Changes - SailfishOS Open Build Service

Changes of Revision 2

[-] [+]	Changed	_service:tar_git:firejail.changes
@@ -1,3 +1,6 @@ +* Wed Mar 22 2023 Tomi Leppänen <tomi.leppanen@jolla.com> - 0.9.72+git1 +- [firejail] Updated upstream to 0.9.72 Fixes JB#59121 + * Fri Nov 19 2021 Simo Piiroinen <simo.piiroinen@jolla.com> - 0.9.66+git3 - [libtrace] Add xstat() tracing and optionally log only failing calls Fixes JB#55650 - [libtrace] Add xstat() tracing and optionally log only failing calls. Fixes JB#55650
[-] [+]	Changed	_service:tar_git:firejail.spec ^
@@ -1,5 +1,5 @@ Name: firejail -Version: 0.9.66+git3 +Version: 0.9.72+git1 Release: 1 Summary: Linux namepaces sandbox program License: GPLv2+ @@ -11,6 +11,7 @@ Patch4: 0004-Implement-template-addition-for-replacing-keys-in-pr.patch Patch5: 0005-Retain-symlink-chains.patch Patch6: 0006-Add-xstat-tracing-and-optionally-log-only-failing-ca.patch +Patch7: 0007-Revert-deprecating-shell-3-5196.patch URL: https://github.com/sailfishos/firejail @@ -54,7 +55,7 @@ %defattr(-,root,root,-) %attr(4755, -, -) %{_bindir}/%{name} %{_bindir}/firemon -%exclude %{_libdir}/%{name}/firecfg.config +%exclude %{_sysconfdir}/%{name}/firecfg.config %{_libdir}/%{name} %dir %{_sysconfdir}/%{name} %config %{_sysconfdir}/%{name}/.config @@ -64,7 +65,7 @@ %files profiles %{_bindir}/firecfg %{_bindir}/jailcheck -%{_libdir}/%{name}/firecfg.config +%{_sysconfdir}/%{name}/firecfg.config %exclude %{_sysconfdir}/%{name}/.config %exclude %{_sysconfdir}/%{name}/disable-.inc %exclude %{_sysconfdir}/%{name}/whitelist-.inc
[-] [+]	Changed	_service:tar_git:0001-Preserve-process-effective-group-for-privileged-grou.patch ^
@@ -8,7 +8,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/include/euid_common.h b/src/include/euid_common.h -index 8d8dd95f..94ae8d24 100644 +index f40cbb9de..63352dfaa 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h @@ -53,7 +53,7 @@ static inline void EUID_PRINT(void) { @@ -20,6 +20,3 @@ } #endif --- -2.31.1 -
[-] [+]	Changed	_service:tar_git:0002-Implement-Sailfish-OS-specific-privileged-data-optio.patch ^
@@ -30,22 +30,22 @@ Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> --- - src/firejail/firejail.h \| 5 +- + src/firejail/firejail.h \| 4 + src/firejail/macros.c \| 9 +++ - src/firejail/main.c \| 112 +++++++++++++++++++++----------------- - src/firejail/profile.c \| 31 +++++++++++ - src/firejail/sandbox.c \| 76 ++++++++++++++++++++++++++ + src/firejail/main.c \| 161 +++++++++++++++----------------------- + src/firejail/profile.c \| 31 ++++++++ + src/firejail/sandbox.c \| 76 ++++++++++++++++++ src/firejail/usage.c \| 1 + - src/firejail/util.c \| 23 +++++--- - src/include/euid_common.h \| 86 ++++++++++++++++++++++------- + src/firejail/util.c \| 27 ++++++- + src/include/euid_common.h \| 86 +++++++++++++++----- src/include/rundefs.h \| 1 + - 9 files changed, 266 insertions(+), 78 deletions(-) + 9 files changed, 277 insertions(+), 119 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h -index 9971d30b..1ea82329 100644 +index 13ee573ad..e922e9593 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h -@@ -163,6 +163,7 @@ typedef struct config_t { +@@ -168,6 +168,7 @@ typedef struct config_t { char home_private_keep; // keep list for private home directory char etc_private_keep; // keep list for private etc directory char opt_private_keep; // keep list for private opt directory @@ -53,7 +53,7 @@ char srv_private_keep; // keep list for private srv directory char bin_private_keep; // keep list for private bin directory char bin_private_lib; // executable list sent by private-bin to private-lib -@@ -455,6 +456,7 @@ int profile_check_line(char ptr, int lineno, const char fname); +@@ -466,6 +467,7 @@ int profile_check_line(char ptr, int lineno, const char fname); // add a profile entry in cfg.profile list; use str to populate the list void profile_add(char str); void profile_add_ignore(const char str); @@ -61,21 +61,19 @@ char profile_list_normalize(char list); char profile_list_compress(char list); void profile_list_augment(char *list, const char items); -@@ -527,7 +529,8 @@ void update_map(char mapping, char map_file); - void wait_for_other(int fd); +@@ -560,6 +562,7 @@ void wait_for_other(int fd); void notify_other(int fd); uid_t pid_get_uid(pid_t pid); --uid_t get_group_id(const char group); -+gid_t get_group_id(const char group); + gid_t get_group_id(const char groupname); +uid_t get_user_id(const char user); - int remove_overlay_directory(void); void flush_stdin(void); int create_empty_dir_as_user(const char dir, mode_t mode); + void create_empty_dir_as_root(const char dir, mode_t mode); diff --git a/src/firejail/macros.c b/src/firejail/macros.c -index cd29d8f8..895ec93a 100644 +index 3f9460041..ac42a77ed 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c -@@ -241,6 +241,13 @@ char expand_macros(const char path) { +@@ -243,6 +243,13 @@ char expand_macros(const char path) { EUID_ROOT(); return new_name; } @@ -89,7 +87,7 @@ else { char directory = resolve_macro(path); if (directory) { -@@ -296,6 +303,8 @@ void invalid_filename(const char fname, int globbing) { +@@ -276,6 +283,8 @@ void invalid_filename(const char fname, int globbing) { ptr = fname + 7; else if (strncmp(ptr, "${RUNUSER}", 10) == 0) ptr = fname + 10; @@ -99,10 +97,10 @@ int id = macro_id(fname); if (id != -1) diff --git a/src/firejail/main.c b/src/firejail/main.c -index 7a0d5283..d42791fc 100644 +index 18e9ae651..129fa9d72 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c -@@ -54,8 +54,7 @@ int __clone2(int (fn)(void ), +@@ -55,8 +55,7 @@ int __clone2(int (fn)(void ), / pid_t ptid, struct user_desc tls, pid_t ctid / ); #endif @@ -112,16 +110,16 @@ #define STACK_SIZE (1024 * 1024) #define STACK_ALIGNMENT 16 -@@ -1000,7 +999,7 @@ int main(int argc, char argv, char envp) { - fix_std_streams(); +@@ -1061,7 +1060,7 @@ int main(int argc, char argv, char envp) { + orig_umask = umask(022); // drop permissions by default and rise them when required - EUID_INIT(); + EUID_INIT(argv); EUID_USER(); - // argument count should be larger than 0 -@@ -2006,6 +2005,12 @@ int main(int argc, char argv, char envp) { + // check standard streams before opening any file +@@ -2083,6 +2082,12 @@ int main(int argc, char argv, char envp) { else exit_err_feature("private-opt"); } @@ -134,14 +132,14 @@ else if (strncmp(argv[i], "--private-srv=", 14) == 0) { if (checkcfg(CFG_PRIVATE_SRV)) { // extract private srv list -@@ -3061,71 +3066,76 @@ int main(int argc, char argv, char envp) { +@@ -3143,124 +3148,88 @@ int main(int argc, char argv, char envp) { - if (arg_noroot) { - // update the UID and GID maps in the new child user namespace + if (arg_noroot) { + // update the UID and GID maps in the new child user namespace - // uid -- char map_path; -- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) -- errExit("asprintf"); +- char map_path; +- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) +- errExit("asprintf"); + / NB: In Linux 4.14 and earlier, id mapping data can have at + * maximum 5 lines - see user_namespaces (7) for details. / + const int id_max = 5; @@ -166,10 +164,7 @@ + } + } + } - -- char map; -- uid_t uid = getuid(); -- if (asprintf(&map, "%d %d 1", uid, uid) == -1) ++ + auto char id_map(void) { + char ptr = map_data; + for (int i = 0; i < id_cnt; ++i) { @@ -180,90 +175,151 @@ + id_cnt = 0; + return map_data; + } -+ + +- char map; +- uid_t uid = getuid(); +- if (asprintf(&map, "%d %d 1", uid, uid) == -1) + // UIDs + if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) - errExit("asprintf"); -- EUID_ROOT(); -- update_map(map, map_path); + errExit("asprintf"); + id_add(0); + id_add(euid_data.uid); + id_add(euid_data.privileged_uid); -+ EUID_ROOT(); + EUID_ROOT(); +- update_map(map, map_path); + update_map(id_map(), map_path); - EUID_USER(); -- free(map); - free(map_path); + EUID_USER(); +- free(map); + free(map_path); -- // gid file +- // gid file + // GIDs if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1) errExit("asprintf"); -- char gidmap[1024]; -- char ptr = gidmap; -- ptr = '\0'; +- char gidmap[1024]; +- char ptr = gidmap; +- ptr = '\0'; - -- // add user group -- gid_t gid = getgid(); -- sprintf(ptr, "%d %d 1\n", gid, gid); -- ptr += strlen(ptr); +- // add user group +- gid_t gid = getgid(); +- sprintf(ptr, "%d %d 1\n", gid, gid); +- ptr += strlen(ptr); +- gid_t g; + id_add(0); + id_add(euid_data.gid); + id_add(euid_data.primary_gid); + id_add(euid_data.privileged_gid); - if (!arg_nogroups) { - // add firejail group -- gid_t g = get_group_id("firejail"); -- if (g) { -- sprintf(ptr, "%d %d 1\n", g, g); -- ptr += strlen(ptr); -- } + if (!arg_nogroups \|\| !check_can_drop_all_groups()) { + // add audio group + if (!arg_nosound) { +- g = get_group_id("audio"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } ++ id_add(get_group_id("audio")); + } - -+ id_add(get_group_id("firejail")); - // add tty group -- g = get_group_id("tty"); -- if (g) { -- sprintf(ptr, "%d %d 1\n", g, g); -- ptr += strlen(ptr); -- } + // add video group + if (!arg_novideo) { +- g = get_group_id("video"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } ++ id_add(get_group_id("video")); + } ++ // We don't use the groups render/vglusers, cdrom/optical ++ // or lp (printers). See JB#59121 for details. - -+ id_add(get_group_id("tty")); - // add audio group -- g = get_group_id("audio"); -- if (g) { -- sprintf(ptr, "%d %d 1\n", g, g); -- ptr += strlen(ptr); -- } +- // add render/vglusers group +- if (!arg_no3d) { +- g = get_group_id("render"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } +- g = get_group_id("vglusers"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } +- } +- +- // add lp group +- if (!arg_noprinters) { +- g = get_group_id("lp"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } +- } +- +- // add cdrom/optical groups +- if (!arg_nodvd) { +- g = get_group_id("cdrom"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } +- g = get_group_id("optical"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } +- } +- + // add input group + if (!arg_noinput) { +- g = get_group_id("input"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } ++ id_add(get_group_id("input")); + } + } +- + if (!arg_nogroups) { +- // add firejail group +- g = get_group_id("firejail"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } - -+ id_add(get_group_id("audio")); - // add video group -- g = get_group_id("video"); -- if (g) { -- sprintf(ptr, "%d %d 1\n", g, g); -- ptr += strlen(ptr); -- } +- // add tty group +- g = get_group_id("tty"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- ptr += strlen(ptr); +- } - -+ id_add(get_group_id("video")); - // add games group -- g = get_group_id("games"); -- if (g) { -- sprintf(ptr, "%d %d 1\n", g, g); -- } +- // add games group +- g = get_group_id("games"); +- if (g) { +- sprintf(ptr, "%d %d 1\n", g, g); +- } ++ // add firejail group ++ id_add(get_group_id("firejail")); ++ // add tty group ++ id_add(get_group_id("tty")); ++ // add games group + id_add(get_group_id("games")); - } + } - EUID_ROOT(); -- update_map(gidmap, map_path); + EUID_ROOT(); +- update_map(gidmap, map_path); + update_map(id_map(), map_path); - EUID_USER(); - free(map_path); - } + EUID_USER(); + free(map_path); + } diff --git a/src/firejail/profile.c b/src/firejail/profile.c -index e52bdc6e..2c226168 100644 +index acf206da6..c5dd43521 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c -@@ -1311,6 +1311,15 @@ int profile_check_line(char ptr, int lineno, const char fname) { +@@ -1382,6 +1382,15 @@ int profile_check_line(char ptr, int lineno, const char fname) { return 0; } @@ -279,7 +335,7 @@ // private /srv list of files and directories if (strncmp(ptr, "private-srv ", 12) == 0) { if (checkcfg(CFG_PRIVATE_SRV)) { -@@ -1808,6 +1817,28 @@ void profile_read(const char fname) { +@@ -1864,6 +1873,28 @@ void profile_read(const char fname) { fclose(fp); } @@ -309,10 +365,10 @@ { / Remove redundant commas. diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c -index fd359c39..5c1676dc 100644 +index 77fe73174..0377293de 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c -@@ -860,6 +860,82 @@ int sandbox(void* sandbox_arg) { +@@ -912,6 +912,82 @@ int sandbox(void* sandbox_arg) { if (arg_private_dev) fs_private_dev(); @@ -396,31 +452,31 @@ if (cfg.chrootdir) fwarning("private-opt feature is disabled in chroot\n"); diff --git a/src/firejail/usage.c b/src/firejail/usage.c -index 888a6ffe..098bf696 100644 +index 0a4c8a483..5b376dc3c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c -@@ -195,6 +195,7 @@ static char usage_str = +@@ -210,6 +210,7 @@ static char usage_str = " --private-cwd=directory - set working directory inside jail.\n" " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" + " --privileged-data=directory - whitelist privileged user data directory.\n" " --profile=filename\|profile_name - use a custom profile.\n" " --profile.print=name\|pid - print the name of profile file.\n" - " --profile-path=directory - use this directory to look for profile files.\n" + " --protocol=protocol,protocol,protocol - enable protocol filter.\n" diff --git a/src/firejail/util.c b/src/firejail/util.c -index de31ebdd..110a61da 100644 +index a01290cf2..147e5d22d 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c -@@ -132,7 +132,7 @@ static void clean_supplementary_groups(gid_t gid) { - int i = 0; - while (allowed[i]) { - gid_t g = get_group_id(allowed[i]); -- if (g) { -+ if (g != -1) { - int j; - for (j = 0; j < ngroups; j++) { - if (g == groups[j]) { -@@ -188,9 +188,9 @@ void drop_privs(int nogroups) { +@@ -160,7 +160,7 @@ + } + + gid_t g = get_group_id(groupname); +- if (g && find_group(g, groups, ngroups) >= 0) { ++ if (g != INVALID_GID && find_group(g, groups, ngroups) >= 0) { + new_groups[new_ngroups] = g; + (new_ngroups)++; + } +@@ -281,9 +292,9 @@ void drop_privs(int force_nogroups) { clean_supplementary_groups(gid); // set uid/gid @@ -432,7 +488,7 @@ errExit("setresuid"); } -@@ -851,6 +851,9 @@ void update_map(char mapping, char map_file) { +@@ -871,6 +882,9 @@ void update_map(char mapping, char map_file) { if (mapping[j] == ',') mapping[j] = '\n'; @@ -442,16 +498,10 @@ fd = open(map_file, O_RDWR\|O_CLOEXEC); if (fd == -1) { fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno)); -@@ -976,16 +979,22 @@ uid_t pid_get_uid(pid_t pid) { - - - --uid_t get_group_id(const char group) { -- // find tty group id +@@ -955,11 +969,18 @@ gid_t get_group_id(const char groupname) { - gid_t gid = 0; -+gid_t get_group_id(const char group) { + gid_t gid = INVALID_GID; - struct group g = getgrnam(group); + struct group g = getgrnam(groupname); if (g) gid = g->gr_gid; - @@ -467,10 +517,10 @@ +} + - static int remove_callback(const char fpath, const struct stat sb, int typeflag, struct FTW ftwbuf) { - (void) sb; + // flush stdin if it is connected to a tty and has input + void flush_stdin(void) { diff --git a/src/include/euid_common.h b/src/include/euid_common.h -index 94ae8d24..7e966be5 100644 +index 63352dfaa..29ceaa1bb 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h @@ -24,36 +24,84 @@ @@ -578,7 +628,7 @@ #endif diff --git a/src/include/rundefs.h b/src/include/rundefs.h -index 3db750da..59530eb1 100644 +index 079670f10..5aedcb32b 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h @@ -45,6 +45,7 @@ @@ -589,6 +639,3 @@ #define RUN_SRV_DIR RUN_MNT_DIR "/srv" #define RUN_BIN_DIR RUN_MNT_DIR "/bin" #define RUN_PULSE_DIR RUN_MNT_DIR "/pulse" --- -2.31.1 -
[-] [+]	Changed	_service:tar_git:0003-Add-profile-files-to-a-list-when-processing-argument.patch ^
@@ -16,10 +16,10 @@ 3 files changed, 85 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h -index 1ea82329..28c1d81e 100644 +index e922e9593..4848c3516 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h -@@ -460,6 +460,7 @@ char profile_list_slice(char pos, char *ppos); +@@ -471,6 +471,7 @@ char profile_list_slice(char pos, char ppos); char profile_list_normalize(char list); char profile_list_compress(char list); void profile_list_augment(char list, const char items); @@ -28,10 +28,10 @@ // list.c void list(void); diff --git a/src/firejail/main.c b/src/firejail/main.c -index d42791fc..5d92df2d 100644 +index 129fa9d72..6bebf3143 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c -@@ -2761,6 +2761,9 @@ int main(int argc, char argv, char envp) { +@@ -2846,6 +2846,9 @@ int main(int argc, char argv, char envp) { break; } } @@ -42,12 +42,12 @@ // exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line diff --git a/src/firejail/profile.c b/src/firejail/profile.c -index 2c226168..2c172ad1 100644 +index c5dd43521..4ca9bc2cd 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c -@@ -28,6 +28,18 @@ extern char xephyr_screen; - - #define MAX_READ 8192 // line buffer for profile files +@@ -29,6 +29,18 @@ extern char xephyr_screen; + #define MAX_READ 8192 // line buffer for profile files + #define MAX_LIST 16384 // size limit for argument lists +typedef struct profile_file_name_t { + char fname; @@ -64,7 +64,7 @@ // find and read the profile specified by name from dir directory // return 1 if a profile was found static int profile_find(const char name, const char dir, int add_ext) { -@@ -1678,6 +1690,27 @@ void profile_add(char str) { +@@ -1722,6 +1734,27 @@ void profile_add(char str) { ptr->next = prf; } @@ -92,7 +92,7 @@ // read a profile file static int include_level = 0; void profile_read(const char fname) { -@@ -1726,6 +1759,11 @@ void profile_read(const char fname) { +@@ -1770,6 +1803,11 @@ void profile_read(const char fname) { } } @@ -104,7 +104,7 @@ // open profile file: FILE fp = fopen(fname, "re"); if (fp == NULL) { -@@ -1817,6 +1855,49 @@ void profile_read(const char fname) { +@@ -1873,6 +1911,49 @@ void profile_read(const char fname) { fclose(fp); } @@ -154,6 +154,3 @@ char profile_list_slice(char pos, char ppos) { / Extract token from comma separated list. --- -2.31.1 -
[-] [+]	Changed	_service:tar_git:0004-Implement-template-addition-for-replacing-keys-in-pr.patch ^
@@ -1,8 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Jussi Laakkonen <jussi.laakkonen@jolla.com> Date: Fri, 7 May 2021 18:29:29 +0300 -Subject: [PATCH] Implement template addition for replacing keys in profile - files +Subject: [PATCH] Implement template addition for replacing keys in profile files Implement template addition to pass templates as key value pairs as cmd line parameters to replace the keys in read profile file lines to allow @@ -78,7 +77,7 @@ create mode 100644 src/firejail/template.c diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c -index 9a4cb2e6..80385376 100644 +index 66738bd4b..8160bc6be 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c @@ -41,7 +41,7 @@ @@ -91,11 +90,11 @@ static pid_t dbus_proxy_pid = 0; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h -index 28c1d81e..77e5a830 100644 +index 4848c3516..c245e40e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h -@@ -888,6 +888,8 @@ void set_x11_run_file(pid_t pid, int display); - void set_profile_run_file(pid_t pid, const char fname); +@@ -922,6 +922,8 @@ void set_sandbox_run_file(pid_t pid, pid_t child); + void release_sandbox_lock(void); // dbus.c +#define DBUS_MAX_NAME_LENGTH 255 @@ -103,9 +102,9 @@ int dbus_check_name(const char name); int dbus_check_call_rule(const char name); void dbus_check_profile(void); -@@ -906,4 +908,10 @@ void dhcp_start(void); - // selinux.c - void selinux_relabel_path(const char path, const char inside_path); +@@ -946,4 +948,10 @@ void run_ids(int argc, char argv); + // oom.c + void oom_set(const char oom_string); +// template.c +void check_template(char arg); @@ -115,10 +114,10 @@ +void template_cleanup(); #endif diff --git a/src/firejail/main.c b/src/firejail/main.c -index 5d92df2d..252371be 100644 +index 6bebf3143..3edfbb09a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c -@@ -2649,6 +2649,11 @@ int main(int argc, char argv, char envp) { +@@ -2764,6 +2764,11 @@ int main(int argc, char argv, char envp) { exit_err_feature("networking"); } #endif @@ -130,7 +129,7 @@ //********************************** // command //********************************* -@@ -2762,6 +2767,9 @@ int main(int argc, char argv, char envp) { +@@ -2847,6 +2852,9 @@ int main(int argc, char argv, char envp) { } } @@ -140,7 +139,7 @@ profile_read_file_list(); EUID_ASSERT(); -@@ -2893,6 +2901,9 @@ int main(int argc, char argv, char envp) { +@@ -2972,6 +2980,9 @@ int main(int argc, char argv, char *envp) { } EUID_ASSERT(); @@ -151,10 +150,10 @@ if (arg_x11_block) x11_block(); diff --git a/src/firejail/profile.c b/src/firejail/profile.c -index 2c172ad1..9f0e5baf 100644 +index 4ca9bc2cd..55b11eb50 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c -@@ -1812,6 +1812,40 @@ void profile_read(const char fname) { +@@ -1868,6 +1868,40 @@ void profile_read(const char fname) { msg_printed = 1; } @@ -197,7 +196,7 @@ include_level++; diff --git a/src/firejail/template.c b/src/firejail/template.c new file mode 100644 -index 00000000..64bcef5e +index 000000000..64bcef5e4 --- /dev/null +++ b/src/firejail/template.c @@ -0,0 +1,504 @@ @@ -706,22 +705,22 @@ + return new_string; +} diff --git a/src/firejail/usage.c b/src/firejail/usage.c -index 098bf696..4598f3c7 100644 +index 5b376dc3c..00af44687 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c -@@ -239,6 +239,7 @@ static char usage_str = - " --shell=none - run the program directly without a user shell.\n" - " --shell=program - set default user shell.\n" +@@ -256,6 +256,7 @@ static char *usage_str = " --shutdown=name\|pid - shutdown the sandbox identified by name or PID.\n" + " --tab - enable shell tab completion in sandboxes using private or\n" + "\twhitelisted home directories.\n" + " --template=KEY:VALUE - set a template KEY with VALUE usable as ${KEY} in profiles\n" " --timeout=hh:mm:ss - kill the sandbox automatically after the time\n" "\thas elapsed.\n" " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n" diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt -index db58e091..b0ff631b 100644 +index 5b16179ac..5544b471f 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt -@@ -965,6 +965,20 @@ Always exit firejail with the first child's exit status. The default behavior is +@@ -1013,6 +1013,20 @@ Always shut down the sandbox after the first child has terminated. The default b Join the sandbox identified by name or start a new one. Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". @@ -743,12 +742,12 @@ .TP \fB/etc/firejail/appname.profile diff --git a/src/man/firejail.txt b/src/man/firejail.txt -index 0462705c..d6036605 100644 +index e5020e37e..1d9e9b16a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt -@@ -2573,6 +2573,23 @@ $ firejail \-\-list +@@ -2870,6 +2870,23 @@ Enable shell tab completion in sandboxes using private or whitelisted home direc .br - $ firejail \-\-shutdown=3272 + $ firejail \-\-private --tab .TP +\fB\-\-template=KEY:VALUE +Define a template \fBKEY\fR with \fBVALUE\fR to have application specific \fB${KEY}\fRs in the profile files replaced with the given value. This is useful, for example, with D-Bus name ownership to make a generic ownership rule to be application specific. See \fB\&\flfirejail-profile\fR\\|(5)\fR for information on how to use the template keys in profile files. Internal macros cannot be overridden with this, in such case firejail quits with an error message. @@ -770,6 +769,3 @@ \fB\-\-timeout=hh:mm:ss Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format. .br --- -2.31.1 -
[-] [+]	Changed	_service:tar_git:0005-Retain-symlink-chains.patch ^
@@ -1,4 +1,4 @@ -From 8ad599674872d433f8410e3ebd5f2d6793f431fd Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Simo Piiroinen <simo.piiroinen@jolla.com> Date: Tue, 19 Oct 2021 11:43:31 +0300 Subject: [PATCH] Retain symlink chains @@ -25,11 +25,11 @@ Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> --- - src/fcopy/main.c \| 136 +++++++++++++++++++---------------------------- - 1 file changed, 56 insertions(+), 80 deletions(-) + src/fcopy/main.c \| 125 +++++++++++++++++++---------------------------- + 1 file changed, 50 insertions(+), 75 deletions(-) diff --git a/src/fcopy/main.c b/src/fcopy/main.c -index 31810de9..a5421500 100644 +index b0b7f7024..c99b56b7e 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -22,6 +22,7 @@ @@ -40,7 +40,7 @@ #include <fcntl.h> #ifndef O_PATH -@@ -180,77 +181,58 @@ static void mkdir_attr(const char fname, mode_t mode, uid_t uid, gid_t gid) { +@@ -181,78 +182,58 @@ static void mkdir_attr(const char fname, mode_t mode, uid_t uid, gid_t gid) { } } @@ -48,7 +48,10 @@ - assert(target); - char use_target = 0; - char proc_pid = 0; -- ++void copy_link(const char target, const char linkpath) { ++ int failed = 1; ++ char linkdata = NULL; + - if (!(use_target = realpath(target, NULL))) - goto done; - @@ -56,53 +59,82 @@ - static const char proc[] = "/proc/"; - if (strncmp(use_target, proc, sizeof(proc) - 1)) - goto done; -- ++ // if the link is already there, don't create it ++ struct stat s; ++ if (lstat(linkpath, &s) == 0) ++ goto success; + - int digit = use_target[sizeof(proc) - 1]; - if (digit < '1' \|\| digit > '9') - goto done; -- ++ // read source symlink ++ if (lstat(target, &s) == -1) ++ goto failure; + - // check where /proc/self points to - static const char proc_self[] = "/proc/self"; -- if (!(proc_pid = realpath(proc_self, NULL))) +- proc_pid = realpath(proc_self, NULL); +- if (proc_pid == NULL) - goto done; -- ++ if (!S_ISLNK(s.st_mode)) ++ goto failure; + - // redirect /proc/PID/xxx -> /proc/self/XXX - size_t pfix = strlen(proc_pid); - if (strncmp(use_target, proc_pid, pfix)) - goto done; -- ++ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX; ++ if (!(linkdata = malloc(linksize))) ++ goto failure; + - if (use_target[pfix] != 0 && use_target[pfix] != '/') - goto done; -- ++ ssize_t rc = readlink(target, linkdata, linksize); ++ if (rc < 0) { ++ if (!arg_quiet) ++ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target); ++ goto failure; ++ } + - char tmp; - if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) { - if (arg_debug) - fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp); - free(use_target); - use_target = tmp; -- } ++ if (rc >= linksize) { ++ if (!arg_quiet) ++ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target); ++ goto failure; + } - else - errExit("asprintf"); -- + -done: - if (proc_pid) - free(proc_pid); - return use_target; -} -- ++ linkdata[rc] = 0; + -void copy_link(const char target, const char linkpath, mode_t mode, uid_t uid, gid_t gid) { - (void) mode; - (void) uid; - (void) gid; -+void copy_link(const char target, const char linkpath) { -+ int failed = 1; -+ char linkdata = NULL; ++ // duplicate at the given path ++ if (symlink(linkdata, linkpath) == -1) { ++ if (!arg_quiet) ++ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath); ++ goto failure; ++ } - // if the link is already there, don't create it - struct stat s; - if (lstat(linkpath, &s) == 0) +- // if the link is already there, don't create it +- struct stat s; +- if (lstat(linkpath, &s) == 0) - return; -- ++ if (arg_debug) ++ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata); + - char rp = proc_pid_to_self(target); - if (rp) { - if (symlink(rp, linkpath) == -1) { @@ -110,61 +142,24 @@ - goto errout; - } - free(rp); -+ goto success; -+ -+ // read source symlink -+ if (lstat(target, &s) == -1) -+ goto failure; -+ -+ if (!S_ISLNK(s.st_mode)) -+ goto failure; -+ -+ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX; -+ if (!(linkdata = malloc(linksize))) -+ goto failure; -+ -+ ssize_t rc = readlink(target, linkdata, linksize); -+ if (rc < 0) { -+ if (!arg_quiet) -+ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target); -+ goto failure; -+ } -+ -+ if (rc >= linksize) { -+ if (!arg_quiet) -+ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target); -+ goto failure; - } +- } - else - goto errout; - -- return; --errout: -- if (!arg_quiet) -- fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); -+ linkdata[rc] = 0; -+ -+ // duplicate at the given path -+ if (symlink(linkdata, linkpath) == -1) { -+ if (!arg_quiet) -+ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath); -+ goto failure; -+ } -+ -+ if (arg_debug) -+ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata); -+ +success: + failed = 0; +failure: + if (failed && !arg_quiet) + fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", linkpath); -+ + +- return; +-errout: +- if (!arg_quiet) +- fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); + free(linkdata); } -@@ -310,7 +292,7 @@ static int fs_copydir(const char infname, const struct stat st, int ftype, str +@@ -310,7 +291,7 @@ static int fs_copydir(const char infname, const struct stat st, int ftype, str mkdir_attr(outfname, mode, uid, gid); } else if (ftype == FTW_SL) { @@ -173,7 +168,7 @@ } out: free(outfname); -@@ -396,22 +378,16 @@ static void duplicate_file(const char src, const char dest, struct stat s) { +@@ -396,22 +377,16 @@ static void duplicate_file(const char src, const char dest, struct stat s) { static void duplicate_link(const char src, const char dest, struct stat s) { char rsrc = check(src); // we drop the result and use the original name char rdest = check(dest); @@ -188,6 +183,9 @@ - ptr++; - if (asprintf(&name, "%s/%s", rdest, ptr) == -1) - errExit("asprintf"); +- +- // copy +- copy_link(rsrc, name, mode, uid, gid); + const char linkname = strrchr(src, '/'); + if (linkname++) { + char *linkpath = NULL; @@ -197,13 +195,7 @@ + free(linkpath); + } -- // copy -- copy_link(rsrc, name, mode, uid, gid); -- - free(name); free(rsrc); free(rdest); } --- -2.17.1 -
[-] [+]	Changed	_service:tar_git:0006-Add-xstat-tracing-and-optionally-log-only-failing-ca.patch ^
@@ -1,4 +1,4 @@ -From 9a868fc4de943a4ce25d137a56357ca365cfd234 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Simo Piiroinen <simo.piiroinen@jolla.com> Date: Tue, 9 Nov 2021 16:08:37 +0200 Subject: [PATCH] Add xstat() tracing and optionally log only failing calls @@ -22,15 +22,15 @@ Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> --- - src/libtrace/libtrace.c \| 860 ++++++++++++++++++++++++---------------- - 1 file changed, 509 insertions(+), 351 deletions(-) + src/libtrace/libtrace.c \| 863 ++++++++++++++++++++++++---------------- + 1 file changed, 524 insertions(+), 339 deletions(-) diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c -index d88512b0..d78c6d76 100644 +index aa37bb758..bce5460fa 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c -@@ -20,6 +20,8 @@ - #define _GNU_SOURCE +@@ -21,6 +21,8 @@ + #include <errno.h> #include <stdio.h> #include <stdlib.h> +#include <stdarg.h> @@ -38,7 +38,7 @@ #include <string.h> #include <dlfcn.h> #include <sys/types.h> -@@ -30,90 +32,79 @@ +@@ -30,6 +32,9 @@ #include <arpa/inet.h> #include <sys/un.h> #include <sys/stat.h> @@ -48,26 +48,10 @@ #include <syslog.h> #include <dirent.h> #include "../include/rundefs.h" - --#define tprintf(fp, args...) \ -- do { \ -- if (!fp)\ -- init(); \ -- fprintf(fp, args); \ -- } while(0) -- --// break recursivity on fopen call --typedef FILE (orig_fopen_t)(const char pathname, const char mode); --static orig_fopen_t orig_fopen = NULL; --typedef FILE (orig_fopen64_t)(const char pathname, const char mode); --static orig_fopen64_t orig_fopen64 = NULL; --typedef int (orig_access_t)(const char pathname, int mode); --static orig_access_t orig_access = NULL; -- --// --// library constructor/destructor --// --// Using fprintf to /dev/tty instead of printf in order to fix #561 +@@ -51,67 +56,72 @@ static orig_access_t orig_access = NULL; + // library constructor/destructor + // + // Using fprintf to /dev/tty instead of printf in order to fix #561 +static bool verbose = true; static FILE ftty = NULL; static pid_t mypid = 0; @@ -78,16 +62,10 @@ -void init(void) { - if (ftty) - return; -+static FILE output(void); - +- - orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); - orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); -+__attribute__((format(printf, 1, 2))) static void message(const char fmt, ...) { -+ // We need to ensure that trace logging does not -+ // interfere with errno that application code gets -+ // to see -+ int saved = errno; - +- - // allow environment variable to override defaults - char logfile = getenv("FIREJAIL_TRACEFILE"); - if (!logfile) { @@ -97,57 +75,38 @@ - // else log to associated tty - logfile = "/dev/tty"; - } -+ char text = NULL; -+ va_list va; -+ va_start(va, fmt); -+ if (vasprintf(&text, fmt, va) < 0) -+ text = NULL; -+ va_end(va); - +- - // logfile - unsigned cnt = 0; - while ((ftty = orig_fopen(logfile, "a")) == NULL) { - if (++cnt > 10) { // 10 sec - perror("Cannot open trace log file"); - exit(1); -- } -- sleep(1); -- } -- // line buffered stream -- setvbuf(ftty, NULL, _IOLBF, BUFSIZ); ++static FILE output(void); ++ ++__attribute__((format(printf, 1, 2))) static void message(const char fmt, ...) { ++ // We need to ensure that trace logging does not ++ // interfere with errno that application code gets ++ // to see ++ int saved = errno; ++ ++ char text = NULL; ++ va_list va; ++ va_start(va, fmt); ++ if (vasprintf(&text, fmt, va) < 0) ++ text = NULL; ++ va_end(va); ++ + // As the 1st output() call evaluates mypid & myname, + // it needs to be done before using those variables + FILE file = output() ?: stderr; - -- // pid -- mypid = getpid(); ++ + fprintf(file, "%u:%s:%s\n", mypid, myname, text ?: fmt); + free(text); - -- // process name -- char fname; -- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) { -- FILE fp = orig_fopen(fname, "r"); -- free(fname); -- if (fp) { -- if (fgets(myname, MAXNAME, fp) == NULL) -- strcpy(myname, "unknown"); -- fclose(fp); -- } -- } -- -- // clean '\n' -- char ptr = strchr(myname, '\n'); -- if (ptr) -- ptr = '\0'; -- --// tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname); ++ + errno = saved; - } - --static void fini(void) __attribute__((destructor)); --void fini(void) { -- fclose(ftty); ++} ++ +static void lookup(const char name) { + // Map internally used "silent" wrappers to actual + // functions, for example: silent_fopen() -> fopen() @@ -164,7 +123,24 @@ + if (write(STDERR_FILENO, txt, strlen(txt)) < 0) { + // dontcare + } -+ } + } +- sleep(1); +- } +- // line buffered stream +- setvbuf(ftty, NULL, _IOLBF, BUFSIZ); +- +- // pid +- mypid = getpid(); +- +- // process name +- char fname; +- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) { +- FILE fp = orig_fopen(fname, "r"); +- free(fname); +- if (fp) { +- if (fgets(myname, MAXNAME, fp) == NULL) +- strcpy(myname, "unknown"); +- fclose(fp); + auto void dump_num(unsigned num) { + char stk[16]; + size_t sp = sizeof stk; @@ -173,7 +149,7 @@ + stk[--sp] = '0' + num % 10u; + } while ((num /= 10u) && sp > 0); + dump_str(stk + sp); -+ } + } + dump_num(mypid); + dump_str(":"); + dump_str(myname); @@ -181,12 +157,24 @@ + dump_str(name); + dump_str("'\n"); + abort(); -+ } + } +- +- // clean '\n' +- char ptr = strchr(myname, '\n'); +- if (ptr) +- ptr = '\0'; +- +-// tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname); +-} +- +-static void fini(void) __attribute__((destructor)); +-void fini(void) { +- fclose(ftty); + return addr; } // -@@ -257,459 +248,626 @@ static char translate(XTable table, int val) { +@@ -255,87 +265,164 @@ static char translate(XTable table, int val) { return NULL; } @@ -218,8 +206,11 @@ + snprintf(buff, size, "family %d", addr->sa_family); } + return buff; -+} -+ + } + +-// +-// syscalls +-// +static char socket_repr(int domain, int type, int protocol, char buff, size_t size) { + char domain_buf[16]; + char type_buf[16]; @@ -227,12 +218,21 @@ + const char domain_str; + const char type_str; + const char protocol_str; -+ + +-// open +-typedef int (orig_open_t)(const char pathname, int flags, mode_t mode); +-static orig_open_t orig_open = NULL; +-int open(const char pathname, int flags, mode_t mode) { +- if (!orig_open) +- orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); + if (!(domain_str = translate(socket_domain, domain))) { + snprintf(domain_buf, sizeof domain_buf, "%d", domain); + domain_str = domain_buf; + } -+ + +- int rv = orig_open(pathname, flags, mode); +- tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv); +- return rv; + // glibc uses higher bits for various other purposes +# ifdef SOCK_CLOEXEC + type &= ~SOCK_CLOEXEC; @@ -257,10 +257,17 @@ + return buff; } - // - // syscalls - // +-typedef int (orig_open64_t)(const char pathname, int flags, mode_t mode); +-static orig_open64_t orig_open64 = NULL; +-int open64(const char pathname, int flags, mode_t mode) { +- if (!orig_open64) +- orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); ++// ++// syscalls ++// +- int rv = orig_open64(pathname, flags, mode); +- tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv); +#define REAL(TYPE, ARGS...)\ + static TYPE (real)(ARGS) = NULL;\ + do {\ @@ -269,15 +276,7 @@ + }\ + } while (0) + - // open --typedef int (orig_open_t)(const char pathname, int flags, mode_t mode); --static orig_open_t orig_open = NULL; --int open(const char pathname, int flags, mode_t mode) { -- if (!orig_open) -- orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); -- -- int rv = orig_open(pathname, flags, mode); -- tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv); ++// open +int open(const char pathname, int flags, ...) { + REAL(int, const char pathname, int flags, mode_t mode); + mode_t mode = 0; @@ -292,17 +291,9 @@ + message("%s %s %d %#3o:%d (errno=%d)", __func__, pathname, flags, mode, rv, errno); + else if (verbose) + message("%s %s %d %#3o:%d", __func__, pathname, flags, mode, rv); - return rv; - } - --typedef int (orig_open64_t)(const char pathname, int flags, mode_t mode); --static orig_open64_t orig_open64 = NULL; --int open64(const char pathname, int flags, mode_t mode) { -- if (!orig_open64) -- orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); -- -- int rv = orig_open64(pathname, flags, mode); -- tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv); ++ return rv; ++} ++ +int open64(const char pathname, int flags, ...) { + REAL(int, const char pathname, int flags, mode_t mode); + mode_t mode = 0; @@ -345,17 +336,9 @@ + message("%s %d %s %d %#3o:%d (errno=%d)", __func__, dirfd, pathname, flags, mode, rv, errno); + else if (verbose) + message("%s %d %s %d %#3o:%d", __func__, dirfd, pathname, flags, mode, rv); - return rv; - } - --typedef int (orig_openat64_t)(int dirfd, const char pathname, int flags, mode_t mode); --static orig_openat64_t orig_openat64 = NULL; --int openat64(int dirfd, const char pathname, int flags, mode_t mode) { -- if (!orig_openat64) -- orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); -- -- int rv = orig_openat64(dirfd, pathname, flags, mode); -- tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv); ++ return rv; ++} ++ +int openat64(int dirfd, const char pathname, int flags, ...) { + REAL(int, int dirfd, const char pathname, int flags, mode_t mode); + mode_t mode = 0; @@ -373,14 +356,23 @@ return rv; } +-typedef int (orig_openat64_t)(int dirfd, const char pathname, int flags, mode_t mode); +-static orig_openat64_t orig_openat64 = NULL; +-int openat64(int dirfd, const char pathname, int flags, mode_t mode) { +- if (!orig_openat64) +- orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); - - // fopen +- int rv = orig_openat64(dirfd, pathname, flags, mode); +- tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv); ++// fopen +static FILE silent_fopen(const char pathname, const char mode) { + REAL(FILE , const char pathname, const char mode); + FILE rv = real(pathname, mode); -+ return rv; -+} -+ + return rv; + } + +- +-// fopen FILE fopen(const char pathname, const char mode) { - if (!orig_fopen) - orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); @@ -395,7 +387,9 @@ return rv; } - #ifdef __GLIBC__ +@@ -343,377 +430,475 @@ FILE fopen(const char pathname, const char mode) { + typedef FILE (orig_fopen64_t)(const char pathname, const char mode); + static orig_fopen64_t orig_fopen64 = NULL; FILE fopen64(const char pathname, const char mode) { - if (!orig_fopen64) - orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); @@ -410,7 +404,7 @@ + message("%s %s %s:%p", __func__, pathname, mode, rv); return rv; } - #endif / __GLIBC__ / + #endif - // freopen @@ -431,9 +425,11 @@ return rv; } - #ifdef __GLIBC__ --typedef FILE (orig_freopen64_t)(const char pathname, const char mode, FILE stream); --static orig_freopen64_t orig_freopen64 = NULL; + #ifndef freopen64 + typedef FILE (orig_freopen64_t)(const char pathname, const char mode, FILE stream); + static orig_freopen64_t orig_freopen64 = NULL; ++#endif ++#ifdef __GLIBC__ FILE freopen64(const char pathname, const char mode, FILE stream) { - if (!orig_freopen64) - orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); @@ -448,7 +444,7 @@ + message("%s %s %s %p:%p", __func__, pathname, mode, stream, rv); return rv; } - #endif / __GLIBC__ / + #endif // unlink -typedef int (orig_unlink_t)(const char pathname); @@ -555,9 +551,11 @@ return rv; } - #ifdef __GLIBC__ --typedef int (orig_stat64_t)(const char pathname, struct stat64 statbuf); --static orig_stat64_t orig_stat64 = NULL; + #ifndef stat64 + typedef int (orig_stat64_t)(const char pathname, struct stat64 statbuf); + static orig_stat64_t orig_stat64 = NULL; ++#endif ++#ifdef __GLIBC__ int stat64(const char pathname, struct stat64 statbuf) { - if (!orig_stat64) - orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); @@ -572,7 +570,7 @@ + message("%s %s %p:%d", __func__, pathname, statbuf, rv); return rv; } - #endif / __GLIBC__ / + #endif // lstat -typedef int (orig_lstat_t)(const char pathname, struct stat statbuf); @@ -592,9 +590,11 @@ return rv; } - #ifdef __GLIBC__ --typedef int (orig_lstat64_t)(const char pathname, struct stat64 statbuf); --static orig_lstat64_t orig_lstat64 = NULL; + #ifndef lstat64 + typedef int (orig_lstat64_t)(const char pathname, struct stat64 statbuf); + static orig_lstat64_t orig_lstat64 = NULL; ++#endif ++#ifdef __GLIBC__ int lstat64(const char pathname, struct stat64 statbuf) { - if (!orig_lstat64) - orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); @@ -607,9 +607,7 @@ + return rv; +} +#endif /* __GLIBC__ / - -- int rv = orig_lstat64(pathname, statbuf); -- tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); ++ +int fstatat(int dirfd, const char pathname, struct stat statbuf, int flags) { + REAL(int, int dirfd, const char pathname, struct stat statbuf, int flags); + int rv = real(dirfd, pathname, statbuf, flags); @@ -660,7 +658,9 @@ + message("%s %d %s %p:%d", __func__, vers, pathname, statbuf, rv); + return rv; +} -+ + +- int rv = orig_lstat64(pathname, statbuf); +- tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); +int __lxstat64(int vers, const char pathname, struct stat64 statbuf) { + REAL(int, int vers, const char pathname, struct stat64 statbuf); + int rv = real(vers, pathname, statbuf); @@ -690,7 +690,7 @@ + message("%s %d %d %s %p %d:%d", __func__, vers, dirfd, pathname, statbuf, flags, rv); return rv; } - #endif / __GLIBC__ / + #endif // opendir -typedef DIR (orig_opendir_t)(const char pathname); @@ -711,27 +711,27 @@ } // access -+static int silent_access(const char pathname, int mode) { -+ REAL(int, const char pathname, int mode); -+ int rv = real(pathname, mode); -+ return rv; -+} -+ - int access(const char pathname, int mode) { +-int access(const char pathname, int mode) { - if (!orig_access) - orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); - - int rv = orig_access(pathname, mode); - tprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv); ++static int silent_access(const char pathname, int mode) { ++ REAL(int, const char pathname, int mode); ++ int rv = real(pathname, mode); + return rv; + } + ++int access(const char pathname, int mode) { + int rv = silent_access(pathname, mode); + if (rv == -1) + message("%s %s %d:%d (errno=%d)", __func__, pathname, mode, rv, errno); + else if (verbose) + message("%s %s %d:%d", __func__, pathname, mode, rv); - return rv; - } ++ return rv; ++} -- // connect -typedef int (orig_connect_t)(int sockfd, const struct sockaddr addr, socklen_t addrlen); -static orig_connect_t orig_connect = NULL; @@ -994,19 +994,17 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) { - if (!orig_setresgid) - orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid"); -- -- int rv = orig_setresgid(rgid, egid, sgid); -- tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv); -- + REAL(int, gid_t rgid, gid_t egid, gid_t sgid); + int rv = real(rgid, egid, sgid); + if (rv == -1) + message("%s %d %d %d:%d (errno=%d)", __func__, rgid, egid, sgid, rv, errno); + else if (verbose) + message("%s %d %d %d:%d", __func__, rgid, egid, sgid, rv); - return rv; - } ++ return rv; ++} +- int rv = orig_setresgid(rgid, egid, sgid); +- tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv); +// +// library constructor/destructor +// @@ -1016,31 +1014,35 @@ + exit(EXIT_FAILURE); + message("=== tracelib init() === "); +} -+ + +- return rv; +__attribute__((destructor)) static void fini(void) { + message("=== tracelib fini() === "); + if (ftty) { + fclose(ftty); + ftty = NULL; + } -+} -+ + } + // every time a new process is started, this gets called // it can be used to build things like private-bin -__attribute__((constructor)) -static void log_exec(int argc, char* argv) { - (void) argc; - (void) argv; +- char *buf = realpath("/proc/self/exe", NULL); +- if (buf == NULL) { +- if (errno == ENOMEM) { +- tprintf(ftty, "realpath: %s\n", strerror(errno)); +- exit(1); +__attribute__((constructor)) static void log_exec(void) { - static char buf[PATH_MAX + 1]; - int rv = readlink("/proc/self/exe", buf, PATH_MAX); - if (rv != -1) { -- buf[rv] = '\0'; // readlink does not add a '\0' at the end -- tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); ++ static char buf[PATH_MAX + 1]; ++ int rv = readlink("/proc/self/exe", buf, PATH_MAX); ++ if (rv != -1) { + buf[rv] = '\0'; // readlink does not add a '\0' at the end + message("exec %s:0", buf); - } - } ++ } ++} + +// +// Determining output file @@ -1092,10 +1094,10 @@ + else { + // line buffered stream + setvbuf(ftty, NULL, _IOLBF, BUFSIZ); -+ } -+ } + } +- } else { +- tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); +- free(buf); + } + return ftty; -+} --- -2.17.1 - + }
[-] [+]	Added	_service:tar_git:0007-Revert-deprecating-shell-3-5196.patch ^
@@ -0,0 +1,62 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Suni <daniel.suni@jolla.com> +Date: Fri, 17 Feb 2023 11:48:56 +0200 +Subject: [PATCH] Revert "deprecating --shell (3) (#5196)" + +This reverts commit 7ad735deafa80114a17b20790de63f7e973b1bb4. + +This commit makes firejail attempt to use /bin/bash to launch every process +that uses a "--" argument. Sailjail uses this, but we do not want shell +execution, since it will fail. + +There are a number of bug reports in firejail upstream with regards to this +very odd feature - see e.g. https://github.com/netblue30/firejail/issues/5659 +so for now we will revert the offending commit until the dust settles upstream. +--- + src/firejail/sandbox.c \| 6 +++--- + test/filters/noroot.exp \| 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c +index 0377293de..2a3934807 100644 +--- a/src/firejail/sandbox.c ++++ b/src/firejail/sandbox.c +@@ -537,7 +537,7 @@ void start_application(int no_sandbox, int fd, char set_sandbox_status) { + //************************************* + // start the program without using a shell + //************************************** +- else if (!arg_appimage && !arg_doubledash) { ++ else if (!arg_appimage) { + if (arg_debug) { + int i; + for (i = cfg.original_program_index; i < cfg.original_argc; i++) { +@@ -569,9 +569,9 @@ void start_application(int no_sandbox, int fd, char set_sandbox_status) { + execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); + } + //************************************* +- // start the program using a shell ++ // start the program using a shell (appimages) + //************************************** +- else { // appimage or double-dash ++ else { // appimage + char *arg[5]; + int index = 0; + assert(cfg.usershell); +diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp +index 942aedbcb..66e1e4e27 100755 +--- a/test/filters/noroot.exp ++++ b/test/filters/noroot.exp +@@ -81,11 +81,11 @@ spawn $env(SHELL) + send -- "firejail --debug --join=test\r" + expect { + timeout {puts "TESTING ERROR 13\n";exit} +- "Joining user namespace" ++ "User namespace detected" + } + expect { + timeout {puts "TESTING ERROR 14\n";exit} +- "Child process initialized" ++ "Joining user namespace" + } + sleep 1 +
[-] [+]	Changed	_service ^
@@ -6,7 +6,7 @@ <service name="tar_git"> <param name="url">https://github.com/sailfishos/firejail.git</param> <param name="branch">master</param> - <param name="revision"/> + <param name="revision">45dc642442355edece4d629a01e7d28df20f6e17</param> <param name="token"/> <param name="debian">N</param> <param name="dumb">N</param>
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/.github/workflows/sort.yml ^
@@ -1,22 +0,0 @@ -name: sort.py - -on: - push: - branches: [ master ] - paths: - - 'etc/' - - 'contrib/sort.py' - pull_request: - branches: [ master ] - paths: - - 'etc/' - - 'contrib/sort.py' - -jobs: - profile-sort: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - name: check profiles - run: ./contrib/sort.py etc//{.inc,*.profile} -
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/Makefile.in ^
