+ size_t done = 0;
+ while (done != len) {
+ ssize_t rv = write(fd, buf + done, len - done);
+ if (rv < 0)
+ errExit("write");
+ done += rv;
+ }
+
+ // set exclusive lock on the file
+ // the lock is never inherited, and is released if this process dies ungracefully
+ struct flock sandbox_lock = {
+ .l_type = F_WRLCK,
+ .l_whence = SEEK_SET,
+ .l_start = 0,
+ .l_len = 0,
+ };
+ if (fcntl(fd, F_SETLK, &sandbox_lock) < 0)
+ errExit("fcntl");
+
+ sandbox_lock_fd = fd;
+}
+
+void release_sandbox_lock(void) {
+ assert(sandbox_lock_fd > -1);
+
+ close(sandbox_lock_fd);
+ sandbox_lock_fd = -1;
+}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/run_symlink.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,7 +22,6 @@
#include <sys/stat.h>
#include <unistd.h>
-extern char *find_in_path(const char *program);
void run_symlink(int argc, char **argv, int run_as_is) {
EUID_ASSERT();
@@ -77,6 +76,8 @@
a[i + 2] = argv[i + 1];
}
a[i + 2] = NULL;
+ if (env_get("LD_PRELOAD") != NULL)
+ fprintf(stderr, "run_symlink: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD"));
assert(env_get("LD_PRELOAD") == NULL);
assert(getenv("LD_PRELOAD") == NULL);
execvp(a[0], a);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/sandbox.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -50,7 +50,7 @@
#include <sys/apparmor.h>
#endif
-static int force_nonewprivs = 0;
+extern int just_run_the_shell;
static int monitored_pid = 0;
static void sandbox_handler(int sig){
@@ -87,9 +87,9 @@
// broadcast a SIGKILL
kill(-1, SIGKILL);
- flush_stdin();
- exit(sig);
+ flush_stdin();
+ exit(128 + sig);
}
static void install_handler(void) {
@@ -127,10 +127,17 @@
}
#ifdef HAVE_APPARMOR
-void set_apparmor(void) {
+static void set_apparmor(void) {
EUID_ASSERT();
if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
- if (aa_change_onexec("firejail-default")) {
+ int res = 0;
+ if(apparmor_replace){
+ fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+ res = aa_change_onexec(apparmor_profile);
+ } else {
+ res = aa_stack_onexec(apparmor_profile);
+ }
+ if (res) {
fwarning("Cannot confine the application using AppArmor.\n"
"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
"As root, run \"aa-enforce firejail-default\" to load it.\n");
@@ -204,7 +211,7 @@
}
static char *create_join_file(void) {
- int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd == -1)
errExit("open");
if (ftruncate(fd, 1) == -1)
@@ -356,6 +363,15 @@
if (arg_debug)
printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status);
+ if (arg_deterministic_shutdown) {
+ if (arg_debug)
+ printf("Sandbox monitor: monitored process died, shut down the sandbox\n");
+ kill(-1, SIGTERM);
+ usleep(100000);
+ kill(-1, SIGKILL);
+ break;
+ }
+
DIR *dir;
if (!(dir = opendir("/proc"))) {
// sleep 2 seconds and try again
@@ -377,18 +393,6 @@
if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid)
continue;
- // todo: make this generic
- // Dillo browser leaves a dpid process running, we need to shut it down
- int found = 0;
- if (strcmp(cfg.command_name, "dillo") == 0) {
- char *pidname = pid_proc_comm(pid);
- if (pidname && strcmp(pidname, "dpid") == 0)
- found = 1;
- free(pidname);
- }
- if (found)
- break;
-
monitored_pid = pid;
break;
}
@@ -407,7 +411,6 @@
fmessage("Child process initialized in %.02f ms\n", delta);
}
-
// check execute permissions for the program
// this is done typically by the shell
// we are here because of --shell=none
@@ -464,10 +467,45 @@
return 0;
}
+static void close_file_descriptors(void) {
+ if (arg_keep_fd_all)
+ return;
+
+ if (arg_debug)
+ printf("Closing non-standard file descriptors\n");
+
+ if (!cfg.keep_fd) {
+ close_all(NULL, 0);
+ return;
+ }
+
+ size_t sz = 0;
+ int *keep = str_to_int_array(cfg.keep_fd, &sz);
+ if (!keep) {
+ fprintf(stderr, "Error: invalid keep-fd option\n");
+ exit(1);
+ }
+ close_all(keep, sz);
+ free(keep);
+}
+
+
void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
- // set environment
- if (no_sandbox == 0)
+ if (no_sandbox == 0) {
+#ifdef HAVE_APPARMOR
+ set_apparmor();
+#endif
+ close_file_descriptors();
+
+ // set nice and rlimits
+ if (arg_nice)
+ set_nice(cfg.nice);
+ set_rlimits();
+
env_defaults();
+ }
+
+ // set environment
env_apply_all();
// restore original umask
@@ -478,10 +516,28 @@
printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
}
+ if (just_run_the_shell) {
+ char *arg[2];
+ arg[0] = cfg.usershell;
+ arg[1] = NULL;
+
+ if (!arg_command && !arg_quiet)
+ print_time();
+
+ __gcov_dump();
+
+ seccomp_install_filters();
+
+ if (set_sandbox_status)
+ *set_sandbox_status = SANDBOX_DONE;
+ execvp(arg[0], arg);
+
+
+ }
//****************************************
// start the program without using a shell
//****************************************
- if (arg_shell_none) {
+ else if (!arg_appimage && !arg_doubledash) {
if (arg_debug) {
int i;
for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -515,15 +571,14 @@
//****************************************
// start the program using a shell
//****************************************
- else {
- assert(cfg.shell);
-
+ else { // appimage or double-dash
char *arg[5];
int index = 0;
- arg[index++] = cfg.shell;
+ assert(cfg.usershell);
+ arg[index++] = cfg.usershell;
if (cfg.command_line) {
if (arg_debug)
- printf("Running %s command through %s\n", cfg.command_line, cfg.shell);
+ printf("Running %s command through %s\n", cfg.command_line, cfg.usershell);
arg[index++] = "-c";
if (arg_doubledash)
arg[index++] = "--";
@@ -531,11 +586,11 @@
}
else if (login_shell) {
if (arg_debug)
- printf("Starting %s login shell\n", cfg.shell);
+ printf("Starting %s login shell\n", cfg.usershell);
arg[index++] = "-l";
}
else if (arg_debug)
- printf("Starting %s shell\n", cfg.shell);
+ printf("Starting %s shell\n", cfg.usershell);
assert(index < 5);
arg[index] = NULL;
@@ -543,7 +598,7 @@
if (arg_debug) {
char *msg;
if (asprintf(&msg, "sandbox %d, execvp into %s",
- sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1)
+ sandbox_pid, cfg.command_line ? cfg.command_line : cfg.usershell) == -1)
errExit("asprintf");
logmsg(msg);
free(msg);
@@ -580,7 +635,6 @@
fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n");
// enforce NO_NEW_PRIVS
arg_nonewprivs = 1;
- force_nonewprivs = 1;
// disable all capabilities
arg_caps_drop_all = 1;
@@ -783,14 +837,9 @@
exit(rv);
}
-#ifdef HAVE_FORCE_NONEWPRIVS
- bool always_enforce_filters = true;
-#else
- bool always_enforce_filters = false;
-#endif
// for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
// and drop all capabilities
- if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters))
+ if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay))
enforce_filters();
// need ld.so.preload if tracing or seccomp with any non-default lists
@@ -798,7 +847,7 @@
// trace pre-install
if (need_preload)
- fs_trace_preload();
+ fs_trace_touch_or_store_preload();
// store hosts file
if (cfg.hosts_file)
@@ -814,8 +863,11 @@
//****************************
// trace pre-install, this time inside chroot
//****************************
- if (need_preload)
- fs_trace_preload();
+ if (need_preload) {
+ int rv = unlink(RUN_LDPRELOAD_FILE);
+ (void) rv;
+ fs_trace_touch_or_store_preload();
+ }
}
else
#endif
@@ -887,16 +939,16 @@
else if (arg_overlay)
fwarning("private-bin feature is disabled in overlay\n");
else {
+ EUID_USER();
// for --x11=xorg we need to add xauth command
if (arg_x11_xorg) {
- EUID_USER();
char *tmp;
if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
errExit("asprintf");
cfg.bin_private_keep = tmp;
- EUID_ROOT();
}
fs_private_bin_list();
+ EUID_ROOT();
}
}
@@ -992,7 +1044,7 @@
// create /etc/ld.so.preload file again
if (need_preload)
- fs_trace_preload();
+ fs_trace_touch_preload();
// openSUSE configuration is split between /etc and /usr/etc
// process private-etc a second time
@@ -1004,10 +1056,12 @@
// apply the profile file
//****************************
// apply all whitelist commands ...
+ EUID_USER();
fs_whitelist();
// ... followed by blacklist commands
fs_blacklist(); // mkdir and mkfile are processed all over again
+ EUID_ROOT();
//****************************
// nosound/no3d/notv/novideo and fix for pulseaudio 7.0
@@ -1016,6 +1070,9 @@
// disable pulseaudio
pulseaudio_disable();
+ // disable pipewire
+ pipewire_disable();
+
// disable /dev/snd
fs_dev_disable_sound();
}
@@ -1041,9 +1098,10 @@
fs_dev_disable_input();
//****************************
- // set dns
+ // rebuild etc directory, set dns
//****************************
- fs_resolvconf();
+ if (!arg_writable_etc)
+ fs_rebuild_etc();
//****************************
// start dhcp client
@@ -1056,6 +1114,11 @@
EUID_USER();
int cwd = 0;
if (cfg.cwd) {
+ if (is_link(cfg.cwd)) {
+ fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd);
+ exit(1);
+ }
+
if (chdir(cfg.cwd) == 0)
cwd = 1;
else if (arg_private_cwd) {
@@ -1071,8 +1134,10 @@
struct stat s;
if (stat(cfg.homedir, &s) == 0) {
/* coverity[toctou] */
- if (chdir(cfg.homedir) < 0)
- errExit("chdir");
+ if (chdir(cfg.homedir) < 0) {
+ fprintf(stderr, "Error: unable to enter home directory: %s: %s\n", cfg.homedir, strerror(errno));
+ exit(1);
+ }
}
}
}
@@ -1108,9 +1173,6 @@
// save cpu affinity mask to CPU_CFG file
save_cpu();
- // save cgroup in CGROUP_CFG file
- save_cgroup();
-
// set seccomp
// install protocol filter
#ifdef SYS_socket
@@ -1152,6 +1214,16 @@
seccomp_load(RUN_SECCOMP_MDWX_32);
}
+ if (cfg.restrict_namespaces) {
+ seccomp_filter_namespaces(true, cfg.restrict_namespaces);
+ seccomp_filter_namespaces(false, cfg.restrict_namespaces);
+
+ if (arg_debug)
+ printf("Install namespaces filter\n");
+ seccomp_load(RUN_SECCOMP_NS); // install filter
+ seccomp_load(RUN_SECCOMP_NS_32);
+ }
+
// make seccomp filters read-only
fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
seccomp_debug();
@@ -1206,24 +1278,22 @@
//****************************************
// Set NO_NEW_PRIVS if desired
//****************************************
- if (arg_nonewprivs) {
- prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-
- if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) {
- fwarning("cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n");
- if (force_nonewprivs) {
- fprintf(stderr, "Error: NO_NEW_PRIVS required for this sandbox, exiting ...\n");
- exit(1);
- }
+#ifndef HAVE_FORCE_NONEWPRIVS
+ if (arg_nonewprivs)
+#endif
+ {
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+ fprintf(stderr, "Error: cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n");
+ exit(1);
}
- else if (arg_debug)
+ if (arg_debug)
printf("NO_NEW_PRIVS set\n");
}
//****************************************
// drop privileges
//****************************************
- drop_privs(arg_nogroups);
+ drop_privs(0);
// kill the sandbox in case the parent died
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
@@ -1242,29 +1312,23 @@
errExit("fork");
if (app_pid == 0) {
-#ifdef HAVE_APPARMOR
- // add apparmor confinement after the execve
- set_apparmor();
-#endif
-
- // set nice and rlimits
- if (arg_nice)
- set_nice(cfg.nice);
- set_rlimits();
-
- start_application(0, -1, set_sandbox_status);
+ start_application(0, -1, set_sandbox_status); // this function does not return
}
munmap(set_sandbox_status, 1);
int status = monitor_application(app_pid); // monitor application
- flush_stdin();
if (WIFEXITED(status)) {
// if we had a proper exit, return that exit status
- return WEXITSTATUS(status);
+ status = WEXITSTATUS(status);
+ } else if (WIFSIGNALED(status)) {
+ // distinguish fatal signals by adding 128
+ status = 128 + WTERMSIG(status);
} else {
- // something else went wrong!
- return -1;
+ status = -1;
}
+
+ flush_stdin();
+ return status;
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/sbox.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -23,6 +23,7 @@
#include <unistd.h>
#include <net/if.h>
#include <stdarg.h>
+#include <sys/resource.h>
#include <sys/wait.h>
#include "../include/seccomp.h"
@@ -72,11 +73,8 @@
}
// close all other file descriptors
- if ((filtermask & SBOX_KEEP_FDS) == 0) {
- int i;
- for (i = 3; i < FIREJAIL_MAX_FD; i++)
- close(i); // close open files
- }
+ if ((filtermask & SBOX_KEEP_FDS) == 0)
+ close_all(NULL, 0);
umask(027);
@@ -206,6 +204,11 @@
if (filtermask & SBOX_USER)
drop_privs(1);
else if (filtermask & SBOX_ROOT) {
+ // https://seclists.org/oss-sec/2021/q4/43
+ struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+ if (setrlimit(RLIMIT_CORE, &tozero))
+ errExit("setrlimit");
+
// elevate privileges in order to get grsecurity working
if (setreuid(0, 0))
errExit("setreuid");
@@ -292,7 +295,8 @@
if (waitpid(child, &status, 0) == -1 ) {
errExit("waitpid");
}
- if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+ if (WIFSIGNALED(status) ||
+ (WIFEXITED(status) && WEXITSTATUS(status) != 0)) {
fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
exit(1);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/seccomp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -21,6 +21,7 @@
#include "firejail.h"
#include "../include/seccomp.h"
#include <sys/mman.h>
+#include <sys/wait.h>
typedef struct filter_list {
struct filter_list *next;
@@ -70,9 +71,17 @@
assert(fl->fname);
if (arg_debug)
printf("Installing %s seccomp filter\n", fl->fname);
+ int rv = 0;
+#ifdef SECCOMP_FILTER_FLAG_LOG
+ if (checkcfg(CFG_SECCOMP_LOG))
+ rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
+ else
+ rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
+#else
+ rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
+#endif
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
-
+ if (rv == -1) {
if (!err_printed)
fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
err_printed = 1;
@@ -407,7 +416,7 @@
// build the seccomp filter as a regular user
int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
- PATH_FSECCOMP, command, filter);
+ PATH_FSECCOMP, command, filter);
if (rv) {
fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");
@@ -420,29 +429,52 @@
return 0;
}
+// create namespaces filter
+int seccomp_filter_namespaces(bool native, const char *list) {
+ if (arg_debug)
+ printf("Build restrict-namespaces filter\n");
+
+ const char *command, *filter;
+ if (native) {
+ command = "restrict-namespaces";
+ filter = RUN_SECCOMP_NS;
+ } else {
+ command = "restrict-namespaces.32";
+ filter = RUN_SECCOMP_NS_32;
+ }
+
+ // build the seccomp filter as a regular user
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+ PATH_FSECCOMP, command, filter, list);
+
+ if (rv) {
+ fprintf(stderr, "Error: cannot build restrict-namespaces filter\n");
+ exit(rv);
+ }
+
+ if (arg_debug)
+ printf("restrict-namespaces filter configured\n");
+
+ return 0;
+}
+
void seccomp_print_filter(pid_t pid) {
EUID_ASSERT();
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid = switch_to_child(pid);
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- // exit if no permission to join the sandbox
- check_join_permission(pid);
+ // chroot in the sandbox
+ process_rootfs_chroot(sandbox);
+ unpin_process(sandbox);
- // find the seccomp list file
- EUID_ROOT();
- char *fname;
- if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1)
- errExit("asprintf");
+ drop_privs(0);
- struct stat s;
- if (stat(fname, &s) == -1)
- goto errexit;
-
- FILE *fp = fopen(fname, "re");
- if (!fp)
- goto errexit;
- free(fname);
+ // find the seccomp list file
+ FILE *fp = fopen(RUN_SECCOMP_LIST, "re");
+ if (!fp) {
+ printf("Cannot access seccomp filter.\n");
+ exit(1);
+ }
char buf[MAXBUF];
while (fgets(buf, MAXBUF, fp)) {
@@ -451,21 +483,21 @@
if (ptr)
*ptr = '\0';
- if (asprintf(&fname, "/proc/%d/root%s", pid, buf) == -1)
- errExit("asprintf");
- printf("FILE: %s\n", fname); fflush(0);
-
- // read and print the filter - run this as root, the user doesn't have access
- sbox_run(SBOX_ROOT | SBOX_SECCOMP, 2, PATH_FSEC_PRINT, fname);
- fflush(0);
+ printf("FILE: %s\n", buf); fflush(0);
+
+ // read and print the filter
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ execl(PATH_FSEC_PRINT, PATH_FSEC_PRINT, buf, NULL);
+ errExit("execl");
+ }
+ waitpid(child, NULL, 0);
printf("\n"); fflush(0);
- free(fname);
}
fclose(fp);
- exit(0);
-errexit:
- printf("Cannot access seccomp filter.\n");
- exit(1);
+ exit(0);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/selinux.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020-2021 Firejail and systemd authors
+ * Copyright (C) 2020-2022 Firejail and systemd authors
*
* This file is part of firejail project, from systemd selinux-util.c
*
@@ -21,6 +21,7 @@
#include "firejail.h"
#include <sys/types.h>
#include <sys/stat.h>
+#include <errno.h>
#include <fcntl.h>
#ifndef O_PATH
@@ -57,7 +58,17 @@
/* Open the file as O_PATH, to pin it while we determine and adjust the label
* Defeat symlink races by not allowing symbolic links */
+ int called_as_root = 0;
+ if (geteuid() == 0)
+ called_as_root = 1;
+ if (called_as_root)
+ EUID_USER();
+
fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+
+ if (called_as_root)
+ EUID_ROOT();
+
if (fd < 0)
return;
if (fstat(fd, &st) < 0)
@@ -68,8 +79,16 @@
if (arg_debug)
printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
- setfilecon_raw(procfs_path, fcon);
+ if (!called_as_root)
+ EUID_ROOT();
+
+ if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+ printf("Cannot relabel %s: %s\n", path, strerror(errno));
+
+ if (!called_as_root)
+ EUID_USER();
}
+
freecon(fcon);
close:
close(fd);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/shutdown.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -18,85 +18,43 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "firejail.h"
-#include <sys/stat.h>
-#include <sys/wait.h>
#include <fcntl.h>
-#include <sys/prctl.h>
+#include <signal.h>
void shut(pid_t pid) {
EUID_ASSERT();
- EUID_ROOT();
- char *comm = pid_proc_comm(pid);
- EUID_USER();
- if (comm) {
- if (strcmp(comm, "firejail") != 0) {
- fprintf(stderr, "Error: this is not a firejail sandbox\n");
- exit(1);
- }
- free(comm);
- }
- else {
- fprintf(stderr, "Error: cannot find process %d\n", pid);
- exit(1);
- }
+ ProcessHandle sandbox = pin_sandbox_process(pid);
- // check privileges for non-root users
- uid_t uid = getuid();
- if (uid != 0) {
- uid_t sandbox_uid = pid_get_uid(pid);
- if (uid != sandbox_uid) {
- fprintf(stderr, "Error: permission is denied to shutdown a sandbox created by a different user.\n");
- exit(1);
- }
- }
-
- printf("Sending SIGTERM to %u\n", pid);
- kill(pid, SIGTERM);
+ process_send_signal(sandbox, SIGTERM);
// wait for not more than 11 seconds
int monsec = 11;
- char *monfile;
- if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
- errExit("asprintf");
int killdone = 0;
while (monsec) {
sleep(1);
monsec--;
- EUID_ROOT();
- FILE *fp = fopen(monfile, "re");
- EUID_USER();
- if (!fp) {
+ int monfd = process_open_nofail(sandbox, "cmdline");
+ if (monfd < 0) {
killdone = 1;
break;
}
char c;
- size_t count = fread(&c, 1, 1, fp);
- fclose(fp);
+ ssize_t count = read(monfd, &c, 1);
+ close(monfd);
if (count == 0) {
// all done
killdone = 1;
break;
}
}
- free(monfile);
-
// force SIGKILL
- if (!killdone) {
- // kill the process and its child
- pid_t child;
- if (find_child(pid, &child) == 0) {
- printf("Sending SIGKILL to %u\n", child);
- kill(child, SIGKILL);
- }
- printf("Sending SIGKILL to %u\n", pid);
- kill(pid, SIGKILL);
- }
+ if (!killdone)
+ process_send_signal(sandbox, SIGKILL);
- EUID_ROOT();
- delete_run_files(pid);
+ unpin_process(sandbox);
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/usage.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -30,7 +30,9 @@
" -- - signal the end of options and disables further option processing.\n"
" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
" --allusers - all user home directories are visible inside the sandbox.\n"
- " --apparmor - enable AppArmor confinement.\n"
+ " --apparmor - enable AppArmor confinement with the default profile.\n"
+ " --apparmor=profile_name - enable AppArmor confinement with a\n"
+ "\tcustom profile.\n"
" --apparmor.print=name|pid - print apparmor status.\n"
" --appimage - sandbox an AppImage application.\n"
#ifdef HAVE_NETWORK
@@ -49,7 +51,6 @@
#ifdef HAVE_FILE_TRANSFER
" --cat=name|pid filename - print content of file from sandbox container.\n"
#endif
- " --cgroup=tasks-file - place the sandbox in the specified control group.\n"
#ifdef HAVE_CHROOT
" --chroot=dirname - chroot into directory.\n"
#endif
@@ -58,16 +59,18 @@
#ifdef HAVE_DBUSPROXY
" --dbus-log=file - set DBus log file location.\n"
" --dbus-system=filter|none - set system DBus access policy.\n"
- " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
+ " --dbus-system.broadcast=rule - allow signals on the system DBus according\n"
+ "\tto rule.\n"
" --dbus-system.call=rule - allow calls on the system DBus according to rule.\n"
- " --dbus-system.log - turn on logging for the system DBus."
+ " --dbus-system.log - turn on logging for the system DBus.\n"
" --dbus-system.own=name - allow ownership of name on the system DBus.\n"
" --dbus-system.see=name - allow seeing name on the system DBus.\n"
" --dbus-system.talk=name - allow talking to name on the system DBus.\n"
" --dbus-user=filter|none - set session DBus access policy.\n"
- " --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n"
+ " --dbus-user.broadcast=rule - allow signals on the session DBus according\n"
+ "\tto rule.\n"
" --dbus-user.call=rule - allow calls on the session DBus according to rule.\n"
- " --dbus-user.log - turn on logging for the user DBus."
+ " --dbus-user.log - turn on logging for the user DBus.\n"
" --dbus-user.own=name - allow ownership of name on the session DBus.\n"
" --dbus-user.see=name - allow seeing name on the session DBus.\n"
" --dbus-user.talk=name - allow talking to name on the session DBus.\n"
@@ -80,15 +83,17 @@
" --debug-protocols - print all recognized protocols.\n"
" --debug-syscalls - print all recognized system calls.\n"
" --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-#ifdef HAVE_WHITELIST
" --debug-whitelists - debug whitelisting.\n"
-#endif
#ifdef HAVE_NETWORK
" --defaultgw=address - configure default gateway.\n"
#endif
" --deterministic-exit-code - always exit with first child's status code.\n"
+ " --deterministic-shutdown - terminate orphan processes.\n"
" --dns=address - set DNS server.\n"
" --dns.print=name|pid - print DNS configuration.\n"
+#ifdef HAVE_NETWORK
+ " --dnstrace - monitor DNS queries.\n"
+#endif
" --env=name=value - set environment variable.\n"
" --fs.print=name|pid - print the filesystem log.\n"
#ifdef HAVE_FILE_TRANSFER
@@ -97,6 +102,11 @@
" --help, -? - this help screen.\n"
" --hostname=name - set sandbox hostname.\n"
" --hosts-file=file - use file as /etc/hosts.\n"
+#ifdef HAVE_NETWORK
+ " --icmptrace - monitor Server Name Indiication (TLS/SNI).\n"
+#endif
+ " --ids-check - verify file system.\n"
+ " --ids-init - initialize IDS database.\n"
" --ignore=command - ignore command in profile files.\n"
#ifdef HAVE_NETWORK
" --interface=name - move interface in sandbox.\n"
@@ -116,6 +126,7 @@
" --join-or-start=name|pid - join the sandbox or start a new one.\n"
" --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
" --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+ " --keep-fd - inherit open file descriptors to sandbox.\n"
" --keep-var-tmp - /var/tmp directory is untouched.\n"
" --list - list all sandboxes.\n"
#ifdef HAVE_FILE_TRANSFER
@@ -124,7 +135,7 @@
#ifdef HAVE_NETWORK
" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
#endif
- " --machine-id - preserve /etc/machine-id\n"
+ " --machine-id - spoof /etc/machine-id with a random id\n"
" --memory-deny-write-execute - seccomp filter to block attempts to create\n"
"\tmemory mappings that are both writable and executable.\n"
" --mkdir=dirname - create a directory.\n"
@@ -143,10 +154,12 @@
" --netfilter.print=name|pid - print the firewall.\n"
" --netfilter6=filename - enable IPv6 firewall.\n"
" --netfilter6.print=name|pid - print the IPv6 firewall.\n"
- " --netmask=address - define a network mask when dealing with unconfigured"
- "\tparrent interfaces.\n"
+ " --netlock - enable the network locking feature\n"
+ " --netmask=address - define a network mask when dealing with unconfigured\n"
+ "\tparent interfaces.\n"
" --netns=name - Run the program in a named, persistent network namespace.\n"
" --netstats - monitor network statistics.\n"
+ " --nettrace - monitor received TCP, UDP and ICMP traffic.\n"
#endif
" --nice=value - set nice value.\n"
" --no3d - disable 3D hardware acceleration.\n"
@@ -157,6 +170,7 @@
" --nogroups - disable supplementary groups.\n"
" --noinput - disable input devices.\n"
" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+ " --noprinters - disable printers.\n"
" --noprofile - do not use a security profile.\n"
#ifdef HAVE_USERNS
" --noroot - install a user namespace with only the current user.\n"
@@ -166,6 +180,7 @@
" --novideo - disable video devices.\n"
" --nou2f - disable U2F devices.\n"
" --nowhitelist=filename - disable whitelist for file or directory.\n"
+ " --oom=value - configure OutOfMemory killer for the sandbox\n"
#ifdef HAVE_OUTPUT
" --output=logfile - stdout logging and log rotation.\n"
" --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -197,7 +212,6 @@
" --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
" --profile=filename|profile_name - use a custom profile.\n"
" --profile.print=name|pid - print the name of profile file.\n"
- " --profile-path=directory - use this directory to look for profile files.\n"
" --protocol=protocol,protocol,protocol - enable protocol filter.\n"
" --protocol.print=name|pid - print the protocol filter.\n"
#ifdef HAVE_FILE_TRANSFER
@@ -207,6 +221,9 @@
" --quiet - turn off Firejail's output.\n"
" --read-only=filename - set directory or file read-only.\n"
" --read-write=filename - set directory or file read-write.\n"
+ " --restrict-namespaces - seccomp filter that blocks attempts to create new namespaces.\n"
+ " --restrict-namespaces=namespace,namespace - seccomp filter that blocks attempts\n"
+ "\tto create specified namespaces.\n"
" --rlimit-as=number - set the maximum size of the process's virtual memory.\n"
"\t(address space) in bytes.\n"
" --rlimit-cpu=number - set the maximum CPU time in seconds.\n"
@@ -235,9 +252,9 @@
" --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
" --seccomp-error-action=errno|kill|log - change error code, kill process\n"
"\tor log the attempt.\n"
- " --shell=none - run the program directly without a user shell.\n"
- " --shell=program - set default user shell.\n"
" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+ " --tab - enable shell tab completion in sandboxes using private or\n"
+ "\twhitelisted home directories.\n"
" --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
"\thas elapsed.\n"
" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
@@ -252,9 +269,7 @@
#ifdef HAVE_NETWORK
" --veth-name=name - use this name for the interface connected to the bridge.\n"
#endif
-#ifdef HAVE_WHITELIST
" --whitelist=filename - whitelist directory or file.\n"
-#endif
" --writable-etc - /etc directory is mounted read-write.\n"
" --writable-run-user - allow access to /run/user/$UID/systemd and\n"
"\t/run/user/$UID/gnupg.\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/util.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -20,8 +20,6 @@
#define _XOPEN_SOURCE 500
#include "firejail.h"
#include "../include/gcov_wrapper.h"
-#include <ftw.h>
-#include <sys/stat.h>
#include <sys/mount.h>
#include <syslog.h>
#include <errno.h>
@@ -32,9 +30,6 @@
#include <sys/wait.h>
#include <limits.h>
-#include <string.h>
-#include <ctype.h>
-
#include <fcntl.h>
#ifndef O_PATH
#define O_PATH 010000000
@@ -46,7 +41,7 @@
#endif
#define MAX_GROUPS 1024
-#define MAXBUF 4098
+#define MAXBUF 4096
#define EMPTY_STRING ("")
@@ -108,43 +103,140 @@
exit(1);
}
+// Returns whether all supplementary groups can be safely dropped
+int check_can_drop_all_groups() {
+ static int can_drop_all_groups = -1;
+
+ // Avoid needlessly checking (and printing) things twice
+ if (can_drop_all_groups != -1)
+ goto out;
+
+ // nvidia cards require video group; ignore nogroups
+ if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+ fwarning("NVIDIA card detected, nogroups command ignored\n");
+ can_drop_all_groups = 0;
+ goto out;
+ }
+
+ /* When we are not sure that the system has working seat-based ACLs
+ * (e.g.: probably yes on (e)udev + (e)logind, probably not on eudev +
+ * seatd), supplementary groups (e.g.: audio and input) might be needed
+ * to avoid breakage (e.g.: audio or gamepads not working). See #4600
+ * and #4603.
+ */
+ if (access("/run/systemd/seats/", F_OK) != 0) {
+ // TODO: wrc causes this to be printed even with (e)logind (see #4930)
+ //fwarning("logind not detected, nogroups command ignored\n");
+ can_drop_all_groups = 0;
+ goto out;
+ }
+
+ if (arg_debug)
+ fprintf(stderr, "nogroups command not ignored\n");
+ can_drop_all_groups = 1;
+
+out:
+ return can_drop_all_groups;
+}
+
+static int find_group(gid_t group, const gid_t *groups, int ngroups) {
+ int i;
+ for (i = 0; i < ngroups; i++) {
+ if (group == groups[i])
+ return i;
+ }
+
+ return -1;
+}
+
+// Gets group from "groupname" and adds it to "new_groups" if it exists on
+// "groups". Always returns the current value of new_ngroups.
+static int copy_group_ifcont(const char *groupname,
+ const gid_t *groups, int ngroups,
+ gid_t *new_groups, int *new_ngroups, int new_sz) {
+ if (*new_ngroups >= new_sz) {
+ errno = ERANGE;
+ goto out;
+ }
+
+ gid_t g = get_group_id(groupname);
+ if (g && find_group(g, groups, ngroups) >= 0) {
+ new_groups[*new_ngroups] = g;
+ (*new_ngroups)++;
+ }
+
+out:
+ return *new_ngroups;
+}
+
static void clean_supplementary_groups(gid_t gid) {
assert(cfg.username);
gid_t groups[MAX_GROUPS];
int ngroups = MAX_GROUPS;
+
+ if (arg_nogroups && check_can_drop_all_groups()) {
+ if (setgroups(0, NULL) < 0)
+ errExit("setgroups");
+ if (arg_debug)
+ printf("No supplementary groups\n");
+ return;
+ }
+
int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
if (rv == -1)
goto clean_all;
// clean supplementary group list
- // allow only firejail, tty, audio, video, games
gid_t new_groups[MAX_GROUPS];
int new_ngroups = 0;
char *allowed[] = {
"firejail",
"tty",
- "audio",
- "video",
"games",
NULL
};
int i = 0;
while (allowed[i]) {
- gid_t g = get_group_id(allowed[i]);
- if (g) {
- int j;
- for (j = 0; j < ngroups; j++) {
- if (g == groups[j]) {
- new_groups[new_ngroups] = g;
- new_ngroups++;
- break;
- }
- }
- }
+ copy_group_ifcont(allowed[i], groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
i++;
}
+ if (!arg_nosound) {
+ copy_group_ifcont("audio", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_novideo) {
+ copy_group_ifcont("video", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_no3d) {
+ copy_group_ifcont("render", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ copy_group_ifcont("vglusers", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_noprinters) {
+ copy_group_ifcont("lp", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_nodvd) {
+ copy_group_ifcont("cdrom", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ copy_group_ifcont("optical", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_noinput) {
+ copy_group_ifcont("input", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
if (new_ngroups) {
rv = setgroups(new_ngroups, new_groups);
if (rv)
@@ -170,21 +262,22 @@
// drop privileges
-// - for root group or if nogroups is set, supplementary groups are not configured
-void drop_privs(int nogroups) {
+// - for root group or if force_nogroups is set, supplementary groups are not configured
+void drop_privs(int force_nogroups) {
gid_t gid = getgid();
if (arg_debug)
- printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n", getpid(), getuid(), gid, nogroups);
+ printf("Drop privileges: pid %d, uid %d, gid %d, force_nogroups %d\n",
+ getpid(), getuid(), gid, force_nogroups);
// configure supplementary groups
EUID_ROOT();
- if (gid == 0 || nogroups) {
+ if (gid == 0 || force_nogroups) {
if (setgroups(0, NULL) < 0)
errExit("setgroups");
if (arg_debug)
printf("No supplementary groups\n");
}
- else if (arg_noroot)
+ else if (arg_noroot || arg_nogroups)
clean_supplementary_groups(gid);
// set uid/gid
@@ -313,7 +406,7 @@
}
-static int copy_file_by_fd(int src, int dst) {
+int copy_file_by_fd(int src, int dst) {
assert(src >= 0);
assert(dst >= 0);
@@ -459,31 +552,21 @@
if (*fname == '\0')
return 0;
- int called_as_root = 0;
- if (geteuid() == 0)
- called_as_root = 1;
-
- if (called_as_root)
- EUID_USER();
-
// if fname doesn't end in '/', add one
int rv;
struct stat s;
if (fname[strlen(fname) - 1] == '/')
- rv = stat(fname, &s);
+ rv = stat_as_user(fname, &s);
else {
char *tmp;
if (asprintf(&tmp, "%s/", fname) == -1) {
fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
errExit("asprintf");
}
- rv = stat(tmp, &s);
+ rv = stat_as_user(tmp, &s);
free(tmp);
}
- if (called_as_root)
- EUID_ROOT();
-
if (rv == -1)
return 0;
@@ -499,13 +582,6 @@
if (*fname == '\0')
return 0;
- int called_as_root = 0;
- if (geteuid() == 0)
- called_as_root = 1;
-
- if (called_as_root)
- EUID_USER();
-
// remove trailing '/' if any
char *tmp = strdup(fname);
if (!tmp)
@@ -513,12 +589,9 @@
trim_trailing_slash_or_dot(tmp);
char c;
- ssize_t rv = readlink(tmp, &c, 1);
+ ssize_t rv = readlink_as_user(tmp, &c, 1);
free(tmp);
- if (called_as_root)
- EUID_ROOT();
-
return (rv != -1);
}
@@ -540,6 +613,24 @@
return rv;
}
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz) {
+ assert(fname && buf && sz);
+
+ int called_as_root = 0;
+ if (geteuid() == 0)
+ called_as_root = 1;
+
+ if (called_as_root)
+ EUID_USER();
+
+ ssize_t rv = readlink(fname, buf, sz);
+
+ if (called_as_root)
+ EUID_ROOT();
+
+ return rv;
+}
+
int stat_as_user(const char *fname, struct stat *s) {
assert(fname);
@@ -711,77 +802,6 @@
}
-#define BUFLEN 4096
-// find the first child for this parent; return 1 if error
-int find_child(pid_t parent, pid_t *child) {
- EUID_ASSERT();
- *child = 0; // use it to flag a found child
-
- DIR *dir;
- EUID_ROOT(); // grsecurity fix
- if (!(dir = opendir("/proc"))) {
- // sleep 2 seconds and try again
- sleep(2);
- if (!(dir = opendir("/proc"))) {
- fprintf(stderr, "Error: cannot open /proc directory\n");
- exit(1);
- }
- }
-
- struct dirent *entry;
- char *end;
- while (*child == 0 && (entry = readdir(dir))) {
- pid_t pid = strtol(entry->d_name, &end, 10);
- if (end == entry->d_name || *end)
- continue;
- if (pid == parent)
- continue;
-
- // open stat file
- char *file;
- if (asprintf(&file, "/proc/%u/status", pid) == -1) {
- perror("asprintf");
- exit(1);
- }
- FILE *fp = fopen(file, "re");
- if (!fp) {
- free(file);
- continue;
- }
-
- // look for firejail executable name
- char buf[BUFLEN];
- while (fgets(buf, BUFLEN - 1, fp)) {
- if (strncmp(buf, "PPid:", 5) == 0) {
- char *ptr = buf + 5;
- while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
- ptr++;
- }
- if (*ptr == '\0') {
- fprintf(stderr, "Error: cannot read /proc file\n");
- exit(1);
- }
- if (parent == atoi(ptr)) {
- // we don't want /usr/bin/xdg-dbus-proxy!
- char *cmdline = pid_proc_cmdline(pid);
- if (cmdline) {
- if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
- *child = pid;
- free(cmdline);
- }
- }
- break; // stop reading the file
- }
- }
- fclose(fp);
- free(file);
- }
- closedir(dir);
- EUID_USER();
- return (*child)? 0:1; // 0 = found, 1 = not found
-}
-
-
void extract_command_name(int index, char **argv) {
EUID_ASSERT();
assert(argv);
@@ -870,14 +890,14 @@
//****************************
// wait for the parent to be initialized
//****************************
- char childstr[BUFLEN + 1];
+ char childstr[MAXBUF + 1];
int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0);
if (newfd == -1)
errExit("fcntl");
FILE* stream;
stream = fdopen(newfd, "r");
*childstr = '\0';
- if (fgets(childstr, BUFLEN, stream)) {
+ if (fgets(childstr, MAXBUF, stream)) {
// remove \n)
char *ptr = childstr;
while(*ptr !='\0' && *ptr != '\n')
@@ -929,57 +949,10 @@
fclose(stream);
}
-uid_t pid_get_uid(pid_t pid) {
- EUID_ASSERT();
- uid_t rv = 0;
-
- // open status file
- char *file;
- if (asprintf(&file, "/proc/%u/status", pid) == -1) {
- perror("asprintf");
- exit(1);
- }
- EUID_ROOT(); // grsecurity fix
- FILE *fp = fopen(file, "re");
- if (!fp) {
- free(file);
- fprintf(stderr, "Error: cannot open /proc file\n");
- exit(1);
- }
-
- // extract uid
- static const int PIDS_BUFLEN = 1024;
- char buf[PIDS_BUFLEN];
- while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
- if (strncmp(buf, "Uid:", 4) == 0) {
- char *ptr = buf + 4;
- while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
- ptr++;
- }
- if (*ptr == '\0') {
- fprintf(stderr, "Error: cannot read /proc file\n");
- exit(1);
- }
-
- rv = atoi(ptr);
- break; // break regardless!
- }
- }
-
- fclose(fp);
- free(file);
- EUID_USER(); // grsecurity fix
-
- return rv;
-}
-
-
-
-uid_t get_group_id(const char *group) {
- // find tty group id
+gid_t get_group_id(const char *groupname) {
gid_t gid = 0;
- struct group *g = getgrnam(group);
+ struct group *g = getgrnam(groupname);
if (g)
gid = g->gr_gid;
@@ -987,86 +960,6 @@
}
-static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
- (void) sb;
- (void) typeflag;
- (void) ftwbuf;
- assert(fpath);
-
- if (strcmp(fpath, ".") == 0)
- return 0;
-
- if (remove(fpath)) { // removes the link not the actual file
- perror("remove");
- fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath);
- exit(1);
- }
-
- return 0;
-}
-
-
-int remove_overlay_directory(void) {
- EUID_ASSERT();
- sleep(1);
-
- char *path;
- if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
- errExit("asprintf");
-
- if (access(path, F_OK) == 0) {
- pid_t child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- // open ~/.firejail
- int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
- if (fd == -1) {
- fprintf(stderr, "Error: cannot open %s\n", path);
- exit(1);
- }
- struct stat s;
- if (fstat(fd, &s) == -1)
- errExit("fstat");
- if (!S_ISDIR(s.st_mode)) {
- if (S_ISLNK(s.st_mode))
- fprintf(stderr, "Error: %s is a symbolic link\n", path);
- else
- fprintf(stderr, "Error: %s is not a directory\n", path);
- exit(1);
- }
- if (s.st_uid != getuid()) {
- fprintf(stderr, "Error: %s is not owned by the current user\n", path);
- exit(1);
- }
- // chdir to ~/.firejail
- if (fchdir(fd) == -1)
- errExit("fchdir");
- close(fd);
-
- EUID_ROOT();
- // FTW_PHYS - do not follow symbolic links
- if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
- errExit("nftw");
-
- EUID_USER();
- // remove ~/.firejail
- if (rmdir(path) == -1)
- errExit("rmdir");
-
- __gcov_flush();
-
- _exit(0);
- }
- // wait for the child to finish
- waitpid(child, NULL, 0);
- // check if ~/.firejail was deleted
- if (access(path, F_OK) == 0)
- return 1;
- }
- return 0;
-}
-
// flush stdin if it is connected to a tty and has input
void flush_stdin(void) {
if (!isatty(STDIN_FILENO))
@@ -1095,31 +988,33 @@
assert(dir);
mode &= 07777;
- if (access(dir, F_OK) != 0) {
+ if (access(dir, F_OK) == 0)
+ return 0;
+
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
if (arg_debug)
printf("Creating empty %s directory\n", dir);
- pid_t child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- // drop privileges
- drop_privs(0);
-
- if (mkdir(dir, mode) == 0) {
- int err = chmod(dir, mode);
- (void) err;
- }
- else if (arg_debug)
- printf("Directory %s not created: %s\n", dir, strerror(errno));
+ if (mkdir(dir, mode) == 0) {
+ int err = chmod(dir, mode);
+ (void) err;
+ }
+ else if (arg_debug)
+ printf("Directory %s not created: %s\n", dir, strerror(errno));
- __gcov_flush();
+ __gcov_flush();
- _exit(0);
- }
- waitpid(child, NULL, 0);
- if (access(dir, F_OK) == 0)
- return 1;
+ _exit(0);
}
+ waitpid(child, NULL, 0);
+
+ if (access(dir, F_OK) == 0)
+ return 1;
return 0;
}
@@ -1134,12 +1029,14 @@
/* coverity[toctou] */
// don't fail if directory already exists. This can be the case in a race
// condition, when two jails launch at the same time. See #1013
- if (mkdir(dir, mode) == -1 && errno != EEXIST)
+ mode_t tmp = umask(~mode); // let's avoid an extra chmod race
+ int rv = mkdir(dir, mode);
+ umask(tmp);
+ if (rv < 0 && errno != EEXIST)
errExit("mkdir");
- if (set_perms(dir, 0, 0, mode))
- errExit("set_perms");
- ASSERT_PERMS(dir, 0, 0, mode);
}
+
+ ASSERT_PERMS(dir, 0, 0, mode);
}
void create_empty_file_as_root(const char *fname, mode_t mode) {
@@ -1153,12 +1050,15 @@
/* coverity[toctou] */
// don't fail if file already exists. This can be the case in a race
// condition, when two jails launch at the same time. Compare to #1013
- FILE *fp = fopen(fname, "we");
- if (!fp)
- errExit("fopen");
- SET_PERMS_STREAM(fp, 0, 0, mode);
- fclose(fp);
+ mode_t tmp = umask(~mode); // let's avoid an extra chmod race
+ int fd = open(fname, O_RDONLY|O_CREAT|O_CLOEXEC, mode);
+ umask(tmp);
+ if (fd < 0)
+ errExit("open");
+ close(fd);
}
+
+ ASSERT_PERMS(fname, 0, 0, mode);
}
// return 1 if error
@@ -1397,6 +1297,52 @@
return rv;
}
+void close_all(int *keep_list, size_t sz) {
+ DIR *dir;
+ if (!(dir = opendir("/proc/self/fd"))) {
+ // sleep 2 seconds and try again
+ sleep(2);
+ if (!(dir = opendir("/proc/self/fd"))) {
+ fprintf(stderr, "Error: cannot open /proc/self/fd directory\n");
+ exit(1);
+ }
+ }
+ struct dirent *entry;
+ while ((entry = readdir(dir)) != NULL) {
+ if (strcmp(entry->d_name, ".") == 0 ||
+ strcmp(entry->d_name, "..") == 0)
+ continue;
+
+ int fd = atoi(entry->d_name);
+
+ // don't close standard streams
+ if (fd == STDIN_FILENO ||
+ fd == STDOUT_FILENO ||
+ fd == STDERR_FILENO)
+ continue;
+
+ if (fd == dirfd(dir))
+ continue; // just postponed
+
+ // dont't close file descriptors in keep list
+ int keep = 0;
+ if (keep_list) {
+ size_t i;
+ for (i = 0; i < sz; i++) {
+ if (keep_list[i] == fd) {
+ keep = 1;
+ break;
+ }
+ }
+ }
+ if (keep)
+ continue;
+
+ close(fd);
+ }
+ closedir(dir);
+}
+
int has_handler(pid_t pid, int signal) {
if (signal > 0 && signal <= SIGRTMAX) {
char *fname;
@@ -1407,8 +1353,8 @@
EUID_USER();
free(fname);
if (fp) {
- char buf[BUFLEN];
- while (fgets(buf, BUFLEN, fp)) {
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
if (strncmp(buf, "SigCgt:", 7) == 0) {
unsigned long long val;
if (sscanf(buf + 7, "%llx", &val) != 1) {
@@ -1428,11 +1374,7 @@
}
void enter_network_namespace(pid_t pid) {
- // in case the pid is that of a firejail process, use the pid of the first child process
- pid_t child = switch_to_child(pid);
-
- // exit if no permission to join the sandbox
- check_join_permission(child);
+ ProcessHandle sandbox = pin_sandbox_process(pid);
// check network namespace
char *name;
@@ -1446,10 +1388,11 @@
// join the namespace
EUID_ROOT();
- if (join_namespace(child, "net")) {
+ if (process_join_namespace(sandbox, "net")) {
fprintf(stderr, "Error: cannot join the network namespace\n");
exit(1);
}
+ unpin_process(sandbox);
}
// return 1 if error, 0 if a valid pid was found
@@ -1509,12 +1452,11 @@
void check_homedir(const char *dir) {
assert(dir);
if (dir[0] != '/') {
- fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
+ fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
exit(1);
}
// symlinks are rejected in many places
- if (has_link(dir)) {
- fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
+ if (has_link(dir))
+ fmessage("No full support for symbolic links in path of user directory.\n"
"Please provide resolved path in password database (/etc/passwd).\n\n");
- }
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/x11.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = firemon
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/pid.h
+MOD_OBJS = ../lib/common.o ../lib/pid.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/apparmor.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/arp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/caps.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/cpu.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/firemon.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -34,7 +34,6 @@
static int arg_seccomp = 0;
static int arg_caps = 0;
static int arg_cpu = 0;
-static int arg_cgroup = 0;
static int arg_x11 = 0;
static int arg_top = 0;
static int arg_list = 0;
@@ -173,8 +172,6 @@
// cumulative options with or without a pid argument
else if (strcmp(argv[i], "--x11") == 0)
arg_x11 = 1;
- else if (strcmp(argv[i], "--cgroup") == 0)
- arg_cgroup = 1;
else if (strcmp(argv[i], "--cpu") == 0)
arg_cpu = 1;
else if (strcmp(argv[i], "--seccomp") == 0)
@@ -264,12 +261,11 @@
// if --name requested without other options, print all data
if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
- !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+ !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
arg_tree = 1;
arg_cpu = 1;
arg_seccomp = 1;
arg_caps = 1;
- arg_cgroup = 1;
arg_x11 = 1;
arg_interface = 1;
arg_route = 1;
@@ -295,10 +291,6 @@
apparmor((pid_t) pid, print_procs);
print_procs = 0;
}
- if (arg_cgroup) {
- cgroup((pid_t) pid, print_procs);
- print_procs = 0;
- }
if (arg_x11) {
x11((pid_t) pid, print_procs);
print_procs = 0;
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/firemon.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -75,9 +75,6 @@
// cpu.c
void cpu(pid_t pid, int print_procs);
-// cgroup.c
-void cgroup(pid_t pid, int print_procs);
-
// tree.c
void tree(pid_t pid);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/interface.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/list.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/netstats.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -47,7 +47,7 @@
static char *get_header(void) {
char *rv;
- if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
+ if (asprintf(&rv, "%-7.7s %-9.9s %-10.10s %-10.10s %s",
"PID", "User", "RX(KB/s)", "TX(KB/s)", "Command") == -1)
errExit("asprintf");
@@ -106,10 +106,8 @@
}
// store data
- pids[parent].rx_delta = rx - pids[parent].rx;
- pids[parent].rx = rx;
- pids[parent].tx_delta = tx - pids[parent].tx;
- pids[parent].tx = tx;
+ pids[parent].option.netstats.rx = rx - pids[parent].option.netstats.rx;
+ pids[parent].option.netstats.tx = tx - pids[parent].option.netstats.tx;
free(fname);
@@ -117,10 +115,8 @@
return;
errexit:
- pids[parent].rx = 0;
- pids[parent].tx = 0;
- pids[parent].rx_delta = 0;
- pids[parent].tx_delta = 0;
+ pids[parent].option.netstats.rx = 0;
+ pids[parent].option.netstats.tx = 0;
}
@@ -174,16 +170,16 @@
ptruser = "";
- float rx_kbps = ((float) pids[index].rx_delta / 1000) / itv;
+ float rx_kbps = ((float) pids[index].option.netstats.rx / 1000) / itv;
char ptrrx[15];
sprintf(ptrrx, "%.03f", rx_kbps);
- float tx_kbps = ((float) pids[index].tx_delta / 1000) / itv;
+ float tx_kbps = ((float) pids[index].option.netstats.tx / 1000) / itv;
char ptrtx[15];
sprintf(ptrtx, "%.03f", tx_kbps);
char buf[1024 + 1];
- snprintf(buf, 1024, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
+ snprintf(buf, 1024, "%-7.7s %-9.9s %-10.10s %-10.10s %s",
pidstr, ptruser, ptrrx, ptrtx, ptrcmd);
if (col < 1024)
buf[col] = '\0';
@@ -205,7 +201,7 @@
while (1) {
// set pid table
int i;
- int itv = 1; // 1 second interval
+ int itv = 3; // 3 second interval
pid_read(0);
// start rx/tx measurements
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/procevent.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -417,18 +417,18 @@
sprintf(lineptr, " %u", pid);
lineptr += strlen(lineptr);
- char *user = pids[pid].user;
+ char *user = pids[pid].option.event.user;
if (!user)
user = pid_get_user_name(pids[pid].uid);
if (user) {
- pids[pid].user = user;
+ pids[pid].option.event.user = user;
sprintf(lineptr, " (%s)", user);
lineptr += strlen(lineptr);
}
int sandbox_closed = 0; // exit sandbox flag
- char *cmd = pids[pid].cmd;
+ char *cmd = pids[pid].option.event.cmd;
if (!cmd) {
cmd = pid_proc_cmdline(pid);
}
@@ -465,10 +465,10 @@
// unflag pid for exit events
if (remove_pid) {
- if (pids[pid].user)
- free(pids[pid].user);
- if (pids[pid].cmd)
- free(pids[pid].cmd);
+ if (pids[pid].option.event.user)
+ free(pids[pid].option.event.user);
+ if (pids[pid].option.event.cmd)
+ free(pids[pid].option.event.cmd);
memset(&pids[pid], 0, sizeof(Process));
}
@@ -485,9 +485,9 @@
// on uid events the uid is changing
if (proc_ev->what == PROC_EVENT_UID) {
- if (pids[pid].user)
- free(pids[pid].user);
- pids[pid].user = 0;
+ if (pids[pid].option.event.user)
+ free(pids[pid].option.event.user);
+ pids[pid].option.event.user = 0;
pids[pid].uid = pid_get_uid(pid);
}
@@ -505,6 +505,17 @@
exit(1);
}
+ // set max_pids to the max value allowed by the kernel
+ FILE *fp = fopen("/proc/sys/kernel/pid_max", "r");
+ if (fp) {
+ int val;
+ if (fscanf(fp, "%d", &val) == 1) {
+ if (val >= max_pids)
+ max_pids = val + 1;
+ }
+ fclose(fp);
+ }
+
// monitor using netlink
int sock = procevent_netlink_setup();
if (sock < 0) {
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/route.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/seccomp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/top.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -47,7 +47,7 @@
static char *get_header(void) {
char *rv;
- if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s",
+ if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s",
"PID", "User", "RES(KiB)", "SHR(KiB)", "CPU%", "Prcs", "Uptime", "Command") == -1)
errExit("asprintf");
@@ -154,8 +154,8 @@
// cpu
itv *= clocktick;
- float ud = (float) (*utime - pids[index].utime) / itv * 100;
- float sd = (float) (*stime - pids[index].stime) / itv * 100;
+ float ud = (float) (*utime - pids[index].option.top.utime) / itv * 100;
+ float sd = (float) (*stime - pids[index].option.top.stime) / itv * 100;
float cd = ud + sd;
*cpu = cd;
char cpu_str[10];
@@ -165,7 +165,7 @@
char prcs_str[10];
snprintf(prcs_str, 10, "%d", *cnt);
- if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s",
+ if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s",
pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1)
errExit("asprintf");
@@ -179,6 +179,34 @@
return rv;
}
+// recursivity!!!
+void pid_store_cpu(unsigned index, unsigned parent, unsigned *utime, unsigned *stime) {
+ if (pids[index].level == 1) {
+ *utime = 0;
+ *stime = 0;
+ }
+
+ // Remove unused parameter warning
+ (void)parent;
+
+ unsigned utmp = 0;
+ unsigned stmp = 0;
+ pid_get_cpu_time(index, &utmp, &stmp);
+ *utime += utmp;
+ *stime += stmp;
+
+ unsigned i;
+ for (i = index + 1; i < (unsigned)max_pids; i++) {
+ if (pids[i].parent == (pid_t)index)
+ pid_store_cpu(i, index, utime, stime);
+ }
+
+ if (pids[index].level == 1) {
+ pids[index].option.top.utime = *utime;
+ pids[index].option.top.stime = *stime;
+ }
+}
+
typedef struct node_t {
struct node_t *next;
@@ -267,7 +295,7 @@
// set pid table
int i;
- int itv = 1; // 1 second interval
+ int itv = 3; // 3 second interval
pid_read(0);
// start cpu measurements
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/tree.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/usage.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -29,7 +29,6 @@
"\t--apparmor - print AppArmor confinement status for each sandbox.\n\n"
"\t--arp - print ARP table for each sandbox.\n\n"
"\t--caps - print capabilities configuration for each sandbox.\n\n"
- "\t--cgroup - print control group information for each sandbox.\n\n"
"\t--cpu - print CPU affinity for each sandbox.\n\n"
"\t--debug - print debug messages.\n\n"
"\t--help, -? - this help screen.\n\n"
@@ -38,12 +37,12 @@
"\t--name=name - print information only about named sandbox.\n\n"
"\t--netstats - monitor network statistics for sandboxes creating a new\n"
"\t\tnetwork namespace.\n\n"
- "\t--nowrap - enable line wrapping in terminals.\n\n"
"\t--route - print route table for each sandbox.\n\n"
"\t--seccomp - print seccomp configuration for each sandbox.\n\n"
"\t--tree - print a tree of all sandboxed processes.\n\n"
"\t--top - monitor the most CPU-intensive sandboxes.\n\n"
"\t--version - print program version and exit.\n\n"
+ "\t--wrap - enable line wrapping in terminals.\n\n"
"\t--x11 - print X11 display number.\n\n"
"Without any options, firemon monitors all fork, exec, id change, and exit\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/x11.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fldd/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fldd
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/syscall.h ../include/ldd_utils.h
+MOD_OBJS = ../lib/common.o ../lib/ldd_utils.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fldd/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -261,12 +261,21 @@
// check directory
// entry->d_type field is supported in glibc since version 2.19 (Feb 2014)
- // we'll use stat to check for directories
+ // we'll use stat to check for directories using the real path
+ // (sometimes the path is a double symlink to a real file and stat would fail)
+ char *rpath = realpath(path, NULL);
+ if (!rpath) {
+ free(path);
+ continue;
+ }
+ free(path);
+
struct stat s;
- if (stat(path, &s) == -1)
+ if (stat(rpath, &s) == -1)
errExit("stat");
if (S_ISDIR(s.st_mode))
- walk_directory(path);
+ walk_directory(rpath);
+ free(rpath);
}
closedir(dir);
}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fnet
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/libnetlink.h
+MOD_OBJS = ../lib/common.o ../lib/libnetlink.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/arp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/fnet.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/interface.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/veth.c
^
|
@@ -26,7 +26,7 @@
*
*/
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnetfilter/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fnetfilter
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnetfilter/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -187,10 +187,9 @@
char *command = (argc == 3)? argv[1]: NULL;
//printf("command %s\n", command);
//printf("destfile %s\n", destfile);
+
// destfile is a real filename
- int len = strlen(destfile);
- if (strcspn(destfile, "\\&!?\"'<>%^(){};,*[]") != (size_t)len)
- err_exit_cannot_open_file(destfile);
+ reject_meta_chars(destfile, 0);
// handle default config (command = NULL, destfile)
if (command == NULL) {
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-dns/Makefile
^
|
@@ -0,0 +1,7 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fnettrace-dns
+TARGET = $(PROG)
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-dns/fnettrace_dns.h
^
|
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNETTRACE_DNS_H
+#define FNETTRACE_DNS_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+#endif
\ No newline at end of file
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-dns/main.c
^
|
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace_dns.h"
+#include <sys/ioctl.h>
+#include <time.h>
+#include <linux/filter.h>
+#include <linux/if_ether.h>
+#include <sys/prctl.h>
+#include <signal.h>
+#define MAX_BUF_SIZE (64 * 1024)
+
+static char last[512] = {'\0'};
+
+// pkt - start of DNS layer
+void print_dns(uint32_t ip_src, unsigned char *pkt) {
+ assert(pkt);
+
+ char ip[30];
+ sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_src));
+ time_t seconds = time(NULL);
+ struct tm *t = localtime(&seconds);
+
+ int nxdomain = ((*(pkt + 3) & 0x03) == 0x03)? 1: 0;
+
+ // expecting a single question count
+ if (pkt[4] != 0 || pkt[5] != 1)
+ goto errout;
+
+ // check cname
+ unsigned char *ptr = pkt + 12;
+ int len = 0;
+ while (*ptr != 0 && len < 255) { // 255 is the maximum length of a domain name including multiple '.'
+ if (*ptr > 63) // the name left of a '.' is 63 length maximum
+ goto errout;
+
+ int delta = *ptr + 1;
+ *ptr = '.';
+ len += delta;;
+ ptr += delta;
+ }
+ if (*ptr != 0)
+ goto errout;
+
+ ptr++;
+ uint16_t type;
+ memcpy(&type, ptr, 2);
+ type = ntohs(type);
+
+ // filter output
+ char tmp[sizeof(last)];
+ snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s (type %u)%s",
+ t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1,
+ type, (nxdomain)? " NXDOMAIN": "");
+ if (strcmp(tmp, last)) {
+ printf("%s\n", tmp);
+ fflush(0);
+ strcpy(last, tmp);
+ }
+
+ return;
+
+errout:
+ printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+ fflush(0);
+}
+
+// https://www.kernel.org/doc/html/latest/networking/filter.html
+static void custom_bpf(int sock) {
+ struct sock_filter code[] = {
+ // sudo tcpdump ip and udp and src port 53 -dd
+ { 0x28, 0, 0, 0x0000000c },
+ { 0x15, 0, 8, 0x00000800 },
+ { 0x30, 0, 0, 0x00000017 },
+ { 0x15, 0, 6, 0x00000011 },
+ { 0x28, 0, 0, 0x00000014 },
+ { 0x45, 4, 0, 0x00001fff },
+ { 0xb1, 0, 0, 0x0000000e },
+ { 0x48, 0, 0, 0x0000000e },
+ { 0x15, 0, 1, 0x00000035 },
+ { 0x6, 0, 0, 0x00040000 },
+ { 0x6, 0, 0, 0x00000000 },
+ };
+
+ struct sock_fprog bpf = {
+ .len = (unsigned short) sizeof(code) / sizeof(code[0]),
+ .filter = code,
+ };
+
+ int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
+ if (rv < 0) {
+ fprintf(stderr, "Error: cannot attach BPF filter\n");
+ exit(1);
+ }
+}
+
+static void print_date(void) {
+ static int day = -1;
+ time_t now = time(NULL);
+ struct tm *t = localtime(&now);
+
+ if (day != t->tm_yday) {
+ printf("\nDNS trace for %s", ctime(&now));
+ day = t->tm_yday;
+ }
+ fflush(0);
+}
+
+static void run_trace(void) {
+ // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53
+ int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+ if (s < 0)
+ errExit("socket");
+ custom_bpf(s);
+
+ struct timeval tv;
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
+ unsigned char buf[MAX_BUF_SIZE];
+ while (1) {
+ fd_set rfds;
+ FD_ZERO(&rfds);
+ FD_SET(s, &rfds);
+ int rv = select(s + 1, &rfds, NULL, NULL, &tv);
+ if (rv < 0)
+ errExit("select");
+ else if (rv == 0) {
+ print_date();
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
+ continue;
+ }
+
+ unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+
+ if (bytes >= (14 + 20 + 8)) { // size of MAC + IP + UDP headers
+ uint8_t ip_hlen = (buf[14] & 0x0f) * 4;
+ uint16_t port_src;
+ memcpy(&port_src, buf + 14 + ip_hlen, 2);
+ port_src = ntohs(port_src);
+ uint8_t protocol = buf[14 + 9];
+ uint32_t ip_src;
+ memcpy(&ip_src, buf + 14 + 12, 4);
+ ip_src = ntohl(ip_src);
+
+ // if DNS packet, extract the query
+ if (port_src == 53 && protocol == 0x11) // UDP protocol
+ print_dns(ip_src, buf + 14 + ip_hlen + 8); // IP and UDP header len
+ }
+ }
+
+ close(s);
+}
+
+
+static void usage(void) {
+ printf("Usage: fnettrace-dns [OPTIONS]\n");
+ printf("Options:\n");
+ printf(" --help, -? - this help screen\n");
+ printf("\n");
+}
+
+int main(int argc, char **argv) {
+ int i;
+
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+ usage();
+ return 0;
+ }
+ else {
+ fprintf(stderr, "Error: invalid argument\n");
+ return 1;
+ }
+ }
+
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: you need to be root to run this program\n");
+ return 1;
+ }
+
+ // kill the process if the parent died
+ prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+ print_date();
+ run_trace();
+
+ return 0;
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-icmp/Makefile
^
|
@@ -0,0 +1,7 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fnettrace-icmp
+TARGET = $(PROG)
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-icmp/fnettrace_icmp.h
^
|
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNETTRACE_SNI_H
+#define FNETTRACE_SNI_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+#endif
\ No newline at end of file
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-icmp/main.c
^
|
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace_icmp.h"
+#include <sys/ioctl.h>
+#include <time.h>
+#include <linux/filter.h>
+#include <linux/if_ether.h>
+#include <sys/prctl.h>
+#include <signal.h>
+#define MAX_BUF_SIZE (64 * 1024)
+
+char *type_description[19] = {
+ "Echo reply",
+ "unassigned",
+ "unassigned",
+ "Destination unreachable",
+ "Source quench",
+ "Redirect message",
+ "unassigned",
+ "unassigned",
+ "Echo request",
+ "Router advertisement",
+ "Router solicitation",
+ "Time exceeded",
+ "Bad IP header",
+ "Timestamp",
+ "Timestamp replay",
+ "Information request",
+ "Information reply",
+ "Address mask request",
+ "Address mask reply"
+};
+
+char *code_dest_unreachable[16] = {
+ "Network unreachable",
+ "Host unreachable",
+ "Protocol unreachable",
+ "Port unreachable",
+ "Fragmentation required, and DF flag set",
+ "Source route failed",
+ "Network unknown",
+ "Host unknown",
+ "Source host isolated",
+ "Network administratively prohibited",
+ "Host administratively prohibited",
+ "Network unreachable for ToS",
+ "Host unreachable for ToS",
+ "Communication administratively prohibited",
+ "Host Precedence Violation",
+ "Precedence cutoff in effect"
+};
+
+char *code_redirect_message[4] = {
+ "Datagram for the Network",
+ "Datagram for the Host",
+ "Datagram for the ToS & network",
+ "Datagram for the ToS & host"
+};
+
+char *code_time_exceeded[2] = {
+ "TTL expired in transit",
+ "Fragment reassembly time exceeded"
+};
+
+char *code_bad_ip_header[3] = {
+ "Pointer indicates the error",
+ "Missing a required option",
+ "Bad length"
+};
+
+static void print_icmp(uint32_t ip_dest, uint32_t ip_src, uint8_t type, uint8_t code, unsigned icmp_bytes) {
+ char type_number[10];
+ char *type_ptr = type_number;
+ if (type < 19)
+ type_ptr = type_description[type];
+ else
+ sprintf(type_number, "%u", type);
+
+ char code_number[10];
+ char *code_ptr = code_number;
+ if (type ==3 && code < 16)
+ code_ptr = code_dest_unreachable[code];
+ else if (type == 5 && code < 4)
+ code_ptr = code_redirect_message[code];
+ else if (type == 11 && code < 2)
+ code_ptr = code_time_exceeded[code];
+ else if (type == 12 && code < 3)
+ code_ptr = code_bad_ip_header[code];
+ else
+ sprintf(code_number, "%u", code);
+
+ time_t seconds = time(NULL);
+ struct tm *t = localtime(&seconds);
+ printf("%02d:%02d:%02d %d.%d.%d.%d -> %d.%d.%d.%d - %u bytes - %s/%s\n",
+ t->tm_hour, t->tm_min, t->tm_sec,
+ PRINT_IP(ip_src),
+ PRINT_IP(ip_dest),
+ icmp_bytes,
+ type_ptr,
+ code_ptr);
+ fflush(0);
+}
+
+// https://www.kernel.org/doc/html/latest/networking/filter.html
+static void custom_bpf(int sock) {
+ struct sock_filter code[] = {
+ // sudo tcpdump "icmp" -dd
+ { 0x28, 0, 0, 0x0000000c },
+ { 0x15, 0, 3, 0x00000800 },
+ { 0x30, 0, 0, 0x00000017 },
+ { 0x15, 0, 1, 0x00000001 },
+ { 0x6, 0, 0, 0x00040000 },
+ { 0x6, 0, 0, 0x00000000 },
+ };
+
+ struct sock_fprog bpf = {
+ .len = (unsigned short) sizeof(code) / sizeof(code[0]),
+ .filter = code,
+ };
+
+ int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
+ if (rv < 0) {
+ fprintf(stderr, "Error: cannot attach BPF filter\n");
+ exit(1);
+ }
+}
+
+static void print_date(void) {
+ static int day = -1;
+ time_t now = time(NULL);
+ struct tm *t = localtime(&now);
+
+ if (day != t->tm_yday) {
+ printf("\nICMP trace for %s", ctime(&now));
+ day = t->tm_yday;
+ }
+
+ fflush(0);
+}
+
+static void run_trace(void) {
+ // grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets
+ int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+ if (s < 0)
+ errExit("socket");
+ custom_bpf(s);
+
+ struct timeval tv;
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
+ unsigned char buf[MAX_BUF_SIZE];
+ while (1) {
+ fd_set rfds;
+ FD_ZERO(&rfds);
+ FD_SET(s, &rfds);
+ int rv = select(s + 1, &rfds, NULL, NULL, &tv);
+ if (rv < 0)
+ errExit("select");
+ else if (rv == 0) {
+ print_date();
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
+ continue;
+ }
+
+ unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+
+ if (bytes >= (14 + 20 + 2)) { // size of MAC + IP + ICMP code and type fields
+ uint8_t ip_hlen = (buf[14] & 0x0f) * 4;
+ uint8_t type = *(buf + 14 +ip_hlen);
+ uint8_t code = *(buf + 14 + ip_hlen + 1);
+
+ uint32_t ip_dest;
+ memcpy(&ip_dest, buf + 14 + 16, 4);
+ ip_dest = ntohl(ip_dest);
+ uint32_t ip_src;
+ memcpy(&ip_src, buf + 14 + 12, 4);
+ ip_src = ntohl(ip_src);
+
+ print_icmp(ip_dest, ip_src, type, code, bytes);
+ }
+ }
+
+ close(s);
+}
+
+static void usage(void) {
+ printf("Usage: fnettrace-icmp [OPTIONS]\n");
+ printf("Options:\n");
+ printf(" --help, -? - this help screen\n");
+ printf("\n");
+}
+
+int main(int argc, char **argv) {
+ int i;
+
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+ usage();
+ return 0;
+ }
+ else {
+ fprintf(stderr, "Error: invalid argument\n");
+ return 1;
+ }
+ }
+
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: you need to be root to run this program\n");
+ return 1;
+ }
+
+ // kill the process if the parent died
+ prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+ print_date();
+ run_trace();
+
+ return 0;
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-sni/Makefile
^
|
@@ -0,0 +1,7 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fnettrace-sni
+TARGET = $(PROG)
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-sni/fnettrace_sni.h
^
|
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNETTRACE_SNI_H
+#define FNETTRACE_SNI_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+#endif
\ No newline at end of file
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-sni/main.c
^
|
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace_sni.h"
+#include <sys/ioctl.h>
+#include <time.h>
+#include <linux/filter.h>
+#include <linux/if_ether.h>
+#include <sys/prctl.h>
+#include <signal.h>
+#define MAX_BUF_SIZE (64 * 1024)
+
+static char last[512] = {'\0'};
+
+// pkt - start of TLS layer
+static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
+ assert(pkt);
+
+ char ip[30];
+ sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_dest));
+ time_t seconds = time(NULL);
+ struct tm *t = localtime(&seconds);
+
+ // expecting a handshake packet and client hello
+ if (pkt[0] != 0x16 || pkt[5] != 0x01)
+ goto errout;
+
+
+ // look for server name indication
+ unsigned char *ptr = pkt;
+ unsigned int i = 0;
+ char *name = NULL;
+ while (i < (len - 20)) {
+ // 3 zeros and 3 matching length fields
+ if (*ptr == 0 && *(ptr + 1) == 0 && (*(ptr + 2) == 0 || *(ptr + 2) == 1) && *(ptr + 6) == 0) {
+ uint16_t len1;
+ memcpy(&len1, ptr + 2, 2);
+ len1 = ntohs(len1);
+
+ uint16_t len2;
+ memcpy(&len2, ptr + 4, 2);
+ len2 = ntohs(len2);
+
+ uint16_t len3;
+ memcpy(&len3, ptr + 7, 2);
+ len3 = ntohs(len3);
+
+ if (len1 == (len2 + 2) && len1 == (len3 + 5)) {
+ *(ptr + 9 + len3) = 0;
+ name = (char *) (ptr + 9);
+ break;
+ }
+ }
+ ptr++;
+ i++;
+ }
+
+ if (name) {
+ // filter output
+ char tmp[sizeof(last)];
+ snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
+ if (strcmp(tmp, last)) {
+ printf("%s\n", tmp);
+ fflush(0);
+ strcpy(last, tmp);
+ }
+ }
+ else
+ goto nosni;
+ return;
+
+errout:
+ printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+ fflush(0);
+ return;
+
+nosni:
+ printf("%02d:%02d:%02d %-15s no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+ return;
+}
+
+// https://www.kernel.org/doc/html/latest/networking/filter.html
+static void custom_bpf(int sock) {
+ struct sock_filter code[] = {
+ // ports: 443 (regular TLS), 853 (DoT)
+ // sudo tcpdump "tcp port (443 or 853) and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01)" -dd
+ { 0x28, 0, 0, 0x0000000c },
+ { 0x15, 29, 0, 0x000086dd },
+ { 0x15, 0, 28, 0x00000800 },
+ { 0x30, 0, 0, 0x00000017 },
+ { 0x15, 0, 26, 0x00000006 },
+ { 0x28, 0, 0, 0x00000014 },
+ { 0x45, 24, 0, 0x00001fff },
+ { 0xb1, 0, 0, 0x0000000e },
+ { 0x48, 0, 0, 0x0000000e },
+ { 0x15, 4, 0, 0x000001bb },
+ { 0x15, 3, 0, 0x00000355 },
+ { 0x48, 0, 0, 0x00000010 },
+ { 0x15, 1, 0, 0x000001bb },
+ { 0x15, 0, 17, 0x00000355 },
+ { 0x50, 0, 0, 0x0000001a },
+ { 0x54, 0, 0, 0x000000f0 },
+ { 0x74, 0, 0, 0x00000002 },
+ { 0xc, 0, 0, 0x00000000 },
+ { 0x7, 0, 0, 0x00000000 },
+ { 0x50, 0, 0, 0x0000000e },
+ { 0x15, 0, 10, 0x00000016 },
+ { 0xb1, 0, 0, 0x0000000e },
+ { 0x50, 0, 0, 0x0000001a },
+ { 0x54, 0, 0, 0x000000f0 },
+ { 0x74, 0, 0, 0x00000002 },
+ { 0x4, 0, 0, 0x00000005 },
+ { 0xc, 0, 0, 0x00000000 },
+ { 0x7, 0, 0, 0x00000000 },
+ { 0x50, 0, 0, 0x0000000e },
+ { 0x15, 0, 1, 0x00000001 },
+ { 0x6, 0, 0, 0x00040000 },
+ { 0x6, 0, 0, 0x00000000 },
+ };
+
+ struct sock_fprog bpf = {
+ .len = (unsigned short) sizeof(code) / sizeof(code[0]),
+ .filter = code,
+ };
+
+ int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
+ if (rv < 0) {
+ fprintf(stderr, "Error: cannot attach BPF filter\n");
+ exit(1);
+ }
+}
+
+static void print_date(void) {
+ static int day = -1;
+ time_t now = time(NULL);
+ struct tm *t = localtime(&now);
+
+ if (day != t->tm_yday) {
+ printf("\nSNI trace for %s", ctime(&now));
+ day = t->tm_yday;
+ }
+
+ fflush(0);
+}
+
+static void run_trace(void) {
+ // grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets
+ int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+ if (s < 0)
+ errExit("socket");
+ custom_bpf(s);
+
+ struct timeval tv;
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
+ unsigned char buf[MAX_BUF_SIZE];
+ while (1) {
+ fd_set rfds;
+ FD_ZERO(&rfds);
+ FD_SET(s, &rfds);
+ int rv = select(s + 1, &rfds, NULL, NULL, &tv);
+ if (rv < 0)
+ errExit("select");
+ else if (rv == 0) {
+ print_date();
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
+ continue;
+ }
+
+ unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+
+ if (bytes >= (14 + 20 + 20)) { // size of MAC + IP + TCP headers
+ uint8_t ip_hlen = (buf[14] & 0x0f) * 4;
+ uint16_t port_dest;
+ memcpy(&port_dest, buf + 14 + ip_hlen + 2, 2);
+ port_dest = ntohs(port_dest);
+ uint32_t ip_dest;
+ memcpy(&ip_dest, buf + 14 + 16, 4);
+ ip_dest = ntohl(ip_dest);
+ uint8_t tcp_hlen = (buf[14 + ip_hlen + 12] & 0xf0) >> 2;
+
+ // extract SNI
+ print_tls(ip_dest, buf + 14 + ip_hlen + tcp_hlen, bytes - 14 - ip_hlen - tcp_hlen); // IP and TCP header len
+ }
+ }
+
+ close(s);
+}
+
+
+static void usage(void) {
+ printf("Usage: fnettrace-sni [OPTIONS]\n");
+ printf("Options:\n");
+ printf(" --help, -? - this help screen\n");
+ printf("\n");
+}
+
+int main(int argc, char **argv) {
+ int i;
+
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+ usage();
+ return 0;
+ }
+ else {
+ fprintf(stderr, "Error: invalid argument\n");
+ return 1;
+ }
+ }
+
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: you need to be root to run this program\n");
+ return 1;
+ }
+
+ // kill the process if the parent died
+ prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+ print_date();
+ run_trace();
+
+ return 0;
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/Makefile
^
|
@@ -0,0 +1,7 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fnettrace
+TARGET = $(PROG)
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/fnettrace.h
^
|
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNETTRACE_H
+#define FNETTRACE_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+
+//#define DEBUG 1
+
+#define NETLOCK_INTERVAL 60 // seconds
+#define DISPLAY_INTERVAL 2 // seconds
+#define DISPLAY_TTL 4 // display intervals (4 * 2 seconds)
+#define DISPLAY_BW_UNITS 20 // length of the bandwidth bar
+
+
+static inline void ansi_topleft(void) {
+ char str[] = {0x1b, '[', '1', ';', '1', 'H', '\0'};
+ printf("%s", str);
+ fflush(0);
+}
+
+static inline void ansi_clrscr(void) {
+ ansi_topleft();
+ char str[] = {0x1b, '[', '0', 'J', '\0'};
+ printf("%s", str);
+ fflush(0);
+}
+
+static inline uint8_t hash(uint32_t ip) {
+ uint8_t *ptr = (uint8_t *) &ip;
+ // simple byte xor
+ return *ptr ^ *(ptr + 1) ^ *(ptr + 2) ^ *(ptr + 3);
+}
+
+// main.c
+void logprintf(char* fmt, ...);
+
+// hostnames.c
+extern int geoip_calls;
+void load_hostnames(const char *fname);
+char* retrieve_hostname(uint32_t ip);
+
+// tail.c
+void tail(const char *logfile);
+
+#endif
\ No newline at end of file
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/hostnames.c
^
|
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+#include "radix.h"
+#define MAXBUF 1024
+
+int geoip_calls = 0;
+static int geoip_not_found = 0;
+static char buf[MAXBUF];
+
+char *retrieve_hostname(uint32_t ip) {
+ if (geoip_not_found)
+ return NULL;
+ geoip_calls++;
+
+ char *rv = NULL;
+ char *cmd;
+ if (asprintf(&cmd, "/usr/bin/geoiplookup %d.%d.%d.%d", PRINT_IP(ip)) == -1)
+ errExit("asprintf");
+
+ FILE *fp = popen(cmd, "r");
+ if (fp) {
+ char *ptr;
+ if (fgets(buf, MAXBUF, fp)) {
+ ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+ if (strncmp(buf, "GeoIP Country Edition:", 22) == 0) {
+ ptr = buf + 22;
+ if (*ptr == ' ' && *(ptr + 3) == ',' && *(ptr + 4) == ' ') {
+ rv = ptr + 5;
+ rv = radix_add(ip, 0xffffffff, rv);
+ }
+ }
+ }
+ pclose(fp);
+ return rv;
+ }
+ else
+ geoip_not_found = 1;
+
+ free(cmd);
+
+ return NULL;
+}
+
+void load_hostnames(const char *fname) {
+ assert(fname);
+ FILE *fp = fopen(fname, "r");
+ if (!fp) {
+ fprintf(stderr, "Warning: cannot find %s file\n", fname);
+ return;
+ }
+
+ char buf[MAXBUF];
+ int line = 0;
+ while (fgets(buf, MAXBUF, fp)) {
+ line++;
+
+ // skip empty spaces
+ char *start = buf;
+ while (*start == ' ' || *start == '\t')
+ start++;
+ // comments
+ if (*start == '#')
+ continue;
+ char *end = strchr(start, '#');
+ if (end)
+ *end = '\0';
+
+ // end
+ end = strchr(start, '\n');
+ if (end)
+ *end = '\0';
+ end = start + strlen(start);
+ if (end == start) // empty line
+ continue;
+
+ // line format: 1.2.3.4/32 name_without_empty_spaces
+ // a single empty space between address and name
+ end = strchr(start, ' ');
+ if (!end)
+ goto errexit;
+ *end = '\0';
+ end++;
+ if (*end == '\0')
+ goto errexit;
+
+ uint32_t ip;
+ uint32_t mask;
+ if (atocidr(start, &ip, &mask)) {
+ fprintf(stderr, "Error: invalid CIDR address\n");
+ goto errexit;
+ }
+
+ radix_add(ip, mask, end);
+ }
+
+ fclose(fp);
+ return;
+
+
+errexit:
+ fprintf(stderr, "Error: invalid line %d in file %s\n", line, fname);
+ exit(1);
+}
+
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/main.c
^
|
@@ -0,0 +1,762 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+#include "radix.h"
+#include <limits.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <signal.h>
+#define MAX_BUF_SIZE (64 * 1024)
+
+static int arg_netfilter = 0;
+static int arg_tail = 0;
+static char *arg_log = NULL;
+
+typedef struct hnode_t {
+ struct hnode_t *hnext; // used for hash table and unused linked list
+ struct hnode_t *dnext; // used to display streams on the screen
+ uint32_t ip_src;
+ uint32_t bytes; // number of bytes received in the last display interval
+ uint16_t port_src;
+ uint8_t protocol;
+ // the firewall is build based on source address, and in the linked list
+ // we have elements with the same address but different ports
+ uint8_t ip_instance;
+ char *hostname;
+ int ttl;
+} HNode;
+
+// hash table
+#define HMAX 256
+HNode *htable[HMAX] = {NULL};
+// display linked list
+HNode *dlist = NULL;
+
+
+// speed up malloc/free
+#define HNODE_MAX_MALLOC 16
+static HNode *hnode_unused = NULL;
+HNode *hmalloc(void) {
+ if (hnode_unused == NULL) {
+ hnode_unused = malloc(sizeof(HNode) * HNODE_MAX_MALLOC);
+ if (!hnode_unused)
+ errExit("malloc");
+ memset(hnode_unused, 0, sizeof(HNode) * HNODE_MAX_MALLOC);
+ HNode *ptr = hnode_unused;
+ int i;
+ for ( i = 1; i < HNODE_MAX_MALLOC; i++, ptr++)
+ ptr->hnext = hnode_unused + i;
+ }
+
+ HNode *rv = hnode_unused;
+ hnode_unused = hnode_unused->hnext;
+ return rv;
+}
+
+void hfree(HNode *ptr) {
+ assert(ptr);
+ memset(ptr, 0, sizeof(HNode));
+ ptr->hnext = hnode_unused;
+ hnode_unused = ptr;
+}
+
+// using protocol 0 and port 0 for ICMP
+static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint32_t bytes) {
+ uint8_t h = hash(ip_src);
+
+ // find
+ int ip_instance = 0;
+ HNode *ptr = htable[h];
+ while (ptr) {
+ if (ptr->ip_src == ip_src) {
+ ip_instance++;
+ if (ptr->port_src == port_src && ptr->protocol == protocol) {
+ ptr->bytes += bytes;
+ return;
+ }
+ }
+ ptr = ptr->hnext;
+ }
+
+#ifdef DEBUG
+ printf("malloc %d.%d.%d.%d\n", PRINT_IP(ip_src));
+#endif
+ HNode *hnew = hmalloc();
+ assert(hnew);
+ hnew->hostname = NULL;
+ hnew->ip_src = ip_src;
+ hnew->port_src = port_src;
+ hnew->protocol = protocol;
+ hnew->hnext = NULL;
+ hnew->bytes = bytes;
+ hnew->ip_instance = ip_instance + 1;
+ hnew->ttl = DISPLAY_TTL;
+ if (htable[h] == NULL)
+ htable[h] = hnew;
+ else {
+ hnew->hnext = htable[h];
+ htable[h] = hnew;
+ }
+
+ // add to the end of list
+ hnew->dnext = NULL;
+ if (dlist == NULL)
+ dlist = hnew;
+ else {
+ ptr = dlist;
+ while (ptr->dnext != NULL)
+ ptr = ptr->dnext;
+ ptr->dnext = hnew;
+ }
+
+ if (arg_netfilter)
+ logprintf(" %d.%d.%d.%d ", PRINT_IP(hnew->ip_src));
+}
+
+static void hnode_free(HNode *elem) {
+ assert(elem);
+#ifdef DEBUG
+ printf("free %d.%d.%d.%d\n", PRINT_IP(elem->ip_src));
+#endif
+
+ uint8_t h = hash(elem->ip_src);
+ HNode *ptr = htable[h];
+ assert(ptr);
+
+ HNode *prev = NULL;
+ while (ptr != elem) {
+ prev = ptr;
+ ptr = ptr->hnext;
+ }
+ if (prev == NULL)
+ htable[h] = elem->hnext;
+ else
+ prev->hnext = elem->hnext;
+ hfree(elem);
+}
+
+#ifdef DEBUG
+static void debug_dlist(void) {
+ HNode *ptr = dlist;
+ while (ptr) {
+ printf("dlist %d.%d.%d.%d:%d\n", PRINT_IP(ptr->ip_src), ptr->port_src);
+ ptr = ptr->dnext;
+ }
+}
+static void debug_hnode(void) {
+ int i;
+ for (i = 0; i < HMAX; i++) {
+ HNode *ptr = htable[i];
+ while (ptr) {
+ printf("hnode (%d) %d.%d.%d.%d:%d\n", i, PRINT_IP(ptr->ip_src), ptr->port_src);
+ ptr = ptr->hnext;
+ }
+ }
+}
+#endif
+
+static char *bw_line[DISPLAY_BW_UNITS + 1] = { NULL };
+
+static char *print_bw(unsigned units) {
+ if (units > DISPLAY_BW_UNITS)
+ units = DISPLAY_BW_UNITS ;
+
+ if (bw_line[units] == NULL) {
+ char *ptr = malloc(DISPLAY_BW_UNITS + 2);
+ if (!ptr)
+ errExit("malloc");
+ bw_line[units] = ptr;
+
+ unsigned i;
+ for (i = 0; i < DISPLAY_BW_UNITS; i++, ptr++)
+ sprintf(ptr, "%s", (i < units) ? "*" : " ");
+ sprintf(ptr, "%s", " ");
+ }
+
+ return bw_line[units];
+}
+
+static inline void adjust_line(char *str, int len, int cols) {
+ if (len > LINE_MAX) // functions such as snprintf truncate the string, and return the length of the untruncated string
+ len = LINE_MAX;
+ if (cols > 4 && len > cols) {
+ str[cols] = '\0';
+ str[cols - 1] = '\n';
+ }
+}
+
+#define BWMAX_CNT 8
+static unsigned adjust_bandwidth(unsigned bw) {
+ static unsigned array[BWMAX_CNT] = {0};
+ static int instance = 0;
+
+ array[instance] = bw;
+ int i;
+ unsigned sum = 0;
+ unsigned max = 0;
+ for ( i = 0; i < BWMAX_CNT; i++) {
+ sum += array[i];
+ max = (max > array[i]) ? max : array[i];
+ }
+ sum /= BWMAX_CNT;
+
+ if (++instance >= BWMAX_CNT)
+ instance = 0;
+
+ return (max < (sum / 2)) ? sum : max;
+}
+
+typedef struct port_type_t {
+ uint16_t port;
+ char *service;
+} PortType;
+static PortType ports[] = {
+ {20, "(FTP)"},
+ {21, "(FTP)"},
+ {22, "(SSH)"},
+ {23, "(telnet)"},
+ {25, "(SMTP)"},
+ {43, "(WHOIS)"},
+ {67, "(DHCP)"},
+ {68, "(DHCP)"},
+ {69, "(TFTP)"},
+ {80, "(HTTP)"},
+ {109, "(POP2)"},
+ {110, "(POP3)"},
+ {113, "(IRC)"},
+ {123, "(NTP)"},
+ {161, "(SNP)"},
+ {162, "(SNP)"},
+ {194, "(IRC)"},
+ {0, NULL},
+};
+
+
+static inline const char *common_port(uint16_t port) {
+ if (port >= 6660 && port <= 9150) {
+ if (port >= 6660 && port <= 6669)
+ return "(IRC)";
+ else if (port == 6679)
+ return "(IRC)";
+ else if (port == 6771)
+ return "(BitTorrent)";
+ else if (port >= 6881 && port <= 6999)
+ return "(BitTorrent)";
+ else if (port == 9001)
+ return "(Tor)";
+ else if (port == 9030)
+ return "(Tor)";
+ else if (port == 9050)
+ return "(Tor)";
+ else if (port == 9051)
+ return "(Tor)";
+ else if (port == 9150)
+ return "(Tor)";
+ return NULL;
+ }
+
+ if (port <= 194) {
+ PortType *ptr =&ports[0];
+ while(ptr->service != NULL) {
+ if (ptr->port == port)
+ return ptr->service;
+ ptr++;
+ }
+ }
+
+ return NULL;
+}
+
+
+
+static void hnode_print(unsigned bw) {
+ assert(!arg_netfilter);
+ bw = (bw < 1024 * DISPLAY_INTERVAL) ? 1024 * DISPLAY_INTERVAL : bw;
+#ifdef DEBUG
+ printf("*********************\n");
+ debug_dlist();
+ printf("-----------------------------\n");
+ debug_hnode();
+ printf("*********************\n");
+#else
+ ansi_clrscr();
+#endif
+
+ // get terminal size
+ struct winsize sz;
+ int cols = 80;
+ if (isatty(STDIN_FILENO)) {
+ if (!ioctl(0, TIOCGWINSZ, &sz))
+ cols = sz.ws_col;
+ }
+ if (cols > LINE_MAX)
+ cols = LINE_MAX;
+ char line[LINE_MAX + 1];
+
+ // print stats line
+ bw = adjust_bandwidth(bw);
+ char stats[31];
+ if (bw > (1024 * 1024 * DISPLAY_INTERVAL))
+ sprintf(stats, "%u MB/s ", bw / (1024 * 1024 * DISPLAY_INTERVAL));
+ else
+ sprintf(stats, "%u KB/s ", bw / (1024 * DISPLAY_INTERVAL));
+ int len = snprintf(line, LINE_MAX, "%32s geoip %d, IP database %d\n", stats, geoip_calls, radix_nodes);
+ adjust_line(line, len, cols);
+ printf("%s", line);
+
+ HNode *ptr = dlist;
+ HNode *prev = NULL;
+ while (ptr) {
+ HNode *next = ptr->dnext;
+ if (--ptr->ttl > 0) {
+ char bytes[11];
+ if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 1024 * 2)) // > 2 MB/second
+ snprintf(bytes, 11, "%u MB/s",
+ (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024 * 1024)));
+ else if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
+ snprintf(bytes, 11, "%u KB/s",
+ (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024)));
+ else
+ snprintf(bytes, 11, "%u B/s ", (unsigned) (ptr->bytes / DISPLAY_INTERVAL));
+
+ if (!ptr->hostname)
+ ptr->hostname = radix_longest_prefix_match(ptr->ip_src);
+ if (!ptr->hostname)
+ ptr->hostname = retrieve_hostname(ptr->ip_src);
+ if (!ptr->hostname)
+ ptr->hostname = " ";
+
+ unsigned bwunit = bw / DISPLAY_BW_UNITS;
+ char *bwline;
+ if (bwunit == 0)
+ bwline = print_bw(0);
+ else
+ bwline = print_bw(ptr->bytes / bwunit);
+
+ const char *protocol = NULL;
+ if (ptr->port_src == 443)
+ protocol = "(TLS)";
+ else if (ptr->port_src == 53)
+ protocol = "(DNS)";
+ else if (ptr->port_src == 853) {
+ if (ptr->protocol == 0x06)
+ protocol = "(DoT)";
+ else if (ptr->protocol == 0x11)
+ protocol = "(DoQ)";
+ else
+ protocol = NULL;
+ }
+ else if ((protocol = common_port(ptr->port_src)) != NULL)
+ ;
+ else if (ptr->protocol == 0x11)
+ protocol = "(UDP)";
+
+ if (protocol == NULL)
+ protocol = "";
+ if (ptr->port_src == 0)
+ len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d (ICMP) %s\n",
+ bytes, bwline, PRINT_IP(ptr->ip_src), ptr->hostname);
+ else
+ len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s\n",
+ bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->hostname);
+
+ adjust_line(line, len, cols);
+ printf("%s", line);
+
+ if (ptr->bytes)
+ ptr->ttl = DISPLAY_TTL;
+ ptr->bytes = 0;
+ prev = ptr;
+ }
+ else {
+ // free the element
+ if (prev == NULL)
+ dlist = next;
+ else
+ prev->dnext = next;
+ hnode_free(ptr);
+ }
+
+ ptr = next;
+ }
+
+#ifdef DEBUG
+ {
+ int cnt = 0;
+ HNode *ptr = hnode_unused;
+ while (ptr) {
+ cnt++;
+ ptr = ptr->hnext;
+ }
+ printf("hnode unused %d\n", cnt);
+ }
+#endif
+}
+
+// trace rx traffic coming in
+static void run_trace(void) {
+ if (arg_netfilter)
+ logprintf("accumulating traffic for %d seconds\n", NETLOCK_INTERVAL);
+
+ // trace only rx ipv4 tcp and upd
+ int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
+ int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+ int s3 = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+ if (s1 < 0 || s2 < 0 || s3 < 0)
+ errExit("socket");
+
+ unsigned start = time(NULL);
+ unsigned last_print_traces = 0;
+ unsigned last_print_remaining = 0;
+ unsigned char buf[MAX_BUF_SIZE];
+ unsigned bw = 0; // bandwidth calculations
+ while (1) {
+ unsigned end = time(NULL);
+ if (arg_netfilter && end - start >= NETLOCK_INTERVAL)
+ break;
+ if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
+ if (!arg_netfilter)
+ hnode_print(bw);
+ last_print_traces = end;
+ bw = 0;
+ }
+ if (arg_netfilter && last_print_remaining != end) {
+ logprintf(".");
+ fflush(0);
+ last_print_remaining = end;
+ }
+
+ fd_set rfds;
+ FD_ZERO(&rfds);
+ FD_SET(s1, &rfds);
+ FD_SET(s2, &rfds);
+ FD_SET(s3, &rfds);
+ int maxfd = (s1 > s2) ? s1 : s2;
+ maxfd = (s3 > maxfd) ? s3 : maxfd;
+ maxfd++;
+
+ struct timeval tv;
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+
+ int rv = select(maxfd, &rfds, NULL, NULL, &tv);
+ if (rv < 0)
+ errExit("select");
+ else if (rv == 0)
+ continue;
+
+ int icmp = 0;
+ int sock = s1;
+ if (FD_ISSET(s2, &rfds))
+ sock = s2;
+ else if (FD_ISSET(s3, &rfds)) {
+ sock = s3;
+ icmp = 1;
+ }
+
+ unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+ if (bytes >= 20) { // size of IP header
+#ifdef DEBUG
+ {
+ uint32_t ip_src;
+ memcpy(&ip_src, buf + 12, 4);
+ ip_src = ntohl(ip_src);
+
+ uint32_t ip_dst;
+ memcpy(&ip_dst, buf + 16, 4);
+ ip_dst = ntohl(ip_dst);
+ printf("%d.%d.%d.%d -> %d.%d.%d.%d, %u bytes\n", PRINT_IP(ip_src), PRINT_IP(ip_dst), bytes);
+ }
+#endif
+ // filter out loopback traffic
+ if (buf[12] != 127 && buf[16] != 127) {
+ bw += bytes + 14; // assume a 14 byte Ethernet layer
+
+ uint32_t ip_src;
+ memcpy(&ip_src, buf + 12, 4);
+ ip_src = ntohl(ip_src);
+
+ uint8_t hlen = (buf[0] & 0x0f) * 4;
+ if (icmp)
+ hnode_add(ip_src, 0, 0, bytes + 14);
+ else {
+ uint16_t port_src;
+ memcpy(&port_src, buf + hlen, 2);
+ port_src = ntohs(port_src);
+
+ uint8_t protocol = buf[9];
+ hnode_add(ip_src, protocol, port_src, bytes + 14);
+ }
+ }
+ }
+ }
+
+ close(s1);
+ close(s2);
+}
+
+static char *filter_start =
+ "*filter\n"
+ ":INPUT DROP [0:0]\n"
+ ":FORWARD DROP [0:0]\n"
+ ":OUTPUT DROP [0:0]\n";
+
+// return 1 if error
+static int print_filter(FILE *fp) {
+ if (dlist == NULL)
+ return 1;
+ fprintf(fp, "%s\n", filter_start);
+ fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
+ fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
+ fprintf(fp, "\n");
+
+ int i;
+ for (i = 0; i < HMAX; i++) {
+ HNode *ptr = htable[i];
+ while (ptr) {
+ // filter rules are targeting ip address, the port number is disregarded,
+ // so we look only at the first instance of an address
+ if (ptr->ip_instance == 1) {
+ char *protocol = (ptr->protocol == 6) ? "tcp" : "udp";
+ fprintf(fp, "-A INPUT -s %d.%d.%d.%d -p %s -j ACCEPT\n",
+ PRINT_IP(ptr->ip_src),
+ protocol);
+ fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -p %s -j ACCEPT\n",
+ PRINT_IP(ptr->ip_src),
+ protocol);
+ fprintf(fp, "\n");
+ }
+ ptr = ptr->hnext;
+ }
+ }
+ fprintf(fp, "COMMIT\n");
+
+ return 0;
+}
+
+static char *flush_rules[] = {
+ "-P INPUT ACCEPT",
+// "-P FORWARD DENY",
+ "-P OUTPUT ACCEPT",
+ "-F",
+ "-X",
+// "-t nat -F",
+// "-t nat -X",
+// "-t mangle -F",
+// "-t mangle -X",
+// "iptables -t raw -F",
+// "-t raw -X",
+ NULL
+};
+
+static void deploy_netfilter(void) {
+ int rv;
+ char *cmd;
+ int i;
+
+ if (dlist == NULL) {
+ logprintf("Sorry, no network traffic was detected. The firewall was not configured.\n");
+ return;
+ }
+ // find iptables command
+ char *iptables = NULL;
+ char *iptables_restore = NULL;
+ if (access("/sbin/iptables", X_OK) == 0) {
+ iptables = "/sbin/iptables";
+ iptables_restore = "/sbin/iptables-restore";
+ }
+ else if (access("/usr/sbin/iptables", X_OK) == 0) {
+ iptables = "/usr/sbin/iptables";
+ iptables_restore = "/usr/sbin/iptables-restore";
+ }
+ if (iptables == NULL || iptables_restore == NULL) {
+ fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+ exit(1);
+ }
+
+ // flush all netfilter rules
+ i = 0;
+ while (flush_rules[i]) {
+ char *cmd;
+ if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
+ errExit("asprintf");
+ int rv = system(cmd);
+ (void) rv;
+ free(cmd);
+ i++;
+ }
+
+ // create temporary file
+ char fname[] = "/tmp/firejail-XXXXXX";
+ int fd = mkstemp(fname);
+ if (fd == -1) {
+ fprintf(stderr, "Error: cannot create temporary configuration file\n");
+ exit(1);
+ }
+
+ FILE *fp = fdopen(fd, "w");
+ if (!fp) {
+ rv = unlink(fname);
+ (void) rv;
+ fprintf(stderr, "Error: cannot create temporary configuration file\n");
+ exit(1);
+ }
+ print_filter(fp);
+ fclose(fp);
+
+ logprintf("\n\n");
+ logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+ if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
+ errExit("asprintf");
+ rv = system(cmd);
+ (void) rv;
+ free(cmd);
+
+ if (asprintf(&cmd, "cat %s", fname) == -1)
+ errExit("asprintf");
+ rv = system(cmd);
+ (void) rv;
+ free(cmd);
+ logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+
+ // configuring
+ if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+ errExit("asprintf");
+ rv = system(cmd);
+ if (rv)
+ fprintf(stdout, "Warning: possible netfilter problem!");
+ free(cmd);
+
+ rv = unlink(fname);
+ (void) rv;
+ logprintf("\nfirewall deployed\n");
+}
+
+void logprintf(char *fmt, ...) {
+ if (!arg_log)
+ return;
+
+ FILE *fp = fopen(arg_log, "a");
+ if (fp) { // disregard if error
+ va_list args;
+ va_start(args, fmt);
+ vfprintf(fp, fmt, args);
+ va_end(args);
+ fclose(fp);
+ }
+
+ va_list args;
+ va_start(args, fmt);
+ vfprintf(stdout, fmt, args);
+ va_end(args);
+}
+
+static void usage(void) {
+ printf("Usage: fnettrace [OPTIONS]\n");
+ printf("Options:\n");
+ printf(" --help, -? - this help screen\n");
+ printf(" --log=filename - netlocker logfile\n");
+ printf(" --netfilter - build the firewall rules and commit them.\n");
+ printf(" --tail - \"tail -f\" functionality\n");
+ printf("Examples:\n");
+ printf(" # fnettrace - traffic trace\n");
+ printf(" # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n");
+ printf(" # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n");
+ printf("\n");
+}
+
+int main(int argc, char **argv) {
+ int i;
+
+#ifdef DEBUG
+ // radix test
+ radix_add(0x09000000, 0xff000000, "IBM");
+ radix_add(0x09090909, 0xffffffff, "Quad9 DNS");
+ radix_add(0x09000000, 0xff000000, "IBM");
+ printf("This test should print \"IBM, Quad9 DNS, IBM\"\n");
+ char *name = radix_longest_prefix_match(0x09040404);
+ printf("%s, ", name);
+ name = radix_longest_prefix_match(0x09090909);
+ printf("%s, ", name);
+ name = radix_longest_prefix_match(0x09322209);
+ printf("%s\n", name);
+#endif
+
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+ usage();
+ return 0;
+ }
+ else if (strcmp(argv[i], "--netfilter") == 0)
+ arg_netfilter = 1;
+ else if (strcmp(argv[i], "--tail") == 0)
+ arg_tail = 1;
+ else if (strncmp(argv[i], "--log=", 6) == 0)
+ arg_log = argv[i] + 6;
+ else {
+ fprintf(stderr, "Error: invalid argument\n");
+ return 1;
+ }
+ }
+
+ // tail
+ if (arg_tail) {
+ if (!arg_log) {
+ fprintf(stderr, "Error: no log file\n");
+ usage();
+ exit(1);
+ }
+
+ tail(arg_log);
+ sleep(5);
+ exit(0);
+ }
+
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: you need to be root to run this program\n");
+ return 1;
+ }
+
+ // kill the process if the parent died
+ prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+ ansi_clrscr();
+ if (arg_netfilter)
+ logprintf("starting network lockdown\n");
+ else {
+ char *fname = LIBDIR "/firejail/static-ip-map";
+ load_hostnames(fname);
+ }
+
+ run_trace();
+ if (arg_netfilter) {
+ // TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
+ // Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel
+ int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing");
+ (void) rv;
+
+ deploy_netfilter();
+ sleep(3);
+ if (arg_log)
+ unlink(arg_log);
+ }
+
+ return 0;
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/radix.c
^
|
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <assert.h>
+#include "radix.h"
+#include "fnettrace.h"
+
+typedef struct rnode_t {
+ struct rnode_t *zero;
+ struct rnode_t *one;
+ char *name;
+} RNode;
+
+RNode *head = 0;
+int radix_nodes = 0;
+
+// get rid of the malloc overhead
+#define RNODE_MAX_MALLOC 128
+static RNode *rnode_unused = NULL;
+static int rnode_malloc_cnt = 0;
+static RNode *rmalloc(void) {
+ if (rnode_unused == NULL || rnode_malloc_cnt >= RNODE_MAX_MALLOC) {
+ rnode_unused = malloc(sizeof(RNode) * RNODE_MAX_MALLOC);
+ if (!rnode_unused)
+ errExit("malloc");
+ memset(rnode_unused, 0, sizeof(RNode) * RNODE_MAX_MALLOC);
+ rnode_malloc_cnt = 0;
+ }
+
+ rnode_malloc_cnt++;
+ return rnode_unused + rnode_malloc_cnt - 1;
+}
+
+
+static inline char *duplicate_name(const char *name) {
+ assert(name);
+
+ if (strcmp(name, "United States") == 0)
+ return "United States";
+ else if (strcmp(name, "Amazon") == 0)
+ return "Amazon";
+ return strdup(name);
+}
+
+static inline RNode *addOne(RNode *ptr, char *name) {
+ assert(ptr);
+ if (ptr->one)
+ return ptr->one;
+ RNode *node = rmalloc();
+ assert(node);
+ if (name) {
+ node->name = duplicate_name(name);
+ if (!node->name)
+ errExit("duplicate name");
+ }
+
+ ptr->one = node;
+ return node;
+}
+
+static inline RNode *addZero(RNode *ptr, char *name) {
+ assert(ptr);
+ if (ptr->zero)
+ return ptr->zero;
+ RNode *node = rmalloc();
+ assert(node);
+ if (name) {
+ node->name = duplicate_name(name);
+ if (!node->name)
+ errExit("duplicate name");
+ }
+
+ ptr->zero = node;
+ return node;
+}
+
+
+// add to radix tree
+char *radix_add(uint32_t ip, uint32_t mask, char *name) {
+ assert(name);
+ uint32_t m = 0x80000000;
+ uint32_t lastm = 0;
+ if (head == 0) {
+ head = malloc(sizeof(RNode));
+ memset(head, 0, sizeof(RNode));
+ }
+ RNode *ptr = head;
+ radix_nodes++;
+
+ int i;
+ for (i = 0; i < 32; i++, m >>= 1) {
+ if (!(m & mask))
+ break;
+
+ lastm |= m;
+ int valid = (lastm == mask)? 1: 0;
+ if (m & ip)
+ ptr = addOne(ptr, (valid)? name: NULL);
+ else
+ ptr = addZero(ptr, (valid)? name: NULL);
+ }
+ assert(ptr);
+ if (!ptr->name) {
+ ptr->name = duplicate_name(name);
+ if (!ptr->name)
+ errExit("duplicate_name");
+ }
+
+ return ptr->name;
+}
+
+// find last match
+char *radix_longest_prefix_match(uint32_t ip) {
+ if (!head)
+ return NULL;
+
+ uint32_t m = 0x80000000;
+ RNode *ptr = head;
+ RNode *rv = NULL;
+
+ int i;
+ for (i = 0; i < 32; i++, m >>= 1) {
+ if (m & ip)
+ ptr = ptr->one;
+ else
+ ptr = ptr->zero;
+ if (!ptr)
+ break;
+ if (ptr->name)
+ rv = ptr;
+ }
+
+ return (rv)? rv->name: NULL;
+}
+
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/radix.h
^
|
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef RADIX_H
+#define RADIX_H
+
+extern int radix_nodes;
+char *radix_longest_prefix_match(uint32_t ip);
+char *radix_add(uint32_t ip, uint32_t mask, char *name);
+
+#endif
\ No newline at end of file
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/static-ip-map
^
|
@@ -0,0 +1,5403 @@
+#
+# Copyright (C) 2014-2022 Firejail Authors
+#
+# This file is part of firejail project
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+# Static Internet Map
+#
+# Unfortunately we cannot do a hostname lookup. This will leak a lot of
+# information about what network resources we access.
+# A static map, helped out by geoip package available on all Linux distros,
+# will have to do it for now!
+#
+# Format:
+# CIDR-IPv4-address-range hostname
+# a single space between address and hostname
+# use '#' for comments
+# example: 9.9.9.0/24 Quad9 DNS
+#
+#
+
+#
+# The following list of addresses was compiled from various public sources.
+#
+
+
+# local network addresses
+192.168.0.0/16 local network
+10.0.0.0/8 local network
+172.16.0.0/16 local network
+169.254.0.0/16 local link
+
+# huge address ranges
+4.0.0.0/9 Level 3
+6.0.0.0/8 US Army
+7.0.0.0/8 US Army
+8.0.0.0/9 Level 3
+9.0.0.0/8 IBM
+11.0.0.0/8 US Army
+17.0.0.0/8 Apple
+19.0.0.0/8 Ford
+21.0.0.0/8 US Army
+22.0.0.0/8 US Army
+26.0.0.0/8 US Army
+28.0.0.0/8 US Army
+29.0.0.0/8 US Army
+30.0.0.0/8 US Army
+33.0.0.0/8 US Army
+48.0.0.0/8 Prudential US
+55.0.0.0/8 US Army
+56.0.0.0/8 US Postal Service
+214.0.0.0/8 US Army
+215.0.0.0/8 US Army
+
+# DNS
+1.1.1.0/24 Cloudflare DNS
+1.0.0.0/24 Cloudflare DNS
+4.2.2.1/32 Level3 DNS
+4.2.2.2/32 Level3 DNS
+4.2.2.3/32 Level3 DNS
+4.2.2.4/32 Level3 DNS
+8.8.4.0/24 Google DNS
+8.8.8.0/24 Google DNS
+9.9.9.0/24 Quad9 DNS
+45.90.28.0/22 NextDNS
+149.112.112.0/24 Quad9 DNS
+149.112.120.0/21 CIRA DNS Canada
+146.255.56.96/29 Applied Privacy
+176.103.128.0/19 Adguard DNS
+185.228.168.0/24 Cleanbrowsing DNS
+208.67.216.0/21 OpenDNS
+
+# whois
+193.0.0.0/21 whois.ripe.net Netherlands
+199.5.26.0/24 whois.arin.net US
+199.15.80.0/21 whois.publicinterestregistry.net Canada
+199.15.88.0/24 whois.publicinterestregistry.net Canada
+199.71.0.0/24 whois.arin.net US
+199.212.0.0/24 whois.arin.net US
+200.3.12.0/22 whois.lacnic.net Uruguay
+201.159.220.0/22 whois.lacnic.net Ecuador
+
+# some popular websites
+23.160.0.0/24 Twitch
+23.246.0.0/18 Netflix
+31.13.24.0/21 Facebook
+31.13.64.0/18 Facebook
+37.77.184.0/21 Netflix
+45.57.0.0/17 Netflix
+45.58.64.0/20 Dropbox
+45.113.128.0/22 Twitch
+47.88.0.0/14 Alibaba
+52.223.192.0/18 Twitch
+63.245.208.0/23 Mozilla
+64.63.0.0/18 Twitter
+64.112.13.0/24 Dropbox
+64.120.128.0/17 Netflix
+66.197.128.0/17 Netflix
+69.53.224.0/19 Netflix
+69.171.224.0/19 Facebook
+91.105.192.0/23 Telegram
+91.108.4.0/22 Telegram
+91.108.8.0/21 Telegram
+91.108.16.0/21 Telegram
+91.108.56.0/22 Telegram
+91.189.88.0/24 Ubuntu One
+91.189.90.0/23 Ubuntu One
+91.189.92.0/23 Ubuntu One
+91.189.94.0/24 Ubuntu One
+95.161.64.0/20 Telegram
+99.181.64.0/18 Twitch
+103.53.48.0/23 Twitch
+104.244.40.0/21 Twitter
+103.10.124.0/23 Steam
+103.28.54.0/24 Steam
+108.160.160.0/20 Dropbox
+108.175.32.0/20 Netflix
+129.134.0.0/16 Facebook
+140.82.112.0/20 GitHub
+143.55.64.0/20 Github
+146.66.152.0/24 Steam
+146.66.155.0/24 Steam
+149.154.160.0/20 Telegram
+153.254.86.0/24 Steam
+155.133.224.0/22 Steam
+155.133.230.0/24 Steam
+155.133.232.0/23 Steam
+155.133.234.0/24 Steam
+155.133.236.0/22 Steam
+155.133.240.0/23 Steam
+155.133.245.0/24 Steam
+155.133.246.0/24 Steam
+155.133.248.0/21 Steam
+157.240.0.0/16 Facebook
+162.125.0.0/16 Dropbox
+162.213.32.0/22 Ubuntu One
+162.254.192.0/21 Steam
+172.98.56.0/22 Rumble
+185.2.220.0/22 Netflix
+185.9.188.0/22 Netflix
+185.25.182.0/23 Steam
+185.42.204.0/22 Twitch
+185.45.8.0/22 Dropbox
+185.70.40.0/22 ProtonMail
+185.76.151.0/24 Telegram
+185.105.164.0/24 Dropbox
+185.125.188.0/22 Ubuntu One
+185.199.108.0/22 GitHub
+185.205.69.0/24 Tutanota
+188.64.224.0/21 Twitter
+190.217.33.0/24 Steam
+192.0.64.0/18 Wordpress
+192.16.64.0/21 Twitch
+192.30.252.0/22 GitHub
+192.69.96.0/22 Steam
+192.108.239.0/24 Twitch
+192.173.64.0/18 Netflix
+192.189.200.0/23 Dropbox
+194.169.254.0/24 Ubuntu One
+198.38.96.0/19 Netflix
+198.45.48.0/20 Netflix
+199.9.248.0/21 Twitch
+199.16.156.0/22 Twitter
+199.59.148.0/22 Twitter
+205.185.194.0/24 Steam
+205.196.6.0/24 Steam
+207.45.72.0/22 Netflix
+208.64.200.0/22 Steam
+208.75.76.0/22 Netflix
+208.78.164.0/22 Steam
+208.80.152.0/22 Wikipedia
+
+# WholeSale Internet
+69.30.192.0/18 WholeSale Internet
+69.197.128.0/18 WholeSale Internet
+173.208.128.0/17 WholeSale Internet
+204.12.192.0/18 WholeSale Internet
+208.67.0.0/21 WholeSale Internet
+208.110.64.0/19 WholeSale Internet
+208.110.91.0/24 WholeSale Internet
+
+# StackPath
+69.16.173.0/24 StackPath
+69.16.174.0/23 StackPath
+69.16.176.0/20 StackPath
+151.139.0.0/16 StackPath
+
+# Linode
+103.29.68.0/22 Linode
+104.200.16.0/21 Linode
+104.200.24.0/22 Linode
+104.200.25.0/24 Linode
+104.200.26.0/24 Linode
+104.200.27.0/24 Linode
+104.200.28.0/22 Linode
+104.237.128.0/21 Linode
+104.237.136.0/21 Linode
+104.237.144.0/21 Linode
+104.237.152.0/21 Linode
+104.237.152.0/24 Linode
+104.237.153.0/24 Linode
+104.237.154.0/24 Linode
+104.237.155.0/24 Linode
+104.237.156.0/24 Linode
+104.237.157.0/24 Linode
+104.237.158.0/24 Linode
+104.237.159.0/24 Linode
+109.237.24.0/22 Linode
+109.74.192.0/20 Linode
+139.144.0.0/20 Linode
+139.144.104.0/21 Linode
+139.144.112.0/20 Linode
+139.144.128.0/21 Linode
+139.144.136.0/21 Linode
+139.144.144.0/20 Linode
+139.144.160.0/22 Linode
+139.144.16.0/20 Linode
+139.144.164.0/22 Linode
+139.144.168.0/21 Linode
+139.144.176.0/21 Linode
+139.144.184.0/21 Linode
+139.144.192.0/19 Linode
+139.144.224.0/21 Linode
+139.144.232.0/21 Linode
+139.144.240.0/22 Linode
+139.144.32.0/21 Linode
+139.144.40.0/21 Linode
+139.144.48.0/20 Linode
+139.144.64.0/20 Linode
+139.144.80.0/21 Linode
+139.144.88.0/21 Linode
+139.144.96.0/21 Linode
+139.162.0.0/19 Linode
+139.162.128.0/19 Linode
+139.162.160.0/19 Linode
+139.162.192.0/19 Linode
+139.162.224.0/19 Linode
+139.162.32.0/19 Linode
+139.162.64.0/19 Linode
+139.162.96.0/19 Linode
+139.177.176.0/21 Linode
+139.177.184.0/21 Linode
+139.177.192.0/21 Linode
+139.177.200.0/21 Linode
+151.236.216.0/21 Linode
+162.216.16.0/22 Linode
+170.187.128.0/24 Linode
+170.187.129.0/24 Linode
+170.187.131.0/24 Linode
+170.187.132.0/24 Linode
+170.187.134.0/23 Linode
+170.187.136.0/21 Linode
+170.187.144.0/20 Linode
+170.187.160.0/21 Linode
+170.187.168.0/21 Linode
+170.187.176.0/21 Linode
+170.187.184.0/21 Linode
+170.187.192.0/22 Linode
+170.187.196.0/22 Linode
+170.187.200.0/21 Linode
+170.187.208.0/20 Linode
+170.187.224.0/21 Linode
+170.187.232.0/21 Linode
+170.187.240.0/21 Linode
+170.187.248.0/21 Linode
+172.104.0.0/15 Linode
+172.104.128.0/19 Linode
+172.104.160.0/19 Linode
+172.104.192.0/21 Linode
+172.104.200.0/23 Linode
+172.104.202.0/23 Linode
+172.104.205.0/24 Linode
+172.104.206.0/24 Linode
+172.104.207.0/24 Linode
+172.104.208.0/20 Linode
+172.104.220.0/24 Linode
+172.104.224.0/19 Linode
+172.104.32.0/19 Linode
+172.104.4.0/22 Linode
+172.104.64.0/19 Linode
+172.104.8.0/21 Linode
+172.104.96.0/19 Linode
+172.105.0.0/19 Linode
+172.105.112.0/20 Linode
+172.105.128.0/23 Linode
+
+# Akamai
+23.0.0.0/12 Akamai
+23.32.0.0/11 Akamai
+23.64.0.0/14 Akamai
+23.72.0.0/13 Akamai
+23.192.0.0/11 Akamai
+72.246.0.0/15 Akamai
+96.6.0.0/15 Akamai
+96.16.0.0/15 Akamai
+104.64.0.0/10 Akamai
+184.24.0.0/13 Akamai
+184.50.0.0/15 Akamai
+184.84.0.0/14 Akamai
+
+# Fastly
+23.235.32.0/20 Fastly
+43.249.72.0/22 Fastly
+103.244.50.0/24 Fastly
+103.245.222.0/23 Fastly
+103.245.224.0/24 Fastly
+104.156.80.0/20 Fastly
+146.75.0.0/16 Fastly
+151.101.0.0/16 Fastly
+157.52.64.0/18 Fastly
+167.82.0.0/17 Fastly
+167.82.128.0/20 Fastly
+167.82.160.0/20 Fastly
+167.82.224.0/20 Fastly
+172.111.64.0/18 Fastly
+185.31.16.0/22 Fastly
+199.27.72.0/21 Fastly
+199.232.0.0/16 Fastly
+
+# MCI/Verizon
+72.21.80.0/20 MCI
+108.29.0.0/16 MCI
+108.30.0.0/16 MCI
+108.31.0.0/16 MCI
+108.3.128.0/17 MCI
+108.32.0.0/17 MCI
+108.32.128.0/17 MCI
+108.33.254.0/24 MCI
+108.33.255.0/24 MCI
+108.34.128.0/17 MCI
+108.34.16.0/20 MCI
+108.34.32.0/19 MCI
+108.34.64.0/18 MCI
+108.35.0.0/16 MCI
+108.36.0.0/16 MCI
+108.3.64.0/18 MCI
+108.37.0.0/16 MCI
+108.39.0.0/17 MCI
+108.39.128.0/17 MCI
+108.40.0.0/17 MCI
+108.4.0.0/17 MCI
+108.41.0.0/16 MCI
+108.4.128.0/19 MCI
+108.4.160.0/19 MCI
+108.4.192.0/18 MCI
+108.44.0.0/18 MCI
+108.44.128.0/17 MCI
+108.44.64.0/18 MCI
+108.45.0.0/16 MCI
+108.46.0.0/16 MCI
+192.229.128.0/17 MCI
+
+# Microsoft
+40.76.0.0/14 Microsoft
+40.96.0.0/12 Microsoft
+40.112.0.0/13 Microsoft
+40.124.0.0/16 Microsoft
+40.74.0.0/15 Microsoft
+40.80.0.0/12 Microsoft
+40.120.0.0/14 Microsoft
+40.125.0.0/17 Microsoft
+52.145.0.0/16 Microsoft
+52.148.0.0/14 Microsoft
+52.152.0.0/13 Microsoft
+52.146.0.0/15 Microsoft
+52.160.0.0/11 Microsoft
+
+# Yahoo
+63.250.192.0/19 Yahoo
+66.196.64.0/18 Yahoo
+67.195.0.0/16 Yahoo
+69.147.64.0/18 Yahoo
+76.13.0.0/16 Yahoo
+98.136.0.0/14 Yahoo
+206.190.32.0/19 Yahoo
+209.73.160.0/19 Yahoo
+209.191.64.0/18 Yahoo
+216.115.96.0/20 Yahoo
+
+# Google
+# from https://support.google.com/a/answer/10026322?hl=en
+# last update January 5, 2022
+8.34.208.0/20 Google
+8.35.192.0/20 Google
+23.236.48.0/20 Google
+23.251.128.0/19 Google
+34.64.0.0/10 Google
+34.128.0.0/10 Google
+35.184.0.0/13 Google
+35.192.0.0/14 Google
+35.196.0.0/15 Google
+35.198.0.0/16 Google
+35.199.0.0/17 Google
+35.199.128.0/18 Google
+35.200.0.0/13 Google
+35.208.0.0/12 Google
+35.224.0.0/12 Google
+35.240.0.0/13 Google
+64.15.112.0/20 Google
+64.233.160.0/19 Google
+66.102.0.0/20 Google
+66.249.64.0/19 Google
+70.32.128.0/19 Google
+72.14.192.0/18 Google
+74.114.24.0/21 Google
+74.125.0.0/16 Google
+104.154.0.0/15 Google
+104.196.0.0/14 Google
+104.237.160.0/19 Google
+107.167.160.0/19 Google
+107.178.192.0/18 Google
+108.59.80.0/20 Google
+108.170.192.0/18 Google
+108.177.0.0/17 Google
+130.211.0.0/16 Google
+136.112.0.0/12 Google
+142.250.0.0/15 Google
+146.148.0.0/17 Google
+162.216.148.0/22 Google
+162.222.176.0/21 Google
+172.110.32.0/21 Google
+172.217.0.0/16 Google
+172.253.0.0/16 Google
+173.194.0.0/16 Google
+173.255.112.0/20 Google
+192.158.28.0/22 Google
+192.178.0.0/15 Google
+193.186.4.0/24 Google
+199.36.154.0/23 Google
+199.36.156.0/24 Google
+199.192.112.0/22 Google
+199.223.232.0/21 Google
+207.223.160.0/20 Google
+208.65.152.0/22 Google
+208.68.108.0/22 Google
+208.81.188.0/22 Google
+208.117.224.0/19 Google
+209.85.128.0/17 Google
+216.58.192.0/19 Google
+216.73.80.0/20 Google
+216.239.32.0/19 Google
+
+
+#Cloudflare
+# from https://www.cloudflare.com/ips/
+# update April 8, 2021
+103.21.244.0/22 Cloudflare
+103.22.200.0/22 Cloudflare
+103.31.4.0/22 Cloudflare
+104.16.0.0/13 Cloudflare
+104.24.0.0/14 Cloudflare
+108.162.192.0/18 Cloudflare
+131.0.72.0/22 Cloudflare
+141.101.64.0/18 Cloudflare
+162.158.0.0/15 Cloudflare
+172.64.0.0/13 Cloudflare
+173.245.48.0/20 Cloudflare
+188.114.96.0/20 Cloudflare
+190.93.240.0/20 Cloudflare
+197.234.240.0/22 Cloudflare
+198.41.128.0/17 Cloudflare
+
+# Amazon
+# from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
+# update January 6, 2022
+3.0.0.0/15 Amazon
+3.2.0.0/24 Amazon
+3.2.2.0/24 Amazon
+3.2.3.0/24 Amazon
+3.2.8.0/21 Amazon
+3.3.0.0/23 Amazon
+3.3.5.0/24 Amazon
+3.3.6.0/23 Amazon
+3.3.8.0/21 Amazon
+3.3.16.0/21 Amazon
+3.3.24.0/22 Amazon
+3.3.28.0/22 Amazon
+3.4.0.0/24 Amazon
+3.4.1.0/24 Amazon
+3.4.2.0/24 Amazon
+3.4.3.0/24 Amazon
+3.4.4.0/24 Amazon
+3.4.6.0/24 Amazon
+3.4.7.0/24 Amazon
+3.4.16.0/21 Amazon
+3.4.24.0/21 Amazon
+3.5.0.0/19 Amazon
+3.5.32.0/22 Amazon
+3.5.36.0/22 Amazon
+3.5.40.0/22 Amazon
+3.5.44.0/22 Amazon
+3.5.48.0/22 Amazon
+3.5.52.0/22 Amazon
+3.5.64.0/21 Amazon
+3.5.72.0/23 Amazon
+3.5.76.0/22 Amazon
+3.5.80.0/21 Amazon
+3.5.128.0/22 Amazon
+3.5.132.0/23 Amazon
+3.5.134.0/23 Amazon
+3.5.136.0/22 Amazon
+3.5.140.0/22 Amazon
+3.5.144.0/23 Amazon
+3.5.146.0/23 Amazon
+3.5.148.0/22 Amazon
+3.5.152.0/21 Amazon
+3.5.160.0/22 Amazon
+3.5.164.0/22 Amazon
+3.5.168.0/23 Amazon
+3.5.208.0/22 Amazon
+3.5.212.0/23 Amazon
+3.5.216.0/22 Amazon
+3.5.220.0/22 Amazon
+3.5.224.0/22 Amazon
+3.5.228.0/22 Amazon
+3.5.232.0/22 Amazon
+3.5.236.0/22 Amazon
+3.5.240.0/22 Amazon
+3.5.244.0/22 Amazon
+3.5.248.0/22 Amazon
+3.5.252.0/22 Amazon
+3.6.0.0/15 Amazon
+3.8.0.0/14 Amazon
+3.12.0.0/16 Amazon
+3.13.0.0/16 Amazon
+3.14.0.0/15 Amazon
+3.16.0.0/14 Amazon
+3.20.0.0/14 Amazon
+3.24.0.0/14 Amazon
+3.28.0.0/15 Amazon
+3.30.0.0/15 Amazon
+3.32.0.0/16 Amazon
+3.33.34.0/24 Amazon
+3.33.35.0/24 Amazon
+3.33.128.0/17 Amazon
+3.34.0.0/15 Amazon
+3.36.0.0/14 Amazon
+3.48.0.0/12 Amazon
+3.64.0.0/12 Amazon
+3.80.0.0/12 Amazon
+3.96.0.0/15 Amazon
+3.98.0.0/15 Amazon
+3.100.0.0/16 Amazon
+3.101.0.0/16 Amazon
+3.104.0.0/14 Amazon
+3.108.0.0/14 Amazon
+3.112.0.0/14 Amazon
+3.116.0.0/14 Amazon
+3.120.0.0/14 Amazon
+3.124.0.0/14 Amazon
+3.128.0.0/15 Amazon
+3.130.0.0/16 Amazon
+3.131.0.0/16 Amazon
+3.132.0.0/14 Amazon
+3.136.0.0/13 Amazon
+3.144.0.0/13 Amazon
+3.152.0.0/13 Amazon
+3.208.0.0/12 Amazon
+3.224.0.0/12 Amazon
+3.240.0.0/13 Amazon
+3.248.0.0/13 Amazon
+13.32.0.0/15 Amazon
+13.34.0.128/27 Amazon
+13.34.0.160/27 Amazon
+13.34.1.0/27 Amazon
+13.34.1.32/27 Amazon
+13.34.3.128/27 Amazon
+13.34.3.160/27 Amazon
+13.34.3.192/27 Amazon
+13.34.3.224/27 Amazon
+13.34.4.64/27 Amazon
+13.34.4.96/27 Amazon
+13.34.5.12/32 Amazon
+13.34.5.13/32 Amazon
+13.34.5.14/32 Amazon
+13.34.5.15/32 Amazon
+13.34.5.16/32 Amazon
+13.34.5.17/32 Amazon
+13.34.5.44/32 Amazon
+13.34.5.45/32 Amazon
+13.34.5.46/32 Amazon
+13.34.5.47/32 Amazon
+13.34.5.48/32 Amazon
+13.34.5.49/32 Amazon
+13.34.5.78/32 Amazon
+13.34.5.79/32 Amazon
+13.34.5.80/32 Amazon
+13.34.5.81/32 Amazon
+13.34.5.110/32 Amazon
+13.34.5.111/32 Amazon
+13.34.5.112/32 Amazon
+13.34.5.113/32 Amazon
+13.34.5.128/27 Amazon
+13.34.5.160/27 Amazon
+13.34.5.192/27 Amazon
+13.34.5.224/27 Amazon
+13.34.6.192/27 Amazon
+13.34.6.224/27 Amazon
+13.34.7.64/27 Amazon
+13.34.7.96/27 Amazon
+13.34.8.64/27 Amazon
+13.34.8.96/27 Amazon
+13.34.9.0/27 Amazon
+13.34.9.32/27 Amazon
+13.34.10.128/27 Amazon
+13.34.10.160/27 Amazon
+13.34.11.0/27 Amazon
+13.34.11.32/27 Amazon
+13.34.11.128/27 Amazon
+13.34.11.160/27 Amazon
+13.34.12.64/27 Amazon
+13.34.12.96/27 Amazon
+13.34.12.192/27 Amazon
+13.34.12.242/32 Amazon