@@ -1,295 +0,0 @@ -prefix=@prefix@ -exec_prefix=@exec_prefix@ -bindir=@bindir@ -libdir=@libdir@ -datarootdir=@datarootdir@ -mandir=@mandir@ -sysconfdir=@sysconfdir@ - -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -PACKAGE_TARNAME=@PACKAGE_TARNAME@ -DOCDIR=@docdir@ -HAVE_APPARMOR=@HAVE_APPARMOR@ -HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ -BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ -HAVE_SUID=@HAVE_SUID@ -HAVE_MAN=@HAVE_MAN@ - -ifneq ($(HAVE_MAN),no) -MAN_TARGET = man -MAN_SRC = src/man -endif - -COMPLETIONDIRS = src/zsh_completion src/bash_completion - -.PHONY: all -all: all_items mydirs $(MAN_TARGET) filters -APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck -SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee -SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter -MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) -MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so -COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion -MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 -SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp -SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 -ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) - -.PHONY: all_items $(ALL_ITEMS) -all_items: $(ALL_ITEMS) -$(ALL_ITEMS): $(MYDIRS) - $(MAKE) -C $(dir $@) - -.PHONY: mydirs $(MYDIRS) -mydirs: $(MYDIRS) -$(MYDIRS): - $(MAKE) -C $@ - -$(MANPAGES): src/man - ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ - -man: $(MANPAGES) - -filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) -seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize - src/fseccomp/fseccomp default seccomp - src/fsec-optimize/fsec-optimize seccomp - -seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize - src/fseccomp/fseccomp default seccomp.debug allow-debuggers - src/fsec-optimize/fsec-optimize seccomp.debug - -seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize - src/fseccomp/fseccomp secondary 32 seccomp.32 - src/fsec-optimize/fsec-optimize seccomp.32 - -seccomp.block_secondary: src/fseccomp/fseccomp - src/fseccomp/fseccomp secondary block seccomp.block_secondary - -seccomp.mdwx: src/fseccomp/fseccomp - src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx - -seccomp.mdwx.32: src/fseccomp/fseccomp - src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 - -.PHONY: clean -clean: - for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ - $(MAKE) -C $$dir clean; \ - done - $(MAKE) -C test clean - rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail.rpm - rm -f $(SECCOMP_FILTERS) - rm -f test/utils/index.html - rm -f test/utils/wget-log - rm -f test/utils/lstesting - rm -f test/environment/index.html* - rm -f test/environment/wget-log* - rm -fr test/environment/-testdir - rm -f test/environment/logfile* - rm -f test/environment/index.html - rm -f test/environment/wget-log - rm -f test/sysutils/firejail_t* - cd test/compile; ./compile.sh --clean; cd ../.. - -.PHONY: distclean -distclean: clean - for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ - $(MAKE) -C $$dir distclean; \ - done - $(MAKE) -C test distclean - rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh - -realinstall: - # firejail executable - install -m 0755 -d $(DESTDIR)$(bindir) - install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir) -ifeq ($(HAVE_SUID),yes) - chmod u+s $(DESTDIR)$(bindir)/firejail -endif - # firemon executable - install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) - # firecfg executable - install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) - # jailcheck executable - install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) - # libraries and plugins - install -m 0755 -d $(DESTDIR)$(libdir)/firejail - install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config - install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) - # plugins w/o read permission (non-dumpable) - install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) - install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh -ifeq ($(HAVE_CONTRIB_INSTALL),yes) - # contrib scripts - install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/.py contrib/.sh - # vim syntax - install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect - install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax - install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect - install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax -endif - # documents - install -m 0755 -d $(DESTDIR)$(DOCDIR) - install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/* - # profiles and settings - install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail - install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/.profile etc/profile-m-z/.profile etc/inc/.inc etc/net/.net etc/firejail.config - sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" -ifeq ($(BUSYBOX_WORKAROUND),yes) - ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc -endif -ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) - # install apparmor profile - sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" - install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d - sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" - # install apparmor profile customization file - sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;" -endif -ifneq ($(HAVE_MAN),no) - # man pages - install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 - for man in $(MANPAGES); do \ - rm -f $$man.gz; \ - gzip -9n $$man; \ - case "$$man" in \ - .1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \ - .5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \ - esac; \ - done - rm -f $(MANPAGES) $(MANPAGES:%=%.gz) -endif - # bash completion - install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions - install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail - install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon - install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg - # zsh completion - install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions - install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/ - -install: all - $(MAKE) realinstall - -install-strip: all - strip $(ALL_ITEMS) - $(MAKE) realinstall - -uninstall: - rm -f $(DESTDIR)$(bindir)/firejail - rm -f $(DESTDIR)$(bindir)/firemon - rm -f $(DESTDIR)$(bindir)/firecfg - rm -fr $(DESTDIR)$(libdir)/firejail - rm -fr $(DESTDIR)$(libdir)/jailcheck - rm -fr $(DESTDIR)$(datarootdir)/doc/firejail - for man in $(MANPAGES); do \ - rm -f $(DESTDIR)$(mandir)/man5/$$man; \ - rm -f $(DESTDIR)$(mandir)/man1/$$man; \ - done - rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail - rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon - rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg - @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." - -DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES" -DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot" - -dist: - mv config.status config.status.old - mv mkdeb.sh mkdeb.sh.old - make distclean - mv mkdeb.sh.old mkdeb.sh - mv config.status.old config.status - rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz - mkdir -p $(NAME)-$(VERSION)/test - cp -a "$(DISTFILES)" $(NAME)-$(VERSION) - cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test - rm -rf $(NAME)-$(VERSION)/src/tools - find $(NAME)-$(VERSION) -name .svn -delete - tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION) - rm -fr $(NAME)-$(VERSION) - -asc:; ./mkasc.sh $(VERSION) - -deb: dist - ./mkdeb.sh - -deb-apparmor: dist - ./mkdeb.sh -apparmor - -test-compile: dist - cd test/compile; ./compile.sh $(NAME)-$(VERSION) - -.PHONY: rpms -rpms: src/man - ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) - -extras: all - $(MAKE) -C extras/firetools - -cppcheck: clean - cppcheck --force --error-exitcode=1 --enable=warning,performance . - -scan-build: clean - NO_EXTRA_CFLAGS="yes" scan-build make - -# -# make test -# - -TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter -TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) - -$(TEST_TARGETS): - $(MAKE) -C test $(subst test-,,$@) - -test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters - echo "TEST COMPLETE" - -test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters - echo "TEST COMPLETE" - -test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment - echo "TEST COMPLETE" - -########################################## -# Individual tests, some of them require root access -# The tests are very intrusive, by the time you are done -# with them you will need to restart your computer. -########################################## - -# a firejail-test account is required, public/private key setup -test-ssh: - $(MAKE) -C test $(subst test-,,$@) - -# requires root access -test-chroot: - $(MAKE) -C test $(subst test-,,$@) - -# Huge appimage files, not included in "make dist" archive -test-appimage: - $(MAKE) -C test $(subst test-,,$@) - -# Root access, network devices are created before the test -# restart your computer to get rid of these devices -test-network: - $(MAKE) -C test $(subst test-,,$@) - -# requires the same setup as test-network -test-stress: - $(MAKE) -C test $(subst test-,,$@) - -# Tests running a root user -test-root: - $(MAKE) -C test $(subst test-,,$@) - -# OverlayFS is not available on all platforms -test-overlay: - $(MAKE) -C test $(subst test-,,$@) - -# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" - -test-all: test-root test-chroot test-network test-appimage test-overlay - echo "TEST COMPLETE"
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/contrib/firejail-welcome.sh ^
@@ -1,128 +0,0 @@ -#!/bin/bash - -# This file is part of Firejail project -# Copyright (C) 2020-2021 Firejail Authors -# License GPL v2 - -if ! command -v zenity >/dev/null; then - echo "Please install zenity." - exit 1 -fi -if ! command -v sudo >/dev/null; then - echo "Please install sudo." - exit 1 -fi - -export LANG=en_US.UTF8 - -zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM -Welcome to firejail! - -This is a quick setup guide for newbies. - -Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named -<profile-name>.local in ~/.config/firejal. - -Firejail's own configuration can be found at /etc/firejail/firejail.config. - -Please note that running this script a second time can set new options, but does not unset options -set in a previous run. - -Website: https://firejail.wordpress.com -Bug-Tracker: https://github.com/netblue30/firejail/issues -Documentation: -- https://github.com/netblue30/firejail/wiki -- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions -- https://firejail.wordpress.com/documentation-2 -- man:firejail(1) and man:firejail-profile(5) - -PS: If you have any improvements for this script, open an issue or pull request. -EOM -[[ $? -eq 1 ]] && exit 0 - -sed_scripts=() - -read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM -<big><b>Should browsers be allowed to access u2f hardware?</b></big> -EOM - -read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM -<big><b>Should browsers be able to play DRM content?</b></big> - -\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME, -is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary -DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to -allow their execution. Clearly, this may help an attacker to start malicious code. - -NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME. - -HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs. -EOM - -read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM -You maybe want to set some of these advanced options. -EOM - -read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM -<big><b>Should most programs be started in firejail by default?</b></big> -EOM - -read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM -In order to apply these changes, root privileges are required. -You will now be asked to enter your password. -EOM - -read -r -d $'\0' MSG_I_FINISH <<EOM -🥳 -EOM - -if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then - sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/") -fi - -if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then - sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/") -fi - -advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \ - --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \ - --column="" --column=Option --column=Description <<EOM - -force-nonewprivs -Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore. - -restricted-network -Restrict all network related commands except 'net none' to root only. - -seccomp-error-action=kill -Kill programs which violate seccomp rules (default: return a error). -EOM -) - -if [[ $advanced_options == force-nonewprivs ]]; then - sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/") -fi -if [[ $advanced_options == restricted-network ]]; then - sed_scripts+=("-e s/# restricted-network no/restricted-network yes/") -fi -if [[ $advanced_options == seccomp-error-action=kill ]]; then - sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/") -fi - -if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then - run_firecfg=true -fi - -zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED" - -passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK) -if [[ -n "${sed_scripts[*]}" ]]; then - sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; }; -fi -if [[ "$run_firecfg" == "true" ]]; then - sudo -S -p "" -- firecfg <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; }; -fi -sudo -k -unset passwd - -zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/inc/disable-passwdmgr.inc ^
@@ -1,19 +0,0 @@ -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include disable-passwdmgr.local - -blacklist ${HOME}/.config/Bitwarden -blacklist ${HOME}/.config/KeePass -blacklist ${HOME}/.config/keepass -blacklist ${HOME}/.config/keepassx -blacklist ${HOME}/.config/keepassxc -blacklist ${HOME}/.config/KeePassXCrc -blacklist ${HOME}/.config/Sinew Software Systems -blacklist ${HOME}/.fpm -blacklist ${HOME}/.keepass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.keepassxc -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.local/share/KeePass -blacklist ${HOME}/.local/share/keepass -blacklist ${HOME}/.password-store
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/profile-a-l/sway.profile ^
@@ -1,19 +0,0 @@ -# Firejail profile for Sway -# Description: i3-compatible Wayland compositor -# This file is overwritten after every install/update -# Persistent local customizations -include sway.local -# Persistent global definitions -include globals.local - -# all applications started in sway will run in this profile -noblacklist ${HOME}/.config/sway -# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway -noblacklist ${HOME}/.config/i3 -include disable-common.inc - -caps.drop all -netfilter -noroot -protocol unix,inet,inet6 -seccomp
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/profile-m-z/nvm.profile ^
@@ -1,13 +0,0 @@ -# Firejail profile for nvm -# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions -quiet -# This file is overwritten after every install/update -# Persistent local customizations -include nvm.local -# Persistent global definitions -include globals.local - -ignore noroot - -# Redirect -include nodejs-common.profile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/etc/profile-m-z/xlinks2 ^
@@ -1,20 +0,0 @@ -# Firejail profile for xlinks2 -# Description: Text WWW browser (X11) -# This file is overwritten after every install/update -# Persistent local customizations -include xlinks2.local -# Persistent global definitions -# added by included profile -#include globals.local - -noblacklist /tmp/.X11-unix - -include whitelist-common.inc - -# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' -# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line -private-bin xlinks2 -private-etc fonts - -# Redirect -include links2.profile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/mkdeb.sh.in ^
@@ -1,70 +0,0 @@ -#!/bin/sh -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ -# a code archive should already be available - -set -e -NAME=@PACKAGE_NAME@ -VERSION=@PACKAGE_VERSION@ -PACKAGE_TARNAME=@PACKAGE_TARNAME@ -HAVE_APPARMOR=@HAVE_APPARMOR@ -HAVE_SELINUX=@HAVE_SELINUX@ -EXTRA_VERSION=$1 - -CONFIG_ARGS="--prefix=/usr" -if [ -n "$HAVE_APPARMOR" ]; then - CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor" -fi -if [ -n "$HAVE_SELINUX" ]; then - CONFIG_ARGS="$CONFIG_ARGS --enable-selinux" -fi - -TOP=`pwd` -CODE_ARCHIVE="$NAME-$VERSION.tar.xz" -CODE_DIR="$NAME-$VERSION" -INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" -DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" - -echo "***************************************" -echo "code archive: $CODE_ARCHIVE" -echo "code directory: $CODE_DIR" -echo "install directory: $INSTALL_DIR" -echo "debian control directory: $DEBIAN_CTRL_DIR" -echo "*************************************" - -tar -xJvf $CODE_ARCHIVE -#mkdir -p $INSTALL_DIR -cd $CODE_DIR -./configure $CONFIG_ARGS -make -j2 -mkdir debian -DESTDIR=debian make install-strip - -cd .. -echo "*************************************" -SIZE=`du -s $INSTALL_DIR` -echo "install size $SIZE" -echo "***************************************" - -mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian -gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian -rm $INSTALL_DIR/usr/share/doc/firejail/COPYING -install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. -mkdir -p $DEBIAN_CTRL_DIR -sed "s/FIREJAILVER/$VERSION/g" $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control - -mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/ -install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail - -find $INSTALL_DIR/etc -type f \| sed "s,^$INSTALL_DIR,," \| LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles -chmod 644 $DEBIAN_CTRL_DIR/conffiles -find $INSTALL_DIR -type d \| xargs chmod 755 -cd $CODE_DIR -fakeroot dpkg-deb --build debian -lintian --no-tag-display-limit debian.deb -mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb -cd .. -rm -fr $CODE_DIR
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/bash_completion/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: firejail.bash_completion - -include ../common.mk - -firejail.bash_completion: firejail.bash_completion.in - gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp - sed "s\|_SYSCONFDIR_\|$(sysconfdir)\|" < $@.tmp > $@ - rm $@.tmp - -.PHONY: clean -clean: - rm -fr firejail.bash_completion - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/common.mk.in ^
@@ -1,54 +0,0 @@ -# common definitions for all makefiles - -CC=@CC@ -prefix=@prefix@ -exec_prefix=@exec_prefix@ -bindir=@bindir@ -libdir=@libdir@ -sysconfdir=@sysconfdir@ - -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -HAVE_CHROOT=@HAVE_CHROOT@ -HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ -HAVE_NETWORK=@HAVE_NETWORK@ -HAVE_USERNS=@HAVE_USERNS@ -HAVE_X11=@HAVE_X11@ -HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ -HAVE_WHITELIST=@HAVE_WHITELIST@ -HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ -HAVE_APPARMOR=@HAVE_APPARMOR@ -HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ -HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ -HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ -HAVE_GCOV=@HAVE_GCOV@ -HAVE_SELINUX=@HAVE_SELINUX@ -ifeq (@HAVE_SUID@, yes) -HAVE_SUID=-DHAVE_SUID -else -HAVE_SUID= -endif -HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ -HAVE_USERTMPFS=@HAVE_USERTMPFS@ -HAVE_OUTPUT=@HAVE_OUTPUT@ -HAVE_LTS=@HAVE_LTS@ -HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ - -H_FILE_LIST = $(sort $(wildcard .h)) -C_FILE_LIST = $(sort $(wildcard .c)) -OBJS = $(C_FILE_LIST:.c=.o) -BINOBJS = $(foreach file, $(OBJS), $file) - -CFLAGS = @CFLAGS@ -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) -CFLAGS += $(MANFLAGS) -CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ - -ifdef NO_EXTRA_CFLAGS -else -EXTRA_CFLAGS +=@EXTRA_CFLAGS@ -endif
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fbuilder/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fbuilder - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fbuilder: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fbuilder .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fcopy/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fcopy - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fcopy: $(OBJS) ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fcopy .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fgit/fgit-install.sh ^
@@ -1,24 +0,0 @@ -#!/bin/sh -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 -# -# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. -# - -set -e # exit immediately if one of the commands fails -cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp -git clone --depth=1 https://www.github.com/netblue30/firejail.git -cd firejail -./configure --enable-git-install -make -sudo make install-strip -echo "********************************************************************" -echo "Mainline git Firejail version was installed in /usr/local." -echo "If you want to remove it, run" -echo -echo " firejail --git-uninstall" -echo -echo "********************************************************************" -cd .. -rm -rf firejail
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fgit/fgit-uninstall.sh ^
@@ -1,20 +0,0 @@ -#!/bin/sh -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 -# -# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. -# - -set -e # exit immediately if one of the commands fails -cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp -git clone --depth=1 https://www.github.com/netblue30/firejail.git -cd firejail -./configure --enable-git-install -sudo make uninstall -echo "********************************************************************" -echo "Firejail mainline git version uninstalled from /usr/local" -echo -echo "********************************************************************" -cd .. -rm -rf firejail
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firecfg/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: firecfg - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o firecfg .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firejail/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: firejail - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall_i386.h ../include/syscall_x86_64.h ../include/firejail_user.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o firejail .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firejail/cgroup.c ^
@@ -1,119 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -/ -#include "firejail.h" -#include <sys/stat.h> - -#define MAXBUF 4096 - -void save_cgroup(void) { - if (cfg.cgroup == NULL) - return; - - FILE fp = fopen(RUN_CGROUP_CFG, "wxe"); - if (fp) { - fprintf(fp, "%s", cfg.cgroup); - fflush(0); - SET_PERMS_STREAM(fp, 0, 0, 0644); - if (fclose(fp)) - goto errout; - } - else - goto errout; - - return; - -errout: - fprintf(stderr, "Error: cannot save cgroup\n"); - exit(1); -} - -void load_cgroup(const char fname) { - if (!fname) - return; - - FILE fp = fopen(fname, "re"); - if (fp) { - char buf[MAXBUF]; - if (fgets(buf, MAXBUF, fp)) { - cfg.cgroup = strdup(buf); - if (!cfg.cgroup) - errExit("strdup"); - } - else - goto errout; - - fclose(fp); - return; - } -errout: - fwarning("cannot load control group\n"); - if (fp) - fclose(fp); -} - - -void set_cgroup(const char path) { - EUID_ASSERT(); - - invalid_filename(path, 0); // no globbing - - // path starts with /sys/fs/cgroup - if (strncmp(path, "/sys/fs/cgroup", 14) != 0) - goto errout; - - // path ends in tasks - char ptr = strstr(path, "tasks"); - if (!ptr) - goto errout; - if ((ptr + 5) != '\0') - goto errout; - - // no .. traversal - ptr = strstr(path, ".."); - if (ptr) - goto errout; - - // tasks file exists - FILE fp = fopen(path, "ae"); - if (!fp) - goto errout; - // task file belongs to the user running the sandbox - int fd = fileno(fp); - if (fd == -1) - errExit("fileno"); - struct stat s; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (s.st_uid != getuid() && s.st_gid != getgid()) - goto errout2; - // add the task to cgroup - pid_t pid = getpid(); - int rv = fprintf(fp, "%d\n", pid); - (void) rv; - fclose(fp); - return; - -errout: - fprintf(stderr, "Error: invalid cgroup\n"); - exit(1); -errout2: - fprintf(stderr, "Error: you don't have permissions to use this control group\n"); - exit(1); -}
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firemon/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: firemon - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -firemon: $(OBJS) ../lib/common.o ../lib/pid.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o firemon .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/firemon/cgroup.c ^
@@ -1,63 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -/ -#include "firemon.h" -#define MAXBUF 4098 - -static void print_cgroup(int pid) { - char file; - if (asprintf(&file, "/proc/%d/cgroup", pid) == -1) { - errExit("asprintf"); - exit(1); - } - - FILE *fp = fopen(file, "r"); - if (!fp) { - printf(" Error: cannot open %s\n", file); - free(file); - return; - } - - char buf[MAXBUF]; - if (fgets(buf, MAXBUF, fp)) { - printf(" %s", buf); - fflush(0); - } - - fclose(fp); - free(file); -} - -void cgroup(pid_t pid, int print_procs) { - pid_read(pid); - - // print processes - printf(" cgroup: "); - int i; - for (i = 0; i < max_pids; i++) { - if (pids[i].level == 1) { - if (print_procs \|\| pid == 0) - pid_print_list(i, arg_wrap); - int child = find_child(i); - if (child != -1) - print_cgroup(child); - } - } - printf("\n"); -}
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fldd/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fldd - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fldd .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fnet/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fnet - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fnet .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fnetfilter/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fnetfilter - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fnetfilter: $(OBJS) ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fnetfilter .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fsec-optimize/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fsec-optimize - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fsec-optimize .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fsec-print/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fsec-print - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fsec-print .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/fseccomp/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: fseccomp - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o fseccomp .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/ftee/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: ftee - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -ftee: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o ftee .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/jailcheck/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: jailcheck - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -jailcheck: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o jailcheck .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/lib/Makefile.in ^
@@ -1,14 +0,0 @@ -include ../common.mk - -.PHONY: all -all: $(OBJS) - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -.PHONY: clean -clean:; rm -fr $(OBJS) .gcov .gcda .gcno .plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/libpostexecseccomp/Makefile.in ^
@@ -1,28 +0,0 @@ -CC=@CC@ -PREFIX=@prefix@ -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ - -H_FILE_LIST = $(sort $(wildcard .h)) -C_FILE_LIST = $(sort $(wildcard .c)) -OBJS = $(C_FILE_LIST:.c=.o) -BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now - -.PHONY: all -all: libpostexecseccomp.so - -%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h - $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ - -libpostexecseccomp.so: $(OBJS) - $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - -.PHONY: clean -clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/libtrace/Makefile.in ^
@@ -1,28 +0,0 @@ -CC=@CC@ -PREFIX=@prefix@ -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ - -H_FILE_LIST = $(sort $(wildcard .h)) -C_FILE_LIST = $(sort $(wildcard .c)) -OBJS = $(C_FILE_LIST:.c=.o) -BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now - -.PHONY: all -all: libtrace.so - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ - -libtrace.so: $(OBJS) - $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - -.PHONY: clean -clean:; rm -fr $(OBJS) libtrace.so *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/libtracelog/Makefile.in ^
@@ -1,28 +0,0 @@ -CC=@CC@ -PREFIX=@prefix@ -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ - -H_FILE_LIST = $(sort $(wildcard .h)) -C_FILE_LIST = $(sort $(wildcard .c)) -OBJS = $(C_FILE_LIST:.c=.o) -BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now - -.PHONY: all -all: libtracelog.so - -%.o : %.c $(H_FILE_LIST) ../include/rundefs.h - $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ - -libtracelog.so: $(OBJS) - $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - -.PHONY: clean -clean:; rm -fr $(OBJS) libtracelog.so *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/man/Makefile.in ^
@@ -1,14 +0,0 @@ -.PHONY: all -all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man - -include ../common.mk - -%.man: %.txt - gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@ - -.PHONY: clean -clean:; rm -fr *.man - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/profstats/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: profstats - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -profstats: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) - -.PHONY: clean -clean:; rm -fr .o profstats .gcov .gcda .gcno *.plist - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/src/zsh_completion/Makefile.in ^
@@ -1,17 +0,0 @@ -.PHONY: all -all: _firejail - -include ../common.mk - -_firejail: _firejail.in - gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp - sed "s\|_SYSCONFDIR_\|$(sysconfdir)\|" < $@.tmp > $@ - rm $@.tmp - -.PHONY: clean -clean: - rm -fr _firejail - -.PHONY: distclean -distclean: clean - rm -fr Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/Makefile.in ^
@@ -1,14 +0,0 @@ -TESTS=$(patsubst %/,%,$(wildcard */)) - -.PHONY: $(TESTS) -$(TESTS): - cd $@ && ./$@.sh 2>&1 \| tee $@.log - cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log - -.PHONY: clean -clean: - for test in $(TESTS); do rm -f "$$test/$$test.log"; done - -.PHONY: distclean -distclean: clean - rm -f Makefile
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/csh.exp ^
@@ -1,34 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -set timeout 10 -cd /home -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private --shell=/bin/csh\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "env \| grep SHELL;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "SHELL" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "/bin/csh" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -send -- "exit\r" -after 100 - -puts "\nall done\n"
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/dash.exp ^
@@ -1,44 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -set timeout 10 -cd /home -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private --tracelog --shell=/bin/dash\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -#send -- "ls -al;pwd\r" -#expect { -# timeout {puts "TESTING ERROR 1\n";exit} -# ".zshrc" -#} -#expect { -# timeout {puts "TESTING ERROR 1.1\n";exit} -# "home" -#} - -send -- "env \| grep SHELL;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "SHELL" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "/bin/dash" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "home" -} -send -- "exit\r" -after 100 - -puts "\n"
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/shell-none.exp ^
@@ -1,47 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --shell=none\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "shell=none configured, but no program specified" -} -sleep 1 - -send -- "firejail --profile=shell-none.profile\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "shell=none configured, but no program specified" -} -after 100 - -send -- "firejail --shell=none ls\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "environment.sh" -} -after 100 - -send -- "firejail --profile=shell-none.profile ls\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "environment.sh" -} -after 100 - - -puts "\nall done\n"
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/environment/zsh.exp ^
@@ -1,34 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -set timeout 10 -cd /home -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private --shell=/bin/zsh\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "env \| grep SHELL;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "SHELL" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "/bin/zsh" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -send -- "exit\r" -after 100 - -puts "\nall done\n"
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fcopy/src/dircopy.exp ^
-(symlink to ../dircopy.exp)
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/seccomp-dualfilter.exp ^
@@ -1,55 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -set timeout 1 -spawn $env(SHELL) -match_max 100000 - -send -- "./syscall_test\r" -expect { - timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit} - "Usage" -} - -send -- "./syscall_test32\r" -expect { - timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit} - "Usage" -} - -set timeout 10 -send -- "firejail ./syscall_test mount\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "before mount" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "after mount" {puts "TESTING ERROR 3\n";exit} - "Parent is shutting down" -} -sleep 1 - -send -- "firejail ./syscall_test32 mount\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "before mount" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "after mount" {puts "TESTING ERROR 7\n";exit} - "Parent is shutting down" -} - -after 100 -puts "\nall done\n"
	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/syscall_test ^
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/syscall_test.c ^
@@ -1,82 +0,0 @@ -// This file is part of Firejail project -// Copyright (C) 2014-2021 Firejail Authors -// License GPL v2 - -#include <stdlib.h> -#include <stdio.h> -#include <unistd.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <linux/netlink.h> -#include <net/ethernet.h> -#include <sys/mount.h> - -int main(int argc, char **argv) { - if (argc != 2) { - printf("Usage: test [sleep\|socket\|mkdir\|mount]\n"); - return 1; - } - - if (strcmp(argv[1], "sleep") == 0) { - printf("before sleep\n"); - sleep(1); - printf("after sleep\n"); - } - else if (strcmp(argv[1], "socket") == 0) { - int sock; - - printf("testing socket AF_INET\n"); - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { - perror("socket"); - } - else - close(sock); - - printf("testing socket AF_INET6\n"); - if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) { - perror("socket"); - } - else - close(sock); - - printf("testing socket AF_NETLINK\n"); - if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) { - perror("socket"); - } - else - close(sock); - - printf("testing socket AF_UNIX\n"); - if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { - perror("socket"); - } - else - close(sock); - - // root needed to be able to handle this - printf("testing socket AF_PACKETX\n"); - if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) { - perror("socket"); - } - else - close(sock); - printf("after socket\n"); - } - else if (strcmp(argv[1], "mkdir") == 0) { - printf("before mkdir\n"); - mkdir("tmp", 0777); - printf("after mkdir\n"); - } - else if (strcmp(argv[1], "mount") == 0) { - printf("before mount\n"); - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID \| MS_STRICTATIME, "mode=755,gid=0") < 0) { - perror("mount"); - } - printf("after mount\n"); - } - else { - fprintf(stderr, "Error: invalid argument\n"); - return 1; - } - return 0; -}
	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/filters/syscall_test32 ^
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/private-lib.exp ^
@@ -1,48 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -after 100 -send -- "stty -echo\r" -after 100 - -send -- "cd /bin; find .\; echo done\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} -# "grep" {puts "TESTING ERROR 3\n";exit} - "rm" {puts "TESTING ERROR 3\n";exit} - "cp" {puts "TESTING ERROR 4\n";exit} - "done" -} -after 100 - -send -- "cd /lib; find .\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "./modules" {puts "TESTING ERROR 6\n";exit} - "./firmware" {puts "TESTING ERROR 7\n";exit} - "libc.so" -} -after 100 - -send -- "cd /usr/lib; find .\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "grub" {puts "TESTING ERROR 9\n";exit} - "mozilla" {puts "TESTING ERROR 10\n";exit} - "libdl.so" -} -after 100 - -puts "\nall done\n"
	Changed	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/testdir1/.directory/file ^
	Changed	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/testdir1/.file ^
	Changed	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/fs/testfile1 ^
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/root/cgroup.exp ^
@@ -1,61 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -set timeout 10 -cd /home -spawn $env(SHELL) -match_max 100000 - - -send -- "mkdir /sys/fs/cgroup/systemd/firejail\r" -sleep 1 -send -- "ls /sys/fs/cgroup/systemd/firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "tasks" -} - -send -- "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "3" -} - -spawn $env(SHELL) -send -- "firejail --join=\"join testing\"\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Switching to pid" -} -sleep 1 -send -- "ps aux\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "/bin/bash" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "/bin/bash" -} - -after 100 - -spawn $env(SHELL) -send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "3" -} -after 100 - -puts "\nall done\n"
[-] [+]	Deleted	_service:tar_git:firejail-0.9.66+git3.tar.bz2/upstream/test/utils/firemon-cgroup.exp ^
@@ -1,40 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test1\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=test2\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --cgroup\r" -sleep 4 -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} - "name=test1" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "name=test2" -} - -after 100 - -puts "\nall done\n"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.git-blame-ignore-revs ^
@@ -0,0 +1,35 @@ +# Note: Entries (and sections) should be listed in topological order (that is, +# in the same order that is shown by `git log --oneline`) and they can be +# generated with one of the following commands: +# +# TZ=UTC0 git show --date='format-local:%Y-%m-%d' --pretty='%H # %cd \| %s' -s +# [<commit>...] +# +# TZ=UTC0 git log --date='format-local:%Y-%m-%d' --pretty='%H # %cd \| %s' +# [<revision-range>] + +# Landlock v1 +97874c3bf923798b0e3ab119d169aaa9b1314221 # 2022-09-05 \| Revert "Merge pull request #5315 from ChrysoliteAzalea/landlock" +b900bdc87463d79568aef46cb7e3b373fbff84b1 # 2022-09-05 \| Revert "compile fix" +bfcacff665b750ae7b9fc984496df26fcd7cc53d # 2022-09-05 \| Revert "tracelog disabled by default in /etc/firejail/firejail.config file" +2a79f3a2689711e6151187063bb55a6af3160b6f # 2022-09-05 \| Revert "README/README.md" +67348ac9c2cdf9d30efbf9fd13eaf0a4adc3be00 # 2022-09-05 \| Revert "typos" +0cd20b7e81a7815f57055b38f0746ef14fed2cd0 # 2022-09-05 \| Revert "fix syntax in configure.ac" +26c74796f3c76b8f0ea0b95a863eb707ecced195 # 2022-09-05 \| Revert "landlock: check for landlock support in glibc" +5b206611c01e42a6d63c596be45bcf085832b035 # 2022-09-05 \| Revert "landlock: support in firejail --version" +2f3c19a87dd49b220f69f27f8c14c627277355d6 # 2022-09-04 \| landlock: support in firejail --version +c5a052ffa4e2ccaf240635db116a49986808a2b6 # 2022-09-04 \| landlock: check for landlock support in glibc +2d885e5a091f847d7c2128506947b0f67dd2edab # 2022-09-04 \| fix syntax in configure.ac +0594c5d3d0f1ddc4049cf2ed38676a1cdc8d6843 # 2022-08-30 \| typos +796fa09636195d8751a7bbc1e1bc88bf8c3ac95a # 2022-08-30 \| README/README.md +6e687c30110a52f267c1779c4eeab82bded9cb77 # 2022-08-29 \| tracelog disabled by default in /etc/firejail/firejail.config file +836ffe37ff891886f15243eacc70963368d57a3f # 2022-08-29 \| compile fix +c6d7474c138f92b3cb3992b5c57750af89eb3b77 # 2022-08-16 \| tinyLL has been removed as it's no longer needed +460fa7a6f98cc1e7aec2953e6523f32677d546c7 # 2022-08-16 \| Proposed fixes. +877fc99d541af83a9486dfff43580e33dedd8b4c # 2022-08-15 \| Update quotation marks in src/zsh_completion/_firejail.in +ba828befe06b99b7dc2d504085cb40aa2d710998 # 2022-08-15 \| Landlock functions are added to the code of Firejail, removing the dependency on tinyLL +61b15442898eeb1db2d23b6b2eb72a705ceb368a # 2022-08-15 \| Landlock support has been added. + +# "move whitelist/blacklist to allow/deny" +f43382f1e9707b4fd5e63c7bfe881912aa4ee994 # 2021-07-18 \| Revert "move whitelist/blacklist to allow/deny" +fe0f975f447d59977d90c3226cc8c623b31b20b3 # 2021-07-05 \| move whitelist/blacklist to allow/deny
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.gitattributes ^
@@ -0,0 +1 @@ +/etc/inc/*.inc linguist-language=text
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/ISSUE_TEMPLATE/bug_report.md ^
@@ -6,44 +6,88 @@ assignees: '' --- -Write clear, concise and in textual form. -Bug and expected behavior -- Describe the bug. -- What did you expect to happen? - -No profile and disabling firejail -- What changed calling `firejail --noprofile /path/to/program` in a terminal? -- What changed calling the program by path (e.g. `/usr/bin/vlc`)? - -Reproduce -Steps to reproduce the behavior: -1. Run in bash `firejail PROGRAM` -2. See error `ERROR` -3. Click on '....' -4. Scroll down to '....' - -Environment - - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) - - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) - -Additional context -Other context about the problem like related errors to understand the problem. - -Checklist - - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - - [ ] I have performed a short search for similar issues (to avoid opening a duplicate). - - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. - - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. - - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - - [ ] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions. +<!-- +See the following links for help with formatting: +https://guides.github.com/features/mastering-markdown/ +https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax +--> -<details><summary> debug output </summary> +### Description + +_Describe the bug_ + +### Steps to Reproduce + +_Steps to reproduce the behavior_ + +1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody) +2. Click on '....' +3. Scroll down to '....' +4. See error `ERROR` + +### Expected behavior + +_What you expected to happen_ + +### Actual behavior + +_What actually happened_ + +### Behavior without a profile + +_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ + +### Additional context + +_Any other detail that may help to understand/debug the problem_ + +### Environment + +- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") +- Firejail version (`firejail --version`). +- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). + +### Checklist + +<!-- +Note: Items are checked with an "x", like so: + +- [x] This is a checked item. +--> + +- [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). +- [ ] I can reproduce the issue without custom modifications (e.g. globals.local). +- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) +- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). +- [ ] I have performed a short search for similar issues (to avoid opening a duplicate). + - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. +- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) + +### Log + +<details> +<summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> +<p> + +``` +output goes here +``` + +</p> +</details> + +<details> +<summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> +<p> + +<!-- If the output is too long to embed it into the comment, + create a secret gist at https://gist.github.com/ and link it here. --> ``` -OUTPUT OF `firejail --debug PROGRAM` +output goes here ``` +</p> </details>
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/ISSUE_TEMPLATE/config.yml ^
@@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Question + url: https://github.com/netblue30/firejail/discussions + about: For questions you should use GitHub Discussions.
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/ISSUE_TEMPLATE/feature_request.md ^
@@ -0,0 +1,23 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' +--- + +### Is your feature request related to a problem? Please describe. + +_A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_ + +### Describe the solution you'd like + +_A clear and concise description of what you want to happen._ + +### Describe alternatives you've considered + +_A clear and concise description of any alternative solutions or features you've considered._ + +### Additional context + +_Add any other context or screenshots about the feature request here._
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/dependabot.yml ^
@@ -0,0 +1,7 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/pull_request_template.md ^
@@ -1,4 +1,3 @@ - If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. If you submit a PR for new profiles or changing profiles, please do the following:
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/workflows/build-extra.yml ^
@@ -4,51 +4,118 @@ push: branches: [ master ] paths-ignore: + - '.github/ISSUE_TEMPLATE/' + - 'etc/' + - 'contrib/gtksourceview-5/' + - 'contrib/vim/' + - 'src/man/.txt' + - .git-blame-ignore-revs + - .github/dependabot.yml + - .github/pull_request_template.md + - .github/workflows/codeql-analysis.yml + - .github/workflows/profile-checks.yml + - .gitignore + - .gitlab-ci.yml - CONTRIBUTING.md + - COPYING - README - README.md - RELNOTES - SECURITY.md - - 'etc/*' - - 'src/firecfg/firecfg.config' - - '.github/ISSUE_TEMPLATE/' - - '.github/pull_request_template.md' + - src/firecfg/firecfg.config pull_request: branches: [ master ] paths-ignore: + - '.github/ISSUE_TEMPLATE/' + - 'etc/' + - 'contrib/gtksourceview-5/' + - 'contrib/vim/' + - 'src/man/.txt' + - .git-blame-ignore-revs + - .github/dependabot.yml + - .github/pull_request_template.md + - .github/workflows/codeql-analysis.yml + - .github/workflows/profile-checks.yml + - .gitignore + - .gitlab-ci.yml - CONTRIBUTING.md + - COPYING - README - README.md - RELNOTES - SECURITY.md - - 'etc/*' - - 'src/firecfg/firecfg.config' - - '.github/ISSUE_TEMPLATE/' - - '.github/pull_request_template.md' + - src/firecfg/firecfg.config + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read jobs: build-clang: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v2 + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + github.com:443 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + - name: install dependencies + run: sudo apt-get install libapparmor-dev libselinux1-dev - name: configure - run: CC=clang-11 ./configure --enable-fatal-warnings + run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux - name: make run: make + - name: make install + run: sudo make install + - name: print version + run: command -V firejail && firejail --version scan-build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v2 - - name: install clang-tools-11 - run: sudo apt-get install clang-tools-11 + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + github.com:443 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + - name: install clang-tools-14 and dependencies + run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev - name: configure - run: CC=clang-11 ./configure --enable-fatal-warnings + run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux - name: scan-build - run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make + run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make cppcheck: + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + github.com:443 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + - name: install cppcheck + run: sudo apt-get install cppcheck + - name: cppcheck + run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c . + # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also + # with older cppcheck version from ubuntu 20.04. + cppcheck_old: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + github.com:443 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: install cppcheck run: sudo apt-get install cppcheck - name: cppcheck
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/workflows/build.yml ^
@@ -4,7 +4,16 @@ push: branches: [ master ] paths-ignore: + - '.github/ISSUE_TEMPLATE/' + - .git-blame-ignore-revs + - .github/dependabot.yml + - .github/pull_request_template.md + - .github/workflows/codeql-analysis.yml + - .github/workflows/profile-checks.yml + - .gitignore + - .gitlab-ci.yml - CONTRIBUTING.md + - COPYING - README - README.md - RELNOTES @@ -12,24 +21,53 @@ pull_request: branches: [ master ] paths-ignore: + - '.github/ISSUE_TEMPLATE/' + - .git-blame-ignore-revs + - .github/dependabot.yml + - .github/pull_request_template.md + - .github/workflows/codeql-analysis.yml + - .github/workflows/profile-checks.yml + - .gitignore + - .gitlab-ci.yml - CONTRIBUTING.md + - COPYING - README - README.md - RELNOTES - SECURITY.md +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: build_and_test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v2 + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + debian.org:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + www.debian.org:443 + www.debian.org:80 + yahoo.com:1025 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + - name: update package information + run: sudo apt-get update - name: install dependencies - run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec + run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec - name: configure - run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr + run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr - name: make run: make - name: make install run: sudo make install + - name: print version + run: command -V firejail && firejail --version - name: run tests run: SHELL=/bin/bash make test-github
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/workflows/codeql-analysis.yml ^
@@ -9,27 +9,58 @@ push: branches: [ master ] paths-ignore: + - '.github/ISSUE_TEMPLATE/' + - 'etc/' + - 'contrib/gtksourceview-5/' + - 'contrib/vim/' + - 'src/man/.txt' + - .git-blame-ignore-revs + - .github/dependabot.yml + - .github/pull_request_template.md + - .github/workflows/profile-checks.yml + - .gitignore + - .gitlab-ci.yml - CONTRIBUTING.md + - COPYING - README - README.md - RELNOTES - SECURITY.md - - 'etc/*' + - src/firecfg/firecfg.config pull_request: # The branches below must be a subset of the branches above branches: [ master ] paths-ignore: + - '.github/ISSUE_TEMPLATE/' + - 'etc/' + - 'contrib/gtksourceview-5/' + - 'contrib/vim/*' + - 'src/man/.txt' + - .git-blame-ignore-revs + - .github/dependabot.yml + - .github/pull_request_template.md + - .github/workflows/profile-checks.yml + - .gitignore + - .gitlab-ci.yml - CONTRIBUTING.md + - COPYING - README - README.md - RELNOTES - SECURITY.md - - 'etc/*' + - src/firecfg/firecfg.config schedule: - cron: '0 7 * 2' +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-latest @@ -42,12 +73,22 @@ # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed steps: + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + uploads.github.com:443 + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -58,7 +99,7 @@ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -72,4 +113,4 @@ # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.github/workflows/profile-checks.yml ^
@@ -0,0 +1,44 @@ +name: Profile Checks + +on: + push: + branches: [ master ] + paths: + - 'ci/check/profiles/' + - 'etc/' + - .github/workflows/profile-checks.yml + - contrib/sort.py + - src/firecfg/firecfg.config + pull_request: + branches: [ master ] + paths: + - 'ci/check/profiles/' + - 'etc/' + - .github/workflows/profile-checks.yml + - contrib/sort.py + - src/firecfg/firecfg.config + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + profile-checks: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + - name: sort.py + run: ./ci/check/profiles/sort.py etc/inc/.inc etc/{profile-a-l,profile-m-z}/.profile + - name: private-etc-always-required.sh + run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/.inc etc/{profile-a-l,profile-m-z}/.profile + - name: sort-disable-programs.sh + run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc + - name: sort-firecfg.config.sh + run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.gitignore ^
@@ -10,9 +10,11 @@ .directory .man .vscode -Makefile +/firejail-/ autom4te.cache/ config.log +config.mk +config.sh config.status firejail-.tar.xz firejail-login.5 @@ -22,12 +24,15 @@ firejail.1 firemon.1 firecfg.1 -jailcheck.5 -mkdeb.sh +jailcheck.1 +src/fnettrace-dns/fnettrace-dns +src/fnettrace-sni/fnettrace-sni +src/fnettrace-icmp/fnettrace-icmp src/firejail/firejail src/firemon/firemon src/firecfg/firecfg src/ftee/ftee +src/fids/fids src/tags src/faudit/faudit src/fnet/fnet @@ -42,6 +47,8 @@ src/bash_completion/firejail.bash_completion src/zsh_completion/_firejail src/jailcheck/jailcheck +src/fnettrace/fnettrace +src/fzenity/fzenity uids.h seccomp seccomp.debug @@ -50,7 +57,6 @@ seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 -src/common.mk aclocal.m4 __pycache__ .pyc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/.gitlab-ci.yml ^
@@ -11,6 +11,7 @@ - apt-get update -qq - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3 gawk - ./configure --prefix=/usr && make deb && dpkg -i firejail.deb + - command -V firejail && firejail --version - python3 contrib/sort.py etc/profile-/.profile etc/inc/.inc build_debian_package: @@ -19,13 +20,15 @@ - apt-get update -qq - apt-get install -y -qq build-essential lintian pkg-config gawk - ./configure --prefix=/usr && make deb && dpkg -i firejail.deb + - command -V firejail && firejail --version build_redhat_package: - image: centos:latest + image: almalinux:latest script: - dnf update -y - dnf install -y rpm-build gcc make - ./configure --prefix=/usr && make rpms && rpm -i firejail.rpm + - command -V firejail && firejail --version build_fedora_package: image: fedora:latest @@ -33,6 +36,7 @@ - dnf update -y - dnf install -y rpm-build gcc make - ./configure --prefix=/usr && make rpms && rpm -i firejail.rpm + - command -V firejail && firejail --version - python3 contrib/sort.py etc/profile-/.profile etc/inc/.inc build_src_package: @@ -42,6 +46,7 @@ - apk upgrade - apk add build-base linux-headers python3 gawk - ./configure --prefix=/usr && make && make install-strip + - command -V firejail && firejail --version # - python3 contrib/sort.py etc/.{profile,inc} build_apparmor: @@ -49,7 +54,9 @@ script: - apt-get update -qq - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk - - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail.deb + - ./configure && make deb-apparmor && dpkg -i firejail*.deb + - command -V firejail && firejail --version + - firejail --version \| grep -F 'AppArmor support is enabled' debian_ci: image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/CONTRIBUTING.md ^
@@ -34,6 +34,14 @@ [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). If you have already written a profile, please make sure it follows the rules described in the template. +If you add a new command, here's the checklist: + + - [ ] Update manpages: firejail(1) and firejail-profile(5) + - [ ] Update shell completions + - [ ] Update vim syntax files + - [ ] Update gtksourceview language specs + - [ ] Update --help + # Editing the wiki You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/COPYING ^
@@ -1,12 +1,12 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. - Preamble + Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public @@ -15,7 +15,7 @@ General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to +the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not @@ -55,8 +55,8 @@ The precise terms and conditions for copying, distribution and modification follow. - - GNU GENERAL PUBLIC LICENSE + + GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains @@ -110,7 +110,7 @@ License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) - + These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in @@ -168,7 +168,7 @@ access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. - + 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is @@ -225,7 +225,7 @@ This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. - + 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License @@ -255,7 +255,7 @@ of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. - NO WARRANTY + NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN @@ -277,4 +277,63 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - END OF TERMS AND CONDITIONS + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License.
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/Makefile ^
@@ -0,0 +1,327 @@ +ROOT = . +-include config.mk + +ifneq ($(HAVE_MAN),no) +MAN_TARGET = man +MAN_SRC = src/man +endif + +COMPLETIONDIRS = src/zsh_completion src/bash_completion + +APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck +SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids +SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity +SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp +SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni +SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp +MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) +MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so +COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion +MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 +SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 +ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) + +.PHONY: all +all: all_items mydirs $(MAN_TARGET) filters + +config.mk config.sh: + printf 'run ./configure to generate %s\n' "$@" >&2 + false + +.PHONY: all_items $(ALL_ITEMS) +all_items: $(ALL_ITEMS) +$(ALL_ITEMS): $(MYDIRS) + $(MAKE) -C $(dir $@) + +.PHONY: mydirs $(MYDIRS) +mydirs: $(MYDIRS) +$(MYDIRS): + $(MAKE) -C $@ + +$(MANPAGES): src/man config.mk + ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ + +man: $(MANPAGES) + +filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) +seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize + src/fseccomp/fseccomp default seccomp + src/fsec-optimize/fsec-optimize seccomp + +seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize + src/fseccomp/fseccomp default seccomp.debug allow-debuggers + src/fsec-optimize/fsec-optimize seccomp.debug + +seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize + src/fseccomp/fseccomp secondary 32 seccomp.32 + src/fsec-optimize/fsec-optimize seccomp.32 + +seccomp.block_secondary: src/fseccomp/fseccomp + src/fseccomp/fseccomp secondary block seccomp.block_secondary + +seccomp.mdwx: src/fseccomp/fseccomp + src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx + +seccomp.mdwx.32: src/fseccomp/fseccomp + src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 + +.PHONY: clean +clean: + for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ + $(MAKE) -C $$dir clean; \ + done + $(MAKE) -C test clean + rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail.rpm + rm -f $(SECCOMP_FILTERS) + rm -f test/utils/index.html + rm -f test/utils/wget-log + rm -f test/utils/firejail-test-file* + rm -f test/utils/lstesting + rm -f test/environment/index.html* + rm -f test/environment/wget-log* + rm -fr test/environment/-testdir + rm -f test/environment/logfile* + rm -f test/environment/index.html + rm -f test/environment/wget-log + rm -f test/sysutils/firejail_t* + cd test/compile; ./compile.sh --clean; cd ../.. + +.PHONY: distclean +distclean: clean + for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ + $(MAKE) -C $$dir distclean; \ + done + $(MAKE) -C test distclean + rm -fr autom4te.cache config.log config.mk config.sh config.status + +realinstall: config.mk + # firejail executable + install -m 0755 -d $(DESTDIR)$(bindir) + install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir) +ifeq ($(HAVE_SUID),-DHAVE_SUID) + chmod u+s $(DESTDIR)$(bindir)/firejail +endif + # firemon executable + install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) + # firecfg executable + install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) + # jailcheck executable + install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) + # libraries and plugins + install -m 0755 -d $(DESTDIR)$(libdir)/firejail + install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh + install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) + install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) + install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats + # plugins w/o read permission (non-dumpable) + install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) + install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh + install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map +ifeq ($(HAVE_CONTRIB_INSTALL),yes) + # contrib scripts + install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/.py contrib/.sh + # vim syntax + install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect + install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax + install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect + install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax + # gtksourceview-5 language-specs + install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs + install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs +endif + # documents + install -m 0755 -d $(DESTDIR)$(docdir) + install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* + # profiles and settings + install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail + install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config + install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/.profile etc/profile-m-z/.profile etc/inc/.inc etc/net/.net etc/firejail.config + sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" +ifeq ($(HAVE_IDS),-DHAVE_IDS) + install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config +endif +ifeq ($(BUSYBOX_WORKAROUND),yes) + ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc +endif +ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) + # install apparmor profile + sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" + install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d + # install apparmor profile customization file + sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" + sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;" + # install apparmor base abstraction drop-in + sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;" + sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;" + install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d +endif +ifneq ($(HAVE_MAN),no) + # man pages + install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 + for man in $(MANPAGES); do \ + rm -f $$man.gz; \ + gzip -9n $$man; \ + case "$$man" in \ + .1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \ + .5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \ + esac; \ + done + rm -f $(MANPAGES) $(MANPAGES:%=%.gz) +endif + # bash completion + install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions + install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail + install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon + install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg + # zsh completion + install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions + install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/ + +install: all + $(MAKE) realinstall + +install-strip: all + strip $(ALL_ITEMS) + $(MAKE) realinstall + +uninstall: config.mk + rm -f $(DESTDIR)$(bindir)/firejail + rm -f $(DESTDIR)$(bindir)/firemon + rm -f $(DESTDIR)$(bindir)/firecfg + rm -f $(DESTDIR)$(bindir)/jailcheck + rm -fr $(DESTDIR)$(libdir)/firejail + rm -fr $(DESTDIR)$(datarootdir)/doc/firejail + for man in $(MANPAGES); do \ + rm -f $(DESTDIR)$(mandir)/man5/$$man; \ + rm -f $(DESTDIR)$(mandir)/man1/$$man; \ + done + rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail + rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon + rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg + rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail + rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim + rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim + @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." + +DISTFILES = \ +COPYING \ +Makefile \ +README \ +RELNOTES \ +config.mk.in \ +config.sh.in \ +configure \ +configure.ac \ +contrib \ +etc \ +install.sh \ +m4 \ +mkdeb.sh \ +mketc.sh \ +mkman.sh \ +platform \ +src + +DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot + +dist: config.mk + mv config.sh config.sh.old + mv config.status config.status.old + make distclean + mv config.status.old config.status + mv config.sh.old config.sh + rm -fr $(TARNAME)-$(VERSION) $(TARNAME)-$(VERSION).tar.xz + mkdir -p $(TARNAME)-$(VERSION)/test + cp -a $(DISTFILES) $(TARNAME)-$(VERSION) + cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test + rm -rf $(TARNAME)-$(VERSION)/src/tools + find $(TARNAME)-$(VERSION) -name .svn -delete + tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION) + rm -fr $(TARNAME)-$(VERSION) + +asc: config.mk + ./mkasc.sh $(VERSION) + +deb: dist config.sh + ./mkdeb.sh + +deb-apparmor: dist config.sh + ./mkdeb.sh -apparmor --enable-apparmor + +test-compile: dist config.mk + cd test/compile; ./compile.sh $(TARNAME)-$(VERSION) + +.PHONY: rpms +rpms: src/man config.mk + ./platform/rpm/mkrpm.sh $(TARNAME) $(VERSION) + +extras: all + $(MAKE) -C extras/firetools + +cppcheck: clean + cppcheck --force --error-exitcode=1 --enable=warning,performance . + +scan-build: clean + NO_EXTRA_CFLAGS="yes" scan-build make + +# +# make test +# + +TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter +TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) + +$(TEST_TARGETS): + $(MAKE) -C test $(subst test-,,$@) + +test: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters + echo "TEST COMPLETE" + +test-noprofiles: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters + echo "TEST COMPLETE" + +test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment + echo "TEST COMPLETE" + +########################################## +# Individual tests, some of them require root access +# The tests are very intrusive, by the time you are done +# with them you will need to restart your computer. +########################################## +# private-lib is disabled by default in /etc/firejail/firejail.config +test-private-lib: + $(MAKE) -C test $(subst test-,,$@) + +# a firejail-test account is required, public/private key setup +test-ssh: + $(MAKE) -C test $(subst test-,,$@) + +# requires root access +test-chroot: + $(MAKE) -C test $(subst test-,,$@) + +# Huge appimage files, not included in "make dist" archive +test-appimage: + $(MAKE) -C test $(subst test-,,$@) + +# Root access, network devices are created before the test +# restart your computer to get rid of these devices +test-network: + $(MAKE) -C test $(subst test-,,$@) + +# requires the same setup as test-network +test-stress: + $(MAKE) -C test $(subst test-,,$@) + +# Tests running a root user +test-root: + $(MAKE) -C test $(subst test-,,$@) + +# OverlayFS is not available on all platforms +test-overlay: + $(MAKE) -C test $(subst test-,,$@) + +# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" + +test-all: test-root test-chroot test-network test-appimage test-overlay + echo "TEST COMPLETE"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/README ^
@@ -1,18 +1,18 @@ -Firejail is a SUID sandbox program that reduces the risk of security -breaches by restricting the running environment of untrusted applications +Firejail is a SUID sandbox program that reduces the risk of security +breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It includes sandbox profiles for Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat. -Firejail also expands the restricted shell facility found in bash by adding -Linux namespace support. It supports sandboxing specific users upon login. +Firejail also expands the restricted shell facility found in bash by adding +Linux namespace support. It supports sandboxing specific users upon login. Download: https://sourceforge.net/projects/firejail/files/ Build and install: ./configure && make && sudo make install Documentation and support: https://firejail.wordpress.com/ -Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA +Video Channel: https://www.brighteon.com/channels/netblue30 Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ Development: https://github.com/netblue30/firejail License: GPL v2 @@ -33,18 +33,24 @@ For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). +We build our release firejail.tar.xz and firejail.deb packages using the following command: +$ make distclean && ./configure && make deb-apparmor + + Maintainer: - netblue30 (netblue30@protonmail.com) Committers - chiraag-nataraj (https://github.com/chiraag-nataraj) - crass (https://github.com/crass) +- ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) - curiosityseeker (https://github.com/curiosityseeker) - glitsj16 (https://github.com/glitsj16) - Fred-Barclay (https://github.com/Fred-Barclay) - Kelvin M. Klann (https://github.com/kmk3) - Kristóf Marussy (https://github.com/kris7t) - Neo00001 (https://github.com/Neo00001) +- pirate486743186 (https://github.com/pirate486743186) - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) - rusty-snake (https://github.com/rusty-snake) - smitsohu (https://github.com/smitsohu) @@ -62,16 +68,23 @@ 0x7969 (https://github.com/0x7969) - fix wire-desktop.profile - add ferdi.profile +0x9fff00 (https://github.com/0x9fff00) + - add Colossal Order to steam.profile 7twin (https://github.com/7twin_) - fix typos - fix flameshot raw screenshots 1dnrr (https://github.com/1dnrr) - add pybitmessage profile +a1346054 (https://github.com/a1346054) + - add missing final newlines in various files + - Remove deprecated syntax and modernize shell test scripts Ádler Jonas Gross (https://github.com/adgross) - AppArmor fix Adrian L. Shaw (https://github.com/adrianlshaw) - add profanity profile - add barrirer profile + - add profile for Beyond All Reason + - RPCS3 profile Aidan Gauland (https://github.com/aidalgol) - added electron, riot-web and npm profiles - whitelist Bohemia Interactive config dir for Steam @@ -107,11 +120,16 @@ - profile updates Alexander Stein (https://github.com/ajstein) - added profile for qutebrowser +alkim0 (https://github.com/alkim0) + - warn when encountering EIO during remount + - Add profile for chafa Amin Vakil (https://github.com/aminvakil) - whois profile fix - added profile for strawberry - w3m profile fix - disable seccomp in wireshark profile +Ammon Smith (https://github.com/ammongit) + - Add DBus filter rules specific to firefox-developer-edition Andreas Hunkeler (https://github.com/Karneades) - Add profile for offical Linux Teams application Andrey Alekseenko (https://github.com/al42and) @@ -127,6 +145,9 @@ - evince profile fix Anton Shestakov (https://github.com/antonv6) - add whitelist items for uim + - allow /etc/vulkan in steam profile + - allow ~/.cache/wine in lutris and wine profile + - support MangoHud in steam profile Antonio Russo (https://github.com/aerusso) - enumerate root directories in apparmor profile - fix join-or-start @@ -146,6 +167,9 @@ - unbound profile update Avi Lumelsky (https://github.com/avilum) - syscall.sh improvements +avallach2000 (https://github.com/avallach2000( + - fix qbittorrent profile + - support for changing appearance of the Qt6 apps with qt6ct avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix @@ -161,6 +185,8 @@ - added mcabber profile - fixed mpv profile - various other fixes +Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) + - add support for custom AppArmor profiles (--apparmor=) backspac (https://github.com/backspac) - firecfg fixes - add steam-runtime alias @@ -170,6 +196,8 @@ - fixed riot-desktop Barış Ekin Yıldırım (https://github.com/circuitshaker) - removing net none from code.profile +Bart Bakker (https://github.com/bjpbakker) + - multimc5: fix exec of LWJGL libraries bbhtt (https://github.com/bbhtt) - improvements to balsa,fractal,gajim,trojita profiles - improvements to nheko, spectral, feh, links, lynx, smplayer profiles @@ -180,6 +208,8 @@ - email clients whitelisting and fixes Benjamin Kampmann (https://github.com/ligthyear) - Forward exit code from child process +BeautyYuYanli (https://github.com/BeautyYuYanli) + - add linuxqq and qq profiles bitfreak25 (https://github.com/bitfreak25) - added PlayOnLinux profile - minetest profile fix @@ -207,6 +237,9 @@ - add gradio profile - update virtualbox.profile - Quodlibet profile + - update apparmor firejail-local for Brave + ipfs +bymoz089 (https://github.com/bymoz089) + - add timezone access to make libical functional BytesTuner (https://github.com/BytesTuner) - provided keepassxc profile caoliver (https://github.com/caoliver) @@ -215,8 +248,13 @@ - fixed udiskie profile - Allow mbind syscall for GIMP - fixed simple-scan +Case_Of (https://github.com/CaseOf) + - added Seafile profile Cat (https://github.com/ecat3) - prevent tmux connecting to an existing session +cayday (https://github.com/caydey) + - added ~/Private blacklist in disable-common.inc + - added quiet to some CLI profiles Christian Pinedo (https://github.com/chrpinedo) - added nicotine profile - allow python3 in totem profile @@ -242,6 +280,14 @@ - extract_command_name fixes - update appimage size calculation to newest code from libappimage - firejail should look for processes with names exactly named +croket (https://github.com/crocket) + - fix librewolf profile + - added profiles for imv, retroarch, and torbrowser + - fix dino profile + - fix wireshark profile + - prevent emptty /usr/share in google-chrome profiles +cubercsl (https://github.com/cubercsl) + - add linuxqq and qq profiles curiosity-seeker (https://github.com/curiosity-seeker - old) curiosityseeker (https://github.com/curiosityseeker - new) - tightening unbound and dnscrypt-proxy profiles @@ -283,6 +329,8 @@ - steam.profile: correctly blacklist unneeded directories in user's home - minetest fixes - map /dev/input with "--private-dev", add "--no-input" option to disable it + - whitelist /usr/share/TelegramDesktop in telegram.profile + - allow access to ~/.cache/winetricks David Hyrule (https://github.com/Svaag) - remove nou2f in ssh profile Deelvesh Bunjun (https://github.com/DeelveshBunjun) @@ -299,9 +347,15 @@ - fix qt5ct colour schemes and QSS Disconnect3d (https://github.com/disconnect3d) - code cleanup +dm9pZCAq (https://github.com/dm9pZCAq) + - fix for compilation under musl dmfreemon (https://github.com/dmfreemon) - add sandbox name or name of private directory to the window title when xpra is used - handle malloc() failures; use gnu_basename() instead of basenaem() +Dmitriy Chestnykh (https://github.com/chestnykh) + - add ability to disable user profiles at compile time +Dpeta (https://github.com/Dpeta) + - add Chatterino profile dshmgh (https://github.com/dshmgh) - overlayfs fix for systems with /home mounted on a separate partition Duncan Overbruck (https://github.com/Duncaen) @@ -311,6 +365,8 @@ Eduard Tolosa (https://github.com/Edu4rdSHL) - fixed and hardened qpdfview.profile - fixed gajim.profile +Eklektisk (https://github.com/Eklektisk) + - update librewolf.profile: use new d-bus message bus emacsomancer (https://github.com/emacsomancer) - added profile for Conkeror browser Emil Gedda (https://github.com/EmilGedda) @@ -326,6 +382,7 @@ - --private-etc fix fenuks (https://github.com/fenuks) - fix sound in games using FMOD + - allow /opt/tor-browser for Tor Browser profile Florian Begusch (https://github.com/florianbegusch) - (la)tex profiles - fixed transmission-common.profile @@ -333,6 +390,8 @@ - fix jailprober.py floxo (https://github.com/floxo) - fixed qml disk cache issue +Foemass (https://github.com/Foemass) + - documentation Franco (nextime) Lanza (https://github.com/nextime) - added --private-template/--private-home František Polášek (https://github.com/fandaa) @@ -449,9 +508,16 @@ Helmut Grohne (https://github.com/helmutg) - compiler support in the build system - Debian bug #869707 hhzek0014 (https://github.com/hhzek0014) - - updated bibletime.profile + - updated bibletime.profile +hknaack (https://github.com/hknaack) + - Kate profile fixes + - seamonkey.profile: support enigmail/gpg + - Avidemux tools support hlein (https://github.com/hlein) - strip out \r's from jail prober + - make env/arg sanity check failure messages more useful + - relocate firecfg.config to /etc/firejail/ + - fix display profile for Gentoo distribution Holger Heinz (https://github.com/hheinz) - manpage work Haowei Yu (https://github.com/sfc-gh-hyu) @@ -485,6 +551,13 @@ - removed shell none from ssh-agent configuration, fixing the infinite loop - added gcloud profile - blacklist sensitive cloud provider files in disable-common +Jan-Niclas (https://github.com/0x6a61) + - moved rules from firefox-common.profile to firefox.profile + - blacklist /firefox except for firefox itself + - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox +Jan Sonntag (https://github.com/jmetrius) + - added OpenStego profile + - allow common access to EGL External platform configuration directory Jean Lucas (https://github.com/flacks) - fix Discord profile - add AnyDesk profile @@ -521,6 +594,9 @@ Jonas Heinrich (https://github.com/onny) - added signal-desktop profile - fixed franz profile + - remove /etc/hosts is_link check for NixOS + - whitelist for NixOS to resolve binary paths in user environment + - NixOS fix OpenGL app support Jose Riha (https://github.com/jose1711) - added meteo-qt profile - created qgis, links, xlinks profiles @@ -531,6 +607,12 @@ - Add profile for udiskie - fix udiskie.profile - improve hints for allowing browser access to Gnome extensions connector + - fix warshow, jumpnbump, tremulous, blobwars profile fixes + - drop noinput for games with gampad/joystick support + - goldendict profile fix + - whitelist /usr/share/nextcloud to allow access to translation files + - fix clipgrab profile + - fix Hugin profile jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile @@ -541,6 +623,8 @@ - fixed Kdenlive, Shotcut profiles - new profiles for Cinelerra, Cliqz, Bluefish - profile hardening +k4leg (https://github.com/k4leg) + - fix PyCharm profiles Kaan Genç (https://github.com/SeriousBug) - dynamic allocation of noblacklist buffer Karoshi42 (https://github.com/karoshi42) @@ -563,7 +647,7 @@ - added falkon profile - kxmlgui fixes - okular profile fixes - - jitsi-meet-desktop profile + - jitsi-meet-desktop profile - konversatin profile fix - added Neochat profile - added whitelist-1793-workaround.inc @@ -571,6 +655,7 @@ - added symlink fixer fix_private-bin.py in contrib section - update fix_private-bin.py - fix meld + - temporary fix to the bug caused by apparmor profiles stacking kortewegdevries (https://github.com/kortewegdevries) - a whole bunch of new profiles and fixes - whitelisting evolution, kmail @@ -590,6 +675,9 @@ - fixed test for shell interpreter in chroots LaurentGH (https://github.com/LaurentGH) - allow private-bin parameters to be absolute paths +lecso7 (https://github.com/lecso7) + - added goldendict profile + - allow evince to read .cbz file format Loïc Damien (https://github.com/dzamlo) - small fixes Liorst4 (https://github.com/Liorst4) @@ -603,6 +691,8 @@ - fixed parsing of --keep-var-tmp luzpaz (https://github.com/luzpaz) - code spelling fixes +lxeiqr (https://github.com/lxeiqr) + - fix sndio support Mace Muilman (https://github.com/mace015) - google-chrome{,beta,unstable} flags maces (https://github.com/maces) @@ -620,6 +710,10 @@ Martin Dosch (spam-debian@mdosch.de) - support for gnome-shell integration addon in Firefox (Bug-Debian: https://bugs.debian.org/872720) +Martin Sandsmark (https://github.com/sandsmark) + - songrec profile +Martynas Janonis (https://github.com/mjanonis) + - update wrc for Arch Linux Matt Parnell (https://github.com/ilikenwf) - whitelisting for core firefox related functionality Mattias Wadman (https://github.com/wader) @@ -643,10 +737,16 @@ - added support for subdirs in private-etc Mike Frysinger (vapier@gentoo.org) - Gentoo compile patch +minus7 (https://github.com/minus7) + - fix hanging arp_check mirabellette (https://github.com/mirabellette) - add comment to thunderbird.profile to allow Firefox to load profiles mjudtmann (https://github.com/mjudtmann) - lock firejail configuration in disable-mgmt.inc +m00nwtchr (https://github.com/m00nwtchr) + - Whitelist electron-flags.conf for all versions of electron + - electron profile updates + - Fix glob pattern and update other profiles/includes (electron profile) mustaqimM (https://github.com/mustaqimM) - added profile for Nylas Mail n1trux (https://github.com/n1trux) @@ -663,6 +763,7 @@ - add kdiff3 profile NetSysFire (https://github.com/NetSysFire) - update weechat profile + - update megaglest profile Nick Fox (https://github.com/njfox) - add a profile alias for code-oss - add code-oss config directory @@ -690,7 +791,7 @@ OndrejMalek (https://github.com/OndrejMalek) - various manpage fixes Ondřej Nový (https://github.com/onovy) - - allow video for Signal profile + - allow video for Signal profile - added Mattermost desktop profile - hardened Zoom profile - hardened Signal desktop profile @@ -707,7 +808,7 @@ Paul Moore <pmoore@redhat.com> -src/fsec-print/print.c extracted from libseccomp software package Paupiah Yash (https://github.com/CaffeinatedStud) - - gzip profile + - gzip profile Pawel (https://github.com/grimskies) - make --join return exit code of the invoked program Peter Millerchip (https://github.com/pmillerchip) @@ -758,6 +859,7 @@ - added profile for torbrowser-launcher - added profile for sayonara and qmmp - remove tracelog from Firefox profile + - fix welcome.sh polyzen (https://github.com/polyzen) - fixed wusc issue with mpv/Vulkan probonopd (https://github.com/probonopd) @@ -770,11 +872,15 @@ -uGet profile pwnage-pineapple (https://github.com/pwnage-pineapple) - update Okular profile +Quentin Retornaz (https://github.com/qretornaz-adapei42) + - microsoft-edge profiles fixes Quentin Minster (https://github.com/laomaiweng) - propagate --quiet to children Firejail'ed processes - nodbus enhancements/bugfixes - added vim syntax and ftdetect files - Allow exec from /usr/libexec & co. with AppArmor +ra1nb0w (https://github.com/ra1nb0w) + - fix vmware profile Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Rahiel Kasim (https://github.com/rahiel) @@ -792,6 +898,11 @@ - zoom profile fixes realaltffour (https://github.com/realaltffour) - add lynx support to newsboat profile +Reed Riley (https://github.com/reedriley) + - cointop profile + - 1password profile + - blacklist rclone, 1Password, Ledger Live and cointop + - allow Signal to open links in Firefox Reiner Herrmann (https://github.com/reinerh) - a number of build patches - man page fixes @@ -831,6 +942,7 @@ - added sort.py to contrib sak96 (https://github.com/sak96) - discord profile fixes + - Fix Firefox 'Profile not found' for psd (v6.45) Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) - fixed ktorrent profile sarneaud (https://github.com/sarneaud) @@ -842,9 +954,13 @@ Senemu (https://github.com/Senemu) - protection for .pythonrc.py - fixed evince +Seonwoo Lee (https://github.com/seonwoolee) + - fix teams ignoring input sources e.g. microphones Sergey Alirzaev (https://github.com/l29ah) - firejail.h enum fix - firefox-common-addons.inc: + tridactyl +Serphentas (https://github.com/Serphentas) + - add Paradox Launcher to Steam profile Slava Monich (https://github.com/monich) - added configure option to disable man pages Tobias Schmidl (https://github.com/schtobia) @@ -861,6 +977,10 @@ - Jolla/SailfishOS patches slowpeek (https://github.com/slowpeek) - refine appimage example in docs + - allow resolution of .local names with avahi-daemon in the apparmor profile + - allow access to avahi-daemon in apparmor/firejail-default + - make appimage examples consistent with --appimage option short description + - blacklist google-drive-ocamlfuse config smitsohu (https://github.com/smitsohu) - read-only kde4 services directory - enhanced mediathekview profile @@ -912,6 +1032,8 @@ - hardern /var - profile standard layout - Spotify and itch.io profile fixes +Spacewalker2 (https://github.com/Spacewalker2) + - fix MediathekView profile sshirokov (https://sourceforge.net/u/yshirokov/profile/) - Patch to output "Reading profile" to stderr instead of stdout SYN-cook (https://github.com/SYN-cook) @@ -935,7 +1057,7 @@ - gnome-calculator changes startx2017 (https://github.com/startx2017) - syscall list update - - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, + - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old - enable/disable join support in /etc/firejail/firejail.config - firecfg fix: create ~/.local/share/applications directory if it doesn't exist @@ -953,6 +1075,9 @@ - Fix libx265 encoding in ffmpeg profile - Fix Firefox profile - Profile tweaks +TheOneric (https://github.com/TheOneric) + - Fix newest Steam client and Proton ≥ 5.13 + - Fix black window in Steam client thewisenerd (https://github.com/thewisenerd) - allow multiple private-home commands - use $SHELL variable if the shell is not specified @@ -986,10 +1111,14 @@ - improve loading of seccomp filter and memory-deny-write-execute feature - private-lib feature - make --nodbus block also system D-Bus socket -Ted Robertson (https://github.com/tredondo) +Ted Robertson (https://github.com/tredondo) - webstorm profile fixes - added bcompare profile - various documentation fixes + - blacklist Exodus wallet + - blacklist monero-project directory +Tus1688 (https://github.com/Tus1688) + - added neovim profile user1024 (user1024@tut.by) - electron profile whitelisting - fixed Rocket.Chat profile @@ -1041,11 +1170,14 @@ - apparmor enhancements Vincent Blillault (https://github.com/Feandil) - fix mumble profile +Vincent Lefèvre (https://github.com/vinc17fr) + - blacklist rxvt after the blacklist of Perl + - Noblacklist rxvt in allow-perl.inc vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - claws-mail, mutt, git, emacs, vim profiles - lots of profile fixes - - support for truecrypt and zuluCrypt + - support for truecrypt and zuluCrypt viq (https://github.com/viq) - discord-canary profile Vladimir Gorelov (https://github.com/larkvirtual) @@ -1053,12 +1185,21 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20) - apparmor profile enhancements - various KDE profile enhancements - read-only kde5 services directory + - read-only kde5 services directory Vladislav Nepogodin (https://github.com/vnepogodin) - added Librewolf profiles - added Sway profile + - fix CLion profile + - fixes for disable-programs.inc + - CachyBrowser profile +Hugo Osvaldo Barrera (https://github.com/WhyNotHugo) + - Skype profile tweaks + - whitelist-ro command xee5ch (https://github.com/xee5ch) - skypeforlinux profile +York Zhao (https://github.com/YorkZ) + - tor browser profile fix + - allow telegram to open hyperlinks Ypnose (https://github.com/Ypnose) - disable-shell.inc: add mksh shell yumkam (https://github.com/yumkam) @@ -1086,4 +1227,4 @@ zupatisc (https://github.com/zupatisc) - patch-util fix -Copyright (C) 2014-2021 Firejail Authors +Copyright (C) 2014-2022 Firejail Authors
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/README.md ^
@@ -22,47 +22,29 @@ <table><tr> <td> -<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U -" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg" -alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a> +<a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank"> +<img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" +alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a> </td> <td> -<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU -" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" -alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a> +<a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank"> +<img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png" +alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a> </td> <td> -<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 -" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" -alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a> +<a href="https://odysee.com/@netblue30:9/divested:2" target="_blank"> +<img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png" +alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a> </td> - -</tr><tr> -<td> -<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w -" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" -alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a> - -</td> -<td> -<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ -" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" -alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a> - -</td> -<td> -<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o -" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg" -alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a> - -</td> </tr></table> Project webpage: https://firejail.wordpress.com/ +IRC: https://web.libera.chat/#firejail + Download and Installation: https://firejail.wordpress.com/download-2/ Features: https://firejail.wordpress.com/features-3/ @@ -75,7 +57,7 @@ GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ -Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA +Video Channel: https://odysee.com/@netblue30:9?order=new Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ @@ -83,40 +65,47 @@ We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com -````` -Security Advisory - Feb 8, 2021 +## Installing -Summary: A vulnerability resulting in root privilege escalation was discovered in -Firejail's OverlayFS code, +### Debian -Versions affected: Firejail software versions starting with 0.9.30. -Long Term Support (LTS) Firejail branch is not affected by this bug. +Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. -Workaround: Disable overlayfs feature at runtime. -In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no". +### Ubuntu - $ grep overlayfs /etc/firejail/firejail.config - # Enable or disable overlayfs features, default enabled. - overlayfs no +For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are strongly advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). -Fix: The bug is fixed in Firejail version 0.9.64.4 +How to add and install from the PPA: -GitHub commit: (file configure.ac) -https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b +```sh +sudo add-apt-repository ppa:deki/firejail +sudo apt-get update +sudo apt-get install firejail firejail-profiles +``` -Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability. -Functional PoC exploit code was provided to Firejail development team. -A description of the problem is here on Roman's blog: +Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad: -https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt -https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ -````` +* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) -## Installing +See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: + +> What software is supported by the Ubuntu Security team? +> +> Ubuntu is currently divided into four components: main, restricted, universe +> and multiverse. All binary packages in main and restricted are supported by +> the Ubuntu Security team for the life of an Ubuntu release, while binary +> packages in universe and multiverse are supported by the Ubuntu community. + +Additionally, the PPA version is likely to be more recent and to contain more profile fixes. + +See the following discussions for details: + +* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666) +* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663) -Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. +### Other -The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package. +Firejail is included in a large number of Linux distributions. You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: @@ -170,7 +159,7 @@ Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are about 250 default applications in current Firejail version, and the number goes up with every new release. -We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. +We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. ## Security profiles @@ -189,149 +178,168 @@ We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. -## Latest released version: 0.9.64 +## Latest released version: 0.9.70 -## Current development version: 0.9.65 +## Current development version: 0.9.71 Milestone page: https://github.com/netblue30/firejail/milestone/1 -Release discussion: https://github.com/netblue30/firejail/issues/3696 - -### jailcheck -````` -JAILCHECK(1) JAILCHECK man page JAILCHECK(1) - -NAME - jailcheck - Simple utility program to test running sandboxes - -SYNOPSIS - sudo jailcheck [OPTIONS] [directory] - -DESCRIPTION - jailcheck attaches itself to all sandboxes started by the user and per‐ - forms some basic tests on the sandbox filesystem: - - 1. Virtual directories - jailcheck extracts a list with the main virtual directories in‐ - stalled by the sandbox. These directories are build by firejail - at startup using --private* and --whitelist commands. - 2. Noexec test - jailcheck inserts executable programs in /home/username, /tmp, - and /var/tmp directories and tries to run them from inside the - sandbox, thus testing if the directory is executable or not. +### Restrict namespaces - 3. Read access test - jailcheck creates test files in the directories specified by the - user and tries to read them from inside the sandbox. - - 4. AppArmor test - - 5. Seccomp test - - The program is started as root using sudo. - -OPTIONS - --debug - Print debug messages. - - -?, --help - Print options and exit. - - --version - Print program version and exit. - - [directory] - One or more directories in user home to test for read access. - ~/.ssh and ~/.gnupg are tested by default. - -OUTPUT - For each sandbox detected we print the following line: - - PID:USER:Sandbox Name:Command - - It is followed by relevant sandbox information, such as the virtual di‐ - rectories and various warnings. - -EXAMPLE - $ sudo jailcheck - 2014:netblue::firejail /usr/bin/gimp - Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, - Warning: I can run programs in /home/netblue - - 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net - Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, - Warning: I can read ~/.ssh - - 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ - pimage - Virtual dirs: /tmp, /var/tmp, /dev, - - 26090:netblue::/usr/bin/firejail /opt/firefox/firefox - Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, - /run/user/1000, - - 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor - Warning: AppArmor not enabled - Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, - /usr/share, /run/user/1000, - Warning: I can run programs in /home/netblue - -LICENSE - This program is free software; you can redistribute it and/or modify it - under the terms of the GNU General Public License as published by the - Free Software Foundation; either version 2 of the License, or (at your - option) any later version. - - Homepage: https://firejail.wordpress.com - -SEE ALSO - firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ - gin(5), firejail-users(5), - -0.9.65 May 2021 JAILCHECK(1) +````` + --restrict-namespaces + Install a seccomp filter that blocks attempts to create new + cgroup, ipc, net, mount, pid, time, user or uts namespaces. + + Example: + $ firejail --restrict-namespaces + + --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts + Install a seccomp filter that blocks attempts to create any of + the specified namespaces. The filter examines the arguments of + clone, unshare and setns system calls and returns error EPERM to + the process (or kills it or logs the attempt, see --seccomp-er‐ + ror-action below) if necessary. Note that the filter is not able + to examine the arguments of clone3 system calls, and always re‐ + sponds to these calls with error ENOSYS. + + Example: + $ firejail --restrict-namespaces=user,net +````` + +### Support for custom AppArmor profiles + +````` + --apparmor + Enable AppArmor confinement with the "firejail-default" AppArmor + profile. For more information, please see APPARMOR section be‐ + low. + + --apparmor=profile_name + Enable AppArmor confinement with a custom AppArmor profile. + Note that profile in question must already be loaded into the + kernel. For more information, please see APPARMOR section be‐ +````` + +### dnstrace +````` + --dnstrace[=name\|pid] + Monitor DNS queries. The sandbox can be specified by name or + pid. Only networked sandboxes created with --net are supported. + This option is only available when running the sandbox as root. + + Without a name/pid, Firejail will monitor the main system net‐ + work namespace. + + $ sudo firejail --dnstrace=browser + 11:31:43 9.9.9.9 linux.com (type 1) + 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN + 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN + 11:31:45 9.9.9.9 www.linux.com (type 1) + 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN + 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN + 11:32:05 9.9.9.9 secure.gravatar.com (type 1) + 11:32:06 9.9.9.9 secure.gravatar.com (type 1) + 11:32:08 9.9.9.9 taikai.network (type 1) + 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1) + 11:32:08 9.9.9.9 taikai.azureedge.net (type 1) + 11:32:08 9.9.9.9 www.youtube.com (type 1) +````` + +### snitrace +````` + --snitrace[=name\|pid] + Monitor Server Name Indication (TLS/SNI). The sandbox can be + specified by name or pid. Only networked sandboxes created with + --net are supported. This option is only available when running + the sandbox as root. + + Without a name/pid, Firejail will monitor the main system net‐ + work namespace. + + $ sudo firejail --snitrace=browser + 07:49:51 23.185.0.3 linux.com + 07:49:51 23.185.0.3 www.linux.com + 07:50:05 192.0.73.2 secure.gravatar.com + 07:52:35 172.67.68.93 www.howtoforge.com + 07:52:37 13.225.103.59 sf.ezoiccdn.com + 07:52:42 142.250.176.3 www.gstatic.com + 07:53:03 173.236.250.32 www.linuxlinks.com + 07:53:05 192.0.77.37 c0.wp.com + 07:53:08 192.0.78.32 jetpack.wordpress.com + 07:53:09 192.0.77.32 s0.wp.com + 07:53:09 192.0.77.2 i0.wp.com + 07:53:10 192.0.77.2 i0.wp.com + 07:53:11 192.0.73.2 1.gravatar.com +````` +### icmptrace +````` + --icmptrace[=name\|pid] + Monitor ICMP traffic. The sandbox can be specified by name or + pid. Only networked sandboxes created with --net are supported. + This option is only available when running the sandbox as root. + + Without a name/pid, Firejail will monitor the main system net‐ + work namespace. + + Example + $ sudo firejail --icmptrace + 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐ + quest/0 + 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐ + ply/0 + 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐ + quest/0 + 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐ + ply/0 + 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination un‐ + reachable/Port unreachable ````` ### Profile Statistics -A small tool to print profile statistics. Compile as usual and run in /etc/profiles: +A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. +Run it over the profiles in /etc/profiles: ``` -$ sudo cp src/profstats/profstats /etc/firejail/. -$ cd /etc/firejail -$ ./profstats .profile +$ /usr/lib/firejail/profstats /etc/firejail/.profile +No include .local found in /etc/firejail/noprofile.profile +Warning: multiple caps in /etc/firejail/transmission-daemon.profile + Stats: - profiles 1135 - include local profile 1135 (include profile-name.local) - include globals 1106 (include globals.local) - blacklist ~/.ssh 1009 (include disable-common.inc) - seccomp 1035 - capabilities 1130 - noexec 1011 (include disable-exec.inc) - noroot 944 - memory-deny-write-execute 242 - apparmor 667 - private-bin 635 - private-dev 992 - private-etc 508 - private-tmp 866 - whitelist home directory 542 - whitelist var 799 (include whitelist-var-common.inc) - whitelist run/user 597 (include whitelist-runuser-common.inc + profiles 1205 + include local profile 1204 (include profile-name.local) + include globals 1178 (include globals.local) + blacklist ~/.ssh 1076 (include disable-common.inc) + seccomp 1095 + capabilities 1199 + noexec 1084 (include disable-exec.inc) + noroot 1002 + memory-deny-write-execute 272 + restrict-namespaces 962 + apparmor 720 + private-bin 704 + private-dev 1055 + private-etc 546 + private-lib 71 + private-tmp 929 + whitelist home directory 581 + whitelist var 867 (include whitelist-var-common.inc) + whitelist run/user 1173 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 569 (include whitelist-usr-share-common.inc - net none 389 - dbus-user none 619 - dbus-user filter 105 - dbus-system none 770 - dbus-system filter 7 + whitelist usr/share 637 (include whitelist-usr-share-common.inc + net none 410 + dbus-user none 677 + dbus-user filter 137 + dbus-system none 848 + dbus-system filter 12 + ``` ### New profiles: -vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, -avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, -pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, -sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, -ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, -pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon, -neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr, -tin +onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, +cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp, +linuxqq, qq + + +
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/RELNOTES ^
@@ -1,3 +1,176 @@ +firejail (0.9.72) baseline; urgency=low + * feature: On failing to remount a fuse filesystem, give warning instead of + erroring out (#5240 #5242) + * feature: Update syscall tables and seccomp groups (#5188) + * feature: improve force-nonewprivs security guarantees (#5217 #5271) + * feature: add support for restricting the creation of Linux namespaces + (--restrict-namespaces, --restrict-namespaces=), implemented as a seccomp + filter for both 64 and 32 bit architectures (#4939 #5259) + * feature: add support for custom AppArmor profiles (--apparmor=) (#5274 + #5316 #5317 #5475) + * feature: add support for ICMP in nettrace + * feature: add --dnstrace, --icmptrace, and --snitrace commands + * feature: Add basic gtksourceview language-spec (file type detection/syntax + highlighting for profiles) (#5502) + * feature: add restrict-namespaces to (almost) all applicable profiles (#5440 + #5537) + * feature: add support for netlock in profile files + * modif: removed --cgroup= command (#5190 #5200) + * modif: set --shell=none as the default (#5190) + * modif: removed --shell= command (#5190 #5196 #5209) + * modif: disabled firetunnel by default in configure.ac (#5190) + * modif: disabled chroot by default in /etc/firejail/firejail.config (#5190) + * modif: disabled private-lib by default in /etc/firejail/firejail.config + (#5190 #5216) + * modif: disabled tracelog by default in /etc/firejail/firejail.config + (#5190) + * modif: removed grsecurity support + * modif: stop hiding blacklisted files in /etc by default and add a new + etc-hide-blacklisted option to firejail.config that enables the previous + behavior (disabled by default) (#5010 #5230 #5591 #5595) + * bugfix: Flood of seccomp audit log entries (#5207) + * bugfix: --netlock does not work (Error: no valid sandbox) (#5312) + * build: deduplicate configure-time vars into new config files (#5140 #5284) + * build: fix file mode of shell scripts (644 -> 755) (#5206) + * build: reduce autoconf input files from 32 to 2 (#5219) + * build: add dist build directory to .gitignore (#5248) + * build: add autoconf auto-generation comment to input files (#5251) + * build: Add files make uninstall forgot to remove (#5283) + * build: add and use TARNAME instead of NAME for paths (#5310) + * build: only install ids.config when --enable-ids is set (#5356 #5357) + * build: Remove deprecated syntax and modernize shell test scripts (#5370) + * build: Fix musl warnings (#5421 #5431) + * build: sort.py improvements (#5429) + * build: deduplicate makefiles (#5478) + * build: fix formatting and misc in configure (#5488) + * build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504) + * build: make shell commands more portable in firejail.vim (#5577) + * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) + * ci: ignore git-related paths and the project license (#5249) + * ci: Harden GitHub Actions (StepSecurity) (#5439) + * ci: sort and ignore more paths (#5481) + * ci: whitelist needed endpoints and block access to sudo (#5485) + * docs: fix typos (#5189 #5349) + * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 + #5290) + * docs: set vim filetype on man pages for syntax highlighting (#5296) + * docs: note that blacklist/whitelist follow symlinks (#5344) + * docs: Add IRC channel info to README.md (#5361) + * docs: man: Note that some commands can be disabled in firejail.config + (#5366) + * docs: Add gist note to bug_report.md (#5398) + * docs: clarify that --appimage should appear before --profile (#5402 #5451) + * docs: add more Firefox examples to the firejail-local AppArmor profile + (#5493) + * docs: Fix broken Restrict-DBus wiki link on profile.template (#5554) + * docs: Remove invalid --profile-path from --help (#5585 #5586) + * several new profiles + -- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500 + +firejail (0.9.70) baseline; urgency=low + * security: CVE-2022-31214 - root escalation in --join logic + Reported by Matthias Gerstner, working exploit code was provided to our + development team. In the same time frame, the problem was independently + reported by Birk Blechschmidt. Full working exploit code was also provided. + * feature: enable shell tab completion with --tab (#4936) + * feature: disable user profiles at compile time (#4990) + * feature: Allow resolution of .local names with avahi-daemon in the apparmor + profile (#5088) + * feature: always log seccomp errors (#5110) + * feature: firecfg --guide, guided user configuration (#5111) + * feature: --oom, kernel OutOfMemory-killer (#5122) + * modif: --ids feature needs to be enabled at compile time (#5155) + * modif: --nettrace only available to root user + * rework: whitelist restructuring (#4985) + * rework: firemon, speed up and lots of fixes + * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) + * bugfix: nogroups + wrc prints confusing messages (#4930 #4933) + * bugfix: openSUSE Leap - whitelist-run-common.inc (#4954) + * bugfix: fix printing in evince (#5011) + * bugfix: gcov: fix gcov functions always declared as dummy (#5028) + * bugfix: Stop warning on safe supplementary group clean (#5114) + * build: remove ultimately unused INSTALL and RANLIB check macros (#5133) + * build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154) + * ci: replace centos (EOL) with almalinux (#4912) + * ci: fix --version not printing compile-time features (#5147) + * ci: print version after install & fix apparmor support on build_apparmor + (#5148) + * docs: Refer to firejail.config in configuration files (#4916) + * docs: firejail.config: add warning about allow-tray (#4946) + * docs: mention that the protocol command accumulates (#5043) + * docs: mention inconsistent homedir bug involving --private=dir (#5052) + * docs: mention capabilities(7) on --caps (#5078) + * new profiles: onionshare, onionshare-cli, opera-developer, songrec + * new profiles: node-gyp, npx, semver, ping-hardened + * removed profiles: nvm + -- netblue30 <netblue30@yahoo.com> Thu, 9 Jun 2022 09:00:00 -0500 + +firejail (0.9.68) baseline; urgency=low + * security: on Ubuntu, the PPA is now recommended over the distro package + (see README.md) (#4748) + * security: bugfix: private-cwd leaks access to the entire filesystem + (#4780); reported by Hugo Osvaldo Barrera + * feature: remove (some) environment variables with auth-tokens (#4157) + * feature: ALLOW_TRAY condition (#4510 #4599) + * feature: add basic Firejail support to AppArmor base abstraction (#3226 + #4628) + * feature: intrusion detection system (--ids-init, --ids-check) + * feature: deterministic shutdown command (--deterministic-exit-code, + --deterministic-shutdown) (#928 #3042 #4635) + * feature: noprinters command (#4607 #4827) + * feature: network monitor (--nettrace) + * feature: network locker (--netlock) (#4848) + * feature: whitelist-ro profile command (#4740) + * feature: disable pipewire with --nosound (#4855) + * feature: Unset TMP if it doesn't exist inside of sandbox (#4151) + * feature: Allow apostrophe in whitelist and blacklist (#4614) + * feature: AppImage support in --build command (#4878) + * modifs: exit code: distinguish fatal signals by adding 128 (#4533) + * modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669) + * modifs: close file descriptors greater than 2 (--keep-fd) (#4845) + * modifs: nogroups now stopped causing certain system groups to be dropped, + which are now controlled by the relevant "no" options instead (such as + nosound -> drop audio group), which fixes device access issues on systems + not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851) + * removal: --disable-whitelist at compile time + * removal: whitelist=yes/no in /etc/firejail/firejail.config + * bugfix: Fix sndio support (#4362 #4365) + * bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387) + * bugfix: --build clears the environment (#4460 #4467) + * bugfix: firejail hangs with net parameter (#3958 #4476) + * bugfix: Firejail does not work with a custom hosts file (#2758 #4560) + * bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586) + * bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606) + * bugfix: firejail symlinks are not skipped with private-bin + globs (#4626) + * bugfix: Firejail rejects empty arguments (#4395) + * bugfix: firecfg does not work with symlinks (discord.desktop) (#4235) + * bugfix: Seccomp list output goes to stdout instead of stderr (#4328) + * bugfix: private-etc does not work with symlinks (#4887) + * bugfix: Hardware key not detected on keepassxc (#4883) + * build: allow building with address sanitizer (#4594) + * build: Stop linking pthread (#4695) + * build: Configure cleanup and improvements (#4712) + * ci: add profile checks for sorting disable-programs.inc and + firecfg.config and for the required arguments in private-etc (#2739 #4643) + * ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774) + * docs: Add new command checklist to CONTRIBUTING.md (#4413) + * docs: Rework bug report issue template and add both a question and a + feature request template (#4479 #4515 #4561) + * docs: fix contradictory descriptions of machine-id ("preserves" vs + "spoofs") (#4689) + * docs: Document that private-bin and private-etc always accumulate (#4078) + * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462) + * new includes: disable-proc.inc (#4521) + * removed includes: disable-passwordmgr.inc (#4454 #4461) + * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim + * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl + * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake + * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego + * new profiles: imv, retroarch, torbrowser, CachyBrowser, + * new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd, + * new profiles: Seafile, neovim, com.github.tchx84.Flatseal + -- netblue30 <netblue30@yahoo.com> Sun, 6 Feb 2022 09:00:00 -0500 + firejail (0.9.66) baseline; urgency=low * deprecated --audit options, relpaced by jailcheck utility * deprecated follow-symlink-as-user from firejail.config @@ -47,7 +220,7 @@ firejail (0.9.64.2) baseline; urgency=low * allow --tmpfs inside $HOME for unprivileged users - * --disable-usertmpfs compile time option + * --disable-usertmpfs compile time option * allow AF_BLUETOOTH via --protocol=bluetooth * Setup guide for new users: contrib/firejail-welcome.sh * implement netns in profiles @@ -554,7 +727,7 @@ * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * feature: move files in sandbox (--put) - * feature: accept wildcard patterns in user name field of restricted + * feature: accept wildcard patterns in user name field of restricted shell login feature * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, @@ -596,7 +769,7 @@ * compile time: disable whitelisting (--disable-whitelist) * compile time: disable global config (--disable-globalcfg) * run time: enable/disable overlayfs (overlayfs yes/no) - * run time: enable/disable quiet as default (quiet-by-default yes/no) + * run time: enable/disable quiet as default (quiet-by-default yes/no) * run time: user-defined network filter (netfilter-default) * run time: enable/disable whitelisting (whitelist yes/no) * run time: enable/disable remounting of /proc and /sys @@ -694,7 +867,7 @@ -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 firejail (0.9.36) baseline; urgency=low - * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, + * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, parole and rtorrent profiles * Google Chrome profile rework * added google-chrome-stable profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/SECURITY.md ^