+13.34.12.243/32 Amazon
+13.34.12.244/32 Amazon
+13.34.12.245/32 Amazon
+13.34.13.18/32 Amazon
+13.34.13.19/32 Amazon
+13.34.13.20/32 Amazon
+13.34.13.21/32 Amazon
+13.34.13.50/32 Amazon
+13.34.13.51/32 Amazon
+13.34.13.52/32 Amazon
+13.34.13.53/32 Amazon
+13.34.14.128/27 Amazon
+13.34.14.160/27 Amazon
+13.34.14.192/27 Amazon
+13.34.14.224/27 Amazon
+13.34.15.0/27 Amazon
+13.34.15.32/27 Amazon
+13.34.16.64/27 Amazon
+13.34.16.96/27 Amazon
+13.34.16.192/27 Amazon
+13.34.17.24/29 Amazon
+13.34.17.64/27 Amazon
+13.34.17.96/27 Amazon
+13.34.18.192/27 Amazon
+13.34.18.224/27 Amazon
+13.34.19.192/27 Amazon
+13.34.19.224/27 Amazon
+13.34.20.0/27 Amazon
+13.34.20.32/27 Amazon
+13.34.20.64/27 Amazon
+13.34.20.96/27 Amazon
+13.34.21.64/27 Amazon
+13.34.21.96/27 Amazon
+13.34.22.88/29 Amazon
+13.34.22.160/27 Amazon
+13.34.22.192/27 Amazon
+13.34.22.224/27 Amazon
+13.34.23.0/27 Amazon
+13.34.23.32/27 Amazon
+13.34.23.64/27 Amazon
+13.34.23.96/27 Amazon
+13.34.23.128/27 Amazon
+13.34.23.160/27 Amazon
+13.34.23.192/27 Amazon
+13.34.23.224/27 Amazon
+13.34.24.64/27 Amazon
+13.34.24.96/27 Amazon
+13.34.24.128/27 Amazon
+13.34.24.160/27 Amazon
+13.34.24.192/27 Amazon
+13.34.25.64/27 Amazon
+13.34.25.96/27 Amazon
+13.34.25.128/27 Amazon
+13.34.25.160/27 Amazon
+13.34.25.192/27 Amazon
+13.34.25.248/29 Amazon
+13.34.26.0/27 Amazon
+13.34.26.32/27 Amazon
+13.34.26.64/27 Amazon
+13.34.26.96/27 Amazon
+13.34.26.128/27 Amazon
+13.34.26.160/27 Amazon
+13.34.26.192/27 Amazon
+13.34.26.224/27 Amazon
+13.34.27.16/32 Amazon
+13.34.27.17/32 Amazon
+13.34.27.32/27 Amazon
+13.34.27.64/27 Amazon
+13.34.27.96/27 Amazon
+13.34.27.128/27 Amazon
+13.34.28.0/27 Amazon
+13.34.28.32/27 Amazon
+13.34.28.64/27 Amazon
+13.34.28.96/27 Amazon
+13.34.28.128/27 Amazon
+13.34.28.160/27 Amazon
+13.34.28.192/27 Amazon
+13.34.28.224/27 Amazon
+13.34.29.0/27 Amazon
+13.34.29.32/27 Amazon
+13.34.29.64/27 Amazon
+13.34.29.96/27 Amazon
+13.34.29.128/27 Amazon
+13.34.29.160/27 Amazon
+13.34.29.192/27 Amazon
+13.34.29.224/27 Amazon
+13.34.30.0/27 Amazon
+13.34.30.32/27 Amazon
+13.34.30.64/27 Amazon
+13.34.30.96/27 Amazon
+13.34.30.128/27 Amazon
+13.34.30.160/27 Amazon
+13.34.30.192/27 Amazon
+13.34.30.224/27 Amazon
+13.34.31.0/27 Amazon
+13.34.31.32/27 Amazon
+13.34.31.64/27 Amazon
+13.34.31.96/27 Amazon
+13.34.31.128/27 Amazon
+13.34.31.160/27 Amazon
+13.34.31.192/27 Amazon
+13.34.31.224/27 Amazon
+13.34.32.0/27 Amazon
+13.34.32.32/27 Amazon
+13.34.32.64/27 Amazon
+13.34.32.96/27 Amazon
+13.34.32.128/27 Amazon
+13.34.32.160/27 Amazon
+13.34.33.0/27 Amazon
+13.34.33.32/27 Amazon
+13.34.33.64/27 Amazon
+13.34.33.96/27 Amazon
+13.34.33.128/27 Amazon
+13.34.33.160/27 Amazon
+13.34.33.192/27 Amazon
+13.34.33.224/27 Amazon
+13.34.34.0/27 Amazon
+13.34.34.32/27 Amazon
+13.34.34.64/27 Amazon
+13.34.34.96/27 Amazon
+13.34.34.128/27 Amazon
+13.34.34.160/27 Amazon
+13.34.34.192/27 Amazon
+13.34.34.224/27 Amazon
+13.34.35.0/27 Amazon
+13.34.35.32/27 Amazon
+13.34.35.64/27 Amazon
+13.34.35.96/27 Amazon
+13.34.35.128/27 Amazon
+13.34.35.160/27 Amazon
+13.34.35.192/27 Amazon
+13.34.35.224/27 Amazon
+13.34.36.0/27 Amazon
+13.34.36.32/27 Amazon
+13.34.36.64/27 Amazon
+13.34.36.96/27 Amazon
+13.34.36.128/27 Amazon
+13.34.36.160/27 Amazon
+13.34.36.192/27 Amazon
+13.34.36.224/27 Amazon
+13.34.37.0/27 Amazon
+13.34.37.32/27 Amazon
+13.34.37.64/27 Amazon
+13.34.37.96/27 Amazon
+13.34.37.128/27 Amazon
+13.34.37.160/27 Amazon
+13.34.37.192/27 Amazon
+13.34.37.224/27 Amazon
+13.34.38.0/27 Amazon
+13.34.38.32/27 Amazon
+13.34.38.64/27 Amazon
+13.34.38.96/27 Amazon
+13.34.38.128/27 Amazon
+13.34.38.160/27 Amazon
+13.34.39.0/27 Amazon
+13.34.39.32/27 Amazon
+13.34.39.64/27 Amazon
+13.34.39.96/27 Amazon
+13.34.39.128/27 Amazon
+13.34.39.160/27 Amazon
+13.34.39.192/27 Amazon
+13.34.39.224/27 Amazon
+13.34.40.0/27 Amazon
+13.34.40.32/27 Amazon
+13.34.40.64/27 Amazon
+13.34.40.96/27 Amazon
+13.34.40.128/27 Amazon
+13.34.40.160/27 Amazon
+13.34.40.192/27 Amazon
+13.34.40.224/27 Amazon
+13.34.41.0/27 Amazon
+13.34.41.32/27 Amazon
+13.34.41.64/27 Amazon
+13.34.41.96/27 Amazon
+13.34.41.128/27 Amazon
+13.34.41.160/27 Amazon
+13.34.41.192/27 Amazon
+13.34.41.224/27 Amazon
+13.34.42.0/27 Amazon
+13.34.42.32/27 Amazon
+13.34.42.64/27 Amazon
+13.34.42.96/27 Amazon
+13.34.42.128/27 Amazon
+13.34.42.160/27 Amazon
+13.34.42.192/27 Amazon
+13.34.42.224/27 Amazon
+13.34.43.0/27 Amazon
+13.34.43.32/27 Amazon
+13.34.43.64/27 Amazon
+13.34.43.96/27 Amazon
+13.34.43.128/27 Amazon
+13.34.43.160/27 Amazon
+13.34.43.192/27 Amazon
+13.34.43.224/27 Amazon
+13.34.44.0/27 Amazon
+13.34.44.32/27 Amazon
+13.34.44.64/27 Amazon
+13.34.44.96/27 Amazon
+13.34.44.128/27 Amazon
+13.34.44.160/27 Amazon
+13.34.44.192/27 Amazon
+13.34.44.224/27 Amazon
+13.34.45.0/27 Amazon
+13.34.45.32/27 Amazon
+13.34.45.64/27 Amazon
+13.34.45.96/27 Amazon
+13.34.45.128/27 Amazon
+13.34.45.160/27 Amazon
+13.34.45.192/27 Amazon
+13.34.45.224/27 Amazon
+13.34.46.0/27 Amazon
+13.34.46.32/27 Amazon
+13.34.46.64/27 Amazon
+13.34.46.96/27 Amazon
+13.34.46.128/27 Amazon
+13.34.46.160/27 Amazon
+13.34.46.192/27 Amazon
+13.34.46.224/27 Amazon
+13.34.47.0/27 Amazon
+13.34.47.32/27 Amazon
+13.34.47.64/27 Amazon
+13.34.47.96/27 Amazon
+13.34.47.128/27 Amazon
+13.34.47.160/27 Amazon
+13.34.47.192/27 Amazon
+13.34.47.224/27 Amazon
+13.34.48.0/27 Amazon
+13.34.48.32/27 Amazon
+13.34.48.64/27 Amazon
+13.34.48.96/27 Amazon
+13.34.48.128/27 Amazon
+13.34.48.160/27 Amazon
+13.34.48.192/27 Amazon
+13.34.48.224/27 Amazon
+13.34.49.0/27 Amazon
+13.34.49.32/27 Amazon
+13.34.49.64/27 Amazon
+13.34.49.96/27 Amazon
+13.34.49.128/27 Amazon
+13.34.49.160/27 Amazon
+13.34.49.192/27 Amazon
+13.34.49.224/27 Amazon
+13.34.50.0/27 Amazon
+13.34.50.32/27 Amazon
+13.34.50.64/27 Amazon
+13.34.50.96/27 Amazon
+13.34.50.128/27 Amazon
+13.34.50.160/27 Amazon
+13.34.50.192/27 Amazon
+13.34.50.224/27 Amazon
+13.34.51.0/27 Amazon
+13.34.51.32/27 Amazon
+13.34.51.64/27 Amazon
+13.34.51.96/27 Amazon
+13.34.51.128/27 Amazon
+13.34.51.160/27 Amazon
+13.34.51.192/27 Amazon
+13.34.51.224/27 Amazon
+13.34.52.0/27 Amazon
+13.34.52.32/27 Amazon
+13.34.52.64/27 Amazon
+13.34.52.96/27 Amazon
+13.34.52.128/27 Amazon
+13.34.52.160/27 Amazon
+13.34.52.192/27 Amazon
+13.34.52.224/27 Amazon
+13.34.53.0/27 Amazon
+13.34.53.32/27 Amazon
+13.34.53.64/27 Amazon
+13.34.53.96/27 Amazon
+13.34.53.128/27 Amazon
+13.34.53.160/27 Amazon
+13.34.53.192/27 Amazon
+13.34.53.224/27 Amazon
+13.34.54.0/27 Amazon
+13.34.54.32/27 Amazon
+13.34.54.64/27 Amazon
+13.34.54.96/27 Amazon
+13.34.54.128/27 Amazon
+13.34.54.160/27 Amazon
+13.34.54.192/27 Amazon
+13.34.54.224/27 Amazon
+13.34.55.0/27 Amazon
+13.34.55.32/27 Amazon
+13.34.55.64/27 Amazon
+13.34.55.96/27 Amazon
+13.34.55.128/27 Amazon
+13.34.55.160/27 Amazon
+13.34.55.192/27 Amazon
+13.34.55.224/27 Amazon
+13.34.56.0/27 Amazon
+13.34.56.32/27 Amazon
+13.34.56.64/27 Amazon
+13.34.56.96/27 Amazon
+13.34.56.128/27 Amazon
+13.34.56.160/27 Amazon
+13.34.56.192/27 Amazon
+13.34.56.224/27 Amazon
+13.34.57.0/27 Amazon
+13.34.57.32/27 Amazon
+13.34.57.64/27 Amazon
+13.34.57.96/27 Amazon
+13.34.57.128/27 Amazon
+13.34.57.160/27 Amazon
+13.34.57.192/27 Amazon
+13.34.57.224/27 Amazon
+13.34.58.0/27 Amazon
+13.34.58.32/27 Amazon
+13.34.58.64/27 Amazon
+13.34.58.96/27 Amazon
+13.34.58.128/27 Amazon
+13.34.58.160/27 Amazon
+13.34.58.192/27 Amazon
+13.34.58.224/27 Amazon
+13.34.59.0/27 Amazon
+13.34.59.32/27 Amazon
+13.34.59.64/27 Amazon
+13.34.59.96/27 Amazon
+13.34.59.128/27 Amazon
+13.34.59.160/27 Amazon
+13.34.59.192/27 Amazon
+13.34.59.224/27 Amazon
+13.34.60.0/27 Amazon
+13.34.60.32/27 Amazon
+13.34.60.64/27 Amazon
+13.34.60.96/27 Amazon
+13.34.60.128/27 Amazon
+13.34.60.160/27 Amazon
+13.34.60.192/27 Amazon
+13.34.60.224/27 Amazon
+13.34.61.0/27 Amazon
+13.34.61.32/27 Amazon
+13.34.61.64/27 Amazon
+13.34.61.96/27 Amazon
+13.34.61.128/27 Amazon
+13.34.61.160/27 Amazon
+13.34.61.192/27 Amazon
+13.34.61.224/27 Amazon
+13.34.62.0/27 Amazon
+13.34.62.32/27 Amazon
+13.34.62.128/27 Amazon
+13.34.62.160/27 Amazon
+13.34.62.192/27 Amazon
+13.34.62.224/27 Amazon
+13.34.63.0/27 Amazon
+13.34.63.32/27 Amazon
+13.34.63.64/27 Amazon
+13.34.63.96/27 Amazon
+13.34.63.128/27 Amazon
+13.34.63.160/27 Amazon
+13.35.0.0/16 Amazon
+13.36.0.0/14 Amazon
+13.40.0.0/14 Amazon
+13.44.0.0/14 Amazon
+13.48.0.0/15 Amazon
+13.50.0.0/16 Amazon
+13.51.0.0/16 Amazon
+13.52.0.0/16 Amazon
+13.53.0.0/16 Amazon
+13.54.0.0/15 Amazon
+13.56.0.0/16 Amazon
+13.57.0.0/16 Amazon
+13.58.0.0/15 Amazon
+13.112.0.0/14 Amazon
+13.124.0.0/16 Amazon
+13.125.0.0/16 Amazon
+13.126.0.0/15 Amazon
+13.200.0.0/13 Amazon
+13.208.0.0/16 Amazon
+13.209.0.0/16 Amazon
+13.210.0.0/15 Amazon
+13.212.0.0/15 Amazon
+13.214.0.0/15 Amazon
+13.224.0.0/14 Amazon
+13.228.0.0/15 Amazon
+13.230.0.0/15 Amazon
+13.232.0.0/14 Amazon
+13.236.0.0/14 Amazon
+13.244.0.0/15 Amazon
+13.246.0.0/16 Amazon
+13.247.0.0/16 Amazon
+13.248.0.0/20 Amazon
+13.248.16.0/21 Amazon
+13.248.24.0/22 Amazon
+13.248.28.0/22 Amazon
+13.248.32.0/20 Amazon
+13.248.48.0/21 Amazon
+13.248.56.0/22 Amazon
+13.248.60.0/22 Amazon
+13.248.64.0/24 Amazon
+13.248.65.0/24 Amazon
+13.248.66.0/24 Amazon
+13.248.67.0/24 Amazon
+13.248.68.0/24 Amazon
+13.248.69.0/24 Amazon
+13.248.70.0/24 Amazon
+13.248.71.0/24 Amazon
+13.248.96.0/24 Amazon
+13.248.97.0/24 Amazon
+13.248.98.0/24 Amazon
+13.248.99.0/24 Amazon
+13.248.100.0/24 Amazon
+13.248.101.0/24 Amazon
+13.248.102.0/24 Amazon
+13.248.103.0/24 Amazon
+13.248.104.0/24 Amazon
+13.248.105.0/24 Amazon
+13.248.106.0/24 Amazon
+13.248.107.0/24 Amazon
+13.248.108.0/24 Amazon
+13.248.109.0/24 Amazon
+13.248.111.0/24 Amazon
+13.248.112.0/24 Amazon
+13.248.113.0/24 Amazon
+13.248.114.0/24 Amazon
+13.248.115.0/24 Amazon
+13.248.116.0/24 Amazon
+13.248.117.0/24 Amazon
+13.248.118.0/24 Amazon
+13.248.119.0/24 Amazon
+13.248.120.0/24 Amazon
+13.248.121.0/24 Amazon
+13.248.122.0/24 Amazon
+13.248.123.0/24 Amazon
+13.248.124.0/24 Amazon
+13.248.125.0/24 Amazon
+13.248.126.0/24 Amazon
+13.248.127.0/24 Amazon
+13.248.128.0/17 Amazon
+13.249.0.0/16 Amazon
+13.250.0.0/15 Amazon
+15.152.0.0/16 Amazon
+15.156.0.0/15 Amazon
+15.158.0.0/16 Amazon
+15.160.0.0/16 Amazon
+15.161.0.0/16 Amazon
+15.164.0.0/15 Amazon
+15.168.0.0/16 Amazon
+15.177.0.0/18 Amazon
+15.177.64.0/23 Amazon
+15.177.66.0/23 Amazon
+15.177.68.0/23 Amazon
+15.177.70.0/23 Amazon
+15.177.72.0/24 Amazon
+15.177.73.0/24 Amazon
+15.177.74.0/24 Amazon
+15.177.75.0/24 Amazon
+15.177.76.0/24 Amazon
+15.177.77.0/24 Amazon
+15.177.78.0/24 Amazon
+15.177.79.0/24 Amazon
+15.177.80.0/24 Amazon
+15.177.81.0/24 Amazon
+15.177.82.0/24 Amazon
+15.177.83.0/24 Amazon
+15.177.84.0/24 Amazon
+15.177.85.0/24 Amazon
+15.177.86.0/24 Amazon
+15.177.87.0/24 Amazon
+15.177.88.0/24 Amazon
+15.177.89.0/24 Amazon
+15.177.90.0/24 Amazon
+15.177.91.0/24 Amazon
+15.177.92.0/24 Amazon
+15.181.0.0/20 Amazon
+15.181.16.0/20 Amazon
+15.181.32.0/21 Amazon
+15.181.40.0/21 Amazon
+15.181.48.0/20 Amazon
+15.181.64.0/20 Amazon
+15.181.80.0/20 Amazon
+15.181.96.0/20 Amazon
+15.181.112.0/22 Amazon
+15.181.116.0/22 Amazon
+15.181.120.0/21 Amazon
+15.181.128.0/20 Amazon
+15.181.144.0/20 Amazon
+15.181.160.0/20 Amazon
+15.181.176.0/20 Amazon
+15.181.192.0/19 Amazon
+15.181.224.0/21 Amazon
+15.181.232.0/21 Amazon
+15.181.240.0/24 Amazon
+15.181.241.0/24 Amazon
+15.181.242.0/24 Amazon
+15.181.243.0/24 Amazon
+15.181.244.0/24 Amazon
+15.181.245.0/24 Amazon
+15.181.246.0/24 Amazon
+15.181.247.0/24 Amazon
+15.181.248.0/24 Amazon
+15.181.249.0/24 Amazon
+15.181.250.0/24 Amazon
+15.181.251.0/24 Amazon
+15.181.252.0/24 Amazon
+15.181.253.0/24 Amazon
+15.181.254.0/24 Amazon
+15.184.0.0/16 Amazon
+15.185.0.0/16 Amazon
+15.188.0.0/16 Amazon
+15.191.0.0/16 Amazon
+15.193.0.0/19 Amazon
+15.197.0.0/23 Amazon
+15.197.2.0/24 Amazon
+15.197.3.0/24 Amazon
+15.197.4.0/22 Amazon
+15.197.8.0/22 Amazon
+15.197.12.0/22 Amazon
+15.197.16.0/23 Amazon
+15.197.18.0/23 Amazon
+15.197.20.0/22 Amazon
+15.197.24.0/22 Amazon
+15.197.28.0/23 Amazon
+15.197.30.0/23 Amazon
+15.197.32.0/23 Amazon
+15.197.128.0/17 Amazon
+15.200.0.0/16 Amazon
+15.205.0.0/16 Amazon
+15.206.0.0/15 Amazon
+15.220.0.0/20 Amazon
+15.220.16.0/20 Amazon
+15.220.220.0/23 Amazon
+15.220.222.0/23 Amazon
+15.220.224.0/23 Amazon
+15.220.226.0/24 Amazon
+15.220.250.0/23 Amazon
+15.220.252.0/22 Amazon
+15.221.0.0/24 Amazon
+15.221.1.0/24 Amazon
+15.221.2.0/24 Amazon
+15.221.3.0/24 Amazon
+15.221.4.0/23 Amazon
+15.221.6.0/24 Amazon
+15.221.7.0/24 Amazon
+15.221.8.0/21 Amazon
+15.221.16.0/22 Amazon
+15.221.20.0/22 Amazon
+15.221.24.0/21 Amazon
+15.221.33.0/24 Amazon
+15.221.34.0/24 Amazon
+15.221.35.0/24 Amazon
+15.221.36.0/22 Amazon
+15.221.40.0/21 Amazon
+15.221.48.0/24 Amazon
+15.221.49.0/24 Amazon
+15.221.50.0/24 Amazon
+15.221.51.0/24 Amazon
+15.221.52.0/24 Amazon
+15.221.53.0/24 Amazon
+15.222.0.0/15 Amazon
+15.228.0.0/15 Amazon
+15.230.0.4/32 Amazon
+15.230.0.5/32 Amazon
+15.230.0.6/31 Amazon
+15.230.0.12/31 Amazon
+15.230.0.14/32 Amazon
+15.230.4.19/32 Amazon
+15.230.4.152/31 Amazon
+15.230.4.154/31 Amazon
+15.230.4.156/31 Amazon
+15.230.4.158/31 Amazon
+15.230.4.160/31 Amazon
+15.230.4.162/31 Amazon
+15.230.4.176/28 Amazon
+15.230.5.0/24 Amazon
+15.230.6.0/24 Amazon
+15.230.14.12/32 Amazon
+15.230.14.18/31 Amazon
+15.230.14.20/31 Amazon
+15.230.14.252/31 Amazon
+15.230.16.0/32 Amazon
+15.230.16.12/32 Amazon
+15.230.16.17/32 Amazon
+15.230.16.18/31 Amazon
+15.230.16.20/31 Amazon
+15.230.16.252/31 Amazon
+15.230.18.0/24 Amazon
+15.230.21.0/24 Amazon
+15.230.22.0/24 Amazon
+15.230.23.0/24 Amazon
+15.230.24.0/22 Amazon
+15.230.28.0/24 Amazon
+15.230.29.0/24 Amazon
+15.230.30.0/24 Amazon
+15.230.31.0/24 Amazon
+15.230.32.0/24 Amazon
+15.230.35.0/24 Amazon
+15.230.36.0/23 Amazon
+15.230.38.0/24 Amazon
+15.230.39.0/31 Amazon
+15.230.39.2/31 Amazon
+15.230.39.4/31 Amazon
+15.230.39.6/31 Amazon
+15.230.39.8/31 Amazon
+15.230.39.10/31 Amazon
+15.230.39.12/31 Amazon
+15.230.39.14/31 Amazon
+15.230.39.16/31 Amazon
+15.230.39.18/31 Amazon
+15.230.39.20/31 Amazon
+15.230.39.22/31 Amazon
+15.230.39.24/31 Amazon
+15.230.39.26/31 Amazon
+15.230.39.28/31 Amazon
+15.230.39.30/31 Amazon
+15.230.39.32/31 Amazon
+15.230.39.34/31 Amazon
+15.230.39.36/31 Amazon
+15.230.39.38/31 Amazon
+15.230.39.40/31 Amazon
+15.230.39.42/31 Amazon
+15.230.39.44/31 Amazon
+15.230.39.46/31 Amazon
+15.230.39.48/31 Amazon
+15.230.39.50/31 Amazon
+15.230.39.52/31 Amazon
+15.230.39.54/31 Amazon
+15.230.39.56/31 Amazon
+15.230.39.58/31 Amazon
+15.230.39.60/31 Amazon
+15.230.39.62/31 Amazon
+15.230.39.64/31 Amazon
+15.230.39.66/31 Amazon
+15.230.39.68/31 Amazon
+15.230.39.70/31 Amazon
+15.230.39.72/31 Amazon
+15.230.39.74/31 Amazon
+15.230.39.76/31 Amazon
+15.230.39.78/31 Amazon
+15.230.39.80/31 Amazon
+15.230.39.82/31 Amazon
+15.230.39.84/31 Amazon
+15.230.39.86/31 Amazon
+15.230.39.88/31 Amazon
+15.230.39.90/31 Amazon
+15.230.39.92/31 Amazon
+15.230.39.94/31 Amazon
+15.230.39.96/31 Amazon
+15.230.39.98/31 Amazon
+15.230.39.100/31 Amazon
+15.230.39.102/31 Amazon
+15.230.39.104/31 Amazon
+15.230.39.106/31 Amazon
+15.230.39.108/31 Amazon
+15.230.39.110/31 Amazon
+15.230.39.112/31 Amazon
+15.230.39.114/31 Amazon
+15.230.39.116/31 Amazon
+15.230.39.118/31 Amazon
+15.230.39.120/31 Amazon
+15.230.39.122/31 Amazon
+15.230.39.124/31 Amazon
+15.230.39.126/31 Amazon
+15.230.39.128/31 Amazon
+15.230.39.130/31 Amazon
+15.230.39.132/31 Amazon
+15.230.39.134/31 Amazon
+15.230.39.136/31 Amazon
+15.230.39.138/31 Amazon
+15.230.39.140/31 Amazon
+15.230.39.142/31 Amazon
+15.230.39.144/31 Amazon
+15.230.39.146/31 Amazon
+15.230.39.148/31 Amazon
+15.230.39.150/31 Amazon
+15.230.39.152/31 Amazon
+15.230.39.154/31 Amazon
+15.230.39.156/31 Amazon
+15.230.39.158/31 Amazon
+15.230.39.160/31 Amazon
+15.230.39.162/31 Amazon
+15.230.39.164/31 Amazon
+15.230.39.166/31 Amazon
+15.230.39.168/31 Amazon
+15.230.39.170/31 Amazon
+15.230.39.172/31 Amazon
+15.230.39.174/31 Amazon
+15.230.39.176/31 Amazon
+15.230.39.178/31 Amazon
+15.230.39.180/31 Amazon
+15.230.39.182/31 Amazon
+15.230.39.184/31 Amazon
+15.230.39.186/31 Amazon
+15.230.39.188/31 Amazon
+15.230.39.190/31 Amazon
+15.230.39.192/31 Amazon
+15.230.39.194/31 Amazon
+15.230.39.196/31 Amazon
+15.230.39.198/31 Amazon
+15.230.39.200/31 Amazon
+15.230.39.202/31 Amazon
+15.230.39.204/31 Amazon
+15.230.39.206/31 Amazon
+15.230.39.208/31 Amazon
+15.230.39.210/31 Amazon
+15.230.39.212/31 Amazon
+15.230.39.214/31 Amazon
+15.230.39.216/31 Amazon
+15.230.39.218/31 Amazon
+15.230.39.220/31 Amazon
+15.230.39.222/31 Amazon
+15.230.39.224/31 Amazon
+15.230.39.226/31 Amazon
+15.230.39.228/31 Amazon
+15.230.39.230/31 Amazon
+15.230.39.232/31 Amazon
+15.230.39.234/31 Amazon
+15.230.39.236/31 Amazon
+15.230.39.238/31 Amazon
+15.230.39.240/31 Amazon
+15.230.39.242/31 Amazon
+15.230.39.244/31 Amazon
+15.230.39.246/31 Amazon
+15.230.39.248/31 Amazon
+15.230.39.250/31 Amazon
+15.230.39.252/31 Amazon
+15.230.39.254/31 Amazon
+15.230.40.0/24 Amazon
+15.230.41.0/24 Amazon
+15.230.42.0/24 Amazon
+15.230.43.0/24 Amazon
+15.230.49.0/24 Amazon
+15.230.50.0/24 Amazon
+15.230.51.0/24 Amazon
+15.230.52.0/24 Amazon
+15.230.53.0/24 Amazon
+15.230.54.0/24 Amazon
+15.230.55.0/24 Amazon
+15.230.56.0/24 Amazon
+15.230.57.0/24 Amazon
+15.230.58.0/24 Amazon
+15.230.59.0/24 Amazon
+15.230.60.0/24 Amazon
+15.230.61.0/24 Amazon
+15.230.64.192/26 Amazon
+15.230.65.0/26 Amazon
+15.230.65.64/26 Amazon
+15.230.65.128/25 Amazon
+15.230.66.0/25 Amazon
+15.230.66.128/25 Amazon
+15.230.67.0/26 Amazon
+15.230.67.64/26 Amazon
+15.230.67.128/26 Amazon
+15.230.67.192/26 Amazon
+15.230.68.0/26 Amazon
+15.230.68.64/26 Amazon
+15.230.68.128/26 Amazon
+15.230.68.192/26 Amazon
+15.230.69.0/26 Amazon
+15.230.69.64/26 Amazon
+15.230.69.128/26 Amazon
+15.230.69.192/26 Amazon
+15.230.70.0/26 Amazon
+15.230.70.64/26 Amazon
+15.230.70.128/26 Amazon
+15.230.70.192/26 Amazon
+15.230.71.0/26 Amazon
+15.230.71.64/26 Amazon
+15.230.71.128/26 Amazon
+15.230.71.192/26 Amazon
+15.230.72.0/26 Amazon
+15.230.72.64/26 Amazon
+15.230.72.128/26 Amazon
+15.230.72.192/26 Amazon
+15.230.73.0/26 Amazon
+15.230.73.64/26 Amazon
+15.230.73.128/26 Amazon
+15.230.73.192/26 Amazon
+15.230.74.0/26 Amazon
+15.230.74.64/26 Amazon
+15.230.74.128/26 Amazon
+15.230.74.192/26 Amazon
+15.230.75.0/26 Amazon
+15.230.75.64/26 Amazon
+15.230.75.128/26 Amazon
+15.230.75.192/26 Amazon
+15.230.76.0/26 Amazon
+15.230.76.64/26 Amazon
+15.230.76.128/26 Amazon
+15.230.76.192/26 Amazon
+15.230.77.0/26 Amazon
+15.230.77.64/26 Amazon
+15.230.77.128/26 Amazon
+15.230.77.192/26 Amazon
+15.230.78.0/26 Amazon
+15.230.78.64/26 Amazon
+15.230.78.128/26 Amazon
+15.230.78.192/26 Amazon
+15.230.79.0/26 Amazon
+15.230.79.64/26 Amazon
+15.230.79.128/26 Amazon
+15.230.80.0/24 Amazon
+15.230.81.0/24 Amazon
+15.230.82.0/24 Amazon
+15.230.83.0/24 Amazon
+15.230.84.0/24 Amazon
+15.230.85.0/24 Amazon
+15.230.86.0/24 Amazon
+15.230.87.0/24 Amazon
+15.230.88.0/24 Amazon
+15.230.89.0/24 Amazon
+15.230.90.0/24 Amazon
+15.230.91.0/24 Amazon
+15.230.92.0/24 Amazon
+15.230.93.0/24 Amazon
+15.230.94.0/24 Amazon
+15.230.129.0/24 Amazon
+15.230.130.0/24 Amazon
+15.230.131.0/32 Amazon
+15.230.131.1/32 Amazon
+15.230.131.2/32 Amazon
+15.230.131.3/32 Amazon
+15.230.131.4/32 Amazon
+15.230.131.5/32 Amazon
+15.230.131.6/32 Amazon
+15.230.131.7/32 Amazon
+15.230.131.8/32 Amazon
+15.230.131.9/32 Amazon
+15.230.131.10/31 Amazon
+15.230.131.12/31 Amazon
+15.230.131.14/32 Amazon
+15.230.131.15/32 Amazon
+15.230.131.16/28 Amazon
+15.230.131.32/28 Amazon
+15.230.131.48/28 Amazon
+15.230.131.64/28 Amazon
+15.230.131.80/28 Amazon
+15.230.131.96/28 Amazon
+15.230.131.112/28 Amazon
+15.230.131.128/28 Amazon
+15.230.131.144/28 Amazon
+15.230.131.160/31 Amazon
+15.230.131.162/31 Amazon
+15.230.131.164/31 Amazon
+15.230.131.166/31 Amazon
+15.230.131.168/31 Amazon
+15.230.131.170/31 Amazon
+15.230.131.172/31 Amazon
+15.230.131.174/31 Amazon
+15.230.132.0/24 Amazon
+15.230.133.0/28 Amazon
+15.230.133.16/32 Amazon
+15.230.133.17/32 Amazon
+15.230.133.18/31 Amazon
+15.230.133.20/31 Amazon
+15.230.133.22/31 Amazon
+15.230.133.24/32 Amazon
+15.230.133.26/31 Amazon
+15.230.133.28/31 Amazon
+15.230.134.0/24 Amazon
+15.230.135.0/24 Amazon
+15.230.136.0/24 Amazon
+15.230.137.0/24 Amazon
+15.230.138.0/24 Amazon
+15.230.140.0/24 Amazon
+15.230.141.0/24 Amazon
+15.230.142.0/24 Amazon
+15.230.143.0/24 Amazon
+15.230.144.0/24 Amazon
+15.230.145.0/24 Amazon
+15.230.148.0/24 Amazon
+15.230.149.0/31 Amazon
+15.230.149.2/31 Amazon
+15.230.149.4/31 Amazon
+15.230.149.8/31 Amazon
+15.230.149.10/32 Amazon
+15.230.149.11/32 Amazon
+15.230.150.0/23 Amazon
+15.230.152.0/24 Amazon
+15.230.153.0/24 Amazon
+15.230.154.0/23 Amazon
+15.230.156.0/24 Amazon
+15.230.157.0/24 Amazon
+15.230.158.0/23 Amazon
+15.230.160.0/24 Amazon
+15.230.161.0/24 Amazon
+15.230.162.0/24 Amazon
+15.230.163.0/24 Amazon
+15.230.164.0/24 Amazon
+15.230.165.0/24 Amazon
+15.230.166.0/24 Amazon
+15.230.170.0/23 Amazon
+15.230.173.0/24 Amazon
+15.230.174.0/24 Amazon
+15.230.176.0/24 Amazon
+15.230.177.0/31 Amazon
+15.230.177.2/31 Amazon
+15.230.178.0/24 Amazon
+15.230.179.0/29 Amazon
+15.230.179.8/29 Amazon
+15.230.179.16/29 Amazon
+15.230.181.0/24 Amazon
+15.230.182.0/24 Amazon
+15.230.183.0/24 Amazon
+15.230.184.0/24 Amazon
+15.230.185.0/24 Amazon
+15.230.186.0/24 Amazon
+15.230.188.0/25 Amazon
+15.230.188.128/25 Amazon
+15.230.189.0/25 Amazon
+15.230.189.128/25 Amazon
+15.230.190.0/25 Amazon
+15.230.190.128/25 Amazon
+15.230.192.0/24 Amazon
+15.230.193.0/24 Amazon
+15.230.195.0/24 Amazon
+15.230.196.0/24 Amazon
+15.230.197.0/24 Amazon
+15.230.198.0/24 Amazon
+15.230.199.0/28 Amazon
+15.230.200.0/24 Amazon
+15.230.201.0/24 Amazon
+15.230.202.0/30 Amazon
+15.230.203.0/24 Amazon
+15.230.204.0/32 Amazon
+15.230.204.1/32 Amazon
+15.230.204.2/32 Amazon
+15.230.204.3/32 Amazon
+15.230.205.0/24 Amazon
+15.230.206.0/24 Amazon
+15.230.207.0/24 Amazon
+15.231.0.0/16 Amazon
+15.236.0.0/15 Amazon
+15.248.8.0/22 Amazon
+15.248.16.0/22 Amazon
+15.248.20.0/22 Amazon
+15.248.24.0/22 Amazon
+15.248.28.0/22 Amazon
+15.248.32.0/22 Amazon
+15.248.36.0/22 Amazon
+15.248.40.0/22 Amazon
+15.251.0.0/32 Amazon
+15.251.0.1/32 Amazon
+15.251.0.2/32 Amazon
+15.251.0.3/32 Amazon
+15.251.0.4/32 Amazon
+15.251.0.5/32 Amazon
+15.251.0.6/32 Amazon
+15.251.0.7/32 Amazon
+15.251.0.8/32 Amazon
+15.251.0.9/32 Amazon
+15.251.0.10/32 Amazon
+15.251.0.11/32 Amazon
+15.251.0.12/32 Amazon
+15.251.0.13/32 Amazon
+15.251.0.14/32 Amazon
+15.251.0.15/32 Amazon
+15.253.0.0/16 Amazon
+15.254.0.0/16 Amazon
+16.12.0.0/23 Amazon
+16.12.2.0/24 Amazon
+16.12.4.0/23 Amazon
+16.12.6.0/23 Amazon
+16.12.8.0/24 Amazon
+16.16.0.0/16 Amazon
+16.50.0.0/15 Amazon
+16.62.0.0/15 Amazon
+16.162.0.0/15 Amazon
+16.168.0.0/15 Amazon
+16.170.0.0/15 Amazon
+18.32.0.0/11 Amazon
+18.60.0.0/15 Amazon
+18.64.0.0/10 Amazon
+18.100.0.0/15 Amazon
+18.102.0.0/16 Amazon
+18.116.0.0/14 Amazon
+18.128.0.0/9 Amazon
+18.130.0.0/16 Amazon
+18.132.0.0/14 Amazon
+18.136.0.0/16 Amazon
+18.138.0.0/15 Amazon
+18.140.0.0/15 Amazon
+18.142.0.0/15 Amazon
+18.144.0.0/15 Amazon
+18.148.0.0/14 Amazon
+18.153.0.0/16 Amazon
+18.156.0.0/14 Amazon
+18.162.0.0/16 Amazon
+18.163.0.0/16 Amazon
+18.166.0.0/15 Amazon
+18.168.0.0/14 Amazon
+18.175.0.0/16 Amazon
+18.176.0.0/15 Amazon
+18.178.0.0/16 Amazon
+18.179.0.0/16 Amazon
+18.180.0.0/15 Amazon
+18.182.0.0/16 Amazon
+18.183.0.0/16 Amazon
+18.184.0.0/15 Amazon
+18.186.0.0/15 Amazon
+18.188.0.0/16 Amazon
+18.189.0.0/16 Amazon
+18.190.0.0/16 Amazon
+18.191.0.0/16 Amazon
+18.192.0.0/15 Amazon
+18.194.0.0/15 Amazon
+18.196.0.0/15 Amazon
+18.198.0.0/15 Amazon
+18.200.0.0/16 Amazon
+18.201.0.0/16 Amazon
+18.202.0.0/15 Amazon
+18.204.0.0/14 Amazon
+18.208.0.0/13 Amazon
+18.216.0.0/14 Amazon
+18.220.0.0/14 Amazon
+18.224.0.0/14 Amazon
+18.228.0.0/16 Amazon
+18.229.0.0/16 Amazon
+18.230.0.0/16 Amazon
+18.231.0.0/16 Amazon
+18.232.0.0/14 Amazon
+18.236.0.0/15 Amazon
+18.246.0.0/16 Amazon
+18.252.0.0/16 Amazon
+18.253.0.0/16 Amazon
+18.254.0.0/16 Amazon
+23.20.0.0/14 Amazon
+27.0.0.0/22 Amazon
+34.192.0.0/12 Amazon
+34.208.0.0/12 Amazon
+34.224.0.0/12 Amazon
+34.240.0.0/13 Amazon
+34.248.0.0/13 Amazon
+35.71.64.0/22 Amazon
+35.71.96.0/24 Amazon
+35.71.97.0/24 Amazon
+35.71.128.0/17 Amazon
+35.72.0.0/13 Amazon
+35.80.0.0/12 Amazon
+35.96.0.0/12 Amazon
+35.152.0.0/16 Amazon
+35.153.0.0/16 Amazon
+35.154.0.0/16 Amazon
+35.155.0.0/16 Amazon
+35.156.0.0/14 Amazon
+35.160.0.0/13 Amazon
+35.168.0.0/13 Amazon
+35.176.0.0/15 Amazon
+35.178.0.0/15 Amazon
+35.180.0.0/16 Amazon
+35.181.0.0/16 Amazon
+35.182.0.0/15 Amazon
+36.103.232.0/25 Amazon
+36.103.232.128/26 Amazon
+43.192.0.0/15 Amazon
+43.194.0.0/16 Amazon
+43.195.0.0/16 Amazon
+43.196.0.0/15 Amazon
+43.198.0.0/15 Amazon
+43.200.0.0/14 Amazon
+43.204.0.0/15 Amazon
+43.206.0.0/15 Amazon
+43.224.76.0/30 Amazon
+43.224.76.4/30 Amazon
+43.224.76.8/30 Amazon
+43.224.76.12/30 Amazon
+43.224.76.16/30 Amazon
+43.224.76.20/30 Amazon
+43.224.76.24/30 Amazon
+43.224.76.28/30 Amazon
+43.224.76.32/30 Amazon
+43.224.76.36/30 Amazon
+43.224.76.40/30 Amazon
+43.224.76.44/30 Amazon
+43.224.76.48/30 Amazon
+43.224.76.52/30 Amazon
+43.224.76.56/30 Amazon
+43.224.76.60/30 Amazon
+43.224.76.64/30 Amazon
+43.224.76.68/30 Amazon
+43.224.76.72/30 Amazon
+43.224.76.76/30 Amazon
+43.224.76.80/30 Amazon
+43.224.76.84/30 Amazon
+43.224.76.88/30 Amazon
+43.224.76.92/30 Amazon
+43.224.76.96/30 Amazon
+43.224.76.100/30 Amazon
+43.224.76.104/30 Amazon
+43.224.76.108/30 Amazon
+43.224.76.112/30 Amazon
+43.224.76.116/30 Amazon
+43.224.76.120/30 Amazon
+43.224.76.124/30 Amazon
+43.224.76.128/30 Amazon
+43.224.76.132/30 Amazon
+43.224.76.136/30 Amazon
+43.224.76.140/30 Amazon
+43.224.76.144/30 Amazon
+43.224.76.148/30 Amazon
+43.224.76.152/30 Amazon
+43.224.76.156/30 Amazon
+43.224.76.160/30 Amazon
+43.224.76.164/30 Amazon
+43.224.76.168/30 Amazon
+43.224.76.172/30 Amazon
+43.224.76.176/30 Amazon
+43.224.76.180/30 Amazon
+43.224.76.184/30 Amazon
+43.224.76.188/30 Amazon
+43.224.76.192/30 Amazon
+43.224.76.196/30 Amazon
+43.224.76.200/30 Amazon
+43.224.76.204/30 Amazon
+43.224.76.208/30 Amazon
+43.224.76.212/30 Amazon
+43.224.76.216/30 Amazon
+43.224.76.220/30 Amazon
+43.224.76.224/30 Amazon
+43.224.76.228/30 Amazon
+43.224.76.232/30 Amazon
+43.224.76.236/30 Amazon
+43.224.76.240/30 Amazon
+43.224.76.244/30 Amazon
+43.224.76.248/30 Amazon
+43.224.77.0/29 Amazon
+43.224.77.8/29 Amazon
+43.224.77.24/30 Amazon
+43.224.77.28/30 Amazon
+43.224.77.32/30 Amazon
+43.224.77.36/30 Amazon
+43.224.77.40/30 Amazon
+43.224.77.44/30 Amazon
+43.224.77.76/30 Amazon
+43.224.77.80/30 Amazon
+43.224.77.84/30 Amazon
+43.224.77.88/30 Amazon
+43.224.77.92/30 Amazon
+43.224.77.96/30 Amazon
+43.224.77.100/30 Amazon
+43.224.77.104/30 Amazon
+43.224.77.108/30 Amazon
+43.224.77.112/30 Amazon
+43.224.77.116/30 Amazon
+43.224.77.120/30 Amazon
+43.224.77.124/30 Amazon
+43.224.77.128/30 Amazon
+43.224.77.132/30 Amazon
+43.224.77.136/30 Amazon
+43.224.77.140/30 Amazon
+43.224.77.144/30 Amazon
+43.224.77.148/30 Amazon
+43.224.77.152/30 Amazon
+43.224.77.156/30 Amazon
+43.224.77.168/30 Amazon
+43.224.77.172/30 Amazon
+43.224.77.176/30 Amazon
+43.224.77.180/30 Amazon
+43.224.77.184/30 Amazon
+43.224.77.188/30 Amazon
+43.224.77.192/30 Amazon
+43.224.77.208/30 Amazon
+43.224.77.212/30 Amazon
+43.224.79.26/31 Amazon
+43.224.79.28/31 Amazon
+43.224.79.30/31 Amazon
+43.224.79.32/31 Amazon
+43.224.79.34/31 Amazon
+43.224.79.36/31 Amazon
+43.224.79.38/31 Amazon
+43.224.79.40/31 Amazon
+43.224.79.42/31 Amazon
+43.224.79.44/31 Amazon
+43.224.79.46/31 Amazon
+43.224.79.48/31 Amazon
+43.224.79.50/31 Amazon
+43.224.79.52/31 Amazon
+43.224.79.54/31 Amazon
+43.224.79.56/31 Amazon
+43.224.79.58/31 Amazon
+43.224.79.60/31 Amazon
+43.224.79.62/31 Amazon
+43.224.79.64/31 Amazon
+43.224.79.66/31 Amazon
+43.224.79.68/31 Amazon
+43.224.79.70/31 Amazon
+43.224.79.72/31 Amazon
+43.224.79.74/31 Amazon
+43.224.79.76/31 Amazon
+43.224.79.78/31 Amazon
+43.224.79.80/31 Amazon
+43.224.79.82/31 Amazon
+43.224.79.84/31 Amazon
+43.224.79.90/31 Amazon
+43.224.79.92/31 Amazon
+43.224.79.94/31 Amazon
+43.224.79.96/31 Amazon
+43.224.79.98/31 Amazon
+43.224.79.100/31 Amazon
+43.224.79.102/31 Amazon
+43.224.79.104/31 Amazon
+43.224.79.106/31 Amazon
+43.224.79.108/31 Amazon
+43.224.79.110/31 Amazon
+43.224.79.112/31 Amazon
+43.224.79.114/31 Amazon
+43.224.79.116/31 Amazon
+43.224.79.118/31 Amazon
+43.224.79.120/31 Amazon
+43.224.79.122/31 Amazon
+43.224.79.124/31 Amazon
+43.224.79.126/31 Amazon
+43.224.79.128/31 Amazon
+43.224.79.130/31 Amazon
+43.224.79.136/31 Amazon
+43.224.79.138/31 Amazon
+43.224.79.140/31 Amazon
+43.224.79.142/31 Amazon
+43.224.79.144/31 Amazon
+43.224.79.154/31 Amazon
+43.224.79.156/31 Amazon
+43.224.79.158/31 Amazon
+43.224.79.160/31 Amazon
+43.224.79.162/31 Amazon
+43.224.79.164/31 Amazon
+43.224.79.166/31 Amazon
+43.224.79.168/31 Amazon
+43.224.79.174/31 Amazon
+43.224.79.176/31 Amazon
+43.224.79.178/31 Amazon
+43.224.79.180/31 Amazon
+43.224.79.182/31 Amazon
+43.224.79.184/31 Amazon
+43.224.79.186/31 Amazon
+43.224.79.188/31 Amazon
+43.224.79.190/31 Amazon
+43.224.79.192/31 Amazon
+43.224.79.194/31 Amazon
+43.224.79.196/31 Amazon
+43.224.79.198/31 Amazon
+43.224.79.200/31 Amazon
+43.224.79.202/31 Amazon
+43.224.79.204/31 Amazon
+43.224.79.206/31 Amazon
+43.224.79.208/31 Amazon
+43.224.79.210/31 Amazon
+43.224.79.212/31 Amazon
+43.224.79.214/31 Amazon
+43.224.79.216/31 Amazon
+43.224.79.218/31 Amazon
+43.224.79.220/31 Amazon
+43.224.79.222/31 Amazon
+43.224.79.224/31 Amazon
+43.224.79.226/31 Amazon
+43.224.79.228/31 Amazon
+43.224.79.230/31 Amazon
+43.224.79.232/31 Amazon
+43.224.79.234/31 Amazon
+43.224.79.236/31 Amazon
+43.224.79.238/31 Amazon
+43.224.79.240/31 Amazon
+43.224.79.242/31 Amazon
+43.224.79.244/31 Amazon
+43.224.79.246/31 Amazon
+43.224.79.248/31 Amazon
+43.224.79.250/31 Amazon
+43.224.79.252/31 Amazon
+43.224.79.254/31 Amazon
+43.249.45.0/24 Amazon
+43.249.46.0/24 Amazon
+43.249.47.0/24 Amazon
+43.250.192.0/24 Amazon
+43.250.193.0/24 Amazon
+44.192.0.0/11 Amazon
+44.224.0.0/11 Amazon
+46.51.128.0/18 Amazon
+46.51.192.0/20 Amazon
+46.51.208.0/22 Amazon
+46.51.216.0/21 Amazon
+46.51.224.0/19 Amazon
+46.137.0.0/17 Amazon
+46.137.128.0/18 Amazon
+46.137.192.0/19 Amazon
+46.137.224.0/19 Amazon
+50.16.0.0/15 Amazon
+50.18.0.0/16 Amazon
+50.19.0.0/16 Amazon
+50.112.0.0/16 Amazon
+51.20.0.0/14 Amazon
+52.0.0.0/15 Amazon
+52.2.0.0/15 Amazon
+52.4.0.0/14 Amazon
+52.8.0.0/16 Amazon
+52.9.0.0/16 Amazon
+52.10.0.0/15 Amazon
+52.12.0.0/15 Amazon
+52.14.0.0/16 Amazon
+52.15.0.0/16 Amazon
+52.16.0.0/15 Amazon
+52.18.0.0/15 Amazon
+52.20.0.0/14 Amazon
+52.24.0.0/14 Amazon
+52.28.0.0/16 Amazon
+52.29.0.0/16 Amazon
+52.30.0.0/15 Amazon
+52.32.0.0/14 Amazon
+52.36.0.0/14 Amazon
+52.40.0.0/14 Amazon
+52.44.0.0/15 Amazon
+52.46.0.0/18 Amazon
+52.46.64.0/20 Amazon
+52.46.80.0/21 Amazon
+52.46.88.0/22 Amazon
+52.46.92.0/22 Amazon
+52.46.96.0/19 Amazon
+52.46.128.0/19 Amazon
+52.46.164.0/23 Amazon
+52.46.166.0/23 Amazon
+52.46.168.0/23 Amazon
+52.46.170.0/23 Amazon
+52.46.172.0/22 Amazon
+52.46.176.0/22 Amazon
+52.46.180.0/22 Amazon
+52.46.184.0/22 Amazon
+52.46.188.24/30 Amazon
+52.46.188.28/30 Amazon
+52.46.188.36/30 Amazon
+52.46.188.40/30 Amazon
+52.46.188.44/30 Amazon
+52.46.188.48/30 Amazon
+52.46.188.52/30 Amazon
+52.46.188.56/30 Amazon
+52.46.188.60/30 Amazon
+52.46.188.64/30 Amazon
+52.46.188.68/30 Amazon
+52.46.188.72/30 Amazon
+52.46.188.76/30 Amazon
+52.46.188.80/30 Amazon
+52.46.188.84/30 Amazon
+52.46.188.88/30 Amazon
+52.46.188.92/30 Amazon
+52.46.188.96/30 Amazon
+52.46.188.108/30 Amazon
+52.46.188.120/30 Amazon
+52.46.188.132/30 Amazon
+52.46.188.136/30 Amazon
+52.46.188.140/30 Amazon
+52.46.188.144/30 Amazon
+52.46.188.148/30 Amazon
+52.46.188.152/30 Amazon
+52.46.188.156/30 Amazon
+52.46.188.160/30 Amazon
+52.46.188.164/30 Amazon
+52.46.188.168/30 Amazon
+52.46.188.172/30 Amazon
+52.46.188.176/30 Amazon
+52.46.188.180/30 Amazon
+52.46.188.184/30 Amazon
+52.46.188.188/30 Amazon
+52.46.188.192/30 Amazon
+52.46.188.204/30 Amazon
+52.46.188.208/30 Amazon
+52.46.188.216/30 Amazon
+52.46.188.224/30 Amazon
+52.46.188.228/30 Amazon
+52.46.188.232/30 Amazon
+52.46.188.236/30 Amazon
+52.46.188.240/30 Amazon
+52.46.188.244/30 Amazon
+52.46.188.248/30 Amazon
+52.46.188.252/30 Amazon
+52.46.189.0/30 Amazon
+52.46.189.4/30 Amazon
+52.46.189.8/30 Amazon
+52.46.189.12/30 Amazon
+52.46.189.16/30 Amazon
+52.46.189.32/30 Amazon
+52.46.189.36/30 Amazon
+52.46.189.40/30 Amazon
+52.46.189.44/30 Amazon
+52.46.189.48/30 Amazon
+52.46.189.52/30 Amazon
+52.46.189.56/30 Amazon
+52.46.189.60/30 Amazon
+52.46.189.64/30 Amazon
+52.46.189.68/30 Amazon
+52.46.189.72/30 Amazon
+52.46.189.76/30 Amazon
+52.46.189.80/30 Amazon
+52.46.189.84/30 Amazon
+52.46.189.88/30 Amazon
+52.46.189.92/30 Amazon
+52.46.189.96/30 Amazon
+52.46.189.100/30 Amazon
+52.46.189.104/30 Amazon
+52.46.189.108/30 Amazon
+52.46.189.112/30 Amazon
+52.46.189.124/30 Amazon
+52.46.189.128/30 Amazon
+52.46.189.132/30 Amazon
+52.46.189.136/30 Amazon
+52.46.189.140/30 Amazon
+52.46.189.156/30 Amazon
+52.46.189.160/30 Amazon
+52.46.189.168/30 Amazon
+52.46.189.172/30 Amazon
+52.46.189.176/30 Amazon
+52.46.189.180/30 Amazon
+52.46.189.192/30 Amazon
+52.46.189.196/30 Amazon
+52.46.189.200/30 Amazon
+52.46.189.204/30 Amazon
+52.46.189.216/30 Amazon
+52.46.189.220/30 Amazon
+52.46.189.224/30 Amazon
+52.46.189.228/30 Amazon
+52.46.189.240/30 Amazon
+52.46.189.244/30 Amazon
+52.46.189.248/30 Amazon
+52.46.189.252/30 Amazon
+52.46.190.0/30 Amazon
+52.46.190.4/30 Amazon
+52.46.190.8/30 Amazon
+52.46.190.12/30 Amazon
+52.46.190.32/30 Amazon
+52.46.190.36/30 Amazon
+52.46.190.40/30 Amazon
+52.46.190.44/30 Amazon
+52.46.190.52/30 Amazon
+52.46.190.56/30 Amazon
+52.46.190.60/30 Amazon
+52.46.190.64/30 Amazon
+52.46.190.68/30 Amazon
+52.46.190.72/30 Amazon
+52.46.190.76/30 Amazon
+52.46.190.92/30 Amazon
+52.46.190.96/30 Amazon
+52.46.190.100/30 Amazon
+52.46.190.104/30 Amazon
+52.46.190.108/30 Amazon
+52.46.190.120/30 Amazon
+52.46.190.124/30 Amazon
+52.46.190.144/30 Amazon
+52.46.190.148/30 Amazon
+52.46.190.152/30 Amazon
+52.46.190.164/30 Amazon
+52.46.190.168/30 Amazon
+52.46.190.180/31 Amazon
+52.46.190.182/31 Amazon
+52.46.190.188/31 Amazon
+52.46.190.190/31 Amazon
+52.46.190.192/31 Amazon
+52.46.190.202/31 Amazon
+52.46.190.204/31 Amazon
+52.46.190.206/31 Amazon
+52.46.190.208/31 Amazon
+52.46.190.210/31 Amazon
+52.46.190.212/31 Amazon
+52.46.190.214/31 Amazon
+52.46.190.216/31 Amazon
+52.46.190.222/31 Amazon
+52.46.190.224/31 Amazon
+52.46.190.226/31 Amazon
+52.46.190.228/31 Amazon
+52.46.190.230/31 Amazon
+52.46.190.232/31 Amazon
+52.46.190.234/31 Amazon
+52.46.190.236/31 Amazon
+52.46.190.238/31 Amazon
+52.46.190.240/31 Amazon
+52.46.190.242/31 Amazon
+52.46.190.244/31 Amazon
+52.46.190.254/31 Amazon
+52.46.191.0/31 Amazon
+52.46.191.2/31 Amazon
+52.46.191.4/31 Amazon
+52.46.191.6/31 Amazon
+52.46.191.8/31 Amazon
+52.46.191.10/31 Amazon
+52.46.191.12/31 Amazon
+52.46.191.18/31 Amazon
+52.46.191.20/31 Amazon
+52.46.191.22/31 Amazon
+52.46.191.24/31 Amazon
+52.46.191.26/31 Amazon
+52.46.191.28/31 Amazon
+52.46.191.34/31 Amazon
+52.46.191.36/31 Amazon
+52.46.191.42/31 Amazon
+52.46.191.44/31 Amazon
+52.46.191.46/31 Amazon
+52.46.191.48/31 Amazon
+52.46.191.52/31 Amazon
+52.46.191.54/31 Amazon
+52.46.191.60/31 Amazon
+52.46.191.62/31 Amazon
+52.46.191.64/31 Amazon
+52.46.191.66/31 Amazon
+52.46.191.68/31 Amazon
+52.46.191.70/31 Amazon
+52.46.191.72/31 Amazon
+52.46.191.76/31 Amazon
+52.46.191.78/31 Amazon
+52.46.191.80/31 Amazon
+52.46.191.82/31 Amazon
+52.46.191.84/31 Amazon
+52.46.191.86/31 Amazon
+52.46.191.88/31 Amazon
+52.46.191.90/31 Amazon
+52.46.191.92/31 Amazon
+52.46.191.94/31 Amazon
+52.46.191.96/31 Amazon
+52.46.191.98/31 Amazon
+52.46.191.100/31 Amazon
+52.46.191.102/31 Amazon
+52.46.191.104/31 Amazon
+52.46.191.106/31 Amazon
+52.46.191.108/31 Amazon
+52.46.191.110/31 Amazon
+52.46.191.120/31 Amazon
+52.46.191.122/31 Amazon
+52.46.191.124/31 Amazon
+52.46.191.126/31 Amazon
+52.46.191.128/31 Amazon
+52.46.191.130/31 Amazon
+52.46.191.132/31 Amazon
+52.46.191.134/31 Amazon
+52.46.191.136/31 Amazon
+52.46.191.140/31 Amazon
+52.46.191.142/31 Amazon
+52.46.191.144/31 Amazon
+52.46.191.148/31 Amazon
+52.46.191.150/31 Amazon
+52.46.191.152/31 Amazon
+52.46.191.156/31 Amazon
+52.46.191.158/31 Amazon
+52.46.191.164/31 Amazon
+52.46.191.166/31 Amazon
+52.46.191.168/31 Amazon
+52.46.191.170/31 Amazon
+52.46.191.172/31 Amazon
+52.46.191.174/31 Amazon
+52.46.191.176/31 Amazon
+52.46.191.178/31 Amazon
+52.46.191.180/31 Amazon
+52.46.191.182/31 Amazon
+52.46.191.184/31 Amazon
+52.46.191.186/31 Amazon
+52.46.191.188/31 Amazon
+52.46.191.190/31 Amazon
+52.46.191.192/31 Amazon
+52.46.191.194/31 Amazon
+52.46.191.200/31 Amazon
+52.46.191.202/31 Amazon
+52.46.191.210/31 Amazon
+52.46.191.212/31 Amazon
+52.46.191.214/31 Amazon
+52.46.191.216/31 Amazon
+52.46.191.218/31 Amazon
+52.46.191.220/31 Amazon
+52.46.191.222/31 Amazon
+52.46.191.224/31 Amazon
+52.46.191.226/31 Amazon
+52.46.191.228/31 Amazon
+52.46.191.230/31 Amazon
+52.46.191.232/31 Amazon
+52.46.191.234/31 Amazon
+52.46.191.236/31 Amazon
+52.46.191.238/31 Amazon
+52.46.191.240/31 Amazon
+52.46.192.0/20 Amazon
+52.46.208.0/21 Amazon
+52.46.216.0/22 Amazon
+52.46.220.0/22 Amazon
+52.46.224.0/20 Amazon
+52.46.240.0/22 Amazon
+52.46.249.0/24 Amazon
+52.46.250.0/23 Amazon
+52.46.252.0/22 Amazon
+52.47.0.0/16 Amazon
+52.48.0.0/14 Amazon
+52.52.0.0/15 Amazon
+52.54.0.0/15 Amazon
+52.56.0.0/16 Amazon
+52.57.0.0/16 Amazon
+52.58.0.0/15 Amazon
+52.60.0.0/16 Amazon
+52.61.0.0/16 Amazon
+52.62.0.0/15 Amazon
+52.64.0.0/17 Amazon
+52.64.128.0/17 Amazon
+52.65.0.0/16 Amazon
+52.66.0.0/16 Amazon
+52.67.0.0/16 Amazon
+52.68.0.0/15 Amazon
+52.70.0.0/15 Amazon
+52.72.0.0/15 Amazon
+52.74.0.0/16 Amazon
+52.75.0.0/16 Amazon
+52.76.0.0/17 Amazon
+52.76.128.0/17 Amazon
+52.77.0.0/16 Amazon
+52.78.0.0/16 Amazon
+52.79.0.0/16 Amazon
+52.80.0.0/16 Amazon
+52.81.0.0/16 Amazon
+52.82.0.0/17 Amazon
+52.82.128.0/19 Amazon
+52.82.160.0/22 Amazon
+52.82.164.0/22 Amazon
+52.82.168.0/24 Amazon
+52.82.169.0/28 Amazon
+52.82.169.16/28 Amazon
+52.82.176.0/22 Amazon
+52.82.180.0/22 Amazon
+52.82.184.0/23 Amazon
+52.82.187.0/24 Amazon
+52.82.188.0/22 Amazon
+52.82.192.0/18 Amazon
+52.83.0.0/16 Amazon
+52.84.0.0/15 Amazon
+52.86.0.0/15 Amazon
+52.88.0.0/15 Amazon
+52.90.0.0/15 Amazon
+52.92.0.0/17 Amazon
+52.92.128.0/17 Amazon
+52.93.0.0/24 Amazon
+52.93.1.0/24 Amazon
+52.93.2.0/24 Amazon
+52.93.3.0/24 Amazon
+52.93.4.0/24 Amazon
+52.93.5.0/24 Amazon
+52.93.8.0/22 Amazon
+52.93.12.12/32 Amazon
+52.93.12.13/32 Amazon
+52.93.14.18/32 Amazon
+52.93.14.19/32 Amazon
+52.93.16.0/24 Amazon
+52.93.17.0/24 Amazon
+52.93.18.178/32 Amazon
+52.93.18.179/32 Amazon
+52.93.19.236/32 Amazon
+52.93.19.237/32 Amazon
+52.93.20.0/24 Amazon
+52.93.21.14/32 Amazon
+52.93.21.15/32 Amazon
+52.93.32.176/32 Amazon
+52.93.32.179/32 Amazon
+52.93.32.180/32 Amazon
+52.93.34.40/32 Amazon
+52.93.34.42/32 Amazon
+52.93.34.56/32 Amazon
+52.93.34.57/32 Amazon
+52.93.34.120/31 Amazon
+52.93.34.122/31 Amazon
+52.93.34.124/31 Amazon
+52.93.34.126/31 Amazon
+52.93.35.212/32 Amazon
+52.93.35.213/32 Amazon
+52.93.37.222/32 Amazon
+52.93.37.223/32 Amazon
+52.93.38.0/24 Amazon
+52.93.43.0/24 Amazon
+52.93.48.0/24 Amazon
+52.93.50.128/32 Amazon
+52.93.50.129/32 Amazon
+52.93.50.130/32 Amazon
+52.93.50.131/32 Amazon
+52.93.50.132/31 Amazon
+52.93.50.134/31 Amazon
+52.93.50.136/31 Amazon
+52.93.50.138/31 Amazon
+52.93.50.140/31 Amazon
+52.93.50.142/31 Amazon
+52.93.50.144/31 Amazon
+52.93.50.146/31 Amazon
+52.93.50.148/31 Amazon
+52.93.50.150/31 Amazon
+52.93.50.152/31 Amazon
+52.93.50.154/31 Amazon
+52.93.50.156/31 Amazon
+52.93.50.158/31 Amazon
+52.93.50.160/31 Amazon
+52.93.50.162/31 Amazon
+52.93.50.164/31 Amazon
+52.93.50.166/31 Amazon
+52.93.50.168/31 Amazon
+52.93.50.170/31 Amazon
+52.93.50.172/31 Amazon
+52.93.50.174/31 Amazon
+52.93.50.176/31 Amazon
+52.93.50.178/31 Amazon
+52.93.50.180/31 Amazon
+52.93.50.182/31 Amazon
+52.93.50.184/31 Amazon
+52.93.50.186/31 Amazon
+52.93.50.188/31 Amazon
+52.93.50.190/31 Amazon
+52.93.50.192/31 Amazon
+52.93.50.194/31 Amazon
+52.93.51.28/32 Amazon
+52.93.51.29/32 Amazon
+52.93.55.144/31 Amazon
+52.93.55.146/31 Amazon
+52.93.55.148/31 Amazon
+52.93.55.152/31 Amazon
+52.93.55.154/31 Amazon
+52.93.55.156/31 Amazon
+52.93.55.158/31 Amazon
+52.93.55.160/31 Amazon
+52.93.55.162/31 Amazon
+52.93.55.164/31 Amazon
+52.93.55.166/31 Amazon
+52.93.56.0/24 Amazon
+52.93.57.0/24 Amazon
+52.93.58.32/28 Amazon
+52.93.59.0/24 Amazon
+52.93.60.0/24 Amazon
+52.93.62.0/24 Amazon
+52.93.63.0/24 Amazon
+52.93.64.0/24 Amazon
+52.93.66.0/24 Amazon
+52.93.67.0/24 Amazon
+52.93.69.0/24 Amazon
+52.93.71.37/32 Amazon
+52.93.73.0/26 Amazon
+52.93.75.0/24 Amazon
+52.93.76.0/24 Amazon
+52.93.78.0/24 Amazon
+52.93.80.0/24 Amazon
+52.93.81.0/24 Amazon
+52.93.87.96/27 Amazon
+52.93.91.96/32 Amazon
+52.93.91.97/32 Amazon
+52.93.91.98/32 Amazon
+52.93.91.99/32 Amazon
+52.93.91.100/32 Amazon
+52.93.91.101/32 Amazon
+52.93.91.102/32 Amazon
+52.93.91.103/32 Amazon
+52.93.91.104/32 Amazon
+52.93.91.105/32 Amazon
+52.93.91.106/32 Amazon
+52.93.91.107/32 Amazon
+52.93.91.108/32 Amazon
+52.93.91.109/32 Amazon
+52.93.91.110/32 Amazon
+52.93.91.111/32 Amazon
+52.93.91.112/32 Amazon
+52.93.91.113/32 Amazon
+52.93.91.114/32 Amazon
+52.93.91.115/32 Amazon
+52.93.92.64/31 Amazon
+52.93.92.66/31 Amazon
+52.93.92.68/31 Amazon
+52.93.92.70/31 Amazon
+52.93.92.72/31 Amazon
+52.93.92.74/31 Amazon
+52.93.96.0/24 Amazon
+52.93.97.0/24 Amazon
+52.93.98.0/24 Amazon
+52.93.99.0/24 Amazon
+52.93.112.0/24 Amazon
+52.93.120.176/32 Amazon
+52.93.120.177/32 Amazon
+52.93.120.178/32 Amazon
+52.93.120.179/32 Amazon
+52.93.121.187/32 Amazon
+52.93.121.188/32 Amazon
+52.93.121.189/32 Amazon
+52.93.121.190/32 Amazon
+52.93.121.195/32 Amazon
+52.93.121.196/32 Amazon
+52.93.121.197/32 Amazon
+52.93.121.198/32 Amazon
+52.93.122.131/32 Amazon
+52.93.122.202/32 Amazon
+52.93.122.203/32 Amazon
+52.93.122.218/32 Amazon
+52.93.122.255/32 Amazon
+52.93.123.6/32 Amazon
+52.93.123.11/32 Amazon
+52.93.123.98/32 Amazon
+52.93.123.99/32 Amazon
+52.93.123.136/32 Amazon
+52.93.123.255/32 Amazon
+52.93.124.14/32 Amazon
+52.93.124.15/32 Amazon
+52.93.124.96/32 Amazon
+52.93.124.97/32 Amazon
+52.93.124.210/32 Amazon
+52.93.124.211/32 Amazon
+52.93.124.212/32 Amazon
+52.93.124.213/32 Amazon
+52.93.125.42/32 Amazon
+52.93.125.43/32 Amazon
+52.93.126.76/32 Amazon
+52.93.126.122/32 Amazon
+52.93.126.123/32 Amazon
+52.93.126.132/32 Amazon
+52.93.126.133/32 Amazon
+52.93.126.134/32 Amazon
+52.93.126.135/32 Amazon
+52.93.126.136/32 Amazon
+52.93.126.137/32 Amazon
+52.93.126.138/32 Amazon
+52.93.126.139/32 Amazon
+52.93.126.144/32 Amazon
+52.93.126.145/32 Amazon
+52.93.126.146/32 Amazon
+52.93.126.147/32 Amazon
+52.93.126.198/32 Amazon
+52.93.126.199/32 Amazon
+52.93.126.204/32 Amazon
+52.93.126.205/32 Amazon
+52.93.126.206/32 Amazon
+52.93.126.207/32 Amazon
+52.93.126.212/32 Amazon
+52.93.126.213/32 Amazon
+52.93.126.214/32 Amazon
+52.93.126.215/32 Amazon
+52.93.126.234/32 Amazon
+52.93.126.235/32 Amazon
+52.93.126.244/32 Amazon
+52.93.126.245/32 Amazon
+52.93.126.250/32 Amazon
+52.93.126.251/32 Amazon
+52.93.127.17/32 Amazon
+52.93.127.18/32 Amazon
+52.93.127.19/32 Amazon
+52.93.127.24/32 Amazon
+52.93.127.25/32 Amazon
+52.93.127.26/32 Amazon
+52.93.127.27/32 Amazon
+52.93.127.68/32 Amazon
+52.93.127.69/32 Amazon
+52.93.127.70/32 Amazon
+52.93.127.71/32 Amazon
+52.93.127.92/32 Amazon
+52.93.127.93/32 Amazon
+52.93.127.94/32 Amazon
+52.93.127.95/32 Amazon
+52.93.127.96/32 Amazon
+52.93.127.97/32 Amazon
+52.93.127.98/32 Amazon
+52.93.127.99/32 Amazon
+52.93.127.100/32 Amazon
+52.93.127.101/32 Amazon
+52.93.127.102/32 Amazon
+52.93.127.103/32 Amazon
+52.93.127.104/32 Amazon
+52.93.127.105/32 Amazon
+52.93.127.106/32 Amazon
+52.93.127.107/32 Amazon
+52.93.127.108/32 Amazon
+52.93.127.109/32 Amazon
+52.93.127.110/32 Amazon
+52.93.127.111/32 Amazon
+52.93.127.112/32 Amazon
+52.93.127.113/32 Amazon
+52.93.127.114/32 Amazon
+52.93.127.115/32 Amazon
+52.93.127.116/32 Amazon
+52.93.127.117/32 Amazon
+52.93.127.118/32 Amazon
+52.93.127.119/32 Amazon
+52.93.127.120/32 Amazon
+52.93.127.121/32 Amazon
+52.93.127.122/32 Amazon
+52.93.127.123/32 Amazon
+52.93.127.124/32 Amazon
+52.93.127.125/32 Amazon
+52.93.127.126/32 Amazon
+52.93.127.127/32 Amazon
+52.93.127.128/32 Amazon
+52.93.127.129/32 Amazon
+52.93.127.130/32 Amazon
+52.93.127.131/32 Amazon
+52.93.127.132/32 Amazon
+52.93.127.133/32 Amazon
+52.93.127.138/32 Amazon
+52.93.127.139/32 Amazon
+52.93.127.146/32 Amazon
+52.93.127.147/32 Amazon
+52.93.127.148/32 Amazon
+52.93.127.149/32 Amazon
+52.93.127.152/32 Amazon
+52.93.127.153/32 Amazon
+52.93.127.154/32 Amazon
+52.93.127.155/32 Amazon
+52.93.127.156/32 Amazon
+52.93.127.157/32 Amazon
+52.93.127.158/32 Amazon
+52.93.127.159/32 Amazon
+52.93.127.160/32 Amazon
+52.93.127.161/32 Amazon
+52.93.127.162/32 Amazon
+52.93.127.163/32 Amazon
+52.93.127.164/32 Amazon
+52.93.127.165/32 Amazon
+52.93.127.166/32 Amazon
+52.93.127.167/32 Amazon
+52.93.127.168/32 Amazon
+52.93.127.169/32 Amazon
+52.93.127.172/32 Amazon
+52.93.127.173/32 Amazon
+52.93.127.174/32 Amazon
+52.93.127.175/32 Amazon
+52.93.127.176/32 Amazon
+52.93.127.177/32 Amazon
+52.93.127.178/32 Amazon
+52.93.127.179/32 Amazon
+52.93.127.180/32 Amazon
+52.93.127.181/32 Amazon
+52.93.127.182/32 Amazon
+52.93.127.183/32 Amazon
+52.93.127.184/32 Amazon
+52.93.127.185/32 Amazon
+52.93.127.194/32 Amazon
+52.93.127.195/32 Amazon
+52.93.127.196/32 Amazon
+52.93.127.197/32 Amazon
+52.93.127.198/32 Amazon
+52.93.127.199/32 Amazon
+52.93.127.200/32 Amazon
+52.93.127.201/32 Amazon
+52.93.127.202/32 Amazon
+52.93.127.203/32 Amazon
+52.93.127.204/32 Amazon
+52.93.127.205/32 Amazon
+52.93.127.206/32 Amazon
+52.93.127.207/32 Amazon
+52.93.127.216/32 Amazon
+52.93.127.217/32 Amazon
+52.93.127.218/32 Amazon
+52.93.127.219/32 Amazon
+52.93.127.220/32 Amazon
+52.93.127.221/32 Amazon
+52.93.127.232/32 Amazon
+52.93.127.237/32 Amazon
+52.93.127.238/32 Amazon
+52.93.127.239/32 Amazon
+52.93.127.244/32 Amazon
+52.93.127.245/32 Amazon
+52.93.127.246/32 Amazon
+52.93.127.247/32 Amazon
+52.93.127.248/32 Amazon
+52.93.127.249/32 Amazon
+52.93.127.250/32 Amazon
+52.93.127.251/32 Amazon
+52.93.127.252/32 Amazon
+52.93.127.253/32 Amazon
+52.93.127.254/32 Amazon
+52.93.127.255/32 Amazon
+52.93.129.95/32 Amazon
+52.93.131.217/32 Amazon
+52.93.133.127/32 Amazon
+52.93.133.129/32 Amazon
+52.93.133.131/32 Amazon
+52.93.133.133/32 Amazon
+52.93.133.153/32 Amazon
+52.93.133.155/32 Amazon
+52.93.133.175/32 Amazon
+52.93.133.177/32 Amazon
+52.93.133.179/32 Amazon
+52.93.133.181/32 Amazon
+52.93.134.181/32 Amazon
+52.93.135.195/32 Amazon
+52.93.137.0/24 Amazon
+52.93.138.252/32 Amazon
+52.93.138.253/32 Amazon
+52.93.139.252/32 Amazon
+52.93.139.253/32 Amazon
+52.93.141.212/32 Amazon
+52.93.141.213/32 Amazon
+52.93.141.214/31 Amazon
+52.93.141.216/31 Amazon
+52.93.141.218/31 Amazon
+52.93.141.220/31 Amazon
+52.93.141.222/31 Amazon
+52.93.141.224/31 Amazon
+52.93.141.226/31 Amazon
+52.93.141.228/31 Amazon
+52.93.141.230/31 Amazon
+52.93.141.232/31 Amazon
+52.93.141.234/31 Amazon
+52.93.141.236/31 Amazon
+52.93.141.238/31 Amazon
+52.93.141.240/31 Amazon
+52.93.141.242/31 Amazon
+52.93.141.244/31 Amazon
+52.93.146.5/32 Amazon
+52.93.149.0/24 Amazon
+52.93.150.0/24 Amazon
+52.93.151.0/24 Amazon
+52.93.153.80/32 Amazon
+52.93.153.148/32 Amazon
+52.93.153.149/32 Amazon
+52.93.153.168/32 Amazon
+52.93.153.169/32 Amazon
+52.93.153.170/32 Amazon
+52.93.153.171/32 Amazon
+52.93.153.172/32 Amazon
+52.93.153.173/32 Amazon
+52.93.153.174/32 Amazon
+52.93.153.175/32 Amazon
+52.93.153.176/32 Amazon
+52.93.153.177/32 Amazon
+52.93.153.178/32 Amazon
+52.93.153.179/32 Amazon
+52.93.156.0/22 Amazon
+52.93.178.128/32 Amazon
+52.93.178.129/32 Amazon
+52.93.178.130/32 Amazon
+52.93.178.131/32 Amazon
+52.93.178.132/32 Amazon
+52.93.178.133/32 Amazon
+52.93.178.134/32 Amazon
+52.93.178.135/32 Amazon
+52.93.178.136/32 Amazon
+52.93.178.137/32 Amazon
+52.93.178.138/32 Amazon
+52.93.178.139/32 Amazon
+52.93.178.140/32 Amazon
+52.93.178.141/32 Amazon
+52.93.178.142/32 Amazon
+52.93.178.143/32 Amazon
+52.93.178.144/32 Amazon
+52.93.178.145/32 Amazon
+52.93.178.146/32 Amazon
+52.93.178.147/32 Amazon
+52.93.178.148/32 Amazon
+52.93.178.149/32 Amazon
+52.93.178.150/32 Amazon
+52.93.178.151/32 Amazon
+52.93.178.152/32 Amazon
+52.93.178.153/32 Amazon
+52.93.178.154/32 Amazon
+52.93.178.155/32 Amazon
+52.93.178.156/32 Amazon
+52.93.178.157/32 Amazon
+52.93.178.158/32 Amazon
+52.93.178.159/32 Amazon
+52.93.178.160/32 Amazon
+52.93.178.161/32 Amazon
+52.93.178.162/32 Amazon
+52.93.178.163/32 Amazon
+52.93.178.164/32 Amazon
+52.93.178.165/32 Amazon
+52.93.178.166/32 Amazon
+52.93.178.167/32 Amazon
+52.93.178.168/32 Amazon
+52.93.178.169/32 Amazon
+52.93.178.170/32 Amazon
+52.93.178.171/32 Amazon
+52.93.178.172/32 Amazon
+52.93.178.173/32 Amazon
+52.93.178.174/32 Amazon
+52.93.178.175/32 Amazon
+52.93.178.176/32 Amazon
+52.93.178.177/32 Amazon
+52.93.178.178/32 Amazon
+52.93.178.179/32 Amazon
+52.93.178.180/32 Amazon
+52.93.178.181/32 Amazon
+52.93.178.182/32 Amazon
+52.93.178.183/32 Amazon
+52.93.178.184/32 Amazon
+52.93.178.185/32 Amazon
+52.93.178.186/32 Amazon
+52.93.178.187/32 Amazon
+52.93.178.188/32 Amazon
+52.93.178.189/32 Amazon
+52.93.178.190/32 Amazon
+52.93.178.191/32 Amazon
+52.93.178.192/32 Amazon
+52.93.178.193/32 Amazon
+52.93.178.194/32 Amazon
+52.93.178.195/32 Amazon
+52.93.178.196/32 Amazon
+52.93.178.197/32 Amazon
+52.93.178.198/32 Amazon
+52.93.178.199/32 Amazon
+52.93.178.200/32 Amazon
+52.93.178.201/32 Amazon
+52.93.178.202/32 Amazon
+52.93.178.203/32 Amazon
+52.93.178.204/32 Amazon
+52.93.178.205/32 Amazon
+52.93.178.206/32 Amazon
+52.93.178.207/32 Amazon
+52.93.178.208/32 Amazon
+52.93.178.209/32 Amazon
+52.93.178.210/32 Amazon
+52.93.178.211/32 Amazon
+52.93.178.212/32 Amazon
+52.93.178.213/32 Amazon
+52.93.178.214/32 Amazon
+52.93.178.215/32 Amazon
+52.93.178.216/32 Amazon
+52.93.178.217/32 Amazon
+52.93.178.218/32 Amazon
+52.93.178.219/32 Amazon
+52.93.178.220/32 Amazon
+52.93.178.221/32 Amazon
+52.93.178.222/32 Amazon
+52.93.178.223/32 Amazon
+52.93.178.224/32 Amazon
+52.93.178.225/32 Amazon
+52.93.178.226/32 Amazon
+52.93.178.227/32 Amazon
+52.93.178.228/32 Amazon
+52.93.178.229/32 Amazon
+52.93.178.230/32 Amazon
+52.93.178.231/32 Amazon
+52.93.178.232/32 Amazon
+52.93.178.233/32 Amazon
+52.93.178.234/32 Amazon
+52.93.178.235/32 Amazon
+52.93.193.192/32 Amazon
+52.93.193.193/32 Amazon
+52.93.193.194/32 Amazon
+52.93.193.195/32 Amazon
+52.93.193.196/32 Amazon
+52.93.193.197/32 Amazon
+52.93.193.198/32 Amazon
+52.93.193.199/32 Amazon
+52.93.193.200/32 Amazon
+52.93.193.201/32 Amazon
+52.93.193.202/32 Amazon
+52.93.193.203/32 Amazon
+52.93.198.0/25 Amazon
+52.93.229.148/32 Amazon
+52.93.229.149/32 Amazon
+52.93.236.0/24 Amazon
+52.93.237.0/24 Amazon
+52.93.240.146/31 Amazon
+52.93.240.148/31 Amazon
+52.93.240.150/31 Amazon
+52.93.240.152/31 Amazon
+52.93.240.154/31 Amazon
+52.93.240.156/31 Amazon
+52.93.240.158/31 Amazon
+52.93.240.160/31 Amazon
+52.93.240.162/31 Amazon
+52.93.240.164/31 Amazon
+52.93.240.166/31 Amazon
+52.93.240.168/31 Amazon
+52.93.240.170/31 Amazon
+52.93.240.172/31 Amazon
+52.93.240.174/31 Amazon
+52.93.240.176/31 Amazon
+52.93.240.178/31 Amazon
+52.93.240.180/31 Amazon
+52.93.240.182/31 Amazon
+52.93.240.184/31 Amazon
+52.93.240.186/31 Amazon
+52.93.240.188/31 Amazon
+52.93.240.190/31 Amazon
+52.93.240.192/31 Amazon
+52.93.240.194/31 Amazon
+52.93.240.196/31 Amazon
+52.93.240.198/31 Amazon
+52.93.240.200/31 Amazon
+52.93.240.202/31 Amazon
+52.93.240.204/31 Amazon
+52.93.245.0/24 Amazon
+52.93.247.0/25 Amazon
+52.93.248.0/24 Amazon
+52.93.249.0/24 Amazon
+52.93.250.0/23 Amazon
+52.93.254.0/24 Amazon
+52.94.0.0/22 Amazon
+52.94.4.0/24 Amazon
+52.94.5.0/24 Amazon
+52.94.6.0/24 Amazon
+52.94.7.0/24 Amazon
+52.94.8.0/24 Amazon
+52.94.9.0/24 Amazon
+52.94.10.0/24 Amazon
+52.94.11.0/24 Amazon
+52.94.12.0/24 Amazon
+52.94.13.0/24 Amazon
+52.94.14.0/24 Amazon
+52.94.15.0/24 Amazon
+52.94.16.0/24 Amazon
+52.94.17.0/24 Amazon
+52.94.18.0/24 Amazon
+52.94.19.0/24 Amazon
+52.94.20.0/24 Amazon
+52.94.22.0/24 Amazon
+52.94.23.0/24 Amazon
+52.94.24.0/23 Amazon
+52.94.26.0/23 Amazon
+52.94.28.0/23 Amazon
+52.94.30.0/24 Amazon
+52.94.32.0/20 Amazon
+52.94.48.0/20 Amazon
+52.94.64.0/22 Amazon
+52.94.68.0/24 Amazon
+52.94.69.0/24 Amazon
+52.94.72.0/22 Amazon
+52.94.76.0/22 Amazon
+52.94.80.0/20 Amazon
+52.94.96.0/20 Amazon
+52.94.112.0/22 Amazon
+52.94.116.0/22 Amazon
+52.94.120.0/22 Amazon
+52.94.124.0/22 Amazon
+52.94.128.0/22 Amazon
+52.94.132.0/22 Amazon
+52.94.136.0/21 Amazon
+52.94.148.0/22 Amazon
+52.94.152.3/32 Amazon
+52.94.152.9/32 Amazon
+52.94.152.11/32 Amazon