@@ -2,23 +2,26 @@ ## Supported Versions -\| Version \| Supported by us \| EOL \| Supported by distribution \| -\| ------- \| ------------------ \| ---- \| --------------------------- -\| 0.9.64 \| :heavy_check_mark: \| \| :white_check_mark: Debian 10 backports, Debian 11 backports, Debian 12 (testing/unstable) -\| 0.9.62 \| :x: \| \| :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 -\| 0.9.60 \| :x: \| 29 Dec 2019 \| -\| 0.9.58 \| :x: \| \| :white_check_mark: Debian 9 backports, Debian 10 -\| 0.9.56 \| :x: \| 27 Jan 2019 \| -\| 0.9.54 \| :x: \| 18 Sep 2018 \| -\| 0.9.52 \| :x: \| \| :white_check_mark: Ubuntu 18.04 LTS -\| 0.9.50 \| :x: \| 12 Dec 2017 \| -\| 0.9.48 \| :x: \| 09 Sep 2017 \| -\| 0.9.46 \| :x: \| 12 Jun 2017 \| -\| 0.9.44 \| :x: \| \| :white_check_mark: Debian 9 -\| 0.9.42 \| :x: \| 22 Oct 2016 \| -\| 0.9.40 \| :x: \| 09 Sep 2016 \| -\| 0.9.38 \| :x: \| \| :white_check_mark: Ubuntu 16.04 LTS -\| <0.9.38 \| :x: \| Before 05 Feb 2016 \| +\| Version \| Supported by us \| EOL \| Supported by distribution \| +\| ------- \| ------------------ \| ------------------ \| --------------------------------------------------------------------------------- \| +\| 0.9.70 \| :heavy_check_mark: \| \| \| +\| 0.9.68 \| :x: \| \| \| +\| 0.9.66 \| :x: \| \| :white_check_mark: Debian 11 backports, Debian 12 (testing/unstable) \| +\| 0.9.64 \| :x: \| \| :white_check_mark: Debian 10 backports, Debian 11, Ubuntu 21.10 \| +\| 0.9.62 \| :x: \| \| :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 \| +\| 0.9.60 \| :x: \| 29 Dec 2019 \| \| +\| 0.9.58 \| :x: \| \| :white_check_mark: Debian 9 backports, Debian 10 \| +\| 0.9.56 \| :x: \| 27 Jan 2019 \| \| +\| 0.9.54 \| :x: \| 18 Sep 2018 \| \| +\| 0.9.52 \| :x: \| \| :white_check_mark: Ubuntu 18.04 LTS \| +\| 0.9.50 \| :x: \| 12 Dec 2017 \| \| +\| 0.9.48 \| :x: \| 09 Sep 2017 \| \| +\| 0.9.46 \| :x: \| 12 Jun 2017 \| \| +\| 0.9.44 \| :x: \| \| :white_check_mark: Debian 9 \| +\| 0.9.42 \| :x: \| 22 Oct 2016 \| \| +\| 0.9.40 \| :x: \| 09 Sep 2016 \| \| +\| 0.9.38 \| :x: \| 31 May 2016 \| \| +\| <0.9.38 \| :x: \| Before 05 Feb 2016 \| \| ## Security vulnerabilities
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/private-etc-always-required.sh ^
@@ -0,0 +1,15 @@ +#!/bin/bash + +ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload) + +error=0 +while IFS=: read -r profile private_etc; do + for required in "${ALWAYS_REQUIRED[@]}"; do + if grep -q -v -E "( \|,)$required(,\|$)" <<<"$private_etc"; then + printf '%s misses %s\n' "$profile" "$required" >&2 + error=1 + fi + done +done < <(grep "^private-etc " "$@") + +exit "$error"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/sort-disable-programs.sh ^
@@ -0,0 +1,2 @@ +#!/bin/sh +tail -n +5 "$1" \| LC_ALL=C sort -c -u
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/sort-firecfg.config.sh ^
@@ -0,0 +1,2 @@ +#!/bin/sh +tail -n +4 "$1" \| sed 's/^# /#/' \| LC_ALL=C sort -c -d
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/ci/check/profiles/sort.py ^
+(symlink to ../../../contrib/sort.py)
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/config.mk.in ^
@@ -0,0 +1,69 @@ +# @configure_input@ +# +# Configure-time variable definitions and any other common definition that can +# be safely included by all makefiles. +# +# Note: Do not define any targets on this file, as that could potentially end +# up overriding the includer's intended default target (which by default is the +# first target encountered). + +NAME=@PACKAGE_NAME@ +TARNAME=@PACKAGE_TARNAME@ +PACKAGE_TARNAME=@PACKAGE_TARNAME@ # needed by docdir +VERSION=@PACKAGE_VERSION@ + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +libdir=@libdir@ +datarootdir=@datarootdir@ +docdir=@docdir@ +mandir=@mandir@ +sysconfdir=@sysconfdir@ + +HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ +BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ +HAVE_SUID=@HAVE_SUID@ +HAVE_MAN=@HAVE_MAN@ + +HAVE_CHROOT=@HAVE_CHROOT@ +HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ +HAVE_NETWORK=@HAVE_NETWORK@ +HAVE_USERNS=@HAVE_USERNS@ +HAVE_X11=@HAVE_X11@ +HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ +HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ +HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ +HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ +HAVE_IDS=@HAVE_IDS@ +HAVE_GCOV=@HAVE_GCOV@ +HAVE_SELINUX=@HAVE_SELINUX@ +HAVE_SUID=@HAVE_SUID@ +HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ +HAVE_USERTMPFS=@HAVE_USERTMPFS@ +HAVE_OUTPUT=@HAVE_OUTPUT@ +HAVE_LTS=@HAVE_LTS@ +HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ +HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ + +MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) + +# User variables - should not be modified in the code (as they are reserved for +# the user building the package); see the following for details: +# https://www.gnu.org/software/automake/manual/1.16.5/html_node/User-Variables.html +CC=@CC@ +CFLAGS=@CFLAGS@ +LDFLAGS=@LDFLAGS@ + +# Project variables +LIBS=@LIBS@ + +ifdef NO_EXTRA_CFLAGS +else +EXTRA_CFLAGS +=@EXTRA_CFLAGS@ +endif + +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/config.sh.in ^
@@ -0,0 +1,8 @@ +# @configure_input@ +# +# shellcheck shell=sh +# shellcheck disable=SC2034 + +NAME="@PACKAGE_NAME@" +TARNAME="@PACKAGE_TARNAME@" +VERSION="@PACKAGE_VERSION@"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/configure ^
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.66. +# Generated by GNU Autoconf 2.69 for firejail 0.9.72. # # Report bugs to <netblue30@protonmail.com>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.66' -PACKAGE_STRING='firejail 0.9.66' +PACKAGE_VERSION='0.9.72' +PACKAGE_STRING='firejail 0.9.72' PACKAGE_BUGREPORT='netblue30@protonmail.com' PACKAGE_URL='https://firejail.wordpress.com' @@ -628,13 +628,13 @@ GREP CPP HAVE_LTS +HAVE_ONLY_SYSCFG_PROFILES HAVE_FORCE_NONEWPRIVS HAVE_CONTRIB_INSTALL HAVE_GCOV BUSYBOX_WORKAROUND HAVE_FATAL_WARNINGS HAVE_SUID -HAVE_WHITELIST HAVE_FILE_TRANSFER HAVE_X11 HAVE_USERNS @@ -652,16 +652,13 @@ EXTRA_LDFLAGS EXTRA_CFLAGS HAVE_SELINUX -HAVE_APPARMOR AA_LIBS AA_CFLAGS PKG_CONFIG_LIBDIR PKG_CONFIG_PATH PKG_CONFIG -RANLIB -INSTALL_DATA -INSTALL_SCRIPT -INSTALL_PROGRAM +HAVE_APPARMOR +HAVE_IDS OBJEXT EXEEXT ac_ct_CC @@ -712,6 +709,8 @@ ac_user_opts=' enable_option_checking enable_analyzer +enable_sanitizer +enable_ids enable_apparmor enable_selinux enable_dbusproxy @@ -726,13 +725,13 @@ enable_userns enable_x11 enable_file_transfer -enable_whitelist enable_suid enable_fatal_warnings enable_busybox_workaround enable_gcov enable_contrib_install enable_force_nonewprivs +enable_only_syscfg_profiles enable_lts ' ac_precious_vars='build_alias @@ -1299,7 +1298,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.66 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.72 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1361,7 +1360,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short \| recursive ) echo "Configuration of firejail 0.9.66:";; + short \| recursive ) echo "Configuration of firejail 0.9.72:";; esac cat <<\_ACEOF @@ -1370,22 +1369,24 @@ --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-analyzer enable GCC static analyzer + --enable-sanitizer=[address \| memory \| undefined] + enable a compiler-based sanitizer (debug) + --enable-ids enable ids --enable-apparmor enable apparmor --enable-selinux SELinux labeling support --disable-dbusproxy disable dbus proxy --disable-output disable --output logging --disable-usertmpfs disable tmpfs as regular user --disable-man disable man pages - --disable-firetunnel disable firetunnel + --enable-firetunnel enable firetunnel --disable-private-home disable private home feature --disable-chroot disable chroot - --disable-globalcfg if the global config file firejail.cfg is not + --disable-globalcfg if the global config file firejail.config is not present, continue the program using defaults --disable-network disable network --disable-userns disable user namespace --disable-x11 disable X11 sandboxing support --disable-file-transfer disable file transfer - --disable-whitelist disable whitelist --disable-suid install as a non-SUID executable --enable-fatal-warnings -W -Wall -Werror --enable-busybox-workaround @@ -1395,6 +1396,8 @@ install contrib scripts --enable-force-nonewprivs enable force nonewprivs + --enable-only-syscfg-profiles + disable profiles in $HOME/.config/firejail --enable-lts enable long-term support software version (LTS) Some influential environment variables: @@ -1481,7 +1484,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.66 +firejail configure 0.9.72 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1533,52 +1536,6 @@ } # ac_fn_c_try_compile -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - \" \| \` \| \\) ac_try_echo=\$ac_try;; - ) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ +' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" \|\| - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes \|\| - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/\| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link - # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. @@ -1783,7 +1740,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.66, which was +It was created by firejail $as_me 0.9.72, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2924,220 +2881,6 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu -ac_aux_dir= -for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do - if test -f "$ac_dir/install-sh"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install-sh -c" - break - elif test -f "$ac_dir/install.sh"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install.sh -c" - break - elif test -f "$ac_dir/shtool"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/shtool install -c" - break - fi -done -if test -z "$ac_aux_dir"; then - as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 -fi - -# These three variables are undocumented and unsupported, -# and are intended to be withdrawn in a future Autoconf release. -# They can cause serious problems if a builder's source tree is in a directory -# whose full name contains unusual characters. -ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. -ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. -ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. - - -# Find a good install program. We prefer a C program (faster), -# so one script is as good as another. But avoid the broken or -# incompatible versions: -# SysV /etc/install, /usr/sbin/install -# SunOS /usr/etc/install -# IRIX /sbin/install -# AIX /bin/install -# AmigaOS /C/install, which installs bootblocks on floppy discs -# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag -# AFS /usr/afsws/bin/install, which mishandles nonexistent args -# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" -# OS/2's system install, which has a completely different semantic -# ./install, which can be erroneously created by make from ./install.sh. -# Reject install programs that cannot install multiple files. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 -$as_echo_n "checking for a BSD-compatible install... " >&6; } -if test -z "$INSTALL"; then -if ${ac_cv_path_install+:} false; then : - $as_echo_n "(cached) " >&6 -else - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - # Account for people who put trailing slashes in PATH elements. -case $as_dir/ in #(( - ./ \| .// \| /[cC]/* \| \ - /etc/* \| /usr/sbin/* \| /usr/etc/* \| /sbin/* \| /usr/afsws/bin/* \| \ - ?:[\\/]os2[\\/]install[\\/]* \| ?:[\\/]OS2[\\/]INSTALL[\\/]* \| \ - /usr/ucb/* ) ;; - ) - # OSF1 and SCO ODT 3.0 have their own names for install. - # Don't use installbsd from OSF since it installs stuff as root - # by default. - for ac_prog in ginstall scoinst install; do - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then - if test $ac_prog = install && - grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # AIX install. It has an incompatible calling convention. - : - elif test $ac_prog = install && - grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # program-specific install script used by HP pwplus--don't use. - : - else - rm -rf conftest.one conftest.two conftest.dir - echo one > conftest.one - echo two > conftest.two - mkdir conftest.dir - if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && - test -s conftest.one && test -s conftest.two && - test -s conftest.dir/conftest.one && - test -s conftest.dir/conftest.two - then - ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" - break 3 - fi - fi - fi - done - done - ;; -esac - - done -IFS=$as_save_IFS - -rm -rf conftest.one conftest.two conftest.dir - -fi - if test "${ac_cv_path_install+set}" = set; then - INSTALL=$ac_cv_path_install - else - # As a last resort, use the slow shell script. Don't cache a - # value for INSTALL within a source directory, because that will - # break other packages using the cache if that directory is - # removed, or if the value is a relative name. - INSTALL=$ac_install_sh - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 -$as_echo "$INSTALL" >&6; } - -# Use test -z because SunOS4 sh mishandles braces in ${var-val}. -# It thinks the first close brace ends the variable substitution. -test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' - -test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' - -test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' - -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. -set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_RANLIB+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$RANLIB"; then - ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -RANLIB=$ac_cv_prog_RANLIB -if test -n "$RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 -$as_echo "$RANLIB" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -fi -if test -z "$ac_cv_prog_RANLIB"; then - ac_ct_RANLIB=$RANLIB - # Extract the first word of "ranlib", so it can be a program name with args. -set dummy ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ac_ct_RANLIB"; then - ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_RANLIB="ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB -if test -n "$ac_ct_RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 -$as_echo "$ac_ct_RANLIB" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - if test "x$ac_ct_RANLIB" = x; then - RANLIB=":" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - RANLIB=$ac_ct_RANLIB - fi -else - RANLIB="$ac_cv_prog_RANLIB" -fi - HAVE_SPECTRE="no" @@ -3171,7 +2914,9 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5 $as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; } if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" + + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" else : @@ -3207,7 +2952,9 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5 $as_echo "$ax_cv_check_cflags___mretpoline" >&6; } if test "x$ax_cv_check_cflags___mretpoline" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" + + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" else : @@ -3243,7 +2990,9 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5 $as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; } if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" + + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" else : @@ -3279,7 +3028,9 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 $as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; } if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" + + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" else : @@ -3297,7 +3048,73 @@ fi +# Check whether --enable-sanitizer was given. +if test "${enable_sanitizer+set}" = set; then : + enableval=$enable_sanitizer; +else + enable_sanitizer=no +fi + +if test "x$enable_sanitizer" != "xno" ; then : + + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" \| $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5 +$as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fsanitize=$enable_sanitizer" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/ end confdefs.h. / + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : + + EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer" + EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer" + +else + as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5 +fi + + +fi + +HAVE_IDS="" + +# Check whether --enable-ids was given. +if test "${enable_ids+set}" = set; then : + enableval=$enable_ids; +fi + +if test "x$enable_ids" = "xyes"; then : + + HAVE_IDS="-DHAVE_IDS" + +fi + HAVE_APPARMOR="" + # Check whether --enable-apparmor was given. if test "${enable_apparmor+set}" = set; then : enableval=$enable_apparmor; @@ -3428,8 +3245,8 @@ HAVE_APPARMOR="-DHAVE_APPARMOR" pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5 -$as_echo_n "checking for AA... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5 +$as_echo_n "checking for libapparmor... " >&6; } if test -n "$AA_CFLAGS"; then pkg_cv_AA_CFLAGS="$AA_CFLAGS" @@ -3469,7 +3286,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then @@ -3496,7 +3313,7 @@ and AA_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} @@ -3515,13 +3332,16 @@ AA_LIBS=$pkg_cv_AA_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS" -fi + EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" + LIBS="$LIBS $AA_LIBS" + +fi fi HAVE_SELINUX="" + # Check whether --enable-selinux was given. if test "${enable_selinux+set}" = set; then : enableval=$enable_selinux; @@ -3530,16 +3350,15 @@ if test "x$enable_selinux" = "xyes"; then : HAVE_SELINUX="-DHAVE_SELINUX" - EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux " - + LIBS="$LIBS -lselinux" fi - HAVE_DBUSPROXY="" + # Check whether --enable-dbusproxy was given. if test "${enable_dbusproxy+set}" = set; then : enableval=$enable_dbusproxy; @@ -3549,21 +3368,19 @@ HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" - fi -# overlayfs features temporarely disabled pending fixes +# overlayfs features temporarily disabled pending fixes HAVE_OVERLAYFS="" -# #AC_ARG_ENABLE([overlayfs], -# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])]) #AS_IF([test "x$enable_overlayfs" != "xno"], [ # HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" -# AC_SUBST(HAVE_OVERLAYFS) #]) HAVE_OUTPUT="" + # Check whether --enable-output was given. if test "${enable_output+set}" = set; then : enableval=$enable_output; @@ -3573,10 +3390,10 @@ HAVE_OUTPUT="-DHAVE_OUTPUT" - fi HAVE_USERTMPFS="" + # Check whether --enable-usertmpfs was given. if test "${enable_usertmpfs+set}" = set; then : enableval=$enable_usertmpfs; @@ -3586,10 +3403,10 @@ HAVE_USERTMPFS="-DHAVE_USERTMPFS" - fi HAVE_MAN="no" + # Check whether --enable-man was given. if test "${enable_man+set}" = set; then : enableval=$enable_man; @@ -3598,7 +3415,6 @@ if test "x$enable_man" != "xno"; then : HAVE_MAN="-DHAVE_MAN" - # Extract the first word of "gawk", so it can be a program name with args. set dummy gawk; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 @@ -3638,25 +3454,26 @@ if test "x$HAVE_GAWK" != "xyes"; then : - as_fn_error $? "\" gawk not found \"" "$LINENO" 5 + as_fn_error $? " gawk not found " "$LINENO" 5 fi fi HAVE_FIRETUNNEL="" + # Check whether --enable-firetunnel was given. if test "${enable_firetunnel+set}" = set; then : enableval=$enable_firetunnel; fi -if test "x$enable_firetunnel" != "xno"; then : +if test "x$enable_firetunnel" = "xyes"; then : HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" - fi -HAVE_PRIVATEHOME="" +HAVE_PRIVATE_HOME="" + # Check whether --enable-private-home was given. if test "${enable_private_home+set}" = set; then : enableval=$enable_private_home; @@ -3666,10 +3483,10 @@ HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" - fi HAVE_CHROOT="" + # Check whether --enable-chroot was given. if test "${enable_chroot+set}" = set; then : enableval=$enable_chroot; @@ -3679,10 +3496,10 @@ HAVE_CHROOT="-DHAVE_CHROOT" - fi HAVE_GLOBALCFG="" + # Check whether --enable-globalcfg was given. if test "${enable_globalcfg+set}" = set; then : enableval=$enable_globalcfg; @@ -3692,10 +3509,10 @@ HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" - fi HAVE_NETWORK="" + # Check whether --enable-network was given. if test "${enable_network+set}" = set; then : enableval=$enable_network; @@ -3705,10 +3522,10 @@ HAVE_NETWORK="-DHAVE_NETWORK" - fi HAVE_USERNS="" + # Check whether --enable-userns was given. if test "${enable_userns+set}" = set; then : enableval=$enable_userns; @@ -3718,10 +3535,10 @@ HAVE_USERNS="-DHAVE_USERNS" - fi HAVE_X11="" + # Check whether --enable-x11 was given. if test "${enable_x11+set}" = set; then : enableval=$enable_x11; @@ -3731,10 +3548,10 @@ HAVE_X11="-DHAVE_X11" - fi HAVE_FILE_TRANSFER="" + # Check whether --enable-file-transfer was given. if test "${enable_file_transfer+set}" = set; then : enableval=$enable_file_transfer; @@ -3744,37 +3561,23 @@ HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" - -fi - -HAVE_WHITELIST="" -# Check whether --enable-whitelist was given. -if test "${enable_whitelist+set}" = set; then : - enableval=$enable_whitelist; -fi - -if test "x$enable_whitelist" != "xno"; then : - - HAVE_WHITELIST="-DHAVE_WHITELIST" - - fi HAVE_SUID="" + # Check whether --enable-suid was given. if test "${enable_suid+set}" = set; then : enableval=$enable_suid; fi -if test "x$enable_suid" = "xno"; then : - HAVE_SUID="no" -else - HAVE_SUID="yes" +if test "x$enable_suid" != "xno"; then : -fi + HAVE_SUID="-DHAVE_SUID" +fi HAVE_FATAL_WARNINGS="" + # Check whether --enable-fatal_warnings was given. if test "${enable_fatal_warnings+set}" = set; then : enableval=$enable_fatal_warnings; @@ -3784,10 +3587,10 @@ HAVE_FATAL_WARNINGS="-W -Wall -Werror" - fi BUSYBOX_WORKAROUND="no" + # Check whether --enable-busybox-workaround was given. if test "${enable_busybox_workaround+set}" = set; then : enableval=$enable_busybox_workaround; @@ -3797,11 +3600,10 @@ BUSYBOX_WORKAROUND="yes" - fi - HAVE_GCOV="" + # Check whether --enable-gcov was given. if test "${enable_gcov+set}" = set; then : enableval=$enable_gcov; @@ -3809,27 +3611,27 @@ if test "x$enable_gcov" = "xyes"; then : - HAVE_GCOV="--coverage -DHAVE_GCOV " - EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage " - + HAVE_GCOV="--coverage -DHAVE_GCOV" + EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage" + LIBS="$LIBS -lgcov" fi HAVE_CONTRIB_INSTALL="yes" + # Check whether --enable-contrib-install was given. if test "${enable_contrib_install+set}" = set; then : enableval=$enable_contrib_install; fi if test "x$enable_contrib_install" = "xno"; then : - HAVE_CONTRIB_INSTALL="no" -else - HAVE_CONTRIB_INSTALL="yes" -fi + HAVE_CONTRIB_INSTALL="no" +fi HAVE_FORCE_NONEWPRIVS="" + # Check whether --enable-force-nonewprivs was given. if test "${enable_force_nonewprivs+set}" = set; then : enableval=$enable_force_nonewprivs; @@ -3839,10 +3641,23 @@ HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" +fi + +HAVE_ONLY_SYSCFG_PROFILES="" + +# Check whether --enable-only-syscfg-profiles was given. +if test "${enable_only_syscfg_profiles+set}" = set; then : + enableval=$enable_only_syscfg_profiles; +fi + +if test "x$enable_only_syscfg_profiles" = "xyes"; then : + + HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" fi HAVE_LTS="" + # Check whether --enable-lts was given. if test "${enable_lts+set}" = set; then : enableval=$enable_lts; @@ -3851,98 +3666,23 @@ if test "x$enable_lts" = "xyes"; then : HAVE_LTS="-DHAVE_LTS" - - + HAVE_IDS="" HAVE_DBUSPROXY="" - - HAVE_OVERLAYFS="" - - HAVE_OUTPUT="" - - HAVE_USERTMPFS="" - - HAVE_MAN="-DHAVE_MAN" - - HAVE_FIRETUNNEL="" - - - HAVE_PRIVATEHOME="" - - + HAVE_PRIVATE_HOME="" HAVE_CHROOT="" - - HAVE_GLOBALCFG="" - - HAVE_USERNS="" - - HAVE_X11="" - - HAVE_FILE_TRANSFER="" - - - HAVE_SUID="yes" - - + HAVE_SUID="-DHAVE_SUID" BUSYBOX_WORKAROUND="no" + HAVE_CONTRIB_INSTALL="no" - - HAVE_CONTRIB_INSTALL="no", - - -fi - - - - -# checking pthread library -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 -$as_echo_n "checking for main in -lpthread... " >&6; } -if ${ac_cv_lib_pthread_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpthread $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/ end confdefs.h. / - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_pthread_main=yes -else - ac_cv_lib_pthread_main=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 -$as_echo "$ac_cv_lib_pthread_main" >&6; } -if test "x$ac_cv_lib_pthread_main" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPTHREAD 1 -_ACEOF - - LIBS="-lpthread $LIBS" - -else - as_fn_error $? " POSIX thread support not installed " "$LINENO" 5 fi ac_ext=c @@ -4342,14 +4082,6 @@ done -ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" -if test "x$ac_cv_header_pthread_h" = xyes; then : - -else - as_fn_error $? " POSIX thread support not installed " "$LINENO" 5 -fi - - ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : @@ -4364,9 +4096,7 @@ test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" fi -ac_config_files="$ac_config_files mkdeb.sh" - -ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile" +ac_config_files="$ac_config_files config.mk config.sh" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4910,7 +4640,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.66, which was +This file was extended by firejail $as_me 0.9.72, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4964,7 +4694,7 @@ cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.66 +firejail config.status 0.9.72 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -4974,7 +4704,6 @@ ac_pwd='$ac_pwd' srcdir='$srcdir' -INSTALL='$INSTALL' test -n "\$AWK" \|\| AWK=awk _ACEOF @@ -5075,31 +4804,8 @@ for ac_config_target in $ac_config_targets do case $ac_config_target in - "mkdeb.sh") CONFIG_FILES="$CONFIG_FILES mkdeb.sh" ;; - "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;; - "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; - "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; - "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; - "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;; - "src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;; - "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; - "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; - "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; - "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; - "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; - "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; - "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; - "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; - "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; - "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; - "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; - "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; - "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; - "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;; - "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;; - "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; - "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;; + "config.mk") CONFIG_FILES="$CONFIG_FILES config.mk" ;; + "config.sh") CONFIG_FILES="$CONFIG_FILES config.sh" ;; ) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac @@ -5434,10 +5140,6 @@ # CONFIG_FILE # - case $INSTALL in - [\\/$]* \| ?:[\\/]* ) ac_INSTALL=$INSTALL ;; - ) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; - esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF \|\| ac_write_fail=1 @@ -5491,7 +5193,6 @@ s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t -s&@INSTALL@&$ac_INSTALL&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" \| $AWK -f "$ac_tmp/subs.awk" \ @@ -5518,11 +5219,6 @@ esac - - case $ac_file$ac_mode in - "mkdeb.sh":F) chmod +x mkdeb.sh ;; - - esac done # for ac_tag @@ -5562,47 +5258,51 @@ cat <<EOF -Configuration options: +Compile options: + CC: $CC + CFLAGS: $CFLAGS + LDFLAGS: $LDFLAGS + EXTRA_CFLAGS: $EXTRA_CFLAGS + EXTRA_LDFLAGS: $EXTRA_LDFLAGS + LIBS: $LIBS + fatal warnings: $HAVE_FATAL_WARNINGS + gcov instrumentation: $HAVE_GCOV + install as a SUID executable: $HAVE_SUID + install contrib scripts: $HAVE_CONTRIB_INSTALL prefix: $prefix sysconfdir: $sysconfdir + Spectre compiler patch: $HAVE_SPECTRE + +Features: + allow tmpfs as regular user: $HAVE_USERTMPFS + always enforce filters: $HAVE_FORCE_NONEWPRIVS apparmor: $HAVE_APPARMOR - SELinux labeling support: $HAVE_SELINUX - global config: $HAVE_GLOBALCFG + busybox workaround: $BUSYBOX_WORKAROUND chroot: $HAVE_CHROOT - network: $HAVE_NETWORK - user namespace: $HAVE_USERNS - X11 sandboxing support: $HAVE_X11 - whitelisting: $HAVE_WHITELIST - private home support: $HAVE_PRIVATE_HOME - file transfer support: $HAVE_FILE_TRANSFER - overlayfs support: $HAVE_OVERLAYFS DBUS proxy support: $HAVE_DBUSPROXY - allow tmpfs as regular user: $HAVE_USERTMPFS - enable --ouput logging: $HAVE_OUTPUT - Manpage support: $HAVE_MAN + disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES + enable --output logging: $HAVE_OUTPUT + file transfer support: $HAVE_FILE_TRANSFER firetunnel support: $HAVE_FIRETUNNEL - busybox workaround: $BUSYBOX_WORKAROUND - Spectre compiler patch: $HAVE_SPECTRE - EXTRA_LDFLAGS: $EXTRA_LDFLAGS - EXTRA_CFLAGS: $EXTRA_CFLAGS - fatal warnings: $HAVE_FATAL_WARNINGS - Gcov instrumentation: $HAVE_GCOV - Install contrib scripts: $HAVE_CONTRIB_INSTALL - Install as a SUID executable: $HAVE_SUID + global config: $HAVE_GLOBALCFG + IDS support: $HAVE_IDS LTS: $HAVE_LTS - Always enforce filters: $HAVE_FORCE_NONEWPRIVS + manpage support: $HAVE_MAN + network: $HAVE_NETWORK + overlayfs support: $HAVE_OVERLAYFS + private home support: $HAVE_PRIVATE_HOME + SELinux labeling support: $HAVE_SELINUX + user namespace: $HAVE_USERNS + X11 sandboxing support: $HAVE_X11 EOF if test "$HAVE_LTS" = -DHAVE_LTS; then cat <<\EOF - - ******************************************************** * Warning: Long-term support (LTS) was enabled! * -* Most compile-time options have bean rewritten! * +* Most compile-time options have been rewritten! * ********************************************************* - EOF fi
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/configure.ac ^
@@ -12,348 +12,330 @@ # AC_PREREQ([2.68]) -AC_INIT([firejail],[0.9.66],[netblue30@protonmail.com],[],[https://firejail.wordpress.com]) -AC_CONFIG_SRCDIR([src/firejail/main.c]) +AC_INIT([firejail], [0.9.72], [netblue30@protonmail.com], [], + [https://firejail.wordpress.com]) +AC_CONFIG_SRCDIR([src/firejail/main.c]) AC_CONFIG_MACRO_DIR([m4]) AC_PROG_CC -AC_PROG_INSTALL -AC_PROG_RANLIB HAVE_SPECTRE="no" -AX_CHECK_COMPILE_FLAG( - [-mindirect-branch=thunk], - [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"] -) -AX_CHECK_COMPILE_FLAG( - [-mretpoline], - [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"] -) -AX_CHECK_COMPILE_FLAG( - [-fstack-clash-protection], - [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"] -) -AX_CHECK_COMPILE_FLAG( - [-fstack-protector-strong], - [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"] -) +AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [ + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" +]) +AX_CHECK_COMPILE_FLAG([-mretpoline], [ + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" +]) +AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [ + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" +]) +AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [ + HAVE_SPECTRE="yes" + EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" +]) AC_ARG_ENABLE([analyzer], - AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])) + [AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])]) AS_IF([test "x$enable_analyzer" = "xyes"], [ EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak" ]) +AC_ARG_ENABLE([sanitizer], + [AS_HELP_STRING([--enable-sanitizer=@<:@address \| memory \| undefined@:>@], + [enable a compiler-based sanitizer (debug)])], + [], + [enable_sanitizer=no]) +AS_IF([test "x$enable_sanitizer" != "xno" ], [ + AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [ + EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer" + EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer" + ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]) +]) + +HAVE_IDS="" +AC_SUBST([HAVE_IDS]) +AC_ARG_ENABLE([ids], + [AS_HELP_STRING([--enable-ids], [enable ids])]) +AS_IF([test "x$enable_ids" = "xyes"], [ + HAVE_IDS="-DHAVE_IDS" +]) + HAVE_APPARMOR="" +AC_SUBST([HAVE_APPARMOR]) AC_ARG_ENABLE([apparmor], - AS_HELP_STRING([--enable-apparmor], [enable apparmor])) + [AS_HELP_STRING([--enable-apparmor], [enable apparmor])]) AS_IF([test "x$enable_apparmor" = "xyes"], [ HAVE_APPARMOR="-DHAVE_APPARMOR" - PKG_CHECK_MODULES([AA], libapparmor, - [EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"]) - AC_SUBST(HAVE_APPARMOR) + PKG_CHECK_MODULES([AA], [libapparmor], [ + EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" + LIBS="$LIBS $AA_LIBS" + ]) ]) HAVE_SELINUX="" +AC_SUBST([HAVE_SELINUX]) AC_ARG_ENABLE([selinux], - AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) + [AS_HELP_STRING([--enable-selinux], [SELinux labeling support])]) AS_IF([test "x$enable_selinux" = "xyes"], [ HAVE_SELINUX="-DHAVE_SELINUX" - EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux " - AC_SUBST(HAVE_SELINUX) + LIBS="$LIBS -lselinux" ]) AC_SUBST([EXTRA_CFLAGS]) AC_SUBST([EXTRA_LDFLAGS]) - HAVE_DBUSPROXY="" +AC_SUBST([HAVE_DBUSPROXY]) AC_ARG_ENABLE([dbusproxy], - AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])) + [AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])]) AS_IF([test "x$enable_dbusproxy" != "xno"], [ HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" - AC_SUBST(HAVE_DBUSPROXY) ]) -# overlayfs features temporarely disabled pending fixes +# overlayfs features temporarily disabled pending fixes HAVE_OVERLAYFS="" -AC_SUBST(HAVE_OVERLAYFS) -# +AC_SUBST([HAVE_OVERLAYFS]) #AC_ARG_ENABLE([overlayfs], -# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])]) #AS_IF([test "x$enable_overlayfs" != "xno"], [ # HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" -# AC_SUBST(HAVE_OVERLAYFS) #]) HAVE_OUTPUT="" +AC_SUBST([HAVE_OUTPUT]) AC_ARG_ENABLE([output], - AS_HELP_STRING([--disable-output], [disable --output logging])) + [AS_HELP_STRING([--disable-output], [disable --output logging])]) AS_IF([test "x$enable_output" != "xno"], [ HAVE_OUTPUT="-DHAVE_OUTPUT" - AC_SUBST(HAVE_OUTPUT) ]) HAVE_USERTMPFS="" +AC_SUBST([HAVE_USERTMPFS]) AC_ARG_ENABLE([usertmpfs], - AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) + [AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])]) AS_IF([test "x$enable_usertmpfs" != "xno"], [ HAVE_USERTMPFS="-DHAVE_USERTMPFS" - AC_SUBST(HAVE_USERTMPFS) ]) HAVE_MAN="no" +AC_SUBST([HAVE_MAN]) AC_ARG_ENABLE([man], - AS_HELP_STRING([--disable-man], [disable man pages])) + [AS_HELP_STRING([--disable-man], [disable man pages])]) AS_IF([test "x$enable_man" != "xno"], [ HAVE_MAN="-DHAVE_MAN" - AC_SUBST(HAVE_MAN) AC_CHECK_PROG([HAVE_GAWK], [gawk], [yes], [no]) - AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR("* gawk not found ")]) + AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR([ gawk not found ])]) ]) HAVE_FIRETUNNEL="" +AC_SUBST([HAVE_FIRETUNNEL]) AC_ARG_ENABLE([firetunnel], - AS_HELP_STRING([--disable-firetunnel], [disable firetunnel])) -AS_IF([test "x$enable_firetunnel" != "xno"], [ + [AS_HELP_STRING([--enable-firetunnel], [enable firetunnel])]) +AS_IF([test "x$enable_firetunnel" = "xyes"], [ HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" - AC_SUBST(HAVE_FIRETUNNEL) ]) -HAVE_PRIVATEHOME="" +HAVE_PRIVATE_HOME="" +AC_SUBST([HAVE_PRIVATE_HOME]) AC_ARG_ENABLE([private-home], - AS_HELP_STRING([--disable-private-home], [disable private home feature])) + [AS_HELP_STRING([--disable-private-home], [disable private home feature])]) AS_IF([test "x$enable_private_home" != "xno"], [ HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" - AC_SUBST(HAVE_PRIVATE_HOME) ]) HAVE_CHROOT="" +AC_SUBST([HAVE_CHROOT]) AC_ARG_ENABLE([chroot], - AS_HELP_STRING([--disable-chroot], [disable chroot])) + [AS_HELP_STRING([--disable-chroot], [disable chroot])]) AS_IF([test "x$enable_chroot" != "xno"], [ HAVE_CHROOT="-DHAVE_CHROOT" - AC_SUBST(HAVE_CHROOT) ]) HAVE_GLOBALCFG="" +AC_SUBST([HAVE_GLOBALCFG]) AC_ARG_ENABLE([globalcfg], - AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults])) + [AS_HELP_STRING([--disable-globalcfg], + [if the global config file firejail.config is not present, continue the program using defaults])]) AS_IF([test "x$enable_globalcfg" != "xno"], [ HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" - AC_SUBST(HAVE_GLOBALCFG) ]) HAVE_NETWORK="" +AC_SUBST([HAVE_NETWORK]) AC_ARG_ENABLE([network], - AS_HELP_STRING([--disable-network], [disable network])) + [AS_HELP_STRING([--disable-network], [disable network])]) AS_IF([test "x$enable_network" != "xno"], [ HAVE_NETWORK="-DHAVE_NETWORK" - AC_SUBST(HAVE_NETWORK) ]) HAVE_USERNS="" +AC_SUBST([HAVE_USERNS]) AC_ARG_ENABLE([userns], - AS_HELP_STRING([--disable-userns], [disable user namespace])) + [AS_HELP_STRING([--disable-userns], [disable user namespace])]) AS_IF([test "x$enable_userns" != "xno"], [ HAVE_USERNS="-DHAVE_USERNS" - AC_SUBST(HAVE_USERNS) ]) HAVE_X11="" +AC_SUBST([HAVE_X11]) AC_ARG_ENABLE([x11], - AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support])) + [AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support])]) AS_IF([test "x$enable_x11" != "xno"], [ HAVE_X11="-DHAVE_X11" - AC_SUBST(HAVE_X11) ]) HAVE_FILE_TRANSFER="" +AC_SUBST([HAVE_FILE_TRANSFER]) AC_ARG_ENABLE([file-transfer], - AS_HELP_STRING([--disable-file-transfer], [disable file transfer])) + [AS_HELP_STRING([--disable-file-transfer], [disable file transfer])]) AS_IF([test "x$enable_file_transfer" != "xno"], [ HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" - AC_SUBST(HAVE_FILE_TRANSFER) -]) - -HAVE_WHITELIST="" -AC_ARG_ENABLE([whitelist], - AS_HELP_STRING([--disable-whitelist], [disable whitelist])) -AS_IF([test "x$enable_whitelist" != "xno"], [ - HAVE_WHITELIST="-DHAVE_WHITELIST" - AC_SUBST(HAVE_WHITELIST) ]) HAVE_SUID="" +AC_SUBST([HAVE_SUID]) AC_ARG_ENABLE([suid], - AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])) -AS_IF([test "x$enable_suid" = "xno"], - [HAVE_SUID="no"], - [HAVE_SUID="yes"] -) -AC_SUBST(HAVE_SUID) + [AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])]) +AS_IF([test "x$enable_suid" != "xno"], [ + HAVE_SUID="-DHAVE_SUID" +]) HAVE_FATAL_WARNINGS="" +AC_SUBST([HAVE_FATAL_WARNINGS]) AC_ARG_ENABLE([fatal_warnings], - AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) + [AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])]) AS_IF([test "x$enable_fatal_warnings" = "xyes"], [ HAVE_FATAL_WARNINGS="-W -Wall -Werror" - AC_SUBST(HAVE_FATAL_WARNINGS) ]) BUSYBOX_WORKAROUND="no" +AC_SUBST([BUSYBOX_WORKAROUND]) AC_ARG_ENABLE([busybox-workaround], - AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])) + [AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])]) AS_IF([test "x$enable_busybox_workaround" = "xyes"], [ BUSYBOX_WORKAROUND="yes" - AC_SUBST(BUSYBOX_WORKAROUND) ]) - HAVE_GCOV="" +AC_SUBST([HAVE_GCOV]) AC_ARG_ENABLE([gcov], - AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) + [AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])]) AS_IF([test "x$enable_gcov" = "xyes"], [ - HAVE_GCOV="--coverage -DHAVE_GCOV " - EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage " - AC_SUBST(HAVE_GCOV) + HAVE_GCOV="--coverage -DHAVE_GCOV" + EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage" + LIBS="$LIBS -lgcov" ]) HAVE_CONTRIB_INSTALL="yes" +AC_SUBST([HAVE_CONTRIB_INSTALL]) AC_ARG_ENABLE([contrib-install], - AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])) -AS_IF([test "x$enable_contrib_install" = "xno"], - [HAVE_CONTRIB_INSTALL="no"], - [HAVE_CONTRIB_INSTALL="yes"] -) -AC_SUBST(HAVE_CONTRIB_INSTALL) + [AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])]) +AS_IF([test "x$enable_contrib_install" = "xno"], [ + HAVE_CONTRIB_INSTALL="no" +]) HAVE_FORCE_NONEWPRIVS="" +AC_SUBST([HAVE_FORCE_NONEWPRIVS]) AC_ARG_ENABLE([force-nonewprivs], - AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])) + [AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])]) AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [ HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" - AC_SUBST(HAVE_FORCE_NONEWPRIVS) +]) + +HAVE_ONLY_SYSCFG_PROFILES="" +AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES]) +AC_ARG_ENABLE([only-syscfg-profiles], + [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])]) +AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [ + HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" ]) HAVE_LTS="" +AC_SUBST([HAVE_LTS]) AC_ARG_ENABLE([lts], - AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])) + [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])]) AS_IF([test "x$enable_lts" = "xyes"], [ HAVE_LTS="-DHAVE_LTS" - AC_SUBST(HAVE_LTS) - + HAVE_IDS="" HAVE_DBUSPROXY="" - AC_SUBST(HAVE_DBUSPROXY) - HAVE_OVERLAYFS="" - AC_SUBST(HAVE_OVERLAYFS) - HAVE_OUTPUT="" - AC_SUBST(HAVE_OUTPUT) - HAVE_USERTMPFS="" - AC_SUBST(HAVE_USERTMPFS) - HAVE_MAN="-DHAVE_MAN" - AC_SUBST(HAVE_MAN) - HAVE_FIRETUNNEL="" - AC_SUBST(HAVE_FIRETUNNEL) - - HAVE_PRIVATEHOME="" - AC_SUBST(HAVE_PRIVATE_HOME) - + HAVE_PRIVATE_HOME="" HAVE_CHROOT="" - AC_SUBST(HAVE_CHROOT) - HAVE_GLOBALCFG="" - AC_SUBST(HAVE_GLOBALCFG) - HAVE_USERNS="" - AC_SUBST(HAVE_USERNS) - HAVE_X11="" - AC_SUBST(HAVE_X11) - HAVE_FILE_TRANSFER="" - AC_SUBST(HAVE_FILE_TRANSFER) - - HAVE_SUID="yes" - AC_SUBST(HAVE_SUID) - + HAVE_SUID="-DHAVE_SUID" BUSYBOX_WORKAROUND="no" - AC_SUBST(BUSYBOX_WORKAROUND) - - HAVE_CONTRIB_INSTALL="no", - AC_SUBST(HAVE_CONTRIB_INSTALL) + HAVE_CONTRIB_INSTALL="no" ]) - - - -# checking pthread library -AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([ POSIX thread support not installed ])) -AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([ POSIX thread support not installed ])) -AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([ SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ])) +AC_CHECK_HEADER([linux/seccomp.h], [], + [AC_MSG_ERROR([ SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ])]) # set sysconfdir if test "$prefix" = /usr; then test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" fi -AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) -AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ -src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ -src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ -src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ -src/jailcheck/Makefile]) +AC_CONFIG_FILES([config.mk config.sh]) AC_OUTPUT cat <<EOF -Configuration options: +Compile options: + CC: $CC + CFLAGS: $CFLAGS + LDFLAGS: $LDFLAGS + EXTRA_CFLAGS: $EXTRA_CFLAGS + EXTRA_LDFLAGS: $EXTRA_LDFLAGS + LIBS: $LIBS + fatal warnings: $HAVE_FATAL_WARNINGS + gcov instrumentation: $HAVE_GCOV + install as a SUID executable: $HAVE_SUID + install contrib scripts: $HAVE_CONTRIB_INSTALL prefix: $prefix sysconfdir: $sysconfdir + Spectre compiler patch: $HAVE_SPECTRE + +Features: + allow tmpfs as regular user: $HAVE_USERTMPFS + always enforce filters: $HAVE_FORCE_NONEWPRIVS apparmor: $HAVE_APPARMOR - SELinux labeling support: $HAVE_SELINUX - global config: $HAVE_GLOBALCFG + busybox workaround: $BUSYBOX_WORKAROUND chroot: $HAVE_CHROOT - network: $HAVE_NETWORK - user namespace: $HAVE_USERNS - X11 sandboxing support: $HAVE_X11 - whitelisting: $HAVE_WHITELIST - private home support: $HAVE_PRIVATE_HOME - file transfer support: $HAVE_FILE_TRANSFER - overlayfs support: $HAVE_OVERLAYFS DBUS proxy support: $HAVE_DBUSPROXY - allow tmpfs as regular user: $HAVE_USERTMPFS - enable --ouput logging: $HAVE_OUTPUT - Manpage support: $HAVE_MAN + disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES + enable --output logging: $HAVE_OUTPUT + file transfer support: $HAVE_FILE_TRANSFER firetunnel support: $HAVE_FIRETUNNEL - busybox workaround: $BUSYBOX_WORKAROUND - Spectre compiler patch: $HAVE_SPECTRE - EXTRA_LDFLAGS: $EXTRA_LDFLAGS - EXTRA_CFLAGS: $EXTRA_CFLAGS - fatal warnings: $HAVE_FATAL_WARNINGS - Gcov instrumentation: $HAVE_GCOV - Install contrib scripts: $HAVE_CONTRIB_INSTALL - Install as a SUID executable: $HAVE_SUID + global config: $HAVE_GLOBALCFG + IDS support: $HAVE_IDS LTS: $HAVE_LTS - Always enforce filters: $HAVE_FORCE_NONEWPRIVS + manpage support: $HAVE_MAN + network: $HAVE_NETWORK + overlayfs support: $HAVE_OVERLAYFS + private home support: $HAVE_PRIVATE_HOME + SELinux labeling support: $HAVE_SELINUX + user namespace: $HAVE_USERNS + X11 sandboxing support: $HAVE_X11 EOF if test "$HAVE_LTS" = -DHAVE_LTS; then cat <<\EOF - - ******************************************************** * Warning: Long-term support (LTS) was enabled! * -* Most compile-time options have bean rewritten! * +* Most compile-time options have been rewritten! * ********************************************************* - EOF fi
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fix_private-bin.py ^
@@ -164,7 +164,7 @@ def main() -> None: - """The main function. Parses the commandline args, shows messages and calles the function actually doing the work.""" + """The main function. Parses the commandline args, shows messages and calls the function actually doing the work.""" if len(sys.argv) > 2 or (len(sys.argv) == 2 and (sys.argv[1] == "-h" or sys.argv[1] == "--help")): printHelp()
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fj-mkdeb.py ^
@@ -1,49 +1,39 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 -# This script automates the workaround for https://github.com/netblue30/firejail/issues/772 +# This script automates the creation of a .deb package. It was originally +# created to work around https://github.com/netblue30/firejail/issues/772 -import os, shlex, subprocess, sys +import os, subprocess, sys def run(srcdir, args): if srcdir: os.chdir(srcdir) - if not (os.path.isfile('./mkdeb.sh.in')): + if not (os.path.isfile('./mkdeb.sh')): print('Error: Not a firejail source tree? Exiting.') return 1 - dry_run = False - escaped_args = [] - # We need to modify the list as we go. So be sure to copy the list to be iterated! + # Ignore unsupported arguments. for a in args[:]: if a.startswith('--prefix'): # prefix should ALWAYS be /usr here. Discard user-set values args.remove(a) - elif a == '--only-fix-mkdeb': - # for us, not configure - dry_run = True - args.remove(a) - else: - escaped_args.append(shlex.quote(a)) - # Run configure to generate mkdeb.sh. + # Run configure to generate config.sh. first_config = subprocess.call(['./configure', '--prefix=/usr'] + args) if first_config != 0: return first_config - # Fix up dynamically-generated mkdeb.sh to include custom configure options. - with open('mkdeb.sh', 'rb') as f: - sh = str(f.read(), 'utf_8') - with open('mkdeb.sh', 'wb') as f: - f.write(bytes(sh.replace('./configure $CONFIG_ARGS', - './configure $CONFIG_ARGS ' + (' '.join(escaped_args))), 'utf_8')) - - if dry_run: return 0 + # Create the dist file used by mkdeb.sh. + make_dist = subprocess.call(['make', 'dist']) + if make_dist != 0: + return make_dist - return subprocess.call(['make', 'deb']) + # Run mkdeb.sh with the custom configure options. + return subprocess.call(['./mkdeb.sh'] + args) if __name__ == '__main__': @@ -51,13 +41,12 @@ print('''Build a .deb of firejail with custom configure options usage: -{script} [--fj-src=SRCDIR] [--only-fix-mkdeb] [CONFIGURE_OPTIONS [...]] +{script} [--fj-src=SRCDIR] [CONFIGURE_OPTIONS [...]] --fj-src=SRCDIR: manually specify the location of firejail source tree as SRCDIR. If not specified, looks in the parent directory of the directory where this script is located, and then the current working directory, in that order. - --only-fix-mkdeb: don't run configure or make after modifying mkdeb.sh CONFIGURE_OPTIONS: arguments for configure '''.format(script=sys.argv[0])) sys.exit(0) @@ -73,9 +62,9 @@ if not (srcdir): # srcdir not manually specified, try to auto-detect srcdir = os.path.dirname(os.path.abspath(sys.argv[0] + '/..')) - if not (os.path.isfile(srcdir + '/mkdeb.sh.in')): + if not (os.path.isfile(srcdir + '/mkdeb.sh')): # Script is probably installed. Check the cwd. - if os.path.isfile('./mkdeb.sh.in'): + if os.path.isfile('./mkdeb.sh'): srcdir = None else: print(
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fjclip.py ^
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 import sys
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fjdisplay.py ^
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 import re
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/fjresize.py ^
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 import sys
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/gdb-firejail.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set -x @@ -17,8 +17,8 @@ else # First argument is not named firejail, then add default unless environment # variable already set. - set -- ${FIREJAIL:=$(which firejail)} "$@" + set -- ${FIREJAIL:=$(command -v firejail)} "$@" fi bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & -sudo gdb -e "$FIREJAIL" -p "$!" +sudo gdb -e "$FIREJAIL" -p "$!"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/gtksourceview-5/language-specs/firejail-profile.lang ^
@@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- vim: set ts=2 sts=2 sw=2 et: --> +<!-- + https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md + https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-reference.md +--> +<language id="firejail-profile" name="Firejail Profile" version="2.0" _section="Other"> + <metadata> + <property name="mimetypes">text/plain;text/x-firejail-profile</property> + <property name="globs">.profile;.local;*.inc</property> + <property name="line-comment-start">#</property> + </metadata> + + <styles> + <style id="comment" name="Comment" map-to="def:comment"/> + <style id="condition" name="Condition" map-to="def:preprocessor"/> + <style id="command" name="Command" map-to="def:keyword"/> + <style id="invalid" name="Invalid" map-to="def:error"/> + </styles> + + <definitions> + <define-regex id="commands-with-arguments" extended="true"> + (apparmor\|bind\|blacklist-nolog\|blacklist\|caps.drop\|caps.keep\|cpu\|dbus-system.broadcast\|dbus-system.call\|dbus-system.own\|dbus-system.see\|dbus-system.talk\|dbus-system\|dbus-user.broadcast\|dbus-user.call\|dbus-user.own\|dbus-user.see\|dbus-user.talk\|dbus-user\|defaultgw\|dns\|env\|hostname\|hosts-file\|ignore\|include\|ip6\|ip\|iprange\|join-or-start\|keep-fd\|mac\|mkdir\|mkfile\|mtu\|name\|net\|netfilter6\|netfilter\|netmask\|netns\|nice\|noblacklist\|noexec\|nowhitelist\|overlay-named\|private-bin\|private-cwd\|private-etc\|private-home\|private-lib\|private-opt\|private-srv\|private\|protocol\|read-only\|read-write\|restrict-namespaces\|rlimit-as\|rlimit-cpu\|rlimit-fsize\|rlimit-nofile\|rlimit-nproc\|rlimit-sigpending\|rlimit\|rmenv\|seccomp-error-action\|seccomp.32.drop\|seccomp.32.keep\|seccomp.32\|seccomp.drop\|seccomp.keep\|seccomp\|shell\|timeout\|tmpfs\|veth-name\|whitelist-ro\|whitelist\|x11\|xephyr-screen) + </define-regex> + + <define-regex id="commands-without-arguments" extended="true"> + (allow-debuggers\|allusers\|apparmor\|caps\|deterministic-exit-code\|deterministic-shutdown\|disable-mnt\|ipc-namespace\|keep-config-pulse\|keep-dev-shm\|keep-fd\|keep-var-tmp\|machine-id\|memory-deny-write-execute\|netfilter\|no3d\|noautopulse\|nodbus\|nodvd\|nogroups\|noinput\|nonewprivs\|noprinters\|noroot\|nosound\|notv\|nou2f\|novideo\|overlay-tmpfs\|overlay\|private-cache\|private-cwd\|private-dev\|private-lib\|private-tmp\|private\|quiet\|restrict-namespaces\|seccomp.32\|seccomp.block-secondary\|seccomp\|tab\|tracelog\|writable-etc\|writable-run-user\|writable-var-log\|writable-var\|x11) + </define-regex> + + <define-regex id="conditions" extended="true"> + (ALLOW_TRAY\|BROWSER_ALLOW_DRM\|BROWSER_DISABLE_U2F\|HAS_APPIMAGE\|HAS_NET\|HAS_NODBUS\|HAS_NOSOUND\|HAS_X11) + </define-regex> + + <context id="conditional-line"> + <match>\?(?P<condition>\%{conditions}): </match> + <include> + <context sub-pattern="condition" style-ref="condition"/> + </include> + </context> + + <context id="command-with-args"> + <match>(?P<command>\%{commands-with-arguments}) (?P<args>.+)</match> + <include> + <context sub-pattern="command" style-ref="command"/> + </include> + </context> + + <context id="command-without-args"> + <match dupnames="true">(?P<command>\%{commands-without-arguments})</match> + <include> + <context sub-pattern="command" style-ref="command"/> + </include> + </context> + + <context id="invalid" style-ref="invalid"> + <match>.+</match> + </context> + + <context id="firejail-profile" class="no-spell-check"> + <include> + <context ref="def:shell-like-comment"/> + <context ref="conditional-line"/> + <context ref="command-with-args"/> + <context ref="command-without-args"/> + <context ref="invalid"/> + </include> + </context> + </definitions> +</language>
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/jail_prober.py ^
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 """ Figure out which profile options may be causing a particular program to break
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/sort.py ^
@@ -1,49 +1,62 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 -""" -Sort the items of multi-item options in profiles, the following options are supported: - private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol -Usage: - $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ] +# Requirements: +# python >= 3.6 +from os import path +from sys import argv, exit as sys_exit, stderr + +__doc__ = f"""\ +Sort the arguments of commands in profiles. + +Usage: {path.basename(argv[0])} [/path/to/profile ...] + +The following commands are supported: + + private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, + seccomp.drop, protocol + +Note that this is only applicable to commands that support multiple arguments. + Keep in mind that this will overwrite your profile(s). Examples: - $ ./sort.py MyAwesomeProfile.profile - $ ./sort.py new_profile.profile second_new_profile.profile - $ ./sort.py ~/.config/firejail/.{profile,inc,local} - $ sudo ./sort.py /etc/firejail/.{profile,inc,local} - -Exit-Codes: - 0: No Error; No Profile Fixed. - 1: Error, one or more profiles were not processed correctly. - 101: No Error; One or more profile were fixed. + $ {argv[0]} MyAwesomeProfile.profile + $ {argv[0]} new_profile.profile second_new_profile.profile + $ {argv[0]} ~/.config/firejail/.{{profile,inc,local}} + $ sudo {argv[0]} /etc/firejail/.{{profile,inc,local}} + +Exit Codes: + 0: Success: No profiles needed fixing. + 1: Error: One or more profiles could not be processed correctly. + 2: Error: Missing arguments. + 101: Info: One or more profiles were fixed. """ -# Requirements: -# python >= 3.6 -from sys import argv - -def sort_alphabetical(raw_items): - items = raw_items.split(",") - items.sort(key=lambda s: s.casefold()) +def sort_alphabetical(original_items): + items = original_items.split(",") + items.sort(key=str.casefold) return ",".join(items) -def sort_protocol(protocols): - """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" +def sort_protocol(original_protocols): + """ + Sort the given protocols into the following order: + + unix,inet,inet6,netlink,packet,bluetooth + """ # shortcut for common protocol lines - if protocols in ("unix", "unix,inet,inet6"): - return protocols + if original_protocols in ("unix", "unix,inet,inet6"): + return original_protocols fixed_protocols = "" for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): for prefix in ("", "-", "+", "="): - if f",{prefix}{protocol}," in f",{protocols},": + if f",{prefix}{protocol}," in f",{original_protocols},": fixed_protocols += f"{prefix}{protocol}," return fixed_protocols[:-1] @@ -53,7 +66,7 @@ lines = profile.read().split("\n") was_fixed = False fixed_profile = [] - for lineno, line in enumerate(lines): + for lineno, line in enumerate(lines, 1): if line[:12] in ("private-bin ", "private-etc ", "private-lib "): fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" elif line[:13] in ("seccomp.drop ", "seccomp.keep "): @@ -69,8 +82,8 @@ if fixed_line != line: was_fixed = True print( - f"{filename}:{lineno + 1}:-{line}\n" - f"{filename}:{lineno + 1}:+{fixed_line}" + f"{filename}:{lineno}:-{line}\n" + f"{filename}:{lineno}:+{fixed_line}" ) fixed_profile.append(fixed_line) if was_fixed: @@ -84,25 +97,33 @@ def main(args): + if len(args) < 1: + print(__doc__, file=stderr) + return 2 + + print(f"sort.py: checking {len(args)} profile(s)...") + exit_code = 0 - print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...") for filename in args: try: if exit_code not in (1, 101): exit_code = fix_profile(filename) else: fix_profile(filename) - except FileNotFoundError: - print(f"[ Error ] Can't find `{filename}'") + except FileNotFoundError as err: + print(f"[ Error ] {err}", file=stderr) exit_code = 1 - except PermissionError: - print(f"[ Error ] Can't read/write `{filename}'") + except PermissionError as err: + print(f"[ Error ] {err}", file=stderr) exit_code = 1 except Exception as err: - print(f"[ Error ] An error occurred while processing `{filename}': {err}") + print( + f"[ Error ] An error occurred while processing '{filename}': {err}", + file=stderr, + ) exit_code = 1 return exit_code if __name__ == "__main__": - exit(main(argv[1:])) + sys_exit(main(argv[1:]))
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/syscalls.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/update_deb.sh ^
@@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # Purpose: Fetch, compile, and install firejail from GitHub source. For @@ -9,15 +9,13 @@ git clone --depth=1 https://github.com/netblue30/firejail.git cd firejail -./configure --enable-apparmor --prefix=/usr +./configure # Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916920 -sed -i \ - -e "s/# cgroup ./cgroup no/" \ - -e "s/# restricted-network ./restricted-network yes/" \ +sed -i "s/# restricted-network ./restricted-network yes/" \ etc/firejail.config -make deb +make deb-apparmor sudo dpkg -i firejail.deb echo "Firejail updated." cd ..
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/contrib/vim/syntax/firejail.vim ^
@@ -17,18 +17,21 @@ syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained syn match fjCapabilityList /,/ nextgroup=fjCapability contained +syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained +syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained + syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained syn match fjProtocolList /,/ nextgroup=fjProtocol contained " Syscalls grabbed from: src/include/syscall.h -" Generate list with: sed -ne 's/{\s\+"$[^"]\+$",.},/\1/p' src/include/syscall.h \| sort -u \| tr $'\n' ' ' +" Generate list with: sed -n 's/{\s\+"$[^"]\+$",.},/\1/p' src/include/syscall.h \| sort -u \| tr '\n' ' ' syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained " Syscall groups grabbed from: src/fseccomp/syscall.c -" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c \| sort -u \| tr $'\n' '\|' +" Generate list with: sed -En 's/."@([^",]+)./\1/p' src/lib/syscall.c \| sort -u \| tr '\n' '\|' syn match fjSyscall /\v\@(aio\|basic-io\|chown\|clock\|cpu-emulation\|debug\|default\|default-keep\|default-nodebuggers\|file-system\|io-event\|ipc\|keyring\|memlock\|module\|mount\|network-io\|obsolete\|privileged\|process\|raw-io\|reboot\|resources\|setuid\|signal\|swap\|sync\|system-service\|timer)>/ nextgroup=fjSyscallErrno contained syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained " Errnos grabbed from: src/fseccomp/errno.c -" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c \| sort -u \| tr $'\n' '\|' +" Generate list with: sed -En 's/."(E[^"]+)./\1/p' src/lib/errno.c \| sort -u \| tr '\n' '\|' syn match fjSyscallErrno /\v(:(E2BIG\|EACCES\|EADDRINUSE\|EADDRNOTAVAIL\|EADV\|EAFNOSUPPORT\|EAGAIN\|EALREADY\|EBADE\|EBADF\|EBADFD\|EBADMSG\|EBADR\|EBADRQC\|EBADSLT\|EBFONT\|EBUSY\|ECANCELED\|ECHILD\|ECHRNG\|ECOMM\|ECONNABORTED\|ECONNREFUSED\|ECONNRESET\|EDEADLK\|EDEADLOCK\|EDESTADDRREQ\|EDOM\|EDOTDOT\|EDQUOT\|EEXIST\|EFAULT\|EFBIG\|EHOSTDOWN\|EHOSTUNREACH\|EHWPOISON\|EIDRM\|EILSEQ\|EINPROGRESS\|EINTR\|EINVAL\|EIO\|EISCONN\|EISDIR\|EISNAM\|EKEYEXPIRED\|EKEYREJECTED\|EKEYREVOKED\|EL2HLT\|EL2NSYNC\|EL3HLT\|EL3RST\|ELIBACC\|ELIBBAD\|ELIBEXEC\|ELIBMAX\|ELIBSCN\|ELNRNG\|ELOOP\|EMEDIUMTYPE\|EMFILE\|EMLINK\|EMSGSIZE\|EMULTIHOP\|ENAMETOOLONG\|ENAVAIL\|ENETDOWN\|ENETRESET\|ENETUNREACH\|ENFILE\|ENOANO\|ENOATTR\|ENOBUFS\|ENOCSI\|ENODATA\|ENODEV\|ENOENT\|ENOEXEC\|ENOKEY\|ENOLCK\|ENOLINK\|ENOMEDIUM\|ENOMEM\|ENOMSG\|ENONET\|ENOPKG\|ENOPROTOOPT\|ENOSPC\|ENOSR\|ENOSTR\|ENOSYS\|ENOTBLK\|ENOTCONN\|ENOTDIR\|ENOTEMPTY\|ENOTNAM\|ENOTRECOVERABLE\|ENOTSOCK\|ENOTSUP\|ENOTTY\|ENOTUNIQ\|ENXIO\|EOPNOTSUPP\|EOVERFLOW\|EOWNERDEAD\|EPERM\|EPFNOSUPPORT\|EPIPE\|EPROTO\|EPROTONOSUPPORT\|EPROTOTYPE\|ERANGE\|EREMCHG\|EREMOTE\|EREMOTEIO\|ERESTART\|ERFKILL\|EROFS\|ESHUTDOWN\|ESOCKTNOSUPPORT\|ESPIPE\|ESRCH\|ESRMNT\|ESTALE\|ESTRPIPE\|ETIME\|ETIMEDOUT\|ETOOMANYREFS\|ETXTBSY\|EUCLEAN\|EUNATCH\|EUSERS\|EWOULDBLOCK\|EXDEV\|EXFULL)>)?/ nextgroup=fjSyscallList contained syn match fjSyscallList /,/ nextgroup=fjSyscall contained @@ -44,18 +47,19 @@ syn keyword fjFilter filter contained " Variable names grabbed from: src/firejail/macros.c -" Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c \| sort -u \| tr $'\n' '\|' +" Generate list with: sed -En 's/.\$\{([^}]+)\}./\1/p' src/firejail/macros.c \| sort -u \| tr '\n' '\|' syn match fjVar /\v\$\{(CFG\|DESKTOP\|DOCUMENTS\|DOWNLOADS\|HOME\|MUSIC\|PATH\|PICTURES\|RUNUSER\|VIDEOS)}/ " Commands grabbed from: src/firejail/profile.c -" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } \| grep -vEx '(include\|ignore\|caps\.drop\|caps\.keep\|protocol\|seccomp\|seccomp\.drop\|seccomp\.keep\|env\|rmenv\|net\|ip)' \| sort -u \| tr $'\n' '\|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) -syn match fjCommand /\v(bind\|blacklist\|blacklist-nolog\|cgroup\|cpu\|defaultgw\|dns\|hostname\|hosts-file\|ip6\|iprange\|join-or-start\|mac\|mkdir\|mkfile\|mtu\|name\|netfilter\|netfilter6\|netmask\|nice\|noblacklist\|noexec\|nowhitelist\|overlay-named\|private\|private-bin\|private-cwd\|private-etc\|private-home\|private-lib\|private-opt\|private-srv\|read-only\|read-write\|rlimit-as\|rlimit-cpu\|rlimit-fsize\|rlimit-nofile\|rlimit-nproc\|rlimit-sigpending\|timeout\|tmpfs\|veth-name\|whitelist\|xephyr-screen) / skipwhite contained -" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "][^ ])"' -r '$1' src/firejail/profile.c \| grep -vEx '(include\|rlimit\|quiet)' \| sed -e 's/\./\\./' \| sort -u \| tr $'\n' '\|' # include/rlimit are false positives, quiet is special-cased below -syn match fjCommand /\v(allow-debuggers\|allusers\|apparmor\|caps\|disable-mnt\|ipc-namespace\|keep-config-pulse\|keep-dev-shm\|keep-var-tmp\|machine-id\|memory-deny-write-execute\|netfilter\|no3d\|noautopulse\|nodbus\|nodvd\|nogroups\|noinput\|nonewprivs\|noroot\|nosound\|notv\|nou2f\|novideo\|overlay\|overlay-tmpfs\|private\|private-cache\|private-cwd\|private-dev\|private-lib\|private-tmp\|seccomp\|seccomp\.32\|seccomp\.block-secondary\|tracelog\|writable-etc\|writable-run-user\|writable-var\|writable-var-log\|x11)$/ contained +" Generate list with: { sed -En 's/.strn?cmp\(ptr, "([^"]+) "./\1/p' src/firejail/profile.c; echo private-lib; } \| grep -Ev '^(include\|ignore\|caps\.drop\|caps\.keep\|protocol\|restrict-namespaces\|seccomp\|seccomp\.drop\|seccomp\.keep\|env\|rmenv\|net\|ip)$' \| sort -u \| tr '\n' '\|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) +syn match fjCommand /\v(apparmor\|bind\|blacklist\|blacklist-nolog\|cpu\|defaultgw\|dns\|hostname\|hosts-file\|ip6\|iprange\|join-or-start\|mac\|mkdir\|mkfile\|mtu\|name\|netfilter\|netfilter6\|netmask\|nice\|noblacklist\|noexec\|nowhitelist\|overlay-named\|private\|private-bin\|private-cwd\|private-etc\|private-home\|private-lib\|private-opt\|private-srv\|read-only\|read-write\|rlimit-as\|rlimit-cpu\|rlimit-fsize\|rlimit-nofile\|rlimit-nproc\|rlimit-sigpending\|timeout\|tmpfs\|veth-name\|whitelist\|xephyr-screen) / skipwhite contained +" Generate list with: sed -En 's/.strn?cmp\(ptr, "([^ "][^ ])"./\1/p' src/firejail/profile.c \| grep -Ev '^(include\|rlimit\|quiet)$' \| sed 's/\./\\./' \| sort -u \| tr '\n' '\|' # include/rlimit are false positives, quiet is special-cased below +syn match fjCommand /\v(allow-debuggers\|allusers\|apparmor\|caps\|deterministic-exit-code\|deterministic-shutdown\|disable-mnt\|ipc-namespace\|keep-config-pulse\|keep-dev-shm\|keep-fd\|keep-var-tmp\|machine-id\|memory-deny-write-execute\|netfilter\|no3d\|noautopulse\|nodbus\|nodvd\|nogroups\|noinput\|nonewprivs\|noprinters\|noroot\|nosound\|notv\|nou2f\|novideo\|overlay\|overlay-tmpfs\|private\|private-cache\|private-cwd\|private-dev\|private-lib\|private-tmp\|seccomp\|seccomp\.32\|seccomp\.block-secondary\|tracelog\|writable-etc\|writable-run-user\|writable-var\|writable-var-log\|x11)$/ contained syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained +syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained syn match fjCommand /\vseccomp(\.32)?(\.drop\|\.keep)? / nextgroup=fjSyscall skipwhite contained syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained @@ -71,8 +75,8 @@ syn match fjCommandNoCond /quiet$/ contained " Conditionals grabbed from: src/firejail/profile.c -" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t\{"[^"]+"./ { if (process) {print gensub(/^\t\{"([^"]+)".$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c \| sort -u \| tr $'\n' '\|' -syn match fjConditional /\v\?(BROWSER_ALLOW_DRM\|BROWSER_DISABLE_U2F\|HAS_APPIMAGE\|HAS_NET\|HAS_NODBUS\|HAS_NOSOUND\|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained +" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t\{"[^"]+"./ { if (process) {print gensub(/^\t\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c \| sort -u \| tr '\n' '\|' +syn match fjConditional /\v\?(ALLOW_TRAY\|BROWSER_ALLOW_DRM\|BROWSER_DISABLE_U2F\|HAS_APPIMAGE\|HAS_NET\|HAS_NODBUS\|HAS_NOSOUND\|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained " A line is either a command, a conditional or a comment syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc-fixes/0.9.58/atom.profile ^
@@ -1,4 +1,3 @@ - # Firejail profile for atom # Description: A hackable text editor for the 21st Century # This file is overwritten after every install/update
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc-fixes/seccomp-join-bug/README ^
@@ -8,4 +8,3 @@ The original discussion thread: https://github.com/netblue30/firejail/issues/2718 The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 -
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/apparmor/firejail-base ^
@@ -0,0 +1,27 @@ +######################################### +# Firejail base abstraction drop-in +# +# Adds basic Firejail support to AppArmor profiles. +# Please note: Firejail's nonewprivs and seccomp options +# are not compatible with AppArmor profile transitions. +# Also there is no support for Firejail chroot options. +######################################### + +# Discovery of process names +owner /proc/@{pid}/comm r, + +########## +# Following paths only exist inside a Firejail sandbox +########## + +# Library preloading +/{,var/}run/firejail/lib/*.so mr, + +# Supporting seccomp +owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r, + +# Supporting trace +owner /{,var/}run/firejail/mnt/trace w, + +# Supporting tracelog +/{,var/}run/firejail/mnt/fslogger r,
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/apparmor/firejail-default ^
@@ -33,6 +33,7 @@ #ptrace, # Allow obtaining some process information, but not ptrace(2) ptrace (read,readby) peer=@{profile_name}, +ptrace (read,readby) peer=@{profile_name}//&unconfined, ########## # Allow read access to whole filesystem and control it from firejail. @@ -67,6 +68,9 @@ # Allow access to cups printing socket. /{,var/}run/cups/cups.sock w, +# Allow access to avahi-daemon socket. +/{,var/}run/avahi-daemon/socket w, + # Allow access to pcscd socket (smartcards) /{,var/}run/pcscd/pcscd.comm w, @@ -120,6 +124,7 @@ ########## # There is no equivalent in Firejail for filtering signals. ########## +signal (send) peer=@{profile_name}//&unconfined, signal (send) peer=@{profile_name}, signal (receive), @@ -129,7 +134,7 @@ ########## # The list of recognized capabilities varies from one apparmor version to another. # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available -# We allow all caps by default and remove the ones we don't like: +# We allow all caps by default and remove the ones we don't like: capability, deny capability audit_write, deny capability audit_control,
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/apparmor/firejail-local ^
@@ -8,8 +8,17 @@ #owner @HOME/bin/ ix #owner @HOME/.local/bin/ ix +# Uncomment to opt-in to apparmor for brave + ipfs +#owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp//* ix, + # Uncomment to opt-in to apparmor for brave + tor #owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp//* ix, +# Uncomment to opt-in to apparmor for firefox DRM (gmp-widevinecdm) +#owner @{HOME}/.mozilla/firefox//gm/ ix, + +# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME} +#owner @{HOME}/.mozilla/native-messaging-hosts/ ix, + # Uncomment to opt-in to apparmor for torbrowser-launcher #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_/Browser/* ix,
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/firejail.config ^
@@ -2,6 +2,10 @@ # keyword-argument pairs, one per line. Most features are enabled by default. # Use 'yes' or 'no' as configuration values. +# Allow programs to display a tray icon (warning: allows escaping the sandbox; +# see https://github.com/netblue30/firejail/discussions/4053) +# allow-tray no + # Enable AppArmor functionality, default enabled. # apparmor yes @@ -21,11 +25,8 @@ # Disable U2F in browsers, default enabled. # browser-disable-u2f yes -# Enable or disable cgroup support, default enabled. -# cgroup yes - -# Enable or disable chroot support, default enabled. -# chroot yes +# Enable or disable chroot support, default disabled +# chroot no # Enable or disable dbus handling, default enabled. # dbus yes @@ -56,6 +57,11 @@ # to the specified period of time to allow sandbox setup to finish. # join-timeout 5 +# tracelog enables auditing blacklisted files and directories. A message +# is sent to syslog in case the file or the directory is accessed. +# Disabled by default. +# tracelog no + # Enable or disable sandbox name change, default enabled. # name-change yes @@ -63,7 +69,7 @@ # a file argument, the default filter is hardcoded (see man 1 firejail). This # configuration entry allows the user to change the default by specifying # a file containing the filter configuration. The filter file format is the -# format of iptables-save and iptable-restore commands. Example: +# format of iptables-save and iptables-restore commands. Example: # netfilter-default /etc/iptables.iptables.rules # Enable or disable networking features, default enabled. @@ -72,6 +78,10 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes +# Hide blacklisted files in /etc directory (enabling this may break +# /etc/resolv.conf; see #5010), default disabled. +# etc-hide-blacklisted no + # Set the limit for file copy in several --private-* options. The size is set # in megabytes. By default we allow up to 500MB. # Note: the files are copied in RAM. @@ -92,8 +102,8 @@ # Enable or disable private-home feature, default enabled # private-home yes -# Enable or disable private-lib feature, default enabled -# private-lib yes +# Enable or disable private-lib feature, default disabled +# private-lib no # Enable or disable private-opt feature, default enabled. # private-opt yes @@ -120,12 +130,15 @@ # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) # seccomp-error-action EPERM +# If seccomp subsystem in Linux kernel kills a program, a message is posted to syslog. +# Starting with Linux kernel version 4.14, it is possible to send seccomp violation messages +# even if the program is allowed to continue (see "seccomp-error-action EPERM" above). +# This logging feature is disabled by default in our implementation. +# seccomp-log no + # Enable or disable user namespace support, default enabled. # userns yes -# Enable or disable whitelisting support, default enabled. -# whitelist yes - # Disable whitelist top level directories, in addition to those # that are disabled out of the box. None by default; this is an example. # whitelist-disable-topdir /etc,/usr/etc
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/ids.config ^
@@ -0,0 +1,163 @@ +# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System +# This config file is overwritten when a new version of Firejail is installed. +# For global customization use /etc/firejail/ids.config.local. +include ids.config.local +# +# Each line is a file or directory name such as +# /usr/bin +# or +# ${HOME}/Desktop/.desktop +# +# ${HOME} is expanded to the user's home directory, and is the regular +# globbing match for zero or more characters. +# +# File or directory names starting with ! are not scanned. For example +# !${HOME}/.ssh/known_hosts +# ${HOME}/.ssh +# will scan all files in ~/.ssh directory with the exception of known_hosts + +### system executables ### +/bin +/sbin +/usr/bin +/usr/games +/usr/libexec +/usr/sbin + +### user executables ### +#/opt +#/usr/local + +### system libraries ### +#/lib +#/usr/lib +#/usr/lib32 +#/usr/lib64 +#/usr/libx32 + +### shells local ### +# bash +${HOME}/.bash_aliases +${HOME}/.bash_login +${HOME}/.bash_logout +${HOME}/.bash_profile +${HOME}/.bashrc +# fish +${HOME}/.config/fish/config.fish +# others +${HOME}/.cshrc +${HOME}/.kshrc +${HOME}/.login +${HOME}/.logout +${HOME}/.profile +${HOME}/.tcshrc +# zsh +${HOME}/.zlogin +${HOME}/.zlogout +${HOME}/.zshenv +${HOME}/.zshprofile +${HOME}/.zshrc + +# Note: This list should be kept in sync with the one in inc/disable-shell.inc. +### shells global ### +# all +/etc/dircolors +/etc/environment +/etc/profile +/etc/profile.d +/etc/shells +/etc/skel +# bash +/etc/bash +/etc/bash.bashrc +/etc/bash_completion* +/etc/bashrc +# fish +/etc/fish +# ksh +/etc/ksh.kshrc +/etc/suid_profile +# tcsh +/etc/complete.tcsh +/etc/csh.cshrc +/etc/csh.login +/etc/csh.logout +# zsh +/etc/zlogin +/etc/zlogout +/etc/zprofile +/etc/zsh +/etc/zshenv +/etc/zshrc + +### X11 ### +/etc/X11 +${HOME}/.xinitrc +${HOME}/.xmodmaprc +${HOME}/.xprofile +${HOME}/.Xresources +${HOME}/.xserverrc +${HOME}/.Xsession +${HOME}/.xsession +${HOME}/.xsessionrc + +### window/desktop manager ### +${HOME}/Desktop/.desktop +${HOME}/.config/autostart +${HOME}/.config/autostart-scripts +${HOME}/.config/lxsession/LXDE/autostart +${HOME}/.config/openbox/autostart +${HOME}/.config/openbox/environment +${HOME}/.config/plasma-workspace/env +${HOME}/.config/plasma-workspace/shutdown +${HOME}/.gnomerc +${HOME}/.gtkrc +${HOME}/.kde/Autostart +${HOME}/.kde/env +${HOME}/.kde/share/autostart +${HOME}/.kde/shutdown +${HOME}/.kde4/Autostart +${HOME}/.kde4/env +${HOME}/.kde4/share/autostart +${HOME}/.kde4/shutdown +${HOME}/.kderc +${HOME}/.local/share/autostart + +### security ### +/etc/aide +/etc/apparmor +/etc/chkrootkit.conf +/etc/cracklib +/etc/doas.conf +/etc/libaudit.conf +/etc/group* +/etc/gshadow* +/etc/pam.* +/etc/passwd* +/etc/rkhunter* +/etc/securetty +/etc/security +/etc/selinux +/etc/shadow* +/etc/sudoers* +/etc/tripwire +${HOME}/.config/firejail +${HOME}/.gnupg +${HOME}/.pam_environment + +### network security ### +/etc/ca-certificates* +/etc/hosts.* +/etc/services +/etc/snort +/etc/ssh +/etc/ssl +/etc/wireshark +!${HOME}/.ssh/known_hosts # excluding +${HOME}/.ssh +/usr/share/ca-certificates + +### system config ### +/etc/cron.* +/etc/crontab +/etc/default
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-common-devel.inc ^
@@ -8,8 +8,13 @@ noblacklist ${HOME}/.git-credentials # Java +noblacklist ${HOME}/.ammonite +noblacklist ${HOME}/.config/jgit +noblacklist ${HOME}/.g8 noblacklist ${HOME}/.gradle +noblacklist ${HOME}/.ivy2 noblacklist ${HOME}/.java +noblacklist ${HOME}/.sbt # Node.js noblacklist ${HOME}/.node-gyp @@ -27,5 +32,8 @@ noblacklist ${HOME}/.python_history noblacklist ${HOME}/.pythonhist +# Ruby +noblacklist ${HOME}/.bundle + # Rust -noblacklist ${HOME}/.cargo/* +noblacklist ${HOME}/.cargo
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-nodejs.inc ^
@@ -2,6 +2,8 @@ # Persistent customizations should go in a .local file. include allow-nodejs.local +ignore read-only ${HOME}/.nvm +noblacklist ${HOME}/.nvm noblacklist ${PATH}/node noblacklist /usr/include/node
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-opengl-game.inc ^
@@ -1,3 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-opengl-game.local + noblacklist ${PATH}/bash whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-perl.inc ^
@@ -10,3 +10,6 @@ noblacklist /usr/lib/perl* noblacklist /usr/lib64/perl* noblacklist /usr/share/perl* + +# rxvt is also blacklisted in disable-interpreters.inc +noblacklist ${PATH}/rxvt
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-ruby.inc ^
@@ -4,3 +4,4 @@ noblacklist ${PATH}/ruby noblacklist /usr/lib/ruby +noblacklist /usr/lib64/ruby
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/allow-ssh.inc ^
@@ -5,4 +5,12 @@ noblacklist ${HOME}/.ssh noblacklist /etc/ssh noblacklist /etc/ssh/ssh_config +noblacklist /etc/ssh/ssh_config.d +noblacklist ${PATH}/ssh noblacklist /tmp/ssh-* +# Arch Linux and derivatives +noblacklist /usr/lib/ssh +# Debian/Ubuntu and derivatives +noblacklist /usr/lib/openssh +# Fedora and derivatives +noblacklist /usr/libexec/openssh
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-X11.inc ^
@@ -0,0 +1,15 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include disable-X11.local + +blacklist /tmp/.X11-unix +blacklist ${HOME}/.Xauthority +blacklist ${RUNUSER}/gdm/Xauthority +blacklist ${RUNUSER}/.mutter-Xwaylandauth* +blacklist ${RUNUSER}/xauth_* +#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] +blacklist /tmp/xauth* +blacklist /tmp/.ICE-unix +blacklist ${RUNUSER}/ICEauthority +rmenv DISPLAY +rmenv XAUTHORITY
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-common.inc ^
@@ -9,14 +9,20 @@ # History files in $HOME and clipboard managers blacklist-nolog ${HOME}/._history +blacklist-nolog ${HOME}/._history_* blacklist-nolog ${HOME}/.adobe +blacklist-nolog ${HOME}/.ammonite/history blacklist-nolog ${HOME}/.cache/greenclip* +blacklist-nolog ${HOME}/.cache/mupdf.history blacklist-nolog ${HOME}/.histfile blacklist-nolog ${HOME}/.history blacklist-nolog ${HOME}/.kde/share/apps/klipper blacklist-nolog ${HOME}/.kde4/share/apps/klipper blacklist-nolog ${HOME}/.local/share/fish/fish_history +blacklist-nolog ${HOME}/.local/share/ibus-typing-booster blacklist-nolog ${HOME}/.local/share/klipper +blacklist-nolog ${HOME}/.local/share/nvim +blacklist-nolog ${HOME}/.local/state/nvim blacklist-nolog ${HOME}/.macromedia blacklist-nolog ${HOME}/.mupdf.history blacklist-nolog ${HOME}/.python-history @@ -159,20 +165,23 @@ # systemd blacklist ${HOME}/.config/systemd blacklist ${HOME}/.local/share/systemd -blacklist /var/lib/systemd +blacklist ${PATH}/systemctl blacklist ${PATH}/systemd-run blacklist ${RUNUSER}/systemd +blacklist /etc/systemd/network +blacklist /etc/systemd/system +blacklist /var/lib/systemd # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf #blacklist /var/run/systemd # openrc -blacklist /etc/runlevels/ -blacklist /etc/init.d/ +blacklist /etc/init.d blacklist /etc/rc.conf +blacklist /etc/runlevels # VirtualBox -blacklist ${HOME}/.VirtualBox blacklist ${HOME}/.config/VirtualBox +blacklist ${HOME}/.VirtualBox blacklist ${HOME}/VirtualBox VMs # GNOME Boxes @@ -242,20 +251,33 @@ blacklist /var/spool/mail # etc +blacklist /etc/adduser.conf blacklist /etc/anacrontab +blacklist /etc/apparmor* blacklist /etc/cron* -blacklist /etc/profile.d +blacklist /etc/default +blacklist /etc/dkms +blacklist /etc/grub* +blacklist /etc/kernel* +blacklist /etc/logrotate* +blacklist /etc/modules* blacklist /etc/rc.local # rc1.d, rc2.d, ... blacklist /etc/rc?.d -blacklist /etc/kernel* -blacklist /etc/grub* -blacklist /etc/dkms -blacklist /etc/apparmor* -blacklist /etc/selinux -blacklist /etc/modules* -blacklist /etc/logrotate* -blacklist /etc/adduser.conf +blacklist /etc/sysconfig + +# hide config for various intrusion detection systems +blacklist /etc/aide +blacklist /etc/aide.conf +blacklist /etc/chkrootkit.conf +blacklist /etc/fail2ban.conf +blacklist /etc/logcheck +blacklist /etc/lynis +blacklist /etc/rkhunter.* +blacklist /etc/snort +blacklist /etc/suricata +blacklist /etc/tripwire +blacklist /var/lib/rkhunter # Startup files read-only ${HOME}/.antigen @@ -305,6 +327,8 @@ # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc read-only ${HOME}/.cargo/env +read-only ${HOME}/.config/nvim +read-only ${HOME}/.config/pkcs11 read-only ${HOME}/.dotfiles read-only ${HOME}/.emacs read-only ${HOME}/.emacs.d @@ -314,6 +338,8 @@ read-only ${HOME}/.iscreenrc read-only ${HOME}/.local/lib read-only ${HOME}/.local/share/cool-retro-term +read-only ${HOME}/.local/share/nvim +read-only ${HOME}/.local/state/nvim read-only ${HOME}/.mailcap read-only ${HOME}/.msmtprc read-only ${HOME}/.mutt/muttrc @@ -335,15 +361,19 @@ read-only ${HOME}/dotfiles # Make directories commonly found in $PATH read-only +read-only ${HOME}/.bin +read-only ${HOME}/.cargo/bin read-only ${HOME}/.gem +read-only ${HOME}/.local/bin +read-only ${HOME}/.local/share/coursier/bin read-only ${HOME}/.luarocks read-only ${HOME}/.npm-packages read-only ${HOME}/.nvm -read-only ${HOME}/bin -read-only ${HOME}/.bin -read-only ${HOME}/.local/bin -read-only ${HOME}/.cargo/bin read-only ${HOME}/.rustup +read-only ${HOME}/bin + +# Write-protection for portable apps +read-only ${HOME}/Applications # used for storing AppImages # Write-protection for desktop entries read-only ${HOME}/.config/menus @@ -362,14 +392,32 @@ blacklist /tmp/ssh-* # top secret +blacklist /.fscrypt +blacklist /etc/davfs2/secrets +blacklist /etc/group+ +blacklist /etc/group- +blacklist /etc/gshadow +blacklist /etc/gshadow+ +blacklist /etc/gshadow- +blacklist /etc/passwd+ +blacklist /etc/passwd- +blacklist /etc/shadow +blacklist /etc/shadow+ +blacklist /etc/shadow- +blacklist /etc/ssh +blacklist /etc/ssh/* +blacklist /home/.ecryptfs +blacklist /home/.fscrypt blacklist ${HOME}/.kdb blacklist ${HOME}/.kdbx blacklist ${HOME}/.key +blacklist ${HOME}/Private blacklist ${HOME}/.Private blacklist ${HOME}/.caff blacklist ${HOME}/.cargo/credentials blacklist ${HOME}/.cargo/credentials.toml blacklist ${HOME}/.cert +blacklist ${HOME}/.config/hub blacklist ${HOME}/.config/keybase blacklist ${HOME}/.davfs2/secrets blacklist ${HOME}/.ecryptfs @@ -379,40 +427,37 @@ blacklist ${HOME}/.git-credentials blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/.gnupg -blacklist ${HOME}/.config/hub blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.kde4/share/apps/kwallet blacklist ${HOME}/.local/share/keyrings blacklist ${HOME}/.local/share/kwalletd +blacklist ${HOME}/.local/share/pki blacklist ${HOME}/.local/share/plasma-vault +blacklist ${HOME}/.minisign blacklist ${HOME}/.msmtprc blacklist ${HOME}/.mutt blacklist ${HOME}/.muttrc blacklist ${HOME}/.netrc blacklist ${HOME}/.nyx blacklist ${HOME}/.pki -blacklist ${HOME}/.local/share/pki blacklist ${HOME}/.smbcredentials blacklist ${HOME}/.ssh blacklist ${HOME}/.vaults -blacklist /.fscrypt -blacklist /etc/davfs2/secrets -blacklist /etc/group+ -blacklist /etc/group- -blacklist /etc/gshadow -blacklist /etc/gshadow+ -blacklist /etc/gshadow- -blacklist /etc/passwd+ -blacklist /etc/passwd- -blacklist /etc/shadow -blacklist /etc/shadow+ -blacklist /etc/shadow- -blacklist /etc/ssh -blacklist /etc/ssh/ -blacklist /home/.ecryptfs -blacklist /home/.fscrypt +blacklist /run/timeshift blacklist /var/backup +# Remove environment variables with auth tokens. +# Note however that the sandbox might still have access to the +# files where these variables are set. +rmenv GH_TOKEN +rmenv GITHUB_TOKEN +rmenv GH_ENTERPRISE_TOKEN +rmenv GITHUB_ENTERPRISE_TOKEN +rmenv CARGO_REGISTRY_TOKEN +rmenv RESTIC_KEY_HINT +rmenv RESTIC_PASSWORD_COMMAND +rmenv RESTIC_PASSWORD_FILE + # cloud provider configuration blacklist ${HOME}/.aws blacklist ${HOME}/.boto @@ -427,13 +472,14 @@ blacklist /usr/local/sbin blacklist /usr/sbin -# system management +# system management and various SUID executables blacklist ${PATH}/at blacklist ${PATH}/busybox blacklist ${PATH}/chage blacklist ${PATH}/chfn blacklist ${PATH}/chsh blacklist ${PATH}/crontab +blacklist ${PATH}/doas blacklist ${PATH}/evtest blacklist ${PATH}/expiry blacklist ${PATH}/fusermount @@ -462,6 +508,43 @@ blacklist ${PATH}/unix_chkpwd blacklist ${PATH}/xev blacklist ${PATH}/xinput +# from 0.9.67 +blacklist /usr/lib/openssh +blacklist /usr/lib/ssh +blacklist /usr/libexec/openssh +blacklist ${PATH}/passwd +blacklist /usr/lib/xorg/Xorg.wrap +blacklist /usr/lib/policykit-1/polkit-agent-helper-1 +blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper +blacklist /usr/lib/eject/dmcrypt-get-device +blacklist /usr/lib/chromium/chrome-sandbox +blacklist /usr/lib/opera/opera_sandbox +blacklist /usr/lib/vmware +blacklist ${PATH}/suexec +blacklist /usr/lib/squid/basic_pam_auth +blacklist ${PATH}/slock +blacklist ${PATH}/physlock +blacklist ${PATH}/schroot +blacklist ${PATH}/wshowkeys +blacklist ${PATH}/pmount +blacklist ${PATH}/pumount +blacklist ${PATH}/bmon +blacklist ${PATH}/fping +blacklist ${PATH}/fping6 +blacklist ${PATH}/hostname +# blacklist ${PATH}/ip - breaks --ip=dhcp +blacklist ${PATH}/mtr +blacklist ${PATH}/mtr-packet +blacklist ${PATH}/netstat +blacklist ${PATH}/nm-online +blacklist ${PATH}/nmcli +blacklist ${PATH}/nmtui +blacklist ${PATH}/nmtui-connect +blacklist ${PATH}/nmtui-edit +blacklist ${PATH}/nmtui-hostname +blacklist ${PATH}/networkctl +blacklist ${PATH}/ss +blacklist ${PATH}/traceroute # other SUID binaries blacklist /usr/lib/virtualbox @@ -473,10 +556,13 @@ blacklist /tmp/tmux-* # disable terminals running as server resulting in sandbox escape -blacklist ${PATH}/lxterminal blacklist ${PATH}/gnome-terminal blacklist ${PATH}/gnome-terminal.wrapper +blacklist ${PATH}/kgx +# blacklist ${PATH}/konsole +# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 blacklist ${PATH}/lilyterm +blacklist ${PATH}/lxterminal blacklist ${PATH}/mate-terminal blacklist ${PATH}/mate-terminal.wrapper blacklist ${PATH}/pantheon-terminal @@ -488,8 +574,6 @@ blacklist ${PATH}/urxvtcd blacklist ${PATH}/xfce4-terminal blacklist ${PATH}/xfce4-terminal.wrapper -# blacklist ${PATH}/konsole -# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 # kernel files blacklist /initrd* @@ -505,20 +589,27 @@ read-only ${HOME}/.local/share/flatpak/exports blacklist ${HOME}/.local/share/flatpak/* blacklist ${HOME}/.var -blacklist ${RUNUSER}/app -blacklist ${RUNUSER}/doc +# most of the time bwrap is SUID binary +blacklist ${PATH}/bwrap blacklist ${RUNUSER}/.dbus-proxy blacklist ${RUNUSER}/.flatpak blacklist ${RUNUSER}/.flatpak-cache blacklist ${RUNUSER}/.flatpak-helper +blacklist ${RUNUSER}/app +blacklist ${RUNUSER}/doc blacklist /usr/share/flatpak noblacklist /var/lib/flatpak/exports blacklist /var/lib/flatpak/* -# most of the time bwrap is SUID binary -blacklist ${PATH}/bwrap # snap +blacklist ${HOME}/snap +blacklist ${PATH}/snap +blacklist ${PATH}/snapctl blacklist ${RUNUSER}/snapd-session-agent.socket +blacklist /snap +blacklist /usr/lib/snapd +blacklist /var/lib/snapd +blacklist /var/snap # mail directories used by mutt blacklist ${HOME}/.Mail @@ -529,11 +620,10 @@ blacklist ${HOME}/postponed blacklist ${HOME}/sent -# kernel configuration +# kernel configuration - keep this here although it's also in disable-proc.inc blacklist /proc/config.gz -# prevent DNS malware attempting to communicate with the server -# using regular DNS tools +# prevent DNS malware attempting to communicate with the server using regular DNS tools blacklist ${PATH}/dig blacklist ${PATH}/dlint blacklist ${PATH}/dns2tcp @@ -551,8 +641,19 @@ blacklist ${PATH}/resolvectl blacklist ${PATH}/unbound-host +# prevent an intruder to guess passwords using regular network tools +blacklist ${PATH}/ftp +blacklist ${PATH}/ssh +blacklist ${PATH}/telnet + # rest of ${RUNUSER} blacklist ${RUNUSER}/*.lock blacklist ${RUNUSER}/inaccessible blacklist ${RUNUSER}/pk-debconf-socket blacklist ${RUNUSER}/update-notifier.pid + +# tor-browser +blacklist ${HOME}/.local/opt/tor-browser + +# pass utility (pass package in Debian etc.) +blacklist ${HOME}/.password-store
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-devel.inc ^
@@ -41,6 +41,13 @@ blacklist /usr/lib/java blacklist /usr/share/java +# Scala +blacklist ${PATH}/scala +blacklist ${PATH}/scala3 +blacklist ${PATH}/scala3-compiler +blacklist ${PATH}/scala3-repl +blacklist ${PATH}/scalac + #OpenSSL blacklist ${PATH}/openssl blacklist ${PATH}/openssl-1.0 @@ -60,9 +67,7 @@ blacklist ${PATH}/valgrind* blacklist /usr/lib/valgrind - # Source-Code - blacklist /usr/src blacklist /usr/local/src blacklist /usr/include
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-exec.inc ^
@@ -6,6 +6,7 @@ noexec ${RUNUSER} noexec /dev/mqueue noexec /dev/shm +noexec /run/shm noexec /tmp # /var is noexec by default for unprivileged users # except there is a writable-var option, so just in case:
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-interpreters.inc ^
@@ -40,6 +40,15 @@ blacklist /usr/lib64/perl* blacklist /usr/share/perl* +# rxvt needs Perl modules, thus does not work. In particular, blacklisting +# it is needed so that Firefox can run applications with Terminal=true in +# their .desktop file (depending on what is installed). The reason is that +# this is done via glib, which currently uses a hardcoded list of terminal +# emulators: +# https://gitlab.gnome.org/GNOME/glib/-/issues/338 +# And in this list, rxvt comes before xterm. +blacklist ${PATH}/rxvt + # PHP blacklist ${PATH}/php* blacklist /usr/lib/php* @@ -48,6 +57,7 @@ # Ruby blacklist ${PATH}/ruby blacklist /usr/lib/ruby +blacklist /usr/lib64/ruby # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus # Python 2
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-proc.inc ^
@@ -0,0 +1,82 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include disable-proc.local + +blacklist /proc/acpi +blacklist /proc/asound +blacklist /proc/bootconfig +blacklist /proc/buddyinfo +blacklist /proc/cgroups +blacklist /proc/cmdline +blacklist /proc/config.gz # keep this here even though it's also in disable-common.inc +blacklist /proc/consoles +#blacklist /proc/cpuinfo +blacklist /proc/crypto +blacklist /proc/devices +blacklist /proc/diskstats +blacklist /proc/dma +#blacklist /proc/driver +blacklist /proc/dynamic_debug +blacklist /proc/execdomains +blacklist /proc/fb +#blacklist /proc/filesystems +blacklist /proc/fs +blacklist /proc/i8k +blacklist /proc/interrupts +blacklist /proc/iomem +blacklist /proc/ioports +blacklist /proc/irq +blacklist /proc/kallsyms +blacklist /proc/kcore +blacklist /proc/keys +blacklist /proc/key-users +blacklist /proc/kmsg +blacklist /proc/kpagecgroup +blacklist /proc/kpagecount +blacklist /proc/kpageflags +blacklist /proc/latency_stats +#blacklist /proc/loadavg +blacklist /proc/locks +blacklist /proc/mdstat +#blacklist /proc/meminfo +blacklist /proc/misc +#blacklist /proc/modules +#blacklist /proc/mounts +blacklist /proc/mtrr +#blacklist /proc/net +blacklist /proc/partitions +blacklist /proc/pressure +blacklist /proc/sched_debug +blacklist /proc/schedstat +blacklist /proc/scsi +#blacklist /proc/self +blacklist /proc/slabinfo +blacklist /proc/softirqs +blacklist /proc/spl +#blacklist /proc/stat +blacklist /proc/swaps +#blacklist /proc/sys +blacklist /proc/sysrq-trigger +blacklist /proc/sysvipc +#blacklist /proc/thread-self +blacklist /proc/timer_list +blacklist /proc/tty +#blacklist /proc/uptime +#blacklist /proc/version +blacklist /proc/version_signature +blacklist /proc/vmallocinfo +#blacklist /proc/vmstat +#blacklist /proc/zoneinfo + +blacklist /proc/sys/abi +blacklist /proc/sys/crypto +blacklist /proc/sys/debug +blacklist /proc/sys/dev +blacklist /proc/sys/fs +blacklist /proc/sys/net +blacklist /proc/sys/user +blacklist /proc/sys/vm + +noblacklist /proc/sys/kernel/osrelease +noblacklist /proc/sys/kernel/yama +blacklist /proc/sys//
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-programs.inc ^
@@ -2,18 +2,6 @@ # Persistent customizations should go in a .local file. include disable-programs.local -blacklist ${HOME}/Arduino -blacklist ${HOME}/i2p -blacklist ${HOME}/Monero/wallets -blacklist ${HOME}/Nextcloud -blacklist ${HOME}/Nextcloud/Notes -blacklist ${HOME}/SoftMaker -blacklist ${HOME}/Standard Notes Backups -blacklist ${HOME}/TeamSpeak3-Client-linux_x86 -blacklist ${HOME}/TeamSpeak3-Client-linux_amd64 -blacklist ${HOME}/hyperrogue.ini -blacklist ${HOME}/mps -blacklist ${HOME}/wallet.dat blacklist ${HOME}/.coin blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.AndroidStudio @@ -38,10 +26,11 @@ blacklist ${HOME}/.WebStorm* blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.ZAP +blacklist ${HOME}/.aMule blacklist ${HOME}/.abook blacklist ${HOME}/.addressbook blacklist ${HOME}/.alpine-smime -blacklist ${HOME}/.aMule +blacklist ${HOME}/.ammonite blacklist ${HOME}/.android blacklist ${HOME}/.anydesk blacklist ${HOME}/.arduino15 @@ -53,6 +42,7 @@ blacklist ${HOME}/.atom blacklist ${HOME}/.attic blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.avidemux3 blacklist ${HOME}/.avidemux6 blacklist ${HOME}/.ballbuster.hs blacklist ${HOME}/.balsa @@ -61,12 +51,200 @@ blacklist ${HOME}/.bitcoin blacklist ${HOME}/.blobby blacklist ${HOME}/.bogofilter +blacklist ${HOME}/.bundle blacklist ${HOME}/.bzf -blacklist ${HOME}/.cargo/* +blacklist ${HOME}/.cache/0ad +blacklist ${HOME}/.cache/8pecxstudios +blacklist ${HOME}/.cache/Authenticator +blacklist ${HOME}/.cache/BraveSoftware +blacklist ${HOME}/.cache/Clementine +blacklist ${HOME}/.cache/ENCOM/Spectral +blacklist ${HOME}/.cache/Enox +blacklist ${HOME}/.cache/Enpass +blacklist ${HOME}/.cache/Ferdi +blacklist ${HOME}/.cache/Flavio Tordini +blacklist ${HOME}/.cache/Franz +blacklist ${HOME}/.cache/GoldenDict +blacklist ${HOME}/.cache/INRIA +blacklist ${HOME}/.cache/INRIA/Natron +blacklist ${HOME}/.cache/JetBrains/CLion* +blacklist ${HOME}/.cache/JetBrains/PyCharm* +blacklist ${HOME}/.cache/KDE/neochat +blacklist ${HOME}/.cache/Mendeley Ltd. +blacklist ${HOME}/.cache/MusicBrainz +blacklist ${HOME}/.cache/NewsFlashGTK +blacklist ${HOME}/.cache/Otter +blacklist ${HOME}/.cache/PawelStolowski +blacklist ${HOME}/.cache/Psi +blacklist ${HOME}/.cache/QuiteRss +blacklist ${HOME}/.cache/Quotient/quaternion +blacklist ${HOME}/.cache/Shortwave +blacklist ${HOME}/.cache/Tox +blacklist ${HOME}/.cache/Zeal +blacklist ${HOME}/.cache/agenda +blacklist ${HOME}/.cache/akonadi* +blacklist ${HOME}/.cache/atril +blacklist ${HOME}/.cache/attic +blacklist ${HOME}/.cache/audacity +blacklist ${HOME}/.cache/babl +blacklist ${HOME}/.cache/bnox +blacklist ${HOME}/.cache/borg +blacklist ${HOME}/.cache/cachy +blacklist ${HOME}/.cache/calibre +blacklist ${HOME}/.cache/cantata +blacklist ${HOME}/.cache/champlain +blacklist ${HOME}/.cache/chromium +blacklist ${HOME}/.cache/chromium-dev +blacklist ${HOME}/.cache/cliqz +blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate +blacklist ${HOME}/.cache/darktable +blacklist ${HOME}/.cache/deja-dup +blacklist ${HOME}/.cache/discover +blacklist ${HOME}/.cache/dnox +blacklist ${HOME}/.cache/dolphin +blacklist ${HOME}/.cache/dolphin-emu +blacklist ${HOME}/.cache/ephemeral +blacklist ${HOME}/.cache/epiphany +blacklist ${HOME}/.cache/evolution +blacklist ${HOME}/.cache/falkon +blacklist ${HOME}/.cache/feedreader +blacklist ${HOME}/.cache/firedragon +blacklist ${HOME}/.cache/flaska.net/trojita +blacklist ${HOME}/.cache/folks +blacklist ${HOME}/.cache/font-manager +blacklist ${HOME}/.cache/fossamail +blacklist ${HOME}/.cache/fractal +blacklist ${HOME}/.cache/freecol +blacklist ${HOME}/.cache/gajim +blacklist ${HOME}/.cache/gdfuse +blacklist ${HOME}/.cache/geary +blacklist ${HOME}/.cache/geeqie +blacklist ${HOME}/.cache/gegl-0.4 +blacklist ${HOME}/.cache/gfeeds +blacklist ${HOME}/.cache/gimp +blacklist ${HOME}/.cache/gnome-boxes +blacklist ${HOME}/.cache/gnome-builder +blacklist ${HOME}/.cache/gnome-control-center +blacklist ${HOME}/.cache/gnome-recipes +blacklist ${HOME}/.cache/gnome-screenshot +blacklist ${HOME}/.cache/gnome-software +blacklist ${HOME}/.cache/gnome-twitch +blacklist ${HOME}/.cache/godot +blacklist ${HOME}/.cache/google-chrome +blacklist ${HOME}/.cache/google-chrome-beta +blacklist ${HOME}/.cache/google-chrome-unstable +blacklist ${HOME}/.cache/gradio +blacklist ${HOME}/.cache/gummi +blacklist ${HOME}/.cache/icedove +blacklist ${HOME}/.cache/inkscape +blacklist ${HOME}/.cache/inox +blacklist ${HOME}/.cache/io.github.lainsce.Notejot +blacklist ${HOME}/.cache/iridium +blacklist ${HOME}/.cache/kcmshell5 +blacklist ${HOME}/.cache/kdenlive +blacklist ${HOME}/.cache/keepassxc +blacklist ${HOME}/.cache/kfind +blacklist ${HOME}/.cache/kinfocenter +blacklist ${HOME}/.cache/kmail2 +blacklist ${HOME}/.cache/krunner +blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* +blacklist ${HOME}/.cache/kscreenlocker_greet +blacklist ${HOME}/.cache/ksmserver-logout-greeter +blacklist ${HOME}/.cache/ksplashqml +blacklist ${HOME}/.cache/kube +blacklist ${HOME}/.cache/kwin +blacklist ${HOME}/.cache/lbry-viewer +blacklist ${HOME}/.cache/libgweather +blacklist ${HOME}/.cache/librewolf +blacklist ${HOME}/.cache/liferea +blacklist ${HOME}/.cache/lutris +blacklist ${HOME}/.cache/marker +blacklist ${HOME}/.cache/matrix-mirage +blacklist ${HOME}/.cache/microsoft-edge +blacklist ${HOME}/.cache/microsoft-edge-beta +blacklist ${HOME}/.cache/microsoft-edge-dev +blacklist ${HOME}/.cache/midori +blacklist ${HOME}/.cache/minetest +blacklist ${HOME}/.cache/mirage +blacklist ${HOME}/.cache/moonchild productions/basilisk +blacklist ${HOME}/.cache/moonchild productions/pale moon +blacklist ${HOME}/.cache/mozilla +blacklist ${HOME}/.cache/ms-excel-online +blacklist ${HOME}/.cache/ms-office-online +blacklist ${HOME}/.cache/ms-onenote-online +blacklist ${HOME}/.cache/ms-outlook-online +blacklist ${HOME}/.cache/ms-powerpoint-online +blacklist ${HOME}/.cache/ms-skype-online +blacklist ${HOME}/.cache/ms-word-online +blacklist ${HOME}/.cache/mutt +blacklist ${HOME}/.cache/mypaint +blacklist ${HOME}/.cache/netsurf +blacklist ${HOME}/.cache/nheko +blacklist ${HOME}/.cache/nvim +blacklist ${HOME}/.cache/ocenaudio +blacklist ${HOME}/.cache/okular +blacklist ${HOME}/.cache/opera +blacklist ${HOME}/.cache/opera-beta +blacklist ${HOME}/.cache/opera-developer +blacklist ${HOME}/.cache/org.gabmus.gfeeds +blacklist ${HOME}/.cache/org.gnome.Books +blacklist ${HOME}/.cache/org.gnome.Maps +blacklist ${HOME}/.cache/pdfmod +blacklist ${HOME}/.cache/peek +blacklist ${HOME}/.cache/pip +blacklist ${HOME}/.cache/pipe-viewer +blacklist ${HOME}/.cache/plasmashell +blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* +blacklist ${HOME}/.cache/psi +blacklist ${HOME}/.cache/qBittorrent +blacklist ${HOME}/.cache/quodlibet +blacklist ${HOME}/.cache/qupzilla +blacklist ${HOME}/.cache/qutebrowser +blacklist ${HOME}/.cache/rclone +blacklist ${HOME}/.cache/rednotebook +blacklist ${HOME}/.cache/rhythmbox +blacklist ${HOME}/.cache/rpcs3 +blacklist ${HOME}/.cache/shotwell +blacklist ${HOME}/.cache/simple-scan +blacklist ${HOME}/.cache/slimjet +blacklist ${HOME}/.cache/smuxi +blacklist ${HOME}/.cache/snox +blacklist ${HOME}/.cache/spotify +blacklist ${HOME}/.cache/straw-viewer +blacklist ${HOME}/.cache/strawberry +blacklist ${HOME}/.cache/supertuxkart +blacklist ${HOME}/.cache/systemsettings +blacklist ${HOME}/.cache/telepathy +blacklist ${HOME}/.cache/thunderbird +blacklist ${HOME}/.cache/torbrowser +blacklist ${HOME}/.cache/transmission +blacklist ${HOME}/.cache/ungoogled-chromium +blacklist ${HOME}/.cache/vivaldi +blacklist ${HOME}/.cache/vivaldi-snapshot +blacklist ${HOME}/.cache/vlc +blacklist ${HOME}/.cache/vmware +blacklist ${HOME}/.cache/warsow-2.1 +blacklist ${HOME}/.cache/waterfox +blacklist ${HOME}/.cache/wesnoth +blacklist ${HOME}/.cache/wine +blacklist ${HOME}/.cache/winetricks +blacklist ${HOME}/.cache/xmms2 +blacklist ${HOME}/.cache/xournalpp +blacklist ${HOME}/.cache/xreader +blacklist ${HOME}/.cache/yandex-browser +blacklist ${HOME}/.cache/yandex-browser-beta +blacklist ${HOME}/.cache/youtube-dl +blacklist ${HOME}/.cache/youtube-viewer +blacklist ${HOME}/.cache/yt-dlp +blacklist ${HOME}/.cache/zim +blacklist ${HOME}/.cachy +blacklist ${HOME}/.cargo blacklist ${HOME}/.claws-mail +blacklist ${HOME}/.clion* blacklist ${HOME}/.cliqz blacklist ${HOME}/.clonk blacklist ${HOME}/.config/0ad +blacklist ${HOME}/.config/1Password blacklist ${HOME}/.config/2048-qt blacklist ${HOME}/.config/Atom blacklist ${HOME}/.config/Audaciousrc @@ -77,17 +255,20 @@ blacklist ${HOME}/.config/Brackets blacklist ${HOME}/.config/BraveSoftware blacklist ${HOME}/.config/Clementine +blacklist ${HOME}/.config/ClipGrab blacklist ${HOME}/.config/Code blacklist ${HOME}/.config/Code - OSS blacklist ${HOME}/.config/Code Industry blacklist ${HOME}/.config/Cryptocat blacklist ${HOME}/.config/Debauchee/Barrier.conf blacklist ${HOME}/.config/Dharkael +blacklist ${HOME}/.config/ENCOM +blacklist ${HOME}/.config/Electron blacklist ${HOME}/.config/Element blacklist ${HOME}/.config/Element (Riot) -blacklist ${HOME}/.config/ENCOM blacklist ${HOME}/.config/Enox blacklist ${HOME}/.config/Epic +blacklist ${HOME}/.config/Exodus blacklist ${HOME}/.config/Ferdi blacklist ${HOME}/.config/Flavio Tordini blacklist ${HOME}/.config/Franz @@ -102,17 +283,24 @@ blacklist ${HOME}/.config/Gpredict blacklist ${HOME}/.config/INRIA blacklist ${HOME}/.config/InSilmaril +blacklist ${HOME}/.config/JetBrains/CLion* +blacklist ${HOME}/.config/JetBrains/PyCharm* blacklist ${HOME}/.config/Jitsi Meet blacklist ${HOME}/.config/KDE/neochat +blacklist ${HOME}/.config/KeePass +blacklist ${HOME}/.config/KeePassXCrc blacklist ${HOME}/.config/Kid3 blacklist ${HOME}/.config/Kingsoft +blacklist ${HOME}/.config/Ledger Live blacklist ${HOME}/.config/LibreCAD blacklist ${HOME}/.config/Loop_Hero blacklist ${HOME}/.config/Luminance blacklist ${HOME}/.config/LyX +blacklist ${HOME}/.config/MangoHud blacklist ${HOME}/.config/Mattermost blacklist ${HOME}/.config/Meltytech blacklist ${HOME}/.config/Mendeley Ltd. +blacklist ${HOME}/.config/Microsoft blacklist ${HOME}/.config/Min blacklist ${HOME}/.config/ModTheSpire blacklist ${HOME}/.config/Mousepad @@ -122,13 +310,17 @@ blacklist ${HOME}/.config/MusicBrainz blacklist ${HOME}/.config/Nathan Osman blacklist ${HOME}/.config/Nextcloud +blacklist ${HOME}/.config/NitroShare +blacklist ${HOME}/.config/Notable blacklist ${HOME}/.config/Nylas Mail +blacklist ${HOME}/.config/PBE blacklist ${HOME}/.config/PacmanLogViewer blacklist ${HOME}/.config/PawelStolowski -blacklist ${HOME}/.config/PBE blacklist ${HOME}/.config/Philipp Schmieder +blacklist ${HOME}/.config/Pinta blacklist ${HOME}/.config/QGIS blacklist ${HOME}/.config/QMediathekView +blacklist ${HOME}/.config/QQ blacklist ${HOME}/.config/Qlipper blacklist ${HOME}/.config/QuiteRss blacklist ${HOME}/.config/QuiteRssrc @@ -138,6 +330,7 @@ blacklist ${HOME}/.config/Rocket.Chat blacklist ${HOME}/.config/RogueLegacy blacklist ${HOME}/.config/RogueLegacyStorageContainer +blacklist ${HOME}/.config/Seafile blacklist ${HOME}/.config/Signal blacklist ${HOME}/.config/Sinew Software Systems blacklist ${HOME}/.config/Slack @@ -146,11 +339,14 @@ blacklist ${HOME}/.config/Thunar blacklist ${HOME}/.config/Twitch blacklist ${HOME}/.config/Unknown Organization +blacklist ${HOME}/.config/VSCodium blacklist ${HOME}/.config/VirtualBox +blacklist ${HOME}/.config/Whalebird blacklist ${HOME}/.config/Wire blacklist ${HOME}/.config/Youtube -blacklist ${HOME}/.config/Zeal blacklist ${HOME}/.config/ZeGrapher Project +blacklist ${HOME}/.config/Zeal +blacklist ${HOME}/.config/Zulip blacklist ${HOME}/.config/aacs blacklist ${HOME}/.config/abiword blacklist ${HOME}/.config/agenda @@ -166,6 +362,7 @@ blacklist ${HOME}/.config/asunder blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/audacious +blacklist ${HOME}/.config/audacity blacklist ${HOME}/.config/autokey blacklist ${HOME}/.config/avidemux3_qt5rc blacklist ${HOME}/.config/aweather @@ -199,10 +396,12 @@ blacklist ${HOME}/.config/clipit blacklist ${HOME}/.config/cliqz blacklist ${HOME}/.config/cmus +blacklist ${HOME}/.config/cointop blacklist ${HOME}/.config/com.github.bleakgrey.tootle blacklist ${HOME}/.config/corebird blacklist ${HOME}/.config/cower blacklist ${HOME}/.config/coyim +blacklist ${HOME}/.config/d-feet blacklist ${HOME}/.config/darktable blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/deluge @@ -217,7 +416,7 @@ blacklist ${HOME}/.config/dolphinrc blacklist ${HOME}/.config/dragonplayerrc blacklist ${HOME}/.config/draw.io -blacklist ${HOME}/.config/d-feet +blacklist ${HOME}/.config/electron-flag.conf blacklist ${HOME}/.config/electron-mail blacklist ${HOME}/.config/emaildefaults blacklist ${HOME}/.config/emailidentities @@ -237,7 +436,9 @@ blacklist ${HOME}/.config/freecol blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/galculator +blacklist ${HOME}/.config/gallery-dl blacklist ${HOME}/.config/gconf +blacklist ${HOME}/.config/gdfuse blacklist ${HOME}/.config/geany blacklist ${HOME}/.config/geary blacklist ${HOME}/.config/gedit @@ -277,6 +478,7 @@ blacklist ${HOME}/.config/itch blacklist ${HOME}/.config/jami blacklist ${HOME}/.config/jd-gui.cfg +blacklist ${HOME}/.config/jgit blacklist ${HOME}/.config/k3brc blacklist ${HOME}/.config/kaffeinerc blacklist ${HOME}/.config/kalgebrarc @@ -291,6 +493,9 @@ blacklist ${HOME}/.config/kdenliverc blacklist ${HOME}/.config/kdiff3fileitemactionrc blacklist ${HOME}/.config/kdiff3rc +blacklist ${HOME}/.config/keepass +blacklist ${HOME}/.config/keepassx +blacklist ${HOME}/.config/keepassxc blacklist ${HOME}/.config/kfindrc blacklist ${HOME}/.config/kgetrc blacklist ${HOME}/.config/kid3rc @@ -300,13 +505,14 @@ blacklist ${HOME}/.config/kmailsearchindexingrc blacklist ${HOME}/.config/kmplayerrc blacklist ${HOME}/.config/knotesrc -blacklist ${HOME}/.config/konversationrc blacklist ${HOME}/.config/konversation.notifyrc +blacklist ${HOME}/.config/konversationrc blacklist ${HOME}/.config/kritarc blacklist ${HOME}/.config/ktorrentrc blacklist ${HOME}/.config/ktouch2rc blacklist ${HOME}/.config/kube blacklist ${HOME}/.config/kwriterc +blacklist ${HOME}/.config/lbry-viewer blacklist ${HOME}/.config/leafpad blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/liferea @@ -322,13 +528,15 @@ blacklist ${HOME}/.config/matrix-mirage blacklist ${HOME}/.config/mcomix blacklist ${HOME}/.config/meld -blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/menulibre.cfg +blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/mfusion -blacklist ${HOME}/.config/Microsoft +blacklist ${HOME}/.config/microsoft-edge +blacklist ${HOME}/.config/microsoft-edge-beta blacklist ${HOME}/.config/microsoft-edge-dev blacklist ${HOME}/.config/midori blacklist ${HOME}/.config/mirage +blacklist ${HOME}/.config/monero-project blacklist ${HOME}/.config/mono blacklist ${HOME}/.config/mpDris2 blacklist ${HOME}/.config/mpd @@ -341,17 +549,17 @@ blacklist ${HOME}/.config/nano blacklist ${HOME}/.config/nautilus blacklist ${HOME}/.config/nemo -blacklist ${HOME}/.config/neochatrc blacklist ${HOME}/.config/neochat.notifyrc +blacklist ${HOME}/.config/neochatrc blacklist ${HOME}/.config/neomutt blacklist ${HOME}/.config/netsurf blacklist ${HOME}/.config/newsbeuter blacklist ${HOME}/.config/newsboat blacklist ${HOME}/.config/newsflash blacklist ${HOME}/.config/nheko -blacklist ${HOME}/.config/NitroShare blacklist ${HOME}/.config/nomacs blacklist ${HOME}/.config/nuclear +blacklist ${HOME}/.config/nvim blacklist ${HOME}/.config/obs-studio blacklist ${HOME}/.config/okularpartrc blacklist ${HOME}/.config/okularrc @@ -361,6 +569,7 @@ blacklist ${HOME}/.config/openmw blacklist ${HOME}/.config/opera blacklist ${HOME}/.config/opera-beta +blacklist ${HOME}/.config/opera-developer blacklist ${HOME}/.config/orage blacklist ${HOME}/.config/org.gabmus.gfeeds.json blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles @@ -370,7 +579,6 @@ blacklist ${HOME}/.config/pavucontrol.ini blacklist ${HOME}/.config/pcmanfm blacklist ${HOME}/.config/pdfmod -blacklist ${HOME}/.config/Pinta blacklist ${HOME}/.config/pipe-viewer blacklist ${HOME}/.config/pitivi blacklist ${HOME}/.config/pix @@ -388,10 +596,12 @@ blacklist ${HOME}/.config/qupzilla blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.config/ranger +blacklist ${HOME}/.config/rclone blacklist ${HOME}/.config/redshift blacklist ${HOME}/.config/redshift.conf blacklist ${HOME}/.config/remmina blacklist ${HOME}/.config/ristretto +blacklist ${HOME}/.config/rpcs3 blacklist ${HOME}/.config/rtv blacklist ${HOME}/.config/scribus blacklist ${HOME}/.config/scribusrc @@ -407,10 +617,11 @@ blacklist ${HOME}/.config/specialmailcollectionsrc blacklist ${HOME}/.config/spectaclerc blacklist ${HOME}/.config/spotify +blacklist ${HOME}/.config/spotify-adblock blacklist ${HOME}/.config/sqlitebrowser blacklist ${HOME}/.config/stellarium -blacklist ${HOME}/.config/strawberry blacklist ${HOME}/.config/straw-viewer +blacklist ${HOME}/.config/strawberry blacklist ${HOME}/.config/supertuxkart blacklist ${HOME}/.config/synfig blacklist ${HOME}/.config/teams @@ -422,6 +633,7 @@ blacklist ${HOME}/.config/transgui blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/truecraft +blacklist ${HOME}/.config/tuir blacklist ${HOME}/.config/tuta_integration blacklist ${HOME}/.config/tutanota-desktop blacklist ${HOME}/.config/tvbrowser @@ -433,19 +645,20 @@ blacklist ${HOME}/.config/vivaldi-snapshot blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/wesnoth -blacklist ${HOME}/.config/wormux -blacklist ${HOME}/.config/Whalebird +blacklist ${HOME}/.config/wget blacklist ${HOME}/.config/wireshark +blacklist ${HOME}/.config/wormux blacklist ${HOME}/.config/xchat blacklist ${HOME}/.config/xed blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/xfce4-dict blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc blacklist ${HOME}/.config/xfce4/xfce4-notes.rc blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml -blacklist ${HOME}/.config/xfce4-dict blacklist ${HOME}/.config/xiaoyong blacklist ${HOME}/.config/xmms2 +blacklist ${HOME}/.config/xournalpp blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer @@ -454,12 +667,14 @@ blacklist ${HOME}/.config/yelp blacklist ${HOME}/.config/youtube-dl blacklist ${HOME}/.config/youtube-dlg -blacklist ${HOME}/.config/youtubemusic-nativefier-040164 blacklist ${HOME}/.config/youtube-music-desktop-app blacklist ${HOME}/.config/youtube-viewer +blacklist ${HOME}/.config/youtubemusic-nativefier-040164 +blacklist ${HOME}/.config/yt-dlp +blacklist ${HOME}/.config/yt-dlp.conf blacklist ${HOME}/.config/zathura +blacklist ${HOME}/.config/zim blacklist ${HOME}/.config/zoomus.conf -blacklist ${HOME}/.config/Zulip blacklist ${HOME}/.conkeror.mozdev.org blacklist ${HOME}/.crawl blacklist ${HOME}/.cups @@ -487,31 +702,38 @@ blacklist ${HOME}/.flowblade blacklist ${HOME}/.fltk blacklist ${HOME}/.fossamail +blacklist ${HOME}/.fpm blacklist ${HOME}/.freeciv blacklist ${HOME}/.freecol blacklist ${HOME}/.freemind blacklist ${HOME}/.frogatto blacklist ${HOME}/.frozen-bubble blacklist ${HOME}/.funnyboat +blacklist ${HOME}/.g8 +blacklist ${HOME}/.gallery-dl.conf +blacklist ${HOME}/.gdfuse +blacklist ${HOME}/.geekbench5 blacklist ${HOME}/.gimp* blacklist ${HOME}/.gist blacklist ${HOME}/.gitconfig blacklist ${HOME}/.gl-117 blacklist ${HOME}/.glaxiumrc blacklist ${HOME}/.gnome/gnome-schedule +blacklist ${HOME}/.goldendict blacklist ${HOME}/.googleearth blacklist ${HOME}/.gradle blacklist ${HOME}/.gramps blacklist ${HOME}/.guayadeque blacklist ${HOME}/.hashcat -blacklist ${HOME}/.hex-a-hop blacklist ${HOME}/.hedgewars +blacklist ${HOME}/.hex-a-hop blacklist ${HOME}/.hugin blacklist ${HOME}/.i2p blacklist ${HOME}/.icedove blacklist ${HOME}/.imagej blacklist ${HOME}/.inkscape blacklist ${HOME}/.itch +blacklist ${HOME}/.ivy2 blacklist ${HOME}/.jack-server blacklist ${HOME}/.jack-settings blacklist ${HOME}/.jak @@ -581,6 +803,9 @@ blacklist ${HOME}/.kde4/share/config/ktorrentrc blacklist ${HOME}/.kde4/share/config/okularpartrc blacklist ${HOME}/.kde4/share/config/okularrc +blacklist ${HOME}/.keepass +blacklist ${HOME}/.keepassx +blacklist ${HOME}/.keepassxc blacklist ${HOME}/.killingfloor blacklist ${HOME}/.kingsoft blacklist ${HOME}/.kino-history @@ -588,6 +813,7 @@ blacklist ${HOME}/.klatexformula blacklist ${HOME}/.klei blacklist ${HOME}/.kodi +blacklist ${HOME}/.lastpass blacklist ${HOME}/.librewolf blacklist ${HOME}/.lincity-ng blacklist ${HOME}/.links @@ -599,18 +825,24 @@ blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/3909/PapersPlease blacklist ${HOME}/.local/share/Anki2 +blacklist ${HOME}/.local/share/Colossal Order blacklist ${HOME}/.local/share/Dredmor blacklist ${HOME}/.local/share/Empathy blacklist ${HOME}/.local/share/Enpass +blacklist ${HOME}/.local/share/FasterThanLight blacklist ${HOME}/.local/share/Flavio Tordini +blacklist ${HOME}/.local/share/HotlineMiami +blacklist ${HOME}/.local/share/IntoTheBreach blacklist ${HOME}/.local/share/JetBrains blacklist ${HOME}/.local/share/KDE/neochat +blacklist ${HOME}/.local/share/KeePass blacklist ${HOME}/.local/share/Kingsoft blacklist ${HOME}/.local/share/LibreCAD blacklist ${HOME}/.local/share/Mendeley Ltd. blacklist ${HOME}/.local/share/Mumble blacklist ${HOME}/.local/share/Nextcloud blacklist ${HOME}/.local/share/PBE +blacklist ${HOME}/.local/share/Paradox Interactive blacklist ${HOME}/.local/share/PawelStolowski blacklist ${HOME}/.local/share/PillarsOfEternity blacklist ${HOME}/.local/share/Psi @@ -621,21 +853,23 @@ blacklist ${HOME}/.local/share/RogueLegacy blacklist ${HOME}/.local/share/RogueLegacyStorageContainer blacklist ${HOME}/.local/share/Shortwave +blacklist ${HOME}/.local/share/SongRec blacklist ${HOME}/.local/share/Steam -blacklist ${HOME}/.local/share/SteamWorldDig blacklist ${HOME}/.local/share/SteamWorld Dig 2 +blacklist ${HOME}/.local/share/SteamWorldDig blacklist ${HOME}/.local/share/SuperHexagon blacklist ${HOME}/.local/share/TelegramDesktop blacklist ${HOME}/.local/share/Terraria blacklist ${HOME}/.local/share/TpLogger blacklist ${HOME}/.local/share/Zeal +blacklist ${HOME}/.local/share/agenda blacklist ${HOME}/.local/share/akonadi* blacklist ${HOME}/.local/share/akregator -blacklist ${HOME}/.local/share/agenda blacklist ${HOME}/.local/share/apps/korganizer blacklist ${HOME}/.local/share/aspyr-media -blacklist ${HOME}/.local/share/autokey +blacklist ${HOME}/.local/share/audacity blacklist ${HOME}/.local/share/authenticator-rs +blacklist ${HOME}/.local/share/autokey blacklist ${HOME}/.local/share/backintime blacklist ${HOME}/.local/share/baloo blacklist ${HOME}/.local/share/barrier @@ -646,6 +880,7 @@ blacklist ${HOME}/.local/share/calligragemini blacklist ${HOME}/.local/share/cantata blacklist ${HOME}/.local/share/cdprojektred +blacklist ${HOME}/.local/share/chatterino blacklist ${HOME}/.local/share/clipit blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate blacklist ${HOME}/.local/share/contacts @@ -662,12 +897,12 @@ blacklist ${HOME}/.local/share/emailidentities blacklist ${HOME}/.local/share/epiphany blacklist ${HOME}/.local/share/evolution -blacklist ${HOME}/.local/share/FasterThanLight blacklist ${HOME}/.local/share/feedreader blacklist ${HOME}/.local/share/feral-interactive blacklist ${HOME}/.local/share/five-or-more blacklist ${HOME}/.local/share/freecol blacklist ${HOME}/.local/share/gajim +blacklist ${HOME}/.local/share/gdfuse blacklist ${HOME}/.local/share/geary blacklist ${HOME}/.local/share/geeqie blacklist ${HOME}/.local/share/ghostwriter @@ -692,12 +927,13 @@ blacklist ${HOME}/.local/share/gradio blacklist ${HOME}/.local/share/gwenview blacklist ${HOME}/.local/share/i2p -blacklist ${HOME}/.local/share/IntoTheBreach +blacklist ${HOME}/.local/share/io.github.lainsce.Notejot blacklist ${HOME}/.local/share/jami blacklist ${HOME}/.local/share/kaffeine blacklist ${HOME}/.local/share/kalgebra blacklist ${HOME}/.local/share/kate blacklist ${HOME}/.local/share/kdenlive +blacklist ${HOME}/.local/share/keepass blacklist ${HOME}/.local/share/kget blacklist ${HOME}/.local/share/kiwix blacklist ${HOME}/.local/share/kiwix-desktop @@ -748,14 +984,14 @@ blacklist ${HOME}/.local/share/openmw blacklist ${HOME}/.local/share/orage blacklist ${HOME}/.local/share/org.kde.gwenview -blacklist ${HOME}/.local/share/Paradox Interactive blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/plasma_notes blacklist ${HOME}/.local/share/profanity blacklist ${HOME}/.local/share/psi blacklist ${HOME}/.local/share/psi+ -blacklist ${HOME}/.local/share/quadrapassel +blacklist ${HOME}/.local/share/qBittorrent blacklist ${HOME}/.local/share/qpdfview +blacklist ${HOME}/.local/share/quadrapassel blacklist ${HOME}/.local/share/qutebrowser blacklist ${HOME}/.local/share/remmina blacklist ${HOME}/.local/share/rhythmbox @@ -775,16 +1011,21 @@ blacklist ${HOME}/.local/share/terasology blacklist ${HOME}/.local/share/torbrowser blacklist ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/tuir blacklist ${HOME}/.local/share/uzbl blacklist ${HOME}/.local/share/vlc blacklist ${HOME}/.local/share/vpltd blacklist ${HOME}/.local/share/vulkan blacklist ${HOME}/.local/share/warsow-2.1 +blacklist ${HOME}/.local/share/warzone2100-3.* blacklist ${HOME}/.local/share/wesnoth +blacklist ${HOME}/.local/share/wget blacklist ${HOME}/.local/share/wormux blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/xreader blacklist ${HOME}/.local/share/zathura +blacklist ${HOME}/.local/state/audacity +blacklist ${HOME}/.local/state/pipewire blacklist ${HOME}/.lv2 blacklist ${HOME}/.lyx blacklist ${HOME}/.magicor @@ -815,6 +1056,7 @@ blacklist ${HOME}/.newsrc blacklist ${HOME}/.nicotine blacklist ${HOME}/.node-gyp +blacklist ${HOME}/.notable blacklist ${HOME}/.npm blacklist ${HOME}/.npmrc blacklist ${HOME}/.nv @@ -828,8 +1070,10 @@ blacklist ${HOME}/.openttd blacklist ${HOME}/.opera blacklist ${HOME}/.opera-beta +blacklist ${HOME}/.opera-developer blacklist ${HOME}/.ostrichriders blacklist ${HOME}/.paradoxinteractive +blacklist ${HOME}/.paradoxlauncher blacklist ${HOME}/.parallelrealities/blobwars blacklist ${HOME}/.pcsxr blacklist ${HOME}/.penguin-command @@ -843,6 +1087,7 @@ blacklist ${HOME}/.pinercex blacklist ${HOME}/.pingus blacklist ${HOME}/.pioneer +blacklist ${HOME}/.prey blacklist ${HOME}/.purple blacklist ${HOME}/.pylint.d blacklist ${HOME}/.qemu-launcher @@ -850,11 +1095,13 @@ blacklist ${HOME}/.qmmp blacklist ${HOME}/.quodlibet blacklist ${HOME}/.redeclipse +blacklist ${HOME}/.rednotebook blacklist ${HOME}/.remmina blacklist ${HOME}/.repo_.gitconfig.json blacklist ${HOME}/.repoconfig blacklist ${HOME}/.retroshare blacklist ${HOME}/.ripperXrc +blacklist ${HOME}/.sbt blacklist ${HOME}/.scorched3d blacklist ${HOME}/.scribus blacklist ${HOME}/.scribusrc @@ -920,176 +1167,31 @@ blacklist ${HOME}/.yarncache blacklist ${HOME}/.yarnrc blacklist ${HOME}/.zoom -blacklist /tmp/akonadi-* +blacklist ${HOME}/Applications # used for storing AppImages +blacklist ${HOME}/Arduino +blacklist ${HOME}/Monero/wallets +blacklist ${HOME}/Nextcloud +blacklist ${HOME}/Nextcloud/Notes +blacklist ${HOME}/Seafile/.seafile-data +blacklist ${HOME}/SoftMaker +blacklist ${HOME}/Standard Notes Backups +blacklist ${HOME}/TeamSpeak3-Client-linux_amd64 +blacklist ${HOME}/TeamSpeak3-Client-linux_x86 +blacklist ${HOME}/hyperrogue.ini +blacklist ${HOME}/i2p +blacklist ${HOME}/mps +blacklist ${HOME}/openstego.ini +blacklist ${HOME}/wallet.dat +blacklist ${HOME}/yt-dlp.conf +blacklist ${HOME}/yt-dlp.conf.txt +blacklist ${RUNUSER}/firefox +blacklist ${RUNUSER}/akonadi +blacklist ${RUNUSER}/psd/firefox +blacklist /etc/ssmtp blacklist /tmp/.wine-* +blacklist /tmp/akonadi-* blacklist /var/games/nethack blacklist /var/games/slashem blacklist /var/games/vulturesclaw blacklist /var/games/vultureseye blacklist /var/lib/games/Maelstrom-Scores - -# ${HOME}/.cache directory -blacklist ${HOME}/.cache/0ad -blacklist ${HOME}/.cache/8pecxstudios -blacklist ${HOME}/.cache/Authenticator -blacklist ${HOME}/.cache/BraveSoftware -blacklist ${HOME}/.cache/Clementine -blacklist ${HOME}/.cache/ENCOM/Spectral -blacklist ${HOME}/.cache/Enox -blacklist ${HOME}/.cache/Enpass -blacklist ${HOME}/.cache/Ferdi -blacklist ${HOME}/.cache/Flavio Tordini -blacklist ${HOME}/.cache/Franz -blacklist ${HOME}/.cache/INRIA -blacklist ${HOME}/.cache/MusicBrainz -blacklist ${HOME}/.cache/NewsFlashGTK -blacklist ${HOME}/.cache/Otter -blacklist ${HOME}/.cache/PawelStolowski -blacklist ${HOME}/.cache/Psi -blacklist ${HOME}/.cache/QuiteRss -blacklist ${HOME}/.cache/quodlibet -blacklist ${HOME}/.cache/Quotient/quaternion -blacklist ${HOME}/.cache/Shortwave -blacklist ${HOME}/.cache/Tox -blacklist ${HOME}/.cache/Zeal -blacklist ${HOME}/.cache/agenda -blacklist ${HOME}/.cache/akonadi* -blacklist ${HOME}/.cache/atril -blacklist ${HOME}/.cache/attic -blacklist ${HOME}/.cache/babl -blacklist ${HOME}/.cache/bnox -blacklist ${HOME}/.cache/borg -blacklist ${HOME}/.cache/calibre -blacklist ${HOME}/.cache/cantata -blacklist ${HOME}/.cache/champlain -blacklist ${HOME}/.cache/chromium -blacklist ${HOME}/.cache/chromium-dev -blacklist ${HOME}/.cache/cliqz -blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate -blacklist ${HOME}/.cache/darktable -blacklist ${HOME}/.cache/deja-dup -blacklist ${HOME}/.cache/discover -blacklist ${HOME}/.cache/dnox -blacklist ${HOME}/.cache/dolphin -blacklist ${HOME}/.cache/dolphin-emu -blacklist ${HOME}/.cache/ephemeral -blacklist ${HOME}/.cache/epiphany -blacklist ${HOME}/.cache/evolution -blacklist ${HOME}/.cache/falkon -blacklist ${HOME}/.cache/feedreader -blacklist ${HOME}/.cache/firedragon -blacklist ${HOME}/.cache/flaska.net/trojita -blacklist ${HOME}/.cache/folks -blacklist ${HOME}/.cache/font-manager -blacklist ${HOME}/.cache/fossamail -blacklist ${HOME}/.cache/fractal -blacklist ${HOME}/.cache/freecol -blacklist ${HOME}/.cache/gajim -blacklist ${HOME}/.cache/geary -blacklist ${HOME}/.cache/gegl-0.4 -blacklist ${HOME}/.cache/geeqie -blacklist ${HOME}/.cache/gfeeds -blacklist ${HOME}/.cache/gimp -blacklist ${HOME}/.cache/gnome-boxes -blacklist ${HOME}/.cache/gnome-builder -blacklist ${HOME}/.cache/gnome-control-center -blacklist ${HOME}/.cache/gnome-recipes -blacklist ${HOME}/.cache/gnome-screenshot -blacklist ${HOME}/.cache/gnome-software -blacklist ${HOME}/.cache/gnome-twitch -blacklist ${HOME}/.cache/godot -blacklist ${HOME}/.cache/google-chrome -blacklist ${HOME}/.cache/google-chrome-beta -blacklist ${HOME}/.cache/google-chrome-unstable -blacklist ${HOME}/.cache/gradio -blacklist ${HOME}/.cache/gummi -blacklist ${HOME}/.cache/icedove -blacklist ${HOME}/.cache/INRIA/Natron -blacklist ${HOME}/.cache/inkscape -blacklist ${HOME}/.cache/inox -blacklist ${HOME}/.cache/iridium -blacklist ${HOME}/.cache/kcmshell5 -blacklist ${HOME}/.cache/KDE/neochat -blacklist ${HOME}/.cache/kdenlive -blacklist ${HOME}/.cache/keepassxc -blacklist ${HOME}/.cache/kfind -blacklist ${HOME}/.cache/kinfocenter -blacklist ${HOME}/.cache/kmail2 -blacklist ${HOME}/.cache/krunner -blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* -blacklist ${HOME}/.cache/kscreenlocker_greet -blacklist ${HOME}/.cache/ksmserver-logout-greeter -blacklist ${HOME}/.cache/ksplashqml -blacklist ${HOME}/.cache/kube -blacklist ${HOME}/.cache/kwin -blacklist ${HOME}/.cache/libgweather -blacklist ${HOME}/.cache/librewolf -blacklist ${HOME}/.cache/liferea -blacklist ${HOME}/.cache/lutris -blacklist ${HOME}/.cache/Mendeley Ltd. -blacklist ${HOME}/.cache/marker -blacklist ${HOME}/.cache/matrix-mirage -blacklist ${HOME}/.cache/microsoft-edge-dev -blacklist ${HOME}/.cache/midori -blacklist ${HOME}/.cache/minetest -blacklist ${HOME}/.cache/mirage -blacklist ${HOME}/.cache/moonchild productions/basilisk -blacklist ${HOME}/.cache/moonchild productions/pale moon -blacklist ${HOME}/.cache/mozilla -blacklist ${HOME}/.cache/ms-excel-online -blacklist ${HOME}/.cache/ms-office-online -blacklist ${HOME}/.cache/ms-onenote-online -blacklist ${HOME}/.cache/ms-outlook-online -blacklist ${HOME}/.cache/ms-powerpoint-online -blacklist ${HOME}/.cache/ms-skype-online -blacklist ${HOME}/.cache/ms-word-online -blacklist ${HOME}/.cache/mutt -blacklist ${HOME}/.cache/mypaint -blacklist ${HOME}/.cache/nheko -blacklist ${HOME}/.cache/netsurf -blacklist ${HOME}/.cache/okular -blacklist ${HOME}/.cache/opera -blacklist ${HOME}/.cache/opera-beta -blacklist ${HOME}/.cache/org.gabmus.gfeeds -blacklist ${HOME}/.cache/org.gnome.Books -blacklist ${HOME}/.cache/org.gnome.Maps -blacklist ${HOME}/.cache/pdfmod -blacklist ${HOME}/.cache/peek -blacklist ${HOME}/.cache/pip -blacklist ${HOME}/.cache/pipe-viewer -blacklist ${HOME}/.cache/plasmashell -blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* -blacklist ${HOME}/.cache/psi -blacklist ${HOME}/.cache/qBittorrent -blacklist ${HOME}/.cache/qupzilla -blacklist ${HOME}/.cache/qutebrowser -blacklist ${HOME}/.cache/rhythmbox -blacklist ${HOME}/.cache/shotwell -blacklist ${HOME}/.cache/simple-scan -blacklist ${HOME}/.cache/slimjet -blacklist ${HOME}/.cache/smuxi -blacklist ${HOME}/.cache/snox -blacklist ${HOME}/.cache/spotify -blacklist ${HOME}/.cache/strawberry -blacklist ${HOME}/.cache/straw-viewer -blacklist ${HOME}/.cache/supertuxkart -blacklist ${HOME}/.cache/systemsettings -blacklist ${HOME}/.cache/telepathy -blacklist ${HOME}/.cache/thunderbird -blacklist ${HOME}/.cache/torbrowser -blacklist ${HOME}/.cache/transmission -blacklist ${HOME}/.cache/ungoogled-chromium -blacklist ${HOME}/.cache/vivaldi -blacklist ${HOME}/.cache/vivaldi-snapshot -blacklist ${HOME}/.cache/vlc -blacklist ${HOME}/.cache/vmware -blacklist ${HOME}/.cache/warsow-2.1 -blacklist ${HOME}/.cache/waterfox -blacklist ${HOME}/.cache/wesnoth -blacklist ${HOME}/.cache/winetricks -blacklist ${HOME}/.cache/xmms2 -blacklist ${HOME}/.cache/xreader -blacklist ${HOME}/.cache/yandex-browser -blacklist ${HOME}/.cache/yandex-browser-beta -blacklist ${HOME}/.cache/youtube-dl -blacklist ${HOME}/.cache/youtube-viewer