+52.94.152.12/32 Amazon
+52.94.152.44/32 Amazon
+52.94.152.60/32 Amazon
+52.94.152.61/32 Amazon
+52.94.152.62/32 Amazon
+52.94.152.63/32 Amazon
+52.94.152.64/32 Amazon
+52.94.152.65/32 Amazon
+52.94.152.66/32 Amazon
+52.94.152.67/32 Amazon
+52.94.152.68/32 Amazon
+52.94.152.69/32 Amazon
+52.94.160.0/20 Amazon
+52.94.176.0/20 Amazon
+52.94.192.0/22 Amazon
+52.94.196.0/24 Amazon
+52.94.197.0/24 Amazon
+52.94.198.0/28 Amazon
+52.94.198.16/28 Amazon
+52.94.198.32/28 Amazon
+52.94.198.48/28 Amazon
+52.94.198.64/28 Amazon
+52.94.198.80/28 Amazon
+52.94.198.96/28 Amazon
+52.94.198.112/28 Amazon
+52.94.198.128/28 Amazon
+52.94.198.144/28 Amazon
+52.94.199.0/24 Amazon
+52.94.200.0/24 Amazon
+52.94.201.0/26 Amazon
+52.94.204.0/23 Amazon
+52.94.206.0/23 Amazon
+52.94.208.0/21 Amazon
+52.94.216.0/21 Amazon
+52.94.224.0/20 Amazon
+52.94.240.0/22 Amazon
+52.94.244.0/22 Amazon
+52.94.248.0/28 Amazon
+52.94.248.16/28 Amazon
+52.94.248.32/28 Amazon
+52.94.248.48/28 Amazon
+52.94.248.64/28 Amazon
+52.94.248.80/28 Amazon
+52.94.248.96/28 Amazon
+52.94.248.112/28 Amazon
+52.94.248.128/28 Amazon
+52.94.248.144/28 Amazon
+52.94.248.160/28 Amazon
+52.94.248.176/28 Amazon
+52.94.248.192/28 Amazon
+52.94.248.208/28 Amazon
+52.94.248.224/28 Amazon
+52.94.249.32/28 Amazon
+52.94.249.48/28 Amazon
+52.94.249.64/28 Amazon
+52.94.249.80/28 Amazon
+52.94.249.96/28 Amazon
+52.94.249.112/28 Amazon
+52.94.249.128/28 Amazon
+52.94.249.144/28 Amazon
+52.94.249.160/28 Amazon
+52.94.249.176/28 Amazon
+52.94.249.192/28 Amazon
+52.94.249.208/28 Amazon
+52.94.249.224/28 Amazon
+52.94.249.240/28 Amazon
+52.94.250.0/28 Amazon
+52.94.250.16/28 Amazon
+52.94.252.0/23 Amazon
+52.94.254.0/23 Amazon
+52.95.0.0/20 Amazon
+52.95.16.0/21 Amazon
+52.95.24.0/22 Amazon
+52.95.28.0/24 Amazon
+52.95.29.0/26 Amazon
+52.95.30.0/23 Amazon
+52.95.34.0/24 Amazon
+52.95.35.0/24 Amazon
+52.95.36.0/22 Amazon
+52.95.40.0/24 Amazon
+52.95.41.0/24 Amazon
+52.95.42.0/24 Amazon
+52.95.48.0/22 Amazon
+52.95.52.0/22 Amazon
+52.95.56.0/22 Amazon
+52.95.60.0/24 Amazon
+52.95.61.0/24 Amazon
+52.95.62.0/24 Amazon
+52.95.63.0/24 Amazon
+52.95.64.0/20 Amazon
+52.95.80.0/20 Amazon
+52.95.96.0/22 Amazon
+52.95.100.0/22 Amazon
+52.95.104.0/22 Amazon
+52.95.108.0/23 Amazon
+52.95.110.0/24 Amazon
+52.95.111.0/24 Amazon
+52.95.112.0/20 Amazon
+52.95.128.0/21 Amazon
+52.95.136.0/23 Amazon
+52.95.138.0/24 Amazon
+52.95.139.0/24 Amazon
+52.95.140.0/23 Amazon
+52.95.142.0/23 Amazon
+52.95.144.0/24 Amazon
+52.95.145.0/24 Amazon
+52.95.146.0/23 Amazon
+52.95.148.0/23 Amazon
+52.95.150.0/24 Amazon
+52.95.151.0/24 Amazon
+52.95.152.0/23 Amazon
+52.95.154.0/23 Amazon
+52.95.156.0/24 Amazon
+52.95.157.0/24 Amazon
+52.95.158.0/23 Amazon
+52.95.160.0/23 Amazon
+52.95.162.0/24 Amazon
+52.95.163.0/24 Amazon
+52.95.164.0/23 Amazon
+52.95.166.0/23 Amazon
+52.95.168.0/24 Amazon
+52.95.169.0/24 Amazon
+52.95.170.0/23 Amazon
+52.95.172.0/23 Amazon
+52.95.174.0/24 Amazon
+52.95.175.0/24 Amazon
+52.95.176.0/24 Amazon
+52.95.177.0/24 Amazon
+52.95.178.0/23 Amazon
+52.95.180.0/24 Amazon
+52.95.181.0/24 Amazon
+52.95.182.0/23 Amazon
+52.95.184.0/23 Amazon
+52.95.186.0/24 Amazon
+52.95.187.0/24 Amazon
+52.95.188.0/23 Amazon
+52.95.190.0/24 Amazon
+52.95.192.0/20 Amazon
+52.95.208.0/22 Amazon
+52.95.212.0/22 Amazon
+52.95.216.0/22 Amazon
+52.95.224.0/24 Amazon
+52.95.225.0/24 Amazon
+52.95.226.0/24 Amazon
+52.95.227.0/24 Amazon
+52.95.228.0/24 Amazon
+52.95.229.0/24 Amazon
+52.95.230.0/24 Amazon
+52.95.235.0/24 Amazon
+52.95.239.0/24 Amazon
+52.95.240.0/24 Amazon
+52.95.241.0/24 Amazon
+52.95.242.0/24 Amazon
+52.95.243.0/24 Amazon
+52.95.244.0/24 Amazon
+52.95.245.0/24 Amazon
+52.95.246.0/24 Amazon
+52.95.247.0/24 Amazon
+52.95.248.0/24 Amazon
+52.95.249.0/24 Amazon
+52.95.250.0/24 Amazon
+52.95.251.0/24 Amazon
+52.95.252.0/24 Amazon
+52.95.253.0/24 Amazon
+52.95.254.0/24 Amazon
+52.95.255.0/28 Amazon
+52.95.255.16/28 Amazon
+52.95.255.32/28 Amazon
+52.95.255.48/28 Amazon
+52.95.255.64/28 Amazon
+52.95.255.80/28 Amazon
+52.95.255.96/28 Amazon
+52.95.255.112/28 Amazon
+52.95.255.128/28 Amazon
+52.95.255.144/28 Amazon
+52.119.128.0/20 Amazon
+52.119.144.0/21 Amazon
+52.119.152.0/22 Amazon
+52.119.156.0/22 Amazon
+52.119.160.0/20 Amazon
+52.119.176.0/21 Amazon
+52.119.184.0/22 Amazon
+52.119.188.0/22 Amazon
+52.119.192.0/22 Amazon
+52.119.196.0/22 Amazon
+52.119.205.0/24 Amazon
+52.119.206.0/23 Amazon
+52.119.208.0/23 Amazon
+52.119.210.0/23 Amazon
+52.119.212.0/23 Amazon
+52.119.214.0/23 Amazon
+52.119.216.0/21 Amazon
+52.119.224.0/21 Amazon
+52.119.232.0/21 Amazon
+52.119.240.0/21 Amazon
+52.119.248.0/24 Amazon
+52.119.249.0/24 Amazon
+52.119.252.0/22 Amazon
+52.124.128.0/17 Amazon
+52.144.133.32/27 Amazon
+52.144.192.0/26 Amazon
+52.144.192.64/26 Amazon
+52.144.192.128/26 Amazon
+52.144.192.192/26 Amazon
+52.144.193.0/26 Amazon
+52.144.193.64/26 Amazon
+52.144.193.128/26 Amazon
+52.144.194.0/26 Amazon
+52.144.194.64/26 Amazon
+52.144.194.128/26 Amazon
+52.144.194.192/26 Amazon
+52.144.195.0/26 Amazon
+52.144.196.192/26 Amazon
+52.144.197.128/26 Amazon
+52.144.197.192/26 Amazon
+52.144.199.128/26 Amazon
+52.144.200.64/26 Amazon
+52.144.200.128/26 Amazon
+52.144.201.64/26 Amazon
+52.144.201.128/26 Amazon
+52.144.205.0/26 Amazon
+52.144.208.0/31 Amazon
+52.144.208.2/31 Amazon
+52.144.208.64/26 Amazon
+52.144.208.128/26 Amazon
+52.144.208.192/26 Amazon
+52.144.209.0/26 Amazon
+52.144.209.64/26 Amazon
+52.144.209.128/26 Amazon
+52.144.209.192/26 Amazon
+52.144.210.0/26 Amazon
+52.144.210.64/26 Amazon
+52.144.210.128/26 Amazon
+52.144.210.192/26 Amazon
+52.144.211.0/26 Amazon
+52.144.211.64/26 Amazon
+52.144.211.128/26 Amazon
+52.144.211.192/31 Amazon
+52.144.211.194/31 Amazon
+52.144.211.196/31 Amazon
+52.144.211.198/31 Amazon
+52.144.211.200/31 Amazon
+52.144.211.202/31 Amazon
+52.144.212.64/26 Amazon
+52.144.212.192/26 Amazon
+52.144.213.64/26 Amazon
+52.144.214.128/26 Amazon
+52.144.215.0/31 Amazon
+52.144.215.2/31 Amazon
+52.144.215.192/31 Amazon
+52.144.215.194/31 Amazon
+52.144.215.196/31 Amazon
+52.144.215.198/31 Amazon
+52.144.215.200/31 Amazon
+52.144.215.202/31 Amazon
+52.144.216.0/31 Amazon
+52.144.216.2/31 Amazon
+52.144.216.4/31 Amazon
+52.144.216.6/31 Amazon
+52.144.216.8/31 Amazon
+52.144.216.10/31 Amazon
+52.144.218.0/26 Amazon
+52.144.218.64/26 Amazon
+52.144.223.64/26 Amazon
+52.144.223.128/26 Amazon
+52.144.224.64/26 Amazon
+52.144.224.128/26 Amazon
+52.144.224.192/26 Amazon
+52.144.225.0/26 Amazon
+52.144.225.64/26 Amazon
+52.144.225.128/26 Amazon
+52.144.227.64/26 Amazon
+52.144.227.192/26 Amazon
+52.144.228.0/31 Amazon
+52.144.228.2/31 Amazon
+52.144.228.64/26 Amazon
+52.144.228.128/26 Amazon
+52.144.228.192/26 Amazon
+52.144.229.0/26 Amazon
+52.144.229.64/26 Amazon
+52.144.230.0/26 Amazon
+52.144.231.64/26 Amazon
+52.144.233.64/31 Amazon
+52.144.233.66/31 Amazon
+52.144.233.68/31 Amazon
+52.144.233.70/31 Amazon
+52.144.233.128/31 Amazon
+52.144.233.130/31 Amazon
+52.144.233.132/31 Amazon
+52.144.233.134/31 Amazon
+52.144.233.192/26 Amazon
+52.192.0.0/15 Amazon
+52.194.0.0/15 Amazon
+52.196.0.0/14 Amazon
+52.200.0.0/13 Amazon
+52.208.0.0/13 Amazon
+52.216.0.0/15 Amazon
+52.218.0.0/17 Amazon
+52.218.128.0/17 Amazon
+52.219.0.0/20 Amazon
+52.219.16.0/22 Amazon
+52.219.24.0/21 Amazon
+52.219.32.0/21 Amazon
+52.219.40.0/22 Amazon
+52.219.44.0/22 Amazon
+52.219.56.0/22 Amazon
+52.219.60.0/23 Amazon
+52.219.62.0/23 Amazon
+52.219.64.0/22 Amazon
+52.219.68.0/22 Amazon
+52.219.72.0/22 Amazon
+52.219.80.0/20 Amazon
+52.219.96.0/20 Amazon
+52.219.112.0/21 Amazon
+52.219.120.0/22 Amazon
+52.219.124.0/22 Amazon
+52.219.128.0/22 Amazon
+52.219.132.0/22 Amazon
+52.219.136.0/22 Amazon
+52.219.140.0/24 Amazon
+52.219.141.0/24 Amazon
+52.219.142.0/24 Amazon
+52.219.143.0/24 Amazon
+52.219.144.0/22 Amazon
+52.219.148.0/23 Amazon
+52.219.152.0/22 Amazon
+52.219.156.0/22 Amazon
+52.219.160.0/23 Amazon
+52.219.164.0/22 Amazon
+52.219.168.0/24 Amazon
+52.219.169.0/24 Amazon
+52.219.170.0/23 Amazon
+52.219.172.0/22 Amazon
+52.219.176.0/22 Amazon
+52.219.180.0/22 Amazon
+52.219.184.0/21 Amazon
+52.219.192.0/23 Amazon
+52.219.194.0/24 Amazon
+52.219.195.0/24 Amazon
+52.219.196.0/22 Amazon
+52.219.200.0/24 Amazon
+52.219.202.0/23 Amazon
+52.219.204.0/22 Amazon
+52.220.0.0/15 Amazon
+52.222.0.0/17 Amazon
+52.222.128.0/17 Amazon
+52.223.0.0/17 Amazon
+54.64.0.0/15 Amazon
+54.66.0.0/16 Amazon
+54.67.0.0/16 Amazon
+54.68.0.0/14 Amazon
+54.72.0.0/15 Amazon
+54.74.0.0/15 Amazon
+54.76.0.0/15 Amazon
+54.78.0.0/16 Amazon
+54.79.0.0/16 Amazon
+54.80.0.0/13 Amazon
+54.88.0.0/14 Amazon
+54.92.0.0/17 Amazon
+54.92.128.0/17 Amazon
+54.93.0.0/16 Amazon
+54.94.0.0/16 Amazon
+54.95.0.0/16 Amazon
+54.144.0.0/14 Amazon
+54.148.0.0/15 Amazon
+54.150.0.0/16 Amazon
+54.151.0.0/17 Amazon
+54.151.128.0/17 Amazon
+54.152.0.0/16 Amazon
+54.153.0.0/17 Amazon
+54.153.128.0/17 Amazon
+54.154.0.0/16 Amazon
+54.155.0.0/16 Amazon
+54.156.0.0/14 Amazon
+54.160.0.0/13 Amazon
+54.168.0.0/16 Amazon
+54.169.0.0/16 Amazon
+54.170.0.0/15 Amazon
+54.172.0.0/15 Amazon
+54.174.0.0/15 Amazon
+54.176.0.0/15 Amazon
+54.178.0.0/16 Amazon
+54.179.0.0/16 Amazon
+54.180.0.0/15 Amazon
+54.182.0.0/16 Amazon
+54.183.0.0/16 Amazon
+54.184.0.0/13 Amazon
+54.192.0.0/16 Amazon
+54.193.0.0/16 Amazon
+54.194.0.0/15 Amazon
+54.196.0.0/15 Amazon
+54.198.0.0/16 Amazon
+54.199.0.0/16 Amazon
+54.200.0.0/15 Amazon
+54.202.0.0/15 Amazon
+54.204.0.0/15 Amazon
+54.206.0.0/16 Amazon
+54.207.0.0/16 Amazon
+54.208.0.0/15 Amazon
+54.210.0.0/15 Amazon
+54.212.0.0/15 Amazon
+54.214.0.0/16 Amazon
+54.215.0.0/16 Amazon
+54.216.0.0/15 Amazon
+54.218.0.0/16 Amazon
+54.219.0.0/16 Amazon
+54.220.0.0/16 Amazon
+54.221.0.0/16 Amazon
+54.222.0.0/19 Amazon
+54.222.32.0/22 Amazon
+54.222.36.0/22 Amazon
+54.222.48.0/22 Amazon
+54.222.52.0/22 Amazon
+54.222.57.0/24 Amazon
+54.222.58.0/28 Amazon
+54.222.58.32/28 Amazon
+54.222.58.48/28 Amazon
+54.222.59.0/24 Amazon
+54.222.64.0/23 Amazon
+54.222.66.0/23 Amazon
+54.222.68.0/23 Amazon
+54.222.70.0/24 Amazon
+54.222.71.0/24 Amazon
+54.222.76.0/22 Amazon
+54.222.80.0/21 Amazon
+54.222.128.0/17 Amazon
+54.223.0.0/16 Amazon
+54.224.0.0/15 Amazon
+54.226.0.0/15 Amazon
+54.228.0.0/16 Amazon
+54.229.0.0/16 Amazon
+54.230.0.0/17 Amazon
+54.230.128.0/18 Amazon
+54.230.192.0/21 Amazon
+54.230.200.0/21 Amazon
+54.230.208.0/20 Amazon
+54.230.224.0/19 Amazon
+54.231.0.0/16 Amazon
+54.232.0.0/16 Amazon
+54.233.0.0/18 Amazon
+54.233.64.0/18 Amazon
+54.233.128.0/17 Amazon
+54.234.0.0/15 Amazon
+54.236.0.0/15 Amazon
+54.238.0.0/16 Amazon
+54.239.0.0/28 Amazon
+54.239.0.16/28 Amazon
+54.239.0.32/28 Amazon
+54.239.0.48/28 Amazon
+54.239.0.64/28 Amazon
+54.239.0.80/28 Amazon
+54.239.0.96/28 Amazon
+54.239.0.112/28 Amazon
+54.239.0.128/28 Amazon
+54.239.0.144/28 Amazon
+54.239.0.160/28 Amazon
+54.239.0.176/28 Amazon
+54.239.0.192/28 Amazon
+54.239.0.208/28 Amazon
+54.239.0.224/28 Amazon
+54.239.0.240/28 Amazon
+54.239.1.0/28 Amazon
+54.239.1.16/28 Amazon
+54.239.1.32/28 Amazon
+54.239.1.48/28 Amazon
+54.239.1.64/28 Amazon
+54.239.1.80/28 Amazon
+54.239.1.96/28 Amazon
+54.239.1.112/28 Amazon
+54.239.1.128/28 Amazon
+54.239.1.144/28 Amazon
+54.239.1.160/28 Amazon
+54.239.1.176/28 Amazon
+54.239.1.192/28 Amazon
+54.239.1.208/28 Amazon
+54.239.1.224/28 Amazon
+54.239.2.0/23 Amazon
+54.239.4.0/22 Amazon
+54.239.8.0/21 Amazon
+54.239.16.0/20 Amazon
+54.239.32.0/21 Amazon
+54.239.40.152/29 Amazon
+54.239.48.0/22 Amazon
+54.239.52.0/23 Amazon
+54.239.54.0/23 Amazon
+54.239.56.0/21 Amazon
+54.239.64.0/21 Amazon
+54.239.96.0/24 Amazon
+54.239.98.0/24 Amazon
+54.239.99.0/24 Amazon
+54.239.100.0/23 Amazon
+54.239.102.162/31 Amazon
+54.239.102.232/31 Amazon
+54.239.102.234/31 Amazon
+54.239.102.236/31 Amazon
+54.239.104.0/23 Amazon
+54.239.106.0/23 Amazon
+54.239.108.0/22 Amazon
+54.239.112.0/24 Amazon
+54.239.113.0/24 Amazon
+54.239.115.0/25 Amazon
+54.239.116.0/22 Amazon
+54.239.120.0/21 Amazon
+54.239.128.0/18 Amazon
+54.239.192.0/19 Amazon
+54.240.17.0/24 Amazon
+54.240.128.0/18 Amazon
+54.240.192.0/22 Amazon
+54.240.196.0/24 Amazon
+54.240.197.0/24 Amazon
+54.240.198.0/24 Amazon
+54.240.199.0/24 Amazon
+54.240.200.0/24 Amazon
+54.240.202.0/24 Amazon
+54.240.203.0/24 Amazon
+54.240.204.0/22 Amazon
+54.240.208.0/22 Amazon
+54.240.212.0/22 Amazon
+54.240.216.0/22 Amazon
+54.240.220.0/22 Amazon
+54.240.225.0/24 Amazon
+54.240.226.0/24 Amazon
+54.240.227.0/24 Amazon
+54.240.228.0/23 Amazon
+54.240.230.0/23 Amazon
+54.240.232.0/22 Amazon
+54.240.236.1/32 Amazon
+54.240.236.2/32 Amazon
+54.240.236.5/32 Amazon
+54.240.236.6/32 Amazon
+54.240.236.9/32 Amazon
+54.240.236.10/32 Amazon
+54.240.236.13/32 Amazon
+54.240.236.14/32 Amazon
+54.240.236.17/32 Amazon
+54.240.236.18/32 Amazon
+54.240.236.21/32 Amazon
+54.240.236.22/32 Amazon
+54.240.236.25/32 Amazon
+54.240.236.26/32 Amazon
+54.240.236.29/32 Amazon
+54.240.236.30/32 Amazon
+54.240.236.33/32 Amazon
+54.240.236.34/32 Amazon
+54.240.236.37/32 Amazon
+54.240.236.38/32 Amazon
+54.240.236.41/32 Amazon
+54.240.236.42/32 Amazon
+54.240.236.45/32 Amazon
+54.240.236.46/32 Amazon
+54.240.236.49/32 Amazon
+54.240.236.50/32 Amazon
+54.240.236.53/32 Amazon
+54.240.236.54/32 Amazon
+54.240.236.57/32 Amazon
+54.240.236.58/32 Amazon
+54.240.236.61/32 Amazon
+54.240.236.62/32 Amazon
+54.240.236.65/32 Amazon
+54.240.236.66/32 Amazon
+54.240.236.69/32 Amazon
+54.240.236.70/32 Amazon
+54.240.236.73/32 Amazon
+54.240.236.74/32 Amazon
+54.240.236.77/32 Amazon
+54.240.236.78/32 Amazon
+54.240.236.81/32 Amazon
+54.240.236.82/32 Amazon
+54.240.236.85/32 Amazon
+54.240.236.86/32 Amazon
+54.240.236.89/32 Amazon
+54.240.236.90/32 Amazon
+54.240.236.93/32 Amazon
+54.240.236.94/32 Amazon
+54.240.241.0/24 Amazon
+54.240.244.0/22 Amazon
+54.240.248.0/21 Amazon
+54.241.0.0/16 Amazon
+54.242.0.0/15 Amazon
+54.244.0.0/16 Amazon
+54.245.0.0/16 Amazon
+54.246.0.0/16 Amazon
+54.247.0.0/16 Amazon
+54.248.0.0/15 Amazon
+54.250.0.0/16 Amazon
+54.251.0.0/16 Amazon
+54.252.0.0/16 Amazon
+54.253.0.0/16 Amazon
+54.254.0.0/16 Amazon
+54.255.0.0/16 Amazon
+58.254.138.0/25 Amazon
+58.254.138.128/26 Amazon
+63.32.0.0/14 Amazon
+63.246.112.0/24 Amazon
+63.246.113.0/24 Amazon
+63.246.114.0/23 Amazon
+63.246.119.0/24 Amazon
+64.187.128.0/20 Amazon
+64.252.64.0/18 Amazon
+64.252.128.0/18 Amazon
+65.0.0.0/14 Amazon
+65.8.0.0/16 Amazon
+65.9.0.0/17 Amazon
+65.9.128.0/18 Amazon
+67.202.0.0/18 Amazon
+67.220.224.0/20 Amazon
+67.220.240.0/20 Amazon
+68.66.112.0/20 Amazon
+68.79.0.0/18 Amazon
+69.107.3.176/29 Amazon
+69.107.3.184/29 Amazon
+69.107.6.112/29 Amazon
+69.107.6.120/29 Amazon
+69.107.6.160/29 Amazon
+69.107.6.168/29 Amazon
+69.107.6.200/29 Amazon
+69.107.6.208/29 Amazon
+69.107.6.216/29 Amazon
+69.107.6.224/29 Amazon
+69.107.7.0/29 Amazon
+69.107.7.8/29 Amazon
+69.107.7.16/29 Amazon
+69.107.7.32/29 Amazon
+69.107.7.40/29 Amazon
+69.107.7.48/29 Amazon
+69.107.7.56/29 Amazon
+69.107.7.64/29 Amazon
+69.107.7.72/29 Amazon
+69.107.7.80/29 Amazon
+69.107.7.88/29 Amazon
+69.107.7.96/29 Amazon
+69.107.7.104/29 Amazon
+69.107.7.112/29 Amazon
+69.107.7.120/29 Amazon
+69.107.7.128/29 Amazon
+69.107.7.136/29 Amazon
+69.230.192.0/18 Amazon
+69.231.128.0/18 Amazon
+69.234.192.0/18 Amazon
+69.235.128.0/18 Amazon
+70.132.0.0/18 Amazon
+70.224.192.0/18 Amazon
+70.232.64.0/20 Amazon
+70.232.80.0/21 Amazon
+70.232.88.0/22 Amazon
+70.232.92.0/22 Amazon
+70.232.96.0/20 Amazon
+70.232.112.0/21 Amazon
+70.232.120.0/22 Amazon
+70.232.124.0/22 Amazon
+71.131.192.0/18 Amazon
+71.132.0.0/18 Amazon
+71.137.0.0/22 Amazon
+71.137.4.0/24 Amazon
+71.137.8.0/22 Amazon
+71.152.0.0/17 Amazon
+72.21.192.0/19 Amazon
+72.41.0.0/20 Amazon
+72.44.32.0/19 Amazon
+75.2.0.0/17 Amazon
+75.101.128.0/17 Amazon
+76.223.0.0/17 Amazon
+79.125.0.0/17 Amazon
+87.238.80.0/21 Amazon
+96.127.0.0/17 Amazon
+99.77.0.0/20 Amazon
+99.77.16.0/21 Amazon
+99.77.24.0/22 Amazon
+99.77.28.0/22 Amazon
+99.77.32.0/20 Amazon
+99.77.48.0/21 Amazon
+99.77.56.0/21 Amazon
+99.77.128.0/18 Amazon
+99.77.247.0/24 Amazon
+99.77.250.0/24 Amazon
+99.77.253.0/24 Amazon
+99.77.254.0/24 Amazon
+99.78.128.0/20 Amazon
+99.78.144.0/21 Amazon
+99.78.152.0/22 Amazon
+99.78.156.0/22 Amazon
+99.78.160.0/21 Amazon
+99.78.168.0/23 Amazon
+99.78.170.0/23 Amazon
+99.78.172.0/24 Amazon
+99.78.176.0/21 Amazon
+99.78.184.0/22 Amazon
+99.78.188.0/22 Amazon
+99.78.192.0/22 Amazon
+99.78.196.0/22 Amazon
+99.78.208.0/22 Amazon
+99.78.212.0/22 Amazon
+99.78.216.0/22 Amazon
+99.78.220.0/22 Amazon
+99.78.228.0/22 Amazon
+99.78.232.0/21 Amazon
+99.78.240.0/20 Amazon
+99.79.0.0/16 Amazon
+99.80.0.0/15 Amazon
+99.82.128.0/20 Amazon
+99.82.144.0/21 Amazon
+99.82.152.0/22 Amazon
+99.82.156.0/22 Amazon
+99.82.160.0/24 Amazon
+99.82.161.0/24 Amazon
+99.82.162.0/24 Amazon
+99.82.163.0/24 Amazon
+99.82.164.0/24 Amazon
+99.82.165.0/24 Amazon
+99.82.166.0/24 Amazon
+99.82.167.0/24 Amazon
+99.82.168.0/24 Amazon
+99.82.169.0/24 Amazon
+99.82.170.0/24 Amazon
+99.82.171.0/24 Amazon
+99.82.172.0/24 Amazon
+99.82.173.0/24 Amazon
+99.82.174.0/24 Amazon
+99.82.175.0/24 Amazon
+99.82.176.0/21 Amazon
+99.82.184.0/22 Amazon
+99.82.188.0/22 Amazon
+99.83.64.0/21 Amazon
+99.83.72.0/22 Amazon
+99.83.76.0/22 Amazon
+99.83.80.0/22 Amazon
+99.83.84.0/22 Amazon
+99.83.88.0/21 Amazon
+99.83.96.0/24 Amazon
+99.83.97.0/24 Amazon
+99.83.98.0/24 Amazon
+99.83.99.0/24 Amazon
+99.83.100.0/24 Amazon
+99.83.101.0/24 Amazon
+99.83.112.0/21 Amazon
+99.83.120.0/22 Amazon
+99.83.128.0/17 Amazon
+99.84.0.0/16 Amazon
+99.86.0.0/16 Amazon
+99.87.0.0/22 Amazon
+99.87.4.0/22 Amazon
+99.87.8.0/21 Amazon
+99.87.16.0/20 Amazon
+99.87.32.0/22 Amazon
+99.150.0.0/21 Amazon
+99.150.8.0/21 Amazon
+99.150.16.0/21 Amazon
+99.150.24.0/21 Amazon
+99.150.32.0/21 Amazon
+99.150.40.0/21 Amazon
+99.150.48.0/21 Amazon
+99.150.56.0/21 Amazon
+99.150.64.0/21 Amazon
+99.150.72.0/21 Amazon
+99.150.80.0/21 Amazon
+99.150.88.0/21 Amazon
+99.150.96.0/21 Amazon
+99.150.104.0/21 Amazon
+99.150.112.0/21 Amazon
+99.150.120.0/21 Amazon
+99.151.64.0/21 Amazon
+99.151.72.0/21 Amazon
+99.151.80.0/21 Amazon
+99.151.88.0/21 Amazon
+99.151.96.0/21 Amazon
+99.151.104.0/21 Amazon
+99.151.112.0/21 Amazon
+99.151.120.0/21 Amazon
+99.151.128.0/21 Amazon
+99.151.136.0/21 Amazon
+99.151.144.0/21 Amazon
+100.20.0.0/14 Amazon
+100.24.0.0/13 Amazon
+103.4.8.0/21 Amazon
+103.8.172.0/22 Amazon
+103.246.148.0/23 Amazon
+103.246.150.0/23 Amazon
+104.255.56.11/32 Amazon
+104.255.56.12/32 Amazon
+104.255.59.81/32 Amazon
+104.255.59.82/32 Amazon
+104.255.59.83/32 Amazon
+104.255.59.85/32 Amazon
+104.255.59.86/32 Amazon
+104.255.59.87/32 Amazon
+104.255.59.88/32 Amazon
+104.255.59.91/32 Amazon
+104.255.59.101/32 Amazon
+104.255.59.102/32 Amazon
+104.255.59.103/32 Amazon
+104.255.59.104/32 Amazon
+104.255.59.105/32 Amazon
+104.255.59.106/32 Amazon
+104.255.59.114/32 Amazon
+104.255.59.115/32 Amazon
+104.255.59.118/32 Amazon
+104.255.59.119/32 Amazon
+104.255.59.122/32 Amazon
+104.255.59.130/32 Amazon
+104.255.59.131/32 Amazon
+104.255.59.132/32 Amazon
+104.255.59.133/32 Amazon
+104.255.59.134/32 Amazon
+104.255.59.135/32 Amazon
+104.255.59.136/32 Amazon
+104.255.59.137/32 Amazon
+104.255.59.138/32 Amazon
+104.255.59.139/32 Amazon
+107.20.0.0/14 Amazon
+107.176.0.0/15 Amazon
+108.128.0.0/13 Amazon
+108.136.0.0/15 Amazon
+108.138.0.0/15 Amazon
+108.156.0.0/14 Amazon
+108.166.224.0/21 Amazon
+108.166.232.0/21 Amazon
+108.166.240.0/21 Amazon
+108.166.248.0/21 Amazon
+108.175.48.0/22 Amazon
+108.175.52.0/22 Amazon
+108.175.56.0/22 Amazon
+108.175.60.0/22 Amazon
+116.129.226.0/25 Amazon
+116.129.226.128/26 Amazon
+118.193.97.64/26 Amazon
+118.193.97.128/25 Amazon
+119.147.182.0/25 Amazon
+119.147.182.128/26 Amazon
+120.52.12.64/26 Amazon
+120.52.22.96/27 Amazon
+120.52.39.128/27 Amazon
+120.52.153.192/26 Amazon
+120.232.236.0/25 Amazon
+120.232.236.128/26 Amazon
+120.253.240.192/26 Amazon
+120.253.241.160/27 Amazon
+120.253.245.128/26 Amazon
+120.253.245.192/27 Amazon
+122.248.192.0/18 Amazon
+130.176.0.0/17 Amazon
+130.176.128.0/18 Amazon
+130.176.192.0/19 Amazon
+130.176.224.0/20 Amazon
+130.176.254.0/24 Amazon
+130.176.255.0/24 Amazon
+140.179.0.0/16 Amazon
+142.4.160.0/29 Amazon
+142.4.160.8/29 Amazon
+142.4.160.16/29 Amazon
+142.4.160.24/29 Amazon
+142.4.160.32/29 Amazon
+142.4.160.40/29 Amazon
+142.4.160.48/29 Amazon
+142.4.160.56/29 Amazon
+142.4.160.64/29 Amazon
+142.4.160.72/29 Amazon
+142.4.160.80/29 Amazon
+142.4.160.88/29 Amazon
+142.4.160.96/29 Amazon
+142.4.160.104/29 Amazon
+142.4.160.112/29 Amazon
+143.204.0.0/16 Amazon
+144.220.0.0/16 Amazon
+150.222.0.16/32 Amazon
+150.222.0.17/32 Amazon
+150.222.0.18/32 Amazon
+150.222.0.19/32 Amazon
+150.222.2.0/24 Amazon
+150.222.3.176/32 Amazon
+150.222.3.177/32 Amazon
+150.222.3.178/32 Amazon
+150.222.3.179/32 Amazon
+150.222.3.180/32 Amazon
+150.222.3.181/32 Amazon
+150.222.3.182/32 Amazon
+150.222.3.183/32 Amazon
+150.222.3.184/32 Amazon
+150.222.3.185/32 Amazon
+150.222.3.186/32 Amazon
+150.222.3.187/32 Amazon
+150.222.3.188/32 Amazon
+150.222.3.189/32 Amazon
+150.222.3.190/32 Amazon
+150.222.3.191/32 Amazon
+150.222.3.192/31 Amazon
+150.222.3.194/31 Amazon
+150.222.3.196/31 Amazon
+150.222.3.198/31 Amazon
+150.222.3.200/31 Amazon
+150.222.3.202/31 Amazon
+150.222.3.204/31 Amazon
+150.222.3.206/31 Amazon
+150.222.3.208/31 Amazon
+150.222.3.210/31 Amazon
+150.222.3.212/31 Amazon
+150.222.3.214/31 Amazon
+150.222.3.216/31 Amazon
+150.222.3.218/31 Amazon
+150.222.3.220/31 Amazon
+150.222.3.222/31 Amazon
+150.222.3.224/31 Amazon
+150.222.3.226/31 Amazon
+150.222.3.228/31 Amazon
+150.222.3.230/31 Amazon
+150.222.3.232/31 Amazon
+150.222.3.234/31 Amazon
+150.222.3.236/31 Amazon
+150.222.3.238/31 Amazon
+150.222.3.240/31 Amazon
+150.222.3.242/31 Amazon
+150.222.3.244/31 Amazon
+150.222.3.246/31 Amazon
+150.222.3.248/31 Amazon
+150.222.3.250/31 Amazon
+150.222.3.252/31 Amazon
+150.222.3.254/31 Amazon
+150.222.5.0/24 Amazon
+150.222.6.0/24 Amazon
+150.222.7.0/24 Amazon
+150.222.10.0/24 Amazon
+150.222.11.0/31 Amazon
+150.222.11.74/31 Amazon
+150.222.11.76/31 Amazon
+150.222.11.78/31 Amazon
+150.222.11.80/31 Amazon
+150.222.11.84/31 Amazon
+150.222.11.86/31 Amazon
+150.222.11.88/31 Amazon
+150.222.11.90/31 Amazon
+150.222.11.92/31 Amazon
+150.222.11.94/31 Amazon
+150.222.11.96/31 Amazon
+150.222.12.0/24 Amazon
+150.222.13.0/24 Amazon
+150.222.14.72/31 Amazon
+150.222.15.124/32 Amazon
+150.222.15.125/32 Amazon
+150.222.15.126/32 Amazon
+150.222.15.127/32 Amazon
+150.222.15.128/31 Amazon
+150.222.15.130/31 Amazon
+150.222.28.17/32 Amazon
+150.222.28.18/31 Amazon
+150.222.28.104/32 Amazon
+150.222.28.105/32 Amazon
+150.222.28.106/31 Amazon
+150.222.28.108/31 Amazon
+150.222.28.110/31 Amazon
+150.222.28.112/31 Amazon
+150.222.28.114/31 Amazon
+150.222.28.116/31 Amazon
+150.222.28.118/31 Amazon
+150.222.28.120/31 Amazon
+150.222.28.122/31 Amazon
+150.222.28.124/31 Amazon
+150.222.28.126/31 Amazon
+150.222.28.128/31 Amazon
+150.222.28.130/31 Amazon
+150.222.28.132/31 Amazon
+150.222.28.134/31 Amazon
+150.222.28.136/31 Amazon
+150.222.28.138/31 Amazon
+150.222.28.140/31 Amazon
+150.222.28.142/31 Amazon
+150.222.66.0/24 Amazon
+150.222.67.0/24 Amazon
+150.222.69.0/24 Amazon
+150.222.70.0/24 Amazon
+150.222.71.0/24 Amazon
+150.222.72.0/24 Amazon
+150.222.73.0/24 Amazon
+150.222.74.0/24 Amazon
+150.222.75.0/24 Amazon
+150.222.76.0/24 Amazon
+150.222.77.0/24 Amazon
+150.222.78.0/24 Amazon
+150.222.79.0/24 Amazon
+150.222.80.0/24 Amazon
+150.222.81.0/24 Amazon
+150.222.82.0/24 Amazon
+150.222.83.0/24 Amazon
+150.222.84.0/24 Amazon
+150.222.85.0/24 Amazon
+150.222.87.0/24 Amazon
+150.222.88.0/24 Amazon
+150.222.89.0/24 Amazon
+150.222.90.0/24 Amazon
+150.222.91.0/24 Amazon
+150.222.92.0/22 Amazon
+150.222.96.0/24 Amazon
+150.222.97.0/24 Amazon
+150.222.98.0/24 Amazon
+150.222.99.0/24 Amazon
+150.222.100.0/24 Amazon
+150.222.101.0/24 Amazon
+150.222.102.0/24 Amazon
+150.222.104.0/24 Amazon
+150.222.105.0/24 Amazon
+150.222.106.0/24 Amazon
+150.222.108.0/24 Amazon
+150.222.109.0/24 Amazon
+150.222.110.0/24 Amazon
+150.222.112.0/24 Amazon
+150.222.113.0/24 Amazon
+150.222.114.0/24 Amazon
+150.222.115.0/24 Amazon
+150.222.116.0/24 Amazon
+150.222.117.0/24 Amazon
+150.222.118.0/24 Amazon
+150.222.119.0/24 Amazon
+150.222.120.20/31 Amazon
+150.222.120.62/31 Amazon
+150.222.120.224/31 Amazon
+150.222.120.226/31 Amazon
+150.222.120.228/31 Amazon
+150.222.120.230/31 Amazon
+150.222.120.232/31 Amazon
+150.222.120.234/31 Amazon
+150.222.120.240/31 Amazon
+150.222.120.242/31 Amazon
+150.222.120.244/31 Amazon
+150.222.120.246/31 Amazon
+150.222.120.248/31 Amazon
+150.222.120.250/31 Amazon
+150.222.120.252/32 Amazon
+150.222.120.255/32 Amazon
+150.222.121.0/24 Amazon
+150.222.122.92/31 Amazon
+150.222.122.94/31 Amazon
+150.222.122.96/31 Amazon
+150.222.122.98/31 Amazon
+150.222.122.100/31 Amazon
+150.222.122.102/31 Amazon
+150.222.122.104/31 Amazon
+150.222.122.106/31 Amazon
+150.222.122.108/31 Amazon
+150.222.122.110/31 Amazon
+150.222.122.112/31 Amazon
+150.222.122.114/31 Amazon
+150.222.122.116/31 Amazon
+150.222.129.19/32 Amazon
+150.222.129.20/31 Amazon
+150.222.129.62/31 Amazon
+150.222.129.64/31 Amazon
+150.222.129.66/31 Amazon
+150.222.129.69/32 Amazon
+150.222.129.110/31 Amazon
+150.222.129.112/31 Amazon
+150.222.129.114/31 Amazon
+150.222.129.116/31 Amazon
+150.222.129.118/31 Amazon
+150.222.129.120/31 Amazon
+150.222.129.122/31 Amazon
+150.222.129.124/31 Amazon
+150.222.129.126/31 Amazon
+150.222.129.128/31 Amazon
+150.222.129.130/31 Amazon
+150.222.129.132/31 Amazon
+150.222.129.134/31 Amazon
+150.222.129.136/31 Amazon
+150.222.129.138/31 Amazon
+150.222.129.140/31 Amazon
+150.222.129.142/31 Amazon
+150.222.129.144/31 Amazon
+150.222.129.146/31 Amazon
+150.222.129.152/31 Amazon
+150.222.129.154/31 Amazon
+150.222.129.156/31 Amazon
+150.222.129.158/31 Amazon
+150.222.129.240/31 Amazon
+150.222.129.242/31 Amazon
+150.222.129.244/31 Amazon
+150.222.129.246/31 Amazon
+150.222.129.248/31 Amazon
+150.222.129.250/31 Amazon
+150.222.129.252/32 Amazon
+150.222.129.255/32 Amazon
+150.222.133.0/24 Amazon
+150.222.134.0/24 Amazon
+150.222.135.0/24 Amazon
+150.222.136.0/24 Amazon
+150.222.138.0/24 Amazon
+150.222.139.116/30 Amazon
+150.222.139.120/30 Amazon
+150.222.139.124/30 Amazon
+150.222.140.0/24 Amazon
+150.222.141.0/24 Amazon
+150.222.142.0/24 Amazon
+150.222.143.0/24 Amazon
+150.222.164.208/31 Amazon
+150.222.164.210/32 Amazon
+150.222.164.211/32 Amazon
+150.222.164.220/31 Amazon
+150.222.164.222/32 Amazon
+150.222.176.0/22 Amazon
+150.222.180.0/24 Amazon
+150.222.196.0/24 Amazon
+150.222.199.0/25 Amazon
+150.222.202.0/24 Amazon
+150.222.203.0/24 Amazon
+150.222.204.0/24 Amazon
+150.222.205.0/24 Amazon
+150.222.206.0/24 Amazon
+150.222.207.0/24 Amazon
+150.222.208.64/32 Amazon
+150.222.208.65/32 Amazon
+150.222.208.66/31 Amazon
+150.222.208.68/31 Amazon
+150.222.208.70/31 Amazon
+150.222.208.72/31 Amazon
+150.222.208.74/31 Amazon
+150.222.208.76/31 Amazon
+150.222.208.78/31 Amazon
+150.222.208.80/31 Amazon
+150.222.208.82/31 Amazon
+150.222.208.84/31 Amazon
+150.222.208.86/31 Amazon
+150.222.208.88/31 Amazon
+150.222.208.90/31 Amazon
+150.222.208.92/31 Amazon
+150.222.208.94/31 Amazon
+150.222.208.96/31 Amazon
+150.222.210.0/24 Amazon
+150.222.212.0/24 Amazon
+150.222.213.40/32 Amazon
+150.222.213.41/32 Amazon
+150.222.214.0/24 Amazon
+150.222.215.0/24 Amazon
+150.222.217.17/32 Amazon
+150.222.217.226/31 Amazon
+150.222.217.228/30 Amazon
+150.222.217.232/31 Amazon
+150.222.217.234/31 Amazon
+150.222.217.248/31 Amazon
+150.222.217.250/31 Amazon
+150.222.218.0/24 Amazon
+150.222.219.0/24 Amazon
+150.222.220.0/24 Amazon
+150.222.221.0/24 Amazon
+150.222.222.0/24 Amazon
+150.222.223.0/24 Amazon
+150.222.224.0/24 Amazon
+150.222.226.0/24 Amazon
+150.222.227.0/24 Amazon
+150.222.228.0/24 Amazon
+150.222.229.0/24 Amazon
+150.222.230.92/32 Amazon
+150.222.230.93/32 Amazon
+150.222.230.94/31 Amazon
+150.222.230.96/31 Amazon
+150.222.230.98/31 Amazon
+150.222.230.100/31 Amazon
+150.222.230.102/31 Amazon
+150.222.230.104/31 Amazon
+150.222.230.106/31 Amazon
+150.222.230.108/31 Amazon
+150.222.230.110/31 Amazon
+150.222.230.112/31 Amazon
+150.222.230.114/31 Amazon
+150.222.230.116/31 Amazon
+150.222.230.118/31 Amazon
+150.222.230.120/31 Amazon
+150.222.230.122/31 Amazon
+150.222.230.124/31 Amazon
+150.222.231.0/24 Amazon
+150.222.232.51/32 Amazon
+150.222.232.88/32 Amazon
+150.222.232.94/31 Amazon
+150.222.232.96/28 Amazon
+150.222.232.112/31 Amazon
+150.222.232.114/31 Amazon
+150.222.232.116/31 Amazon
+150.222.232.118/31 Amazon
+150.222.232.120/31 Amazon
+150.222.233.0/24 Amazon
+150.222.234.0/32 Amazon
+150.222.234.1/32 Amazon
+150.222.234.2/32 Amazon
+150.222.234.3/32 Amazon
+150.222.234.4/32 Amazon
+150.222.234.5/32 Amazon
+150.222.234.6/31 Amazon
+150.222.234.8/31 Amazon
+150.222.234.10/31 Amazon
+150.222.234.12/31 Amazon
+150.222.234.14/31 Amazon
+150.222.234.16/31 Amazon
+150.222.234.18/31 Amazon
+150.222.234.20/31 Amazon
+150.222.234.22/31 Amazon
+150.222.234.24/31 Amazon
+150.222.234.26/31 Amazon
+150.222.234.28/31 Amazon
+150.222.234.30/31 Amazon
+150.222.234.32/31 Amazon
+150.222.234.34/31 Amazon
+150.222.234.36/31 Amazon
+150.222.234.38/31 Amazon
+150.222.234.40/31 Amazon
+150.222.234.42/31 Amazon
+150.222.234.44/31 Amazon
+150.222.234.46/31 Amazon
+150.222.234.48/31 Amazon
+150.222.234.50/31 Amazon
+150.222.234.52/31 Amazon
+150.222.234.54/31 Amazon
+150.222.234.56/31 Amazon
+150.222.234.58/31 Amazon
+150.222.234.60/31 Amazon
+150.222.234.62/31 Amazon
+150.222.234.64/31 Amazon
+150.222.234.66/31 Amazon
+150.222.234.68/31 Amazon
+150.222.234.70/31 Amazon
+150.222.234.72/31 Amazon
+150.222.234.74/31 Amazon
+150.222.234.76/31 Amazon
+150.222.234.78/31 Amazon
+150.222.234.80/31 Amazon
+150.222.234.82/31 Amazon
+150.222.234.84/31 Amazon
+150.222.234.86/31 Amazon
+150.222.234.96/31 Amazon
+150.222.234.98/31 Amazon
+150.222.234.100/31 Amazon
+150.222.234.102/32 Amazon
+150.222.234.103/32 Amazon
+150.222.234.104/31 Amazon
+150.222.234.106/31 Amazon
+150.222.234.108/31 Amazon
+150.222.234.110/31 Amazon
+150.222.234.112/31 Amazon
+150.222.234.114/31 Amazon
+150.222.234.116/31 Amazon
+150.222.234.118/31 Amazon
+150.222.234.120/31 Amazon
+150.222.234.122/31 Amazon
+150.222.234.124/31 Amazon
+150.222.234.126/31 Amazon
+150.222.234.128/31 Amazon
+150.222.234.130/31 Amazon
+150.222.234.132/31 Amazon
+150.222.234.134/31 Amazon
+150.222.234.136/31 Amazon
+150.222.234.138/31 Amazon
+150.222.234.140/31 Amazon
+150.222.234.142/31 Amazon
+150.222.235.0/24 Amazon
+150.222.236.0/24 Amazon
+150.222.237.0/24 Amazon
+150.222.239.0/24 Amazon
+150.222.240.131/32 Amazon
+150.222.240.135/32 Amazon
+150.222.240.137/32 Amazon
+150.222.240.161/32 Amazon
+150.222.240.207/32 Amazon
+150.222.240.237/32 Amazon
+150.222.240.245/32 Amazon
+150.222.240.247/32 Amazon
+150.222.240.249/32 Amazon
+150.222.240.251/32 Amazon
+150.222.242.84/31 Amazon
+150.222.242.97/32 Amazon
+150.222.242.99/32 Amazon
+150.222.242.214/31 Amazon
+150.222.242.227/32 Amazon
+150.222.242.229/32 Amazon
+150.222.242.231/32 Amazon
+150.222.242.233/32 Amazon
+150.222.243.9/32 Amazon
+150.222.243.11/32 Amazon
+150.222.243.13/32 Amazon
+150.222.243.15/32 Amazon
+150.222.243.17/32 Amazon
+150.222.243.19/32 Amazon
+150.222.243.33/32 Amazon
+150.222.243.35/32 Amazon
+150.222.243.37/32 Amazon
+150.222.243.39/32 Amazon
+150.222.243.41/32 Amazon
+150.222.243.43/32 Amazon
+150.222.243.45/32 Amazon
+150.222.243.47/32 Amazon
+150.222.243.51/32 Amazon
+150.222.243.53/32 Amazon
+150.222.243.55/32 Amazon
+150.222.243.57/32 Amazon
+150.222.243.59/32 Amazon
+150.222.243.177/32 Amazon
+150.222.244.35/32 Amazon
+150.222.244.37/32 Amazon
+150.222.245.122/31 Amazon
+150.222.252.244/31 Amazon
+150.222.252.246/31 Amazon
+150.222.252.248/31 Amazon
+150.222.252.250/31 Amazon
+157.175.0.0/16 Amazon
+157.241.0.0/16 Amazon
+160.1.0.0/16 Amazon
+161.188.128.0/23 Amazon
+161.188.130.0/23 Amazon
+161.188.132.0/23 Amazon
+161.188.134.0/23 Amazon
+161.188.136.0/23 Amazon
+161.188.138.0/23 Amazon
+161.188.140.0/23 Amazon
+161.188.142.0/23 Amazon
+161.188.144.0/23 Amazon
+161.188.146.0/23 Amazon
+161.188.148.0/23 Amazon
+161.188.150.0/23 Amazon
+161.188.152.0/23 Amazon
+161.188.154.0/23 Amazon
+161.188.156.0/23 Amazon
+161.188.158.0/23 Amazon
+161.188.160.0/23 Amazon
+161.189.0.0/16 Amazon
+162.213.232.0/24 Amazon
+162.213.233.0/24 Amazon
+162.213.234.0/23 Amazon
+162.222.148.0/22 Amazon
+162.250.236.0/24 Amazon
+162.250.237.0/24 Amazon
+162.250.238.0/23 Amazon
+172.96.97.0/24 Amazon
+172.96.98.0/24 Amazon
+172.96.110.0/24 Amazon
+174.129.0.0/16 Amazon
+175.41.128.0/18 Amazon
+175.41.192.0/18 Amazon
+176.32.64.0/19 Amazon
+176.32.96.0/21 Amazon
+176.32.104.0/21 Amazon
+176.32.112.0/21 Amazon
+176.32.120.0/22 Amazon
+176.32.124.128/25 Amazon
+176.32.125.0/25 Amazon
+176.32.125.128/26 Amazon
+176.32.125.192/27 Amazon
+176.32.125.224/31 Amazon
+176.32.125.226/31 Amazon
+176.32.125.228/31 Amazon
+176.32.125.230/31 Amazon
+176.32.125.232/31 Amazon
+176.32.125.234/31 Amazon
+176.32.125.236/31 Amazon
+176.32.125.238/31 Amazon
+176.32.125.240/31 Amazon
+176.32.125.242/31 Amazon
+176.32.125.244/31 Amazon
+176.32.125.246/31 Amazon
+176.32.125.248/31 Amazon
+176.32.125.250/31 Amazon
+176.32.125.252/31 Amazon
+176.32.125.254/31 Amazon
+176.34.0.0/19 Amazon
+176.34.32.0/19 Amazon
+176.34.64.0/18 Amazon
+176.34.128.0/17 Amazon
+177.71.128.0/17 Amazon
+177.72.240.0/21 Amazon
+178.236.0.0/20 Amazon
+180.163.57.0/25 Amazon
+180.163.57.128/26 Amazon
+184.72.0.0/18 Amazon
+184.72.64.0/18 Amazon
+184.72.128.0/17 Amazon
+184.73.0.0/16 Amazon
+184.169.128.0/17 Amazon
+185.48.120.0/22 Amazon
+185.143.16.0/24 Amazon
+195.17.0.0/24 Amazon
+198.99.2.0/24 Amazon
+199.127.232.0/22 Amazon
+203.83.220.0/22 Amazon
+204.45.0.0/16 Amazon
+204.236.128.0/18 Amazon
+204.236.192.0/18 Amazon
+204.246.160.0/22 Amazon
+204.246.164.0/22 Amazon
+204.246.168.0/22 Amazon
+204.246.172.0/24 Amazon
+204.246.173.0/24 Amazon
+204.246.174.0/23 Amazon
+204.246.176.0/20 Amazon
+205.251.192.0/21 Amazon
+205.251.200.0/21 Amazon
+205.251.208.0/20 Amazon
+205.251.224.0/22 Amazon
+205.251.228.0/22 Amazon
+205.251.232.0/22 Amazon
+205.251.236.0/22 Amazon
+205.251.240.0/22 Amazon
+205.251.244.0/23 Amazon
+205.251.246.0/24 Amazon
+205.251.247.0/24 Amazon
+205.251.248.0/24 Amazon
+205.251.249.0/24 Amazon
+205.251.250.0/23 Amazon
+205.251.252.0/23 Amazon
+205.251.254.0/24 Amazon
+207.171.160.0/20 Amazon
+207.171.176.0/20 Amazon
+208.86.88.0/23 Amazon
+208.86.90.0/23 Amazon
+208.110.48.0/20 Amazon
+209.54.176.0/21 Amazon
+209.54.184.0/21 Amazon
+216.137.32.0/19 Amazon
+216.182.224.0/21 Amazon
+216.182.232.0/22 Amazon
+216.182.236.0/23 Amazon
+216.182.238.0/23 Amazon
+223.71.11.0/27 Amazon
+223.71.71.96/27 Amazon
+223.71.71.128/25 Amazon
+
+
+# Digital Ocean
+# from https://docs.digitalocean.com/products/platform/
+# last update Sept 2022
+5.101.96.0/21 Digital Ocean
+5.101.104.0/22 Digital Ocean
+24.199.64.0/22 Digital Ocean
+24.199.68.0/22 Digital Ocean
+37.139.0.0/19 Digital Ocean
+45.55.0.0/19 Digital Ocean
+45.55.32.0/19 Digital Ocean
+45.55.64.0/19 Digital Ocean
+45.55.96.0/22 Digital Ocean
+45.55.100.0/22 Digital Ocean
+45.55.104.0/22 Digital Ocean
+45.55.108.0/22 Digital Ocean
+45.55.112.0/22 Digital Ocean
+45.55.116.0/22 Digital Ocean
+45.55.120.0/22 Digital Ocean
+45.55.124.0/22 Digital Ocean
+45.55.128.0/18 Digital Ocean
+45.55.192.0/18 Digital Ocean
+46.101.0.0/18 Digital Ocean
+46.101.64.0/22 Digital Ocean
+46.101.68.0/22 Digital Ocean
+46.101.72.0/21 Digital Ocean
+46.101.80.0/20 Digital Ocean
+46.101.96.0/20 Digital Ocean
+46.101.112.0/20 Digital Ocean
+46.101.124.0/22 Digital Ocean
+46.101.128.0/18 Digital Ocean
+46.101.192.0/18 Digital Ocean
+64.225.0.0/20 Digital Ocean
+64.225.16.0/20 Digital Ocean
+64.225.32.0/20 Digital Ocean
+64.225.48.0/20 Digital Ocean
+64.225.64.0/20 Digital Ocean
+64.225.80.0/22 Digital Ocean
+64.225.84.0/22 Digital Ocean
+64.225.88.0/22 Digital Ocean
+64.225.92.0/22 Digital Ocean
+64.225.96.0/20 Digital Ocean
+64.225.112.0/20 Digital Ocean
+64.227.0.0/20 Digital Ocean
+64.227.16.0/20 Digital Ocean
+64.227.32.0/20 Digital Ocean
+64.227.48.0/20 Digital Ocean
+64.227.64.0/20 Digital Ocean
+64.227.80.0/20 Digital Ocean
+64.227.96.0/20 Digital Ocean
+64.227.112.0/20 Digital Ocean
+64.227.128.0/19 Digital Ocean
+64.227.160.0/20 Digital Ocean
+64.227.176.0/20 Digital Ocean
+67.205.128.0/20 Digital Ocean
+67.205.144.0/20 Digital Ocean
+67.205.160.0/20 Digital Ocean
+67.205.176.0/20 Digital Ocean
+67.207.68.0/22 Digital Ocean
+67.207.72.0/22 Digital Ocean
+67.207.76.0/22 Digital Ocean
+67.207.80.0/20 Digital Ocean
+68.183.0.0/20 Digital Ocean
+68.183.16.0/20 Digital Ocean
+68.183.32.0/20 Digital Ocean
+68.183.48.0/20 Digital Ocean
+68.183.64.0/20 Digital Ocean
+68.183.80.0/20 Digital Ocean
+68.183.96.0/20 Digital Ocean
+68.183.112.0/20 Digital Ocean
+68.183.128.0/20 Digital Ocean
+68.183.144.0/20 Digital Ocean
+68.183.160.0/20 Digital Ocean
+68.183.176.0/20 Digital Ocean
+68.183.192.0/20 Digital Ocean
+68.183.208.0/20 Digital Ocean
+68.183.224.0/20 Digital Ocean
+68.183.240.0/22 Digital Ocean
+68.183.244.0/22 Digital Ocean
+68.183.248.0/22 Digital Ocean
+68.183.252.0/22 Digital Ocean
+69.55.49.0/24 Digital Ocean
+69.55.54.0/24 Digital Ocean
+69.55.55.0/24 Digital Ocean
+69.55.59.64/26 Digital Ocean
+69.55.59.128/26 Digital Ocean
+69.55.59.192/27 Digital Ocean
+69.55.60.96/27 Digital Ocean
+69.55.60.128/26 Digital Ocean
+69.55.61.64/26 Digital Ocean
+69.55.62.0/26 Digital Ocean
+80.240.128.0/20 Digital Ocean
+82.196.0.0/20 Digital Ocean
+95.85.1.0/24 Digital Ocean
+95.85.2.0/24 Digital Ocean
+95.85.3.0/24 Digital Ocean
+95.85.4.0/24 Digital Ocean
+95.85.5.0/24 Digital Ocean
+95.85.6.0/24 Digital Ocean
+95.85.7.0/24 Digital Ocean
+95.85.8.0/24 Digital Ocean
+95.85.9.0/24 Digital Ocean
+95.85.10.0/24 Digital Ocean
+95.85.11.0/24 Digital Ocean
+95.85.12.0/24 Digital Ocean
+95.85.13.0/24 Digital Ocean
+95.85.14.0/24 Digital Ocean
+95.85.15.0/24 Digital Ocean
+95.85.16.0/24 Digital Ocean
+95.85.17.0/24 Digital Ocean
+95.85.18.0/24 Digital Ocean
+95.85.19.0/24 Digital Ocean
+95.85.20.0/24 Digital Ocean
+95.85.21.0/24 Digital Ocean
+95.85.22.0/24 Digital Ocean
+95.85.23.0/24 Digital Ocean
+95.85.24.0/24 Digital Ocean
+95.85.25.0/24 Digital Ocean
+95.85.26.0/24 Digital Ocean
+95.85.27.0/24 Digital Ocean
+95.85.28.0/24 Digital Ocean
+95.85.29.0/24 Digital Ocean
+95.85.30.0/24 Digital Ocean
+95.85.31.0/24 Digital Ocean
+95.85.32.0/24 Digital Ocean
+95.85.33.0/24 Digital Ocean
+95.85.34.0/24 Digital Ocean
+95.85.35.0/24 Digital Ocean
+95.85.36.0/24 Digital Ocean
+95.85.37.0/24 Digital Ocean
+95.85.38.0/24 Digital Ocean
+95.85.39.0/24 Digital Ocean
+95.85.40.0/24 Digital Ocean
+95.85.41.0/24 Digital Ocean
+95.85.42.0/24 Digital Ocean
+95.85.43.0/24 Digital Ocean
+95.85.44.0/24 Digital Ocean
+95.85.45.0/24 Digital Ocean
+95.85.46.0/24 Digital Ocean
+95.85.47.0/24 Digital Ocean
+95.85.48.0/24 Digital Ocean
+95.85.49.0/24 Digital Ocean
+95.85.50.0/24 Digital Ocean
+95.85.51.0/24 Digital Ocean
+95.85.52.0/24 Digital Ocean
+95.85.53.0/24 Digital Ocean
+95.85.54.0/24 Digital Ocean
+95.85.55.0/24 Digital Ocean
+95.85.56.0/24 Digital Ocean
+95.85.57.0/24 Digital Ocean
+95.85.58.0/24 Digital Ocean
+95.85.59.0/24 Digital Ocean
+95.85.60.0/24 Digital Ocean
+95.85.61.0/24 Digital Ocean
+95.85.62.0/24 Digital Ocean
+95.85.63.0/24 Digital Ocean
+103.253.145.0/24 Digital Ocean
+103.253.146.0/24 Digital Ocean
+103.253.147.0/24 Digital Ocean
+104.131.0.0/18 Digital Ocean
+104.131.64.0/18 Digital Ocean
+104.131.128.0/20 Digital Ocean
+104.131.144.0/20 Digital Ocean
+104.131.160.0/20 Digital Ocean
+104.131.176.0/20 Digital Ocean
+104.131.192.0/19 Digital Ocean
+104.131.224.0/19 Digital Ocean
+104.236.0.0/18 Digital Ocean
+104.236.64.0/18 Digital Ocean
+104.236.128.0/18 Digital Ocean
+104.236.192.0/18 Digital Ocean
+104.248.0.0/20 Digital Ocean
+104.248.16.0/20 Digital Ocean
+104.248.32.0/20 Digital Ocean
+104.248.48.0/20 Digital Ocean
+104.248.64.0/20 Digital Ocean
+104.248.80.0/20 Digital Ocean
+104.248.96.0/22 Digital Ocean
+104.248.100.0/22 Digital Ocean
+104.248.104.0/22 Digital Ocean
+104.248.108.0/22 Digital Ocean
+104.248.112.0/20 Digital Ocean
+104.248.128.0/20 Digital Ocean
+104.248.144.0/20 Digital Ocean
+104.248.160.0/20 Digital Ocean
+104.248.176.0/20 Digital Ocean
+104.248.192.0/20 Digital Ocean
+104.248.208.0/20 Digital Ocean
+104.248.224.0/20 Digital Ocean
+104.248.240.0/20 Digital Ocean
+107.170.0.0/18 Digital Ocean
+107.170.64.0/20 Digital Ocean
+107.170.80.0/20 Digital Ocean
+107.170.96.0/20 Digital Ocean
+107.170.112.0/20 Digital Ocean
+107.170.128.0/19 Digital Ocean
+107.170.160.0/19 Digital Ocean
+107.170.192.0/20 Digital Ocean
+107.170.208.0/20 Digital Ocean
+107.170.224.0/24 Digital Ocean
+107.170.225.0/24 Digital Ocean
+107.170.226.0/24 Digital Ocean
+107.170.227.0/24 Digital Ocean
+107.170.228.0/24 Digital Ocean
+107.170.229.0/24 Digital Ocean
+107.170.230.0/24 Digital Ocean
+107.170.231.0/24 Digital Ocean
+107.170.232.0/24 Digital Ocean
+107.170.233.0/24 Digital Ocean
+107.170.234.0/24 Digital Ocean
+107.170.235.0/24 Digital Ocean
+107.170.236.0/24 Digital Ocean
+107.170.237.0/24 Digital Ocean
+107.170.238.0/24 Digital Ocean
+107.170.239.0/24 Digital Ocean
+107.170.240.0/24 Digital Ocean
+107.170.241.0/24 Digital Ocean
+107.170.242.0/24 Digital Ocean
+107.170.243.0/24 Digital Ocean
+107.170.244.0/24 Digital Ocean
+107.170.245.0/24 Digital Ocean
+107.170.246.0/24 Digital Ocean
+107.170.247.0/24 Digital Ocean
+107.170.248.0/24 Digital Ocean
+107.170.249.0/24 Digital Ocean
+107.170.250.0/24 Digital Ocean
+107.170.251.0/24 Digital Ocean
+107.170.252.0/24 Digital Ocean
+107.170.253.0/24 Digital Ocean
+107.170.254.0/24 Digital Ocean
+107.170.255.0/24 Digital Ocean
+128.199.0.0/20 Digital Ocean
+128.199.16.0/20 Digital Ocean
+128.199.32.0/19 Digital Ocean
+128.199.64.0/18 Digital Ocean
+128.199.128.0/18 Digital Ocean
+128.199.192.0/18 Digital Ocean
+134.122.0.0/20 Digital Ocean
+134.122.16.0/20 Digital Ocean
+134.122.32.0/20 Digital Ocean
+134.122.48.0/20 Digital Ocean
+134.122.64.0/20 Digital Ocean
+134.122.80.0/20 Digital Ocean
+134.122.96.0/20 Digital Ocean
+134.122.112.0/20 Digital Ocean
+134.209.0.0/20 Digital Ocean
+134.209.16.0/20 Digital Ocean
+134.209.32.0/20 Digital Ocean
+134.209.48.0/20 Digital Ocean
+134.209.64.0/20 Digital Ocean
+134.209.80.0/20 Digital Ocean
+134.209.96.0/20 Digital Ocean
+134.209.112.0/20 Digital Ocean
+134.209.128.0/22 Digital Ocean
+134.209.132.0/22 Digital Ocean
+134.209.136.0/22 Digital Ocean
+134.209.140.0/22 Digital Ocean
+134.209.144.0/20 Digital Ocean
+134.209.160.0/20 Digital Ocean
+134.209.176.0/20 Digital Ocean
+134.209.192.0/20 Digital Ocean
+134.209.208.0/20 Digital Ocean
+134.209.224.0/20 Digital Ocean
+134.209.240.0/20 Digital Ocean
+137.184.0.0/20 Digital Ocean
+137.184.16.0/20 Digital Ocean
+137.184.32.0/20 Digital Ocean
+137.184.48.0/20 Digital Ocean
+137.184.64.0/20 Digital Ocean
+137.184.80.0/20 Digital Ocean
+137.184.96.0/20 Digital Ocean
+137.184.112.0/20 Digital Ocean
+137.184.128.0/20 Digital Ocean
+137.184.144.0/20 Digital Ocean
+137.184.160.0/20 Digital Ocean
+137.184.176.0/20 Digital Ocean
+137.184.192.0/20 Digital Ocean
+137.184.208.0/20 Digital Ocean
+137.184.224.0/20 Digital Ocean
+137.184.240.0/22 Digital Ocean
+137.184.244.0/22 Digital Ocean
+137.184.248.0/22 Digital Ocean
+137.184.254.0/24 Digital Ocean
+138.68.0.0/20 Digital Ocean
+138.68.16.0/20 Digital Ocean
+138.68.36.0/22 Digital Ocean
+138.68.40.0/21 Digital Ocean
+138.68.48.0/20 Digital Ocean
+138.68.64.0/20 Digital Ocean
+138.68.80.0/20 Digital Ocean
+138.68.96.0/20 Digital Ocean
+138.68.112.0/22 Digital Ocean
+138.68.116.0/22 Digital Ocean
+138.68.120.0/23 Digital Ocean
+138.68.122.0/23 Digital Ocean
+138.68.124.0/22 Digital Ocean
+138.68.128.0/20 Digital Ocean
+138.68.144.0/20 Digital Ocean
+138.68.160.0/20 Digital Ocean
+138.68.176.0/20 Digital Ocean
+138.68.192.0/22 Digital Ocean
+138.68.196.0/22 Digital Ocean
+138.68.200.0/22 Digital Ocean
+138.68.204.0/22 Digital Ocean
+138.68.208.0/20 Digital Ocean
+138.68.224.0/20 Digital Ocean
+138.68.240.0/20 Digital Ocean
+138.197.0.0/20 Digital Ocean
+138.197.16.0/20 Digital Ocean
+138.197.32.0/20 Digital Ocean
+138.197.48.0/22 Digital Ocean
+138.197.52.0/22 Digital Ocean
+138.197.56.0/22 Digital Ocean
+138.197.60.0/22 Digital Ocean
+138.197.64.0/20 Digital Ocean
+138.197.80.0/20 Digital Ocean
+138.197.96.0/20 Digital Ocean
+138.197.112.0/20 Digital Ocean
+138.197.128.0/20 Digital Ocean
+138.197.144.0/20 Digital Ocean
+138.197.160.0/20 Digital Ocean
+138.197.176.0/20 Digital Ocean
+138.197.192.0/20 Digital Ocean
+138.197.208.0/20 Digital Ocean
+138.197.224.0/22 Digital Ocean
+138.197.228.0/22 Digital Ocean
+138.197.232.0/22 Digital Ocean
+138.197.236.0/22 Digital Ocean
+138.197.240.0/22 Digital Ocean
+138.197.252.0/22 Digital Ocean
+139.59.0.0/20 Digital Ocean
+139.59.16.0/20 Digital Ocean
+139.59.32.0/20 Digital Ocean
+139.59.48.0/22 Digital Ocean
+139.59.52.0/22 Digital Ocean
+139.59.56.0/21 Digital Ocean
+139.59.64.0/20 Digital Ocean
+139.59.80.0/20 Digital Ocean
+139.59.96.0/20 Digital Ocean
+139.59.112.0/20 Digital Ocean
+139.59.128.0/20 Digital Ocean
+139.59.144.0/20 Digital Ocean
+139.59.160.0/20 Digital Ocean
+139.59.176.0/20 Digital Ocean
+139.59.192.0/22 Digital Ocean
+139.59.196.0/22 Digital Ocean
+139.59.200.0/22 Digital Ocean
+139.59.204.0/22 Digital Ocean
+139.59.208.0/21 Digital Ocean
+139.59.216.0/22 Digital Ocean
+139.59.220.0/22 Digital Ocean
+139.59.224.0/20 Digital Ocean
+139.59.240.0/20 Digital Ocean
+141.0.169.0/24 Digital Ocean
+141.0.170.0/24 Digital Ocean
+142.93.0.0/20 Digital Ocean
+142.93.16.0/20 Digital Ocean
+142.93.32.0/20 Digital Ocean
+142.93.48.0/20 Digital Ocean
+142.93.64.0/20 Digital Ocean
+142.93.80.0/20 Digital Ocean
+142.93.96.0/20 Digital Ocean
+142.93.112.0/20 Digital Ocean
+142.93.128.0/20 Digital Ocean
+142.93.144.0/20 Digital Ocean
+142.93.160.0/20 Digital Ocean
+142.93.176.0/20 Digital Ocean
+142.93.192.0/20 Digital Ocean
+142.93.208.0/20 Digital Ocean
+142.93.224.0/20 Digital Ocean
+142.93.240.0/20 Digital Ocean
+143.110.128.0/20 Digital Ocean
+143.110.144.0/20 Digital Ocean
+143.110.160.0/20 Digital Ocean
+143.110.176.0/20 Digital Ocean
+143.110.192.0/20 Digital Ocean
+143.110.208.0/20 Digital Ocean
+143.110.224.0/20 Digital Ocean
+143.110.240.0/20 Digital Ocean
+143.198.0.0/20 Digital Ocean
+143.198.16.0/20 Digital Ocean
+143.198.32.0/20 Digital Ocean
+143.198.48.0/20 Digital Ocean
+143.198.64.0/20 Digital Ocean
+143.198.80.0/20 Digital Ocean
+143.198.96.0/20 Digital Ocean
+143.198.112.0/20 Digital Ocean
+143.198.128.0/20 Digital Ocean
+143.198.144.0/20 Digital Ocean
+143.198.160.0/20 Digital Ocean
+143.198.176.0/20 Digital Ocean
+143.198.192.0/20 Digital Ocean
+143.198.208.0/20 Digital Ocean
+143.198.224.0/20 Digital Ocean
+143.198.240.0/22 Digital Ocean
+143.198.244.0/22 Digital Ocean
+143.198.248.0/22 Digital Ocean
+143.244.128.0/20 Digital Ocean
+143.244.144.0/20 Digital Ocean
+143.244.160.0/20 Digital Ocean
+143.244.176.0/20 Digital Ocean
+143.244.196.0/22 Digital Ocean
+143.244.200.0/22 Digital Ocean
+143.244.204.0/22 Digital Ocean
+143.244.208.0/22 Digital Ocean
+143.244.212.0/22 Digital Ocean
+143.244.218.0/24 Digital Ocean
+143.244.220.0/22 Digital Ocean
+144.126.192.0/20 Digital Ocean
+144.126.208.0/20 Digital Ocean
+144.126.224.0/20 Digital Ocean
+144.126.240.0/22 Digital Ocean
+144.126.244.0/22 Digital Ocean
+144.126.248.0/22 Digital Ocean
+144.126.252.0/22 Digital Ocean
+146.185.128.0/24 Digital Ocean
+146.185.129.0/24 Digital Ocean
+146.185.130.0/24 Digital Ocean
+146.185.131.0/24 Digital Ocean
+146.185.132.0/24 Digital Ocean
+146.185.133.0/24 Digital Ocean
+146.185.134.0/24 Digital Ocean
+146.185.135.0/24 Digital Ocean
+146.185.136.0/24 Digital Ocean
+146.185.137.0/24 Digital Ocean
+146.185.138.0/24 Digital Ocean
+146.185.139.0/24 Digital Ocean
+146.185.140.0/24 Digital Ocean
+146.185.141.0/24 Digital Ocean
+146.185.142.0/24 Digital Ocean
+146.185.143.0/24 Digital Ocean
+146.185.144.0/24 Digital Ocean
+146.185.145.0/24 Digital Ocean
+146.185.146.0/24 Digital Ocean
+146.185.147.0/24 Digital Ocean
+146.185.148.0/24 Digital Ocean
+146.185.149.0/24 Digital Ocean
+146.185.150.0/24 Digital Ocean
+146.185.151.0/24 Digital Ocean
+146.185.152.0/24 Digital Ocean
+146.185.153.0/24 Digital Ocean
+146.185.154.0/24 Digital Ocean
+146.185.155.0/24 Digital Ocean
+146.185.156.0/24 Digital Ocean
+146.185.157.0/24 Digital Ocean
+146.185.158.0/24 Digital Ocean
+146.185.159.0/24 Digital Ocean
+146.185.160.0/24 Digital Ocean
+146.185.161.0/24 Digital Ocean
+146.185.162.0/24 Digital Ocean
+146.185.163.0/24 Digital Ocean
+146.185.164.0/24 Digital Ocean
+146.185.165.0/24 Digital Ocean
+146.185.166.0/24 Digital Ocean
+146.185.167.0/24 Digital Ocean
+146.185.168.0/24 Digital Ocean
+146.185.169.0/24 Digital Ocean
+146.185.170.0/24 Digital Ocean
+146.185.171.0/24 Digital Ocean
+146.185.172.0/24 Digital Ocean
+146.185.173.0/24 Digital Ocean
+146.185.174.0/24 Digital Ocean
+146.185.175.0/24 Digital Ocean
+146.185.176.0/24 Digital Ocean
+146.185.177.0/24 Digital Ocean
+146.185.178.0/24 Digital Ocean
+146.185.179.0/24 Digital Ocean
+146.185.180.0/24 Digital Ocean
+146.185.181.0/24 Digital Ocean
+146.185.182.0/24 Digital Ocean
+146.185.183.0/24 Digital Ocean
+146.185.184.0/21 Digital Ocean
+146.190.0.0/22 Digital Ocean
+146.190.4.0/22 Digital Ocean
+146.190.8.0/22 Digital Ocean
+146.190.12.0/22 Digital Ocean
+146.190.16.0/20 Digital Ocean
+146.190.32.0/19 Digital Ocean
+146.190.192.0/22 Digital Ocean
+146.190.224.0/20 Digital Ocean
+146.190.240.0/20 Digital Ocean
+147.182.128.0/20 Digital Ocean
+147.182.144.0/20 Digital Ocean
+147.182.160.0/20 Digital Ocean
+147.182.176.0/20 Digital Ocean
+147.182.192.0/20 Digital Ocean
+147.182.208.0/20 Digital Ocean
+147.182.224.0/20 Digital Ocean
+147.182.240.0/20 Digital Ocean
+157.230.0.0/20 Digital Ocean
+157.230.16.0/20 Digital Ocean
+157.230.32.0/20 Digital Ocean
+157.230.48.0/20 Digital Ocean
+157.230.64.0/22 Digital Ocean
+157.230.68.0/22 Digital Ocean
+157.230.72.0/22 Digital Ocean
+157.230.76.0/22 Digital Ocean
+157.230.80.0/20 Digital Ocean
+157.230.96.0/20 Digital Ocean
+157.230.112.0/20 Digital Ocean
+157.230.128.0/20 Digital Ocean
+157.230.144.0/20 Digital Ocean
+157.230.160.0/20 Digital Ocean
+157.230.176.0/20 Digital Ocean
+157.230.192.0/22 Digital Ocean
+157.230.196.0/22 Digital Ocean
+157.230.200.0/22 Digital Ocean
+157.230.204.0/22 Digital Ocean
+157.230.208.0/20 Digital Ocean
+157.230.224.0/20 Digital Ocean
+157.230.240.0/20 Digital Ocean
+157.245.0.0/20 Digital Ocean
+157.245.16.0/22 Digital Ocean
+157.245.20.0/22 Digital Ocean
+157.245.24.0/22 Digital Ocean
+157.245.28.0/22 Digital Ocean
+157.245.32.0/20 Digital Ocean
+157.245.48.0/20 Digital Ocean
+157.245.64.0/20 Digital Ocean
+157.245.80.0/20 Digital Ocean
+157.245.96.0/20 Digital Ocean
+157.245.112.0/20 Digital Ocean
+157.245.128.0/20 Digital Ocean
+157.245.144.0/20 Digital Ocean
+157.245.160.0/20 Digital Ocean
+157.245.176.0/20 Digital Ocean
+157.245.192.0/20 Digital Ocean
+157.245.208.0/20 Digital Ocean
+157.245.224.0/20 Digital Ocean
+157.245.240.0/20 Digital Ocean
+159.65.0.0/20 Digital Ocean
+159.65.16.0/20 Digital Ocean
+159.65.32.0/20 Digital Ocean
+159.65.48.0/20 Digital Ocean
+159.65.64.0/20 Digital Ocean
+159.65.80.0/20 Digital Ocean
+159.65.96.0/20 Digital Ocean
+159.65.112.0/20 Digital Ocean
+159.65.128.0/20 Digital Ocean
+159.65.144.0/20 Digital Ocean
+159.65.160.0/20 Digital Ocean
+159.65.176.0/20 Digital Ocean
+159.65.192.0/20 Digital Ocean
+159.65.208.0/22 Digital Ocean
+159.65.212.0/22 Digital Ocean
+159.65.216.0/21 Digital Ocean
+159.65.224.0/20 Digital Ocean
+159.65.240.0/20 Digital Ocean
+159.89.0.0/20 Digital Ocean
+159.89.16.0/20 Digital Ocean
+159.89.32.0/20 Digital Ocean
+159.89.48.0/21 Digital Ocean
+159.89.64.0/20 Digital Ocean
+159.89.80.0/20 Digital Ocean
+159.89.96.0/20 Digital Ocean
+159.89.112.0/20 Digital Ocean
+159.89.128.0/20 Digital Ocean
+159.89.144.0/20 Digital Ocean
+159.89.160.0/20 Digital Ocean
+159.89.176.0/20 Digital Ocean
+159.89.192.0/20 Digital Ocean
+159.89.208.0/22 Digital Ocean
+159.89.212.0/22 Digital Ocean
+159.89.216.0/22 Digital Ocean
+159.89.220.0/22 Digital Ocean
+159.89.224.0/20 Digital Ocean
+159.89.240.0/22 Digital Ocean
+159.89.244.0/22 Digital Ocean
+159.89.248.0/22 Digital Ocean
+159.89.252.0/22 Digital Ocean
+159.203.0.0/20 Digital Ocean
+159.203.16.0/20 Digital Ocean
+159.203.32.0/20 Digital Ocean
+159.203.48.0/22 Digital Ocean
+159.203.52.0/22 Digital Ocean
+159.203.56.0/21 Digital Ocean
+159.203.64.0/20 Digital Ocean
+159.203.80.0/20 Digital Ocean
+159.203.96.0/20 Digital Ocean
+159.203.112.0/20 Digital Ocean
+159.203.128.0/20 Digital Ocean
+159.203.144.0/22 Digital Ocean
+159.203.148.0/22 Digital Ocean
+159.203.152.0/22 Digital Ocean
+159.203.156.0/22 Digital Ocean
+159.203.160.0/20 Digital Ocean
+159.203.176.0/20 Digital Ocean
+159.203.192.0/20 Digital Ocean
+159.203.208.0/20 Digital Ocean
+159.203.224.0/20 Digital Ocean
+159.203.240.0/20 Digital Ocean
+159.223.0.0/20 Digital Ocean
+159.223.16.0/20 Digital Ocean
+159.223.32.0/20 Digital Ocean
+159.223.48.0/20 Digital Ocean
+159.223.64.0/20 Digital Ocean
+159.223.80.0/20 Digital Ocean
+159.223.96.0/20 Digital Ocean
+159.223.112.0/20 Digital Ocean
+159.223.128.0/20 Digital Ocean
+159.223.144.0/20 Digital Ocean
+159.223.160.0/19 Digital Ocean
+159.223.192.0/20 Digital Ocean
+159.223.208.0/20 Digital Ocean
+159.223.224.0/20 Digital Ocean
+161.35.0.0/20 Digital Ocean
+161.35.16.0/20 Digital Ocean
+161.35.32.0/20 Digital Ocean
+161.35.48.0/20 Digital Ocean
+161.35.64.0/20 Digital Ocean
+161.35.80.0/20 Digital Ocean
+161.35.96.0/20 Digital Ocean
+161.35.112.0/20 Digital Ocean
+161.35.128.0/20 Digital Ocean
+161.35.144.0/20 Digital Ocean
+161.35.160.0/20 Digital Ocean
+161.35.176.0/20 Digital Ocean
+161.35.192.0/20 Digital Ocean
+161.35.208.0/20 Digital Ocean
+161.35.224.0/20 Digital Ocean
+161.35.240.0/22 Digital Ocean
+161.35.244.0/22 Digital Ocean
+161.35.248.0/22 Digital Ocean
+161.35.252.0/22 Digital Ocean
+162.243.0.0/16 Digital Ocean
+163.47.8.0/22 Digital Ocean
+164.90.128.0/20 Digital Ocean
+164.90.144.0/20 Digital Ocean
+164.90.160.0/20 Digital Ocean
+164.90.176.0/20 Digital Ocean
+164.90.192.0/20 Digital Ocean
+164.90.208.0/20 Digital Ocean
+164.90.224.0/20 Digital Ocean
+164.90.240.0/22 Digital Ocean
+164.90.244.0/22 Digital Ocean
+164.90.252.0/22 Digital Ocean
+164.92.64.0/19 Digital Ocean
+164.92.96.0/19 Digital Ocean
+164.92.128.0/20 Digital Ocean
+164.92.144.0/20 Digital Ocean
+164.92.160.0/20 Digital Ocean
+164.92.176.0/20 Digital Ocean
+164.92.192.0/20 Digital Ocean
+164.92.208.0/20 Digital Ocean
+164.92.224.0/20 Digital Ocean
+164.92.240.0/20 Digital Ocean
+165.22.0.0/20 Digital Ocean
+165.22.16.0/20 Digital Ocean
+165.22.32.0/20 Digital Ocean
+165.22.48.0/20 Digital Ocean
+165.22.64.0/20 Digital Ocean
+165.22.80.0/20 Digital Ocean
+165.22.96.0/20 Digital Ocean
+165.22.112.0/20 Digital Ocean
+165.22.128.0/20 Digital Ocean
+165.22.144.0/20 Digital Ocean
+165.22.160.0/20 Digital Ocean
+165.22.176.0/20 Digital Ocean
+165.22.192.0/20 Digital Ocean
+165.22.208.0/20 Digital Ocean
+165.22.224.0/20 Digital Ocean
+165.22.240.0/20 Digital Ocean
+165.227.0.0/20 Digital Ocean
+165.227.16.0/20 Digital Ocean
+165.227.32.0/20 Digital Ocean
+165.227.48.0/20 Digital Ocean
+165.227.64.0/20 Digital Ocean
+165.227.80.0/20 Digital Ocean
+165.227.96.0/20 Digital Ocean
+165.227.112.0/20 Digital Ocean
+165.227.128.0/20 Digital Ocean
+165.227.144.0/20 Digital Ocean
+165.227.160.0/20 Digital Ocean
+165.227.176.0/20 Digital Ocean
+165.227.192.0/20 Digital Ocean
+165.227.208.0/20 Digital Ocean
+165.227.224.0/20 Digital Ocean
+165.227.240.0/22 Digital Ocean
+165.227.244.0/22 Digital Ocean
+165.227.248.0/22 Digital Ocean
+165.227.252.0/22 Digital Ocean
+165.232.32.0/20 Digital Ocean
+165.232.48.0/20 Digital Ocean
+165.232.64.0/20 Digital Ocean
+165.232.80.0/20 Digital Ocean
+165.232.96.0/20 Digital Ocean
+165.232.112.0/20 Digital Ocean
+165.232.128.0/20 Digital Ocean
+165.232.144.0/20 Digital Ocean
+165.232.160.0/20 Digital Ocean
+165.232.176.0/20 Digital Ocean
+167.71.0.0/20 Digital Ocean
+167.71.16.0/20 Digital Ocean
+167.71.32.0/20 Digital Ocean
+167.71.48.0/20 Digital Ocean
+167.71.64.0/20 Digital Ocean
+167.71.80.0/20 Digital Ocean
+167.71.96.0/20 Digital Ocean
+167.71.112.0/20 Digital Ocean
+167.71.128.0/20 Digital Ocean
+167.71.144.0/20 Digital Ocean
+167.71.160.0/20 Digital Ocean
+167.71.176.0/20 Digital Ocean
+167.71.192.0/20 Digital Ocean
+167.71.208.0/20 Digital Ocean
+167.71.224.0/20 Digital Ocean
+167.71.240.0/20 Digital Ocean
+167.99.0.0/20 Digital Ocean
+167.99.16.0/22 Digital Ocean
+167.99.20.0/22 Digital Ocean
+167.99.24.0/22 Digital Ocean
+167.99.28.0/22 Digital Ocean
+167.99.32.0/20 Digital Ocean
+167.99.48.0/20 Digital Ocean
+167.99.64.0/20 Digital Ocean
+167.99.80.0/20 Digital Ocean
+167.99.96.0/20 Digital Ocean
+167.99.112.0/20 Digital Ocean
+167.99.128.0/20 Digital Ocean
+167.99.144.0/20 Digital Ocean
+167.99.160.0/20 Digital Ocean
+167.99.176.0/20 Digital Ocean
+167.99.192.0/20 Digital Ocean
+167.99.208.0/20 Digital Ocean
+167.99.224.0/20 Digital Ocean
+167.99.240.0/20 Digital Ocean
+167.172.0.0/22 Digital Ocean
+167.172.4.0/22 Digital Ocean
+167.172.8.0/22 Digital Ocean
+167.172.12.0/22 Digital Ocean
+167.172.16.0/20 Digital Ocean
+167.172.32.0/20 Digital Ocean
+167.172.48.0/20 Digital Ocean
+167.172.64.0/20 Digital Ocean
+167.172.80.0/20 Digital Ocean
+167.172.96.0/20 Digital Ocean
+167.172.112.0/20 Digital Ocean
+167.172.128.0/20 Digital Ocean
+167.172.144.0/20 Digital Ocean
+167.172.160.0/20 Digital Ocean
+167.172.176.0/20 Digital Ocean
+167.172.192.0/20 Digital Ocean
+167.172.208.0/20 Digital Ocean
+167.172.224.0/20 Digital Ocean
+167.172.240.0/20 Digital Ocean
+170.64.128.0/19 Digital Ocean
+170.64.248.0/21 Digital Ocean
+174.138.0.0/20 Digital Ocean
+174.138.16.0/20 Digital Ocean
+174.138.32.0/20 Digital Ocean
+174.138.48.0/20 Digital Ocean
+174.138.64.0/20 Digital Ocean
+174.138.80.0/20 Digital Ocean
+174.138.96.0/22 Digital Ocean
+174.138.100.0/22 Digital Ocean
+174.138.104.0/22 Digital Ocean
+174.138.108.0/22 Digital Ocean
+174.138.112.0/22 Digital Ocean
+174.138.116.0/22 Digital Ocean
+174.138.120.0/22 Digital Ocean
+174.138.124.0/22 Digital Ocean
+178.62.0.0/18 Digital Ocean
+178.62.64.0/18 Digital Ocean
+178.62.128.0/18 Digital Ocean
+178.62.192.0/18 Digital Ocean
+178.128.0.0/20 Digital Ocean
+178.128.16.0/20 Digital Ocean
+178.128.32.0/20 Digital Ocean
+178.128.48.0/20 Digital Ocean
+178.128.64.0/20 Digital Ocean
+178.128.80.0/20 Digital Ocean
+178.128.96.0/20 Digital Ocean
+178.128.112.0/20 Digital Ocean
+178.128.128.0/22 Digital Ocean
+178.128.132.0/22 Digital Ocean
+178.128.136.0/22 Digital Ocean
+178.128.140.0/22 Digital Ocean
+178.128.144.0/20 Digital Ocean
+178.128.160.0/20 Digital Ocean
+178.128.176.0/20 Digital Ocean
+178.128.192.0/20 Digital Ocean
+178.128.208.0/20 Digital Ocean
+178.128.224.0/20 Digital Ocean
+178.128.240.0/20 Digital Ocean
+185.14.184.0/24 Digital Ocean
+185.14.185.0/24 Digital Ocean
+185.14.186.0/24 Digital Ocean
+185.14.187.0/24 Digital Ocean
+188.166.0.0/18 Digital Ocean
+188.166.64.0/18 Digital Ocean
+188.166.128.0/22 Digital Ocean
+188.166.132.0/22 Digital Ocean
+188.166.136.0/22 Digital Ocean
+188.166.140.0/22 Digital Ocean
+188.166.144.0/20 Digital Ocean
+188.166.160.0/21 Digital Ocean
+188.166.168.0/21 Digital Ocean
+188.166.176.0/20 Digital Ocean
+188.166.192.0/22 Digital Ocean
+188.166.196.0/22 Digital Ocean
+188.166.200.0/22 Digital Ocean
+188.166.204.0/22 Digital Ocean
+188.166.208.0/20 Digital Ocean
+188.166.224.0/20 Digital Ocean
+188.166.240.0/20 Digital Ocean
+188.226.128.0/24 Digital Ocean
+188.226.129.0/24 Digital Ocean
+188.226.130.0/24 Digital Ocean
+188.226.131.0/24 Digital Ocean
+188.226.132.0/24 Digital Ocean
+188.226.133.0/24 Digital Ocean
+188.226.134.0/24 Digital Ocean
+188.226.135.0/24 Digital Ocean
+188.226.136.0/24 Digital Ocean
+188.226.137.0/24 Digital Ocean
+188.226.138.0/24 Digital Ocean
+188.226.139.0/24 Digital Ocean
+188.226.140.0/24 Digital Ocean
+188.226.141.0/24 Digital Ocean
+188.226.142.0/24 Digital Ocean
+188.226.143.0/24 Digital Ocean
+188.226.144.0/24 Digital Ocean
+188.226.145.0/24 Digital Ocean
+188.226.146.0/24 Digital Ocean
+188.226.147.0/24 Digital Ocean
+188.226.148.0/24 Digital Ocean
+188.226.149.0/24 Digital Ocean
+188.226.150.0/24 Digital Ocean
+188.226.151.0/24 Digital Ocean
+188.226.152.0/24 Digital Ocean
+188.226.153.0/24 Digital Ocean
+188.226.154.0/24 Digital Ocean
+188.226.155.0/24 Digital Ocean
+188.226.156.0/24 Digital Ocean
+188.226.157.0/24 Digital Ocean
+188.226.158.0/24 Digital Ocean
+188.226.159.0/24 Digital Ocean
+188.226.160.0/24 Digital Ocean
+188.226.161.0/24 Digital Ocean
+188.226.162.0/24 Digital Ocean
+188.226.163.0/24 Digital Ocean
+188.226.164.0/24 Digital Ocean
+188.226.165.0/24 Digital Ocean
+188.226.166.0/24 Digital Ocean
+188.226.167.0/24 Digital Ocean
+188.226.168.0/24 Digital Ocean
+188.226.169.0/24 Digital Ocean
+188.226.170.0/24 Digital Ocean
+188.226.171.0/24 Digital Ocean
+188.226.172.0/24 Digital Ocean
+188.226.173.0/24 Digital Ocean
+188.226.174.0/24 Digital Ocean
+188.226.175.0/24 Digital Ocean
+188.226.176.0/24 Digital Ocean
+188.226.177.0/24 Digital Ocean
+188.226.178.0/24 Digital Ocean
+188.226.179.0/24 Digital Ocean
+188.226.180.0/24 Digital Ocean
+188.226.181.0/24 Digital Ocean
+188.226.182.0/24 Digital Ocean
+188.226.183.0/24 Digital Ocean
+188.226.184.0/24 Digital Ocean
+188.226.185.0/24 Digital Ocean
+188.226.186.0/24 Digital Ocean
+188.226.187.0/24 Digital Ocean
+188.226.188.0/24 Digital Ocean
+188.226.189.0/24 Digital Ocean
+188.226.190.0/24 Digital Ocean
+188.226.191.0/24 Digital Ocean
+188.226.192.0/20 Digital Ocean
+188.226.208.0/20 Digital Ocean
+188.226.224.0/20 Digital Ocean
+188.226.240.0/20 Digital Ocean
+192.34.56.0/24 Digital Ocean
+192.34.57.0/24 Digital Ocean
+192.34.58.0/24 Digital Ocean
+192.34.59.0/24 Digital Ocean
+192.34.60.0/24 Digital Ocean
+192.34.61.0/24 Digital Ocean
+192.34.62.0/24 Digital Ocean
+192.34.63.0/24 Digital Ocean
+192.81.208.0/24 Digital Ocean
+192.81.209.0/24 Digital Ocean
+192.81.210.0/24 Digital Ocean
+192.81.211.0/24 Digital Ocean
+192.81.212.0/24 Digital Ocean
+192.81.213.0/24 Digital Ocean
+192.81.214.0/24 Digital Ocean
+192.81.215.0/24 Digital Ocean
+192.81.216.0/24 Digital Ocean
+192.81.217.0/24 Digital Ocean
+192.81.218.0/24 Digital Ocean
+192.81.219.0/24 Digital Ocean
+192.81.220.0/24 Digital Ocean
+192.81.221.0/24 Digital Ocean
+192.81.222.0/24 Digital Ocean
+192.81.223.0/24 Digital Ocean
+192.241.128.0/24 Digital Ocean
+192.241.129.0/24 Digital Ocean
+192.241.130.0/24 Digital Ocean
+192.241.131.0/24 Digital Ocean
+192.241.132.0/24 Digital Ocean
+192.241.133.0/24 Digital Ocean
+192.241.134.0/24 Digital Ocean
+192.241.135.0/24 Digital Ocean
+192.241.136.0/24 Digital Ocean
+192.241.137.0/24 Digital Ocean
+192.241.138.0/24 Digital Ocean
+192.241.139.0/24 Digital Ocean
+192.241.140.0/24 Digital Ocean
+192.241.141.0/24 Digital Ocean
+192.241.142.0/24 Digital Ocean
+192.241.143.0/24 Digital Ocean
+192.241.144.0/24 Digital Ocean
+192.241.145.0/24 Digital Ocean
+192.241.146.0/24 Digital Ocean
+192.241.147.0/24 Digital Ocean
+192.241.148.0/24 Digital Ocean
+192.241.149.0/24 Digital Ocean
+192.241.150.0/24 Digital Ocean
+192.241.151.0/24 Digital Ocean
+192.241.152.0/24 Digital Ocean
+192.241.153.0/24 Digital Ocean
+192.241.154.0/24 Digital Ocean
+192.241.155.0/24 Digital Ocean
+192.241.156.0/24 Digital Ocean
+192.241.157.0/24 Digital Ocean
+192.241.158.0/24 Digital Ocean
+192.241.159.0/24 Digital Ocean
+192.241.160.0/24 Digital Ocean
+192.241.161.0/24 Digital Ocean
+192.241.162.0/24 Digital Ocean
+192.241.163.0/24 Digital Ocean
+192.241.165.0/24 Digital Ocean
+192.241.166.0/24 Digital Ocean
+192.241.167.0/24 Digital Ocean
+192.241.168.0/24 Digital Ocean
+192.241.169.0/24 Digital Ocean
+192.241.170.0/24 Digital Ocean
+192.241.171.0/24 Digital Ocean
+192.241.172.0/24 Digital Ocean
+192.241.173.0/24 Digital Ocean
+192.241.174.0/24 Digital Ocean
+192.241.175.0/24 Digital Ocean
+192.241.176.0/24 Digital Ocean
+192.241.177.0/24 Digital Ocean
+192.241.178.0/24 Digital Ocean
+192.241.179.0/24 Digital Ocean
+192.241.180.0/24 Digital Ocean
+192.241.181.0/24 Digital Ocean
+192.241.182.0/24 Digital Ocean
+192.241.183.0/24 Digital Ocean
+192.241.184.0/24 Digital Ocean
+192.241.185.0/24 Digital Ocean
+192.241.186.0/24 Digital Ocean
+192.241.187.0/24 Digital Ocean
+192.241.188.0/24 Digital Ocean
+192.241.189.0/24 Digital Ocean
+192.241.190.0/24 Digital Ocean
+192.241.191.0/24 Digital Ocean
+192.241.192.0/24 Digital Ocean
+192.241.193.0/24 Digital Ocean
+192.241.194.0/24 Digital Ocean
+192.241.195.0/24 Digital Ocean
+192.241.196.0/24 Digital Ocean
+192.241.197.0/24 Digital Ocean
+192.241.198.0/24 Digital Ocean
+192.241.199.0/24 Digital Ocean
+192.241.200.0/24 Digital Ocean
+192.241.201.0/24 Digital Ocean
+192.241.202.0/24 Digital Ocean
+192.241.203.0/24 Digital Ocean
+192.241.204.0/24 Digital Ocean
+192.241.205.0/24 Digital Ocean
+192.241.206.0/24 Digital Ocean
+192.241.207.0/24 Digital Ocean
+192.241.208.0/24 Digital Ocean
+192.241.209.0/24 Digital Ocean
+192.241.210.0/24 Digital Ocean
+192.241.211.0/24 Digital Ocean
+192.241.212.0/24 Digital Ocean
+192.241.213.0/24 Digital Ocean
+192.241.214.0/24 Digital Ocean
+192.241.215.0/24 Digital Ocean
+192.241.216.0/24 Digital Ocean
+192.241.217.0/24 Digital Ocean
+192.241.218.0/24 Digital Ocean
+192.241.219.0/24 Digital Ocean
+192.241.220.0/24 Digital Ocean
+192.241.221.0/24 Digital Ocean
+192.241.222.0/24 Digital Ocean
+192.241.223.0/24 Digital Ocean
+192.241.224.0/24 Digital Ocean
+192.241.225.0/24 Digital Ocean
+192.241.226.0/24 Digital Ocean
+192.241.227.0/24 Digital Ocean
+192.241.228.0/24 Digital Ocean
+192.241.229.0/24 Digital Ocean
+192.241.230.0/24 Digital Ocean
+192.241.231.0/24 Digital Ocean
+192.241.232.0/24 Digital Ocean
+192.241.233.0/24 Digital Ocean
+192.241.234.0/24 Digital Ocean
+192.241.235.0/24 Digital Ocean
+192.241.236.0/24 Digital Ocean
+192.241.237.0/24 Digital Ocean
+192.241.238.0/24 Digital Ocean
+192.241.239.0/24 Digital Ocean
+192.241.240.0/24 Digital Ocean
+192.241.241.0/24 Digital Ocean
+192.241.242.0/24 Digital Ocean
+192.241.243.0/24 Digital Ocean
+192.241.244.0/24 Digital Ocean
+192.241.245.0/24 Digital Ocean
+192.241.246.0/24 Digital Ocean
+192.241.247.0/24 Digital Ocean
+192.241.248.0/24 Digital Ocean
+192.241.249.0/24 Digital Ocean
+192.241.250.0/24 Digital Ocean
+192.241.251.0/24 Digital Ocean
+192.241.252.0/24 Digital Ocean
+192.241.253.0/24 Digital Ocean
+192.241.254.0/24 Digital Ocean
+192.241.255.0/24 Digital Ocean
+198.199.64.0/24 Digital Ocean
+198.199.65.0/24 Digital Ocean
+198.199.66.0/24 Digital Ocean
+198.199.67.0/24 Digital Ocean
+198.199.68.0/24 Digital Ocean
+198.199.69.0/24 Digital Ocean
+198.199.70.0/24 Digital Ocean
+198.199.71.0/24 Digital Ocean
+198.199.72.0/24 Digital Ocean
+198.199.73.0/24 Digital Ocean
+198.199.74.0/24 Digital Ocean
+198.199.75.0/24 Digital Ocean
+198.199.76.0/24 Digital Ocean
+198.199.77.0/24 Digital Ocean
+198.199.78.0/24 Digital Ocean
+198.199.79.0/24 Digital Ocean
+198.199.80.0/24 Digital Ocean
+198.199.81.0/24 Digital Ocean
+198.199.82.0/24 Digital Ocean
+198.199.83.0/24 Digital Ocean
+198.199.84.0/24 Digital Ocean
+198.199.85.0/24 Digital Ocean
+198.199.86.0/24 Digital Ocean
+198.199.87.0/24 Digital Ocean
+198.199.88.0/24 Digital Ocean
+198.199.89.0/24 Digital Ocean
+198.199.90.0/24 Digital Ocean
+198.199.91.0/24 Digital Ocean
+198.199.92.0/24 Digital Ocean
+198.199.93.0/24 Digital Ocean
+198.199.94.0/24 Digital Ocean
+198.199.95.0/24 Digital Ocean
+198.199.96.0/24 Digital Ocean
+198.199.97.0/24 Digital Ocean
+198.199.98.0/24 Digital Ocean
+198.199.100.0/24 Digital Ocean
+198.199.101.0/24 Digital Ocean
+198.199.102.0/24 Digital Ocean
+198.199.103.0/24 Digital Ocean
+198.199.104.0/24 Digital Ocean
+198.199.105.0/24 Digital Ocean
+198.199.106.0/24 Digital Ocean
+198.199.107.0/24 Digital Ocean
+198.199.108.0/24 Digital Ocean
+198.199.109.0/24 Digital Ocean
+198.199.110.0/24 Digital Ocean
+198.199.111.0/24 Digital Ocean
+198.199.112.0/24 Digital Ocean
+198.199.113.0/24 Digital Ocean
+198.199.114.0/24 Digital Ocean
+198.199.115.0/24 Digital Ocean
+198.199.116.0/24 Digital Ocean
+198.199.117.0/24 Digital Ocean
+198.199.118.0/24 Digital Ocean
+198.199.119.0/24 Digital Ocean
+198.199.120.0/24 Digital Ocean
+198.199.121.0/24 Digital Ocean
+198.199.122.0/24 Digital Ocean
+198.199.123.0/24 Digital Ocean
+198.199.124.0/24 Digital Ocean
+198.199.125.0/24 Digital Ocean
+198.199.126.0/24 Digital Ocean
+198.199.127.0/24 Digital Ocean
+198.211.96.0/24 Digital Ocean
+198.211.97.0/24 Digital Ocean
+198.211.98.0/24 Digital Ocean
+198.211.99.0/24 Digital Ocean
+198.211.100.0/24 Digital Ocean
+198.211.101.0/24 Digital Ocean
+198.211.102.0/24 Digital Ocean
+198.211.103.0/24 Digital Ocean
+198.211.104.0/24 Digital Ocean
+198.211.105.0/24 Digital Ocean
+198.211.106.0/24 Digital Ocean
+198.211.107.0/24 Digital Ocean
+198.211.108.0/24 Digital Ocean
+198.211.109.0/24 Digital Ocean
+198.211.110.0/24 Digital Ocean
+198.211.112.0/24 Digital Ocean
+198.211.113.0/24 Digital Ocean
+198.211.114.0/24 Digital Ocean
+198.211.115.0/24 Digital Ocean
+198.211.116.0/24 Digital Ocean
+198.211.117.0/24 Digital Ocean
+198.211.118.0/24 Digital Ocean
+198.211.119.0/24 Digital Ocean
+198.211.120.0/24 Digital Ocean
+198.211.121.0/24 Digital Ocean
+198.211.122.0/24 Digital Ocean
+198.211.123.0/24 Digital Ocean
+198.211.124.0/24 Digital Ocean
+198.211.125.0/24 Digital Ocean
+198.211.126.0/24 Digital Ocean
+198.211.127.0/24 Digital Ocean
+204.48.16.0/20 Digital Ocean
+206.81.0.0/20 Digital Ocean
+206.81.16.0/20 Digital Ocean
+206.189.0.0/20 Digital Ocean
+206.189.16.0/20 Digital Ocean
+206.189.32.0/20 Digital Ocean
+206.189.48.0/20 Digital Ocean
+206.189.64.0/20 Digital Ocean
+206.189.80.0/20 Digital Ocean
+206.189.96.0/20 Digital Ocean
+206.189.112.0/20 Digital Ocean
+206.189.128.0/20 Digital Ocean
+206.189.144.0/20 Digital Ocean
+206.189.160.0/20 Digital Ocean
+206.189.176.0/20 Digital Ocean
+206.189.192.0/20 Digital Ocean
+206.189.208.0/20 Digital Ocean
+206.189.224.0/20 Digital Ocean
+206.189.240.0/22 Digital Ocean
+206.189.244.0/22 Digital Ocean
+206.189.248.0/22 Digital Ocean
+206.189.252.0/22 Digital Ocean
+207.154.192.0/20 Digital Ocean
+207.154.208.0/20 Digital Ocean
+207.154.224.0/20 Digital Ocean
+207.154.240.0/20 Digital Ocean
+208.68.36.0/24 Digital Ocean
+208.68.37.0/24 Digital Ocean
+208.68.38.0/24 Digital Ocean
+208.68.39.0/24 Digital Ocean
+209.97.128.0/20 Digital Ocean
+209.97.144.0/20 Digital Ocean
+209.97.160.0/20 Digital Ocean
+209.97.176.0/20 Digital Ocean
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/tail.c
^
|
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+
+void tail(const char *logfile) {
+ assert(logfile);
+
+ // wait for no more than 5 seconds for the logfile to appear in the filesystem
+ int cnt = 5;
+ while (access(logfile, R_OK) && cnt > 0)
+ cnt--;
+ if (cnt == 0)
+ exit(1);
+
+ off_t last_size = 0;
+
+ while (1) {
+ int fd = open(logfile, O_RDONLY);
+ if (fd == -1)
+ return;
+
+ off_t size = lseek(fd, 0, SEEK_END);
+ if (size < 0) {
+ close(fd);
+ return;
+ }
+
+ char *content = NULL;
+ int mmapped = 0;
+ if (size && size != last_size) {
+ content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+ close(fd);
+ if (content != MAP_FAILED)
+ mmapped = 1;
+ }
+
+ if (mmapped) {
+ printf("%.*s", (int) (size - last_size), content + last_size);
+ fflush(0);
+ munmap(content, size);
+ last_size = size;
+ }
+
+ sleep(1);
+ }
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fsec-optimize
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o ../lib/errno.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/fsec_optimize.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/optimizer.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fsec-print
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/fsec_print.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/print.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fseccomp
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/fseccomp.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -61,6 +61,10 @@
void memory_deny_write_execute(const char *fname);
void memory_deny_write_execute_32(const char *fname);
+// namespaces.c
+void deny_ns(const char *fname, const char *list);
+void deny_ns_32(const char *fname, const char *list);
+
// seccomp_print
void filter_print(const char *fname);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -48,6 +48,8 @@
printf("\tfseccomp keep32 file1 file2 list\n");
printf("\tfseccomp memory-deny-write-execute file\n");
printf("\tfseccomp memory-deny-write-execute.32 file\n");
+ printf("\tfseccomp restrict-namespaces file list\n");
+ printf("\tfseccomp restrict-namespaces.32 file list\n");
}
int main(int argc, char **argv) {
@@ -135,6 +137,10 @@
memory_deny_write_execute(argv[2]);
else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute.32") == 0)
memory_deny_write_execute_32(argv[2]);
+ else if (argc == 4 && strcmp(argv[1], "restrict-namespaces") == 0)
+ deny_ns(argv[2], argv[3]);
+ else if (argc == 4 && strcmp(argv[1], "restrict-namespaces.32") == 0)
+ deny_ns_32(argv[2], argv[3]);
else {
fprintf(stderr, "Error fseccomp: invalid arguments\n");
return 1;
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/namespaces.c
^
|
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#define _GNU_SOURCE
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+
+#include <sched.h>
+#ifndef CLONE_NEWCGROUP
+#define CLONE_NEWCGROUP 0x02000000
+#endif
+#ifndef CLONE_NEWTIME
+#define CLONE_NEWTIME 0x00000080
+#endif
+
+// 64-bit architectures
+#if INTPTR_MAX == INT64_MAX
+#if defined __x86_64__
+// i386 syscalls
+#define clone_32 120
+#define clone3_32 435
+#define unshare_32 310
+#define setns_32 346
+#else
+#warning 32 bit namespaces filter not implemented yet for your architecture
+#endif
+#endif
+
+
+static int build_ns_mask(const char *list) {
+ int mask = 0;
+
+ char *dup = strdup(list);
+ if (!dup)
+ errExit("strdup");
+
+ char *token = strtok(dup, ",");
+ while (token) {
+ if (strcmp(token, "cgroup") == 0)
+ mask |= CLONE_NEWCGROUP;
+ else if (strcmp(token, "ipc") == 0)
+ mask |= CLONE_NEWIPC;
+ else if (strcmp(token, "net") == 0)
+ mask |= CLONE_NEWNET;
+ else if (strcmp(token, "mnt") == 0)
+ mask |= CLONE_NEWNS;
+ else if (strcmp(token, "pid") == 0)
+ mask |= CLONE_NEWPID;
+ else if (strcmp(token, "time") == 0)
+ mask |= CLONE_NEWTIME;
+ else if (strcmp(token, "user") == 0)
+ mask |= CLONE_NEWUSER;
+ else if (strcmp(token, "uts") == 0)
+ mask |= CLONE_NEWUTS;
+ else {
+ fprintf(stderr, "Error fseccomp: %s is not a valid namespace\n", token);
+ exit(1);
+ }
+
+ token = strtok(NULL, ",");
+ }
+
+ free(dup);
+ return mask;
+}
+
+void deny_ns(const char *fname, const char *list) {
+ int mask = build_ns_mask(list);
+ // CLONE_NEWTIME means something different for clone
+ // create a second mask without it
+ int clone_mask = mask & ~CLONE_NEWTIME;
+
+ // open file
+ int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ if (fd < 0) {
+ fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+ exit(1);
+ }
+
+ filter_init(fd, true);
+
+ // build filter
+ struct sock_filter filter[] = {
+#ifdef SYS_clone
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_clone, 0, 4),
+ // s390 has first and second argument flipped
+#if defined __s390__
+ EXAMINE_ARGUMENT(1),
+#else
+ EXAMINE_ARGUMENT(0),
+#endif
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, clone_mask, 0, 1),
+ KILL_OR_RETURN_ERRNO,
+ RETURN_ALLOW,
+#endif
+#ifdef SYS_clone3
+ // cannot inspect clone3 argument because
+ // seccomp does not dereference pointers
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_clone3, 0, 1),
+ RETURN_ERRNO(ENOSYS), // hint to use clone instead
+#endif
+#ifdef SYS_unshare
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_unshare, 0, 4),
+ EXAMINE_ARGUMENT(0),
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1),
+ KILL_OR_RETURN_ERRNO,
+ RETURN_ALLOW,
+#endif
+#ifdef SYS_setns
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_setns, 0, 4),
+ EXAMINE_ARGUMENT(1),
+ // always fail if argument is zero
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 1, 0),
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1),
+ KILL_OR_RETURN_ERRNO,
+ RETURN_ALLOW
+#endif
+ };
+ if (sizeof(filter))
+ write_to_file(fd, filter, sizeof(filter));
+
+ filter_end_blacklist(fd);
+
+ // close file
+ close(fd);
+}
+
+void deny_ns_32(const char *fname, const char *list) {
+ int mask = build_ns_mask(list);
+ // CLONE_NEWTIME means something different for clone
+ // create a second mask without it
+ int clone_mask = mask & ~CLONE_NEWTIME;
+
+ // open file
+ int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ if (fd < 0) {
+ fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+ exit(1);
+ }
+
+ filter_init(fd, false);
+
+ // build filter
+ struct sock_filter filter[] = {
+#ifdef clone_32
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, clone_32, 0, 4),
+ EXAMINE_ARGUMENT(0),
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, clone_mask, 0, 1),
+ KILL_OR_RETURN_ERRNO,
+ RETURN_ALLOW,
+#endif
+#ifdef clone3_32
+ // cannot inspect clone3 argument because
+ // seccomp does not dereference pointers
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, clone3_32, 0, 1),
+ RETURN_ERRNO(ENOSYS), // hint to use clone instead
+#endif
+#ifdef unshare_32
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, unshare_32, 0, 4),
+ EXAMINE_ARGUMENT(0),
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1),
+ KILL_OR_RETURN_ERRNO,
+ RETURN_ALLOW,
+#endif
+#ifdef setns_32
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, setns_32, 0, 4),
+ EXAMINE_ARGUMENT(1),
+ // always fail if argument is zero
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 1, 0),
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1),
+ KILL_OR_RETURN_ERRNO,
+ RETURN_ALLOW
+#endif
+ };
+
+ // For Debian 10 and older, the size of the filter[] array will be 0.
+ // The following filter will end up being generated:
+ //
+ // FILE: /run/firejail/mnt/seccomp/seccomp.namespaces.32
+ // line OP JT JF K
+ // =================================
+ // 0000: 20 00 00 00000004 ld data.architecture
+ // 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002)
+ // 0002: 06 00 00 7fff0000 ret ALLOW
+ // 0003: 20 00 00 00000000 ld data.syscall-number
+ // 0004: 06 00 00 7fff0000 ret ALLOW
+ //
+ if (sizeof(filter))
+ write_to_file(fd, filter, sizeof(filter));
+
+ filter_end_blacklist(fd);
+
+ // close file
+ close(fd);
+}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/protocol.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -132,15 +132,18 @@
EXAMINE_SYSCALL, // 1
// checking SYS_socket only: filtering SYS_socketcall not possible with seccomp
ONLY(359), // 1 + 2
- BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1
+ BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 3 + 2), 0, 0), // 1 + 2 + 1
#else
#warning 32 bit protocol filter not implemented yet for your architecture
#endif
VALIDATE_ARCHITECTURE, // 3
EXAMINE_SYSCALL, // 3 + 1
- ONLY(SYS_socket), // 3 + 1 + 2
+#if defined __x86_64__
+ HANDLE_X32, // 3 + 1 + 3
+#endif
+ ONLY(SYS_socket), // 3 + 1 (+ 3) + 2
- EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1
+ EXAMINE_ARGUMENT(0) // 3 + 1 (+ 3) + 2 + 1
};
memcpy(ptr, &filter_start[0], sizeof(filter_start));
ptr += sizeof(filter_start);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/seccomp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/seccomp_file.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/seccomp_secondary.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fshaper/fshaper.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
TCFILE=""
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/ftee/Makefile
^
|
@@ -0,0 +1,7 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = ftee
+TARGET = $(PROG)
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/ftee/ftee.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/ftee/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fzenity/Makefile
^
|
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = fzenity
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fzenity/main.c
^
|
@@ -0,0 +1,176 @@
+#include "../include/common.h"
+#include <sys/ioctl.h>
+
+static char *arg_title = NULL;
+static char *arg_text = NULL;
+static int arg_info = 0;
+static int arg_question = 0;
+
+static inline void ansi_topleft(void) {
+ char str[] = {0x1b, '[', '1', ';', '1', 'H', '\0'};
+ printf("%s", str);
+ fflush(0);
+}
+
+static inline void ansi_clrscr(void) {
+ ansi_topleft();
+ char str[] = {0x1b, '[', '0', 'J', '\0'};
+ printf("%s", str);
+ fflush(0);
+}
+
+char *remove_markup(char *in) {
+ char *out = malloc(strlen(in) + 1);
+ if (!out)
+ errExit("malloc");
+ memset(out, 0, strlen(in) + 1);
+
+ char *ptr = in;
+ char *outptr = out;
+ while (*ptr != '\0') {
+ // skip <> markup
+ if (*ptr == '<') {
+ while (*ptr != '\0' && *ptr != '>')
+ ptr++;
+ if (*ptr == '\0') {
+ fprintf(stderr, "Error: invalid markup\n");
+ exit(0);
+ }
+ ptr++;
+ }
+ // replace literal \n with char '\n'
+ else if (*ptr == '\\' && *(ptr + 1) == 'n') {
+ ptr += 2;
+ *outptr++ = '\n';
+ continue;
+ }
+ // replace '/n' with ' '
+ else if (*ptr == '\n') {
+ if (*(ptr + 1) == '\n') {
+ *outptr++ = '\n';
+ *outptr++ = '\n';
+ ptr += 2;
+ }
+ else {
+ *outptr++ = ' ';
+ ptr++;
+ }
+ }
+ else
+ *outptr++ = *ptr++;
+ }
+
+ return out;
+}
+
+char *print_line(char *in, int col) {
+ char *ptr = in;
+ int i = 0;
+ while (*ptr != '\n' && *ptr != '\0' && i < col) {
+ ptr++;
+ i++;
+ }
+
+ if (*ptr == '\n') {
+ *ptr++ = '\0';
+ printf("%s\n", in);
+ return ptr;
+ }
+ else if (i == col) {
+ while (*ptr != ' ' && ptr != in)
+ ptr--;
+ *ptr++ = '\0';
+ printf("%s\n", in);
+ return ptr;
+ }
+ assert(0);
+ return NULL;
+}
+
+void paginate(char *in) {
+ struct winsize w;
+ unsigned col = 80;
+ if (ioctl(0, TIOCGWINSZ, &w) == 0)
+ col = w.ws_col;
+
+ char *ptr = in;
+ while (*ptr != '\0') {
+ if (strlen(ptr) < col) {
+ printf("%s", ptr);
+ return;
+ }
+ ptr =print_line(ptr, col);
+ }
+
+ return;
+}
+
+static void info(void) {
+ ansi_clrscr();
+ if (arg_text == NULL) {
+ fprintf(stderr, "Error: --text argument required\n");
+ exit(1);
+ }
+
+ if (arg_title)
+ printf("%s\n\n", arg_title);
+
+ char *ptr = strstr(arg_text, "Press OK to continue");
+ if (ptr)
+ *ptr = '\0';
+ char *out = remove_markup(arg_text);
+ paginate(out);
+ free(out);
+
+ printf("\nContinue? (Y/N): ");
+
+ int c = getchar();
+ if (c == 'y' || c == 'Y')
+ exit(0);
+ exit(1);
+}
+
+static void question(void) {
+ ansi_clrscr();
+ if (arg_text == NULL) {
+ fprintf(stderr, "Error: --text argument required\n");
+ exit(1);
+ }
+
+ if (arg_title)
+ printf("%s\n\n", arg_title);
+
+ char *ptr = strstr(arg_text, "Press OK to continue");
+ if (ptr)
+ *ptr = '\0';
+ char *out = remove_markup(arg_text);
+ paginate(out);
+ free(out);
+
+ printf("\n\n(Y/N): ");
+
+ int c = getchar();
+ if (c == 'y' || c == 'Y')
+ exit(0);
+ exit(1);
+}
+
+int main(int argc, char **argv) {
+ int i;
+ for (i = 1; i < argc; i++) {
+//printf("argv %d: #%s#\n", i, argv[i]);
+ if (strcmp(argv[i], "--info") == 0)
+ arg_info = 1;
+ else if (strcmp(argv[i], "--question") == 0)
+ arg_question = 1;
+ else if (strncmp(argv[i], "--text=", 7) == 0)
+ arg_text = argv[i] + 7;
+ }
+
+ if (arg_question)
+ question();
+ else if (arg_info)
+ info();
+
+ return 0;
+}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/common.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -73,6 +73,25 @@
return 0;
}
+// read an IPv4 address in CIDR format, for example 192.168.1.0/24
+static inline int atocidr(const char *str, uint32_t *ip, uint32_t *mask) {
+ unsigned a, b, c, d, e;
+
+ // extract ip
+ int rv = sscanf(str, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &e);
+ if (rv != 5 || a > 255 || b > 255 || c > 255 || d > 255 || e > 32)
+ return 1;
+ *ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d;
+
+ // extract mask
+ uint32_t tmp;
+ unsigned i;
+ for (i = 0, *mask = 0, tmp = 0x80000000; i < e; i++, tmp >>= 1) {
+ *mask |= tmp;
+ }
+ return 0;
+}
+
// verify an ip address is in the network range given by ifip and mask
static inline char *in_netrange(uint32_t ip, uint32_t ifip, uint32_t ifmask) {
if ((ip & ifmask) != (ifip & ifmask))
@@ -115,12 +134,19 @@
void timetrace_start(void);
float timetrace_end(void);
-int join_namespace(pid_t pid, char *type);
+int join_namespace_by_fd(int dirfd, char *typestr);
+int join_namespace(pid_t pid, char *typestr);
int name2pid(const char *name, pid_t *pid);
char *pid_proc_comm(const pid_t pid);
char *pid_proc_cmdline(const pid_t pid);
int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
int pid_hidepid(void);
+char *do_replace_cntrl_chars(char *str, char c);
+char *replace_cntrl_chars(const char *str, char c);
+int has_cntrl_chars(const char *str);
+void reject_cntrl_chars(const char *fname);
+void reject_meta_chars(const char *fname, int globbing);
void warn_dumpable(void);
const char *gnu_basename(const char *path);
+int *str_to_int_array(const char *str, size_t *sz);
#endif
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/euid_common.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/firejail_user.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/gcov_wrapper.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2021 Firejail Authors
+ * Copyright (C) 2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -21,7 +21,7 @@
#ifndef GCOV_WRAPPER_H
#define GCOV_WRAPPER_H
-#ifdef HAS_GCOV
+#ifdef HAVE_GCOV
#include <gcov.h>
/*
@@ -41,6 +41,6 @@
#define __gcov_dump() ((void)0)
#define __gcov_reset() ((void)0)
#define __gcov_flush() ((void)0)
-#endif /* HAS_GCOV */
+#endif /* HAVE_GCOV */
#endif /* GCOV_WRAPPER_H */
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/ldd_utils.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/pid.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -31,14 +31,23 @@
unsigned char zombie;
pid_t parent;
uid_t uid;
- char *user;
- char *cmd;
- unsigned utime;
- unsigned stime;
- unsigned long long rx; // network rx, bytes
- unsigned long long tx; // networking tx, bytes
- unsigned rx_delta;
- unsigned tx_delta;
+
+ union {
+ struct event_t {
+ char *user;
+ char *cmd;
+ } event;
+
+ struct top_t {
+ unsigned utime;
+ unsigned stime;
+ } top;
+
+ struct netstats_t {
+ unsigned long long rx; // network rx, bytes
+ unsigned long long tx; // networking tx, bytes
+ } netstats;
+ } option;
} Process;
//extern Process pids[max_pids];
extern Process *pids;
@@ -52,7 +61,6 @@
// print functions
void pid_print_tree(unsigned index, unsigned parent, int nowrap);
void pid_print_list(unsigned index, int nowrap);
-void pid_store_cpu(unsigned index, unsigned parent, unsigned *utime, unsigned *stime);
void pid_read(pid_t mon_pid);
#endif
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/rundefs.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -23,6 +23,7 @@
// filesystem
#define RUN_FIREJAIL_BASEDIR "/run"
#define RUN_FIREJAIL_DIR RUN_FIREJAIL_BASEDIR "/firejail"
+#define RUN_FIREJAIL_SANDBOX_DIR RUN_FIREJAIL_DIR "/sandbox"
#define RUN_FIREJAIL_APPIMAGE_DIR RUN_FIREJAIL_DIR "/appimage"
#define RUN_FIREJAIL_NAME_DIR RUN_FIREJAIL_DIR "/name" // also used in src/lib/pid.c - todo: move it in a common place
#define RUN_FIREJAIL_LIB_DIR RUN_FIREJAIL_DIR "/lib"
@@ -36,7 +37,6 @@
#define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir"
#define RUN_RO_FILE RUN_FIREJAIL_DIR "/firejail.ro.file"
#define RUN_MNT_DIR RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_CGROUP_CFG RUN_MNT_DIR "/cgroup"
#define RUN_CPU_CFG RUN_MNT_DIR "/cpu"
#define RUN_GROUPS_CFG RUN_MNT_DIR "/groups"
#define RUN_PROTOCOL_CFG RUN_MNT_DIR "/protocol"
@@ -68,6 +68,8 @@
#define RUN_SECCOMP_32 RUN_SECCOMP_DIR "/seccomp.32" // 32bit arch filter installed on 64bit architectures
#define RUN_SECCOMP_MDWX RUN_SECCOMP_DIR "/seccomp.mdwx" // filter for memory-deny-write-execute
#define RUN_SECCOMP_MDWX_32 RUN_SECCOMP_DIR "/seccomp.mdwx.32"
+#define RUN_SECCOMP_NS RUN_SECCOMP_DIR "/seccomp.namespaces"
+#define RUN_SECCOMP_NS_32 RUN_SECCOMP_DIR "/seccomp.namespaces.32"
#define RUN_SECCOMP_BLOCK_SECONDARY RUN_SECCOMP_DIR "/seccomp.block_secondary" // secondary arch blocking filter
#define RUN_SECCOMP_POSTEXEC RUN_SECCOMP_DIR "/seccomp.postexec" // filter for post-exec library
#define RUN_SECCOMP_POSTEXEC_32 RUN_SECCOMP_DIR "/seccomp.postexec32" // filter for post-exec library
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/seccomp.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -250,6 +250,9 @@
#define RETURN_ALLOW \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define RETURN_KILL \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
#define RETURN_ERRNO(nr) \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall_armeabi.h
^
|
@@ -1,355 +1,401 @@
-{ "accept", 285 },
-{ "accept4", 366 },
-{ "access", 33 },
-{ "acct", 51 },
-{ "add_key", 309 },
-{ "adjtimex", 124 },
-{ "alarm", 27 },
-{ "arm_fadvise64_64", 270 },
-{ "arm_sync_file_range", 341 },
-{ "bdflush", 134 },
-{ "bind", 282 },
-{ "bpf", 386 },
-{ "brk", 45 },
-{ "capget", 184 },
-{ "capset", 185 },
+{ "exit", 1 },
+{ "fork", 2 },
+{ "read", 3 },
+{ "write", 4 },
+{ "open", 5 },
+{ "close", 6 },
+{ "creat", 8 },
+{ "link", 9 },
+{ "unlink", 10 },
+{ "execve", 11 },
{ "chdir", 12 },
+{ "mknod", 14 },
{ "chmod", 15 },
-{ "chown", 182 },
-{ "chown32", 212 },
+{ "lchown", 16 },
+{ "lseek", 19 },
+{ "getpid", 20 },
+{ "mount", 21 },
+{ "setuid", 23 },
+{ "getuid", 24 },
+{ "ptrace", 26 },
+{ "pause", 29 },
+{ "access", 33 },
+{ "nice", 34 },
+{ "sync", 36 },
+{ "kill", 37 },
+{ "rename", 38 },
+{ "mkdir", 39 },
+{ "rmdir", 40 },
+{ "dup", 41 },
+{ "pipe", 42 },
+{ "times", 43 },
+{ "brk", 45 },
+{ "setgid", 46 },
+{ "getgid", 47 },
+{ "geteuid", 49 },
+{ "getegid", 50 },
+{ "acct", 51 },
+{ "umount2", 52 },
+{ "ioctl", 54 },
+{ "fcntl", 55 },
+{ "setpgid", 57 },
+{ "umask", 60 },
{ "chroot", 61 },
-{ "clock_adjtime", 372 },
-{ "clock_getres", 264 },
-{ "clock_gettime", 263 },
-{ "clock_nanosleep", 265 },
-{ "clock_settime", 262 },
-{ "clone", 120 },
-{ "close", 6 },
-{ "connect", 283 },
-{ "creat", 8 },
-{ "delete_module", 129 },
+{ "ustat", 62 },
{ "dup2", 63 },
-{ "dup3", 358 },
-{ "dup", 41 },
-{ "epoll_create1", 357 },
-{ "epoll_create", 250 },
-{ "epoll_ctl", 251 },
-{ "epoll_pwait", 346 },
-{ "epoll_wait", 252 },
-{ "eventfd2", 356 },
-{ "eventfd", 351 },
-{ "execve", 11 },
-{ "exit", 1 },
-{ "exit_group", 248 },
-{ "faccessat", 334 },
-{ "faccessat2", 439 },
-{ "fallocate", 352 },
-{ "fanotify_init", 367 },
-{ "fanotify_mark", 368 },
-{ "fchdir", 133 },
+{ "getppid", 64 },
+{ "getpgrp", 65 },
+{ "setsid", 66 },
+{ "sigaction", 67 },
+{ "setreuid", 70 },
+{ "setregid", 71 },
+{ "sigsuspend", 72 },
+{ "sigpending", 73 },
+{ "sethostname", 74 },
+{ "setrlimit", 75 },
+{ "getrusage", 77 },
+{ "gettimeofday", 78 },
+{ "settimeofday", 79 },
+{ "getgroups", 80 },
+{ "setgroups", 81 },
+{ "symlink", 83 },
+{ "readlink", 85 },
+{ "uselib", 86 },
+{ "swapon", 87 },
+{ "reboot", 88 },
+{ "munmap", 91 },
+{ "truncate", 92 },
+{ "ftruncate", 93 },
{ "fchmod", 94 },
-{ "fchmodat", 333 },
-{ "fchown32", 207 },
{ "fchown", 95 },
-{ "fchownat", 325 },
-{ "fcntl", 55 },
-{ "fcntl64", 221 },
-{ "fdatasync", 148 },
-{ "fgetxattr", 231 },
-{ "finit_module", 379 },
-{ "flistxattr", 234 },
-{ "flock", 143 },
-{ "fork", 2 },
-{ "fremovexattr", 237 },
-{ "fsetxattr", 228 },
-{ "fstat", 108 },
-{ "fstat64", 197 },
-{ "fstatat64", 327 },
+{ "getpriority", 96 },
+{ "setpriority", 97 },
+{ "statfs", 99 },
{ "fstatfs", 100 },
-{ "fstatfs64", 267 },
-{ "fsync", 118 },
-{ "ftruncate64", 194 },
-{ "ftruncate", 93 },
-{ "futex", 240 },
-{ "futimesat", 326 },
-{ "getcpu", 345 },
-{ "getcwd", 183 },
-{ "getdents", 141 },
-{ "getdents64", 217 },
-{ "getegid32", 202 },
-{ "getegid", 50 },
-{ "geteuid32", 201 },
-{ "geteuid", 49 },
-{ "getgid32", 200 },
-{ "getgid", 47 },
-{ "getgroups32", 205 },
-{ "getgroups", 80 },
+{ "syslog", 103 },
+{ "setitimer", 104 },
{ "getitimer", 105 },
-{ "get_mempolicy", 320 },
-{ "getpeername", 287 },
-{ "getpgid", 132 },
-{ "getpgrp", 65 },
-{ "getpid", 20 },
-{ "getppid", 64 },
-{ "getpriority", 96 },
-{ "getrandom", 384 },
-{ "getresgid", 171 },
-{ "getresgid32", 211 },
-{ "getresuid", 165 },
-{ "getresuid32", 209 },
-{ "getrlimit", 76 },
-{ "get_robust_list", 339 },
-{ "getrusage", 77 },
-{ "getsid", 147 },
-{ "getsockname", 286 },
-{ "getsockopt", 295 },
-{ "gettid", 224 },
-{ "gettimeofday", 78 },
-{ "getuid", 24 },
-{ "getuid32", 199 },
-{ "getxattr", 229 },
-{ "init_module", 128 },
-{ "inotify_add_watch", 317 },
-{ "inotify_init1", 360 },
-{ "inotify_init", 316 },
-{ "inotify_rm_watch", 318 },
-{ "io_cancel", 247 },
-{ "ioctl", 54 },
-{ "io_destroy", 244 },
-{ "io_getevents", 245 },
-{ "ioprio_get", 315 },
-{ "ioprio_set", 314 },
-{ "io_setup", 243 },
-{ "io_submit", 246 },
-{ "ipc", 117 },
-{ "kcmp", 378 },
-{ "kexec_load", 347 },
-{ "keyctl", 311 },
-{ "kill", 37 },
-{ "lchown", 16 },
-{ "lchown32", 198 },
-{ "lgetxattr", 230 },
-{ "link", 9 },
-{ "linkat", 330 },
-{ "listen", 284 },
-{ "listxattr", 232 },
-{ "llistxattr", 233 },
-{ "_llseek", 140 },
-{ "lookup_dcookie", 249 },
-{ "lremovexattr", 236 },
-{ "lseek", 19 },
-{ "lsetxattr", 227 },
+{ "stat", 106 },
{ "lstat", 107 },
-{ "lstat64", 196 },
-{ "madvise", 220 },
-{ "mbind", 319 },
-{ "memfd_create", 385 },
-{ "mincore", 219 },
-{ "mkdir", 39 },
-{ "mkdirat", 323 },
-{ "mknod", 14 },
-{ "mknodat", 324 },
-{ "mlock", 150 },
-{ "mlockall", 152 },
-{ "mmap2", 192 },
-{ "mmap", 90 },
-{ "mount", 21 },
-{ "move_pages", 344 },
+{ "fstat", 108 },
+{ "vhangup", 111 },
+{ "wait4", 114 },
+{ "swapoff", 115 },
+{ "sysinfo", 116 },
+{ "fsync", 118 },
+{ "sigreturn", 119 },
+{ "clone", 120 },
+{ "setdomainname", 121 },
+{ "uname", 122 },
+{ "adjtimex", 124 },
{ "mprotect", 125 },
-{ "mq_getsetattr", 279 },
-{ "mq_notify", 278 },
-{ "mq_open", 274 },
-{ "mq_timedreceive", 277 },
-{ "mq_timedsend", 276 },
-{ "mq_unlink", 275 },
-{ "mremap", 163 },
-{ "msgctl", 304 },
-{ "msgget", 303 },
-{ "msgrcv", 302 },
-{ "msgsnd", 301 },
+{ "sigprocmask", 126 },
+{ "init_module", 128 },
+{ "delete_module", 129 },
+{ "quotactl", 131 },
+{ "getpgid", 132 },
+{ "fchdir", 133 },
+{ "bdflush", 134 },
+{ "sysfs", 135 },
+{ "personality", 136 },
+{ "setfsuid", 138 },
+{ "setfsgid", 139 },
+{ "_llseek", 140 },
+{ "getdents", 141 },
+{ "_newselect", 142 },
+{ "flock", 143 },
{ "msync", 144 },
+{ "readv", 145 },
+{ "writev", 146 },
+{ "getsid", 147 },
+{ "fdatasync", 148 },
+{ "_sysctl", 149 },
+{ "mlock", 150 },
{ "munlock", 151 },
+{ "mlockall", 152 },
{ "munlockall", 153 },
-{ "munmap", 91 },
-{ "name_to_handle_at", 370 },
+{ "sched_setparam", 154 },
+{ "sched_getparam", 155 },
+{ "sched_setscheduler", 156 },
+{ "sched_getscheduler", 157 },
+{ "sched_yield", 158 },
+{ "sched_get_priority_max", 159 },
+{ "sched_get_priority_min", 160 },
+{ "sched_rr_get_interval", 161 },
{ "nanosleep", 162 },
-{ "_newselect", 142 },
-{ "nfsservctl", 169 },
-{ "nice", 34 },
-{ "open", 5 },
-{ "openat", 322 },
-{ "open_by_handle_at", 371 },
-{ "pause", 29 },
-{ "pciconfig_iobase", 271 },
-{ "pciconfig_read", 272 },
-{ "pciconfig_write", 273 },
-{ "perf_event_open", 364 },
-{ "personality", 136 },
-{ "pipe2", 359 },
-{ "pipe", 42 },
-{ "pivot_root", 218 },
+{ "mremap", 163 },
+{ "setresuid", 164 },
+{ "getresuid", 165 },
{ "poll", 168 },
-{ "ppoll", 336 },
+{ "nfsservctl", 169 },
+{ "setresgid", 170 },
+{ "getresgid", 171 },
{ "prctl", 172 },
-{ "pread64", 180 },
-{ "preadv", 361 },
-{ "prlimit64", 369 },
-{ "process_vm_readv", 376 },
-{ "process_vm_writev", 377 },
-{ "pselect6", 335 },
-{ "ptrace", 26 },
-{ "pwrite64", 181 },
-{ "pwritev", 362 },
-{ "quotactl", 131 },
-{ "read", 3 },
-{ "readahead", 225 },
-{ "readdir", 89 },
-{ "readlink", 85 },
-{ "readlinkat", 332 },
-{ "readv", 145 },
-{ "reboot", 88 },
-{ "recv", 291 },
-{ "recvfrom", 292 },
-{ "recvmmsg", 365 },
-{ "recvmsg", 297 },
-{ "remap_file_pages", 253 },
-{ "removexattr", 235 },
-{ "rename", 38 },
-{ "renameat2", 382 },
-{ "renameat", 329 },
-{ "request_key", 310 },
-{ "rmdir", 40 },
+{ "rt_sigreturn", 173 },
{ "rt_sigaction", 174 },
-{ "rt_sigpending", 176 },
{ "rt_sigprocmask", 175 },
+{ "rt_sigpending", 176 },
+{ "rt_sigtimedwait", 177 },
{ "rt_sigqueueinfo", 178 },
-{ "rt_sigreturn", 173 },
{ "rt_sigsuspend", 179 },
-{ "rt_sigtimedwait", 177 },
-{ "rt_tgsigqueueinfo", 363 },
-{ "sched_getaffinity", 242 },
-{ "sched_getattr", 381 },
-{ "sched_getparam", 155 },
-{ "sched_get_priority_max", 159 },
-{ "sched_get_priority_min", 160 },
-{ "sched_getscheduler", 157 },
-{ "sched_rr_get_interval", 161 },
-{ "sched_setaffinity", 241 },
-{ "sched_setattr", 380 },
-{ "sched_setparam", 154 },
-{ "sched_setscheduler", 156 },
-{ "sched_yield", 158 },
-{ "seccomp", 383 },
-{ "select", 82 },
-{ "semctl", 300 },
-{ "semget", 299 },
-{ "semop", 298 },
-{ "semtimedop", 312 },
-{ "send", 289 },
+{ "pread64", 180 },
+{ "pwrite64", 181 },
+{ "chown", 182 },
+{ "getcwd", 183 },
+{ "capget", 184 },
+{ "capset", 185 },
+{ "sigaltstack", 186 },
{ "sendfile", 187 },
-{ "sendfile64", 239 },
-{ "sendmmsg", 374 },
-{ "sendmsg", 296 },
-{ "sendto", 290 },
-{ "setdomainname", 121 },
-{ "setfsgid", 139 },
-{ "setfsgid32", 216 },
-{ "setfsuid", 138 },
-{ "setfsuid32", 215 },
-{ "setgid32", 214 },
-{ "setgid", 46 },
-{ "setgroups32", 206 },
-{ "setgroups", 81 },
-{ "sethostname", 74 },
-{ "setitimer", 104 },
-{ "set_mempolicy", 321 },
-{ "setns", 375 },
-{ "setpgid", 57 },
-{ "setpriority", 97 },
+{ "vfork", 190 },
+{ "ugetrlimit", 191 },
+{ "mmap2", 192 },
+{ "truncate64", 193 },
+{ "ftruncate64", 194 },
+{ "stat64", 195 },
+{ "lstat64", 196 },
+{ "fstat64", 197 },
+{ "lchown32", 198 },
+{ "getuid32", 199 },
+{ "getgid32", 200 },
+{ "geteuid32", 201 },
+{ "getegid32", 202 },
+{ "setreuid32", 203 },
{ "setregid32", 204 },
-{ "setregid", 71 },
-{ "setresgid", 170 },
-{ "setresgid32", 210 },
-{ "setresuid", 164 },
+{ "getgroups32", 205 },
+{ "setgroups32", 206 },
+{ "fchown32", 207 },
{ "setresuid32", 208 },
-{ "setreuid32", 203 },
-{ "setreuid", 70 },
-{ "setrlimit", 75 },
-{ "set_robust_list", 338 },
-{ "setsid", 66 },
-{ "setsockopt", 294 },
-{ "set_tid_address", 256 },
-{ "settimeofday", 79 },
-{ "setuid", 23 },
+{ "getresuid32", 209 },
+{ "setresgid32", 210 },
+{ "getresgid32", 211 },
+{ "chown32", 212 },
{ "setuid32", 213 },
+{ "setgid32", 214 },
+{ "setfsuid32", 215 },
+{ "setfsgid32", 216 },
+{ "getdents64", 217 },
+{ "pivot_root", 218 },
+{ "mincore", 219 },
+{ "madvise", 220 },
+{ "fcntl64", 221 },
+{ "gettid", 224 },
+{ "readahead", 225 },
{ "setxattr", 226 },
+{ "lsetxattr", 227 },
+{ "fsetxattr", 228 },
+{ "getxattr", 229 },
+{ "lgetxattr", 230 },
+{ "fgetxattr", 231 },
+{ "listxattr", 232 },
+{ "llistxattr", 233 },
+{ "flistxattr", 234 },
+{ "removexattr", 235 },
+{ "lremovexattr", 236 },
+{ "fremovexattr", 237 },
+{ "tkill", 238 },
+{ "sendfile64", 239 },
+{ "futex", 240 },
+{ "sched_setaffinity", 241 },
+{ "sched_getaffinity", 242 },
+{ "io_setup", 243 },
+{ "io_destroy", 244 },
+{ "io_getevents", 245 },
+{ "io_submit", 246 },
+{ "io_cancel", 247 },
+{ "exit_group", 248 },
+{ "lookup_dcookie", 249 },
+{ "epoll_create", 250 },
+{ "epoll_ctl", 251 },
+{ "epoll_wait", 252 },
+{ "remap_file_pages", 253 },
+{ "set_tid_address", 256 },
+{ "timer_create", 257 },
+{ "timer_settime", 258 },
+{ "timer_gettime", 259 },
+{ "timer_getoverrun", 260 },
+{ "timer_delete", 261 },
+{ "clock_settime", 262 },
+{ "clock_gettime", 263 },
+{ "clock_getres", 264 },
+{ "clock_nanosleep", 265 },
+{ "statfs64", 266 },
+{ "fstatfs64", 267 },
+{ "tgkill", 268 },
+{ "utimes", 269 },
+{ "arm_fadvise64_64", 270 },
+{ "pciconfig_iobase", 271 },
+{ "pciconfig_read", 272 },
+{ "pciconfig_write", 273 },
+{ "mq_open", 274 },
+{ "mq_unlink", 275 },
+{ "mq_timedsend", 276 },
+{ "mq_timedreceive", 277 },
+{ "mq_notify", 278 },
+{ "mq_getsetattr", 279 },
+{ "waitid", 280 },
+{ "socket", 281 },
+{ "bind", 282 },
+{ "connect", 283 },
+{ "listen", 284 },
+{ "accept", 285 },
+{ "getsockname", 286 },
+{ "getpeername", 287 },
+{ "socketpair", 288 },
+{ "send", 289 },
+{ "sendto", 290 },
+{ "recv", 291 },
+{ "recvfrom", 292 },
+{ "shutdown", 293 },
+{ "setsockopt", 294 },
+{ "getsockopt", 295 },
+{ "sendmsg", 296 },
+{ "recvmsg", 297 },
+{ "semop", 298 },
+{ "semget", 299 },
+{ "semctl", 300 },
+{ "msgsnd", 301 },
+{ "msgrcv", 302 },
+{ "msgget", 303 },
+{ "msgctl", 304 },
{ "shmat", 305 },
-{ "shmctl", 308 },
{ "shmdt", 306 },
{ "shmget", 307 },
-{ "shutdown", 293 },
-{ "sigaction", 67 },
-{ "sigaltstack", 186 },
-{ "signalfd", 349 },
-{ "signalfd4", 355 },
-{ "sigpending", 73 },
-{ "sigprocmask", 126 },
-{ "sigreturn", 119 },
-{ "sigsuspend", 72 },
-{ "socket", 281 },
-{ "socketcall", 102 },
-{ "socketpair", 288 },
-{ "splice", 340 },
-{ "stat", 106 },
-{ "stat64", 195 },
-{ "statfs64", 266 },
-{ "statfs", 99 },
-{ "stime", 25 },
-{ "swapoff", 115 },
-{ "swapon", 87 },
-{ "symlink", 83 },
+{ "shmctl", 308 },
+{ "add_key", 309 },
+{ "request_key", 310 },
+{ "keyctl", 311 },
+{ "semtimedop", 312 },
+{ "vserver", 313 },
+{ "ioprio_set", 314 },
+{ "ioprio_get", 315 },
+{ "inotify_init", 316 },
+{ "inotify_add_watch", 317 },
+{ "inotify_rm_watch", 318 },
+{ "mbind", 319 },
+{ "get_mempolicy", 320 },
+{ "set_mempolicy", 321 },
+{ "openat", 322 },
+{ "mkdirat", 323 },
+{ "mknodat", 324 },
+{ "fchownat", 325 },
+{ "futimesat", 326 },
+{ "fstatat64", 327 },
+{ "unlinkat", 328 },
+{ "renameat", 329 },
+{ "linkat", 330 },
{ "symlinkat", 331 },
-{ "sync", 36 },
-{ "sync_file_range2", 341 },
-{ "syncfs", 373 },
-{ "syscall", 113 },
-{ "_sysctl", 149 },
-{ "sysfs", 135 },
-{ "sysinfo", 116 },
-{ "syslog", 103 },
+{ "readlinkat", 332 },
+{ "fchmodat", 333 },
+{ "faccessat", 334 },
+{ "pselect6", 335 },
+{ "ppoll", 336 },
+{ "unshare", 337 },
+{ "set_robust_list", 338 },
+{ "get_robust_list", 339 },
+{ "splice", 340 },
+{ "arm_sync_file_range", 341 },
{ "tee", 342 },
-{ "tgkill", 268 },
-{ "time", 13 },
-{ "timer_create", 257 },
-{ "timer_delete", 261 },
+{ "vmsplice", 343 },
+{ "move_pages", 344 },
+{ "getcpu", 345 },
+{ "epoll_pwait", 346 },
+{ "kexec_load", 347 },
+{ "utimensat", 348 },
+{ "signalfd", 349 },
{ "timerfd_create", 350 },
-{ "timerfd_gettime", 354 },
+{ "eventfd", 351 },
+{ "fallocate", 352 },
{ "timerfd_settime", 353 },
-{ "timer_getoverrun", 260 },
-{ "timer_gettime", 259 },
-{ "timer_settime", 258 },
-{ "times", 43 },
-{ "tkill", 238 },
-{ "truncate64", 193 },
-{ "truncate", 92 },
-{ "ugetrlimit", 191 },
-{ "umask", 60 },
-{ "umount", 22 },
-{ "umount2", 52 },
-{ "uname", 122 },
-{ "unlink", 10 },
-{ "unlinkat", 328 },
-{ "unshare", 337 },
-{ "uselib", 86 },
-{ "ustat", 62 },
-{ "utime", 30 },
-{ "utimensat", 348 },
-{ "utimes", 269 },
-{ "vfork", 190 },
-{ "vhangup", 111 },
-{ "vmsplice", 343 },
-{ "vserver", 313 },
-{ "wait4", 114 },
-{ "waitid", 280 },
-{ "write", 4 },
-{ "writev", 146 },
+{ "timerfd_gettime", 354 },
+{ "signalfd4", 355 },
+{ "eventfd2", 356 },
+{ "epoll_create1", 357 },
+{ "dup3", 358 },
+{ "pipe2", 359 },
+{ "inotify_init1", 360 },
+{ "preadv", 361 },
+{ "pwritev", 362 },
+{ "rt_tgsigqueueinfo", 363 },
+{ "perf_event_open", 364 },
+{ "recvmmsg", 365 },
+{ "accept4", 366 },
+{ "fanotify_init", 367 },
+{ "fanotify_mark", 368 },
+{ "prlimit64", 369 },
+{ "name_to_handle_at", 370 },
+{ "open_by_handle_at", 371 },
+{ "clock_adjtime", 372 },
+{ "syncfs", 373 },
+{ "sendmmsg", 374 },
+{ "setns", 375 },
+{ "process_vm_readv", 376 },
+{ "process_vm_writev", 377 },
+{ "kcmp", 378 },
+{ "finit_module", 379 },
+{ "sched_setattr", 380 },
+{ "sched_getattr", 381 },
+{ "renameat2", 382 },
+{ "seccomp", 383 },
+{ "getrandom", 384 },
+{ "memfd_create", 385 },
+{ "bpf", 386 },
+{ "execveat", 387 },
+{ "userfaultfd", 388 },
+{ "membarrier", 389 },
+{ "mlock2", 390 },
+{ "copy_file_range", 391 },
+{ "preadv2", 392 },
+{ "pwritev2", 393 },
+{ "pkey_mprotect", 394 },
+{ "pkey_alloc", 395 },
+{ "pkey_free", 396 },
+{ "statx", 397 },
+{ "rseq", 398 },
+{ "io_pgetevents", 399 },
+{ "migrate_pages", 400 },
+{ "kexec_file_load", 401 },
+{ "clock_gettime64", 403 },
+{ "clock_settime64", 404 },
+{ "clock_adjtime64", 405 },
+{ "clock_getres_time64", 406 },
+{ "clock_nanosleep_time64", 407 },
+{ "timer_gettime64", 408 },
+{ "timer_settime64", 409 },
+{ "timerfd_gettime64", 410 },
+{ "timerfd_settime64", 411 },
+{ "utimensat_time64", 412 },
+{ "pselect6_time64", 413 },
+{ "ppoll_time64", 414 },
+{ "io_pgetevents_time64", 416 },
+{ "recvmmsg_time64", 417 },
+{ "mq_timedsend_time64", 418 },
+{ "mq_timedreceive_time64", 419 },
+{ "semtimedop_time64", 420 },
+{ "rt_sigtimedwait_time64", 421 },
+{ "futex_time64", 422 },
+{ "sched_rr_get_interval_time64", 423 },
+{ "pidfd_send_signal", 424 },
+{ "io_uring_setup", 425 },
+{ "io_uring_enter", 426 },
+{ "io_uring_register", 427 },
+{ "open_tree", 428 },
+{ "move_mount", 429 },
+{ "fsopen", 430 },
+{ "fsconfig", 431 },
+{ "fsmount", 432 },
+{ "fspick", 433 },
+{ "pidfd_open", 434 },
+{ "clone3", 435 },
+{ "close_range", 436 },
+{ "openat2", 437 },
+{ "pidfd_getfd", 438 },
+{ "faccessat2", 439 },
+{ "process_madvise", 440 },