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/disable-shell.inc ^
@@ -13,3 +13,35 @@ blacklist ${PATH}/tclsh blacklist ${PATH}/tcsh blacklist ${PATH}/zsh + +# Note: This list should be kept in sync with the one in ../ids.config. +### shells global ### +# all +blacklist /etc/dircolors +blacklist /etc/environment +blacklist /etc/profile +blacklist /etc/profile.d +blacklist /etc/shells +blacklist /etc/skel +# bash +blacklist /etc/bash +blacklist /etc/bash.bashrc +blacklist /etc/bash_completion* +blacklist /etc/bashrc +# fish +blacklist /etc/fish +# ksh +blacklist /etc/ksh.kshrc +blacklist /etc/suid_profile +# tcsh +blacklist /etc/complete.tcsh +blacklist /etc/csh.cshrc +blacklist /etc/csh.login +blacklist /etc/csh.logout +# zsh +blacklist /etc/zlogin +blacklist /etc/zlogout +blacklist /etc/zprofile +blacklist /etc/zsh +blacklist /etc/zshenv +blacklist /etc/zshrc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-1793-workaround.inc ^
@@ -23,6 +23,7 @@ noblacklist ${HOME}/.config/kioslaverc noblacklist ${HOME}/.config/ksslcablacklist noblacklist ${HOME}/.config/qt5ct +noblacklist ${HOME}/.config/qt6ct noblacklist ${HOME}/.config/qtcurve blacklist ${HOME}/.config/*
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-common.inc ^
@@ -23,6 +23,7 @@ whitelist ${HOME}/.local/share/icons whitelist ${HOME}/.local/share/mime whitelist ${HOME}/.mime.types +whitelist ${HOME}/.sndio/cookie whitelist ${HOME}/.uim.d # dconf @@ -68,6 +69,7 @@ whitelist ${HOME}/.config/kioslaverc whitelist ${HOME}/.config/ksslcablacklist whitelist ${HOME}/.config/qt5ct +whitelist ${HOME}/.config/qt6ct whitelist ${HOME}/.config/qtcurve whitelist ${HOME}/.kde/share/config/kdeglobals whitelist ${HOME}/.kde/share/config/kio_httprc @@ -82,3 +84,8 @@ whitelist ${HOME}/.kde4/share/config/oxygenrc whitelist ${HOME}/.kde4/share/icons whitelist ${HOME}/.local/share/qt5ct +whitelist ${HOME}/.local/share/qt6ct + +# NixOS specific to resolve binary paths in +# user environment +whitelist ${HOME}/.nix-profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-run-common.inc ^
@@ -0,0 +1,18 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include whitelist-run-common.local + +whitelist /run/NetworkManager/resolv.conf +whitelist /run/avahi-daemon/socket +whitelist /run/cups/cups.sock +whitelist /run/dbus/system_bus_socket +whitelist /run/media +whitelist /run/resolvconf/resolv.conf +whitelist /run/netconfig/resolv.conf # openSUSE Leap +whitelist /run/shm +whitelist /run/systemd/journal/dev-log +whitelist /run/systemd/journal/socket +whitelist /run/systemd/resolve/resolv.conf +whitelist /run/systemd/resolve/stub-resolv.conf +whitelist /run/udev/data +whitelist /run/opengl-driver # NixOS
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-runuser-common.inc ^
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/ICEauthority whitelist ${RUNUSER}/.mutter-Xwaylandauth.* whitelist ${RUNUSER}/pulse/native -whitelist ${RUNUSER}/wayland-0 -whitelist ${RUNUSER}/wayland-1 +whitelist ${RUNUSER}/pipewire-? +whitelist ${RUNUSER}/wayland-? whitelist ${RUNUSER}/xauth_* whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/inc/whitelist-usr-share-common.inc ^
@@ -12,6 +12,7 @@ whitelist /usr/share/dconf whitelist /usr/share/distro-info whitelist /usr/share/drirc.d +whitelist /usr/share/egl whitelist /usr/share/enchant whitelist /usr/share/enchant-2 whitelist /usr/share/file @@ -45,6 +46,7 @@ whitelist /usr/share/p11-kit whitelist /usr/share/perl whitelist /usr/share/perl5 +whitelist /usr/share/pipewire whitelist /usr/share/pixmaps whitelist /usr/share/pki whitelist /usr/share/plasma @@ -53,6 +55,8 @@ whitelist /usr/share/qt4 whitelist /usr/share/qt5 whitelist /usr/share/qt5ct +whitelist /usr/share/qt6 +whitelist /usr/share/qt6ct whitelist /usr/share/sounds whitelist /usr/share/tcl8.6 whitelist /usr/share/tcltk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/net/nolocal.net ^
@@ -20,8 +20,8 @@ # allow ping etc. -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT --A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT +-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT # accept dns requests going out to a server on the local network -A OUTPUT -p udp --dport 53 -j ACCEPT
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/net/nolocal6.net ^
@@ -20,8 +20,8 @@ # allow ping etc. -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT --A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT # required for ipv6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/0ad.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -45,7 +44,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -56,3 +54,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/1password.profile ^
@@ -0,0 +1,20 @@ +# Firejail profile for 1password +# Description: 1Password is a password manager developed by AgileBits Inc. +# This file is overwritten after every install/update +# Persistent local customizations +include 1password.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/1Password + +mkdir ${HOME}/.config/1Password +whitelist ${HOME}/.config/1Password + +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl + +# Needed for keychain things, talking to Firefox, possibly other things? Not sure how to narrow down +ignore dbus-user none + +# Redirect +include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/2048-qt.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/2048-qt @@ -37,8 +36,9 @@ novideo protocol unix seccomp -shell none disable-mnt private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Books.profile ^
@@ -1,6 +1,10 @@ # Firejail profile for gnome-books # This file is overwritten after every install/update - +# Persistent local customizations +include Books.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Cryptocat.profile ^
@@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -25,8 +24,9 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Discord.profile ^
@@ -3,15 +3,8 @@ # Persistent local customizations include Discord.local # Persistent global definitions -include globals.local - -noblacklist ${HOME}/.config/discord - -mkdir ${HOME}/.config/discord -whitelist ${HOME}/.config/discord - -private-bin Discord -private-opt Discord +# added by included profile +#include globals.local # Redirect -include discord-common.profile +include discord.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/DiscordCanary.profile ^
@@ -3,15 +3,8 @@ # Persistent local customizations include DiscordCanary.local # Persistent global definitions -include globals.local - -noblacklist ${HOME}/.config/discordcanary - -mkdir ${HOME}/.config/discordcanary -whitelist ${HOME}/.config/discordcanary - -private-bin DiscordCanary -private-opt DiscordCanary +# added by included profile +#include globals.local # Redirect -include discord-common.profile +include discord-canary.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/Fritzing.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,8 +32,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/JDownloader.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,7 +38,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/abiword.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -37,14 +36,15 @@ novideo protocol unix seccomp -shell none tracelog private-bin abiword private-cache private-dev -private-etc fonts,gtk-3.0,passwd +private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd private-tmp # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/agetpkg.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,16 +44,16 @@ novideo protocol inet,inet6 seccomp -shell none tracelog private-bin agetpkg,python3 private-cache private-dev -private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/akonadi_control.profile ^
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/contacts noblacklist ${HOME}/.local/share/local-mail noblacklist ${HOME}/.local/share/notes +noblacklist ${RUNUSER}/akonadi noblacklist /sbin noblacklist /tmp/akonadi-* noblacklist /usr/sbin @@ -25,9 +26,9 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include whitelist-run-common.inc include whitelist-var-common.inc # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. @@ -54,3 +55,4 @@ private-dev # private-tmp - breaks programs that depend on akonadi +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/akregator.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -26,6 +25,7 @@ whitelist ${HOME}/.local/share/kssl whitelist ${HOME}/.local/share/kxmlgui5/akregator include whitelist-common.inc +include whitelist-run-common.inc include whitelist-var-common.inc caps.drop all @@ -42,10 +42,11 @@ protocol unix,inet,inet6,netlink # chroot syscalls are needed for setting up the built-in sandbox seccomp !chroot -shell none disable-mnt private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5 private-dev private-tmp +deterministic-shutdown +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/alacarte.profile ^
@@ -15,7 +15,6 @@ include disable-exec.inc include disable-interpreters.inc include disable-programs.inc -include disable-passwdmgr.inc include disable-xdg.inc # Whitelist your system icon directory,varies by distro @@ -47,14 +46,13 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt # private-bin alacarte,bash,python*,sh private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg private-tmp dbus-user none @@ -64,3 +62,4 @@ read-write ${HOME}/.gnome/apps read-write ${HOME}/.local/share/applications read-write ${HOME}/.local/share/flatpak/exports +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/alienarena.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -30,7 +29,6 @@ netfilter nodvd nogroups -noinput nonewprivs noroot notv @@ -39,7 +37,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -51,3 +48,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/alpine.profile ^
@@ -37,7 +37,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -85,7 +84,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -102,3 +100,4 @@ memory-deny-write-execute read-only ${HOME}/.signature +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/amarok.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,7 +27,6 @@ novideo protocol unix,inet,inet6 # seccomp -shell none # private-bin amarok private-dev @@ -40,9 +38,11 @@ dbus-user.own org.mpris.amarok dbus-user.own org.mpris.MediaPlayer2.amarok dbus-user.talk org.freedesktop.Notifications -dbus-user.talk org.kde.StatusNotifierWatcher +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher # If you're not on kde-plasma add the next lines to your amarok.local. #dbus-user.own org.kde.kded #dbus-user.own org.kde.klauncher #dbus-user.talk org.kde.knotify dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/amule.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.aMule @@ -33,11 +32,12 @@ notv nou2f novideo +# Add netlink protocol to use UPnP protocol unix,inet,inet6 seccomp -shell none private-bin amule private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/android-studio.profile ^
@@ -20,7 +20,6 @@ include allow-ssh.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -35,10 +34,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache # private-tmp # noexec /tmp breaks 'Android Profiler' #noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/anki.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,15 +44,15 @@ protocol unix,inet,inet6 # QtWebengine needs chroot to set up its own sandbox seccomp !chroot -shell none -tracelog disable-mnt private-bin anki,python* private-cache private-dev -private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf +private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf private-tmp dbus-user none dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/anydesk.profile ^
@@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -29,9 +28,10 @@ nou2f protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin anydesk private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/aosp.profile ^
@@ -20,7 +20,6 @@ include allow-ssh.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,6 +38,7 @@ novideo protocol unix,inet,inet6 #seccomp -shell none private-tmp + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/apktool.profile ^
@@ -9,7 +9,6 @@ include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,7 +28,6 @@ novideo protocol unix seccomp -shell none private-bin apktool,basename,bash,dirname,expr,java,sh private-cache @@ -37,3 +35,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/apostrophe.profile ^
@@ -26,7 +26,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -57,7 +56,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -71,3 +69,5 @@ dbus-user.own org.gnome.gitlab.somas.Apostrophe dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/arch-audit.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol inet,inet6 seccomp -shell none disable-mnt private @@ -51,3 +49,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/archaudit-report.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,7 +28,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private @@ -38,3 +36,4 @@ private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/archiver-common.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc @@ -40,7 +39,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -51,3 +49,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ardour5.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,7 +31,6 @@ nou2f protocol unix seccomp -shell none #private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh private-cache @@ -42,3 +40,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/arduino.profile ^
@@ -10,14 +10,10 @@ noblacklist ${HOME}/Arduino noblacklist ${DOCUMENTS} -# Allow java (blacklisted by disable-devel.inc) -include allow-java.inc +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,8 +29,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/aria2c.profile ^
@@ -7,6 +7,7 @@ include globals.local noblacklist ${HOME}/.aria2 +noblacklist ${HOME}/.cache/winetricks # XXX: See #5238 noblacklist ${HOME}/.config/aria2 noblacklist ${HOME}/.netrc @@ -17,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -38,7 +38,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none # disable-mnt # Add your custom event hook commands to 'private-bin' in your aria2c.local. @@ -46,7 +45,7 @@ # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). #private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl private-lib libreadline.so.* private-tmp @@ -54,3 +53,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ark.profile ^
@@ -13,10 +13,10 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/ark +include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -35,7 +35,6 @@ novideo protocol unix seccomp -shell none private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo #private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg @@ -45,3 +44,5 @@ # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/arm.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.arm @@ -38,12 +37,12 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor private-dev -private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/artha.profile ^
@@ -10,14 +10,12 @@ noblacklist ${HOME}/.config/artha.log noblacklist ${HOME}/.config/enchant -blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -50,18 +48,21 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin artha,enchant,notify-send private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-lib libnotify.so.* private-tmp -# dbus-user none -# dbus-system none +dbus-user filter +dbus-user.own org.artha.unique.* +dbus-user.talk org.freedesktop.Notifications +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/assogiate.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -53,3 +51,4 @@ memory-deny-write-execute read-write ${HOME}/.local/share/mime +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/asunder.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev @@ -47,3 +45,4 @@ # mdwe is disabled due to breaking hardware accelerated decoding # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/atom.profile ^
@@ -11,6 +11,8 @@ ignore include disable-interpreters.inc ignore include disable-xdg.inc ignore whitelist ${DOWNLOADS} +ignore whitelist ${HOME}/.config/Electron +ignore whitelist ${HOME}/.config/electron-flag.conf ignore include whitelist-common.inc ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/atool.profile ^
@@ -13,7 +13,7 @@ noroot # without login.defs atool complains and uses UID/GID 1000 by default -private-etc alternatives,group,login.defs,passwd +private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd private-tmp # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/atril.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,12 +37,11 @@ novideo protocol unix seccomp -shell none tracelog private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote private-dev -private-etc alternatives,fonts,ld.so.cache +private-etc alternatives,fonts,ld.so.cache,ld.so.preload # atril uses webkit gtk to display epub files # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit @@ -51,3 +49,4 @@ # webkit gtk killed by memory-deny-write-execute #memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/audacious.profile ^
@@ -14,10 +14,10 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +include whitelist-run-common.inc include whitelist-var-common.inc apparmor @@ -32,7 +32,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog # private-bin audacious @@ -43,3 +42,5 @@ # dbus needed for MPRIS # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/audacity.profile ^
@@ -6,7 +6,16 @@ # Persistent global definitions include globals.local +# Add the below lines to your audacity.local if you need online plugins. +#ignore net none +#netfilter +#protocol inet6 + noblacklist ${HOME}/.audacity-data +noblacklist ${HOME}/.cache/audacity +noblacklist ${HOME}/.config/audacity +noblacklist ${HOME}/.local/share/audacity +noblacklist ${HOME}/.local/state/audacity noblacklist ${DOCUMENTS} noblacklist ${MUSIC} @@ -14,14 +23,16 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc -apparmor +# Silence blacklist violation. See #5539. +allow-debuggers +## Enabling App Armor appears to break some Fedora / Arch installs +#apparmor caps.drop all net none no3d @@ -33,9 +44,8 @@ notv nou2f novideo -protocol unix +protocol unix,inet seccomp -shell none tracelog private-bin audacity @@ -45,3 +55,5 @@ # problems on Fedora 27 # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/audio-recorder.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,7 +38,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -53,3 +51,4 @@ dbus-system none # memory-deny-write-execute - breaks on Arch +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/authenticator-rs.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,16 +40,17 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin authenticator-rs private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg private-tmp dbus-user filter dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/authenticator.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # apparmor @@ -35,12 +34,11 @@ # novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt # private-bin authenticator,python* private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp # makes settings immutable @@ -48,3 +46,4 @@ # dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/autokey-common.profile ^
@@ -19,7 +19,6 @@ # disable-exec.inc might break scripting functionality #include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -33,7 +32,6 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog private-cache @@ -41,3 +39,4 @@ private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux.profile ^
@@ -1,10 +1,12 @@ # Firejail profile for Avidemux # Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks. +# This file is overwritten after every install/update # Persistent local customizations include avidemux.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.avidemux3 noblacklist ${HOME}/.avidemux6 noblacklist ${HOME}/.config/avidemux3_qt5rc noblacklist ${VIDEOS} @@ -13,16 +15,18 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +mkdir ${HOME}/.avidemux3 mkdir ${HOME}/.avidemux6 mkdir ${HOME}/.config/avidemux3_qt5rc +whitelist ${HOME}/.avidemux3 whitelist ${HOME}/.avidemux6 whitelist ${HOME}/.config/avidemux3_qt5rc whitelist ${VIDEOS} + include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -42,7 +46,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5 @@ -52,3 +55,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux3_cli.profile ^
@@ -0,0 +1,11 @@ +# Firejail profile for avidemux3_cli +# Description: The command-line interface for Avidemux. +# This file is overwritten after every install/update +# Persistent local customizations +include avidemux3_cli.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include avidemux.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux3_jobs_qt5.profile ^
@@ -0,0 +1,18 @@ +# Firejail profile for avidemux3_jobs_qt5 +# Description: The Qt5 GUI to run Avidemux jobs. +# This file is overwritten after every install/update +# Persistent local customizations +include avidemux3_jobs_qt5.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Provide a shell to spawn avidemux3_cli +include allow-bin-sh.inc +private-bin sh + +# Needs to bind to a socket on localhost +protocol inet,inet6 + +# Redirect +include avidemux3_qt5.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/avidemux3_qt5.profile ^
@@ -0,0 +1,15 @@ +# Firejail profile for avidemux3_qt5 +# Description: The Qt5 GUI for Avidemux. +# This file is overwritten after every install/update +# Persistent local customizations +include avidemux3_qt5.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Allow translations +whitelist /usr/share/avidemux3 +whitelist /usr/share/avidemux6 + +# Redirect +include avidemux.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/aweather.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -33,9 +32,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin aweather private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/awesome.profile ^
@@ -14,6 +14,7 @@ netfilter noroot protocol unix,inet,inet6 -seccomp +seccomp !chroot read-only ${HOME}/.config/awesome/autorun.sh +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ballbuster.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,7 +38,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -51,3 +49,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/baloo_file.profile ^
@@ -23,9 +23,9 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include whitelist-run-common.inc include whitelist-var-common.inc apparmor @@ -46,10 +46,11 @@ protocol unix # blacklisting of ioprio_set system calls breaks baloo_file seccomp !ioprio_set -shell none # x11 xorg private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4 private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/balsa.profile ^
@@ -7,77 +7,20 @@ include globals.local noblacklist ${HOME}/.balsa -noblacklist ${HOME}/.gnupg -noblacklist ${HOME}/.mozilla -noblacklist ${HOME}/.signature noblacklist ${HOME}/mail -noblacklist /var/mail -noblacklist /var/spool/mail -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc include disable-shell.inc -include disable-xdg.inc mkdir ${HOME}/.balsa -mkdir ${HOME}/.gnupg -mkfile ${HOME}/.signature mkdir ${HOME}/mail whitelist ${HOME}/.balsa -whitelist ${HOME}/.gnupg -whitelist ${HOME}/.mozilla/firefox/profiles.ini -whitelist ${HOME}/.signature whitelist ${HOME}/mail -whitelist ${RUNUSER}/gnupg whitelist /usr/share/balsa -whitelist /usr/share/gnupg -whitelist /usr/share/gnupg2 -whitelist /var/mail -whitelist /var/spool/mail -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - -# disable-mnt -# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg -# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. -private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm -private-cache -private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg -private-tmp -writable-run-user -writable-var -dbus-user filter +# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg. +#private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm + dbus-user.own org.desktop.Balsa -dbus-user.talk ca.desrt.dconf -dbus-user.talk org.freedesktop.Notifications -dbus-user.talk org.freedesktop.secrets -dbus-user.talk org.gnome.keyring.SystemPrompter -dbus-system none -read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file +# Redirect +include email-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/baobab.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc include disable-shell.inc # include disable-xdg.inc @@ -32,7 +31,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-bin baobab @@ -43,3 +41,4 @@ # dbus-system none read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/barrier.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -44,3 +42,4 @@ private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/basilisk.profile ^
@@ -22,5 +22,8 @@ #private-etc basilisk #private-opt basilisk +restrict-namespaces +ignore restrict-namespaces + # Redirect include firefox-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bcompare.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc #include disable-shell.inc - breaks launch @@ -37,7 +36,6 @@ novideo protocol unix seccomp -shell none tracelog private-cache @@ -46,3 +44,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bibletime.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.bibletime @@ -47,14 +46,15 @@ novideo protocol unix,inet,inet6,netlink seccomp !chroot -shell none disable-mnt -# private-bin bibletime,qt5ct +# private-bin bibletime private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf private-tmp dbus-user none dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bijiben.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,14 +44,13 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin bijiben # private-cache -- access to .cache/tracker is required private-dev -private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp dbus-user filter @@ -62,3 +60,4 @@ dbus-system none env WEBKIT_FORCE_SANDBOX=0 +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bitcoin-qt.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -39,7 +38,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin bitcoin-qt @@ -49,3 +47,4 @@ private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bitlbee.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,3 +38,4 @@ private-tmp read-write /var/lib/bitlbee +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bitwarden.profile ^
@@ -23,7 +23,7 @@ nosound ?HAS_APPIMAGE: ignore private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl private-opt Bitwarden # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blackbox.profile ^
@@ -14,5 +14,6 @@ netfilter noroot protocol unix,inet,inet6 -seccomp +seccomp !chroot +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bleachbit.profile ^
@@ -1,6 +1,7 @@ # Firejail profile for bleachbit # Description: Delete unnecessary files from the system # This file is overwritten after every install/update +quiet # Persistent local customizations include bleachbit.local # Persistent global definitions @@ -14,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc caps.drop all @@ -31,7 +31,6 @@ novideo protocol unix seccomp -shell none private-dev # private-tmp @@ -41,3 +40,4 @@ # memory-deny-write-execute breaks some systems, see issue #1850 # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blender.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # Allow usage of AMD GPU by OpenCL @@ -36,6 +35,7 @@ protocol unix,inet,inet6,netlink # numpy, used by many add-ons, requires the mbind syscall seccomp !mbind -shell none private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bless.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -31,13 +30,14 @@ novideo protocol unix seccomp -shell none # private-bin bash,bless,mono,sh private-cache private-dev -private-etc alternatives,fonts,mono +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blobby.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,13 +35,12 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-bin blobby private-dev -private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse +private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse private-lib private-tmp @@ -50,3 +48,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/blobwars.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -20,6 +19,7 @@ mkdir ${HOME}/.parallelrealities/blobwars whitelist ${HOME}/.parallelrealities/blobwars whitelist /usr/share/blobwars +whitelist /usr/share/games/blobwars include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -29,7 +29,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -37,15 +36,16 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt private-bin blobwars private-cache private-dev -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bluefish.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -30,7 +29,6 @@ novideo protocol unix seccomp -shell none tracelog private-bin bluefish @@ -39,3 +37,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bnox.profile ^
@@ -6,7 +6,8 @@ include globals.local # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/brackets.profile ^
@@ -13,7 +13,6 @@ include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -29,7 +28,8 @@ novideo protocol unix,inet,inet6,netlink seccomp !chroot,!ioperm -shell none private-cache private-dev + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/brasero.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -28,10 +27,11 @@ novideo protocol unix seccomp -shell none tracelog # private-bin brasero private-cache # private-dev # private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/brave.profile ^
@@ -13,6 +13,8 @@ # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. # Alternatively you can add 'ignore apparmor' to your brave.local. ignore noexec ${HOME} +# Causes slow starts (#4604) +ignore private-cache noblacklist ${HOME}/.cache/BraveSoftware noblacklist ${HOME}/.config/BraveSoftware
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bsdtar.profile ^
@@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -private-etc alternatives,group,localtime,passwd +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd # Redirect include archiver-common.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/build-systems-common.profile ^
@@ -0,0 +1,67 @@ +# Firejail profile for build-systems-common +# This file is overwritten after every install/update +# Persistent local customizations +include build-systems-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +ignore noexec ${HOME} +ignore noexec /tmp + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allows files commonly used by IDEs +include allow-common-devel.inc + +# Allow ssh (blacklisted by disable-common.inc) +#include allow-ssh.inc + +blacklist ${RUNUSER} + +include disable-common.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-X11.inc +include disable-xdg.inc + +#whitelist ${HOME}/Projects +#include whitelist-common.inc + +whitelist /usr/share/pkgconfig +include whitelist-run-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +machine-id +# net none +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bundle.profile ^
@@ -0,0 +1,23 @@ +# Firejail profile for bundle +# Description: Ruby Dependency Management +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include bundle.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.bundle + +# Allow ruby (blacklisted by disable-interpreters.inc) +include allow-ruby.inc + +#whitelist ${HOME}/.bundle +#whitelist ${HOME}/.gem +#whitelist ${HOME}/.local/share/gem +whitelist /usr/share/gems +whitelist /usr/share/ruby +whitelist /usr/share/rubygems + +# Redirect +include build-systems-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/bzflag.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -46,3 +44,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cachy-browser.profile ^
@@ -0,0 +1,56 @@ +# Firejail profile for Cachy-Browser +# Description: Librewolf fork based on enhanced privacy with gentoo patchset +# This file is overwritten after every install/update +# Persistent local customizations +include cachy-browser.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/cachy +noblacklist ${HOME}/.cachy + +mkdir ${HOME}/.cache/cachy +mkdir ${HOME}/.cachy +whitelist ${HOME}/.cache/cachy +whitelist ${HOME}/.cachy + +# Add the next lines to your cachy-browser.local if you want to use the migration wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + +# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local. +# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them. +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + +whitelist /usr/share/doc +whitelist /usr/share/gtk-doc/html +whitelist /usr/share/mozilla +whitelist /usr/share/webext +include whitelist-usr-share-common.inc + +# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). +#private-bin dbus-launch,dbus-send,cachy-browser,sh +# Add the next line to your cachy-browser.local to enable private-etc. +# NOTE: private-etc must first be enabled in firefox-common.local. +#private-etc cachy-browser + +dbus-user filter +dbus-user.own org.mozilla.cachybrowser.* +# Add the next line to your cachy-browser.local to enable native notifications. +#dbus-user.talk org.freedesktop.Notifications +# Add the next line to your cachy-browser.local to allow inhibiting screensavers. +#dbus-user.talk org.freedesktop.ScreenSaver +# Add the next lines to your cachy-browser.local for plasma browser integration. +#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kuiserver +# Add the next line to your cachy-browser.local to allow screensharing under Wayland. +#dbus-user.talk org.freedesktop.portal.Desktop +# Also add the next line to your cachy-browser.local if screensharing does not work with +# the above lines (depends on the portal implementation). +#ignore noroot +ignore dbus-user none + +# Redirect +include firefox-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/calibre.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,8 @@ novideo protocol unix,inet,inet6,netlink seccomp !chroot -shell none private-dev private-tmp + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/calligra.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -29,7 +28,6 @@ protocol unix seccomp seccomp.block-secondary -shell none private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 private-dev @@ -39,3 +37,4 @@ # noexec ${HOME} noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cameramonitor.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,16 +40,16 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin cameramonitor,python* private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp # dbus-user none # dbus-system none # memory-deny-write-execute - breaks on Arch +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cantata.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -34,8 +33,9 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none -# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg +# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg private-bin cantata,mpd,perl private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cargo.profile ^
@@ -7,67 +7,18 @@ # Persistent global definitions include globals.local -ignore noexec ${HOME} -ignore noexec /tmp - -blacklist /tmp/.X11-unix -blacklist ${RUNUSER} +ignore read-only ${HOME}/.cargo/bin noblacklist ${HOME}/.cargo/credentials noblacklist ${HOME}/.cargo/credentials.toml -# Allows files commonly used by IDEs -include allow-common-devel.inc - -# Allow ssh (blacklisted by disable-common.inc) -#include allow-ssh.inc - -include disable-common.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -#mkdir ${HOME}/.cargo -#whitelist ${HOME}/YOUR_CARGO_PROJECTS #whitelist ${HOME}/.cargo #whitelist ${HOME}/.rustup -#include whitelist-common.inc -whitelist /usr/share/pkgconfig -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -seccomp.block-secondary -shell none -tracelog -disable-mnt #private-bin cargo,rustc -private-cache -private-dev private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl -private-tmp - -dbus-user none -dbus-system none memory-deny-write-execute -read-write ${HOME}/.cargo/bin + +# Redirect +include build-systems-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/catfish.profile ^
@@ -18,7 +18,6 @@ # include disable-common.inc # include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc whitelist /var/lib/mlocate @@ -37,7 +36,6 @@ novideo protocol unix seccomp -shell none tracelog # These options work but are disabled in case @@ -48,3 +46,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cawbird.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -33,15 +32,16 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin cawbird private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg private-tmp # dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/celluloid.profile ^
@@ -23,10 +23,8 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -read-only ${DESKTOP} mkdir ${HOME}/.config/celluloid mkdir ${HOME}/.config/gnome-mpv mkdir ${HOME}/.config/youtube-dl @@ -50,19 +48,20 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog private-bin celluloid,env,gnome-mpv,python*,youtube-dl private-cache -private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg private-dev private-tmp dbus-user filter dbus-user.own io.github.celluloid_player.Celluloid +dbus-user.talk ca.desrt.dconf dbus-user.talk org.gnome.SettingsDaemon.MediaKeys dbus-system none read-only ${HOME} read-write ${HOME}/.config/celluloid +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chafa.profile ^
@@ -0,0 +1,56 @@ +# Firejail profile for chafa +# Description: A terminal-based image viewer and image-to-text converter. +# This file is overwritten after every install/update +# Persistent local customizations +include chafa.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER} +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc + +include whitelist-run-common.inc +include whitelist-runuser-common.inc +# Add the following to your chafa.local if you do not need to view images in +# /usr/share. +#include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +seccomp socket +seccomp.block-secondary +tracelog +x11 none + +private-bin chafa +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +read-only ${HOME} +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chatterino.profile ^
@@ -0,0 +1,92 @@ +# Firejail profile for Chatterino +# Description: Chat client for https://twitch.tv +# This file is overwritten after every install/update +# Persistent local customizations +include chatterino.local +# Persistent global definitions +include globals.local + +# To upload images, whitelist/noblacklist their path in chatterino.local. +#whitelist ${PICTURES} +# For custom notification sounds, whitelist/noblacklist their path in chatterino.local. +#whitelist ${MUSIC} + +# Also allow access to mpv/vlc, they're usable via streamlink. +noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.config/pulse +noblacklist ${HOME}/.config/vlc +noblacklist ${HOME}/.local/share/chatterino +noblacklist ${HOME}/.local/share/vlc + +# Allow Lua for mpv (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-xdg.inc + +# Also allow read-only access to mpv/VLC, they're usable via streamlink. +mkdir ${HOME}/.local/share/chatterino +# VLC preferences will fail to save with read-only set. +whitelist ${HOME}/.local/share/chatterino +whitelist-ro ${HOME}/.config/mpv +whitelist-ro ${HOME}/.config/pulse +whitelist-ro ${HOME}/.config/vlc +whitelist-ro ${HOME}/.local/share/vlc +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +# Streamlink+VLC doesn't seem to close properly with apparmor enabled. +#apparmor +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noprinters +noroot +notv +nou2f +# Netlink is required for streamlink integration. +protocol unix,inet,inet6,netlink +# Seccomp may break browser integration. +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +# Add more private-bin lines for browsers or video players to chatterino.local if wanted. +private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python,qvlc,rvlc,streamlink,svlc,vlc +# private-cache may cause issues with mpv (see #2838) +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11 +private-srv none +private-tmp + +dbus-user filter +dbus-user.own com.chatterino. +# Allow notifications. +dbus-user.talk org.freedesktop.Notifications +# For media player integration. +dbus-user.talk org.freedesktop.ScreenSaver +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.own org.mpris.MediaPlayer2.chatterino +dbus-user.talk org.mpris.MediaPlayer2.Player +dbus-system none + +# Prevents browsers/players from lingering after Chatterino is closed. +#deterministic-shutdown +# memory-deny-write-execute may break streamlink and browser integration. +#memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/checkbashisms.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -42,7 +41,6 @@ novideo protocol unix seccomp -shell none x11 none private-cache @@ -54,3 +52,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cheese.profile ^
@@ -9,18 +9,23 @@ noblacklist ${VIDEOS} noblacklist ${PICTURES} +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist ${VIDEOS} whitelist ${PICTURES} +whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner whitelist /usr/share/gnome-video-effects +whitelist /usr/share/gstreamer-1.0 include whitelist-common.inc +include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -31,21 +36,27 @@ net none nodvd nogroups +noinput nonewprivs noroot +nosound notv nou2f protocol unix seccomp -shell none +seccomp.block-secondary tracelog disable-mnt private-bin cheese private-cache -private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 +private-dev +private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user filter +dbus-user.own org.gnome.Cheese dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cherrytree.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,10 +34,10 @@ novideo protocol unix seccomp -shell none tracelog private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chromium-common-hardened.inc.profile ^
@@ -6,5 +6,6 @@ nonewprivs noroot protocol unix,inet,inet6,netlink -# kcmp is required for ozone-platform=wayland, see #3783. -seccomp !chroot,!kcmp +seccomp !chroot + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chromium-common.profile ^
@@ -9,8 +9,9 @@ # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki +noblacklist /usr/lib/chromium/chrome-sandbox # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser # to have access to Gnome extensions (extensions.gnome.org) via browser connector @@ -20,16 +21,18 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -# include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki whitelist ${DOWNLOADS} -whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki +whitelist ${HOME}/.pki +whitelist /usr/share/mozilla/extensions +whitelist /usr/share/webext include whitelist-common.inc +include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -37,10 +40,6 @@ # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. #include chromium-common-hardened.inc.profile -# Add the next two lines to your chromium-common.local to allow screen sharing under wayland. -#whitelist ${RUNUSER}/pipewire-0 -#whitelist /usr/share/pipewire/client.conf - apparmor caps.keep sys_admin,sys_chroot netfilter @@ -49,13 +48,16 @@ noinput notv ?BROWSER_DISABLE_U2F: nou2f -shell none disable-mnt private-cache ?BROWSER_DISABLE_U2F: private-dev #private-tmp - issues when using multiple browser sessions +blacklist ${PATH}/curl +blacklist ${PATH}/wget +blacklist ${PATH}/wget2 + #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. dbus-system none
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/chromium.profile ^
@@ -16,7 +16,6 @@ whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf whitelist /usr/share/chromium -whitelist /usr/share/mozilla/extensions # private-bin chromium,chromium-browser,chromedriver
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cin.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -28,7 +27,6 @@ # If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local. seccomp -shell none #private-bin cin,ffmpeg private-cache @@ -36,3 +34,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cinelerra-gg.profile ^
@@ -0,0 +1,10 @@ +# Firejail profile alias for cin +# This file is overwritten after every install/update +# Persistent local customizations +include cinelerra-gg.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include cin.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clamav.profile ^
@@ -26,7 +26,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -38,3 +37,4 @@ read-only ${HOME} memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clamtk.profile ^
@@ -22,9 +22,10 @@ novideo protocol unix seccomp -shell none private-dev dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/claws-mail.profile ^
@@ -1,5 +1,5 @@ # Firejail profile for claws-mail -# Description: Fast, lightweight and user-friendly GTK+2 based email client +# Description: Fast, lightweight and user-friendly GTK based email client # This file is overwritten after every install/update # Persistent local customizations include claws-mail.local @@ -20,11 +20,5 @@ # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 -dbus-user filter -dbus-user.talk ca.desrt.dconf -dbus-user.talk org.gnome.keyring.SystemPrompter -# Add the next line to your claws-mail.local if you use the notification plugin. -# dbus-user.talk org.freedesktop.Notifications - # Redirect include email-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clawsker.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.claws-mail @@ -39,13 +38,12 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin bash,clawsker,perl,sh,which private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib girepository-1.,libdbus-glib-1.so.,libetpan.so.,libgirepository-1.,libgtk-3.so.,libgtk-x11-2.0.so.,libstartup-notification-1.so.,perl private-tmp @@ -53,3 +51,4 @@ dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clementine.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,3 +38,5 @@ dbus-system none # dbus-user none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clion-eap.profile ^
@@ -0,0 +1,10 @@ +# Firejail profile for CLion EAP +# This file is overwritten after every install/update +# Persistent local customizations +include clion-eap.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include clion.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clion.profile ^
@@ -5,6 +5,9 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/JetBrains/CLion* +noblacklist ${HOME}/.cache/JetBrains/CLion* +noblacklist ${HOME}/.clion* noblacklist ${HOME}/.CLion* noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig @@ -17,7 +20,6 @@ include allow-ssh.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -32,10 +34,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev # private-tmp noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clipgrab.profile ^
@@ -6,15 +6,18 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/ClipGrab noblacklist ${HOME}/.config/Philipp Schmieder noblacklist ${HOME}/.pki noblacklist ${VIDEOS} +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,7 +39,6 @@ novideo protocol unix,inet,inet6,netlink seccomp !chroot -shell none disable-mnt private-cache @@ -46,3 +48,5 @@ # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. # dbus-user none # dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/clipit.profile ^
@@ -13,8 +13,9 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc +include disable-proc.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/clipit @@ -22,6 +23,8 @@ whitelist ${HOME}/.config/clipit whitelist ${HOME}/.local/share/clipit include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -35,6 +38,7 @@ nogroups noinput nonewprivs +noprinters noroot nosound notv @@ -42,10 +46,18 @@ novideo protocol unix seccomp -shell none +tracelog disable-mnt +private-bin clipit,xdotool private-cache private-dev +private-lib libxdo.so.* private-tmp +dbus-user none +dbus-system none + +#memory-deny-write-execute +read-only ${HOME} +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cmake.profile ^
@@ -0,0 +1,16 @@ +# Firejail profile for cmake +# Description: A cross-platform open-source make system +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include cmake.local +# Persistent global definitions +include globals.local + +whitelist /usr/share/cmake +whitelist /usr/share/cmake-* + +memory-deny-write-execute + +# Redirect +include build-systems-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cmus.profile ^
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -25,7 +24,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin cmus -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/code.profile ^
@@ -5,6 +5,23 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include disable-devel.inc +ignore include disable-exec.inc +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore whitelist ${DOWNLOADS} +ignore whitelist ${HOME}/.config/Electron +ignore whitelist ${HOME}/.config/electron-flag.conf +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore apparmor +ignore disable-mnt +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/Code noblacklist ${HOME}/.config/Code - OSS noblacklist ${HOME}/.vscode @@ -13,31 +30,13 @@ # Allows files commonly used by IDEs include allow-common-devel.inc -include disable-common.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.drop all -netfilter -nodvd -nogroups -noinput -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp -shell none - -private-cache -private-dev -private-tmp # Disabling noexec ${HOME} for now since it will # probably interfere with running some programmes # in VS Code # noexec ${HOME} noexec /tmp + +# Redirect +include electron.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/codium.profile ^
@@ -0,0 +1,10 @@ +# Firejail profile alias for VSCodium +# This file is overwritten after every install/update +# Persistent local customizations +include codium.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include vscodium.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cointop.profile ^
@@ -0,0 +1,63 @@ +# Firejail profile for cointop +# Description: TUI for tracking cryptocurrency stats +# This file is overwritten after every install/update +# Persistent local customizations +include cointop.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/cointop + +blacklist ${RUNUSER} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-X11.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/cointop +whitelist ${HOME}/.config/cointop +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin cointop +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cola.profile ^
@@ -7,4 +7,4 @@ include globals.local # Redirect -include git-cola.profile \ No newline at end of file +include git-cola.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/colorful.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,7 +38,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -51,3 +49,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.bleakgrey.tootle.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,14 +38,13 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin com.github.bleakgrey.tootle private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg private-tmp # Settings are immutable @@ -54,3 +52,5 @@ # dbus-user.own com.github.bleakgrey.tootle # dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.dahenson.agenda.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -46,14 +45,13 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin com.github.dahenson.agenda private-cache private-dev -private-etc dconf,fonts,gtk-3.0 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user filter @@ -65,3 +63,4 @@ read-write ${HOME}/.cache/agenda read-write ${HOME}/.config/agenda read-write ${HOME}/.local/share/agenda +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.johnfactotum.Foliate.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -49,16 +48,16 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin com.github.johnfactotum.Foliate,gjs private-cache private-dev -private-etc dconf,fonts,gconf,gtk-3.0 +private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload private-tmp read-only ${HOME} read-write ${HOME}/.cache/com.github.johnfactotum.Foliate read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.phase1geo.minder.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -46,7 +45,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -60,3 +58,5 @@ dbus-user.own com.github.phase1geo.minder dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/com.github.tchx84.Flatseal.profile ^
@@ -0,0 +1,65 @@ +# Firejail profile for flatseal +# This file is overwritten after every install/update +# Persistent local customizations +include com.github.tchx84.Flatseal.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/flatpak/overrides +noblacklist /var/lib/flatpak/app + +# Allow gjs (blacklisted by disable-interpreters.inc) +include allow-gjs.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/flatpak/overrides +whitelist ${HOME}/.local/share/flatpak/overrides +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin com.github.tchx84.Flatseal,gjs +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload +private-tmp + +dbus-user filter +dbus-user.own com.github.tchx84.Flatseal +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.impl.portal.PermissionStore +dbus-user.talk org.gnome.Software +dbus-system none + +read-write ${HOME}/.local/share/flatpak/overrides +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/conkeror.profile ^
@@ -34,3 +34,5 @@ seccomp disable-mnt + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/conky.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,7 +36,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-cache @@ -45,3 +43,4 @@ private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/corebird.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -31,9 +30,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin corebird private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/cower.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin cower @@ -48,3 +46,4 @@ memory-deny-write-execute read-only ${HOME}/.config/cower/config +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/coyim.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,16 +34,16 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl private-tmp dbus-user none dbus-system none #memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/crawl.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin crawl,crawl-tiles @@ -46,3 +44,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/crow.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,13 +34,13 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt private-bin crow private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt none private-tmp private-srv none +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/curl.profile ^
@@ -18,9 +18,12 @@ blacklist /tmp/.X11-unix blacklist ${RUNUSER} +# If you use nvm, add the below lines to your curl.local +#ignore read-only ${HOME}/.nvm +#noblacklist ${HOME}/.nvm + include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc # Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. #include disable-xdg.inc @@ -45,7 +48,6 @@ novideo protocol inet,inet6 seccomp -shell none tracelog # private-bin curl @@ -56,3 +58,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/d-feet.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,13 +44,13 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin d-feet,python* private-cache private-dev -private-etc alternatives,dbus-1,fonts,machine-id +private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/darktable.profile ^
@@ -10,11 +10,16 @@ noblacklist ${HOME}/.config/darktable noblacklist ${PICTURES} +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,9 +36,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none -#private-bin darktable +#private-bin darktable,exiftool,perl private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dbus-send.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -44,7 +43,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -52,9 +50,10 @@ private-bin dbus-send private-cache private-dev -private-etc alternatives,dbus-1 +private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload private-lib libpcre* private-tmp memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dconf-editor.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,14 +36,13 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin dconf-editor private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0,machine-id +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id private-lib private-tmp @@ -52,3 +50,5 @@ dbus-user.own ca.desrt.dconf-editor dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dconf.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,7 +38,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -47,8 +45,9 @@ private-bin dconf,gsettings private-cache private-dev -private-etc alternatives,dconf +private-etc alternatives,dconf,ld.so.cache,ld.so.preload private-lib private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ddgtk.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,16 +39,16 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none # memory-deny-write-execute - breaks on Arch +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/deadbeef.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,8 +28,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/default.profile ^
@@ -12,7 +12,6 @@ # include disable-devel.inc # include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # include disable-shell.inc # include disable-write-mnt.inc @@ -58,5 +57,7 @@ # dbus-user none # dbus-system none +# deterministic-shutdown # memory-deny-write-execute # read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/deluge.profile ^
@@ -16,7 +16,6 @@ # include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/deluge @@ -37,11 +36,12 @@ notv nou2f novideo -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp -shell none # deluge is using python on Debian private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/desktopeditors.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -34,7 +33,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-bin desktopeditors,sh @@ -44,3 +42,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/devhelp.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,14 +35,13 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin devhelp private-cache private-dev -private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl +private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl private-tmp # makes settings immutable @@ -52,3 +50,4 @@ #memory-deny-write-execute - breaks on Arch (see issue #1803) read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/devilspie.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -41,7 +40,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -49,7 +47,7 @@ private-bin devilspie private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-lib gconv private-tmp @@ -58,3 +56,4 @@ memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dex2jar.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,6 @@ novideo protocol unix seccomp -shell none private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname private-cache @@ -41,3 +39,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dia.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -45,7 +44,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -56,3 +54,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dig.profile ^
@@ -17,7 +17,6 @@ # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -44,7 +43,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -58,3 +56,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/digikam.profile ^
@@ -13,11 +13,13 @@ noblacklist ${HOME}/.local/share/kxmlgui5/digikam noblacklist ${PICTURES} +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,7 +36,6 @@ protocol unix,inet,inet6,netlink # QtWebengine needs chroot to set up its own sandbox seccomp !chroot -shell none # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl @@ -42,3 +43,5 @@ # dbus-user none # dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dillo.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.dillo @@ -36,3 +35,6 @@ private-dev private-tmp + +deterministic-shutdown +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dino.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -33,10 +32,9 @@ noroot notv nou2f -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -45,4 +43,15 @@ # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection private-tmp -dbus-system none +dbus-user filter +# Integration with notification and other desktop environment functionalities +dbus-user.own im.dino.Dino +# dconf integration +dbus-user.talk ca.desrt.dconf +# Notification support +dbus-user.talk org.freedesktop.Notifications +dbus-system filter +# Integration with systemd-logind or elogind +dbus-system.talk org.freedesktop.login1 + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/discord-canary.profile ^
@@ -10,8 +10,8 @@ mkdir ${HOME}/.config/discordcanary whitelist ${HOME}/.config/discordcanary -private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9] -private-opt discord-canary +private-bin discord-canary,DiscordCanary +private-opt discord-canary,DiscordCanary # Redirect include discord-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/discord-common.profile ^
@@ -23,8 +23,8 @@ whitelist ${HOME}/.config/BetterDiscord whitelist ${HOME}/.local/share/betterdiscordctl -private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl +private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl join-or-start discord
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/discord.profile ^
@@ -10,8 +10,8 @@ mkdir ${HOME}/.config/discord whitelist ${HOME}/.config/discord -private-bin discord -private-opt discord +private-bin discord,Discord +private-opt discord,Discord # Redirect include discord-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/display.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,14 +34,16 @@ nou2f protocol unix seccomp -shell none # x11 xorg - problems on kubuntu 17.04 private-bin display,python* private-dev # On Debian-based systems, display is a symlink in /etc/alternatives -private-etc alternatives +private-etc alternatives,ImageMagick-6,ImageMagick-7,ld.so.cache,ld.so.preload +private-lib gcc///libgcc_s.so.,gcc///libgomp.so.,ImageMagick,libfreetype.so.,libltdl.so.,libMagickWand-.so.,libXext.so. private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dnox.profile ^
@@ -6,7 +6,8 @@ include globals.local # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dnscrypt-proxy.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,7 +39,6 @@ novideo protocol inet,inet6 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice -shell none tracelog disable-mnt @@ -53,3 +51,4 @@ # mdwe can break modules/plugins memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dnsmasq.profile ^
@@ -9,17 +9,20 @@ noblacklist /sbin noblacklist /usr/sbin +noblacklist /var/lib/libvirt blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* +blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +whitelist /var/lib/libvirt/dnsmasq +whitelist /var/run + caps.keep net_admin,net_bind_service,net_raw,setgid,setuid no3d nodvd @@ -34,5 +37,8 @@ disable-mnt private -private-cache private-dev +private-tmp +writable-var + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dolphin-emu.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc @@ -49,7 +48,6 @@ novideo protocol unix,inet,inet6,netlink,bluetooth seccomp -shell none tracelog private-bin bash,dolphin-emu,dolphin-emu-x11,sh @@ -62,3 +60,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dooble.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.dooble @@ -33,10 +32,10 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dosbox.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -34,7 +33,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin dosbox @@ -43,3 +41,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dragon.profile ^
@@ -14,12 +14,12 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc whitelist /usr/share/dragonplayer +include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -34,9 +34,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin dragon private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/drawio.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,16 +39,16 @@ novideo protocol unix seccomp !chroot -shell none # tracelog - breaks on Arch private-bin drawio private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none # memory-deny-write-execute - breaks on Arch +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/drill.profile ^
@@ -16,7 +16,6 @@ # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -41,7 +40,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -54,3 +52,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/dropbox.profile ^
@@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.dropbox @@ -42,9 +41,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev private-tmp noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/easystroke.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -46,7 +44,7 @@ #private-bin bash,easystroke,sh private-cache private-dev -private-etc alternatives,fonts,group,passwd +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd # breaks custom shell command functionality #private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.* private-tmp @@ -55,3 +53,4 @@ # dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electron-hardened.inc.profile ^
@@ -0,0 +1,10 @@ +# Firejail profile alias for chrome-common-hardened.inc +# This file is overwritten after every install/update +# Persistent local customizations +include electron-hardened.inc.local +# Persistent global definitions +# added by caller profile +#include globals.local + +# Redirect +include chrome-common-hardened.inc.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electron-mail.profile ^
@@ -1,57 +1,43 @@ -# Firejail profile for electron-mail -# Description: Unofficial desktop app for several E2E encrypted email providers +# Firejail profile for ElectronMail +# Description: Unofficial desktop app for the Proton Mail E2E encrypted email provider # This file is overwritten after every install/update # Persistent local customizations include electron-mail.local # Persistent global definitions include globals.local +ignore dbus-user none +ignore disable-mnt + noblacklist ${HOME}/.config/electron-mail -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc +# sh is needed to allow Firefox to open links +include allow-bin-sh.inc + include disable-shell.inc -include disable-xdg.inc mkdir ${HOME}/.config/electron-mail whitelist ${HOME}/.config/electron-mail -whitelist ${DOWNLOADS} -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp !chroot -shell none -# tracelog - breaks on Arch - -private-bin electron-mail -private-cache -private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg +# The lines below are needed to find the default Firefox profile name, to allow +# opening links in an existing instance of Firefox (note that it still fails if +# there isn't a Firefox instance running with the default profile; see #5352) +noblacklist ${HOME}/.mozilla +whitelist ${HOME}/.mozilla/firefox/profiles.ini +read-only ${HOME}/.mozilla/firefox/profiles.ini + +machine-id +nosound + +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl private-opt ElectronMail -private-tmp -# breaks tray functionality -# dbus-user none -dbus-system none +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring.SystemPrompter +# allow D-Bus communication with firefox for opening links +dbus-user.talk org.mozilla.* -# memory-deny-write-execute - breaks on Arch +# Redirect +include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electron.profile ^
@@ -4,22 +4,26 @@ # Persistent local customizations include electron.local +noblacklist ${HOME}/.config/Electron +noblacklist ${HOME}/.config/electron-flag.conf + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/Electron +whitelist ${HOME}/.config/electron-flag.conf include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc -# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. -#include chromium-common-hardened.inc.profile +# Add the next line to your electron.local if your kernel allows unprivileged userns clone. +#include electron-hardened.inc.profile apparmor caps.keep sys_admin,sys_chroot @@ -30,7 +34,6 @@ notv nou2f novideo -shell none disable-mnt private-cache
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/electrum.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,15 +40,16 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin electrum,python* private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl private-tmp # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/elinks.profile ^
@@ -9,6 +9,9 @@ noblacklist ${HOME}/.elinks +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + mkdir ${HOME}/.elinks whitelist ${HOME}/.elinks
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/emacs.profile ^
@@ -15,7 +15,6 @@ include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -31,3 +30,4 @@ read-write ${HOME}/.emacs read-write ${HOME}/.emacs.d +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/email-common.profile ^
@@ -1,5 +1,5 @@ # Firejail profile for email-common -# Description: Common profile for claws-mail and sylpheed email clients +# Description: Common profile for GUI mail clients # This file is overwritten after every install/update # Persistent local customizations include email-common.local @@ -7,12 +7,15 @@ # added by caller profile #include globals.local +noblacklist ${HOME}/.bogofilter noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.mozilla noblacklist ${HOME}/.signature # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local -# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications +# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications noblacklist ${HOME}/Mail +noblacklist /var/mail +noblacklist /var/spool/mail noblacklist ${DOCUMENTS} @@ -20,7 +23,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,6 +40,8 @@ whitelist ${RUNUSER}/gnupg whitelist /usr/share/gnupg whitelist /usr/share/gnupg2 +whitelist /var/mail +whitelist /var/spool/mail include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -60,25 +64,26 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog # disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,timezone,xdg private-tmp # encrypting and signing email writable-run-user +writable-var +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring.* +dbus-user.talk org.gnome.seahorse.* +dbus-user.talk org.mozilla.* dbus-system none -# If you want to read local mail stored in /var/mail, add the following to email-common.local: -#noblacklist /var/mail -#noblacklist /var/spool/mail -#whitelist /var/mail -#whitelist /var/spool/mail -#writable-var - read-only ${HOME}/.mozilla/firefox/profiles.ini read-only ${HOME}/.signature +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/empathy.profile ^
@@ -24,3 +24,5 @@ private-cache private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/enchant.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -42,14 +41,13 @@ novideo protocol unix seccomp -shell none tracelog x11 none private-bin enchant,enchant-* private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-tmp @@ -57,3 +55,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/engrampa.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -30,7 +29,6 @@ novideo protocol unix seccomp -shell none tracelog # private-bin engrampa @@ -40,3 +38,5 @@ dbus-user filter dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/enox.profile ^
@@ -6,7 +6,8 @@ include globals.local # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/enpass.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -51,7 +50,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-bin dirname,Enpass,importer_enpass,readlink,sh @@ -61,3 +59,4 @@ private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/eo-common.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc @@ -43,11 +42,12 @@ protocol unix,netlink seccomp seccomp.block-secondary -shell none tracelog private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-lib eog,eom,gdk-pixbuf-2.,gio,girepository-1.,gvfs,libgconf-2.so.* private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/eog.profile ^
@@ -18,7 +18,7 @@ private-bin eog -# broken on Debian 10 (buster) running LXDE got the folowing error: +# broken on Debian 10 (buster) running LXDE got the following error: # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown #dbus-user filter #dbus-user.own org.gnome.eog
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ephemeral.profile ^
@@ -9,8 +9,8 @@ # enforce private-cache #noblacklist ${HOME}/.cache/ephemeral -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} @@ -23,12 +23,12 @@ # enforce private-cache #mkdir ${HOME}/.cache/ephemeral -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki # enforce private-cache #whitelist ${HOME}/.cache/ephemeral -whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki +whitelist ${HOME}/.pki whitelist ${DOWNLOADS} include whitelist-common.inc include whitelist-usr-share-common.inc @@ -49,7 +49,6 @@ ?BROWSER_DISABLE_U2F: nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -62,3 +61,5 @@ # breaks preferences # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/epiphany.profile ^
@@ -34,3 +34,5 @@ notv protocol unix,inet,inet6 seccomp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/equalx.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -48,17 +47,17 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin equalx,gs,pdflatex,pdftocairo private-cache private-dev -private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf +private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/etr.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,7 +42,6 @@ protocol unix,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -55,3 +53,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/evince.profile ^
@@ -6,20 +6,20 @@ # Persistent global definitions include globals.local -# WARNING: using bookmarks possibly exposes information, including file history from other programs. -# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below). -#noblacklist ${HOME}/.local/share/gvfs-metadata +# WARNING: This exposes information like file history from other programs. +# You can add a blacklist for it in your evince.local for additional hardening if you can live with some restrictions. +noblacklist ${HOME}/.local/share/gvfs-metadata noblacklist ${HOME}/.config/evince noblacklist ${DOCUMENTS} blacklist /usr/libexec +include allow-bin-sh.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -49,20 +49,20 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog -private-bin evince,evince-previewer,evince-thumbnailer +private-bin evince,evince-previewer,evince-thumbnailer,sh private-cache private-dev -private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd # private-lib might break two-page-view on some systems -private-lib evince,gcc///libgcc_s.so.,gcc///libstdc++.so.,gconv,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libdjvulibre.so.,libgconf-2.so.,libgraphite2.so.,libpoppler-glib.so.,librsvg-2.so.,libspectre.so.* +private-lib evince,gcc///libgcc_s.so.,gcc///libstdc++.so.,gconv,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libarchive.so.,libdjvulibre.so.,libgconf-2.so.,libgraphite2.so.,libpoppler-glib.so.,librsvg-2.so.,libspectre.so. private-tmp -# dbus-user filtering might break two-page-view on some systems dbus-user filter -# Add the next two lines to your evince.local if you need bookmarks support. -#dbus-user.talk org.gtk.vfs.Daemon -#dbus-user.talk org.gtk.vfs.Metadata +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gtk.vfs.Daemon +dbus-user.talk org.gtk.vfs.Metadata dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/evolution.profile ^
@@ -20,7 +20,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -40,8 +39,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev private-tmp writable-var + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/exiftool.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/perl-image-exiftool @@ -39,7 +38,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -49,10 +47,11 @@ #private-bin exiftool,perl private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/falkon.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ whitelist ${HOME}/.config/falkon whitelist /usr/share/falkon include whitelist-common.inc +include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -47,9 +47,11 @@ # private-bin falkon private-cache private-dev -private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-tmp # dbus-user filter # dbus-user.own org.kde.Falkon dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fbreader.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -33,8 +32,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin fbreader,FBReader private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fdns.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -43,8 +42,9 @@ private-bin bash,fdns,sh private-cache #private-dev -private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl # private-lib private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/feedreader.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -42,7 +41,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -58,3 +56,5 @@ #dbus-user.talk org.freedesktop.Notifications #dbus-user.talk org.gnome.OnlineAccounts dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/feh-network.inc.profile ^
@@ -5,4 +5,4 @@ ignore net none netfilter protocol unix,inet,inet6 -private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/feh.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -32,13 +31,14 @@ novideo protocol unix seccomp -shell none private-bin feh,jpegexiforient,jpegtran private-cache private-dev -private-etc alternatives,feh +private-etc alternatives,feh,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ferdi.profile ^
@@ -9,8 +9,8 @@ noblacklist ${HOME}/.cache/Ferdi noblacklist ${HOME}/.config/Ferdi -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki include disable-common.inc include disable-devel.inc @@ -20,13 +20,13 @@ mkdir ${HOME}/.cache/Ferdi mkdir ${HOME}/.config/Ferdi -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/Ferdi whitelist ${HOME}/.config/Ferdi -whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki +whitelist ${HOME}/.pki include whitelist-common.inc caps.drop all @@ -40,8 +40,9 @@ nou2f protocol unix,inet,inet6,netlink seccomp !chroot -shell none disable-mnt private-dev private-tmp + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fetchmail.profile ^
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -29,7 +28,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none #private-bin bash,chmod,fetchmail,procmail private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ffmpeg.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,7 +42,6 @@ # allow set_mempolicy, which is required to encode using libx265 seccomp !set_mempolicy seccomp.block-secondary -shell none tracelog private-bin ffmpeg @@ -56,3 +54,4 @@ dbus-system none # memory-deny-write-execute - it breaks old versions of ffmpeg +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ffplay.profile ^
@@ -14,7 +14,7 @@ ignore nosound private-bin ffplay -private-etc alsa,asound.conf,group +private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload # Redirect include ffmpeg.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/file-manager-common.profile ^
@@ -26,7 +26,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc #include disable-programs.inc allusers @@ -44,10 +43,11 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-dev #dbus-user none #dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/file-roller.profile ^
@@ -10,10 +10,10 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/libexec/file-roller +whitelist /usr/libexec/p7zip whitelist /usr/share/file-roller include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -37,13 +37,14 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd private-cache private-dev -private-etc dconf,fonts,gtk-3.0,xdg +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg # private-tmp dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/file.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -31,7 +30,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -46,3 +44,4 @@ memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/filezilla.profile ^
@@ -36,9 +36,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none # private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/firefox-common-addons.profile ^
@@ -2,7 +2,13 @@ # Persistent customizations should go in a .local file. include firefox-common-addons.local +# Prevent whitelisting in ${RUNUSER} +ignore whitelist ${RUNUSER}/firefox +ignore whitelist ${RUNUSER}/psd/firefox +ignore whitelist ${RUNUSER}/kpxc_server +ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer ignore include whitelist-runuser-common.inc + ignore private-cache noblacklist ${HOME}/.cache/youtube-dl
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/firefox-common.profile ^
@@ -8,29 +8,35 @@ # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} +# noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon. +?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER} # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. #include firefox-common-addons.profile -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc +include disable-proc.inc include disable-programs.inc -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki whitelist ${DOWNLOADS} -whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki +whitelist ${HOME}/.pki include whitelist-common.inc +include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor +# Fixme! +apparmor-replace caps.drop all # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. #machine-id @@ -46,7 +52,6 @@ protocol unix,inet,inet6,netlink # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. seccomp !chroot -shell none # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. #tracelog @@ -57,7 +62,13 @@ #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp +blacklist ${PATH}/curl +blacklist ${PATH}/wget +blacklist ${PATH}/wget2 + # 'dbus-user none' breaks various desktop integration features like global menus, native notifications, # Gnome connector, KDE connect and power management on KDE Plasma. dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/firefox.profile ^
@@ -16,6 +16,8 @@ noblacklist ${HOME}/.cache/mozilla noblacklist ${HOME}/.mozilla +noblacklist ${RUNUSER}/firefox +noblacklist ${RUNUSER}/psd/firefox blacklist /usr/libexec @@ -35,6 +37,8 @@ whitelist /usr/share/gtk-doc/html whitelist /usr/share/mozilla whitelist /usr/share/webext +whitelist ${RUNUSER}/firefox +whitelist ${RUNUSER}/psd/firefox include whitelist-usr-share-common.inc # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. @@ -45,8 +49,7 @@ #private-etc firefox dbus-user filter -dbus-user.own org.mozilla.Firefox.* -dbus-user.own org.mozilla.firefox.* +dbus-user.own org.mozilla.* dbus-user.own org.mpris.MediaPlayer2.firefox.* # Add the next line to your firefox.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications @@ -56,10 +59,8 @@ #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kuiserver -# Add the next three lines to your firefox.local to allow screen sharing under wayland. -#whitelist ${RUNUSER}/pipewire-0 -#whitelist /usr/share/pipewire/client.conf -#dbus-user.talk org.freedesktop.portal.* +# Add the next line to your firefox.local to allow screen sharing under wayland. +#dbus-user.talk org.freedesktop.portal.Desktop # Add the next line to your firefox.local if screen sharing sharing still does not work # with the above lines (might depend on the portal implementation). #ignore noroot
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/flameshot.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -47,13 +46,12 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin flameshot private-cache -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl private-dev #private-tmp @@ -64,6 +62,8 @@ dbus-user.talk org.freedesktop.portal.Desktop dbus-user.talk org.gnome.Shell dbus-user.talk org.kde.KWin -dbus-user.talk org.kde.StatusNotifierWatcher -dbus-user.own org.kde.* +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +?ALLOW_TRAY: dbus-user.own org.kde.* dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/flashpeak-slimjet.profile ^
@@ -6,7 +6,8 @@ include globals.local # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/flowblade.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -31,9 +30,9 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fluxbox.profile ^
@@ -14,5 +14,6 @@ netfilter noroot protocol unix,inet,inet6 -seccomp +seccomp !chroot +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/font-manager.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -47,7 +46,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -56,3 +54,4 @@ private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fontforge.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,9 +33,9 @@ novideo protocol unix seccomp -shell none private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/fractal.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,7 +40,6 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -57,3 +55,5 @@ dbus-user.talk org.freedesktop.Notifications dbus-user.talk org.freedesktop.secrets dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/franz.profile ^
@@ -9,8 +9,8 @@ noblacklist ${HOME}/.cache/Franz noblacklist ${HOME}/.config/Franz -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki include disable-common.inc include disable-devel.inc @@ -20,13 +20,13 @@ mkdir ${HOME}/.cache/Franz mkdir ${HOME}/.config/Franz -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/Franz whitelist ${HOME}/.config/Franz -whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki +whitelist ${HOME}/.pki include whitelist-common.inc caps.drop all @@ -40,8 +40,9 @@ nou2f protocol unix,inet,inet6,netlink seccomp !chroot -shell none disable-mnt private-dev private-tmp + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freecad.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none private-bin freecad,freecadcmd,python* private-cache @@ -44,3 +42,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freeciv.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -46,3 +44,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freecol.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -47,7 +46,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -57,3 +55,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freemind.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -52,3 +50,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freetube.profile ^
@@ -6,15 +6,23 @@ # Persistent global definitions include globals.local +ignore dbus-user none + noblacklist ${HOME}/.config/FreeTube +include allow-bin-sh.inc + include disable-shell.inc mkdir ${HOME}/.config/FreeTube whitelist ${HOME}/.config/FreeTube -private-bin freetube -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg +private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg + +dbus-user filter +dbus-user.own org.mpris.MediaPlayer2.chromium.* +dbus-user.own org.mpris.MediaPlayer2.freetube # Redirect include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/freshclam.profile ^
@@ -22,7 +22,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -34,3 +33,4 @@ writable-var-log memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/frogatto.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,15 +38,16 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin frogatto,sh private-cache private-dev -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/frozen-bubble.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,7 +30,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -39,7 +37,6 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt @@ -49,3 +46,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ftp.profile ^
@@ -0,0 +1,54 @@ +# Firejail profile for ftp +# Description: standard File Access Protocol utility +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ftp.local +# Persistent global definitions +include globals.local + +noblacklist ${PATH}/ftp + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +#include disable-shell.inc +include disable-write-mnt.inc +include disable-X11.inc +include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +tracelog + +#disable-mnt +#private-bin PROGRAMS +private-cache +private-dev +#private-etc FILES +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +noexec ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/funnyboat.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # include disable-shell.inc include disable-xdg.inc @@ -36,14 +35,12 @@ netfilter nodvd nogroups -noinput nonewprivs noroot notv novideo protocol unix,inet,inet6 seccomp -shell none # tracelog disable-mnt @@ -55,3 +52,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gajim.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads. include disable-xdg.inc @@ -53,14 +52,13 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp writable-run-user @@ -77,4 +75,5 @@ # Add the next line to your gajim.local to enable location plugin support. #dbus-system.talk org.freedesktop.GeoClue2 +restrict-namespaces join-or-start gajim
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/galculator.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,13 +37,12 @@ novideo protocol unix seccomp -shell none tracelog private-bin galculator private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib private-tmp @@ -52,3 +50,4 @@ dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gallery-dl.profile ^
@@ -0,0 +1,18 @@ +# Firejail profile for gallery-dl +# Description: Downloader of images from various sites +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gallery-dl.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.config/gallery-dl +noblacklist ${HOME}/.gallery-dl.conf + +private-bin gallery-dl +private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload + +# Redirect +include youtube-dl.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gapplication.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,7 +40,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog x11 none @@ -50,7 +48,7 @@ private-bin gapplication private-cache private-dev -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp # Add the next line to your gapplication.local to filter D-Bus names. @@ -72,3 +70,4 @@ memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gcloud.profile ^
@@ -31,13 +31,14 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-dev -private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gconf-editor.profile ^
@@ -13,5 +13,7 @@ ignore x11 none +ignore memory-deny-write-execute + # Redirect include gconf.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gconf.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -47,7 +46,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -55,8 +53,9 @@ private-bin gconf-editor,gconf-merge-,gconfpkg,gconftool-2,gsettings--convert,python2* private-cache private-dev -private-etc alternatives,fonts,gconf +private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload private-lib GConf,libpython,python2 private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gdu.profile ^
@@ -0,0 +1,47 @@ +# Firejail profile for gdu +# Description: Fast disk usage analyzer with console interface +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gdu.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER}/wayland-* + +include disable-exec.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +# block the socket syscall to simulate an be empty protocol line, see #639 +seccomp socket +seccomp.block-secondary +x11 none + +private-dev + +dbus-user none +dbus-system none + +memory-deny-write-execute +restrict-namespaces + +# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features. +# Depending on workflow and use case the sandbox can be hardened by adding the +# lines below to your gdu.local if you don't need/want these functionalities. +#include disable-shell.inc +#private-bin gdu +#read-only ${HOME}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geany.profile ^
@@ -12,7 +12,6 @@ include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -29,8 +28,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geary.profile ^
@@ -13,13 +13,16 @@ noblacklist ${HOME}/.config/geary noblacklist ${HOME}/.local/share/evolution noblacklist ${HOME}/.local/share/geary +noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.mozilla +noblacklist ${HOME}/.pki + +include allow-bin-sh.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,7 +42,9 @@ whitelist ${HOME}/.config/geary whitelist ${HOME}/.local/share/evolution whitelist ${HOME}/.local/share/geary +whitelist ${HOME}/.local/share/pki whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${HOME}/.pki whitelist /usr/share/geary include whitelist-common.inc include whitelist-runuser-common.inc @@ -48,7 +53,8 @@ apparmor caps.drop all -machine-id +#ipc-namespace - may cause issues with X11 +#machine-id netfilter no3d nodvd @@ -56,32 +62,34 @@ noinput nonewprivs noroot -nosound +#nosound notv nou2f novideo protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog # disable-mnt -# Add 'ignore private-bin' to geary.local for hyperlink support -private-bin geary +#private-bin geary,sh private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mailcap,mime.types,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg private-tmp dbus-user filter dbus-user.own org.gnome.Geary dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications dbus-user.talk org.freedesktop.secrets dbus-user.talk org.gnome.Contacts dbus-user.talk org.gnome.OnlineAccounts dbus-user.talk org.gnome.evolution.dataserver.AddressBook10 dbus-user.talk org.gnome.evolution.dataserver.Sources5 +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.talk org.mozilla.* dbus-system none read-only ${HOME}/.mozilla/firefox/profiles.ini +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gedit.profile ^
@@ -16,7 +16,6 @@ # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -39,7 +38,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog # private-bin gedit @@ -51,3 +49,5 @@ # makes settings immutable # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geekbench.profile ^
@@ -6,14 +6,19 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.geekbench5 +noblacklist /sbin +noblacklist /usr/sbin + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.geekbench5 +whitelist ${HOME}/.geekbench5 include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -36,20 +41,18 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt -private-bin bash,geekbenc,sh +#private-bin bash,geekbench,sh -- #4576 private-cache private-dev -private-etc alternatives,group,lsb-release,passwd -private-lib gcc///libstdc++.so.* -private-opt none +private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd private-tmp dbus-user none dbus-system none -#memory-deny-write-execute - breaks on Arch (see issue #1803) read-only ${HOME} +read-write ${HOME}/.geekbench5 +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/geeqie.profile ^
@@ -10,10 +10,12 @@ noblacklist ${HOME}/.config/geeqie noblacklist ${HOME}/.local/share/geeqie +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -26,9 +28,11 @@ notv nou2f novideo -protocol unix +# remove inet,inet6 to disable network access +protocol unix,inet,inet6 seccomp -shell none # private-bin geeqie private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gfeeds.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -55,7 +54,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -69,3 +67,5 @@ dbus-user.own org.gabmus.gfeeds dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gget.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,14 +42,13 @@ protocol inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin gget private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-lib private-tmp @@ -58,3 +56,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ghostwriter.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -46,7 +45,6 @@ protocol unix,inet,inet6,netlink seccomp !chroot seccomp.block-secondary -shell none #tracelog -- breaks private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf @@ -58,3 +56,5 @@ dbus-user filter dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gimp.profile ^
@@ -13,7 +13,6 @@ #ignore net #protocol unix,inet,inet6 - # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. ignore noexec ${HOME} @@ -26,10 +25,13 @@ noblacklist ${DOCUMENTS} noblacklist ${PICTURES} +# See issue #4367, gimp 2.10.22-3: gegl:introspect broken +noblacklist /sbin +noblacklist /usr/sbin + include disable-common.inc include disable-exec.inc include disable-devel.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,6 +39,7 @@ whitelist /usr/share/gimp whitelist /usr/share/mypaint-data whitelist /usr/share/lensfun +include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -53,7 +56,6 @@ nou2f protocol unix seccomp !mbind -shell none tracelog private-dev @@ -61,3 +63,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gist.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -47,16 +46,16 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/git-cola.profile ^
@@ -28,7 +28,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -63,7 +62,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog # Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local. @@ -71,7 +69,7 @@ private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg private-tmp writable-run-user @@ -86,3 +84,5 @@ # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. read-only ${HOME}/.ssh + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/git.profile ^
@@ -12,12 +12,19 @@ noblacklist ${HOME}/.emacs noblacklist ${HOME}/.emacs.d noblacklist ${HOME}/.gitconfig +noblacklist ${HOME}/.git-credential-cache noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.nanorc noblacklist ${HOME}/.vim noblacklist ${HOME}/.viminfo +# Allow environment variables (rmenv'ed by disable-common.inc) +ignore rmenv GH_TOKEN +ignore rmenv GITHUB_TOKEN +ignore rmenv GH_ENTERPRISE_TOKEN +ignore rmenv GITHUB_ENTERPRISE_TOKEN + # Allow ssh (blacklisted by disable-common.inc) include allow-ssh.inc @@ -26,7 +33,6 @@ include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/git @@ -54,9 +60,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gitg.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc #whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY @@ -49,7 +48,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog private-bin git,gitg,ssh @@ -63,3 +61,5 @@ # Add the next line to your gitg.local if you need keyring access. #dbus-user.talk org.freedesktop.secrets dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/github-desktop.profile ^
@@ -14,6 +14,8 @@ # Disabled until someone reported positive feedback ignore include disable-xdg.inc ignore whitelist ${DOWNLOADS} +ignore whitelist ${HOME}/.config/Electron +ignore whitelist ${HOME}/.config/electron-flag.conf ignore include whitelist-common.inc ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gitter.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Gitter @@ -34,12 +33,12 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt private-bin bash,env,gitter -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl private-opt Gitter private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gjs.profile ^
@@ -19,7 +19,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -37,10 +36,11 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog # private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather private-dev # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gl-117.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -30,7 +29,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -39,7 +37,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -51,3 +48,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/glaxium.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -30,7 +29,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -39,7 +37,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -51,3 +48,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/globaltime.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,10 +28,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gmpc.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,13 +38,12 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt #private-bin gmpc private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp writable-run-user @@ -53,3 +51,4 @@ # dbus-system none # memory-deny-write-execute - breaks on Arch +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-books.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,10 +37,10 @@ novideo protocol unix seccomp -shell none tracelog # private-bin gjs,gnome-books private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-builder.profile ^
@@ -16,7 +16,6 @@ include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -34,8 +33,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev read-write ${HOME}/.bash_history +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-calculator.profile ^
@@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc include disable-shell.inc @@ -40,7 +39,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -54,3 +52,5 @@ dbus-user.own org.gnome.Calculator dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-calendar.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -46,7 +44,7 @@ private-bin gnome-calendar private-cache private-dev -private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user filter @@ -62,3 +60,4 @@ #dbus-system.talk org.freedesktop.GeoClue2 read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-characters.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,7 +40,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -58,3 +56,4 @@ # dbus-system none read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-chess.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -44,12 +43,13 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin fairymax,gnome-chess,gnuchess,hoichess private-cache private-dev -private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 +private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-clocks.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,13 +35,13 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin gnome-clocks,gsound-play private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-contacts.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,3 +38,4 @@ private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-documents.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,10 +35,10 @@ novideo protocol unix seccomp -shell none tracelog private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-font-viewer.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,3 +35,4 @@ private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-hexgl.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,7 +34,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -43,7 +41,7 @@ private-bin gnome-hexgl private-cache private-dev -private-etc alsa,asound.conf,machine-id,pulse +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user none @@ -51,3 +49,4 @@ read-only ${HOME} read-write ${HOME}/.cache/mesa_shader_cache +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-keyring.profile ^
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc @@ -47,7 +46,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -61,3 +59,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-latex.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/gnome-latex @@ -43,12 +42,13 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-cache private-dev # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed -private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive +private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-logs.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -34,14 +33,13 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin gnome-logs private-cache private-dev -private-etc alternatives,fonts,localtime,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.* private-tmp writable-var-log @@ -53,3 +51,4 @@ # Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}. read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-maps.profile ^
@@ -24,7 +24,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -58,7 +57,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -75,3 +73,5 @@ dbus-system filter #dbus-system.talk org.freedesktop.NetworkManager dbus-system.talk org.freedesktop.GeoClue2 + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-mplayer.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,10 +25,10 @@ nou2f protocol unix,inet,inet6 seccomp -shell none # private-bin gnome-mplayer,mplayer private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-music.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,12 +36,12 @@ novideo protocol unix seccomp -shell none tracelog # private-bin calls a file manager - whatever is installed! #private-bin env,gio-launch-desktop,gnome-music,python*,yelp private-dev -private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg +private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-nettool.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -47,3 +46,5 @@ dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-passwordsafe.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -47,17 +46,18 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin gnome-passwordsafe,python3* private-cache private-dev -private-etc dconf,fonts,gtk-3.0,passwd +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd private-tmp dbus-user filter dbus-user.own org.gnome.PasswordSafe dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-photos.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -35,10 +34,10 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog # private-bin gjs,gnome-photos private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-pie.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc #include disable-interpreters.inc -include disable-passwdmgr.inc #include disable-programs.inc caps.drop all @@ -30,13 +29,13 @@ novideo protocol unix seccomp -shell none disable-mnt private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.* private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-pomodoro.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,14 +37,13 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin gnome-pomodoro private-cache private-dev -private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id private-tmp dbus-user filter @@ -58,3 +56,4 @@ read-only ${HOME} read-write ${HOME}/.local/share/gnome-pomodoro +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-recipes.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -43,12 +42,12 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin gnome-recipes,tar private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.,libgnutls.so.,libjpeg.so.,libp11-kit.so.,libproxy.so.,librsvg-2.so. private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-ring.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -26,9 +25,9 @@ notv protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt # private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-schedule.profile ^
@@ -29,7 +29,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -56,11 +55,9 @@ notv nou2f novideo -shell none tracelog disable-mnt private-cache private-dev writable-var -
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-screenshot.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,16 +36,17 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin gnome-screenshot private-dev -private-etc dconf,fonts,gtk-3.0,localtime,machine-id +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id private-tmp dbus-user filter dbus-user.own org.gnome.Screenshot dbus-user.talk org.gnome.Shell.Screenshot dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-sound-recorder.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,11 +34,12 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-cache private-dev -private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-system-log.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,13 +37,12 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin gnome-system-log private-cache private-dev -private-etc alternatives,fonts,localtime,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id private-lib private-tmp writable-var-log @@ -55,3 +53,4 @@ memory-deny-write-execute # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}. read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-todo.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,7 +38,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -47,7 +45,7 @@ private-bin gnome-todo private-cache private-dev -private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg private-tmp dbus-user filter @@ -63,3 +61,4 @@ #dbus-system.talk org.freedesktop.login1 read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-twitch.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/gnome-twitch @@ -33,9 +32,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome-weather.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,7 +38,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -48,3 +46,4 @@ # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnome_games-common.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,15 +35,16 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-cache private-dev -private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11 +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11 private-tmp dbus-user filter dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnote.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -22,6 +21,7 @@ mkdir ${HOME}/.local/share/gnote whitelist ${HOME}/.config/gnote whitelist ${HOME}/.local/share/gnote +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/gnote include whitelist-common.inc include whitelist-runuser-common.inc @@ -44,17 +44,18 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin gnote private-cache private-dev -private-etc dconf,fonts,gtk-3.0,pango,X11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11 private-tmp dbus-user filter dbus-user.own org.gnome.Gnote dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gnubik.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -44,8 +42,10 @@ private-bin gnubik private-cache private-dev -private-etc drirc,fonts,gtk-2.0 +private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/godot.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,15 +31,16 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog # private-bin godot private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/godot3.profile ^
@@ -0,0 +1,11 @@ +# Firejail profile for godot +# Description: multi-platform 2D and 3D game engine with a feature-rich editor +# This file is overwritten after every install/update +# Persistent local customizations +include godot3.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include godot.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/goldendict.profile ^
@@ -0,0 +1,59 @@ +# Firejail profile for goldendict +# This file is overwritten after every install/update +# Persistent local customizations +include goldendict.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.goldendict +noblacklist ${HOME}/.cache/GoldenDict + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.goldendict +mkdir ${HOME}/.cache/GoldenDict +whitelist ${HOME}/.goldendict +whitelist ${HOME}/.cache/GoldenDict +whitelist /usr/share/goldendict +# The default path of dictionaries +whitelist /usr/share/stardict/dic +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +# no3d leads to the libGL MESA-LOADER errors +#no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin goldendict +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/goobox.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,10 +26,11 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog # private-bin goobox private-dev # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl # private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-chrome-beta.profile ^
@@ -5,11 +5,6 @@ # Persistent global definitions include globals.local -# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium -ignore include whitelist-runuser-common.inc -ignore include whitelist-usr-share-common.inc - noblacklist ${HOME}/.cache/google-chrome-beta noblacklist ${HOME}/.config/google-chrome-beta
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-chrome-unstable.profile ^
@@ -5,11 +5,6 @@ # Persistent global definitions include globals.local -# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium -ignore include whitelist-runuser-common.inc -ignore include whitelist-usr-share-common.inc - noblacklist ${HOME}/.cache/google-chrome-unstable noblacklist ${HOME}/.config/google-chrome-unstable
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-chrome.profile ^
@@ -5,11 +5,6 @@ # Persistent global definitions include globals.local -# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium -ignore include whitelist-runuser-common.inc -ignore include whitelist-usr-share-common.inc - noblacklist ${HOME}/.cache/google-chrome noblacklist ${HOME}/.config/google-chrome