+{ "epoll_pwait2", 441 },
+{ "mount_setattr", 442 },
+{ "quotactl_fd", 443 },
+{ "landlock_create_ruleset", 444 },
+{ "landlock_add_rule", 445 },
+{ "landlock_restrict_self", 446 },
+{ "process_mrelease", 448 },
+{ "futex_waitv", 449 },
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall_i386.h
^
|
@@ -1,426 +1,429 @@
-{ "_llseek", 140 },
-{ "_newselect", 142 },
-{ "_sysctl", 149 },
-{ "accept4", 364 },
-{ "access", 33 },
-{ "acct", 51 },
-{ "add_key", 286 },
-{ "adjtimex", 124 },
-{ "afs_syscall", 137 },
-{ "alarm", 27 },
-{ "arch_prctl", 384 },
-{ "bdflush", 134 },
-{ "bind", 361 },
-{ "bpf", 357 },
-{ "break", 17 },
-{ "brk", 45 },
-{ "capget", 184 },
-{ "capset", 185 },
-{ "chdir", 12 },
-{ "chmod", 15 },
-{ "chown", 182 },
-{ "chown32", 212 },
-{ "chroot", 61 },
-{ "clock_adjtime", 343 },
-{ "clock_adjtime64", 405 },
-{ "clock_getres", 266 },
-{ "clock_getres_time64", 406 },
-{ "clock_gettime", 265 },
-{ "clock_gettime64", 403 },
-{ "clock_nanosleep", 267 },
-{ "clock_nanosleep_time64", 407 },
-{ "clock_settime", 264 },
-{ "clock_settime64", 404 },
-{ "clone", 120 },
-{ "clone3", 435 },
+{ "exit", 1 },
+{ "fork", 2 },
+{ "read", 3 },
+{ "write", 4 },
+{ "open", 5 },
{ "close", 6 },
-{ "connect", 362 },
-{ "copy_file_range", 377 },
+{ "waitpid", 7 },
{ "creat", 8 },
-{ "create_module", 127 },
-{ "delete_module", 129 },
+{ "link", 9 },
+{ "unlink", 10 },
+{ "execve", 11 },
+{ "chdir", 12 },
+{ "time", 13 },
+{ "mknod", 14 },
+{ "chmod", 15 },
+{ "lchown", 16 },
+{ "break", 17 },
+{ "oldstat", 18 },
+{ "lseek", 19 },
+{ "getpid", 20 },
+{ "mount", 21 },
+{ "umount", 22 },
+{ "setuid", 23 },
+{ "getuid", 24 },
+{ "stime", 25 },
+{ "ptrace", 26 },
+{ "alarm", 27 },
+{ "oldfstat", 28 },
+{ "pause", 29 },
+{ "utime", 30 },
+{ "stty", 31 },
+{ "gtty", 32 },
+{ "access", 33 },
+{ "nice", 34 },
+{ "ftime", 35 },
+{ "sync", 36 },
+{ "kill", 37 },
+{ "rename", 38 },
+{ "mkdir", 39 },
+{ "rmdir", 40 },
{ "dup", 41 },
+{ "pipe", 42 },
+{ "times", 43 },
+{ "prof", 44 },
+{ "brk", 45 },
+{ "setgid", 46 },
+{ "getgid", 47 },
+{ "signal", 48 },
+{ "geteuid", 49 },
+{ "getegid", 50 },
+{ "acct", 51 },
+{ "umount2", 52 },
+{ "lock", 53 },
+{ "ioctl", 54 },
+{ "fcntl", 55 },
+{ "mpx", 56 },
+{ "setpgid", 57 },
+{ "ulimit", 58 },
+{ "oldolduname", 59 },
+{ "umask", 60 },
+{ "chroot", 61 },
+{ "ustat", 62 },
{ "dup2", 63 },
-{ "dup3", 330 },
-{ "epoll_create", 254 },
-{ "epoll_create1", 329 },
-{ "epoll_ctl", 255 },
-{ "epoll_pwait", 319 },
-{ "epoll_wait", 256 },
-{ "eventfd", 323 },
-{ "eventfd2", 328 },
-{ "execve", 11 },
-{ "execveat", 358 },
-{ "exit", 1 },
-{ "exit_group", 252 },
-{ "faccessat", 307 },
-{ "faccessat2", 439 },
-{ "fadvise64", 250 },
-{ "fadvise64_64", 272 },
-{ "fallocate", 324 },
-{ "fanotify_init", 338 },
-{ "fanotify_mark", 339 },
-{ "fchdir", 133 },
+{ "getppid", 64 },
+{ "getpgrp", 65 },
+{ "setsid", 66 },
+{ "sigaction", 67 },
+{ "sgetmask", 68 },
+{ "ssetmask", 69 },
+{ "setreuid", 70 },
+{ "setregid", 71 },
+{ "sigsuspend", 72 },
+{ "sigpending", 73 },
+{ "sethostname", 74 },
+{ "setrlimit", 75 },
+{ "getrlimit", 76 },
+{ "getrusage", 77 },
+{ "gettimeofday", 78 },
+{ "settimeofday", 79 },
+{ "getgroups", 80 },
+{ "setgroups", 81 },
+{ "select", 82 },
+{ "symlink", 83 },
+{ "oldlstat", 84 },
+{ "readlink", 85 },
+{ "uselib", 86 },
+{ "swapon", 87 },
+{ "reboot", 88 },
+{ "readdir", 89 },
+{ "mmap", 90 },
+{ "munmap", 91 },
+{ "truncate", 92 },
+{ "ftruncate", 93 },
{ "fchmod", 94 },
-{ "fchmodat", 306 },
{ "fchown", 95 },
-{ "fchown32", 207 },
-{ "fchownat", 298 },
-{ "fcntl", 55 },
-{ "fcntl64", 221 },
-{ "fdatasync", 148 },
-{ "fgetxattr", 231 },
-{ "finit_module", 350 },
-{ "flistxattr", 234 },
-{ "flock", 143 },
-{ "fork", 2 },
-{ "fremovexattr", 237 },
-{ "fsconfig", 431 },
-{ "fsetxattr", 228 },
-{ "fsmount", 432 },
-{ "fsopen", 430 },
-{ "fspick", 433 },
-{ "fstat", 108 },
-{ "fstat64", 197 },
-{ "fstatat64", 300 },
+{ "getpriority", 96 },
+{ "setpriority", 97 },
+{ "profil", 98 },
+{ "statfs", 99 },
{ "fstatfs", 100 },
-{ "fstatfs64", 269 },
+{ "ioperm", 101 },
+{ "socketcall", 102 },
+{ "syslog", 103 },
+{ "setitimer", 104 },
+{ "getitimer", 105 },
+{ "stat", 106 },
+{ "lstat", 107 },
+{ "fstat", 108 },
+{ "olduname", 109 },
+{ "iopl", 110 },
+{ "vhangup", 111 },
+{ "idle", 112 },
+{ "vm86old", 113 },
+{ "wait4", 114 },
+{ "swapoff", 115 },
+{ "sysinfo", 116 },
+{ "ipc", 117 },
{ "fsync", 118 },
-{ "ftime", 35 },
-{ "ftruncate", 93 },
-{ "ftruncate64", 194 },
-{ "futex", 240 },
-{ "futex_time64", 422 },
-{ "futimesat", 299 },
+{ "sigreturn", 119 },
+{ "clone", 120 },
+{ "setdomainname", 121 },
+{ "uname", 122 },
+{ "modify_ldt", 123 },
+{ "adjtimex", 124 },
+{ "mprotect", 125 },
+{ "sigprocmask", 126 },
+{ "create_module", 127 },
+{ "init_module", 128 },
+{ "delete_module", 129 },
{ "get_kernel_syms", 130 },
-{ "get_mempolicy", 275 },
-{ "get_robust_list", 312 },
-{ "get_thread_area", 244 },
-{ "getcpu", 318 },
-{ "getcwd", 183 },
+{ "quotactl", 131 },
+{ "getpgid", 132 },
+{ "fchdir", 133 },
+{ "bdflush", 134 },
+{ "sysfs", 135 },
+{ "personality", 136 },
+{ "afs_syscall", 137 },
+{ "setfsuid", 138 },
+{ "setfsgid", 139 },
+{ "_llseek", 140 },
{ "getdents", 141 },
-{ "getdents64", 220 },
-{ "getegid", 50 },
-{ "getegid32", 202 },
-{ "geteuid", 49 },
-{ "geteuid32", 201 },
-{ "getgid", 47 },
+{ "_newselect", 142 },
+{ "flock", 143 },
+{ "msync", 144 },
+{ "readv", 145 },
+{ "writev", 146 },
+{ "getsid", 147 },
+{ "fdatasync", 148 },
+{ "_sysctl", 149 },
+{ "mlock", 150 },
+{ "munlock", 151 },
+{ "mlockall", 152 },
+{ "munlockall", 153 },
+{ "sched_setparam", 154 },
+{ "sched_getparam", 155 },
+{ "sched_setscheduler", 156 },
+{ "sched_getscheduler", 157 },
+{ "sched_yield", 158 },
+{ "sched_get_priority_max", 159 },
+{ "sched_get_priority_min", 160 },
+{ "sched_rr_get_interval", 161 },
+{ "nanosleep", 162 },
+{ "mremap", 163 },
+{ "setresuid", 164 },
+{ "getresuid", 165 },
+{ "vm86", 166 },
+{ "query_module", 167 },
+{ "poll", 168 },
+{ "nfsservctl", 169 },
+{ "setresgid", 170 },
+{ "getresgid", 171 },
+{ "prctl", 172 },
+{ "rt_sigreturn", 173 },
+{ "rt_sigaction", 174 },
+{ "rt_sigprocmask", 175 },
+{ "rt_sigpending", 176 },
+{ "rt_sigtimedwait", 177 },
+{ "rt_sigqueueinfo", 178 },
+{ "rt_sigsuspend", 179 },
+{ "pread64", 180 },
+{ "pwrite64", 181 },
+{ "chown", 182 },
+{ "getcwd", 183 },
+{ "capget", 184 },
+{ "capset", 185 },
+{ "sigaltstack", 186 },
+{ "sendfile", 187 },
+{ "getpmsg", 188 },
+{ "putpmsg", 189 },
+{ "vfork", 190 },
+{ "ugetrlimit", 191 },
+{ "mmap2", 192 },
+{ "truncate64", 193 },
+{ "ftruncate64", 194 },
+{ "stat64", 195 },
+{ "lstat64", 196 },
+{ "fstat64", 197 },
+{ "lchown32", 198 },
+{ "getuid32", 199 },
{ "getgid32", 200 },
-{ "getgroups", 80 },
+{ "geteuid32", 201 },
+{ "getegid32", 202 },
+{ "setreuid32", 203 },
+{ "setregid32", 204 },
{ "getgroups32", 205 },
-{ "getitimer", 105 },
-{ "getpeername", 368 },
-{ "getpgid", 132 },
-{ "getpgrp", 65 },
-{ "getpid", 20 },
-{ "getpmsg", 188 },
-{ "getppid", 64 },
-{ "getpriority", 96 },
-{ "getrandom", 355 },
-{ "getresgid", 171 },
-{ "getresgid32", 211 },
-{ "getresuid", 165 },
+{ "setgroups32", 206 },
+{ "fchown32", 207 },
+{ "setresuid32", 208 },
{ "getresuid32", 209 },
-{ "getrlimit", 76 },
-{ "getrusage", 77 },
-{ "getsid", 147 },
-{ "getsockname", 367 },
-{ "getsockopt", 365 },
+{ "setresgid32", 210 },
+{ "getresgid32", 211 },
+{ "chown32", 212 },
+{ "setuid32", 213 },
+{ "setgid32", 214 },
+{ "setfsuid32", 215 },
+{ "setfsgid32", 216 },
+{ "pivot_root", 217 },
+{ "mincore", 218 },
+{ "madvise", 219 },
+{ "getdents64", 220 },
+{ "fcntl64", 221 },
{ "gettid", 224 },
-{ "gettimeofday", 78 },
-{ "getuid", 24 },
-{ "getuid32", 199 },
+{ "readahead", 225 },
+{ "setxattr", 226 },
+{ "lsetxattr", 227 },
+{ "fsetxattr", 228 },
{ "getxattr", 229 },
-{ "gtty", 32 },
-{ "idle", 112 },
-{ "init_module", 128 },
-{ "inotify_add_watch", 292 },
-{ "inotify_init", 291 },
-{ "inotify_init1", 332 },
-{ "inotify_rm_watch", 293 },
-{ "io_cancel", 249 },
-{ "io_destroy", 246 },
-{ "io_getevents", 247 },
-{ "io_pgetevents", 385 },
-{ "io_pgetevents_time64", 416 },
-{ "io_setup", 245 },
-{ "io_submit", 248 },
-{ "io_uring_enter", 426 },
-{ "io_uring_register", 427 },
-{ "io_uring_setup", 425 },
-{ "ioctl", 54 },
-{ "ioperm", 101 },
-{ "iopl", 110 },
-{ "ioprio_get", 290 },
-{ "ioprio_set", 289 },
-{ "ipc", 117 },
-{ "kcmp", 349 },
-{ "kexec_load", 283 },
-{ "keyctl", 288 },
-{ "kill", 37 },
-{ "lchown", 16 },
-{ "lchown32", 198 },
{ "lgetxattr", 230 },
-{ "link", 9 },
-{ "linkat", 303 },
-{ "listen", 363 },
+{ "fgetxattr", 231 },
{ "listxattr", 232 },
{ "llistxattr", 233 },
-{ "lock", 53 },
-{ "lookup_dcookie", 253 },
+{ "flistxattr", 234 },
+{ "removexattr", 235 },
{ "lremovexattr", 236 },
-{ "lseek", 19 },
-{ "lsetxattr", 227 },
-{ "lstat", 107 },
-{ "lstat64", 196 },
-{ "madvise", 219 },
+{ "fremovexattr", 237 },
+{ "tkill", 238 },
+{ "sendfile64", 239 },
+{ "futex", 240 },
+{ "sched_setaffinity", 241 },
+{ "sched_getaffinity", 242 },
+{ "set_thread_area", 243 },
+{ "get_thread_area", 244 },
+{ "io_setup", 245 },
+{ "io_destroy", 246 },
+{ "io_getevents", 247 },
+{ "io_submit", 248 },
+{ "io_cancel", 249 },
+{ "fadvise64", 250 },
+{ "exit_group", 252 },
+{ "lookup_dcookie", 253 },
+{ "epoll_create", 254 },
+{ "epoll_ctl", 255 },
+{ "epoll_wait", 256 },
+{ "remap_file_pages", 257 },
+{ "set_tid_address", 258 },
+{ "timer_create", 259 },
+{ "timer_settime", 260 },
+{ "timer_gettime", 261 },
+{ "timer_getoverrun", 262 },
+{ "timer_delete", 263 },
+{ "clock_settime", 264 },
+{ "clock_gettime", 265 },
+{ "clock_getres", 266 },
+{ "clock_nanosleep", 267 },
+{ "statfs64", 268 },
+{ "fstatfs64", 269 },
+{ "tgkill", 270 },
+{ "utimes", 271 },
+{ "fadvise64_64", 272 },
+{ "vserver", 273 },
{ "mbind", 274 },
-{ "membarrier", 375 },
-{ "memfd_create", 356 },
+{ "get_mempolicy", 275 },
+{ "set_mempolicy", 276 },
+{ "mq_open", 277 },
+{ "mq_unlink", 278 },
+{ "mq_timedsend", 279 },
+{ "mq_timedreceive", 280 },
+{ "mq_notify", 281 },
+{ "mq_getsetattr", 282 },
+{ "kexec_load", 283 },
+{ "waitid", 284 },
+{ "add_key", 286 },
+{ "request_key", 287 },
+{ "keyctl", 288 },
+{ "ioprio_set", 289 },
+{ "ioprio_get", 290 },
+{ "inotify_init", 291 },
+{ "inotify_add_watch", 292 },
+{ "inotify_rm_watch", 293 },
{ "migrate_pages", 294 },
-{ "mincore", 218 },
-{ "mkdir", 39 },
+{ "openat", 295 },
{ "mkdirat", 296 },
-{ "mknod", 14 },
{ "mknodat", 297 },
-{ "mlock", 150 },
-{ "mlock2", 376 },
-{ "mlockall", 152 },
-{ "mmap", 90 },
-{ "mmap2", 192 },
-{ "modify_ldt", 123 },
-{ "mount", 21 },
-{ "move_mount", 429 },
+{ "fchownat", 298 },
+{ "futimesat", 299 },
+{ "fstatat64", 300 },
+{ "unlinkat", 301 },
+{ "renameat", 302 },
+{ "linkat", 303 },
+{ "symlinkat", 304 },
+{ "readlinkat", 305 },
+{ "fchmodat", 306 },
+{ "faccessat", 307 },
+{ "pselect6", 308 },
+{ "ppoll", 309 },
+{ "unshare", 310 },
+{ "set_robust_list", 311 },
+{ "get_robust_list", 312 },
+{ "splice", 313 },
+{ "sync_file_range", 314 },
+{ "tee", 315 },
+{ "vmsplice", 316 },
{ "move_pages", 317 },
-{ "mprotect", 125 },
-{ "mpx", 56 },
-{ "mq_getsetattr", 282 },
-{ "mq_notify", 281 },
-{ "mq_open", 277 },
-{ "mq_timedreceive", 280 },
-{ "mq_timedreceive_time64", 419 },
-{ "mq_timedsend", 279 },
-{ "mq_timedsend_time64", 418 },
-{ "mq_unlink", 278 },
-{ "mremap", 163 },
-{ "msgctl", 402 },
-{ "msgget", 399 },
-{ "msgrcv", 401 },
-{ "msgsnd", 400 },
-{ "msync", 144 },
-{ "munlock", 151 },
-{ "munlockall", 153 },
-{ "munmap", 91 },
-{ "name_to_handle_at", 341 },
-{ "nanosleep", 162 },
-{ "nfsservctl", 169 },
-{ "nice", 34 },
-{ "oldfstat", 28 },
-{ "oldlstat", 84 },
-{ "oldolduname", 59 },
-{ "oldstat", 18 },
-{ "olduname", 109 },
-{ "open", 5 },
-{ "open_by_handle_at", 342 },
-{ "open_tree", 428 },
-{ "openat", 295 },
-{ "pause", 29 },
-{ "perf_event_open", 336 },
-{ "personality", 136 },
-{ "pidfd_open", 434 },
-{ "pidfd_send_signal", 424 },
-{ "pipe", 42 },
+{ "getcpu", 318 },
+{ "epoll_pwait", 319 },
+{ "utimensat", 320 },
+{ "signalfd", 321 },
+{ "timerfd_create", 322 },
+{ "eventfd", 323 },
+{ "fallocate", 324 },
+{ "timerfd_settime", 325 },
+{ "timerfd_gettime", 326 },
+{ "signalfd4", 327 },
+{ "eventfd2", 328 },
+{ "epoll_create1", 329 },
+{ "dup3", 330 },
{ "pipe2", 331 },
-{ "pivot_root", 217 },
-{ "pkey_alloc", 381 },
-{ "pkey_free", 382 },
-{ "pkey_mprotect", 380 },
-{ "poll", 168 },
-{ "ppoll", 309 },
-{ "ppoll_time64", 414 },
-{ "prctl", 172 },
-{ "pread64", 180 },
+{ "inotify_init1", 332 },
{ "preadv", 333 },
-{ "preadv2", 378 },
+{ "pwritev", 334 },
+{ "rt_tgsigqueueinfo", 335 },
+{ "perf_event_open", 336 },
+{ "recvmmsg", 337 },
+{ "fanotify_init", 338 },
+{ "fanotify_mark", 339 },
{ "prlimit64", 340 },
+{ "name_to_handle_at", 341 },
+{ "open_by_handle_at", 342 },
+{ "clock_adjtime", 343 },
+{ "syncfs", 344 },
+{ "sendmmsg", 345 },
+{ "setns", 346 },
{ "process_vm_readv", 347 },
{ "process_vm_writev", 348 },
-{ "prof", 44 },
-{ "profil", 98 },
-{ "pselect6", 308 },
-{ "pselect6_time64", 413 },
-{ "ptrace", 26 },
-{ "putpmsg", 189 },
-{ "pwrite64", 181 },
-{ "pwritev", 334 },
-{ "pwritev2", 379 },
-{ "query_module", 167 },
-{ "quotactl", 131 },
-{ "read", 3 },
-{ "readahead", 225 },
-{ "readdir", 89 },
-{ "readlink", 85 },
-{ "readlinkat", 305 },
-{ "readv", 145 },
-{ "reboot", 88 },
+{ "kcmp", 349 },
+{ "finit_module", 350 },
+{ "sched_setattr", 351 },
+{ "sched_getattr", 352 },
+{ "renameat2", 353 },
+{ "seccomp", 354 },
+{ "getrandom", 355 },
+{ "memfd_create", 356 },
+{ "bpf", 357 },
+{ "execveat", 358 },
+{ "socket", 359 },
+{ "socketpair", 360 },
+{ "bind", 361 },
+{ "connect", 362 },
+{ "listen", 363 },
+{ "accept4", 364 },
+{ "getsockopt", 365 },
+{ "setsockopt", 366 },
+{ "getsockname", 367 },
+{ "getpeername", 368 },
+{ "sendto", 369 },
+{ "sendmsg", 370 },
{ "recvfrom", 371 },
-{ "recvmmsg", 337 },
-{ "recvmmsg_time64", 417 },
{ "recvmsg", 372 },
-{ "remap_file_pages", 257 },
-{ "removexattr", 235 },
-{ "rename", 38 },
-{ "renameat", 302 },
-{ "renameat2", 353 },
-{ "request_key", 287 },
-{ "restart_syscall", 0 },
-{ "rmdir", 40 },
+{ "shutdown", 373 },
+{ "userfaultfd", 374 },
+{ "membarrier", 375 },
+{ "mlock2", 376 },
+{ "copy_file_range", 377 },
+{ "preadv2", 378 },
+{ "pwritev2", 379 },
+{ "pkey_mprotect", 380 },
+{ "pkey_alloc", 381 },
+{ "pkey_free", 382 },
+{ "statx", 383 },
+{ "arch_prctl", 384 },
+{ "io_pgetevents", 385 },
{ "rseq", 386 },
-{ "rt_sigaction", 174 },
-{ "rt_sigpending", 176 },
-{ "rt_sigprocmask", 175 },
-{ "rt_sigqueueinfo", 178 },
-{ "rt_sigreturn", 173 },
-{ "rt_sigsuspend", 179 },
-{ "rt_sigtimedwait", 177 },
-{ "rt_sigtimedwait_time64", 421 },
-{ "rt_tgsigqueueinfo", 335 },
-{ "sched_get_priority_max", 159 },
-{ "sched_get_priority_min", 160 },
-{ "sched_getaffinity", 242 },
-{ "sched_getattr", 352 },
-{ "sched_getparam", 155 },
-{ "sched_getscheduler", 157 },
-{ "sched_rr_get_interval", 161 },
-{ "sched_rr_get_interval_time64", 423 },
-{ "sched_setaffinity", 241 },
-{ "sched_setattr", 351 },
-{ "sched_setparam", 154 },
-{ "sched_setscheduler", 156 },
-{ "sched_yield", 158 },
-{ "seccomp", 354 },
-{ "select", 82 },
-{ "semctl", 394 },
{ "semget", 393 },
-{ "semtimedop_time64", 420 },
-{ "sendfile", 187 },
-{ "sendfile64", 239 },
-{ "sendmmsg", 345 },
-{ "sendmsg", 370 },
-{ "sendto", 369 },
-{ "set_mempolicy", 276 },
-{ "set_robust_list", 311 },
-{ "set_thread_area", 243 },
-{ "set_tid_address", 258 },
-{ "setdomainname", 121 },
-{ "setfsgid", 139 },
-{ "setfsgid32", 216 },
-{ "setfsuid", 138 },
-{ "setfsuid32", 215 },
-{ "setgid", 46 },
-{ "setgid32", 214 },
-{ "setgroups", 81 },
-{ "setgroups32", 206 },
-{ "sethostname", 74 },
-{ "setitimer", 104 },
-{ "setns", 346 },
-{ "setpgid", 57 },
-{ "setpriority", 97 },
-{ "setregid", 71 },
-{ "setregid32", 204 },
-{ "setresgid", 170 },
-{ "setresgid32", 210 },
-{ "setresuid", 164 },
-{ "setresuid32", 208 },
-{ "setreuid", 70 },
-{ "setreuid32", 203 },
-{ "setrlimit", 75 },
-{ "setsid", 66 },
-{ "setsockopt", 366 },
-{ "settimeofday", 79 },
-{ "setuid", 23 },
-{ "setuid32", 213 },
-{ "setxattr", 226 },
-{ "sgetmask", 68 },
-{ "shmat", 397 },
+{ "semctl", 394 },
+{ "shmget", 395 },
{ "shmctl", 396 },
+{ "shmat", 397 },
{ "shmdt", 398 },
-{ "shmget", 395 },
-{ "shutdown", 373 },
-{ "sigaction", 67 },
-{ "sigaltstack", 186 },
-{ "signal", 48 },
-{ "signalfd", 321 },
-{ "signalfd4", 327 },
-{ "sigpending", 73 },
-{ "sigprocmask", 126 },
-{ "sigreturn", 119 },
-{ "sigsuspend", 72 },
-{ "socket", 359 },
-{ "socketcall", 102 },
-{ "socketpair", 360 },
-{ "splice", 313 },
-{ "ssetmask", 69 },
-{ "stat", 106 },
-{ "stat64", 195 },
-{ "statfs", 99 },
-{ "statfs64", 268 },
-{ "statx", 383 },
-{ "stime", 25 },
-{ "stty", 31 },
-{ "swapoff", 115 },
-{ "swapon", 87 },
-{ "symlink", 83 },
-{ "symlinkat", 304 },
-{ "sync", 36 },
-{ "sync_file_range", 314 },
-{ "syncfs", 344 },
-{ "sysfs", 135 },
-{ "sysinfo", 116 },
-{ "syslog", 103 },
-{ "tee", 315 },
-{ "tgkill", 270 },
-{ "time", 13 },
-{ "timer_create", 259 },
-{ "timer_delete", 263 },
-{ "timer_getoverrun", 262 },
-{ "timer_gettime", 261 },
+{ "msgget", 399 },
+{ "msgsnd", 400 },
+{ "msgrcv", 401 },
+{ "msgctl", 402 },
+{ "clock_gettime64", 403 },
+{ "clock_settime64", 404 },
+{ "clock_adjtime64", 405 },
+{ "clock_getres_time64", 406 },
+{ "clock_nanosleep_time64", 407 },
{ "timer_gettime64", 408 },
-{ "timer_settime", 260 },
{ "timer_settime64", 409 },
-{ "timerfd_create", 322 },
-{ "timerfd_gettime", 326 },
{ "timerfd_gettime64", 410 },
-{ "timerfd_settime", 325 },
{ "timerfd_settime64", 411 },
-{ "times", 43 },
-{ "tkill", 238 },
-{ "truncate", 92 },
-{ "truncate64", 193 },
-{ "ugetrlimit", 191 },
-{ "ulimit", 58 },
-{ "umask", 60 },
-{ "umount", 22 },
-{ "umount2", 52 },
-{ "uname", 122 },
-{ "unlink", 10 },
-{ "unlinkat", 301 },
-{ "unshare", 310 },
-{ "uselib", 86 },
-{ "userfaultfd", 374 },
-{ "ustat", 62 },
-{ "utime", 30 },
-{ "utimensat", 320 },
{ "utimensat_time64", 412 },
-{ "utimes", 271 },
-{ "vfork", 190 },
-{ "vhangup", 111 },
-{ "vm86", 166 },
-{ "vm86old", 113 },
-{ "vmsplice", 316 },
-{ "vserver", 273 },
-{ "wait4", 114 },
-{ "waitid", 284 },
-{ "waitpid", 7 },
-{ "write", 4 },
-{ "writev", 146 },
+{ "pselect6_time64", 413 },
+{ "ppoll_time64", 414 },
+{ "io_pgetevents_time64", 416 },
+{ "recvmmsg_time64", 417 },
+{ "mq_timedsend_time64", 418 },
+{ "mq_timedreceive_time64", 419 },
+{ "semtimedop_time64", 420 },
+{ "rt_sigtimedwait_time64", 421 },
+{ "futex_time64", 422 },
+{ "sched_rr_get_interval_time64", 423 },
+{ "pidfd_send_signal", 424 },
+{ "io_uring_setup", 425 },
+{ "io_uring_enter", 426 },
+{ "io_uring_register", 427 },
+{ "open_tree", 428 },
+{ "move_mount", 429 },
+{ "fsopen", 430 },
+{ "fsconfig", 431 },
+{ "fsmount", 432 },
+{ "fspick", 433 },
+{ "pidfd_open", 434 },
+{ "clone3", 435 },
+{ "close_range", 436 },
+{ "openat2", 437 },
+{ "pidfd_getfd", 438 },
+{ "faccessat2", 439 },
+{ "process_madvise", 440 },
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall_x86_64.h
^
|
@@ -1,348 +1,352 @@
-{ "_sysctl", 156 },
-{ "accept", 43 },
-{ "accept4", 288 },
+{ "read", 0 },
+{ "write", 1 },
+{ "open", 2 },
+{ "close", 3 },
+{ "stat", 4 },
+{ "fstat", 5 },
+{ "lstat", 6 },
+{ "poll", 7 },
+{ "lseek", 8 },
+{ "mmap", 9 },
+{ "mprotect", 10 },
+{ "munmap", 11 },
+{ "brk", 12 },
+{ "rt_sigaction", 13 },
+{ "rt_sigprocmask", 14 },
+{ "rt_sigreturn", 15 },
+{ "ioctl", 16 },
+{ "pread64", 17 },
+{ "pwrite64", 18 },
+{ "readv", 19 },
+{ "writev", 20 },
{ "access", 21 },
-{ "acct", 163 },
-{ "add_key", 248 },
-{ "adjtimex", 159 },
-{ "afs_syscall", 183 },
+{ "pipe", 22 },
+{ "select", 23 },
+{ "sched_yield", 24 },
+{ "mremap", 25 },
+{ "msync", 26 },
+{ "mincore", 27 },
+{ "madvise", 28 },
+{ "shmget", 29 },
+{ "shmat", 30 },
+{ "shmctl", 31 },
+{ "dup", 32 },
+{ "dup2", 33 },
+{ "pause", 34 },
+{ "nanosleep", 35 },
+{ "getitimer", 36 },
{ "alarm", 37 },
-{ "arch_prctl", 158 },
+{ "setitimer", 38 },
+{ "getpid", 39 },
+{ "sendfile", 40 },
+{ "socket", 41 },
+{ "connect", 42 },
+{ "accept", 43 },
+{ "sendto", 44 },
+{ "recvfrom", 45 },
+{ "sendmsg", 46 },
+{ "recvmsg", 47 },
+{ "shutdown", 48 },
{ "bind", 49 },
-{ "bpf", 321 },
-{ "brk", 12 },
-{ "capget", 125 },
-{ "capset", 126 },
-{ "chdir", 80 },
-{ "chmod", 90 },
-{ "chown", 92 },
-{ "chroot", 161 },
-{ "clock_adjtime", 305 },
-{ "clock_getres", 229 },
-{ "clock_gettime", 228 },
-{ "clock_nanosleep", 230 },
-{ "clock_settime", 227 },
+{ "listen", 50 },
+{ "getsockname", 51 },
+{ "getpeername", 52 },
+{ "socketpair", 53 },
+{ "setsockopt", 54 },
+{ "getsockopt", 55 },
{ "clone", 56 },
-{ "clone3", 435 },
-{ "close", 3 },
-{ "connect", 42 },
-{ "copy_file_range", 326 },
-{ "creat", 85 },
-{ "create_module", 174 },
-{ "delete_module", 176 },
-{ "dup", 32 },
-{ "dup2", 33 },
-{ "dup3", 292 },
-{ "epoll_create", 213 },
-{ "epoll_create1", 291 },
-{ "epoll_ctl", 233 },
-{ "epoll_ctl_old", 214 },
-{ "epoll_pwait", 281 },
-{ "epoll_wait", 232 },
-{ "epoll_wait_old", 215 },
-{ "eventfd", 284 },
-{ "eventfd2", 290 },
+{ "fork", 57 },
+{ "vfork", 58 },
{ "execve", 59 },
-{ "execveat", 322 },
{ "exit", 60 },
-{ "exit_group", 231 },
-{ "faccessat", 269 },
-{ "faccessat2", 439 },
-{ "fadvise64", 221 },
-{ "fallocate", 285 },
-{ "fanotify_init", 300 },
-{ "fanotify_mark", 301 },
-{ "fchdir", 81 },
-{ "fchmod", 91 },
-{ "fchmodat", 268 },
-{ "fchown", 93 },
-{ "fchownat", 260 },
+{ "wait4", 61 },
+{ "kill", 62 },
+{ "uname", 63 },
+{ "semget", 64 },
+{ "semop", 65 },
+{ "semctl", 66 },
+{ "shmdt", 67 },
+{ "msgget", 68 },
+{ "msgsnd", 69 },
+{ "msgrcv", 70 },
+{ "msgctl", 71 },
{ "fcntl", 72 },
-{ "fdatasync", 75 },
-{ "fgetxattr", 193 },
-{ "finit_module", 313 },
-{ "flistxattr", 196 },
{ "flock", 73 },
-{ "fork", 57 },
-{ "fremovexattr", 199 },
-{ "fsconfig", 431 },
-{ "fsetxattr", 190 },
-{ "fsmount", 432 },
-{ "fsopen", 430 },
-{ "fspick", 433 },
-{ "fstat", 5 },
-{ "fstatfs", 138 },
{ "fsync", 74 },
+{ "fdatasync", 75 },
+{ "truncate", 76 },
{ "ftruncate", 77 },
-{ "futex", 202 },
-{ "futimesat", 261 },
-{ "get_kernel_syms", 177 },
-{ "get_mempolicy", 239 },
-{ "get_robust_list", 274 },
-{ "get_thread_area", 211 },
-{ "getcpu", 309 },
-{ "getcwd", 79 },
{ "getdents", 78 },
-{ "getdents64", 217 },
-{ "getegid", 108 },
-{ "geteuid", 107 },
+{ "getcwd", 79 },
+{ "chdir", 80 },
+{ "fchdir", 81 },
+{ "rename", 82 },
+{ "mkdir", 83 },
+{ "rmdir", 84 },
+{ "creat", 85 },
+{ "link", 86 },
+{ "unlink", 87 },
+{ "symlink", 88 },
+{ "readlink", 89 },
+{ "chmod", 90 },
+{ "fchmod", 91 },
+{ "chown", 92 },
+{ "fchown", 93 },
+{ "lchown", 94 },
+{ "umask", 95 },
+{ "gettimeofday", 96 },
+{ "getrlimit", 97 },
+{ "getrusage", 98 },
+{ "sysinfo", 99 },
+{ "times", 100 },
+{ "ptrace", 101 },
+{ "getuid", 102 },
+{ "syslog", 103 },
{ "getgid", 104 },
-{ "getgroups", 115 },
-{ "getitimer", 36 },
-{ "getpeername", 52 },
-{ "getpgid", 121 },
-{ "getpgrp", 111 },
-{ "getpid", 39 },
-{ "getpmsg", 181 },
+{ "setuid", 105 },
+{ "setgid", 106 },
+{ "geteuid", 107 },
+{ "getegid", 108 },
+{ "setpgid", 109 },
{ "getppid", 110 },
-{ "getpriority", 140 },
-{ "getrandom", 318 },
-{ "getresgid", 120 },
+{ "getpgrp", 111 },
+{ "setsid", 112 },
+{ "setreuid", 113 },
+{ "setregid", 114 },
+{ "getgroups", 115 },
+{ "setgroups", 116 },
+{ "setresuid", 117 },
{ "getresuid", 118 },
-{ "getrlimit", 97 },
-{ "getrusage", 98 },
+{ "setresgid", 119 },
+{ "getresgid", 120 },
+{ "getpgid", 121 },
+{ "setfsuid", 122 },
+{ "setfsgid", 123 },
{ "getsid", 124 },
-{ "getsockname", 51 },
-{ "getsockopt", 55 },
-{ "gettid", 186 },
-{ "gettimeofday", 96 },
-{ "getuid", 102 },
-{ "getxattr", 191 },
-{ "init_module", 175 },
-{ "inotify_add_watch", 254 },
-{ "inotify_init", 253 },
-{ "inotify_init1", 294 },
-{ "inotify_rm_watch", 255 },
-{ "io_cancel", 210 },
-{ "io_destroy", 207 },
-{ "io_getevents", 208 },
-{ "io_pgetevents", 333 },
-{ "io_setup", 206 },
-{ "io_submit", 209 },
-{ "io_uring_enter", 426 },
-{ "io_uring_register", 427 },
-{ "io_uring_setup", 425 },
-{ "ioctl", 16 },
-{ "ioperm", 173 },
-{ "iopl", 172 },
-{ "ioprio_get", 252 },
-{ "ioprio_set", 251 },
-{ "kcmp", 312 },
-{ "kexec_file_load", 320 },
-{ "kexec_load", 246 },
-{ "keyctl", 250 },
-{ "kill", 62 },
-{ "lchown", 94 },
-{ "lgetxattr", 192 },
-{ "link", 86 },
-{ "linkat", 265 },
-{ "listen", 50 },
-{ "listxattr", 194 },
-{ "llistxattr", 195 },
-{ "lookup_dcookie", 212 },
-{ "lremovexattr", 198 },
-{ "lseek", 8 },
-{ "lsetxattr", 189 },
-{ "lstat", 6 },
-{ "madvise", 28 },
-{ "mbind", 237 },
-{ "membarrier", 324 },
-{ "memfd_create", 319 },
-{ "migrate_pages", 256 },
-{ "mincore", 27 },
-{ "mkdir", 83 },
-{ "mkdirat", 258 },
+{ "capget", 125 },
+{ "capset", 126 },
+{ "rt_sigpending", 127 },
+{ "rt_sigtimedwait", 128 },
+{ "rt_sigqueueinfo", 129 },
+{ "rt_sigsuspend", 130 },
+{ "sigaltstack", 131 },
+{ "utime", 132 },
{ "mknod", 133 },
-{ "mknodat", 259 },
+{ "uselib", 134 },
+{ "personality", 135 },
+{ "ustat", 136 },
+{ "statfs", 137 },
+{ "fstatfs", 138 },
+{ "sysfs", 139 },
+{ "getpriority", 140 },
+{ "setpriority", 141 },
+{ "sched_setparam", 142 },
+{ "sched_getparam", 143 },
+{ "sched_setscheduler", 144 },
+{ "sched_getscheduler", 145 },
+{ "sched_get_priority_max", 146 },
+{ "sched_get_priority_min", 147 },
+{ "sched_rr_get_interval", 148 },
{ "mlock", 149 },
-{ "mlock2", 325 },
-{ "mlockall", 151 },
-{ "mmap", 9 },
-{ "modify_ldt", 154 },
-{ "mount", 165 },
-{ "move_mount", 429 },
-{ "move_pages", 279 },
-{ "mprotect", 10 },
-{ "mq_getsetattr", 245 },
-{ "mq_notify", 244 },
-{ "mq_open", 240 },
-{ "mq_timedreceive", 243 },
-{ "mq_timedsend", 242 },
-{ "mq_unlink", 241 },
-{ "mremap", 25 },
-{ "msgctl", 71 },
-{ "msgget", 68 },
-{ "msgrcv", 70 },
-{ "msgsnd", 69 },
-{ "msync", 26 },
{ "munlock", 150 },
+{ "mlockall", 151 },
{ "munlockall", 152 },
-{ "munmap", 11 },
-{ "name_to_handle_at", 303 },
-{ "nanosleep", 35 },
-{ "newfstatat", 262 },
-{ "nfsservctl", 180 },
-{ "open", 2 },
-{ "open_by_handle_at", 304 },
-{ "open_tree", 428 },
-{ "openat", 257 },
-{ "pause", 34 },
-{ "perf_event_open", 298 },
-{ "personality", 135 },
-{ "pidfd_open", 434 },
-{ "pidfd_send_signal", 424 },
-{ "pipe", 22 },
-{ "pipe2", 293 },
+{ "vhangup", 153 },
+{ "modify_ldt", 154 },
{ "pivot_root", 155 },
-{ "pkey_alloc", 330 },
-{ "pkey_free", 331 },
-{ "pkey_mprotect", 329 },
-{ "poll", 7 },
-{ "ppoll", 271 },
+{ "_sysctl", 156 },
{ "prctl", 157 },
-{ "pread64", 17 },
-{ "preadv", 295 },
-{ "preadv2", 327 },
-{ "prlimit64", 302 },
-{ "process_vm_readv", 310 },
-{ "process_vm_writev", 311 },
-{ "pselect6", 270 },
-{ "ptrace", 101 },
-{ "putpmsg", 182 },
-{ "pwrite64", 18 },
-{ "pwritev", 296 },
-{ "pwritev2", 328 },
+{ "arch_prctl", 158 },
+{ "adjtimex", 159 },
+{ "setrlimit", 160 },
+{ "chroot", 161 },
+{ "sync", 162 },
+{ "acct", 163 },
+{ "settimeofday", 164 },
+{ "mount", 165 },
+{ "umount2", 166 },
+{ "swapon", 167 },
+{ "swapoff", 168 },
+{ "reboot", 169 },
+{ "sethostname", 170 },
+{ "setdomainname", 171 },
+{ "iopl", 172 },
+{ "ioperm", 173 },
+{ "create_module", 174 },
+{ "init_module", 175 },
+{ "delete_module", 176 },
+{ "get_kernel_syms", 177 },
{ "query_module", 178 },
{ "quotactl", 179 },
-{ "read", 0 },
+{ "nfsservctl", 180 },
+{ "getpmsg", 181 },
+{ "putpmsg", 182 },
+{ "afs_syscall", 183 },
+{ "tuxcall", 184 },
+{ "security", 185 },
+{ "gettid", 186 },
{ "readahead", 187 },
-{ "readlink", 89 },
-{ "readlinkat", 267 },
-{ "readv", 19 },
-{ "reboot", 169 },
-{ "recvfrom", 45 },
-{ "recvmmsg", 299 },
-{ "recvmsg", 47 },
-{ "remap_file_pages", 216 },
+{ "setxattr", 188 },
+{ "lsetxattr", 189 },
+{ "fsetxattr", 190 },
+{ "getxattr", 191 },
+{ "lgetxattr", 192 },
+{ "fgetxattr", 193 },
+{ "listxattr", 194 },
+{ "llistxattr", 195 },
+{ "flistxattr", 196 },
{ "removexattr", 197 },
-{ "rename", 82 },
-{ "renameat", 264 },
-{ "renameat2", 316 },
-{ "request_key", 249 },
-{ "restart_syscall", 219 },
-{ "rmdir", 84 },
-{ "rseq", 334 },
-{ "rt_sigaction", 13 },
-{ "rt_sigpending", 127 },
-{ "rt_sigprocmask", 14 },
-{ "rt_sigqueueinfo", 129 },
-{ "rt_sigreturn", 15 },
-{ "rt_sigsuspend", 130 },
-{ "rt_sigtimedwait", 128 },
-{ "rt_tgsigqueueinfo", 297 },
-{ "sched_get_priority_max", 146 },
-{ "sched_get_priority_min", 147 },
-{ "sched_getaffinity", 204 },
-{ "sched_getattr", 315 },
-{ "sched_getparam", 143 },
-{ "sched_getscheduler", 145 },
-{ "sched_rr_get_interval", 148 },
+{ "lremovexattr", 198 },
+{ "fremovexattr", 199 },
+{ "tkill", 200 },
+{ "time", 201 },
+{ "futex", 202 },
{ "sched_setaffinity", 203 },
-{ "sched_setattr", 314 },
-{ "sched_setparam", 142 },
-{ "sched_setscheduler", 144 },
-{ "sched_yield", 24 },
-{ "seccomp", 317 },
-{ "security", 185 },
-{ "select", 23 },
-{ "semctl", 66 },
-{ "semget", 64 },
-{ "semop", 65 },
+{ "sched_getaffinity", 204 },
+{ "set_thread_area", 205 },
+{ "io_setup", 206 },
+{ "io_destroy", 207 },
+{ "io_getevents", 208 },
+{ "io_submit", 209 },
+{ "io_cancel", 210 },
+{ "get_thread_area", 211 },
+{ "lookup_dcookie", 212 },
+{ "epoll_create", 213 },
+{ "epoll_ctl_old", 214 },
+{ "epoll_wait_old", 215 },
+{ "remap_file_pages", 216 },
+{ "getdents64", 217 },
+{ "set_tid_address", 218 },
+{ "restart_syscall", 219 },
{ "semtimedop", 220 },
-{ "sendfile", 40 },
-{ "sendmmsg", 307 },
-{ "sendmsg", 46 },
-{ "sendto", 44 },
+{ "fadvise64", 221 },
+{ "timer_create", 222 },
+{ "timer_settime", 223 },
+{ "timer_gettime", 224 },
+{ "timer_getoverrun", 225 },
+{ "timer_delete", 226 },
+{ "clock_settime", 227 },
+{ "clock_gettime", 228 },
+{ "clock_getres", 229 },
+{ "clock_nanosleep", 230 },
+{ "exit_group", 231 },
+{ "epoll_wait", 232 },
+{ "epoll_ctl", 233 },
+{ "tgkill", 234 },
+{ "utimes", 235 },
+{ "vserver", 236 },
+{ "mbind", 237 },
{ "set_mempolicy", 238 },
+{ "get_mempolicy", 239 },
+{ "mq_open", 240 },
+{ "mq_unlink", 241 },
+{ "mq_timedsend", 242 },
+{ "mq_timedreceive", 243 },
+{ "mq_notify", 244 },
+{ "mq_getsetattr", 245 },
+{ "kexec_load", 246 },
+{ "waitid", 247 },
+{ "add_key", 248 },
+{ "request_key", 249 },
+{ "keyctl", 250 },
+{ "ioprio_set", 251 },
+{ "ioprio_get", 252 },
+{ "inotify_init", 253 },
+{ "inotify_add_watch", 254 },
+{ "inotify_rm_watch", 255 },
+{ "migrate_pages", 256 },
+{ "openat", 257 },
+{ "mkdirat", 258 },
+{ "mknodat", 259 },
+{ "fchownat", 260 },
+{ "futimesat", 261 },
+{ "newfstatat", 262 },
+{ "unlinkat", 263 },
+{ "renameat", 264 },
+{ "linkat", 265 },
+{ "symlinkat", 266 },
+{ "readlinkat", 267 },
+{ "fchmodat", 268 },
+{ "faccessat", 269 },
+{ "pselect6", 270 },
+{ "ppoll", 271 },
+{ "unshare", 272 },
{ "set_robust_list", 273 },
-{ "set_thread_area", 205 },
-{ "set_tid_address", 218 },
-{ "setdomainname", 171 },
-{ "setfsgid", 123 },
-{ "setfsuid", 122 },
-{ "setgid", 106 },
-{ "setgroups", 116 },
-{ "sethostname", 170 },
-{ "setitimer", 38 },
-{ "setns", 308 },
-{ "setpgid", 109 },
-{ "setpriority", 141 },
-{ "setregid", 114 },
-{ "setresgid", 119 },
-{ "setresuid", 117 },
-{ "setreuid", 113 },
-{ "setrlimit", 160 },
-{ "setsid", 112 },
-{ "setsockopt", 54 },
-{ "settimeofday", 164 },
-{ "setuid", 105 },
-{ "setxattr", 188 },
-{ "shmat", 30 },
-{ "shmctl", 31 },
-{ "shmdt", 67 },
-{ "shmget", 29 },
-{ "shutdown", 48 },
-{ "sigaltstack", 131 },
-{ "signalfd", 282 },
-{ "signalfd4", 289 },
-{ "socket", 41 },
-{ "socketpair", 53 },
+{ "get_robust_list", 274 },
{ "splice", 275 },
-{ "stat", 4 },
-{ "statfs", 137 },
-{ "statx", 332 },
-{ "swapoff", 168 },
-{ "swapon", 167 },
-{ "symlink", 88 },
-{ "symlinkat", 266 },
-{ "sync", 162 },
-{ "sync_file_range", 277 },
-{ "syncfs", 306 },
-{ "sysfs", 139 },
-{ "sysinfo", 99 },
-{ "syslog", 103 },
{ "tee", 276 },
-{ "tgkill", 234 },
-{ "time", 201 },
-{ "timer_create", 222 },
-{ "timer_delete", 226 },
-{ "timer_getoverrun", 225 },
-{ "timer_gettime", 224 },
-{ "timer_settime", 223 },
+{ "sync_file_range", 277 },
+{ "vmsplice", 278 },
+{ "move_pages", 279 },
+{ "utimensat", 280 },
+{ "epoll_pwait", 281 },
+{ "signalfd", 282 },
{ "timerfd_create", 283 },
-{ "timerfd_gettime", 287 },
+{ "eventfd", 284 },
+{ "fallocate", 285 },
{ "timerfd_settime", 286 },
-{ "times", 100 },
-{ "tkill", 200 },
-{ "truncate", 76 },
-{ "tuxcall", 184 },
-{ "umask", 95 },
-{ "umount2", 166 },
-{ "uname", 63 },
-{ "unlink", 87 },
-{ "unlinkat", 263 },
-{ "unshare", 272 },
-{ "uselib", 134 },
+{ "timerfd_gettime", 287 },
+{ "accept4", 288 },
+{ "signalfd4", 289 },
+{ "eventfd2", 290 },
+{ "epoll_create1", 291 },
+{ "dup3", 292 },
+{ "pipe2", 293 },
+{ "inotify_init1", 294 },
+{ "preadv", 295 },
+{ "pwritev", 296 },
+{ "rt_tgsigqueueinfo", 297 },
+{ "perf_event_open", 298 },
+{ "recvmmsg", 299 },
+{ "fanotify_init", 300 },
+{ "fanotify_mark", 301 },
+{ "prlimit64", 302 },
+{ "name_to_handle_at", 303 },
+{ "open_by_handle_at", 304 },
+{ "clock_adjtime", 305 },
+{ "syncfs", 306 },
+{ "sendmmsg", 307 },
+{ "setns", 308 },
+{ "getcpu", 309 },
+{ "process_vm_readv", 310 },
+{ "process_vm_writev", 311 },
+{ "kcmp", 312 },
+{ "finit_module", 313 },
+{ "sched_setattr", 314 },
+{ "sched_getattr", 315 },
+{ "renameat2", 316 },
+{ "seccomp", 317 },
+{ "getrandom", 318 },
+{ "memfd_create", 319 },
+{ "kexec_file_load", 320 },
+{ "bpf", 321 },
+{ "execveat", 322 },
{ "userfaultfd", 323 },
-{ "ustat", 136 },
-{ "utime", 132 },
-{ "utimensat", 280 },
-{ "utimes", 235 },
-{ "vfork", 58 },
-{ "vhangup", 153 },
-{ "vmsplice", 278 },
-{ "vserver", 236 },
-{ "wait4", 61 },
-{ "waitid", 247 },
-{ "write", 1 },
-{ "writev", 20 },
+{ "membarrier", 324 },
+{ "mlock2", 325 },
+{ "copy_file_range", 326 },
+{ "preadv2", 327 },
+{ "pwritev2", 328 },
+{ "pkey_mprotect", 329 },
+{ "pkey_alloc", 330 },
+{ "pkey_free", 331 },
+{ "statx", 332 },
+{ "io_pgetevents", 333 },
+{ "rseq", 334 },
+{ "pidfd_send_signal", 424 },
+{ "io_uring_setup", 425 },
+{ "io_uring_enter", 426 },
+{ "io_uring_register", 427 },
+{ "open_tree", 428 },
+{ "move_mount", 429 },
+{ "fsopen", 430 },
+{ "fsconfig", 431 },
+{ "fsmount", 432 },
+{ "fspick", 433 },
+{ "pidfd_open", 434 },
+{ "clone3", 435 },
+{ "close_range", 436 },
+{ "openat2", 437 },
+{ "pidfd_getfd", 438 },
+{ "faccessat2", 439 },
+{ "process_madvise", 440 },
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/Makefile
^
|
@@ -0,0 +1,10 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = jailcheck
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h ../include/pid.h
+MOD_OBJS = ../lib/common.o ../lib/pid.o
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/access.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/apparmor.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/jailcheck.h
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -61,4 +61,4 @@
int find_child(pid_t pid);
pid_t switch_to_child(pid_t pid);
-#endif
\ No newline at end of file
+#endif
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/network.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -40,6 +40,7 @@
for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
if (strcmp(ifa->ifa_name, "lo") == 0)
continue;
+
found = 1;
break;
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/noexec.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -110,4 +110,4 @@
wait(&status);
int rv = unlink(fname);
(void) rv;
-}
\ No newline at end of file
+}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/seccomp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/sysfiles.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/utils.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/virtual.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/Makefile
^
|
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+TARGET = lib
+
+include $(ROOT)/src/prog.mk
+
+.PHONY: lib
+lib: $(OBJS)
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/common.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -22,7 +22,6 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
-#include <fcntl.h>
#include <sys/syscall.h>
#include <errno.h>
#include <unistd.h>
@@ -31,32 +30,95 @@
#include <dirent.h>
#include <string.h>
#include <time.h>
+#include <limits.h>
+#include <sched.h>
#include "../include/common.h"
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#include <sys/ioctl.h>
+#ifndef NSIO
+#define NSIO 0xb7
+#endif
+#ifndef NS_GET_USERNS
+#define NS_GET_USERNS _IO(NSIO, 0x1)
+#endif
+
#define BUFLEN 4096
-int join_namespace(pid_t pid, char *type) {
+
+int join_namespace_by_fd(int dirfd, char *typestr) {
+ int type;
+ if (strcmp(typestr, "net") == 0)
+ type = CLONE_NEWNET;
+ else if (strcmp(typestr, "mnt") == 0)
+ type = CLONE_NEWNS;
+ else if (strcmp(typestr, "ipc") == 0)
+ type = CLONE_NEWIPC;
+ else if (strcmp(typestr, "pid") == 0)
+ type = CLONE_NEWPID;
+ else if (strcmp(typestr, "uts") == 0)
+ type = CLONE_NEWUTS;
+ else if (strcmp(typestr, "user") == 0)
+ type = CLONE_NEWUSER;
+ else
+ assert(0);
+
char *path;
- if (asprintf(&path, "/proc/%u/ns/%s", pid, type) == -1)
+ if (asprintf(&path, "ns/%s", typestr) == -1)
errExit("asprintf");
- int fd = open(path, O_RDONLY);
+ int fd = openat(dirfd, path, O_RDONLY|O_CLOEXEC);
+ free(path);
if (fd < 0)
goto errout;
- if (syscall(__NR_setns, fd, 0) < 0) {
+ // require that target namespace is owned by
+ // the current user namespace (Linux >= 4.9)
+ struct stat self_userns;
+ if (stat("/proc/self/ns/user", &self_userns) == 0) {
+ int usernsfd = ioctl(fd, NS_GET_USERNS);
+ if (usernsfd != -1) {
+ struct stat dest_userns;
+ if (fstat(usernsfd, &dest_userns) < 0)
+ errExit("fstat");
+ close(usernsfd);
+ if (dest_userns.st_ino != self_userns.st_ino ||
+ dest_userns.st_dev != self_userns.st_dev) {
+ close(fd);
+ goto errout;
+ }
+ }
+ }
+
+ if (syscall(__NR_setns, fd, type) < 0) {
close(fd);
goto errout;
}
close(fd);
- free(path);
return 0;
errout:
- free(path);
- fprintf(stderr, "Error: cannot join namespace %s\n", type);
+ fprintf(stderr, "Error: cannot join namespace %s\n", typestr);
return -1;
+}
+
+int join_namespace(pid_t pid, char *typestr) {
+ char path[64];
+ snprintf(path, sizeof(path), "/proc/%d", pid);
+ int fd = open(path, O_PATH|O_CLOEXEC);
+ if (fd < 0) {
+ fprintf(stderr, "Error: cannot open %s: %s\n", path, strerror(errno));
+ exit(1);
+ }
+ int rv = join_namespace_by_fd(fd, typestr);
+ close(fd);
+ return rv;
}
// return 1 if error
@@ -320,6 +382,115 @@
return last_slash+1;
}
+char *do_replace_cntrl_chars(char *str, char c) {
+ if (str) {
+ size_t i;
+ for (i = 0; str[i]; i++) {
+ if (iscntrl((unsigned char) str[i]))
+ str[i] = c;
+ }
+ }
+ return str;
+}
+
+char *replace_cntrl_chars(const char *str, char c) {
+ assert(str);
+
+ char *rv = strdup(str);
+ if (!rv)
+ errExit("strdup");
+
+ do_replace_cntrl_chars(rv, c);
+ return rv;
+}
+
+int has_cntrl_chars(const char *str) {
+ assert(str);
+
+ size_t i;
+ for (i = 0; str[i]; i++) {
+ if (iscntrl((unsigned char) str[i]))
+ return 1;
+ }
+ return 0;
+}
+
+void reject_cntrl_chars(const char *fname) {
+ assert(fname);
+
+ if (has_cntrl_chars(fname)) {
+ char *fname_print = replace_cntrl_chars(fname, '?');
+
+ fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters are allowed\n", fname_print);
+ exit(1);
+ }
+}
+
+void reject_meta_chars(const char *fname, int globbing) {
+ assert(fname);
+
+ reject_cntrl_chars(fname);
+
+ const char *reject = "\\&!?\"<>%^{};,*[]";
+ if (globbing)
+ reject = "\\&!\"<>%^{};,"; // file globbing ('*?[]') is allowed
+
+ const char *c = strpbrk(fname, reject);
+ if (c) {
+ fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
+ exit(1);
+ }
+}
+
+// takes string with comma separated int values, returns int array
+int *str_to_int_array(const char *str, size_t *sz) {
+ assert(str && sz);
+
+ size_t curr_sz = 0;
+ size_t arr_sz = 16;
+ int *rv = malloc(arr_sz * sizeof(int));
+ if (!rv)
+ errExit("malloc");
+
+ char *dup = strdup(str);
+ if (!dup)
+ errExit("strdup");
+ char *tok = strtok(dup, ",");
+ if (!tok) {
+ free(dup);
+ free(rv);
+ goto errout;
+ }
+
+ while (tok) {
+ char *end;
+ long val = strtol(tok, &end, 10);
+ if (end == tok || *end != '\0' || val < INT_MIN || val > INT_MAX) {
+ free(dup);
+ free(rv);
+ goto errout;
+ }
+
+ if (curr_sz == arr_sz) {
+ arr_sz *= 2;
+ rv = realloc(rv, arr_sz * sizeof(int));
+ if (!rv)
+ errExit("realloc");
+ }
+ rv[curr_sz++] = val;
+
+ tok = strtok(NULL, ",");
+ }
+ free(dup);
+
+ *sz = curr_sz;
+ return rv;
+
+errout:
+ *sz = 0;
+ return NULL;
+}
+
//**************************
// time trace based on getticks function
//**************************
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/errno.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -31,7 +31,7 @@
static ErrnoEntry errnolist[] = {
//
-// code generated using tools/extract-errnos
+// code generated using ../tools/extract_errnos.sh
//
{"EPERM", EPERM},
{"ENOENT", ENOENT},
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/firejail_user.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/ldd_utils.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -47,7 +47,7 @@
if (fd < 0)
return 0;
- unsigned char buf[EI_NIDENT];
+ unsigned char buf[EI_NIDENT] = {0};
ssize_t len = 0;
while (len < EI_NIDENT) {
ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/pid.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -30,7 +30,7 @@
#define PIDS_BUFLEN 4096
//Process pids[max_pids];
Process *pids = NULL;
-int max_pids=32769;
+int max_pids=32769; // recalculated for every read_pid() call
// get the memory associated with this pid
void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
@@ -74,8 +74,14 @@
if (fgets(line, PIDS_BUFLEN - 1, fp)) {
char *ptr = line;
// jump 13 fields
+
+ // end of comm string
+ ptr = strchr(ptr, ')');
+ if (ptr == NULL)
+ goto myexit;
+
int i;
- for (i = 0; i < 13; i++) {
+ for (i = 0; i < 11; i++) {
while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
ptr++;
if (*ptr == '\0')
@@ -273,51 +279,27 @@
print_elem(index, nowrap);
}
-// recursivity!!!
-void pid_store_cpu(unsigned index, unsigned parent, unsigned *utime, unsigned *stime) {
- if (pids[index].level == 1) {
- *utime = 0;
- *stime = 0;
- }
-
- // Remove unused parameter warning
- (void)parent;
-
- unsigned utmp = 0;
- unsigned stmp = 0;
- pid_get_cpu_time(index, &utmp, &stmp);
- *utime += utmp;
- *stime += stmp;
-
- unsigned i;
- for (i = index + 1; i < (unsigned)max_pids; i++) {
- if (pids[i].parent == (pid_t)index)
- pid_store_cpu(i, index, utime, stime);
- }
-
- if (pids[index].level == 1) {
- pids[index].utime = *utime;
- pids[index].stime = *stime;
- }
-}
-
// mon_pid: pid of sandbox to be monitored, 0 if all sandboxes are included
void pid_read(pid_t mon_pid) {
- if (pids == NULL) {
- FILE *fp = fopen("/proc/sys/kernel/pid_max", "r");
- if (fp) {
- int val;
- if (fscanf(fp, "%d", &val) == 1) {
- if (val >= max_pids)
- max_pids = val + 1;
- }
- fclose(fp);
+ unsigned old_max_pids = max_pids;
+ FILE *fp = fopen("/proc/sys/kernel/pid_max", "r");
+ if (fp) {
+ int val;
+ if (fscanf(fp, "%d", &val) == 1) {
+ if (val >= max_pids)
+ max_pids = val + 1;
}
+ fclose(fp);
+ }
+
+ if (pids == NULL) {
+ old_max_pids = max_pids;
pids = malloc(sizeof(Process) * max_pids);
if (pids == NULL)
errExit("malloc");
}
- memset(pids, 0, sizeof(Process) * max_pids);
+
+ memset(pids, 0, sizeof(Process) * old_max_pids);
pid_t mypid = getpid();
DIR *dir;
@@ -332,9 +314,12 @@
struct dirent *entry;
char *end;
+ pid_t new_max_pids = 0;
while ((entry = readdir(dir))) {
pid_t pid = strtol(entry->d_name, &end, 10);
pid %= max_pids;
+ if (pid > new_max_pids)
+ new_max_pids = pid;
if (end == entry->d_name || *end)
continue;
if (pid == mypid)
@@ -418,6 +403,9 @@
}
closedir(dir);
+ // update max_pid
+ max_pids = new_max_pids + 1;
+
pid_t pid;
for (pid = 0; pid < max_pids; pid++) {
int parent = pids[pid].parent;
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/syscall.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -92,7 +92,16 @@
"io_setup,"
#endif
#ifdef SYS_io_submit
- "io_submit"
+ "io_submit,"
+#endif
+#ifdef SYS_io_uring_enter
+ "io_uring_enter,"
+#endif
+#ifdef SYS_io_uring_register
+ "io_uring_register,"
+#endif
+#ifdef SYS_io_uring_setup
+ "io_uring_setup"
#endif
},
{ .name = "@basic-io", .list =
@@ -102,6 +111,9 @@
#ifdef SYS_close
"close,"
#endif
+#ifdef SYS_close_range
+ "close_range,"
+#endif
#ifdef SYS_dup
"dup,"
#endif
@@ -212,6 +224,9 @@
#ifdef SYS_perf_event_open
"perf_event_open,"
#endif
+#ifdef SYS_pidfd_getfd
+ "pidfd_getfd,"
+#endif
#ifdef SYS_process_vm_writev
"process_vm_writev,"
#endif
@@ -290,7 +305,7 @@
"remap_file_pages,"
#endif
#ifdef SYS_set_mempolicy
- "set_mempolicy"
+ "set_mempolicy,"
#endif
#ifdef SYS_vmsplice
"vmsplice,"
@@ -350,6 +365,9 @@
#ifdef SYS_close
"close,"
#endif
+#ifdef SYS_close_range
+ "close_range,"
+#endif
#ifdef SYS_creat
"creat,"
#endif
@@ -503,6 +521,9 @@
#ifdef SYS_openat
"openat,"
#endif
+#ifdef SYS_openat2
+ "openat2,"
+#endif
#ifdef SYS_readlink
"readlink,"
#endif
@@ -657,6 +678,9 @@
#ifdef SYS_pipe2
"pipe2,"
#endif
+#ifdef SYS_process_madvise
+ "process_madvise,"
+#endif
#ifdef SYS_process_vm_readv
"process_vm_readv,"
#endif
@@ -731,9 +755,27 @@
#ifdef SYS_chroot
"chroot,"
#endif
+#ifdef SYS_fsconfig
+ "fsconfig,"
+#endif
+#ifdef SYS_fsmount
+ "fsmount,"
+#endif
+#ifdef SYS_fsopen
+ "fsopen,"
+#endif
+#ifdef SYS_fspick
+ "fspick,"
+#endif
#ifdef SYS_mount
"mount,"
#endif
+#ifdef SYS_move_mount
+ "move_mount,"
+#endif
+#ifdef SYS_open_tree
+ "open_tree,"
+#endif
#ifdef SYS_pivot_root
"pivot_root,"
#endif
@@ -985,6 +1027,9 @@
#ifdef SYS_clone
"clone,"
#endif
+#ifdef SYS_clone3
+ "clone3,"
+#endif
#ifdef SYS_execveat
"execveat,"
#endif
@@ -997,6 +1042,9 @@
#ifdef SYS_kill
"kill,"
#endif
+#ifdef SYS_pidfd_open
+ "pidfd_open,"
+#endif
#ifdef SYS_pidfd_send_signal
"pidfd_send_signal,"
#endif
@@ -1678,14 +1726,14 @@
sl.postlist = NULL;
syscall_check_list(list, syscall_in_list, 0, 0, &sl, native);
if (!arg_quiet) {
- printf("Seccomp list in: %s,", list);
+ fprintf(stderr, "Seccomp list in: %s,", list);
if (sl.slist)
- printf(" check list: %s,", sl.slist);
+ fprintf(stderr, " check list: %s,", sl.slist);
if (sl.prelist)
- printf(" prelist: %s,", sl.prelist);
+ fprintf(stderr, " prelist: %s,", sl.prelist);
if (sl.postlist)
- printf(" postlist: %s", sl.postlist);
- printf("\n");
+ fprintf(stderr, " postlist: %s", sl.postlist);
+ fprintf(stderr, "\n");
}
*prelist = sl.prelist;
*postlist = sl.postlist;
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libpostexecseccomp/Makefile
^
|
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+SO = libpostexecseccomp.so
+TARGET = $(SO)
+
+MOD_HDRS = ../include/seccomp.h ../include/rundefs.h
+
+include $(ROOT)/src/so.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libpostexecseccomp/libpostexecseccomp.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -55,6 +55,10 @@
};
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+#ifdef SECCOMP_FILTER_FLAG_LOG
+ syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog);
+#else
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
+#endif
munmap(filter, size);
}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtrace/Makefile
^
|
@@ -0,0 +1,7 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+SO = libtrace.so
+TARGET = $(SO)
+
+include $(ROOT)/src/so.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtrace/libtrace.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -18,12 +18,12 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#define _GNU_SOURCE
+#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <sys/types.h>
-#include <limits.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
@@ -44,8 +44,6 @@
// break recursivity on fopen call
typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
static orig_fopen_t orig_fopen = NULL;
-typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
-static orig_fopen64_t orig_fopen64 = NULL;
typedef int (*orig_access_t)(const char *pathname, int mode);
static orig_access_t orig_access = NULL;
@@ -341,7 +339,9 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef fopen64
+typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
+static orig_fopen64_t orig_fopen64 = NULL;
FILE *fopen64(const char *pathname, const char *mode) {
if (!orig_fopen64)
orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
@@ -350,7 +350,7 @@
tprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
// freopen
@@ -365,7 +365,7 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef freopen64
typedef FILE *(*orig_freopen64_t)(const char *pathname, const char *mode, FILE *stream);
static orig_freopen64_t orig_freopen64 = NULL;
FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
@@ -376,7 +376,7 @@
tprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
// unlink
typedef int (*orig_unlink_t)(const char *pathname);
@@ -447,7 +447,7 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef stat64
typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf);
static orig_stat64_t orig_stat64 = NULL;
int stat64(const char *pathname, struct stat64 *statbuf) {
@@ -458,7 +458,7 @@
tprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
// lstat
typedef int (*orig_lstat_t)(const char *pathname, struct stat *statbuf);
@@ -472,7 +472,7 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef lstat64
typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf);
static orig_lstat64_t orig_lstat64 = NULL;
int lstat64(const char *pathname, struct stat64 *statbuf) {
@@ -483,7 +483,7 @@
tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
// opendir
typedef DIR *(*orig_opendir_t)(const char *pathname);
@@ -706,10 +706,14 @@
static void log_exec(int argc, char** argv) {
(void) argc;
(void) argv;
- static char buf[PATH_MAX + 1];
- int rv = readlink("/proc/self/exe", buf, PATH_MAX);
- if (rv != -1) {
- buf[rv] = '\0'; // readlink does not add a '\0' at the end
+ char *buf = realpath("/proc/self/exe", NULL);
+ if (buf == NULL) {
+ if (errno == ENOMEM) {
+ tprintf(ftty, "realpath: %s\n", strerror(errno));
+ exit(1);
+ }
+ } else {
tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+ free(buf);
}
}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtracelog/Makefile
^
|
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+SO = libtracelog.so
+TARGET = $(SO)
+
+MOD_HDRS = ../include/rundefs.h
+
+include $(ROOT)/src/so.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtracelog/libtracelog.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -39,8 +39,6 @@
// break recursivity on fopen call
typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
static orig_fopen_t orig_fopen = NULL;
-typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
-static orig_fopen64_t orig_fopen64 = NULL;
//
// blacklist storage
@@ -405,7 +403,9 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef fopen64
+typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
+static orig_fopen64_t orig_fopen64 = NULL;
FILE *fopen64(const char *pathname, const char *mode) {
#ifdef DEBUG
printf("%s %s\n", __FUNCTION__, pathname);
@@ -420,7 +420,7 @@
FILE *rv = orig_fopen64(pathname, mode);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
// freopen
@@ -441,7 +441,7 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef freopen64
typedef FILE *(*orig_freopen64_t)(const char *pathname, const char *mode, FILE *stream);
static orig_freopen64_t orig_freopen64 = NULL;
FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
@@ -458,7 +458,7 @@
FILE *rv = orig_freopen64(pathname, mode, stream);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
// unlink
typedef int (*orig_unlink_t)(const char *pathname);
@@ -565,7 +565,7 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef stat64
typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf);
static orig_stat64_t orig_stat64 = NULL;
int stat64(const char *pathname, struct stat64 *buf) {
@@ -582,7 +582,7 @@
int rv = orig_stat64(pathname, buf);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf);
static orig_lstat_t orig_lstat = NULL;
@@ -601,7 +601,7 @@
return rv;
}
-#ifdef __GLIBC__
+#ifndef lstat64
typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf);
static orig_lstat64_t orig_lstat64 = NULL;
int lstat64(const char *pathname, struct stat64 *buf) {
@@ -618,7 +618,7 @@
int rv = orig_lstat64(pathname, buf);
return rv;
}
-#endif /* __GLIBC__ */
+#endif
// access
typedef int (*orig_access_t)(const char *pathname, int mode);
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/Makefile
^
|
@@ -0,0 +1,14 @@
+.PHONY: all
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
+
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+%.man: %.txt $(ROOT)/config.mk
+ gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
+
+.PHONY: clean
+clean:; rm -fr *.man
+
+.PHONY: distclean
+distclean: clean
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firecfg.txt
^
|
@@ -27,7 +27,7 @@
To set it up, run "sudo firecfg" after installing Firejail software.
The same command should also be run after
installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
+will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
.SH DEFAULT ACTIONS
@@ -82,6 +82,16 @@
reportedly fixed in PulseAudio version 9. If you have sound problems on your system, run
"firecfg --fix-sound" command in a terminal, followed by logout/login in order to apply the changes.
.TP
+\fB\-\-guide
+Guided configuration for new users.
+.br
+
+.br
+Example:
+.br
+$ sudo firecfg --guide
+.br
+.TP
\fB\-\-debug
Print debug messages.
.TP
@@ -136,3 +146,4 @@
.BR firejail-login (5),
.BR firejail-users (5),
.BR jailcheck (1)
+.\" vim: set filetype=groff :
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail-login.txt
^
|
@@ -40,3 +40,4 @@
.BR firejail-profile (5),
.BR firejail-users (5),
.BR jailcheck (1)
+.\" vim: set filetype=groff :
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail-profile.txt
^
|
@@ -14,7 +14,7 @@
.br
Example:
.br
-$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
+$ firejail --appimage --profile=/etc/firejail/kdenlive.profile kdenlive.appimage
.br
.br
@@ -25,7 +25,7 @@
.br
Example:
.br
-$ firejail --profile=kdenlive --appimage kdenlive.appimage
+$ firejail --appimage --profile=kdenlive kdenlive.appimage
.br
.br
@@ -78,7 +78,7 @@
Several command line options can be passed to the program using
profile files. Firejail chooses the profile file as follows:
-\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
Example:
.PP
.RS
@@ -174,11 +174,16 @@
This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
can be enabled or disabled globally in Firejail's configuration file.
The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
+Note: When using one or more conditionals and \fB--profile\fR, it is
+recommended that the relevant option(s) (such as \fB--appimage\fR) be specified
+before \fB--profile\fR, so that their respective conditional(s) (such as
+\fB?HAS_APPIMAGE\fR) inside of the profile evaluate to true.
+
.TP
\fBinclude other.profile
Include other.profile file.
@@ -324,16 +329,16 @@
#ifdef HAVE_OVERLAYFS
.TP
\fBoverlay
-Mount a filesystem overlay on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/<PID> directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/<PID> directory.
.TP
\fBoverlay-named name
-Mount a filesystem overlay on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/name directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/name directory.
.TP
\fBoverlay-tmpfs
-Mount a filesystem overlay on top of the current filesystem.
-All filesystem modifications are discarded when the sandbox is closed.
+Mount a filesystem overlay on top of the current filesystem.
+All filesystem modifications are discarded when the sandbox is closed.
#endif
.TP
\fBprivate
@@ -343,12 +348,25 @@
.TP
\fBprivate directory
Use directory as user home.
+--private and --private=directory cannot be used together.
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
.TP
\fBprivate-bin file,file
Build a new /bin in a temporary filesystem, and copy the programs in the list.
The files in the list must be expressed as relative to the /bin,
/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
+Multiple private-bin commands are allowed and they accumulate.
.TP
\fBprivate-cache
Mount an empty temporary filesystem on top of the .cache directory in user home. All
@@ -358,7 +376,7 @@
Set working directory inside jail to the home directory, and failing that, the root directory.
.TP
\fBprivate-cwd directory
-Set working directory inside the jail.
+Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed.
.TP
\fBprivate-dev
Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,
@@ -374,6 +392,7 @@
(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
expressed as foo/bar -- is disallowed).
All modifications are discarded when the sandbox is closed.
+Multiple private-etc commands are allowed and they accumulate.
#ifdef HAVE_PRIVATE_HOME
.TP
\fBprivate-home file,directory
@@ -436,6 +455,11 @@
.br
Symbolic link handling: with the exception of user home, both the link and the real file should be in
the same top directory. For user home, both the link and the real file should be owned by the user.
+
+.TP
+\fBwhitelist-ro file_or_directory
+Equivalent to "whitelist file_or_directory" followed by "read-only file_or_directory"
+
.TP
\fBwritable-etc
Mount /etc directory read-write.
@@ -459,11 +483,16 @@
#ifdef HAVE_APPARMOR
.TP
\fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
#endif
.TP
\fBcaps
Enable default Linux capabilities filter.
+See capabilities(7) for details.
.TP
\fBcaps.drop capability,capability,capability
Blacklist given Linux capabilities.
@@ -484,17 +513,27 @@
cannot acquire new privileges using execve(2); in particular,
this means that calling a suid binary (or one with file capabilities)
does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
#ifdef HAVE_USERNS
.TP
\fBnoroot
-Use this command to enable an user namespace. The namespace has only one user, the current user.
+Use this command to enable an user namespace. The namespace has only one user, the current user.
There is no root account (uid 0) defined in the namespace.
#endif
.TP
\fBprotocol protocol1,protocol2,protocol3
-Enable protocol filter. The filter is based on seccomp and checks the
+Enable protocol filter. The filter is based on seccomp and checks the
first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
+Multiple protocol commands are allowed and they accumulate.
+.TP
+\fBrestrict-namespaces
+Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+.TP
+\fBrestrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts
+Install a seccomp filter that blocks attempts to create any of the specified namespaces.
.TP
\fBseccomp
Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
@@ -606,7 +645,7 @@
Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
.TP
\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
.TP
\fBdbus-user filter
Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -659,18 +698,14 @@
.br
[...]
#endif
-.SH Resource limits, CPU affinity, Control Groups
+.SH Resource limits, CPU affinity
These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
-configures the CPU cores available, and \fBcgroup\fR command
-place the sandbox in an existing control group.
+configures the CPU cores available.
Examples:
.TP
-\fBcgroup /sys/fs/cgroup/g1/tasks
-The sandbox is placed in g1 control group.
-.TP
\fBcpu 0,1,2
Use only CPU cores 0, 1 and 2.
.TP
@@ -716,6 +751,11 @@
.TP
\fBipc-namespace
Enable IPC namespace.
+
+.TP
+\fBkeep-fd
+Inherit open file descriptors to sandbox.
+
.TP
\fBname sandboxname
Set sandbox name. Example:
@@ -752,6 +792,9 @@
\fBnovideo
Disable video capture devices.
.TP
+\fBmachine-id
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
+.TP
\fBshell none
Run the program directly, without a shell.
@@ -870,8 +913,8 @@
.TP
\fBiprange address,address
-Assign an IP address in the provided range to the last network
-interface defined by a net command. A default gateway is assigned by default.
+Assign an IP address in the provided range to the last network
+interface defined by a net command. A default gateway is assigned by default.
.br
.br
@@ -889,10 +932,6 @@
Assign MAC addresses to the last network interface defined by a net command.
.TP
-\fBmachine-id
-Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
-
-.TP
\fBmtu number
Assign a MTU value to the last network interface defined by a net command.
@@ -938,6 +977,10 @@
\fBnetfilter filename
If a new network namespace is created, enabled the network filter in filename.
+.TP
+\fBnetlock
+Generate a custom network filter and enable it.
+
.TP
\fBnetmask address
@@ -955,12 +998,17 @@
Use this name for the interface connected to the bridge for --net=bridge_interface commands,
instead of the default one.
#endif
+
.SH Other
.TP
\fBdeterministic-exit-code
Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
.TP
+\fBdeterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+
+.TP
\fBjoin-or-start sandboxname
Join the sandbox identified by name or start a new one.
Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
@@ -996,3 +1044,4 @@
.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
.UE
+.\" vim: set filetype=groff :
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail-users.txt
^
|
@@ -60,3 +60,4 @@
.BR firejail-profile (5),
.BR firejail-login (5),
.BR jailcheck (1)
+.\" vim: set filetype=groff :
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail.txt
^
|
@@ -11,7 +11,7 @@
Start an AppImage program:
.PP
.RS
-firejail [OPTIONS] --appimage [appimage-file and arguments]
+firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and arguments]
.RE
.PP
#ifdef HAVE_FILE_TRANSFER
@@ -45,7 +45,7 @@
#ifdef HAVE_LTS
This is Firejail long-term support (LTS), an enterprise focused version of the software,
LTS is usually supported for two or three years.
-During this time only bugs and the occasional documentation problems are fixed.
+During this time only bugs and the occasional documentation problems are fixed.
The attack surface of the SUID executable was greatly reduced by removing some of the features.
.br
@@ -67,6 +67,17 @@
Each profile defines a set of permissions for a specific application or group
of applications. The software includes security profiles for a number of more common
Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
.PP
Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
are not supported. Snap and flatpak packages have their own native management tools and will
@@ -109,7 +120,7 @@
.br
Example:
.br
-$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
.TP
\fB\-\-allusers
All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -122,7 +133,13 @@
#ifdef HAVE_APPARMOR
.TP
\fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
.TP
\fB\-\-apparmor.print=name|pid
Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -149,13 +166,20 @@
.br
$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
.br
-$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage
+$ firejail --quiet --appimage --private --profile=krita krita-3.0-x86_64.appimage
.br
#ifdef HAVE_X11
$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
#endif
-.TP
+.br
+
+.br
+Note: When using both \fB--appimage\fR and \fB--profile\fR, it is recommended
+to always specify the former before the latter, so that any \fB?HAS_APPIMAGE\fR
+conditionals inside of the profile evaluate to true (see \fB?CONDITIONAL\fR in
+firejail-profile(5)).
#ifdef HAVE_NETWORK
+.TP
\fB\-\-bandwidth=name|pid
Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
#endif
@@ -174,6 +198,13 @@
.br
.br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /bar, then /bar will also
+be blacklisted.
+.br
+
+.br
Example:
.br
$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -185,28 +216,27 @@
$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
.TP
\fB\-\-build
-The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+The command builds a whitelisted profile. The profile is printed on the screen. The program is run in a very relaxed sandbox, with only \-\-caps.drop=all and \-\-seccomp=!chroot. Programs that raise user privileges are not supported.
.br
.br
Example:
.br
-$ firejail --build vlc ~/Videos/test.mp4
+$ firejail \-\-build vlc ~/Videos/test.mp4
+.br
+$ firejail \-\-build \-\-appimage ~/Downloads/Subsurface.AppImage
.TP
\fB\-\-build=profile-file
-The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+The command builds a whitelisted profile, and saves it in profile-file. The program is run in a very relaxed sandbox,
+with only \-\-caps.drop=all and \-\-seccomp=!chroot. Programs that raise user privileges are not supported.
.br
.br
Example:
.br
-$ firejail --build=vlc.profile vlc ~/Videos/test.mp4
+$ firejail \-\-build=vlc.profile vlc ~/Videos/test.mp4
+.br
+$ firejail \-\-build=Subsurface.profile \-\-appimage ~/Downloads/Subsurface.AppImage
.TP
\fB\-c
Login shell compatibility option. This option is use by some login programs when executing
@@ -217,6 +247,7 @@
Linux capabilities is a kernel feature designed to split up the root privilege into a set of distinct privileges.
These privileges can be enabled or disabled independently, thus restricting what a process running
as root can do in the system.
+See capabilities(7) for details.
By default root programs run with all capabilities enabled. \-\-caps option disables the following capabilities:
CAP_SYS_MODULE, CAP_SYS_RAWIO,
@@ -289,15 +320,6 @@
\fB\-\-cat=name|pid filename
Print content of file from sandbox container, see FILE TRANSFER section for more details.
#endif
-.TP
-\fB\-\-cgroup=tasks-file
-Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
-.br
-
-.br
-Example:
-.br
-# firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks
#ifdef HAVE_CHROOT
.TP
\fB\-\-chroot=dirname
@@ -310,6 +332,16 @@
Example:
.br
$ firejail \-\-chroot=/media/ubuntu warzone2100
+.br
+
+.br
+For automatic mounting of X11 and PulseAudio sockets set environment variables
+FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
+.br
+
+.br
+Note: Support for this command is controlled in firejail.config with the
+\fBchroot\fR option.
#endif
.TP
\fB\-\-cpu=cpu-number,cpu-number,cpu-number
@@ -390,7 +422,7 @@
.TP
\fB\-\-dbus-system.broadcast=name=[member][@path]
-Allows the application to receive broadcast signals from theindicated interface
+Allows the application to receive broadcast signals from the indicated interface
member at the indicated object path exposed by the indicated bus name on the
system DBus.
The name may have a .* suffix to match all names underneath it, including
@@ -517,7 +549,7 @@
.TP
\fB\-\-dbus-user.broadcast=name=[member][@path]
-Allows the application to receive broadcast signals from theindicated interface
+Allows the application to receive broadcast signals from the indicated interface
member at the indicated object path exposed by the indicated bus name on the
session DBus.
The name may have a .* suffix to match all names underneath it, including
@@ -697,10 +729,17 @@
.br
$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
#endif
+
.TP
\fB\-\-deterministic-exit-code
Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
.br
+
+.TP
+\fB\-\-deterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+.br
+
.TP
\fB\-\-disable-mnt
Blacklist /mnt, /media, /run/mount and /run/media access.
@@ -747,6 +786,48 @@
.br
$ firejail \-\-dns.print=3272
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-dnstrace[=name|pid]
+Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --dnstrace
+.br
+11:31:43 9.9.9.9 linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 www.linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:32:05 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:06 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:08 9.9.9.9 taikai.network (type 1)
+.br
+11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
+.br
+11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
+.br
+11:32:08 9.9.9.9 www.youtube.com (type 1)
+.br
+#endif
+
.TP
\fB\-\-env=name=value
Set environment variable in the new sandbox.
@@ -809,6 +890,28 @@
.br
$ firejail \-\-hosts-file=~/myhosts firefox
+#ifdef HAVE_IDS
+.TP
+\fB\-\-ids-check
+Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ids-check
+
+.TP
+\fB\-\-ids-init
+Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ids-init
+#endif
+
.TP
\fB\-\-ignore=command
Ignore command in profile file.
@@ -817,12 +920,40 @@
.br
Example:
.br
-$ firejail \-\-ignore=shell --ignore=seccomp firefox
+$ firejail --ignore=seccomp --ignore=caps firefox
#ifdef HAVE_NETWORK
.br
$ firejail \-\-ignore="net eth0" firefox
#endif
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-icmptrace[=name|pid]
+Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+Example
+.br
+$ sudo firejail --icmptrace
+.br
+20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
+.br
+#endif
+
.TP
\fB\-\-\include=file.profile
Include a profile file before the regular profiles are used.
@@ -947,7 +1078,7 @@
.TP
\fB\-\-ipc-namespace
-Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
+Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
for sandboxes started as root.
.br
@@ -961,7 +1092,7 @@
Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
all security filters are configured for the new process the same they are configured in the sandbox.
-If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
+If \-\-join command is issued as root, the security filters and cpus configurations are not applied
to the process joining the sandbox.
.br
@@ -986,13 +1117,13 @@
\fB\-\-join-filesystem=name|pid
Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
+Security filters and cpus configurations are not applied to the process joining the sandbox.
#ifdef HAVE_NETWORK
.TP
\fB\-\-join-network=name|pid
Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
+Security filters and cpus configurations are not applied to the process joining the sandbox. Example:
.br
.br
@@ -1014,7 +1145,7 @@
.br
.br
-# verify IP addresses
+# verify IP addresses
.br
$ sudo firejail --join-network=browser ip addr
.br
@@ -1073,6 +1204,26 @@
$ firejail --keep-dev-shm --private-dev
.TP
+\fB\-\-keep-fd=all
+Inherit all open file descriptors to the sandbox. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-fd=all
+
+.TP
+\fB\-\-keep-fd=file_descriptor
+Don't close specified open file descriptors. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-fd=3,4,5
+
+.TP
\fB\-\-keep-var-tmp
/var/tmp directory is untouched.
.br
@@ -1225,7 +1376,7 @@
.TP
\fB\-\-net=ethernet_interface|wireless_interface
Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan|ipvaln
+to this ethernet interface using the standard Linux macvlan|ipvlan
driver. Unless specified with option \-\-ip and \-\-defaultgw, an
IP address and a default gateway will be assigned automatically
to the sandbox. The IP address is verified using ARP before
@@ -1412,6 +1563,30 @@
$ firejail --netfilter6.print=browser
.TP
+\fB\-\-netlock
+Several type of programs (email clients, multiplayer games etc.) talk to a very small
+number of IP addresses. But the best example is tor browser. It only talks to a guard node,
+and there are two or three more on standby in case the main one fails.
+During startup, the browser contacts all of them, after that it keeps talking to the main
+one... for weeks!
+
+Use the network locking feature to build and deploy a custom network firewall in your sandbox.
+The firewall allows only the traffic to the IP addresses detected during the program
+startup. Traffic to any other address is quietly dropped. By default the network monitoring
+time is one minute.
+
+A network namespace (\-\-net=eth0) is required for this feature to work. Example:
+.br
+
+.br
+$ firejail --net=eth0 --netlock \\
+.br
+--private=~/tor-browser_en-US ./start-tor-browser.desktop
+.br
+
+.br
+
+.TP
\fB\-\-netmask=address
Use this option when you want to assign an IP address in a new namespace and
the parent interface specified by --net is not configured. An IP address and
@@ -1448,6 +1623,40 @@
1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox
.br
7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission
+.TP
+\fB\-\-nettrace[=name|pid]
+Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --nettrace
+.br
+ 95 KB/s geoip 457, IP database 4436
+.br
+ 52 KB/s *********** 64.222.84.207:443 United States
+.br
+ 33 KB/s ******* 89.147.74.105:63930 Hungary
+.br
+ 0 B/s 45.90.28.0:443 NextDNS
+.br
+ 0 B/s 94.70.122.176:52309(UDP) Greece
+.br
+ 339 B/s 104.26.7.35:443 Cloudflare
+.br
+
+.br
+If /usr/bin/geoiplookup is installed (geoip-bin package in Debian),
+the country the traffic originates from is added to the trace.
+We also use the static IP map in /usr/lib/firejail/static-ip-map
+to print the domain names for some of the more common websites and cloud platforms.
+No external services are contacted for reverse IP lookup.
#endif
.TP
\fB\-\-nice=value
@@ -1580,6 +1789,10 @@
is enabled by default if seccomp filter is activated.
.TP
+\fB\-\-noprinters
+Disable printers.
+
+.TP
\fB\-\-noprofile
Do not use a security profile.
.br
@@ -1670,6 +1883,17 @@
\fB\-\-nowhitelist=dirname_or_filename
Disable whitelist for this directory or file.
+.TP
+\fB\-\-oom=value
+Configure kernel's OutOfMemory-killer score for this sandbox. The acceptable score values are between 0 and 1000
+for regular users, and -1000 to 1000 for root. For more information on OOM kernel feature see \fBman choom\fR.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-oom=300 firefox
+
#ifdef HAVE_OUTPUT
.TP
\fB\-\-output=logfile
@@ -1793,6 +2017,17 @@
Example:
.br
$ firejail \-\-private=/home/netblue/firefox-home firefox
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
.TP
\fB\-\-private-bin=file,file
@@ -1801,8 +2036,9 @@
/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
If no listed files are found, /bin directory will be empty.
The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
-All modifications are discarded when the sandbox is closed. File globbing is supported,
-see \fBFILE GLOBBING\fR section for more details.
+All modifications are discarded when the sandbox is closed.
+Multiple private-bin commands are allowed and they accumulate.
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
.br
.br
@@ -1832,7 +2068,6 @@
.TP
\fB\-\-private-cwd
Set working directory inside jail to the home directory, and failing that, the root directory.
-.br
Does not impact working directory of profile include paths.
.br
@@ -1853,7 +2088,7 @@
.TP
\fB\-\-private-cwd=directory
Set working directory inside the jail.
-.br
+Full directory path is required. Symbolic links are not allowed.
Does not impact working directory of profile include paths.
.br
@@ -1899,6 +2134,7 @@
the /etc directory (e.g., /etc/foo must be expressed as foo).
If no listed file is found, /etc directory will be empty.
All modifications are discarded when the sandbox is closed.
+Multiple private-etc commands are allowed and they accumulate.
.br
.br
@@ -1976,6 +2212,9 @@
$
.br
+.br
+Note: Support for this command is controlled in firejail.config with the
+\fBprivate-lib\fR option.
.TP
\fB\-\-private-opt=file,directory
Build a new /opt in a temporary
@@ -2057,7 +2296,8 @@
.TP
\fB\-\-protocol=protocol,protocol,protocol
Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture.
+Multiple protocol commands are allowed and they accumulate.
.br
.br
@@ -2127,6 +2367,29 @@
.TP
+\fB\-\-restrict-namespaces
+Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-restrict-namespaces
+
+.TP
+\fB\-\-restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
+Install a seccomp filter that blocks attempts to create any of the specified namespaces. The filter examines
+the arguments of clone, unshare and setns system calls and returns error EPERM to the process
+(or kills it or logs the attempt, see \-\-seccomp-error-action below) if necessary. Note that the filter is not
+able to examine the arguments of clone3 system calls, and always responds to these calls with error ENOSYS.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-restrict-namespaces=user,net
+
+.TP
\fB\-\-rlimit-as=number
Set the maximum size of the process's virtual memory (address space) in bytes.
Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
@@ -2134,7 +2397,7 @@
.TP
\fB\-\-rlimit-cpu=number
Set the maximum limit, in seconds, for the amount of CPU time each
-sandboxed process can consume. When the limit is reached, the processes are killed.
+sandboxed process can consume. When the limit is reached, the processes are killed.
The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2178,7 +2441,7 @@
.TP
\fB\-\-seccomp
Enable seccomp filter and blacklist the syscalls in the default list,
-which is @default-nodebuggers unless \-\-allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
then it is @default.
.br
@@ -2192,6 +2455,11 @@
.br
.br
+The default list can be customized, see \-\-seccomp= for a description.
+It can be customized also globally in /etc/firejail/firejail.config file.
+.br
+
+.br
System architecture is strictly imposed only if flag
\-\-seccomp.block-secondary is used. The filter is applied at run time
only if the correct architecture was detected. For the case of I386
@@ -2206,11 +2474,7 @@
Example:
.br
$ firejail \-\-seccomp
-.br
-.br
-The default list can be customized, see \-\-seccomp= for a description. It can be customized
-also globally in /etc/firejail/firejail.config file.
.TP
\fB\-\-seccomp=syscall,@group,!syscall2
@@ -2274,7 +2538,7 @@
.br
Example:
.br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
+$ firejail \-\-noprofile \-\-seccomp=execve sh
.br
Parent pid 32751, child pid 32752
.br
@@ -2351,7 +2615,7 @@
.br
Example:
.br
-$ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk
+$ firejail \-\-seccomp.keep=poll,select,[...] transmission-gtk
.TP
\fB\-\-seccomp.print=name|pid
@@ -2533,45 +2797,78 @@
.br
.TP
-\fB\-\-shell=none
-Run the program directly, without a user shell.
+\fB\-\-shutdown=name|pid
+Shutdown the sandbox identified by name or PID.
.br
.br
Example:
.br
-$ firejail \-\-shell=none script.sh
-.TP
-\fB\-\-shell=program
-Set default user shell. Use this shell to run the application using \-c shell option.
-For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default the user's preferred shell is used.
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+$ firejail \-\-shutdown=mygame
.br
.br
Example:
-$firejail \-\-shell=/bin/dash script.sh
+.br
+$ firejail \-\-list
+.br
+3272:netblue::firejail \-\-private firefox
+.br
+$ firejail \-\-shutdown=3272
+
+#ifdef HAVE_NETWORK
.TP
-\fB\-\-shutdown=name|pid
-Shutdown the sandbox identified by name or PID.
+\fB\-\-snitrace[=name|pid]
+Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
.br
.br
Example:
.br
-$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+$ sudo firejail --snitrace
.br
-$ firejail \-\-shutdown=mygame
+07:49:51 23.185.0.3 linux.com
.br
-
+07:49:51 23.185.0.3 www.linux.com
.br
-Example:
+07:50:05 192.0.73.2 secure.gravatar.com
.br
-$ firejail \-\-list
+07:52:35 172.67.68.93 www.howtoforge.com
.br
-3272:netblue::firejail \-\-private firefox
+07:52:37 13.225.103.59 sf.ezoiccdn.com
.br
-$ firejail \-\-shutdown=3272
+07:52:42 142.250.176.3 www.gstatic.com
+.br
+07:53:03 173.236.250.32 www.linuxlinks.com
+.br
+07:53:05 192.0.77.37 c0.wp.com
+.br
+07:53:08 192.0.78.32 jetpack.wordpress.com
+.br
+07:53:09 192.0.77.32 s0.wp.com
+.br
+07:53:09 192.0.77.2 i0.wp.com
+.br
+07:53:10 192.0.77.2 i0.wp.com
+.br
+07:53:11 192.0.73.2 1.gravatar.com
+.br
+#endif
+
+.TP
+\fB\-\-tab
+Enable shell tab completion in sandboxes using private or whitelisted home directories.
+.br
+
+.br
+$ firejail \-\-private --tab
.TP
\fB\-\-timeout=hh:mm:ss
Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
@@ -2651,6 +2948,11 @@
Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
.br
[...]
+.br
+
+.br
+Note: Support for this command is controlled in firejail.config with the
+\fBtracelog\fR option.
.TP
\fB\-\-tree
Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details.
@@ -2743,8 +3045,14 @@
.br
.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
.br
.br
@@ -2756,7 +3064,7 @@
.br
$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
.br
-$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
+$ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null
.br
$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
.br
@@ -2865,7 +3173,7 @@
connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
contents of other clients, stealing input events, etc.
-The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
+The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
Firefox and transmission-gtk seem to be working fine.
A network namespace is not required for this option.
@@ -3196,6 +3504,67 @@
$ firejail \-\-cat=mybrowser ~/.bashrc
.br
#endif
+
+#ifdef HAVE_IDS
+.SH INTRUSION DETECTION SYSTEM (IDS)
+The host-based intrusion detection system tracks down and audits user and system file modifications.
+The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
+where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
+
+As a regular user, initialize the database:
+.br
+
+.br
+$ firejail --ids-init
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500 2000
+.br
+2466 files scanned
+.br
+IDS database initialized
+.br
+
+.br
+The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
+such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
+.br
+
+.br
+Run --ids-check to audit the system:
+.br
+
+.br
+$ firejail --ids-check
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500
+.br
+Warning: modified /home/netblue/.bashrc
+.br
+2000
+.br
+2466 files scanned: modified 1, permissions 0, new 0, removed 0
+.br
+
+.br
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+
+Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
+#endif
+
.SH MONITORING
Option \-\-list prints a list of all sandboxes. The format
for each process entry is as follows:
@@ -3256,7 +3625,7 @@
.SH RESTRICTED SHELL
To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail in adduser command:
+you can specify /usr/bin/firejail in adduser command:
adduser \-\-shell /usr/bin/firejail username
@@ -3266,7 +3635,7 @@
Several command line options can be passed to the program using
profile files. Firejail chooses the profile file as follows:
-1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
+1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
Example:
.PP
.RS
@@ -3388,3 +3757,4 @@
.UE ,
.UR https://github.com/netblue30/firejail
.UE
+.\" vim: set filetype=groff :
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firemon.txt
^
|
@@ -21,9 +21,6 @@
\fB\-\-caps
Print capabilities configuration for each sandbox.
.TP
-\fB\-\-cgroup
-Print control group information for each sandbox.
-.TP
\fB\-\-cpu
Print CPU affinity for each sandbox.
.TP
@@ -56,7 +53,7 @@
Print seccomp configuration for each sandbox.
.TP
\fB\-\-top
-Monitor the most CPU-intensive sandboxes. This command is similar to
+Monitor the most CPU-intensive sandboxes. This command is similar to
the regular UNIX top command, however it applies only to sandboxes.
.TP
\fB\-\-tree
@@ -121,3 +118,4 @@
.BR firejail-login (5),
.BR firejail-users (5),
.BR jailcheck (1)
+.\" vim: set filetype=groff :
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/jailcheck.txt
^
|
@@ -115,3 +115,4 @@
.BR firejail-profile (5),
.BR firejail-login (5),
.BR firejail-users (5),
+.\" vim: set filetype=groff :
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/preproc.awk
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/gawk -E
-# Copyright (c) 2019-2021 rusty-snake
+# Copyright (c) 2019-2022 rusty-snake
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/profstats/Makefile
^
|
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = profstats
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/common.h
+
+include $(ROOT)/src/prog.mk
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/profstats/main.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
@@ -17,16 +17,15 @@
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
+
+#include "../include/common.h"
#define MAXBUF 2048
// stats
static int cnt_profiles = 0;
static int cnt_apparmor = 0;
static int cnt_seccomp = 0;
+static int cnt_restrict_namespaces = 0;
static int cnt_caps = 0;
static int cnt_dbus_system_none = 0;
static int cnt_dbus_user_none = 0;
@@ -40,6 +39,7 @@
static int cnt_privatedev = 0;
static int cnt_privatetmp = 0;
static int cnt_privateetc = 0;
+static int cnt_privatelib = 0;
static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc
static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
@@ -58,6 +58,7 @@
static int arg_privatedev = 0;
static int arg_privatetmp = 0;
static int arg_privateetc = 0;
+static int arg_privatelib = 0;
static int arg_whitelistvar = 0;
static int arg_whitelistrunuser = 0;
static int arg_whitelistusrshare = 0;
@@ -67,19 +68,20 @@
static int arg_dbus_user_none = 0;
static int arg_whitelisthome = 0;
static int arg_noroot = 0;
-
+static int arg_print_blacklist = 0;
+static int arg_print_whitelist = 0;
+static int arg_restrict_namespaces = 0;
static char *profile = NULL;
-
static void usage(void) {
- printf("proftool - print profile statistics\n");
- printf("Usage: proftool [options] file[s]\n");
+ printf("profstats - print profile statistics\n");
+ printf("Usage: profstats [options] file[s]\n");
printf("Options:\n");
printf(" --apparmor - print profiles without apparmor\n");
printf(" --caps - print profiles without caps\n");
- printf(" --dbus-system-none - profiles without \"dbus-system none\"\n");
- printf(" --dbus-user-none - profiles without \"dbus-user none\"\n");
+ printf(" --dbus-system-none - print profiles without \"dbus-system none\"\n");
+ printf(" --dbus-user-none - print profiles without \"dbus-user none\"\n");
printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
printf(" --noroot - print profiles without \"noroot\"\n");
@@ -87,8 +89,11 @@
printf(" --private-dev - print profiles without private-dev\n");
printf(" --private-etc - print profiles without private-etc\n");
printf(" --private-tmp - print profiles without private-tmp\n");
+ printf(" --print-blacklist - print all --blacklist for a profile\n");
+ printf(" --print-whitelist - print all --private and --whitelist for a profile\n");
printf(" --seccomp - print profiles without seccomp\n");
- printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+ printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n");
+ printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n");
printf(" --whitelist-home - print profiles whitelisting home directory\n");
printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
@@ -97,8 +102,9 @@
printf("\n");
}
-void process_file(const char *fname) {
+static void process_file(char *fname) {
assert(fname);
+ char *tmpfname = NULL;
if (arg_debug)
printf("processing #%s#\n", fname);
@@ -107,9 +113,19 @@
FILE *fp = fopen(fname, "r");
if (!fp) {
- fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
- level--;
- return;
+ // the file was not found in the current directory
+ // look for it in /etc/firejail directory
+ if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+ errExit("asprintf");
+
+ fp = fopen(tmpfname, "r");
+ if (!fp) {
+ fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+ free(tmpfname);
+ level--;
+ return;
+ }
+ fname = tmpfname;
}
int have_include_local = 0;
@@ -125,8 +141,22 @@
if (*ptr == '\n' || *ptr == '#')
continue;
+ if (arg_print_blacklist) {
+ if (strncmp(ptr, "blacklist", 9) == 0 ||
+ strncmp(ptr, "noblacklist", 11) == 0)
+ printf("%s: %s\n", fname, ptr);
+ }
+ else if (arg_print_whitelist) {
+ if (strncmp(ptr, "whitelist", 9) == 0 ||
+ strncmp(ptr, "nowhitelist", 11) == 0 ||
+ strncmp(ptr, "private", 7) == 0)
+ printf("%s: %s\n", fname, ptr);
+ }
+
if (strncmp(ptr, "seccomp", 7) == 0)
cnt_seccomp++;
+ if (strncmp(ptr, "restrict-namespaces", 19) == 0)
+ cnt_restrict_namespaces++;
else if (strncmp(ptr, "caps", 4) == 0)
cnt_caps++;
else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
@@ -158,6 +188,8 @@
cnt_privatetmp++;
else if (strncmp(ptr, "private-etc", 11) == 0)
cnt_privateetc++;
+ else if (strncmp(ptr, "private-lib", 11) == 0)
+ cnt_privatelib++;
else if (strncmp(ptr, "dbus-system none", 16) == 0)
cnt_dbus_system_none++;
else if (strncmp(ptr, "dbus-system", 11) == 0)
@@ -190,6 +222,8 @@
if (!have_include_local)
printf("No include .local found in %s\n", fname);
level--;
+ if (tmpfname)
+ free(tmpfname);
}
int main(int argc, char **argv) {
@@ -213,6 +247,8 @@
arg_caps = 1;
else if (strcmp(argv[i], "--seccomp") == 0)
arg_seccomp = 1;
+ else if (strcmp(argv[i], "--restrict-namespaces") == 0)
+ arg_restrict_namespaces = 1;
else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
arg_mdwx = 1;
else if (strcmp(argv[i], "--noexec") == 0)
@@ -227,6 +263,10 @@
arg_privatetmp = 1;
else if (strcmp(argv[i], "--private-etc") == 0)
arg_privateetc = 1;
+ else if (strcmp(argv[i], "--print-blacklist") == 0)
+ arg_print_blacklist = 1;
+ else if (strcmp(argv[i], "--print-whitelist") == 0)
+ arg_print_whitelist = 1;
else if (strcmp(argv[i], "--whitelist-home") == 0)
arg_whitelisthome = 1;
else if (strcmp(argv[i], "--whitelist-var") == 0)
@@ -258,7 +298,7 @@
for (i = start; i < argc; i++) {
cnt_profiles++;
- // watch seccomp
+ int restrict_namespaces = cnt_restrict_namespaces;
int seccomp = cnt_seccomp;
int caps = cnt_caps;
int apparmor = cnt_apparmor;
@@ -268,6 +308,7 @@
int privatetmp = cnt_privatetmp;
int privatedev = cnt_privatedev;
int privateetc = cnt_privateetc;
+ int privatelib = cnt_privatelib;
int dotlocal = cnt_dotlocal;
int globalsdotlocal = cnt_globalsdotlocal;
int whitelisthome = cnt_whitelisthome;
@@ -300,6 +341,8 @@
cnt_whitelistrunuser = whitelistrunuser + 1;
if (cnt_seccomp > (seccomp + 1))
cnt_seccomp = seccomp + 1;
+ if (cnt_restrict_namespaces > (restrict_namespaces + 1))
+ cnt_seccomp = restrict_namespaces + 1;
if (cnt_dbus_user_none > (dbususernone + 1))
cnt_dbus_user_none = dbususernone + 1;
if (cnt_dbus_user_filter > (dbususerfilter + 1))
@@ -319,6 +362,8 @@
printf("No caps found in %s\n", argv[i]);
if (arg_seccomp && seccomp == cnt_seccomp)
printf("No seccomp found in %s\n", argv[i]);
+ if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces)
+ printf("No restrict-namespaces found in %s\n", argv[i]);
if (arg_noexec && noexec == cnt_noexec)
printf("No include disable-exec.inc found in %s\n", argv[i]);
if (arg_noroot && noroot == cnt_noroot)
@@ -331,6 +376,8 @@
printf("No private-tmp found in %s\n", argv[i]);
if (arg_privateetc && privateetc == cnt_privateetc)
printf("No private-etc found in %s\n", argv[i]);
+ if (arg_privatelib && privatelib == cnt_privatelib)
+ printf("No private-lib found in %s\n", argv[i]);
if (arg_whitelisthome && whitelisthome == cnt_whitelisthome)
printf("Home directory not whitelisted in %s\n", argv[i]);
if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
@@ -347,6 +394,9 @@
assert(level == 0);
}
+ if (arg_print_blacklist || arg_print_whitelist)
+ return 0;
+
printf("\n");
printf("Stats:\n");
printf(" profiles\t\t\t%d\n", cnt_profiles);
@@ -358,10 +408,12 @@
printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
printf(" noroot\t\t\t%d\n", cnt_noroot);
printf(" memory-deny-write-execute\t%d\n", cnt_mdwx);
+ printf(" restrict-namespaces\t\t%d\n", cnt_restrict_namespaces);
printf(" apparmor\t\t\t%d\n", cnt_apparmor);
printf(" private-bin\t\t\t%d\n", cnt_privatebin);
printf(" private-dev\t\t\t%d\n", cnt_privatedev);
printf(" private-etc\t\t\t%d\n", cnt_privateetc);
+ printf(" private-lib\t\t\t%d\n", cnt_privatelib);
printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
printf(" whitelist home directory\t%d\n", cnt_whitelisthome);
printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/prog.mk
^
|
@@ -0,0 +1,37 @@
+# Common definitions for building C programs and non-shared objects.
+#
+# Note: $(ROOT)/config.mk must be included before this file.
+#
+# The includer should probably define PROG and TARGET and may also want to
+# define MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN.
+
+HDRS := $(sort $(wildcard *.h)) $(MOD_HDRS)
+SRCS := $(sort $(wildcard *.c)) $(MOD_SRCS)
+OBJS := $(SRCS:.c=.o) $(MOD_OBJS)
+
+PROG_CFLAGS = \
+ -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \
+ -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \
+ -fPIE \
+ -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' \
+ -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \
+ -DVARDIR='"/var/lib/firejail"' \
+ $(HAVE_GCOV) $(MANFLAGS) \
+ $(EXTRA_CFLAGS)
+
+PROG_LDFLAGS = -pie -fPIE -Wl,-z,relro -Wl,-z,now $(EXTRA_LDFLAGS)
+
+.PHONY: all
+all: $(TARGET)
+
+%.o : %.c $(HDRS) $(ROOT)/config.mk
+ $(CC) $(PROG_CFLAGS) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+$(PROG): $(OBJS) $(ROOT)/config.mk
+ $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
+
+.PHONY: clean
+clean:; rm -fr *.o $(PROG) *.gcov *.gcda *.gcno *.plist $(TOCLEAN)
+
+.PHONY: distclean
+distclean: clean; rm -fr $(TODISTCLEAN)
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/so.mk
^
|
@@ -0,0 +1,32 @@
+# Common definitions for making shared objects.
+#
+# Note: $(ROOT)/config.mk must be included before this file.
+#
+# The includer should probably define SO and TARGET and may also want to define
+# MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN.
+
+HDRS := $(sort $(wildcard *.h)) $(MOD_HDRS)
+SRCS := $(sort $(wildcard *.c)) $(MOD_SRCS)
+OBJS := $(SRCS:.c=.o) $(MOD_OBJS)
+
+SO_CFLAGS = \
+ -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \
+ -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \
+ -fPIC
+
+SO_LDFLAGS = -pie -fPIE -Wl,-z,relro -Wl,-z,now
+
+.PHONY: all
+all: $(TARGET)
+
+%.o : %.c $(HDRS) $(ROOT)/config.mk
+ $(CC) $(SO_CFLAGS) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+$(SO): $(OBJS) $(ROOT)/config.mk
+ $(CC) $(SO_LDFLAGS) -shared -fPIC -z relro $(LDFLAGS) -o $@ $(OBJS) -ldl
+
+.PHONY: clean
+clean:; rm -fr $(OBJS) $(SO) *.plist $(TOCLEAN)
+
+.PHONY: distclean
+distclean: clean; rm -fr $(TODISTCLEAN)
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/check-caps.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
if [ $# -eq 0 ]
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/mkcoverit.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
# unpack firejail archive
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/testuid.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/ttytest.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/unixsocket.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/zsh_completion/Makefile
^
|
@@ -0,0 +1,17 @@
+.PHONY: all
+all: _firejail
+
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+_firejail: _firejail.in $(ROOT)/config.mk
+ gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
+ sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
+ rm $@.tmp
+
+.PHONY: clean
+clean:
+ rm -fr _firejail
+
+.PHONY: distclean
+distclean: clean
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/zsh_completion/_firejail.in
^
|
@@ -62,6 +62,9 @@
'--tree[print a tree of all sandboxed processes]'
'--version[print program version and exit]'
+ '--ids-check[verify file system]'
+ '--ids-init[initialize IDS database]'
+
'--debug[print sandbox debug messages]'
'--debug-blacklists[debug blacklisting]'
'--debug-caps[print all recognized capabilities]'
@@ -88,9 +91,9 @@
'--caps.drop=all[drop all capabilities]'
'*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
'*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
- '--cgroup=-[place the sandbox in the specified control group]: :'
'--cpu=-[set cpu affinity]: :->cpus'
"--deterministic-exit-code[always exit with first child's status code]"
+ '--deterministic-shutdown[terminate orphan processes]'
'*--dns=-[set DNS server]: :'
'*--env=-[set environment variable]: :'
'--hostname=-[set sandbox hostname]: :'
@@ -100,8 +103,9 @@
'--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
'--keep-config-pulse[disable automatic ~/.config/pulse init]'
'--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+ '--keep-fd[inherit open file descriptors to sandbox]: :'
'--keep-var-tmp[/var/tmp directory is untouched]'
- '--machine-id[preserve /etc/machine-id]'
+ '--machine-id[spoof /etc/machine-id with a random id]'
'--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
'*--mkdir=-[create a directory]:'
'*--mkfile=-[create a file]:'
@@ -119,6 +123,7 @@
'--nogroups[disable supplementary groups]'
'--noinput[disable input devices]'
'--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+ '--noprinters[disable printers]'
'--nosound[disable sound system]'
'--nou2f[disable U2F devices]'
'--novideo[disable video devices]'
@@ -136,6 +141,8 @@
"--quiet[turn off Firejail's output.]"
'*--read-only=-[set directory or file read-only]: :_files'
'*--read-write=-[set directory or file read-write]: :_files'
+ '--restrict-namespaces[seccomp filter that blocks attempts to create new namespaces]'
+ '--restrict-namespaces=-[seccomp filter that blocks attempts to create specified namespaces]: :'
"--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :"
'--rlimit-cpu=-[set the maximum CPU time in seconds]: :'
'--rlimit-fsize=-[set the maximum file size that can be created by a process]: :'
@@ -164,7 +171,8 @@
'--writable-var-log[use the real /var/log directory, not a clone]'
#ifdef HAVE_APPARMOR
- '--apparmor[enable AppArmor confinement]'
+ '--apparmor[enable AppArmor confinement with the default profile]'
+ '--apparmor=-[enable AppArmor confinement with a custom profile]: :'
'--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
#endif
@@ -215,7 +223,7 @@
'--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
'--netfilter6=-[enable IPv6 firewall]: :'
'--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
- '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+ '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :'
'--netns=-[Run the program in a named, persistent network namespace]: :'
'--netstats[monitor network statistics]'
'--interface=-[move interface in sandbox]: :'
@@ -251,10 +259,8 @@
'*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
#endif
-#ifdef HAVE_WHITELIST
'*--nowhitelist=-[disable whitelist for file or directory]: :_files'
'*--whitelist=-[whitelist directory or file]: :_files'
-#endif
#ifdef HAVE_X11
'--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/Makefile
^
|
@@ -0,0 +1,13 @@
+TESTS=$(patsubst %/,%,$(wildcard */))
+
+.PHONY: $(TESTS)
+$(TESTS):
+ cd $@ && ./$@.sh 2>&1 | tee $@.log
+ cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log
+
+.PHONY: clean
+clean:
+ for test in $(TESTS); do rm -f "$$test/$$test.log"; done
+
+.PHONY: distclean
+distclean: clean
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-args.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -23,7 +23,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -51,7 +51,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-trace.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
@@ -38,7 +38,7 @@
send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 12\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-v1.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -39,7 +39,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-v2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=appimage-test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -39,7 +39,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
@@ -13,7 +13,7 @@
echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
./appimage-v2.exp
-echo "TESTING: AppImage file name (test/appimage/filename.exp)";
+echo "TESTING: AppImage file name (test/appimage/filename.exp)"
./filename.exp
echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/filename.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/apps-x11-xorg.sh
^
|
@@ -1,14 +1,13 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v firefox
then
echo "TESTING: firefox x11 xorg"
./firefox.exp
@@ -16,8 +15,7 @@
echo "TESTING SKIP: firefox not found"
fi
-which transmission-gtk 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v transmission-gtk
then
echo "TESTING: transmission-gtk x11 xorg"
./transmission-gtk.exp
@@ -25,8 +23,7 @@
echo "TESTING SKIP: transmission-gtk not found"
fi
-which transmission-qt 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v transmission-qt
then
echo "TESTING: transmission-qt x11 xorg"
./transmission-qt.exp
@@ -34,8 +31,7 @@
echo "TESTING SKIP: transmission-qt not found"
fi
-which thunderbird 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v thunderbird
then
echo "TESTING: thunderbird x11 xorg"
./thunderbird.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/firefox.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -36,7 +36,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/thunderbird.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/transmission-gtk.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/transmission-qt.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/apps-x11.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
@@ -10,49 +10,42 @@
echo "TESTING: no x11 (test/apps-x11/x11-none.exp)"
./x11-none.exp
-
-which xterm 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v xterm
then
echo "TESTING: xterm x11 xorg"
./xterm-xorg.exp
- which xpra 2>/dev/null
- if [ "$?" -eq 0 ];
+ if command -v xpra
then
- echo "TESTING: xterm x11 xpra"
- ./xterm-xpra.exp
+ echo "TESTING: xterm x11 xpra"
+ ./xterm-xpra.exp
fi
- which Xephyr 2>/dev/null
- if [ "$?" -eq 0 ];
+ if command -v Xephyr
then
- echo "TESTING: xterm x11 xephyr"
- ./xterm-xephyr.exp
+ echo "TESTING: xterm x11 xephyr"
+ ./xterm-xephyr.exp
fi
else
echo "TESTING SKIP: xterm not found"
fi
# check xpra/xephyr
-which xpra 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v xpra
then
- echo "xpra found"
+ echo "xpra found"
else
- echo "xpra not found"
- which Xephyr 2>/dev/null
- if [ "$?" -eq 0 ];
+ echo "xpra not found"
+ if command -v Xephyr
then
- echo "Xephyr found"
+ echo "Xephyr found"
else
- echo "TESTING SKIP: xpra and/or Xephyr not found"
+ echo "TESTING SKIP: xpra and/or Xephyr not found"
exit
fi
fi
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v firefox
then
echo "TESTING: firefox x11"
./firefox.exp
@@ -60,8 +53,7 @@
echo "TESTING SKIP: firefox not found"
fi
-which chromium 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v chromium
then
echo "TESTING: chromium x11"
./chromium.exp
@@ -69,8 +61,7 @@
echo "TESTING SKIP: chromium not found"
fi
-which transmission-gtk 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v transmission-gtk
then
echo "TESTING: transmission-gtk x11"
./transmission-gtk.exp
@@ -78,8 +69,7 @@
echo "TESTING SKIP: transmission-gtk not found"
fi
-which thunderbird 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v thunderbird
then
echo "TESTING: thunderbird x11"
./thunderbird.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/chromium.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -32,7 +32,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/firefox.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -36,7 +36,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/thunderbird.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/transmission-gtk.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/x11-none.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -17,7 +17,7 @@
send -- "firejail --name=test --net=none --x11=none\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/x11-xephyr.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test --x11=xephyr xterm\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
exit
@@ -28,7 +28,7 @@
send -- "firejail --name=test --net=none --x11=none\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/xterm-xephyr.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/xterm-xorg.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/xterm-xpra.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -33,7 +33,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/apps.sh
^
|
@@ -1,18 +1,16 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird "
-LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat"
+apps=(firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat)
-for app in $LIST; do
- which $app 2>/dev/null
- if [ "$?" -eq 0 ];
+for app in "${apps[@]}"; do
+ if command -v "$app"
then
echo "TESTING: $app"
./$app.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/chromium.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 10
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/deluge.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 10
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/fbreader.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/filezilla.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/firefox.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 10
@@ -47,7 +47,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/gnome-mplayer.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 5
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/gthumb.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/hexchat.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/kcalc.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/ktorrent.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/midori.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 5
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/opera.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 10
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/qbittorrent.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/thunderbird.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 5
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/transmission-qt.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/uget-gtk.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/vlc.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/wine.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/xchat.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/chroot.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
@@ -17,6 +17,4 @@
echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)"
sudo ./unchroot-as-root.exp
-
-
rm -f unchroot
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/configure
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
# build a very small chroot
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/fs_chroot.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
- "Child process initialized" {puts "chroot available\n"};
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"};
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/unchroot-as-root.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
- "Child process initialized" {puts "chroot available\n"};
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"};
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/unchroot.c
^
|
@@ -1,5 +1,5 @@
// This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
+// Copyright (C) 2014-2022 Firejail Authors
// License GPL v2
// simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/compile/compile.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
# not currently covered
@@ -31,6 +31,7 @@
arr[16]="TEST 16: compile disable manpages"
arr[17]="TEST 17: disable tmpfs as regular user"
arr[18]="TEST 18: disable private home"
+arr[19]="TEST 19: enable ids"
# remove previous reports and output file
cleanup() {
@@ -46,23 +47,23 @@
echo
echo
echo "**************************************************"
- echo $1
+ echo "$1"
echo "**************************************************"
}
DIST="$1"
-while [ $# -gt 0 ]; do # Until you run out of parameters . . .
- case "$1" in
- --clean)
- cleanup
- exit
- ;;
- --help)
- echo "./compile.sh [--clean|--help]"
- exit
- ;;
- esac
- shift # Check next set of parameters.
+while [[ $# -gt 0 ]]; do # Until you run out of parameters . . .
+ case "$1" in
+ --clean)
+ cleanup
+ exit
+ ;;
+ --help)
+ echo "./compile.sh [--clean|--help]"
+ exit
+ ;;
+ esac
+ shift # Check next set of parameters.
done
cleanup
@@ -75,8 +76,8 @@
#*****************************************************************
print_title "${arr[1]}"
echo "$DIST"
-tar -xJvf ../../$DIST.tar.xz
-mv $DIST firejail
+tar -xJvf ../../"$DIST.tar.xz"
+mv "$DIST" firejail
cd firejail
./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -88,7 +89,6 @@
cp output-make om1
rm output-configure output-make
-
#*****************************************************************
# TEST 2
#*****************************************************************
@@ -97,7 +97,7 @@
print_title "${arr[2]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test2
@@ -114,7 +114,7 @@
print_title "${arr[3]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test3
@@ -131,7 +131,7 @@
print_title "${arr[4]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test4
@@ -148,7 +148,7 @@
print_title "${arr[5]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test5
@@ -166,7 +166,7 @@
print_title "${arr[6]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test6
@@ -183,7 +183,7 @@
print_title "${arr[7]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test7
@@ -217,7 +217,7 @@
print_title "${arr[9]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test9
@@ -234,7 +234,7 @@
print_title "${arr[10]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test10
@@ -251,7 +251,7 @@
print_title "${arr[11]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test11
@@ -268,7 +268,7 @@
print_title "${arr[12]}"
cd firejail
make distclean
-./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test12
@@ -353,7 +353,7 @@
print_title "${arr[17]}"
cd firejail
make distclean
-./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test17
@@ -380,6 +380,23 @@
rm output-configure output-make
#*****************************************************************
+# TEST 19
+#*****************************************************************
+# - enable ids
+#*****************************************************************
+print_title "${arr[19]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test19
+grep Error output-configure output-make >> ./report-test19
+cp output-configure oc19
+cp output-make om19
+rm output-configure output-make
+
+#*****************************************************************
# PRINT REPORTS
#*****************************************************************
echo
@@ -392,22 +409,23 @@
wc -l report-test*
echo
-echo "Legend:"
-echo ${arr[1]}
-echo ${arr[2]}
-echo ${arr[3]}
-echo ${arr[4]}
-echo ${arr[5]}
-echo ${arr[6]}
-echo ${arr[7]}
-echo ${arr[8]}
-echo ${arr[9]}
-echo ${arr[10]}
-echo ${arr[11]}
-echo ${arr[12]}
-echo ${arr[13]}
-echo ${arr[14]}
-echo ${arr[15]}
-echo ${arr[16]}
-echo ${arr[17]}
-echo ${arr[18]}
+echo "Legend:"
+echo "${arr[1]}"
+echo "${arr[2]}"
+echo "${arr[3]}"
+echo "${arr[4]}"
+echo "${arr[5]}"
+echo "${arr[6]}"
+echo "${arr[7]}"
+echo "${arr[8]}"
+echo "${arr[9]}"
+echo "${arr[10]}"
+echo "${arr[11]}"
+echo "${arr[12]}"
+echo "${arr[13]}"
+echo "${arr[14]}"
+echo "${arr[15]}"
+echo "${arr[16]}"
+echo "${arr[17]}"
+echo "${arr[18]}"
+echo "${arr[19]}"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/allow-debuggers.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --allow-debuggers\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized" { puts "\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" { puts "\n"}
"is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit }
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/deterministic-exit-code.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 4
@@ -10,7 +10,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -32,7 +32,7 @@
send -- "firejail --deterministic-exit-code\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/deterministic-shutdown.exp
^
|
@@ -0,0 +1,17 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --deterministic-shutdown bash -c \"sleep 100 & exec sleep 1\"\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Parent is shutting down, bye..."
+}
+after 100
+
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/dns.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -30,7 +30,7 @@
}
expect {
timeout {puts "TESTING ERROR 1.5\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 1.6\n";exit}
@@ -47,7 +47,7 @@
"DNS server 8.8.8.8" {puts "TESTING ERROR 2.3\n";exit}
"DNS server 4.2.2.1" {puts "TESTING ERROR 2.4\n";exit}
"DNS server ::2" {puts "TESTING ERROR 2.5\n";exit}
- "Child process initialized" {puts "TESTING ERROR 2.6\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "TESTING ERROR 2.6\n";exit}
"Parent is shutting down, bye..." {puts "TESTING ERROR 2.7\n";exit}
"root"
}
@@ -56,7 +56,7 @@
send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -85,7 +85,7 @@
send -- "firejail --profile=dns.profile\r"
expect {
timeout {puts "TESTING ERROR 5.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -110,23 +110,23 @@
send -- "exit\r"
sleep 1
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "connect"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "208.67.222.222"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "53"
-}
-after 100
+# test disabled, as Github CI uses systemd-resolved, which does not work
+# properly with --dns=, so curl does not use the specified nameserver
+#send -- "firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org\r"
+#expect {
+# timeout {puts "TESTING ERROR 6.1\n";exit}
+# "connect"
+#}
+#expect {
+# timeout {puts "TESTING ERROR 6.2\n";exit}
+# "208.67.222.222"
+#}
+#expect {
+# timeout {puts "TESTING ERROR 6.3\n";exit}
+# "53"
+#}
+#after 100
-send -- "rm index.html\r"
-after 100
send -- "exit\r"
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/doubledash.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail -- ls -- -testdir\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
@@ -26,7 +26,7 @@
send -- "firejail --name=testing -- -testdir/bash\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/env.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -37,7 +37,7 @@
send -- "firejail --profile=env.profile\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "env | grep LD_LIBRARY_PATH\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/environment.sh
^
|
@@ -1,13 +1,12 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-
echo "TESTING: timeout (test/environment/timeout.exp)"
./timeout.exp
@@ -36,46 +35,15 @@
echo "TESTING: environment variables (test/environment/env.exp)"
./env.exp
-echo "TESTING: shell none(test/environment/shell-none.exp)"
-./shell-none.exp
-
-which dash 2>/dev/null
-if [ "$?" -eq 0 ];
-then
- echo "TESTING: dash (test/environment/dash.exp)"
- ./dash.exp
-else
- echo "TESTING SKIP: dash not found"
-fi
-
-which csh 2>/dev/null
-if [ "$?" -eq 0 ];
-then
- echo "TESTING: csh (test/environment/csh.exp)"
- ./csh.exp
-else
- echo "TESTING SKIP: csh not found"
-fi
-
-which zsh 2>/dev/null
-if [ "$?" -eq 0 ];
-then
- echo "TESTING: zsh (test/environment/zsh.exp)"
- ./zsh.exp
-else
- echo "TESTING SKIP: zsh not found"
-fi
-
echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)"
./firejail-in-firejail.exp
-which aplay 2>/dev/null
-if [ "$?" -eq 0 ] && [ "$(aplay -l | grep -c "List of PLAYBACK")" -gt 0 ];
+if command -v aplay && [[ $(aplay -l | grep -c "List of PLAYBACK") -gt 0 ]]
then
- echo "TESTING: sound (test/environment/sound.exp)"
- ./sound.exp
+ echo "TESTING: sound (test/environment/sound.exp)"
+ ./sound.exp
else
- echo "TESTING SKIP: no aplay or sound card found"
+ echo "TESTING SKIP: no aplay or sound card found"
fi
echo "TESTING: nice (test/environment/nice.exp)"
@@ -84,26 +52,24 @@
echo "TESTING: quiet (test/environment/quiet.exp)"
./quiet.exp
-which strace 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v strace
then
- echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
- ./allow-debuggers.exp
+ echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
+ ./allow-debuggers.exp
else
- echo "TESTING SKIP: strace not found"
+ echo "TESTING SKIP: strace not found"
fi
# to install ibus:
# $ sudo apt-get install ibus-table-array30
# $ ibus-setup
-find ~/.config/ibus/bus | grep unix-0
-if [ "$?" -eq 0 ];
+if find ~/.config/ibus/bus | grep unix-0
then
echo "TESTING: ibus (test/environment/ibus.exp)"
./ibus.exp
else
- echo "TESTING SKIP: ibus not configured"
+ echo "TESTING SKIP: ibus not configured"
fi
echo "TESTING: rlimit (test/environment/rlimit.exp)"
@@ -112,14 +78,26 @@
echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
./rlimit-profile.exp
+echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
+./rlimit-join.exp
+
echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
./rlimit-bad.exp
echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
./rlimit-bad-profile.exp
-echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
./deterministic-exit-code.exp
-echo "TESTING: retain umask (test/environment/umask.exp"
+echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)"
+./deterministic-shutdown.exp
+
+echo "TESTING: keep fd (test/environment/keep-fd.exp)"
+./keep-fd.exp
+
+echo "TESTING: keep fd errors (test/environment/keep-fd-bad.exp)"
+./keep-fd-bad.exp
+
+echo "TESTING: retain umask (test/environment/umask.exp)"
(umask 123 && ./umask.exp)
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/extract_command.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/firejail-in-firejail.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/hostfile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
@@ -15,7 +15,7 @@
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/ibus.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/keep-fd-bad.exp
^
|
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --noprofile --keep-fd=\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=,,,\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=dall\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=6,7,8,10b,11\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Error: invalid keep-fd option"
+}
+after 100
+
+
+puts "\nall done\n"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/keep-fd.exp
^
|
@@ -0,0 +1,223 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+#
+# obtain some open file descriptors
+#
+send -- "exec {WRITE_FD}> blabla\r"
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "/blabla"
+}
+after 100
+
+send -- "exec {READ_FD}< blabla\r"
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/blabla"
+}
+after 100
+
+
+#
+# inherit environment variables
+#
+send -- "export READ_FD\r"
+send -- "export WRITE_FD\r"
+after 100
+
+
+#
+# close all file descriptors
+# 0, 1, 2 stay open
+#
+send -- "firejail --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "4"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep one file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "5"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep other file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "5"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep both file descriptors
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD,\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "6"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 17\n";exit}
+ "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep all file descriptors
+#
+send -- "firejail --noprofile --keep-fd=all\r"
+expect {
+ timeout {puts "TESTING ERROR 18\n";exit}
+ -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 19\n";exit}
+ "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# cleanup
+#
+send -- "rm -f blabla\r"
+after 100
+
+
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/machineid.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
@@ -15,7 +15,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/nice.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --nice=15\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -39,7 +39,7 @@
send -- "firejail --profile=nice.profile\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -70,7 +70,7 @@
send -- "firejail --nice=-5\r"
expect {
timeout {puts "TESTING ERROR 17\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/output.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/output.sh
^
|
@@ -1,12 +1,12 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
i="0"
-while [ $i -lt 150000 ]
+while [[ $i -lt 150000 ]]
do
- echo message number $i
- i=$[$i+1]
+ echo "message number $i"
+ i=$((i+1))
done
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/quiet.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 4
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-bad-profile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-bad.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-join.exp
^
|
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Switching to pid"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Max open files 1234 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-profile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --profile=rlimit.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=1234567890\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/sound.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
@@ -11,7 +11,7 @@
send -- "firejail --nosound speaker-test\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
@@ -22,7 +22,7 @@
send -- "firejail --nosound aplay -l\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
@@ -39,7 +39,7 @@
send -- "firejail --profile=sound.profile speaker-test\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 12\n";exit}
@@ -50,7 +50,7 @@
send -- "firejail --profile=sound.profile aplay -l\r"
expect {
timeout {puts "TESTING ERROR 13\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 14\n";exit}
@@ -67,7 +67,7 @@
send -- "firejail aplay -l\r"
expect {
timeout {puts "TESTING ERROR 23\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 24\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/timeout.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "time firejail --timeout=00:00:05\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/umask.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/cmdline.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -32,14 +32,22 @@
send -- "fcopy f%oo1 foo2\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "invalid source file name"
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "is an invalid filename"
}
after 100
send -- "fcopy foo1 f,oo2\r"
expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "invalid dest file name"
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "is an invalid filename"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/dircopy.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
@@ -12,9 +12,21 @@
send -- "rm -fr dest/*\r"
after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
send -- "fcopy src dest\r"
after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
send -- "find dest\r"
expect {
@@ -135,5 +147,7 @@
send -- "rm -fr dest/*\r"
after 100
+send -- "rm -f src/dircopy.exp\r"
+after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/fcopy.sh
^
|
@@ -1,13 +1,13 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-if [ -f /etc/debian_version ]; then
+if [[ -f /etc/debian_version ]]; then
libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
export PATH="$PATH:$libdir"
fi
@@ -19,13 +19,14 @@
echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)"
./cmdline.exp
-echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)"
-./dircopy.exp
-
echo "TESTING: fcopy file (test/fcopy/filecopy.exp)"
./filecopy.exp
echo "TESTING: fcopy link (test/fcopy/linkcopy.exp)"
./linkcopy.exp
+echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)"
+./dircopy.exp
+
rm -fr dest/*
+rm -f src/dircopy.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/filecopy.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/linkcopy.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
@@ -12,6 +12,12 @@
send -- "rm -fr dest/*\r"
after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
send -- "fcopy src/dircopy.exp dest\r"
after 100
@@ -19,7 +25,7 @@
send -- "find dest\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "dest/"
+ "dest"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
@@ -27,11 +33,11 @@
}
after 100
-
send -- "ls -al dest\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "lrwxrwxrwx"
+ "rwxr-xr-x" { puts "umask 0022\n" }
+ "rwxrwxr-x" { puts "umask 0002\n" }
}
after 100
send -- "stty -echo\r"
@@ -52,5 +58,7 @@
send -- "rm -fr dest/*\r"
after 100
+send -- "rm -f src/dircopy.exp\r"
+after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.1.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# disable /boot
@@ -18,7 +18,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -40,7 +40,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -61,7 +61,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.10.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# disable /selinux
@@ -18,7 +18,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -41,7 +41,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -63,7 +63,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# new /proc
@@ -18,7 +18,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -64,7 +64,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -105,7 +105,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.4.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# mask other users
@@ -18,7 +18,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -53,7 +53,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -86,7 +86,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.5.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# PID namespace
@@ -18,7 +18,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -40,7 +40,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -61,7 +61,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.6.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# new /var/log
@@ -18,7 +18,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -40,7 +40,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -61,7 +61,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.7.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# new /var/tmp
@@ -20,7 +20,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -42,7 +42,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -63,7 +63,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.8.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# disable /etc/firejail and ~/.config/firejail
@@ -19,7 +19,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -71,7 +71,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
send -- "ls ~/.config/firejail\r"
@@ -122,7 +122,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "ls ~/.config/firejail\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.1.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# hostname
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --hostname=bingo\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -56,7 +56,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -93,7 +93,7 @@
send -- "firejail --noprofile --hostname=bingo --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# DNS
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --dns=4.2.2.1\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -48,7 +48,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -77,7 +77,7 @@
send -- "firejail --noprofile --dns=4.2.2.1 --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.3.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# mac-vlan
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --net=eth0 --dns=8.8.8.8 --dns=8.8.4.4\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -62,7 +62,7 @@
send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --dns=8.8.8.8 --dns=8.8.4.4\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -111,7 +111,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -155,7 +155,7 @@
send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --overlay --dns=8.8.8.8 --dns=8.8.4.4\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -205,7 +205,7 @@
send -- "firejail --noprofile --net=eth0 --chroot=/tmp/chroot --dns=8.8.8.8 --dns=8.8.4.4\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -249,7 +249,7 @@
send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --chroot=/tmp/chroot --dns=8.8.8.8 --dns=8.8.4.4\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.4.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# bridge
@@ -19,7 +19,7 @@
send -- "firejail --noprofile --net=br0\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -56,7 +56,7 @@
send -- "firejail --noprofile --net=br0 --ip=10.10.20.4\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -99,7 +99,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -136,7 +136,7 @@
send -- "firejail --noprofile --net=br0 --ip=10.10.20.4 --overlay\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -179,7 +179,7 @@
send -- "firejail --noprofile --net=br0 --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -208,7 +208,7 @@
send -- "firejail --noprofile --net=br0 --ip=10.10.20.4 --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.5.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# interface
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --interface=eth0.5\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -51,7 +51,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -84,7 +84,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --interface=eth0.7\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.6.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# default gateway
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -39,7 +39,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -60,7 +60,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.1.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# private
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -70,7 +70,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -120,7 +120,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --private\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.10.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# whitelist tmp
@@ -22,7 +22,7 @@
send -- "firejail --noprofile --whitelist=/tmp/test1dir\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -78,7 +78,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -136,7 +136,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/tmp/test1dir\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.11.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# mkdir
@@ -21,7 +21,7 @@
send -- "firejail --profile=3.11.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -73,7 +73,7 @@
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -127,7 +127,7 @@
send -- "firejail --profile=3.11.profile\r"
expect {
timeout {puts "TESTING ERROR 20\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# read-only
@@ -20,7 +20,7 @@
send -- "firejail --noprofile --read-only=/home/netblue/.config\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -41,7 +41,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -64,7 +64,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --read-only=/home/netblue/.config\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.3.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# blacklist
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --blacklist=/home/netblue/.config\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -40,7 +40,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -61,7 +61,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --blacklist=/home/netblue/.config\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.4.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# whitelist home
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --whitelist=/home/netblue/.config\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -83,7 +83,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -147,7 +147,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/home/netblue/.config\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.5.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# private-dev
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --private-dev\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -41,7 +41,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -64,7 +64,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --private-dev\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.6.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# private-etc
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -40,7 +40,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -68,7 +68,7 @@
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"chroot option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.7.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# private-tmp
@@ -22,7 +22,7 @@
send -- "firejail --noprofile --private-tmp\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -49,7 +49,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -76,7 +76,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --private-tmp\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.8.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# private-bin
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --private-bin=bash,cat,cp,ls,wc\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -41,7 +41,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -68,7 +68,7 @@
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.9.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# whitelist dev
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --whitelist=/dev/tty --whitelist=/dev/null\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -42,7 +42,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"overlay option is not available" {puts "grsecurity\n"; exit}
- "Child process initialized" {puts "normal system\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
}
sleep 1
@@ -65,7 +65,7 @@
send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/dev/tty --whitelist=/dev/null\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/test.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export LC_ALL=C
@@ -8,28 +8,25 @@
CHROOT="chroot"
NETWORK="network"
-while [ $# -gt 0 ]; do # Until you run out of parameters . . .
- case "$1" in
- --nooverlay)
- OVERLAY="none"
- ;;
- --nochroot)
- CHROOT="none"
- ;;
- --nonetwork)
- NETWORK="none"
- ;;
- --help)
- echo "./test.sh [--nooverlay|--nochroot|--nonetwork|--help] | grep TESTING"
- exit
- ;;
- esac
- shift # Check next set of parameters.
+while [[ $# -gt 0 ]]; do # Until you run out of parameters . . .
+ case "$1" in
+ --nooverlay)
+ OVERLAY="none"
+ ;;
+ --nochroot)
+ CHROOT="none"
+ ;;
+ --nonetwork)
+ NETWORK="none"
+ ;;
+ --help)
+ echo "./test.sh [--nooverlay|--nochroot|--nonetwork|--help] | grep TESTING"
+ exit
+ ;;
+ esac
+ shift # Check next set of parameters.
done
-
-
-
#
# Feature testing
#
@@ -38,85 +35,85 @@
# Default features
####################
echo "TESTING: 1.1 disable /boot"
-./1.1.exp $OVERLAY $CHROOT
+./1.1.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 1.2 new /proc"
-./1.2.exp $OVERLAY $CHROOT
+./1.2.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 1.4 mask other users"
-./1.4.exp $OVERLAY $CHROOT
+./1.4.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 1.5 PID namespace"
-./1.5.exp $OVERLAY $CHROOT
+./1.5.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 1.6 new /var/log"
-./1.6.exp $OVERLAY $CHROOT
+./1.6.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 1.7 new /var/tmp"
-./1.7.exp $OVERLAY $CHROOT
+./1.7.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 1.8 disable firejail config and run time information"
-./1.8.exp $OVERLAY $CHROOT
+./1.8.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 1.10 disable /selinux"
-./1.10.exp $OVERLAY $CHROOT
+./1.10.exp "$OVERLAY" "$CHROOT"
####################
# networking features
####################
-if [ $NETWORK == "network" ]
+if [[ $NETWORK == "network" ]]
then
echo "TESTING: 2.1 hostname"
- ./2.1.exp $OVERLAY $CHROOT
+ ./2.1.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 2.2 DNS"
- ./2.2.exp $OVERLAY $CHROOT
+ ./2.2.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 2.3 mac-vlan"
- ./2.3.exp $OVERLAY $CHROOT
+ ./2.3.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 2.4 bridge"
- ./2.4.exp $OVERLAY $CHROOT
+ ./2.4.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 2.5 interface"
- ./2.5.exp $OVERLAY $CHROOT
+ ./2.5.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 2.6 Default gateway"
- ./2.6.exp $OVERLAY $CHROOT
+ ./2.6.exp "$OVERLAY" "$CHROOT"
fi
####################
# filesystem features
####################
echo "TESTING: 3.1 private (fails on OpenSUSE)"
-./3.1.exp $OVERLAY $CHROOT
+./3.1.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.2 read-only"
-./3.2.exp $OVERLAY $CHROOT
+./3.2.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.3 blacklist"
-./3.3.exp $OVERLAY $CHROOT
+./3.3.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.4 whitelist home (fails on OpenSUSE)"
-./3.4.exp $OVERLAY $CHROOT
+./3.4.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.5 private-dev"
-./3.5.exp $OVERLAY $CHROOT
+./3.5.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.6 private-etc"
-./3.6.exp notworking $CHROOT
+./3.6.exp notworking "$CHROOT"
echo "TESTING: 3.7 private-tmp"
-./3.7.exp $OVERLAY $CHROOT
+./3.7.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.8 private-bin"
./3.8.exp notworking notworking
echo "TESTING: 3.9 whitelist dev"
-./3.9.exp $OVERLAY $CHROOT
+./3.9.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.10 whitelist tmp"
-./3.10.exp $OVERLAY $CHROOT
+./3.10.exp "$OVERLAY" "$CHROOT"
echo "TESTING: 3.11 mkdir"
-./3.11.exp $OVERLAY $CHROOT
+./3.11.exp "$OVERLAY" "$CHROOT"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/apparmor.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test1 --apparmor\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --name=test2 --apparmor\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -30,7 +30,7 @@
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "AppArmor: firejail-default enforce"
+ "AppArmor: firejail-default//&unconfined enforce"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
@@ -38,21 +38,21 @@
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "AppArmor: firejail-default enforce"
+ "AppArmor: firejail-default//&unconfined enforce"
}
after 100
send -- "firejail --apparmor.print=test1\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
- "AppArmor: firejail-default enforce"
+ "AppArmor: firejail-default//&unconfined enforce"
}
after 100
send -- "firejail --apparmor.print=test2\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "AppArmor: firejail-default enforce"
+ "AppArmor: firejail-default//&unconfined enforce"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/caps-join.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -20,7 +20,7 @@
send -- "firejail --name=jointesting\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -44,7 +44,7 @@
send -- "firejail --name=jointesting --noprofile\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -76,7 +76,7 @@
send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
expect {
timeout {puts "TESTING ERROR20\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/caps-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -42,7 +42,7 @@
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/caps.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --caps.keep=chown,fowner --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -29,7 +29,7 @@
send -- "firejail --caps.drop=all --noprofile\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -48,7 +48,7 @@
send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -81,7 +81,7 @@
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"Drop CAP_" {puts "TESTING ERROR 14\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
@@ -93,7 +93,7 @@
#send -- "firejail --profile=caps2.profile\r"
#expect {
# timeout {puts "TESTING ERROR 15\n";exit}
-# "Child process initialized"
+# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
#}
#after 100
#
@@ -113,7 +113,7 @@
send -- "firejail --profile=caps3.profile\r"
expect {
timeout {puts "TESTING ERROR 18\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/debug.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/filters.sh
^
|
@@ -1,40 +1,54 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-if [ -f /etc/debian_version ]; then
+if [[ -f /etc/debian_version ]]; then
libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)")
export PATH="$PATH:$libdir"
fi
export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
-if [ -f /sys/kernel/security/apparmor/profiles ]; then
+if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
echo "TESTING: apparmor (test/filters/apparmor.exp)"
./apparmor.exp
else
echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
fi
-if [ "$(uname -m)" = "x86_64" ]; then
- echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)"
- ./memwrexe.exp
-elif [ "$(uname -m)" = "i686" ]; then
- echo "TESTING: memory-deny-write-execute (test/filters/memwrexe-32.exp)"
- ./memwrexe-32.exp
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)"
+ ./memwrexe.exp
+elif [[ $(uname -m) == "i686" ]]; then
+ echo "TESTING: memory-deny-write-execute (test/filters/memwrexe-32.exp)"
+ ./memwrexe-32.exp
+else
+ echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686."
+fi
+
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)"
+ ./namespaces.exp
+elif [[ $(uname -m) == "i686" ]]; then
+ echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)"
+ ./namespaces-32.exp
else
- echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686."
+ echo "TESTING SKIP: namespaces binary only running on x86_64 and i686."
fi
echo "TESTING: debug options (test/filters/debug.exp)"
./debug.exp
-echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
-./seccomp-run-files.exp
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
+ ./seccomp-run-files.exp
+else
+ echo "TESTING SKIP: seccomp-run-files test implemented only for x86_64."
+fi
echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
./seccomp-postexec.exp
@@ -57,33 +71,33 @@
./caps-join.exp
rm -f seccomp-test-file
-if [ "$(uname -m)" = "x86_64" ]; then
- echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
- ./fseccomp.exp
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
+ ./fseccomp.exp
else
- echo "TESTING SKIP: fseccomp test implemented only for x86_64"
+ echo "TESTING SKIP: fseccomp test implemented only for x86_64"
fi
rm -f seccomp-test-file
-if [ "$(uname -m)" = "x86_64" ]; then
- echo "TESTING: protocol (test/filters/protocol.exp)"
- ./protocol.exp
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: protocol (test/filters/protocol.exp)"
+ ./protocol.exp
else
- echo "TESTING SKIP: protocol, running only on x86_64"
+ echo "TESTING SKIP: protocol, running only on x86_64"
fi
echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
./seccomp-bad-empty.exp
-if [ "$(uname -m)" = "x86_64" ]; then
- echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)"
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)"
./seccomp-debug.exp
-elif [ "$(uname -m)" = "i686" ]; then
- echo "TESTING: seccomp debug (test/filters/seccomp-debug-32.exp)"
+elif [[ $(uname -m) == "i686" ]]; then
+ echo "TESTING: seccomp debug (test/filters/seccomp-debug-32.exp)"
./seccomp-debug-32.exp
else
- echo "TESTING SKIP: protocol, running only on x86_64 and i686"
+ echo "TESTING SKIP: protocol, running only on x86_64 and i686"
fi
echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
@@ -92,12 +106,11 @@
echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
./seccomp-su.exp
-which strace 2>/dev/null
-if [ $? -eq 0 ]; then
- echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)"
- ./seccomp-ptrace.exp
+if command -v strace; then
+ echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)"
+ ./seccomp-ptrace.exp
else
- echo "TESTING SKIP: ptrace, strace not found"
+ echo "TESTING SKIP: ptrace, strace not found"
fi
echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
@@ -111,19 +124,16 @@
echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
./seccomp-empty.exp
-echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
-./seccomp-numeric.exp
-
-if [ "$(uname -m)" = "x86_64" ]; then
- echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
- ./seccomp-dualfilter.exp
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
+ ./seccomp-numeric.exp
else
- echo "TESTING SKIP: seccomp dual, not running on x86_64"
+ echo "TESTING SKIP: seccomp numeric test implemented only for x86_64"
fi
-if [ "$(uname -m)" = "x86_64" ]; then
- echo "TESTING: seccomp join (test/filters/seccomp-join.exp)"
- ./seccomp-join.exp
+if [[ $(uname -m) == "x86_64" ]]; then
+ echo "TESTING: seccomp join (test/filters/seccomp-join.exp)"
+ ./seccomp-join.exp
else
- echo "TESTING SKIP: seccomp join test implemented only for x86_64"
+ echo "TESTING SKIP: seccomp join test implemented only for x86_64"
fi
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/fseccomp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -111,7 +111,7 @@
}
expect {
timeout {puts "TESTING ERROR 9.3\n";exit}
- "ret KILL"
+ "ret ERRNO"
}
|
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe
^
|
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe-32
^
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe-32.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --memory-deny-write-execute ./memwrexe-32 mmap\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
@@ -22,7 +22,7 @@
send -- "firejail --memory-deny-write-execute ./memwrexe-32 mprotect\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
@@ -34,7 +34,7 @@
send -- "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
expect {
timeout {puts "TESTING ERROR 20\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 21\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe.c
^
|
@@ -1,5 +1,5 @@
// This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
+// Copyright (C) 2014-2022 Firejail Authors
// License GPL v2
#include <stdio.h>
@@ -42,6 +42,11 @@
}
void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
+ if (p == MAP_FAILED) {
+ printf("mmap failed\n");
+ return 0;
+ }
+
printf("mmap successful\n");
// wait for expect to timeout
@@ -70,7 +75,12 @@
return 1;
}
- mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+ int rv = mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+ if (rv) {
+ printf("mprotect failed\n");
+ return 1;
+ }
+
printf("mprotect successful\n");
// wait for expect to timeout
@@ -82,7 +92,7 @@
else if (strcmp(argv[1], "memfd_create") == 0) {
int fd = syscall(SYS_memfd_create, "memfd_create", 0);
if (fd == -1) {
- fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+ printf("memfd_create failed\n");
return 1;
}
printf("memfd_create successful\n");
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --memory-deny-write-execute ./memwrexe mmap\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
@@ -22,7 +22,7 @@
send -- "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
@@ -34,7 +34,7 @@
send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
expect {
timeout {puts "TESTING ERROR 20\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 21\n";exit}
|
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces
^
|
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces-32
^
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces-32.exp
^
|
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send -- "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "clone successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send -- "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "unshare successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 17\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 18\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 19\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 21\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 22\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 23\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 24\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 25\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 26\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 27\n";exit}
+ "unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces.c
^
|
@@ -0,0 +1,96 @@
+#define _GNU_SOURCE
+#include <errno.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#ifndef CLONE_NEWTIME
+#define CLONE_NEWTIME 0x00000080
+#endif
+
+#define STACK_SIZE 1024 * 1024
+
+static int usage() {
+ fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
+ exit(1);
+}
+
+static void die(const char *msg) {
+ fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno));
+ exit(1);
+}
+
+static int ns_flags(const char *list) {
+ int flags = 0;
+
+ char *dup = strdup(list);
+ if (!dup)
+ die("cannot allocate memory");
+
+ char *token = strtok(dup, ",");
+ while (token) {
+ if (strcmp(token, "cgroup") == 0)
+ flags |= CLONE_NEWCGROUP;
+ else if (strcmp(token, "ipc") == 0)
+ flags |= CLONE_NEWIPC;
+ else if (strcmp(token, "net") == 0)
+ flags |= CLONE_NEWNET;
+ else if (strcmp(token, "mnt") == 0)
+ flags |= CLONE_NEWNS;
+ else if (strcmp(token, "pid") == 0)
+ flags |= CLONE_NEWPID;
+ else if (strcmp(token, "time") == 0)
+ flags |= CLONE_NEWTIME;
+ else if (strcmp(token, "user") == 0)
+ flags |= CLONE_NEWUSER;
+ else if (strcmp(token, "uts") == 0)
+ flags |= CLONE_NEWUTS;
+ else
+ usage();
+
+ token = strtok(NULL, ",");
+ }
+
+ free(dup);
+ return flags;
+}
+
+static int child(void *arg) {
+ (void) arg;
+
+ fprintf(stderr, "clone successful\n");
+ return 0;
+}
+
+int main (int argc, char **argv) {
+ if (argc != 3)
+ usage();
+
+ int flags = ns_flags(argv[2]);
+ if (getuid() != 0)
+ flags |= CLONE_NEWUSER;
+
+ if (strcmp(argv[1], "clone") == 0) {
+ void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (stack == MAP_FAILED)
+ die("mmap");
+
+ if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
+ die("clone");
+ }
+ else if (strcmp(argv[1], "unshare") == 0) {
+ if (unshare(flags))
+ die("unshare");
+
+ fprintf(stderr, "unshare successful\n");
+ }
+ else
+ usage();
+
+ return 0;
+}
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces.exp
^
|
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send -- "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "clone successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send -- "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "unshare successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 17\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 18\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 19\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 21\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 22\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 23\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 24\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 25\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 26\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 27\n";exit}
+ "unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/noroot.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test --noroot --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -72,7 +72,7 @@
send -- "cat /proc/self/gid_map | wc -l\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
- "5"
+ "9"
}
@@ -81,11 +81,11 @@
send -- "firejail --debug --join=test\r"
expect {
timeout {puts "TESTING ERROR 13\n";exit}
- "User namespace detected"
+ "Joining user namespace"
}
expect {
timeout {puts "TESTING ERROR 14\n";exit}
- "Joining user namespace"
+ "Child process initialized"
}
sleep 1
@@ -104,7 +104,7 @@
send -- "cat /proc/self/gid_map | wc -l\r"
expect {
timeout {puts "TESTING ERROR 17\n";exit}
- "5"
+ "9"
}
# check seccomp disabled and all caps enabled
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/protocol.exp
^
|
@@ -1,185 +1,97 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
-send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
+send -- "firejail --noprofile --protocol=unix --debug\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
- "Child process initialized"
+ "0009: 20 00 00 00000000"
}
expect {
- timeout {puts "TESTING ERROR 1.1\n";exit}
- "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
- "socket AF_INET"
-}
-expect {
- timeout {puts "TESTING ERROR 1.2\n";exit}
- "Operation not supported"
-}
-expect {
- timeout {puts "TESTING ERROR 1.3\n";exit}
- "socket AF_INET6"
-}
-expect {
- timeout {puts "TESTING ERROR 1.4\n";exit}
- "Operation not supported"
-}
-expect {
- timeout {puts "TESTING ERROR 1.5\n";exit}
- "socket AF_NETLINK"
-}
-expect {
- timeout {puts "TESTING ERROR 1.6\n";exit}
- "Operation not supported"
-}
-expect {
- timeout {puts "TESTING ERROR 1.7\n";exit}
- "socket AF_UNIX"
-}
-expect {
- timeout {puts "TESTING ERROR 1.8\n";exit}
- "socket AF_PACKETX"
-}
-expect {
- timeout {puts "TESTING ERROR 1.9\n";exit}
- "Operation not supported"
-}
-sleep 1
-
-send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
-expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 2.1\n";exit}
- "socket AF_INET"
-}
-expect {
- timeout {puts "TESTING ERROR 2.2\n";exit}
- "Operation not supported"
-}
-expect {
- timeout {puts "TESTING ERROR 2.3\n";exit}
- "socket AF_INET6"
-}
-expect {
- timeout {puts "TESTING ERROR 2.4\n";exit}
- "socket AF_NETLINK"
-}
-expect {
- timeout {puts "TESTING ERROR 2.5\n";exit}
- "Operation not supported"
+ "000f: 20 00 00 00000010"
}
expect {
- timeout {puts "TESTING ERROR 2.6\n";exit}
- "socket AF_UNIX"
-}
-expect {
- timeout {puts "TESTING ERROR 2.7\n";exit}
- "Operation not supported"
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "0010: 15 00 01 00000001"
}
expect {
- timeout {puts "TESTING ERROR 2.8\n";exit}
- "socket AF_PACKETX"
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "0011: 06 00 00 7fff0000"
}
expect {
- timeout {puts "TESTING ERROR 2.9\n";exit}
- "after socket"
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "0012: 06 00 00 0005005f"
}
+
+after 100
+send -- "exit\r"
sleep 1
-# profile testing
-send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "socket AF_INET"
-}
-expect {
- timeout {puts "TESTING ERROR 3.2\n";exit}
- "Operation not supported"
-}
-expect {
- timeout {puts "TESTING ERROR 3.3\n";exit}
- "socket AF_INET6"
-}
+send -- "firejail --noprofile --protocol=bluetooth --debug\r"
expect {
- timeout {puts "TESTING ERROR 3.4\n";exit}
- "Operation not supported"
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "0009: 20 00 00 00000000"
}
expect {
- timeout {puts "TESTING ERROR 3.5\n";exit}
- "socket AF_NETLINK"
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "000f: 20 00 00 00000010"
}
expect {
- timeout {puts "TESTING ERROR 3.6\n";exit}
- "Operation not supported"
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "0010: 15 00 01 0000001f"
}
expect {
- timeout {puts "TESTING ERROR 3.7\n";exit}
- "socket AF_UNIX"
+ timeout {puts "TESTING ERROR 14\n";exit}
+ "0011: 06 00 00 7fff0000"
}
expect {
- timeout {puts "TESTING ERROR 3.8\n";exit}
- "socket AF_PACKETX"
-}
-expect {
- timeout {puts "TESTING ERROR 3.9\n";exit}
- "Operation not supported"
+ timeout {puts "TESTING ERROR1 5\n";exit}
+ "0012: 06 00 00 0005005f"
}
+
+after 100
+send -- "exit\r"
sleep 1
-send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
+send -- "firejail --noprofile --protocol=inet,inet6 --debug\r"
expect {
- timeout {puts "TESTING ERROR 4.1\n";exit}
- "socket AF_INET"
+ timeout {puts "TESTING ERROR 31\n";exit}
+ "0009: 20 00 00 00000000"
}
expect {
- timeout {puts "TESTING ERROR 4.2\n";exit}
- "Operation not supported"
+ timeout {puts "TESTING ERROR 32\n";exit}
+ "000f: 20 00 00 00000010"
}
expect {
- timeout {puts "TESTING ERROR 4.3\n";exit}
- "socket AF_INET6"
+ timeout {puts "TESTING ERROR 33\n";exit}
+ "0010: 15 00 01 00000002"
}
expect {
- timeout {puts "TESTING ERROR 4.4\n";exit}
- "socket AF_NETLINK"
+ timeout {puts "TESTING ERROR 34\n";exit}
+ "0011: 06 00 00 7fff0000"
}
expect {
- timeout {puts "TESTING ERROR 4.5\n";exit}
- "Operation not supported"
+ timeout {puts "TESTING ERROR1 35\n";exit}
+ "0012: 15 00 01 0000000a"
}
expect {
- timeout {puts "TESTING ERROR 4.6\n";exit}
- "socket AF_UNIX"
+ timeout {puts "TESTING ERROR 36\n";exit}
+ "0013: 06 00 00 7fff0000"
}
expect {
- timeout {puts "TESTING ERROR 4.7\n";exit}
- "Operation not supported"
-}
-expect {
- timeout {puts "TESTING ERROR 4.8\n";exit}
- "socket AF_PACKETX"
-}
-expect {
- timeout {puts "TESTING ERROR 4.9\n";exit}
- "after socket"
+ timeout {puts "TESTING ERROR 37\n";exit}
+ "0014: 06 00 00 0005005f"
}
+
after 100
+send -- "exit\r"
+
+after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-bad-empty.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-chmod-profile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --profile=seccomp.profile --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-chmod.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-chown.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-debug-32.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -13,19 +13,15 @@
send -- "firejail --debug sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "SECCOMP Filter"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "BLACKLIST"
+ "seccomp entries in /run/firejail/mnt/seccomp/seccomp"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "open_by_handle_at"
+ "jeq open_by_handle_at"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
@@ -34,58 +30,30 @@
after 100
-# i686 architecture
-send -- "firejail --debug sleep 1; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "Installing /run/firejail/mnt/seccomp seccomp filter"
-}
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
-}
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "done"
-}
-after 100
-
-# i686 architecture - ignore seccomp
+# 64 bit architecture - ignore seccomp
send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
- "Child process initialized"
+ "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
+ "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
- timeout {puts "TESTING ERROR 13\n";exit}
- "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+ timeout {puts "TESTING ERROR 16\n";exit}
"done"
}
after 100
-# i686 architecture - ignore protocol
+# 64 bit architecture - ignore protocol
send -- "firejail --debug --ignore=protocol sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 17\n";exit}
- "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 19\n";exit}
- "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
- "Installing /run/firejail/mnt/seccomp seccomp filter"
-}
-expect {
- timeout {puts "TESTING ERROR 21\n";exit}
- "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
+ "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
+ "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 23\n";exit}
@@ -97,11 +65,11 @@
send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 24\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 25\n";exit}
- "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+ "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 26\n";exit}
@@ -109,17 +77,22 @@
}
-# i686 architecture - seccomp.block-secondary
+# 64 bit architecture - seccomp.block-secondary
send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 27\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
- "Child process initialized"
+ "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 29\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
- "Installing /run/firejail/mnt/seccomp seccomp filter"
+ "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+ "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+ timeout {puts "TESTING ERROR 31\n";exit}
+ "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
+ "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 33\n";exit}
@@ -127,17 +100,17 @@
}
after 100
-# i686 architecture - seccomp.block-secondary, profile
+# 64 bit architecture - seccomp.block-secondary, profile
send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 33\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
- "Child process initialized"
+ "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 35\n";exit}
- "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
- "Installing /run/firejail/mnt/seccomp seccomp filter"
+ "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+ "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 37\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-debug.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -21,7 +21,7 @@
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
@@ -34,7 +34,7 @@
send -- "firejail --debug sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
@@ -60,7 +60,7 @@
timeout {puts "TESTING ERROR 10\n";exit}
"Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
@@ -79,7 +79,7 @@
expect {
timeout {puts "TESTING ERROR 17\n";exit}
"Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 19\n";exit}
@@ -101,7 +101,7 @@
send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 24\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 25\n";exit}
@@ -118,7 +118,7 @@
expect {
timeout {puts "TESTING ERROR 27\n";exit}
"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 29\n";exit}
@@ -141,7 +141,7 @@
expect {
timeout {puts "TESTING ERROR 33\n";exit}
"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 35\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-empty.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -42,7 +42,7 @@
}
expect {
timeout {puts "TESTING ERROR 0.7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "exit\r"
@@ -78,7 +78,7 @@
}
expect {
timeout {puts "TESTING ERROR 1.7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "exit\r"
@@ -120,7 +120,7 @@
}
expect {
timeout {puts "TESTING ERROR 2.7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "exit\r"
@@ -156,7 +156,7 @@
}
expect {
timeout {puts "TESTING ERROR 3.7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-errno.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -31,7 +31,7 @@
send -- "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "rm seccomp-test-file\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-join.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-numeric.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-postexec.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,20 +14,17 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "data.architecture"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
"monitoring pid"
}
+sleep 1
+
+send -- "ls\r"
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "Sandbox monitor: waitpid"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Parent is shutting down"
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "not permitted"
}
-sleep 1
+
+send -- "exit\r"
+after 100
puts "all done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-ptrace.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,15 +10,14 @@
send -- "firejail --noprofile --seccomp\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "strace ls\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Bad system call" {puts "version 1\n";}
- " unexpected signal 31" {puts "version 2\n"}
+ "not permitted"
}
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-run-files.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -24,7 +24,7 @@
send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "6"
+ "8"
}
send -- "exit\r"
sleep 1
@@ -90,7 +90,7 @@
send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
expect {
timeout {puts "TESTING ERROR 18\n";exit}
- "8"
+ "10"
}
send -- "exit\r"
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-su.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --noprofile --seccomp\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/cmdline.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/copy.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/default.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -31,9 +31,14 @@
send -- "fnetfilter test1.net,33\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "cannot open test1.net,33"
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "is an invalid filename"
}
after 100
+
send -- "rm outfile\r"
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/fnetfilter.sh
^
|
@@ -1,13 +1,13 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-if [ -f /etc/debian_version ]; then
+if [[ -f /etc/debian_version ]]; then
libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
export PATH="$PATH:$libdir"
fi
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/template.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -66,13 +66,17 @@
send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
- "cannot open test2.net,"
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "is an invalid filename"
}
after 100
send -- "fnetfilter test3.net,44 outfile\r"
expect {
- timeout {puts "TESTING ERROR 13\n";exit}
+ timeout {puts "TESTING ERROR 14\n";exit}
"invalid template argument on line 1"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
@@ -10,25 +10,31 @@
# These directories are required by some tests:
mkdir -p ~/Desktop ~/Documents ~/Downloads ~/Music ~/Pictures ~/Videos
+echo "TESTING: tab completion (test/fs/tab.exp)"
+./tab.exp
+
rm -fr ~/_firejail_test_*
echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)"
./mkdir_mkfile.exp
rm -fr ~/_firejail_test_*
-mkdir ~/_firejail_test_dir
-touch ~/_firejail_test_dir/a
-mkdir ~/_firejail_test_dir/test1
-touch ~/_firejail_test_dir/test1/b
+echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
+./mkdir.exp
+rm -fr ~/_firejail_test_*
+rm -fr /tmp/_firejail_test_*
+
echo "TESTING: read/write (test/fs/read-write.exp)"
./read-write.exp
+rm -fr ~/_firejail_test_dir
+
echo "TESTING: whitelist readonly (test/fs/whitelist-readonly.exp)"
./whitelist-readonly.exp
-rm -fr ~/_firejail_test_*
+rm -f ~/_firejail_test_dir
echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
./sys_fs.exp
-if [ -c /dev/kmsg ]; then
+if [[ -c /dev/kmsg ]]; then
echo "TESTING: kmsg access (test/fs/kmsg.exp)"
./kmsg.exp
else
@@ -37,18 +43,18 @@
echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
./fs_var_tmp.exp
-
-echo "TESTING: private-lib (test/fs/private-lib.exp)"
-./private-lib.exp
+rm -f /var/tmp/_firejail_test_file
echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
./fs_var_lock.exp
+rm -f /var/lock/_firejail_test_file
-if [ -w /dev/shm ]; then
- echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
- ./fs_dev_shm.exp
+if [[ -w /dev/shm ]]; then
+ echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
+ ./fs_dev_shm.exp
+ rm -f /dev/shm/_firejail_test_file
else
- echo "TESTING SKIP: /dev/shm not writable"
+ echo "TESTING SKIP: /dev/shm not writable"
fi
echo "TESTING: private (test/fs/private.exp)"
@@ -56,12 +62,23 @@
echo "TESTING: private home (test/fs/private-home.exp)"
./private-home.exp
+rm -f ~/_firejail_test_file1
+rm -f ~/_firejail_test_file2
+rm -fr ~/_firejail_test_dir1
+rm -f ~/_firejail_test_link1
+rm -f ~/_firejail_test_link2
echo "TESTING: private home dir (test/fs/private-home-dir.exp)"
./private-home-dir.exp
+rm -fr ~/_firejail_test_dir1
echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)"
./private-homedir.exp
+rm -f ~/_firejail_test_file1
+rm -f ~/_firejail_test_file2
+rm -fr ~/_firejail_test_dir1
+rm -f ~/_firejail_test_link1
+rm -f ~/_firejail_test_link2
echo "TESTING: private-etc (test/fs/private-etc.exp)"
./private-etc.exp
@@ -74,6 +91,7 @@
echo "TESTING: private-cache (test/fs/private-cache.exp)"
./private-cache.exp
+rm -f ~/.cache/abcdefg
echo "TESTING: private-cwd (test/fs/private-cwd.exp)"
./private-cwd.exp
@@ -83,6 +101,12 @@
echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
./whitelist-empty.exp
+rm -f ~/Videos/_firejail_test_fil
+rm -f ~/Pictures/_firejail_test_file
+rm -f ~/Music/_firejail_test_file
+rm -f ~/Downloads/_firejail_test_file
+rm -f ~/Documents/_firejail_test_file
+rm -f ~/Desktop/_firejail_test_file
echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
./private-whitelist.exp
@@ -95,9 +119,11 @@
echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
./option_blacklist_file.exp
+rm -fr ~/_firejail_test_dir
echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)"
./option_blacklist_glob.exp
+rm -fr ~/_firejail_test_dir
echo "TESTING: noblacklist blacklist noexec (test/fs/noblacklist-blacklist-noexec.exp)"
./noblacklist-blacklist-noexec.exp
@@ -108,17 +134,17 @@
echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
./option_bind_user.exp
-echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
-./mkdir.exp
-
echo "TESTING: double whitelist (test/fs/whitelist-double.exp)"
./whitelist-double.exp
+rm -f /tmp/_firejail_test_file
echo "TESTING: whitelist (test/fs/whitelist.exp)"
./whitelist.exp
+rm -fr ~/_firejail_test_*
-echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
-./whitelist-dev.exp
+# TODO: whitelist /dev broken in 0.9.72
+#echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
+#./whitelist-dev.exp
echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)"
./whitelist-noexec.exp
@@ -131,6 +157,8 @@
echo "TESTING: fscheck --tmpfs non root (test/fs/fscheck-tmpfs.exp)"
./fscheck-tmpfs.exp
+rm -fr ~/_firejail_test_dir
+rm -fr /tmp/_firejail_test_dir
echo "TESTING: fscheck --private= (test/fs/fscheck-private.exp)"
./fscheck-private.exp
@@ -139,10 +167,4 @@
./fscheck-readonly.exp
#cleanup
-rm -fr ~/fjtest-dir
-rm -fr ~/fjtest-dir-lnk
-rm -f ~/fjtest-file
-rm -f ~/fjtest-file-lnk
-rm -f /tmp/fjtest-file
-rm -fr /tmp/fjtest-dir
-rm -fr ~/_firejail_test_*
+rm -fr ~/_firejail_test*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs_dev_shm.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,18 +11,18 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "stty -echo\r"
-send -- "echo mytest > /dev/shm/ttt;echo done\r"
+send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"done"
}
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"mytest"
@@ -32,13 +32,13 @@
"done"
}
-send -- "rm /dev/shm/ttt;echo done\r"
+send -- "rm /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"done"
}
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"mytest" {puts "TESTING ERROR 6\n";exit}
@@ -52,18 +52,18 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "stty -echo\r"
-send -- "echo mytest > /dev/shm/ttt;echo done\r"
+send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"done"
}
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"mytest"
@@ -73,13 +73,13 @@
"done"
}
-send -- "rm /dev/shm/ttt;echo done\r"
+send -- "rm /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"done"
}
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"mytest" {puts "TESTING ERROR 13\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs_var_lock.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "stty -echo\r"
@@ -53,7 +53,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "stty -echo\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs_var_tmp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,18 +11,18 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "stty -echo\r"
-send -- "echo mytest > /var/tmp/ttt;echo done\r"
+send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"done"
}
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"mytest"
@@ -32,13 +32,13 @@
"done"
}
-send -- "rm /var/tmp/ttt;echo done\r"
+send -- "rm /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"done"
}
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"mytest" {puts "TESTING ERROR 6\n";exit}
@@ -53,18 +53,18 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "stty -echo\r"
-send -- "echo mytest > /var/tmp/ttt;echo done\r"
+send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"done"
}
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"mytest"
@@ -74,13 +74,13 @@
"done"
}
-send -- "rm /var/tmp/ttt;echo done\r"
+send -- "rm /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"done"
}
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"mytest" {puts "TESTING ERROR 13\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-bindnoroot.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-private.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-readonly.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-tmpfs.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -24,7 +24,7 @@
send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 500
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/invalid_filename.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -18,28 +18,6 @@
}
after 100
-send -- "firejail --noprofile --cgroup=\"bla&&bla\"\r"
-expect {
- timeout {puts "TESTING ERROR 2.2\n";exit}
- "Error:"
-}
-expect {
- timeout {puts "TESTING ERROR 2.3\n";exit}
- "is an invalid filename"
-}
-after 100
-
-send -- "firejail --noprofile --chroot=\"bla&&bla\"\r"
-expect {
- timeout {puts "TESTING ERROR 3.2\n";exit}
- "Error:"
-}
-expect {
- timeout {puts "TESTING ERROR 3.3\n";exit}
- "is an invalid filename"
-}
-after 100
-
send -- "firejail --noprofile --netfilter=\"bla&&bla\"\r"
expect {
timeout {puts "TESTING ERROR 4.2\n";exit}
@@ -124,18 +102,6 @@
}
after 100
-send -- "firejail --shell=\"bla&&bla\"\r"
-expect {
- timeout {puts "TESTING ERROR 12.2\n";exit}
- "Error:"
-}
-expect {
- timeout {puts "TESTING ERROR 12.3\n";exit}
- "is an invalid filename"
-}
-after 100
-
-
send -- "firejail --whitelist=\"bla&&bla\"\r"
expect {
timeout {puts "TESTING ERROR 14.2\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/kmsg.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/macro.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --profile=macro-whitelist.profile ls ~\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
@@ -42,7 +42,7 @@
send -- "firejail --profile=macro-blacklist.profile ls ~/Desktop\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
@@ -53,7 +53,7 @@
send -- "firejail --profile=macro-blacklist.profile ls ~/Documents\r"
expect {
timeout {puts "TESTING ERROR 9n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 10\n";exit}
@@ -64,7 +64,7 @@
send -- "firejail --profile=macro-blacklist.profile ls ~/Downloads\r"
expect {
timeout {puts "TESTING ERROR 11n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 12n";exit}
@@ -75,7 +75,7 @@
send -- "firejail --profile=macro-blacklist.profile ls ~/Music\r"
expect {
timeout {puts "TESTING ERROR 13\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 14\n";exit}
@@ -86,7 +86,7 @@
send -- "firejail --profile=macro-blacklist.profile ls ~/Pictures\r"
expect {
timeout {puts "TESTING ERROR 15\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 16\n";exit}
@@ -97,7 +97,7 @@
send -- "firejail --profile=macro-blacklist.profile ls ~/Videos\r"
expect {
timeout {puts "TESTING ERROR 17\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 18\n";exit}
@@ -108,7 +108,7 @@
send -- "firejail --profile=macro-readonly.profile touch ~/Desktop/blablabla\r"
expect {
timeout {puts "TESTING ERROR 19\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 20\n";exit}
@@ -119,7 +119,7 @@
send -- "firejail --profile=macro-readonly.profile touch ~/Documents/blablabla\r"
expect {
timeout {puts "TESTING ERROR 21\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 22\n";exit}
@@ -130,7 +130,7 @@
send -- "firejail --profile=macro-readonly.profile touch ~/Downloads/blablabla\r"
expect {
timeout {puts "TESTING ERROR 23\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 24\n";exit}
@@ -141,7 +141,7 @@
send -- "firejail --profile=macro-readonly.profile touch ~/Music/blablabla\r"
expect {
timeout {puts "TESTING ERROR 25\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 26\n";exit}
@@ -152,7 +152,7 @@
send -- "firejail --profile=macro-readonly.profile touch ~/Pictures/blablabla\r"
expect {
timeout {puts "TESTING ERROR 27\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 28\n";exit}
@@ -163,7 +163,7 @@
send -- "firejail --profile=macro-readonly.profile touch ~/Videos/blablabla\r"
expect {
timeout {puts "TESTING ERROR 29\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 30\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/mkdir.exp
^
|
@@ -1,40 +1,40 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 3
spawn $env(SHELL)
match_max 100000
-send -- "rm -fr ~/.firejail_test\r"
+send -- "rm -fr ~/_firejail_test_dir\r"
after 100
-send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r"
+send -- "firejail --profile=mkdir.profile find ~/_firejail_test_dir\r"
expect {
timeout {puts "TESTING ERROR 1.1\n";exit}
- ".firejail_test/a/b/c/d.txt"
+ "_firejail_test_dir/_firejail_test_file"
}
-send -- "rm -rf ~/.firejail_test\r"
+send -- "rm -rf ~/_firejail_test_dir\r"
after 100
-send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r"
+send -- "firejail --profile=mkdir.profile find /tmp/_firejail_test_dir\r"
expect {
timeout {puts "TESTING ERROR 2.1\n";exit}
- "/tmp/.firejail_test/a/b/c/d.txt"
+ "_firejail_test_dir/_firejail_test_file"
}
-send -- "rm -rf /tmp/.firejail_test\r"
+send -- "rm -rf /tmp/_firejail_test_dir\r"
after 100
set UID [exec id -u]
set fexist [file exist /run/user/$UID]
if { $fexist } {
- send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
+ send -- "firejail --profile=mkdir.profile find /run/user/$UID/_firejail_test_dir\r"
expect {
timeout {puts "TESTING ERROR 3.1\n";exit}
- "/run/user/$UID/.firejail_test/a/b/c/d.txt"
+ "_firejail_test_dir/_firejail_test_file"
}
- send -- "rm -rf /run/user/$UID/.firejail_test\r"
+ send -- "rm -rf /run/user/$UID/_firejail_test_dir\r"
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/mkdir.profile
^
|
@@ -1,6 +1,6 @@
-mkdir ~/.firejail_test/a/b/c
-mkfile ~/.firejail_test/a/b/c/d.txt
-mkdir /tmp/.firejail_test/a/b/c
-mkfile /tmp/.firejail_test/a/b/c/d.txt
-mkdir ${RUNUSER}/.firejail_test/a/b/c
-mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt
+mkdir ~/_firejail_test_dir
+mkfile ~/_firejail_test_dir/_firejail_test_file
+mkdir /tmp/_firejail_test_dir
+mkfile /tmp/_firejail_test_dir/_firejail_test_file
+mkdir ${RUNUSER}/_firejail_test_dir
+mkfile ${RUNUSER}/_firejail_test_dir/_firejail_test_file
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/mkdir_mkfile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
send -- "firejail --private --profile=mkdir_mkfile.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/noblacklist-blacklist-noexec.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
send -- "firejail --noprofile --noblacklist=$PWD --blacklist=$PWD --noexec=$PWD\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/noblacklist-blacklist-readonly.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --noprofile --noblacklist=~ --blacklist=~ --read-only=~\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_bind_user.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_blacklist.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --blacklist=/var\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "stty -echo\r"
@@ -35,4 +35,4 @@
}
after 100
-puts "\n"
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_blacklist_file.exp
^
|
@@ -1,16 +1,21 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
-send -- "firejail --blacklist=/etc/passwd\r"
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+
+send -- "firejail --blacklist=/etc/passwd --blacklist=~/_firejail_test_dir\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -24,5 +29,21 @@
"done"
}
after 100
+send -- "cat ~/_firejail_test_dir/a;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Permission denied"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "done"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
-puts "\n"
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_blacklist_glob.exp
^
|
@@ -1,32 +1,47 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
-send -- "firejail --blacklist=testdir1/*\r"
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
+
+send -- "firejail --blacklist=~/_firejail_test_dir/*\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
-send -- "cd testdir1\r"
+send -- "cd ~/_firejail_test_dir\r"
sleep 1
-send -- "cat .file\r"
+send -- "cat a\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Permission denied"
}
-send -- "ls .directory\r"
+send -- "ls test1\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"Permission denied"
}
after 100
-puts "\n"
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
+
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-bin.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --private-bin=bash,ls,sh\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -40,7 +40,7 @@
send -- "firejail --profile=private-bin.profile\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-cache.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -21,7 +21,7 @@
send -- "firejail --noprofile --private-cache\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-cwd.exp
^
|
@@ -1,52 +1,54 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
-send -- "cd /tmp\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd\r"
+send -- "firejail --private-cwd pwd\r"
expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "$env(HOME)"
}
sleep 1
-send -- "pwd\r"
+send -- "firejail --private-cwd=/etc pwd\r"
expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "$env(HOME)"
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "/etc"
}
-after 100
-
-send -- "exit\r"
sleep 1
-send -- "cd /\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd=/tmp\r"
+send -- "firejail --private --private-cwd=. pwd\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ "invalid private working directory"
}
sleep 1
-send -- "pwd\r"
+after 100
+send -- "firejail --private-cwd='\${HOME}' pwd\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "/tmp"
+ "$env(HOME)"
}
-after 100
+sleep 1
-send -- "exit\r"
+after 100
+send -- "firejail --private-cwd=\"\${HOME}\" pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "$env(HOME)"
+}
sleep 1
+send -- "firejail --profile=private-cwd.profile pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "$env(HOME)"
+}
+after 100
+
puts "all done\n"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-cwd.profile
^
|
@@ -0,0 +1 @@
+private-cwd ${HOME}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-etc-empty.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --private-etc=blablabla\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -26,7 +26,7 @@
send -- "firejail --profile=private-etc-empty.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-etc.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -64,9 +64,6 @@
}
after 100
-
-
-
-
+send -- "exit\r"
after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-home-dir.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -21,16 +21,16 @@
send -- "touch ~/.Xauthority\r"
}
after 100
-send -- "rm -fr ~/_firejail_test_dir_\r"
+send -- "rm -fr ~/_firejail_test_dir1_\r"
after 100
-send -- "mkdir ~/_firejail_test_dir_\r"
+send -- "mkdir ~/_firejail_test_dir1_\r"
sleep 1
# testing profile and private
-send -- "firejail --private=~/_firejail_test_dir_\r"
+send -- "firejail --private=~/_firejail_test_dir1_\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -67,12 +67,12 @@
"private directory is not owned by the current user"
}
sleep 1
-send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+send -- "mkdir ~/_firejail_test_dir1_/test_dir_2\r"
after 100
-send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+send -- "touch ~/_firejail_test_dir1_/test_dir_2/testfile\r"
sleep 1
-send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir1_\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"Disable"
@@ -83,7 +83,7 @@
}
expect {
timeout {puts "TESTING ERROR 12\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -98,7 +98,8 @@
send "exit\r"
sleep 1
-send -- "rm -fr ~/_firejail_test_dir_\r"
+send -- "rm -fr ~/_firejail_test_dir1\r"
after 100
+
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-home.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -26,7 +26,7 @@
send -- "firejail --private-home=_firejail_test_file1,_firejail_test_file2,_firejail_test_dir1\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -86,7 +86,7 @@
send -- "firejail --private-home=_firejail_test_link2\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "file ~/_firejail_test_link2\r"
@@ -95,8 +95,19 @@
"broken symbolic link"
}
send -- "exit\r"
+sleep 1
-send -- "rm -f ~/_firejail_test*\r"
+send -- "echo cleanup\r"
+after 100
+send -- "rm -f ~/_firejail_test_file1\r"
+after 100
+send -- "rm -f ~/_firejail_test_file2\r"
+after 100
+send -- "rm -fr ~/_firejail_test_dir1\r"
+after 100
+send -- "rm -f ~/_firejail_test_link1\r"
+after 100
+send -- "rm -f ~/_firejail_test_link2\r"
after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-homedir.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --private=~\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-whitelist.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -26,7 +26,7 @@
send -- "firejail --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/read-write.exp
^
|
@@ -1,17 +1,25 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -32,4 +40,9 @@
}
after 100
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/sys_fs.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -27,7 +27,7 @@
send -- "firejail --noblacklist=/sys/fs\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/tab.exp
^
|
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --private ls -al\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ ".inputrc"
+}
+sleep 1
+
+send -- "firejail --private --tab ls -al\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ".inputrc" {puts "TESTING ERROR 4\n";exit}
+ "Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail --private --profile=tab.profile ls -al\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ".inputrc" {puts "TESTING ERROR 7\n";exit}
+ "Parent is shutting down"
+}
+sleep 1
+
+puts "\nall done\n"
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/tab.profile
^
|
@@ -0,0 +1 @@
+tab
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-dev.exp
^
|
@@ -1,16 +1,16 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
-send -- "firejail --whitelist=/dev/null --debug\r"
+send -- "firejail --whitelist=/dev/null\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -26,7 +26,7 @@
send -- "firejail --whitelist=/dev/null --whitelist=/dev/random\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -42,7 +42,7 @@
send -- "firejail --private-dev --debug\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -61,6 +61,9 @@
"19" {puts "OK\n"}
"20" {puts "OK\n"}
"21" {puts "OK\n"}
+ "22" {puts "OK\n"}
+ "23" {puts "OK\n"}
+ "24" {puts "OK\n"}
}
after 100
@@ -94,7 +97,7 @@
send -- "firejail --private-dev --nosound ls /dev\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
@@ -111,7 +114,7 @@
send -- "firejail --private-dev --nodvd ls /dev\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
@@ -132,7 +135,7 @@
send -- "firejail --private-dev --no3d ls /dev\r"
expect {
timeout {puts "TESTING ERROR 17\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 18\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-double.exp
^
|
@@ -1,23 +1,23 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
-send -- "echo 123 > /tmp/firejal-deleteme\r"
+send -- "echo 123 > /tmp/_firejail_test_file\r"
sleep 1
-send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r"
+send -- "firejail --whitelist=/tmp/_firejail_test_file --whitelist=/tmp/_firejail_test_file\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
-send -- "cat /tmp/firejal-deleteme\r"
+send -- "cat /tmp/_firejail_test_file\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"123"
@@ -26,13 +26,13 @@
send -- "exit\r"
sleep 1
-send -- "cat /tmp/firejal-deleteme\r"
+send -- "cat /tmp/_firejail_test_file\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"123"
}
-send -- "rm -v /tmp/firejal-deleteme\r"
+send -- "rm -v /tmp/_firejail_test_file\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"removed"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-empty.exp
^
|
@@ -1,16 +1,16 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 30
spawn $env(SHELL)
match_max 100000
-send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
+send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/opt/blablabla\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-noexec.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
send -- "firejail --noprofile --whitelist=$PWD --noexec=$PWD\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-readonly.exp
^
|
@@ -1,17 +1,25 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
send -- "firejail --noprofile --whitelist=~/_firejail_test_dir --read-only=~\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -25,4 +33,6 @@
send -- "exit\r"
sleep 1
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-whitespace.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -13,7 +13,7 @@
send -- "firejail --noprofile --whitelist=~/filewith\\\ \\\ many\\\ whitespaces\\\ \r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -36,7 +36,7 @@
send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -73,7 +73,7 @@
send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -98,7 +98,7 @@
send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
expect {
timeout {puts "TESTING ERROR 20\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/4bridges_arp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -27,7 +27,7 @@
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -53,7 +53,7 @@
}
expect {
timeout {puts "TESTING ERROR 1.4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -80,7 +80,7 @@
}
expect {
timeout {puts "TESTING ERROR 2.4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -108,7 +108,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -137,7 +137,7 @@
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/4bridges_ip.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -27,7 +27,7 @@
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -53,7 +53,7 @@
}
expect {
timeout {puts "TESTING ERROR 1.4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -80,7 +80,7 @@
}
expect {
timeout {puts "TESTING ERROR 2.4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -108,7 +108,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -137,7 +137,7 @@
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
# check default gateway
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/bandwidth.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test --net=br0\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/configure
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
brctl addbr br0
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/dns-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/firemon-arp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -17,7 +17,7 @@
send -- "firejail --name=test1\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -25,7 +25,7 @@
send -- "firejail --name=test2\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/firemon-interfaces.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --net=eth0 --name=test1\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --net=eth0 --name=test2\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/firemon-route.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test1\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --name=test2\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/hostname.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --hostname=bingo --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "stty -echo\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/interface.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
#
# interface
@@ -20,7 +20,7 @@
send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/ip6.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -23,7 +23,7 @@
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -64,7 +64,7 @@
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -90,7 +90,7 @@
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"Installing IPv6 firewall" {puts "TESTING ERROR 12\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/iprange.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -27,7 +27,7 @@
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
@@ -53,7 +53,7 @@
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_arp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,27 +10,27 @@
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
# will fail
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_badip.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_defaultgw.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -27,7 +27,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_defaultgw2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -15,7 +15,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_defaultgw3.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_ip.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -27,7 +27,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -53,7 +53,7 @@
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_local.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -15,7 +15,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -25,7 +25,7 @@
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_mac.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -31,7 +31,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "exit\r"
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_macvlan2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -30,7 +30,7 @@
}
expect {
timeout {puts "TESTING ERROR 0.6\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_mtu.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --net=br0 --mtu=1000 --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_netfilter.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -27,7 +27,7 @@
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -41,7 +41,7 @@
"Chain INPUT (policy DROP" {puts "TESTING ERROR 5.1\n";exit}
"ACCEPT all -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit}
"ACCEPT icmp -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -55,7 +55,7 @@
}
expect {
timeout {puts "TESTING ERROR 6.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "ping -c 1 -w 3 10.10.20.1\r"
@@ -75,7 +75,7 @@
}
expect {
timeout {puts "TESTING ERROR 7.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "ping -c 1 -w 3 10.10.20.1\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_noip.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0" {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_noip2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0" {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_none.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0" {puts "TESTING ERROR 0.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -47,7 +47,7 @@
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"eth0" {puts "TESTING ERROR 3.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_profile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -31,7 +31,7 @@
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_scan.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -23,7 +23,7 @@
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -43,7 +43,7 @@
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -63,7 +63,7 @@
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_unconfigured.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0" {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
@@ -53,7 +53,7 @@
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"eth0" {puts "TESTING ERROR 8\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
@@ -93,7 +93,7 @@
expect {
timeout {puts "TESTING ERROR 14\n";exit}
"eth0" {puts "TESTING ERROR 15\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
@@ -133,7 +133,7 @@
expect {
timeout {puts "TESTING ERROR 21\n";exit}
"eth0" {puts "TESTING ERROR 22\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
@@ -180,7 +180,7 @@
}
expect {
timeout {puts "TESTING ERROR 30\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_veth.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -42,7 +42,7 @@
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
@@ -119,7 +119,7 @@
}
expect {
timeout {puts "TESTING ERROR 27\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/netfilter-template.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -18,7 +18,7 @@
send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5555 ./tcpserver 5555\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/netns.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --netns=red --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/netstats.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --net=eth0 --name=test1\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --net=eth0 --name=test2\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/network.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/tcpserver.c
^
|
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/veth-name.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -23,7 +23,7 @@
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -55,7 +55,7 @@
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/firefox-x11-xorg.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -36,7 +36,7 @@
send -- "firejail --overlay --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/firefox-x11.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -36,7 +36,7 @@
send -- "firejail --name=blablabla --overlay\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/firefox.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 10
@@ -47,7 +47,7 @@
send -- "firejail --name=blablabla --overlay\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/fs-named.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
timeout {puts "TESTING ERROR 2\n";exit}
"not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
"Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
}
sleep 1
send -- "stty -echo\r"
@@ -52,7 +52,7 @@
timeout {puts "TESTING ERROR 2\n";exit}
"not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
"Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/fs-tmpfs.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -21,7 +21,7 @@
timeout {puts "TESTING ERROR 1\n";exit}
"not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
"Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
}
sleep 1
send -- "stty -echo\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/fs.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
timeout {puts "TESTING ERROR 2\n";exit}
"not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
"Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/overlay.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
@@ -22,8 +22,7 @@
./fs-tmpfs.exp
rm -fr ~/_firejail_test_*
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v firefox
then
echo "TESTING: overlay firefox"
./firefox.exp
@@ -31,8 +30,7 @@
echo "TESTING SKIP: firefox not found"
fi
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v firefox
then
echo "TESTING: overlay firefox x11 xorg"
./firefox.exp
@@ -40,26 +38,22 @@
echo "TESTING SKIP: firefox not found"
fi
-
# check xpra/xephyr
-which xpra 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v xpra
then
- echo "xpra found"
+ echo "xpra found"
else
- echo "xpra not found"
- which Xephyr 2>/dev/null
- if [ "$?" -eq 0 ];
+ echo "xpra not found"
+ if command -v Xephyr
then
- echo "Xephyr found"
+ echo "Xephyr found"
else
- echo "TESTING SKIP: xpra and/or Xephyr not found"
+ echo "TESTING SKIP: xpra and/or Xephyr not found"
exit
fi
fi
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v firefox
then
echo "TESTING: overlay firefox x11"
./firefox-x11.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/atril.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/dig.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/eog.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/eom.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/evince.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/galculator.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gedit.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-calculator.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -16,7 +16,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -43,7 +43,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-logs.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-nettool.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-system-log.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gpicview.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/leafpad.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/mousepad.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/pavucontrol.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/pluma.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/private-lib.exp
^
|
@@ -0,0 +1,48 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+send -- "stty -echo\r"
+after 100
+
+send -- "cd /bin; find .\; echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+# "grep" {puts "TESTING ERROR 3\n";exit}
+ "rm" {puts "TESTING ERROR 3\n";exit}
+ "cp" {puts "TESTING ERROR 4\n";exit}
+ "done"
+}
+after 100
+
+send -- "cd /lib; find .\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "./modules" {puts "TESTING ERROR 6\n";exit}
+ "./firmware" {puts "TESTING ERROR 7\n";exit}
+ "libc.so"
+}
+after 100
+
+send -- "cd /usr/lib; find .\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "grub" {puts "TESTING ERROR 9\n";exit}
+ "mozilla" {puts "TESTING ERROR 10\n";exit}
+ "libdl.so"
+}
+after 100
+
+puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/private-lib.sh
^
|
@@ -1,18 +1,16 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3g
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
+apps=(gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog)
-
-for app in $LIST; do
- which $app 2>/dev/null
- if [ "$?" -eq 0 ];
+for app in "${apps[@]}"; do
+ if command -v "$app"
then
echo "TESTING: private-lib $app"
./$app.exp
@@ -20,3 +18,15 @@
echo "TESTING SKIP: $app not found"
fi
done
+
+if [[ $(uname -m) == "x86_64" ]]; then
+ fjconfig=/etc/firejail/firejail.config
+ printf 'private-lib yes\n' | sudo tee -a "$fjconfig" >/dev/null
+ echo "TESTING: private-lib (test/fs/private-lib.exp)"
+ ./private-lib.exp
+ printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" |
+ sudo tee "$fjconfig" >/dev/null
+else
+ echo "TESTING SKIP: private-lib test implemented only for x86_64."
+fi
+
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/transmission-gtk.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/whois.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/xcalc.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 3
@@ -41,7 +41,7 @@
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Added |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/all-profiles.sh
^
|
@@ -0,0 +1,47 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+echo "TESTING: profile comments (test/profiles/profilecomment.exp)"
+./profile_comment.exp
+
+echo "TESTING: profile conditional (test/profiles/conditional.exp)"
+./conditional.exp
+
+echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)"
+./profile_recursivity.exp
+
+echo "TESTING: profile application name (test/profiles/profile_appname.exp)"
+./profile_appname.exp
+
+echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
+./profile_syntax.exp
+
+echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+
+echo "TESTING: ignore command (test/profiles/ignore.exp)"
+./ignore.exp
+
+echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
+./profile_readonly.exp
+
+echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+./profile_followlnk.exp
+
+echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
+./profile_noperm.exp
+
+profiles=( /etc/firejail/*.profile )
+echo "TESTING: default profiles installed in /etc"
+
+for profile in "${profiles[@]}"
+do
+ echo "TESTING: $profile"
+ ./test-profile.exp "$profile"
+done
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/conditional.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
@@ -24,7 +24,7 @@
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"conditional HAS_NODBUS, private" {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/ignore.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -17,7 +17,7 @@
expect {
timeout {puts "TESTING ERROR 1\n";exit}
BLACKLIST {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
@@ -26,7 +26,7 @@
send -- "firejail --ignore=seccomp --ignore=shell --profile=ignore.profile \r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -42,7 +42,7 @@
send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -59,7 +59,7 @@
expect {
timeout {puts "TESTING ERROR 7\n";exit}
BLACKLIST {puts "TESTING ERROR 8\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -69,7 +69,7 @@
send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_appname.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -16,10 +16,6 @@
timeout {puts "TESTING ERROR 1\n";exit}
"Reading profile /etc/firejail/firefox-common.profile"
}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "shell=none configured, but no program specified"
-}
after 100
puts "\nall done\n"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_followlnk.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -16,7 +16,7 @@
send -- "firejail --profile=readonly-lnk.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "ls > /tmp/firejailtestdirlnk/ttt\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_noperm.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_readonly.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
send -- "firejail --profile=readonly.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_recursivity.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_syntax.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --profile=test.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -22,7 +22,7 @@
}
sleep 1
-send -- "ls -l /etc/shadow\r"
+send -- "ls -l /dev/console\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"root root"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_syntax2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profiles.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
@@ -37,18 +37,11 @@
echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
./profile_noperm.exp
-# GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles.
-UID=`id -u`
-if [ -d "/run/user/$UID" ]; then
- PROFILES=`ls /etc/firejail/*.profile`
- echo "TESTING: default profiles installed in /etc"
-else
- PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
- echo "TESTING: small number of default profiles installed in /etc"
-fi
+profiles=( /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile )
+echo "TESTING: small number of default profiles installed in /etc"
-for PROFILE in $PROFILES
+for profile in "${profiles[@]}"
do
- echo "TESTING: $PROFILE"
- ./test-profile.exp $PROFILE
+ echo "TESTING: $profile"
+ ./test-profile.exp "$profile"
done
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/test-profile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/test.profile
^
|
@@ -1,5 +1,5 @@
blacklist /sbin/iptables
-blacklist /etc/shadow
+blacklist /dev/console
blacklist /bin/rmdir
blacklist ${PATH}/umount
blacklist ${PATH}/mount
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/apache2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 5
@@ -10,7 +10,7 @@
send -- "firejail --name=apache /etc/init.d/apache2 start\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/checkcfg.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/firecfg.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/firemon-events.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -18,7 +18,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
# get messages on firemon
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/isc-dhcp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 5
@@ -10,7 +10,7 @@
send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/join.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=jointesting --cpu=0 --nice=2\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -21,14 +21,18 @@
timeout {puts "TESTING ERROR 1\n";exit}
"Switching to pid"
}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
sleep 1
send -- "ps aux\r"
expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
"/bin/bash"
}
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
"/bin/bash"
}
@@ -36,15 +40,15 @@
sleep 1
send -- "firejail --join-network=jointesting\r"
expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ timeout {puts "TESTING ERROR 5\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "exit\r"
sleep 1
send -- "firejail --join-filesystem=jointesting\r"
expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ timeout {puts "TESTING ERROR 6\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/login_nobody.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "su - nobody -s /usr/bin/firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/nginx.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 5
@@ -10,7 +10,7 @@
send -- "firejail --name=nginx /etc/init.d/nginx start\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/option_bind_directory.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --bind=/tmp/chroot,mntpoint\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/option_bind_file.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --bind=tmpfile,/etc/passwd\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/option_tmpfs.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --tmpfs=/var\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/private.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -42,7 +42,7 @@
send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -57,7 +57,7 @@
send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 3.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -80,7 +80,7 @@
send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -95,7 +95,7 @@
send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 5.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/profile_tmpfs.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --profile=tmpfs.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/root.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
# set a new firejail config file
@@ -11,8 +11,7 @@
#********************************
# firecfg
#********************************
-which less 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v less
then
echo "TESTING: firecfg (test/root/firecfg.exp)"
mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store
@@ -25,24 +24,24 @@
#********************************
# servers
#********************************
-if [ -f /etc/init.d/snmpd ]
+if [[ -f /etc/init.d/snmpd ]]
then
echo "TESTING: snmpd (test/root/snmpd.exp)"
./snmpd.exp
else
- echo "TESTING SKIP: snmpd not found"
+ echo "TESTING SKIP: snmpd not found"
fi
-if [ -f /etc/init.d/apache2 ]
+if [[ -f /etc/init.d/apache2 ]]
then
echo "TESTING: apache2 (test/root/apache2.exp)"
./apache2.exp
else
- echo "TESTING SKIP: apache2 not found"
+ echo "TESTING SKIP: apache2 not found"
fi
-if [ -f /etc/init.d/isc-dhcp-server ]
+if [[ -f /etc/init.d/isc-dhcp-server ]]
then
echo "TESTING: isc dhcp server (test/root/isc-dhscp.exp)"
./isc-dhcp.exp
@@ -50,20 +49,20 @@
echo "TESTING SKIP: isc dhcp server not found"
fi
-if [ -f /etc/init.d/unbound ]
+if [[ -f /etc/init.d/unbound ]]
then
echo "TESTING: unbound (test/root/unbound.exp)"
./unbound.exp
else
- echo "TESTING SKIP: unbound not found"
+ echo "TESTING SKIP: unbound not found"
fi
-if [ -f /etc/init.d/nginx ]
+if [[ -f /etc/init.d/nginx ]]
then
echo "TESTING: nginx (test/root/nginx.exp)"
./nginx.exp
else
- echo "TESTING SKIP: nginx not found"
+ echo "TESTING SKIP: nginx not found"
fi
#********************************
@@ -103,9 +102,6 @@
./checkcfg.exp
cp ../../etc/firejail.config /etc/firejail/.
-echo "TESTING: cgroup (test/root/cgroup.exp)"
-./cgroup.exp
-
echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
./option_tmpfs.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/seccomp-chmod.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/seccomp-chown.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/seccomp-umount.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --seccomp --noprofile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/snmpd.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 5
@@ -10,7 +10,7 @@
send -- "firejail --name=snmpd /etc/init.d/snmpd start\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/unbound.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 5
@@ -10,7 +10,7 @@
send -- "firejail --name=unbound unbound\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/whitelist.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -16,7 +16,7 @@
send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -39,7 +39,7 @@
send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -61,7 +61,7 @@
send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -78,7 +78,7 @@
send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -100,7 +100,7 @@
send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/login.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "ssh firejail-test@0\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized" {puts "OK\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
"an existing sandbox was detected" {puts "OK\n"}
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/scp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "ssh firejail-test@0\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized" {puts "OK\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
"an existing sandbox was detected" {puts "OK\n"}
}
sleep 1
@@ -33,7 +33,7 @@
send -- "ssh firejail-test@0\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized" {puts "OK\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
"an existing sandbox was detected" {puts "OK\n"}
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/sftp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "ssh firejail-test@0\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized" {puts "OK\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
"an existing sandbox was detected" {puts "OK\n"}
}
sleep 1
@@ -45,7 +45,7 @@
send -- "ssh firejail-test@0\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized" {puts "OK\n"}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
"an existing sandbox was detected" {puts "OK\n"}
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/ssh.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/blacklist.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
send -- "firejail --profile=blacklist.profile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
while { $i <= $MAXi } {
@@ -36,7 +36,7 @@
send -- "firejail --profile=noblacklist.profile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
while { $i <= $MAXi } {
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/env.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --profile=env.profile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "env | grep FJSTRESS77\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/net_macvlan.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -15,7 +15,7 @@
send -- "firejail --net=eth0 --ip=192.168.1.$i\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
incr i
after 100
@@ -30,7 +30,7 @@
send -- "firejail --net=eth0 --iprange=192.168.1.201,192.168.1.220\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
puts "************ $i ******************\n"
incr i
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/stress.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
@@ -14,7 +14,7 @@
rm blacklist.profile
rm noblacklist.profile
rm env.profile
-for i in `seq 1 100`;
+for i in {1..100}
do
echo "hello" > ~/fj-stress-test/testfile$i
echo "blacklist ~/fj-stress-test/testfile$i" >> blacklist.profile
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/cpio.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/file.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/gzip.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/less.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,6 +11,7 @@
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+ "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
"MALLOC_CHECK"
}
expect {
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/ping.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/strings.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/sysutils.sh
^
|
@@ -1,14 +1,13 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-which cpio 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v cpio
then
echo "TESTING: cpio"
./cpio.exp
@@ -16,8 +15,7 @@
echo "TESTING SKIP: cpio not found"
fi
-#which strings
-#if [ "$?" -eq 0 ];
+#if command -v strings
#then
# echo "TESTING: strings"
# ./strings.exp
@@ -25,8 +23,7 @@
# echo "TESTING SKIP: strings not found"
#fi
-which gzip 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v gzip
then
echo "TESTING: gzip"
./gzip.exp
@@ -34,8 +31,7 @@
echo "TESTING SKIP: gzip not found"
fi
-which xzdec 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v xzdec
then
echo "TESTING: xzdec"
./xzdec.exp
@@ -43,8 +39,7 @@
echo "TESTING SKIP: xzdec not found"
fi
-which xz 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v xz
then
echo "TESTING: xz"
./xz.exp
@@ -52,8 +47,7 @@
echo "TESTING SKIP: xz not found"
fi
-which less 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v less
then
echo "TESTING: less"
./less.exp
@@ -61,8 +55,7 @@
echo "TESTING SKIP: less not found"
fi
-which file 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v file
then
echo "TESTING: file"
./file.exp
@@ -70,8 +63,7 @@
echo "TESTING SKIP: file not found"
fi
-which tar 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v tar
then
echo "TESTING: tar"
./tar.exp
@@ -79,8 +71,7 @@
echo "TESTING SKIP: tar not found"
fi
-which ping 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v ping
then
echo "TESTING: ping"
./ping.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/tar.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/xz.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 60
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/xzdec.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/build.exp
^
|
@@ -1,19 +1,19 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
-send -- "echo testing > ~/firejail-test-file-7699\r"
+send -- "echo testing > ~/_firejail-test-file\r"
after 100
-send -- "firejail --build cat ~/firejail-test-file-7699\r"
+send -- "firejail --build cat ~/_firejail-test-file\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "whitelist $\{HOME\}/firejail-test-file-7699"
+ "whitelist $\{HOME\}/_firejail-test-file"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
@@ -77,7 +77,8 @@
}
after 100
-
+send -- "rm -f ~/_firejail-test-file\r"
+after 100
send -- "firejail --build cat /etc/passwd\r"
expect {
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/caps-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/catchsignal-master.sh
^
|
@@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
./catchsignal.sh &
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/catchsignal.sh
^
|
@@ -1,23 +1,23 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
_term() {
- echo "Caught Signal"
- echo 1
- sleep 1
- echo 2
- sleep 1
- echo 3
- sleep 1
- echo 4
- sleep 1
- echo 5
- sleep 1
+ echo "Caught Signal"
+ echo 1
+ sleep 1
+ echo 2
+ sleep 1
+ echo 3
+ sleep 1
+ echo 4
+ sleep 1
+ echo 5
+ sleep 1
- kill $pid
- exit
+ kill $pid
+ exit
}
trap _term SIGTERM
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/catchsignal2.sh
^
|
@@ -1,45 +1,45 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
_term() {
- echo "Caught Signal"
- echo 1
- sleep 1
- echo 2
- sleep 1
- echo 3
- sleep 1
- echo 4
- sleep 1
- echo 5
- sleep 1
+ echo "Caught Signal"
+ echo 1
+ sleep 1
+ echo 2
+ sleep 1
+ echo 3
+ sleep 1
+ echo 4
+ sleep 1
+ echo 5
+ sleep 1
- echo 10
- sleep 1
- echo 20
- sleep 1
- echo 30
- sleep 1
- echo 40
- sleep 1
- echo 50
- sleep 1
+ echo 10
+ sleep 1
+ echo 20
+ sleep 1
+ echo 30
+ sleep 1
+ echo 40
+ sleep 1
+ echo 50
+ sleep 1
- echo 100
- sleep 1
- echo 200
- sleep 1
- echo 300
- sleep 1
- echo 400
- sleep 1
- echo 500
- sleep 1
+ echo 100
+ sleep 1
+ echo 200
+ sleep 1
+ echo 300
+ sleep 1
+ echo 400
+ sleep 1
+ echo 500
+ sleep 1
- kill $pid
- exit
+ kill $pid
+ exit
}
trap _term SIGTERM
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/command.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/cpu-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test --cpu=0\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "cat /proc/self/status | grep Cpus\r"
@@ -30,7 +30,7 @@
send -- "firejail --name=test --cpu=1\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/dns-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test --dns=1.2.3.4 --dns=::2\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-caps.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=bingo1 --noprofile --caps\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --name=bingo2 --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -26,7 +26,7 @@
send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -34,7 +34,7 @@
send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -42,7 +42,7 @@
send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -50,7 +50,7 @@
send -- "firejail --name=bingo6 --profile=caps1.profile\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -58,7 +58,7 @@
send -- "firejail --name=bingo7 --profile=caps2.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-cpu.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test1\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --name=test2\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-interface.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-name.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-seccomp.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --noprofile --name=bingo1 --seccomp\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --noprofile --name=bingo2\r"
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-version.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/fs-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/help.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join-profile.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --profile=name.profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -21,14 +21,18 @@
timeout {puts "TESTING ERROR 1\n";exit}
"Switching to pid"
}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
sleep 1
send -- "ps aux\r"
expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
"/bin/bash"
}
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
"/bin/bash"
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,32 +11,28 @@
send -- "firejail --name=jointesting --cpu=0 --nice=2\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
spawn $env(SHELL)
-send -- "firejail --shell=none --join=jointesting\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "shell=none set, but no command specified"
-}
-after 100
-
-
send -- "firejail --join=jointesting\r"
expect {
- timeout {puts "TESTING ERROR 1\n";exit}
+ timeout {puts "TESTING ERROR 2\n";exit}
"Switching to pid"
}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
sleep 1
send -- "ps aux\r"
expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
"/bin/bash"
}
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 5\n";exit}
"/bin/bash"
}
@@ -44,13 +40,13 @@
sleep 1
send -- "firejail --join-network=jointesting\r"
expect {
- timeout {puts "TESTING ERROR 4\n";exit}
+ timeout {puts "TESTING ERROR 6\n";exit}
"is only available to root user"
}
after 100
send -- "firejail --join-filesystem=jointesting\r"
expect {
- timeout {puts "TESTING ERROR 5\n";exit}
+ timeout {puts "TESTING ERROR 7\n";exit}
"is only available to root user"
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=\"join testing\"\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -21,14 +21,18 @@
timeout {puts "TESTING ERROR 1\n";exit}
"Switching to pid"
}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
sleep 1
send -- "ps aux\r"
expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
"/bin/bash"
}
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
"/bin/bash"
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join3.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=join\\ testing\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -21,14 +21,18 @@
timeout {puts "TESTING ERROR 1\n";exit}
"Switching to pid"
}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
sleep 1
send -- "ps aux\r"
expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
"/bin/bash"
}
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
"/bin/bash"
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join4.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=123test\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -21,14 +21,18 @@
timeout {puts "TESTING ERROR 1\n";exit}
"Switching to pid"
}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
sleep 1
send -- "ps aux\r"
expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
"/bin/bash"
}
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
"/bin/bash"
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join5.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -9,8 +9,8 @@
send -- "firejail --name=test123 --profile=join5.profile\r"
expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
@@ -19,14 +19,18 @@
timeout {puts "TESTING ERROR 1\n";exit}
"Switching to pid"
}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
sleep 1
send -- "ps aux\r"
expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
"/bin/bash"
}
expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
"/bin/bash"
}
@@ -35,11 +39,11 @@
send -- "firejail --protocol.print=test123\r"
expect {
- timeout {puts "TESTING ERROR 4\n";exit}
+ timeout {puts "TESTING ERROR 5\n";exit}
"Switching to pid"
}
expect {
- timeout {puts "TESTING ERROR 5\n";exit}
+ timeout {puts "TESTING ERROR 6\n";exit}
"unix"
}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/list.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -18,7 +18,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -26,7 +26,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/ls.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -14,7 +14,7 @@
send -- "firejail --private --name=test\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "echo my_testing > ~/lstesting\r"
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/man.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,6 +11,7 @@
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+ "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
"Linux namespaces sandbox program"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/name.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -19,7 +19,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -27,7 +27,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -35,7 +35,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -43,7 +43,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -51,7 +51,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -59,7 +59,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -67,7 +67,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -75,7 +75,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -83,7 +83,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -91,7 +91,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -99,7 +99,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/profile_print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -11,7 +11,7 @@
send -- "firejail --name=ftest\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/protocol-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/seccomp-print.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 15
@@ -11,7 +11,7 @@
send -- "firejail --name=shutdowntesting\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
@@ -44,7 +44,7 @@
send -- "firejail --shutdown=1\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
- "this is not a firejail sandbox"
+ "Error: no valid sandbox"
}
after 100
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown2.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
send -- "firejail --name=shutdowntesting ./catchsignal.sh\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown3.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
send -- "firejail --name=shutdowntesting ./catchsignal-master.sh\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown4.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -12,7 +12,7 @@
send -- "firejail --name=shutdowntesting ./catchsignal2.sh\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/top.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail --name=test1\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
@@ -18,7 +18,7 @@
send -- "firejail --name=test2\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/trace.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 30
@@ -10,7 +10,7 @@
send -- "firejail --trace mkdir ttt\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
@@ -21,7 +21,7 @@
send -- "firejail --trace rmdir ttt\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
@@ -32,7 +32,7 @@
send -- "firejail --trace touch ttt\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
@@ -44,7 +44,7 @@
send -- "firejail --trace rm ttt\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
@@ -55,7 +55,7 @@
send -- "firejail --trace wget -q debian.org\r"
#expect {
# timeout {puts "TESTING ERROR 8.1\n";exit}
-# "Child process initialized"
+# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
#}
#expect {
# timeout {puts "TESTING ERROR 8.2\n";exit}
@@ -68,10 +68,6 @@
"wget:fopen /etc/wgetrc" {puts "OK\n";}
}
expect {
- timeout {puts "TESTING ERROR 8.4\n";exit}
- "wget:fopen /etc/hosts"
-}
-expect {
timeout {puts "TESTING ERROR 8.5\n";exit}
"wget:connect"
}
@@ -86,7 +82,7 @@
send -- "firejail --trace rm index.html\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 10\n";exit}
@@ -98,7 +94,7 @@
send -- "firejail --trace\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 12\n";exit}
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/tree.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
@@ -10,7 +10,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -18,7 +18,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
@@ -26,7 +26,7 @@
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/utils.sh
^
|
@@ -1,13 +1,13 @@
#!/bin/bash
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
-if [ -f /etc/debian_version ]; then
+if [[ -f /etc/debian_version ]]; then
libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
export PATH="$PATH:$libdir"
fi
@@ -15,8 +15,8 @@
echo "TESTING: build (test/utils/build.exp)"
./build.exp
-rm -f ~/firejail-test-file-7699
-rm -f firejail-test-file-4388
+rm -f ~/_firejail-test-file
+rm -f _firejail-test-file
echo "TESTING: name (test/utils/name.exp)"
./name.exp
@@ -33,13 +33,12 @@
echo "TESTING: help (test/utils/help.exp)"
./help.exp
-which man 2>/dev/null
-if [ "$?" -eq 0 ];
+if command -v man
then
- echo "TESTING: man (test/utils/man.exp)"
- ./man.exp
+ echo "TESTING: man (test/utils/man.exp)"
+ ./man.exp
else
- echo "TESTING SKIP: man not found"
+ echo "TESTING SKIP: man not found"
fi
echo "TESTING: list (test/utils/list.exp)"
@@ -48,12 +47,12 @@
echo "TESTING: tree (test/utils/tree.exp)"
./tree.exp
-if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ];
+if [[ $(grep -c ^processor /proc/cpuinfo) -gt 1 ]]
then
- echo "TESTING: cpu.print (test/utils/cpu-print.exp)"
- ./cpu-print.exp
+ echo "TESTING: cpu.print (test/utils/cpu-print.exp)"
+ ./cpu-print.exp
else
- echo "TESTING SKIP: cpu.print, not enough CPUs"
+ echo "TESTING SKIP: cpu.print, not enough CPUs"
fi
echo "TESTING: fs.print (test/utils/fs-print.exp)"
@@ -129,9 +128,6 @@
echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
./firemon-cpu.exp
-echo "TESTING: firemon cgroup (test/utils/firemon-cgroup.exp)"
-./firemon-cgroup.exp
-
echo "TESTING: firemon version (test/utils/firemon-version.exp)"
./firemon-version.exp
|
[-]
[+]
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/version.exp
^
|
@@ -1,6 +1,6 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
|