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-earth.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Google @@ -34,10 +33,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin bash,dirname,google-earth,grep,ls,sed,sh private-dev private-opt google +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/google-play-music-desktop-player.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Google Play Music Desktop Player @@ -36,8 +35,9 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/googler-common.profile ^
@@ -21,7 +21,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -48,15 +47,16 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin env,python3*,sh,w3m private-cache private-dev -private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpa.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -27,8 +26,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog # private-bin gpa,gpg private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpg-agent.profile ^
@@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -45,9 +44,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog -# private-bin gpg-agent,gpg +# private-bin gpg-agent private-cache private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpg.profile ^
@@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist ${RUNUSER}/gnupg @@ -41,10 +40,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog -# private-bin gpg,gpg-agent +# private-bin gpg private-cache private-dev @@ -53,3 +51,4 @@ # installing/upgrading archlinux-keyring extremely slow. read-write /etc/pacman.d/gnupg read-write /usr/share/pacman/keyrings +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpicview.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -36,13 +35,12 @@ novideo protocol unix seccomp -shell none tracelog private-bin gpicview private-cache private-dev -private-etc alternatives,fonts,group,passwd +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd private-lib private-tmp @@ -50,3 +48,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gpredict.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -32,11 +31,11 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog private-bin gpredict private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gradio.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,14 +38,13 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin gradio private-cache private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp dbus-user filter @@ -54,3 +52,5 @@ dbus-user.own org.mpris.MediaPlayer2.gradio dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gramps.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -41,7 +40,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-cache @@ -50,3 +48,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -33,7 +32,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -41,8 +39,10 @@ private-bin gravity-beams-and-evaporating-stars private-cache private-dev -private-etc fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gthumb.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -29,10 +28,11 @@ novideo protocol unix seccomp -shell none tracelog private-bin gthumb private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gtk-lbry-viewer.profile ^
@@ -0,0 +1,12 @@ +# Firejail profile for gtk-lbry-viewer +# Description: Gtk front-end to lbry-viewer +# This file is overwritten after every install/update +# Persistent local customizations +include gtk-lbry-viewer.local +# added by included profile +#include globals.local + +ignore quiet + +# Redirect +include lbry-viewer.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gtk-update-icon-cache.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,7 +38,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -47,7 +45,7 @@ private-bin gtk-update-icon-cache private-cache private-dev -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-tmp @@ -55,3 +53,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/guayadeque.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -28,9 +27,9 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none private-bin guayadeque private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gucharmap.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,7 +36,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -53,3 +51,4 @@ # dbus-system none read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/guvcview.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -42,7 +41,6 @@ protocol unix,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -54,3 +52,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/gwenview.profile ^
@@ -22,10 +22,10 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +include whitelist-run-common.inc include whitelist-var-common.inc apparmor @@ -42,14 +42,14 @@ novideo protocol unix seccomp -shell none # tracelog private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 private-dev -private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg +private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg # dbus-user none # dbus-system none # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/handbrake.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,10 +30,11 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hashcat.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,7 +33,6 @@ novideo protocol unix seccomp -shell none x11 none disable-mnt @@ -45,3 +43,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hasher-common.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc @@ -43,7 +42,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog x11 none @@ -58,3 +56,4 @@ memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hedgewars.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.hedgewars @@ -36,3 +35,5 @@ disable-mnt private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hexchat.profile ^
@@ -22,7 +22,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -46,7 +45,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -57,3 +55,4 @@ private-tmp # memory-deny-write-execute - breaks python +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/highlight.profile ^
@@ -8,10 +8,12 @@ blacklist ${RUNUSER} +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -29,7 +31,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -40,3 +41,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/homebank.profile ^
@@ -13,7 +13,6 @@ include disable-exec.inc include disable-interpreters.inc include disable-programs.inc -include disable-passwdmgr.inc include disable-shell.inc include disable-xdg.inc @@ -44,7 +43,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -58,3 +56,4 @@ dbus-system none # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/host.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -51,3 +49,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hugin.profile ^
@@ -10,11 +10,16 @@ noblacklist ${DOCUMENTS} noblacklist ${PICTURES} +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -32,12 +37,13 @@ novideo protocol unix seccomp -shell none -private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize +private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize private-cache private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/hyperrogue.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,16 +36,17 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin hyperrogue private-cache -private-cwd ${HOME} +private-cwd private-dev -private-etc fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/i2prouter.profile ^
@@ -28,7 +28,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -64,10 +63,11 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/i3.profile ^
@@ -14,5 +14,6 @@ netfilter noroot protocol unix,inet,inet6 -seccomp +seccomp !chroot +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/iagno.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -29,7 +28,6 @@ novideo protocol unix seccomp -shell none disable-mnt private @@ -39,3 +37,5 @@ # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/idea.sh.profile ^
@@ -19,7 +19,6 @@ include allow-ssh.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -34,10 +33,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev # private-tmp noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/imagej.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -32,7 +31,6 @@ novideo protocol unix seccomp -shell none private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop private-dev @@ -40,3 +38,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/img2txt.profile ^
@@ -1,5 +1,6 @@ # Firejail profile for img2txt # This file is overwritten after every install/update +quiet # Persistent local customizations include img2txt.local # Persistent global definitions @@ -14,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,7 +38,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -51,3 +50,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/impressive.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -44,7 +43,6 @@ novideo protocol unix seccomp -shell none tracelog private-cache @@ -56,3 +54,4 @@ read-only ${HOME} read-write ${HOME}/.cache/mesa_shader_cache +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/imv.profile ^
@@ -0,0 +1,57 @@ +# Firejail profile for imv +# Description: imv is an image viewer. +# This file is overwritten after every install/update +# Persistent local customizations +include imv.local +# Persistent global definitions +include globals.local + +include allow-bin-sh.inc + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +# Users may want to view images in ${HOME} +#include disable-xdg.inc + +# Users may want to view images in ${HOME} +#include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +# Users may want to view images in /usr/share +#include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +tracelog + +private-bin imv,imv-wayland,imv-x11,sh +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/inkscape.profile ^
@@ -1,6 +1,7 @@ # Firejail profile for inkscape # Description: Vector-based drawing program # This file is overwritten after every install/update +quiet # Persistent local customizations include inkscape.local # Persistent global definitions @@ -24,11 +25,11 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc whitelist /usr/share/inkscape +include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -48,7 +49,6 @@ novideo protocol unix seccomp -shell none tracelog # private-bin inkscape,potrace,python* - problems on Debian stretch @@ -60,3 +60,4 @@ dbus-system none # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/inox.profile ^
@@ -6,7 +6,8 @@ include globals.local # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/io.github.lainsce.Notejot.profile ^
@@ -0,0 +1,61 @@ +# Firejail profile for notejot +# Description: Jot your ideas +# This file is overwritten after every install/update +# Persistent local customizations +include io.github.lainsce.Notejot.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/io.github.lainsce.Notejot +noblacklist ${HOME}/.local/share/io.github.lainsce.Notejot + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/io.github.lainsce.Notejot +mkdir ${HOME}/.local/share/io.github.lainsce.Notejot +whitelist ${HOME}/.cache/io.github.lainsce.Notejot +whitelist ${HOME}/.local/share/io.github.lainsce.Notejot +whitelist /usr/libexec/webkit2gtk-4.0 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin io.github.lainsce.Notejot +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user filter +dbus-user.own io.github.lainsce.Notejot +dbus-user.talk ca.desrt.dconf +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ipcalc.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # include disable-shell.inc include disable-write-mnt.inc @@ -42,7 +41,6 @@ novideo # protocol unix seccomp -shell none # tracelog disable-mnt @@ -51,7 +49,7 @@ # private-cache private-dev # empty etc directory -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-opt none private-tmp @@ -61,3 +59,4 @@ # memory-deny-write-execute # read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/iridium.profile ^
@@ -5,11 +5,6 @@ # Persistent global definitions include globals.local -# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 -ignore whitelist /usr/share/chromium -ignore include whitelist-runuser-common.inc -ignore include whitelist-usr-share-common.inc - noblacklist ${HOME}/.cache/iridium noblacklist ${HOME}/.config/iridium
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/itch.profile ^
@@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.itch @@ -35,9 +34,9 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none private-dev private-tmp noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jami-gnome.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc #include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/jami @@ -34,10 +33,10 @@ notv protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt private-dev private-tmp env QT_QPA_PLATFORM=xcb +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jd-gui.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,7 +33,6 @@ novideo protocol unix seccomp -shell none private-bin bash,jd-gui,sh private-cache @@ -43,3 +41,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jerry.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,15 +29,15 @@ novideo protocol unix seccomp -shell none tracelog private-bin bash,jerry,sh,stockfish private-dev -private-etc fonts,gtk-2.0,gtk-3.0 +private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jitsi.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -24,9 +23,10 @@ notv protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-cache private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jumpnbump-menu.profile ^
@@ -10,7 +10,7 @@ # Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc -private-bin jumpnbump-menu,python3* +private-bin env,jumpnbump-menu,python3* # Redirect include jumpnbump.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/jumpnbump.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,7 +27,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -36,15 +34,16 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt private-bin jumpnbump private-cache private-dev -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/k3b.profile ^
@@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,8 @@ novideo # protocol unix - breaks privileged helpers # seccomp - breaks privileged helpers -shell none private-dev # private-tmp + +# restrict-namespaces - breaks privileged helpers
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kaffeine.profile ^
@@ -19,10 +19,10 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +include whitelist-run-common.inc include whitelist-var-common.inc caps.drop all @@ -35,9 +35,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none # private-bin kaffeine private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kalgebra.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,15 +35,16 @@ novideo protocol unix,netlink seccomp !chroot -shell none # tracelog disable-mnt private-bin kalgebra,kalgebramobile private-cache private-dev -private-etc fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kate.profile ^
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/kateschemarc noblacklist ${HOME}/.config/katesyntaxhighlightingrc noblacklist ${HOME}/.config/katevirc +noblacklist ${HOME}/.config/kwinrc noblacklist ${HOME}/.local/share/kate noblacklist ${HOME}/.local/share/kxmlgui5/kate noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree @@ -23,13 +24,16 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kateproject noblacklist ${HOME}/.local/share/kxmlgui5/katesearch +# Allows files commonly used by IDEs +include allow-common-devel.inc + include disable-common.inc # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include whitelist-run-common.inc include whitelist-var-common.inc # apparmor @@ -47,8 +51,6 @@ novideo protocol unix seccomp -shell none -tracelog # private-bin kate,kbuildsycoca4,kdeinit4 private-dev @@ -58,4 +60,5 @@ # dbus-user none # dbus-system none +restrict-namespaces join-or-start kate
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kazam.profile ^
@@ -21,7 +21,6 @@ include disable-exec.inc include disable-interpreters.inc include disable-programs.inc -include disable-passwdmgr.inc include disable-shell.inc include disable-xdg.inc @@ -43,14 +42,15 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt # private-bin kazam,python* private-cache private-dev -private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg private-tmp dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kcalc.profile ^
@@ -12,15 +12,18 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +# Legacy paths +#mkdir ${HOME}/.kde/share/config +#mkdir ${HOME}/.kde4/share/config +#mkfile ${HOME}/.kde/share/config/kcalcrc +#mkfile ${HOME}/.kde4/share/config/kcalcrc + mkdir ${HOME}/.local/share/kxmlgui5/kcalc mkfile ${HOME}/.config/kcalcrc -mkfile ${HOME}/.kde/share/config/kcalcrc -mkfile ${HOME}/.kde4/share/config/kcalcrc whitelist ${HOME}/.config/kcalcrc whitelist ${HOME}/.kde/share/config/kcalcrc whitelist ${HOME}/.kde4/share/config/kcalcrc @@ -29,6 +32,7 @@ whitelist /usr/share/kcalc whitelist /usr/share/kconf_update/kcalcrc.upd include whitelist-common.inc +include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -49,14 +53,13 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin kcalc private-cache private-dev -private-etc alternatives,fonts,ld.so.cache,locale,locale.conf +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf # private-lib - problems on Arch private-tmp @@ -64,3 +67,4 @@ dbus-system none #memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kdeinit4.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -30,9 +29,9 @@ notv protocol unix,inet,inet6,netlink seccomp -shell none private-bin kbuildsycoca4,kded4,kdeinit4,knotify4 private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kdenlive.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -32,7 +31,6 @@ nou2f protocol unix,netlink seccomp -shell none private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine private-dev @@ -40,3 +38,5 @@ # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kdiff3.profile ^
@@ -18,12 +18,13 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc include disable-xdg.inc +# Add the next line to your kdiff3.local if you don't need to compare files in /run. +#include whitelist-run-common.inc include whitelist-runuser-common.inc # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. #include whitelist-usr-share-common.inc @@ -45,13 +46,14 @@ novideo seccomp seccomp.block-secondary -shell none tracelog disable-mnt -private-bin kdiff3 +private-bin kdiff3 private-cache private-dev dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepass.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,13 +32,15 @@ noroot nosound notv -nou2f novideo protocol unix,inet,inet6,netlink seccomp -shell none private-cache +# Note: private-dev prevents the program from seeing new devices (such as +# hardware keys) on /dev after it has already started; add "ignore private-dev" +# to keepassxc.local if this is an issue (see #4883). private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepassx.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,15 +36,15 @@ novideo protocol unix seccomp -shell none tracelog private-bin keepassx,keepassx2 private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepassxc-cli.profile ^
@@ -1,6 +1,7 @@ # Firejail profile for keepassxc-cli # Description: command line interface for KeePassXC # This file is overwritten after every install/update +quiet # Persistent local customizations include keepassxc-cli.local # Persistent global definitions
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/keepassxc.profile ^
@@ -28,7 +28,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,16 +37,22 @@ #mkdir ${HOME}/Documents/KeePassXC #whitelist ${HOME}/Documents/KeePassXC # Needed for KeePassXC-Browser. +#mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.config/chromium/NativeMessagingHosts #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.config/google-chrome/NativeMessagingHosts #mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.config/vivaldi/NativeMessagingHosts #mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts #mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.mozilla/native-messaging-hosts #mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json #mkdir ${HOME}/.cache/keepassxc @@ -58,6 +63,7 @@ #include whitelist-common.inc whitelist /usr/share/keepassxc +include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -72,34 +78,35 @@ noroot nosound notv -nou2f novideo -protocol unix,netlink +protocol unix seccomp !name_to_handle_at seccomp.block-secondary -shell none tracelog private-bin keepassxc,keepassxc-cli,keepassxc-proxy +# Note: private-dev prevents the program from seeing new devices (such as +# hardware keys) on /dev after it has already started; add "ignore private-dev" +# to keepassxc.local if this is an issue (see #4883). private-dev -private-etc alternatives,fonts,ld.so.cache,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user filter -#dbus-user.own org.keepassxc.KeePassXC -dbus-user.talk com.canonical.Unity.Session +dbus-user.own org.keepassxc.KeePassXC.* +dbus-user.talk com.canonical.Unity dbus-user.talk org.freedesktop.ScreenSaver -dbus-user.talk org.freedesktop.login1.Manager -dbus-user.talk org.freedesktop.login1.Session dbus-user.talk org.gnome.ScreenSaver dbus-user.talk org.gnome.SessionManager -dbus-user.talk org.gnome.SessionManager.Presence +dbus-user.talk org.xfce.ScreenSaver +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +?ALLOW_TRAY: dbus-user.own org.kde.* # Add the next line to your keepassxc.local to allow notifications. #dbus-user.talk org.freedesktop.Notifications -# Add the next line to your keepassxc.local to allow the tray menu. -#dbus-user.talk org.kde.StatusNotifierWatcher -#dbus-user.own org.kde.* -dbus-system none +dbus-system filter +dbus-system.talk org.freedesktop.login1 + +restrict-namespaces # Mutex is stored in /tmp by default, which is broken by private-tmp. join-or-start keepassxc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kfind.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc apparmor @@ -38,7 +37,6 @@ novideo protocol unix seccomp -shell none # private-bin kbuildsycoca4,kdeinit4,kfind private-dev @@ -46,3 +44,5 @@ # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kget.profile ^
@@ -18,9 +18,9 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include whitelist-run-common.inc include whitelist-var-common.inc caps.drop all @@ -41,3 +41,4 @@ private-tmp # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kid3.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,12 +32,11 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp private-opt none private-srv none @@ -47,3 +45,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kino.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -30,9 +29,9 @@ novideo protocol unix seccomp -shell none private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kiwix-desktop.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,13 +39,14 @@ novideo protocol unix,inet,inet6,netlink seccomp !chroot -shell none disable-mnt private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/klatexformula.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none tracelog private-cache @@ -44,3 +42,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/klavaro.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,17 +38,18 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin bash,klavaro,sh,tclsh,tclsh* private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp private-opt none private-srv none dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kmail.profile ^
@@ -29,15 +29,16 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2 noblacklist ${HOME}/.local/share/local-mail noblacklist ${HOME}/.local/share/notes +noblacklist ${RUNUSER}/akonadi noblacklist /tmp/akonadi-* include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include whitelist-run-common.inc include whitelist-var-common.inc # apparmor @@ -61,3 +62,5 @@ # private-tmp - interrupts connection to akonadi, breaks opening of email attachments # writable-run-user is needed for signing and encrypting emails writable-run-user + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kmplayer.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,10 +32,10 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none # private-bin kmplayer,mplayer private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kodi.profile ^
@@ -12,6 +12,12 @@ #ignore nogroups #ignore noroot #ignore private-dev +# Add the following to your kodi.local if you use the Lutris Kodi Addon +#noblacklist /sbin +#noblacklist /usr/sbin +#noblacklist ${HOME}/.cache/lutris +#noblacklist ${HOME}/.config/lutris +#noblacklist ${HOME}/.local/share/lutris noblacklist ${HOME}/.kodi noblacklist ${MUSIC} @@ -26,7 +32,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,13 +43,13 @@ nogroups noinput nonewprivs -# Seems to cause issues with Nvidia drivers sometimes (#3501) noroot nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/konversation.profile ^
@@ -16,11 +16,11 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +include whitelist-run-common.inc include whitelist-var-common.inc caps.drop all @@ -35,7 +35,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-bin kbuildsycoca4,konversation @@ -44,3 +43,4 @@ private-tmp # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kopete.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/lib/winpopup @@ -38,3 +37,4 @@ private-tmp writable-var +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/krita.profile ^
@@ -22,7 +22,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -42,7 +41,6 @@ novideo protocol unix seccomp -shell none private-cache private-dev @@ -50,3 +48,5 @@ # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/krunner.profile ^
@@ -22,7 +22,6 @@ include disable-common.inc # include disable-devel.inc # include disable-interpreters.inc -# include disable-passwdmgr.inc # include disable-programs.inc include whitelist-var-common.inc @@ -36,3 +35,5 @@ seccomp # private-cache + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ktorrent.profile ^
@@ -18,17 +18,20 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc -mkdir ${HOME}/.kde/share/apps/ktorrent -mkdir ${HOME}/.kde4/share/apps/ktorrent +# Legacy paths +#mkdir ${HOME}/.kde/share/apps/ktorrent +#mkdir ${HOME}/.kde/share/config +#mkdir ${HOME}/.kde4/share/apps/ktorrent +#mkdir ${HOME}/.kde4/share/config +#mkfile ${HOME}/.kde/share/config/ktorrentrc +#mkfile ${HOME}/.kde4/share/config/ktorrentrc + mkdir ${HOME}/.local/share/ktorrent mkdir ${HOME}/.local/share/kxmlgui5/ktorrent mkfile ${HOME}/.config/ktorrentrc -mkfile ${HOME}/.kde/share/config/ktorrentrc -mkfile ${HOME}/.kde4/share/config/ktorrentrc whitelist ${DOWNLOADS} whitelist ${HOME}/.config/ktorrentrc whitelist ${HOME}/.kde/share/apps/ktorrent @@ -38,6 +41,7 @@ whitelist ${HOME}/.local/share/ktorrent whitelist ${HOME}/.local/share/kxmlgui5/ktorrent include whitelist-common.inc +include whitelist-run-common.inc include whitelist-var-common.inc caps.drop all @@ -55,11 +59,12 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none -private-bin kbuildsycoca4,kdeinit4,ktorrent +private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest private-dev # private-lib - problems on Arch private-tmp +deterministic-shutdown # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/ktouch.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,15 +39,16 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt private-bin ktouch private-cache private-dev -private-etc alternatives,fonts,kde5rc,machine-id +private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kube.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -60,7 +59,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog # disable-mnt @@ -69,7 +67,7 @@ private-bin kube,sink_synchronizer private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg private-tmp writable-run-user @@ -80,3 +78,4 @@ dbus-system none read-only ${HOME}/.mozilla/firefox/profiles.ini +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kwin_x11.profile ^
@@ -17,11 +17,11 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +include whitelist-run-common.inc include whitelist-var-common.inc caps.drop all @@ -37,11 +37,12 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin kwin_x11 private-dev -private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg +private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/kwrite.profile ^
@@ -20,11 +20,11 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +include whitelist-run-common.inc include whitelist-var-common.inc apparmor @@ -42,15 +42,15 @@ novideo protocol unix seccomp -shell none tracelog private-bin kbuildsycoca4,kdeinit4,kwrite private-dev -private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg +private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg private-tmp # dbus-user none # dbus-system none +restrict-namespaces join-or-start kwrite
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/latex-common.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/lib @@ -31,7 +30,6 @@ novideo protocol unix seccomp -shell none tracelog private-cache @@ -40,3 +38,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lbry-viewer.profile ^
@@ -0,0 +1,21 @@ +# Firejail profile for lbry-viewer +# Description:CLI for searching and playing videos from LBRY, with the Librarian frontend +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include lbry-viewer.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/lbry-viewer +noblacklist ${HOME}/.config/lbry-viewer + +mkdir ${HOME}/.config/lbry-viewer +mkdir ${HOME}/.cache/lbry-viewer +whitelist ${HOME}/.cache/lbry-viewer +whitelist ${HOME}/.config/lbry-viewer + +private-bin gtk-lbry-viewer,lbry-viewer + +# Redirect +include youtube-viewers-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/leafpad.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -33,10 +32,10 @@ novideo protocol unix seccomp -shell none private-bin leafpad private-dev private-lib private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/less.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc apparmor caps.drop all @@ -32,7 +31,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -50,3 +48,4 @@ memory-deny-write-execute read-only ${HOME} read-write ${HOME}/.lesshst +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/librecad.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,13 +34,12 @@ protocol unix,inet,inet6 netfilter seccomp -shell none #tracelog #disable-mnt private-bin librecad private-dev -# private-etc cups,drirc,fonts,passwd,xdg +#private-etc alternatives,cups,drirc,fonts,passwd,xdg #private-lib private-tmp @@ -49,3 +47,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/libreoffice.profile ^
@@ -19,9 +19,9 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc +include whitelist-run-common.inc include whitelist-var-common.inc # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. @@ -45,7 +45,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog #private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls @@ -55,4 +54,5 @@ dbus-system none +restrict-namespaces join-or-start libreoffice
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/librewolf.profile ^
@@ -25,6 +25,7 @@ whitelist /usr/share/doc whitelist /usr/share/gtk-doc/html +whitelist /usr/share/librewolf whitelist /usr/share/mozilla whitelist /usr/share/webext include whitelist-usr-share-common.inc @@ -36,6 +37,8 @@ #private-etc librewolf dbus-user filter +dbus-user.own io.gitlab.librewolf.* +dbus-user.own org.mozilla.librewolf.* # Add the next line to your librewolf.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications # Add the next line to your librewolf.local to allow inhibiting screensavers. @@ -44,13 +47,12 @@ #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kuiserver -# Add the next three lines to your librewolf.local to allow screensharing under Wayland. -#whitelist ${RUNUSER}/pipewire-0 -#whitelist /usr/share/pipewire/client.conf -#dbus-user.talk org.freedesktop.portal.* +# Add the next line to your librewolf.local to allow screensharing under Wayland. +#dbus-user.talk org.freedesktop.portal.Desktop # Also add the next line to your librewolf.local if screensharing does not work with # the above lines (depends on the portal implementation). #ignore noroot +ignore apparmor ignore dbus-user none # Redirect
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lifeograph.profile ^
@@ -0,0 +1,58 @@ +# Firejail profile for lifeograph +# Description: Lifeograph is a diary program to take personal notes +# This file is overwritten after every install/update +# Persistent local customizations +include lifeograph.local +# Persistent global definitions +include globals.local + +noblacklist ${DOCUMENTS} + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOCUMENTS} +whitelist /usr/share/lifeograph +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin lifeograph +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/liferea.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/liferea @@ -46,7 +45,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -61,3 +59,5 @@ # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. #dbus-user.talk org.freedesktop.secrets dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lincity-ng.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/links-common.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # Additional noblacklist files/directories (blacklisted in disable-programs.inc) # used as associated programs can be added in your links-common.local. include disable-programs.inc @@ -44,15 +43,14 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt -# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. +# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. private-bin sh private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Add the next line to your links-common.local to allow external media players. # private-etc alsa,asound.conf,machine-id,openal,pulse private-tmp @@ -61,3 +59,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/linphone.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # linphone 4.0 (released 2017-06-26) moved config and database files to respect @@ -43,9 +42,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-dev private-tmp +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/linuxqq.profile ^
@@ -0,0 +1,43 @@ +# Firejail profile for linuxqq +# Description: IM client based on Electron +# This file is overwritten after every install/update +# Persistent local customizations +include linuxqq.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/QQ +noblacklist ${HOME}/.mozilla + +include allow-bin-sh.inc + +include disable-shell.inc + +mkdir ${HOME}/.config/QQ +whitelist ${HOME}/.config/QQ +whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${DESKTOP} + +ignore apparmor +noprinters + +# If you don't need/want to save anything to disk you can add `private` to your linuxqq.local. +#private +private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg +private-opt QQ + +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.portal.Desktop +dbus-user.talk org.freedesktop.portal.Fcitx +dbus-user.talk org.freedesktop.portal.IBus +dbus-user.talk org.freedesktop.ScreenSaver +dbus-user.talk org.gnome.Mutter.IdleMonitor +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.talk org.mozilla.* +ignore dbus-user none + +read-only ${HOME}/.mozilla/firefox/profiles.ini + +# Redirect +include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lmms.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,10 +31,11 @@ novideo protocol unix seccomp -shell none private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lollypop.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,9 +34,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lugaru.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,7 +39,6 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt @@ -51,3 +49,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/luminance-hdr.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,7 +29,6 @@ novideo protocol unix seccomp -shell none tracelog #private-bin luminance-hdr,luminance-hdr-cli,align_image_stack @@ -38,3 +36,4 @@ private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lutris.profile ^
@@ -9,6 +9,7 @@ noblacklist ${PATH}/llvm* noblacklist ${HOME}/Games noblacklist ${HOME}/.cache/lutris +noblacklist ${HOME}/.cache/wine noblacklist ${HOME}/.cache/winetricks noblacklist ${HOME}/.config/lutris noblacklist ${HOME}/.local/share/lutris @@ -29,12 +30,12 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/Games mkdir ${HOME}/.cache/lutris +mkdir ${HOME}/.cache/wine mkdir ${HOME}/.cache/winetricks mkdir ${HOME}/.config/lutris mkdir ${HOME}/.local/share/lutris @@ -42,6 +43,7 @@ whitelist ${DOWNLOADS} whitelist ${HOME}/Games whitelist ${HOME}/.cache/lutris +whitelist ${HOME}/.cache/wine whitelist ${HOME}/.cache/winetricks whitelist ${HOME}/.config/lutris whitelist ${HOME}/.local/share/lutris @@ -67,8 +69,8 @@ nou2f novideo protocol unix,inet,inet6,netlink -seccomp -shell none +seccomp !modify_ldt +seccomp.32 !modify_ldt # Add the next line to your lutris.local if you do not need controller support. #private-dev @@ -78,3 +80,5 @@ dbus-user.own net.lutris.Lutris dbus-user.talk com.feralinteractive.GameMode dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lximage-qt.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -31,9 +30,9 @@ novideo protocol unix seccomp -shell none private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lxmusic.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,8 +33,8 @@ novideo protocol unix seccomp -shell none private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lynx.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog # private-bin lynx @@ -41,3 +39,5 @@ private-dev # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-a-l/lyx.profile ^
@@ -32,7 +32,7 @@ machine-id # private-bin atril,dvilualatex,env,latex,lua,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex -private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg +private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg # Redirect include latex-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Maelstrom.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -34,7 +33,6 @@ novideo #protocol unix #seccomp -shell none tracelog disable-mnt @@ -45,3 +43,5 @@ dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Mathematica.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.Mathematica @@ -28,3 +27,5 @@ noroot notv seccomp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/PCSX2.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -42,7 +41,6 @@ novideo protocol unix,netlink #seccomp - breaks loading with no logs -shell none #tracelog - 32/64 bit incompatibility private-bin PCSX2 @@ -55,3 +53,5 @@ dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/QMediathekView.profile ^
@@ -23,15 +23,34 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +mkdir ${HOME}/.config/QMediathekView +mkdir ${HOME}/.local/share/QMediathekView +whitelist ${HOME}/.config/QMediathekView +whitelist ${HOME}/.local/share/QMediathekView + +whitelist ${DOWNLOADS} +whitelist ${VIDEOS} + +whitelist ${HOME}/.config/mpv +whitelist ${HOME}/.config/smplayer +whitelist ${HOME}/.config/totem +whitelist ${HOME}/.config/vlc +whitelist ${HOME}/.config/xplayer +whitelist ${HOME}/.local/share/totem +whitelist ${HOME}/.local/share/xplayer +whitelist ${HOME}/.mplayer whitelist /usr/share/qtchooser +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter # no3d @@ -39,22 +58,24 @@ nogroups noinput nonewprivs +noprinters noroot notv nou2f novideo -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer private-cache private-dev +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,login.defs,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-tmp dbus-user none dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/QOwnNotes.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,12 +44,12 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-bin gio,QOwnNotes private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Viber.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.ViberPC @@ -30,9 +29,10 @@ notv protocol unix,inet,inet6 seccomp !chroot -shell none disable-mnt private-bin awk,bash,dig,sh,Viber -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 private-tmp + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/XMind.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.xmind @@ -30,10 +29,10 @@ nou2f protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin cp,sh,XMind private-tmp private-dev +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Xephyr.profile ^
@@ -31,7 +31,6 @@ nou2f protocol unix seccomp -shell none disable-mnt # using a private home directory @@ -41,3 +40,5 @@ private-dev # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf #private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/Xvfb.profile ^
@@ -35,7 +35,6 @@ novideo protocol unix seccomp -shell none disable-mnt # using a private home directory @@ -43,5 +42,7 @@ # private-bin sh,xkbcomp,Xvfb # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb private-dev -private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf +private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ZeGrapher.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -36,7 +35,6 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/macrofusion.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python* private-cache @@ -44,3 +42,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/magicor.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,15 +38,16 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin magicor,python2* private-cache private-dev -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/make.profile ^
@@ -0,0 +1,13 @@ +# Firejail profile for make +# Description: GNU make utility to maintain groups of programs +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include make.local +# Persistent global definitions +include globals.local + +memory-deny-write-execute + +# Redirect +include build-systems-common.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/makedeb.profile ^
@@ -0,0 +1,13 @@ +# Firejail profile for makedeb +# Description: A utility to automate the building of Debian packages +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include makedeb.local +# Persistent global definitions +#include globals.local + +ignore noblacklist /var/lib/pacman + +# Redirect +include makepkg.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/makepkg.profile ^
@@ -1,4 +1,5 @@ # Firejail profile for makepkg +# Description: A utility to automate the building of Arch Linux packages # This file is overwritten after every install/update quiet # Persistent local customizations @@ -32,7 +33,6 @@ include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -51,7 +51,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -59,3 +58,4 @@ private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/man.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,7 +25,6 @@ whitelist /usr/share/groff whitelist /usr/share/info whitelist /usr/share/lintian -whitelist /usr/share/locale whitelist /usr/share/man whitelist /var/cache/man #include whitelist-common.inc @@ -51,7 +49,6 @@ nou2f protocol unix seccomp -shell none tracelog x11 none @@ -59,7 +56,7 @@ #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim private-cache private-dev -private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg +private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg #private-tmp dbus-user none @@ -67,4 +64,5 @@ memory-deny-write-execute read-only ${HOME} -read-only /tmp +#read-only /tmp # breaks mandoc (see #4927) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/manaplus.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,7 +38,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -50,3 +48,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/marker.profile ^
@@ -20,7 +20,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -49,7 +48,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-bin marker,python3* @@ -62,3 +60,5 @@ dbus-user.own com.github.fabiocolacio.marker dbus-user.talk ca.desrt.dconf dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/masterpdfeditor.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -32,11 +31,11 @@ novideo protocol unix seccomp -shell none tracelog private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mate-calc.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/mate-calc @@ -39,11 +38,10 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin mate-calc,mate-calculator -private-etc alternatives,dconf,fonts,gtk-3.0 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-dev private-opt none private-tmp @@ -52,3 +50,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mate-color-select.profile ^
@@ -9,7 +9,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -30,13 +29,13 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin mate-color-select -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-dev private-lib private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mate-dictionary.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -34,13 +33,13 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin mate-dictionary -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-opt mate-dictionary private-dev private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mcabber.profile ^
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -28,8 +27,9 @@ novideo protocol inet,inet6 seccomp -shell none private-bin mcabber private-dev -private-etc alternatives,ca-certificates,crypto-policies,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mcomix.profile ^
@@ -22,7 +22,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -51,7 +50,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog # mcomix <= 1.2 uses python2 @@ -72,3 +70,4 @@ read-write ${HOME}/.local/share # used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails read-write ${HOME}/.thumbnails +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mdr.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -46,7 +44,7 @@ private-bin mdr private-cache private-dev -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-tmp @@ -54,3 +52,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mediainfo.profile ^
@@ -1,6 +1,7 @@ # Firejail profile for mediainfo # Description: Command-line utility for reading information from audio/video files # This file is overwritten after every install/update +quiet # Persistent local customizations include mediainfo.local # Persistent global definitions @@ -12,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -36,17 +36,17 @@ novideo protocol unix seccomp -shell none tracelog x11 none private-bin mediainfo private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mediathekview.profile ^
@@ -17,6 +17,8 @@ noblacklist ${HOME}/.mplayer noblacklist ${VIDEOS} +ignore noexec /tmp + # Allow java (blacklisted by disable-devel.inc) include allow-java.inc @@ -24,10 +26,11 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.mediathek3 +whitelist ${HOME}/.mediathek3 include whitelist-var-common.inc caps.drop all @@ -48,3 +51,4 @@ private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/megaglest.profile ^
@@ -8,11 +8,12 @@ noblacklist ${HOME}/.megaglest +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -20,7 +21,8 @@ mkdir ${HOME}/.megaglest whitelist ${HOME}/.megaglest whitelist /usr/share/megaglest -whitelist /usr/share/games/megaglest # Debian version +# Debian version +whitelist /usr/share/games/megaglest include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -41,7 +43,6 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -52,3 +53,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/meld.profile ^
@@ -36,7 +36,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # Add the next line to your meld.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc @@ -68,7 +67,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog private-bin bzr,cvs,git,hg,meld,python*,svn @@ -80,3 +78,4 @@ private-tmp read-only ${HOME}/.ssh +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mencoder.profile ^
@@ -11,7 +11,6 @@ #include disable-common.inc #include disable-devel.inc #include disable-interpreters.inc -#include disable-passwdmgr.inc #include disable-programs.inc ipc-namespace
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mendeleydesktop.profile ^
@@ -22,7 +22,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -39,7 +38,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -49,3 +47,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/menulibre.profile ^
@@ -15,7 +15,6 @@ include disable-exec.inc include disable-interpreters.inc include disable-programs.inc -include disable-passwdmgr.inc include disable-xdg.inc # Whitelist your system icon directory,varies by distro @@ -47,13 +46,12 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg private-tmp dbus-user none @@ -63,3 +61,4 @@ read-write ${HOME}/.gnome/apps read-write ${HOME}/.local/share/applications read-write ${HOME}/.local/share/flatpak/exports +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/meson.profile ^
@@ -0,0 +1,14 @@ +# Firejail profile for meson +# Description: A high productivity build system +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include meson.local +# Persistent global definitions +include globals.local + +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +# Redirect +include build-systems-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/meteo-qt.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,7 +39,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -53,3 +51,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/microsoft-edge-beta.profile ^
@@ -0,0 +1,20 @@ +# Firejail profile for Microsoft Edge Beta +# Description: Web browser from Microsoft,beta channel +# This file is overwritten after every install/update +# Persistent local customizations +include microsoft-edge-beta.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/microsoft-edge-beta +noblacklist ${HOME}/.config/microsoft-edge-beta + +mkdir ${HOME}/.cache/microsoft-edge-beta +mkdir ${HOME}/.config/microsoft-edge-beta +whitelist ${HOME}/.cache/microsoft-edge-beta +whitelist ${HOME}/.config/microsoft-edge-beta + +whitelist /opt/microsoft/msedge-beta + +# Redirect +include chromium-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/microsoft-edge-dev.profile ^
@@ -14,7 +14,7 @@ whitelist ${HOME}/.cache/microsoft-edge-dev whitelist ${HOME}/.config/microsoft-edge-dev -private-opt microsoft +whitelist /opt/microsoft/msedge-dev # Redirect include chromium-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/microsoft-edge.profile ^
@@ -1,11 +1,20 @@ # Firejail profile for Microsoft Edge -# Description: Web browser from Microsoft +# Description: Web browser from Microsoft,stable channel # This file is overwritten after every install/update # Persistent local customizations include microsoft-edge.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +noblacklist ${HOME}/.cache/microsoft-edge +noblacklist ${HOME}/.config/microsoft-edge + +mkdir ${HOME}/.cache/microsoft-edge +mkdir ${HOME}/.config/microsoft-edge +whitelist ${HOME}/.cache/microsoft-edge +whitelist ${HOME}/.config/microsoft-edge + +whitelist /opt/microsoft/msedge # Redirect -include microsoft-edge-dev.profile +include chromium-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/midori.profile ^
@@ -12,10 +12,10 @@ noblacklist ${HOME}/.cache/midori noblacklist ${HOME}/.config/midori noblacklist ${HOME}/.local/share/midori +noblacklist ${HOME}/.local/share/pki # noblacklist ${HOME}/.local/share/webkit # noblacklist ${HOME}/.local/share/webkitgtk noblacklist ${HOME}/.pki -noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.cache/gnome-mplayer noblacklist ${HOME}/.config/gnome-mplayer @@ -25,17 +25,16 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -#include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.cache/midori mkdir ${HOME}/.config/midori mkdir ${HOME}/.local/share/midori +mkdir ${HOME}/.local/share/pki mkdir ${HOME}/.local/share/webkit mkdir ${HOME}/.local/share/webkitgtk mkdir ${HOME}/.pki -mkdir ${HOME}/.local/share/pki whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/gnome-mplayer/plugin whitelist ${HOME}/.cache/midori @@ -43,10 +42,10 @@ whitelist ${HOME}/.config/midori whitelist ${HOME}/.lastpass whitelist ${HOME}/.local/share/midori +whitelist ${HOME}/.local/share/pki whitelist ${HOME}/.local/share/webkit whitelist ${HOME}/.local/share/webkitgtk whitelist ${HOME}/.pki -whitelist ${HOME}/.local/share/pki include whitelist-common.inc include whitelist-var-common.inc @@ -63,3 +62,5 @@ disable-mnt private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mindless.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -43,10 +41,11 @@ private-bin mindless private-cache private-dev -private-etc fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/minecraft-launcher.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,7 +42,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -58,3 +56,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/minetest.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -49,7 +48,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -63,3 +61,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/minitube.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -47,8 +46,7 @@ nou2f novideo protocol unix,inet,inet6,netlink -seccomp !kcmp -shell none +seccomp tracelog disable-mnt @@ -60,3 +58,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mirage.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -48,7 +47,6 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -60,3 +58,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mirrormagic.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,7 +36,6 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt @@ -45,8 +43,10 @@ private-bin mirrormagic private-cache private-dev -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mocp.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,13 +36,12 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-bin mocp private-cache private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none @@ -52,3 +50,4 @@ memory-deny-write-execute read-only ${HOME} read-write ${HOME}/.moc +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mousepad.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -32,10 +31,11 @@ novideo protocol unix seccomp -shell none tracelog private-bin mousepad private-dev private-lib private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mp3splt-gtk.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -32,14 +31,15 @@ novideo protocol unix seccomp -shell none tracelog private-bin mp3splt-gtk private-cache private-dev -private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mp3splt.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,7 +36,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -45,10 +43,11 @@ private-bin flacsplt,mp3splt,mp3wrap,oggsplt private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp -memory-deny-write-execute - dbus-user none dbus-system none + +memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpDris2.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,15 +44,15 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin mpDris2,notify-send,python* private-cache private-dev -private-etc alternatives,hosts,nsswitch.conf +private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf private-lib libdbus-1.so.,libdbus-glib-1.so.,libgirepository-1.0.so.,libnotify.so.,libpython,python2,python3* private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpd.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,10 +35,10 @@ # blacklisting of ioprio_set system calls breaks auto-updating of # MPD's database when files in music_directory are changed seccomp !ioprio_set -shell none #private-bin bash,mpd private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpg123.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog #private-bin mpg123* @@ -44,3 +42,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mplayer.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc read-only ${DESKTOP} @@ -34,8 +33,9 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none private-bin mplayer private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpsyt.profile ^
@@ -27,7 +27,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -51,7 +50,6 @@ caps.drop all netfilter nodvd -# Seems to cause issues with Nvidia drivers sometimes nogroups noinput nonewprivs @@ -61,7 +59,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl @@ -71,3 +68,4 @@ dbus-user none dbus-system none +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mpv.profile ^
@@ -11,7 +11,7 @@ # edit ~/.config/mpv/foobar.conf: # screenshot-directory=~/Pictures -# Mpv has a powerfull lua-API, some off these lua-scripts interact +# Mpv has a powerful lua-API, some off these lua-scripts interact # with external resources which are blocked by firejail. In such cases # you need to allow these resources by # - adding additional binaries to private-bin @@ -26,7 +26,11 @@ noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/youtube-dl +noblacklist ${HOME}/.config/yt-dlp +noblacklist ${HOME}/.config/yt-dlp.conf noblacklist ${HOME}/.netrc +noblacklist ${HOME}/yt-dlp.conf +noblacklist ${HOME}/yt-dlp.conf.txt # Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc @@ -41,29 +45,30 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc read-only ${DESKTOP} mkdir ${HOME}/.config/mpv -mkdir ${HOME}/.config/youtube-dl mkfile ${HOME}/.netrc whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/youtube-dl +whitelist ${HOME}/.config/yt-dlp +whitelist ${HOME}/.config/yt-dlp.conf whitelist ${HOME}/.netrc -include whitelist-common.inc -include whitelist-player-common.inc +whitelist ${HOME}/yt-dlp.conf +whitelist ${HOME}/yt-dlp.conf.txt whitelist /usr/share/lua whitelist /usr/share/lua* whitelist /usr/share/vulkan +include whitelist-common.inc +include whitelist-player-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all netfilter -# nogroups seems to cause issues with Nvidia drivers sometimes nogroups noinput nonewprivs @@ -72,13 +77,14 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none tracelog -private-bin env,mpv,python,waf,youtube-dl +private-bin env,mpv,python,waf,youtube-dl,yt-dlp # private-cache causes slow OSD, see #2838 #private-cache private-dev dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mrrescue.profile ^
@@ -20,7 +20,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -47,15 +45,16 @@ protocol unix,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin love,mrrescue,sh private-cache private-dev -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ms-office.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -31,14 +30,15 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin bash,env,fonts,jak,ms-office,python*,sh -private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mtpaint.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,7 +36,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -48,3 +46,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/multimc5.profile ^
@@ -9,6 +9,10 @@ noblacklist ${HOME}/.local/share/multimc5 noblacklist ${HOME}/.multimc5 +# Ignore noexec on ${HOME} as MultiMC installs LWJGL native +# libraries in ${HOME}/.local/share/multimc +ignore noexec ${HOME} + # Allow java (blacklisted by disable-devel.inc) include allow-java.inc @@ -16,7 +20,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.local/share/multimc @@ -39,7 +42,6 @@ novideo protocol unix,inet,inet6 # seccomp -shell none disable-mnt # private-bin works, but causes weirdness @@ -47,3 +49,4 @@ private-dev private-tmp +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mumble.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -36,7 +35,6 @@ notv protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -44,3 +42,4 @@ private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf-gl.profile ^
@@ -7,7 +7,10 @@ # added by included profile #include globals.local +noblacklist ${HOME}/.cache/mupdf.history noblacklist ${HOME}/.mupdf.history +ignore no3d + # Redirect include mupdf.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf-x11-curl.profile ^
@@ -12,7 +12,7 @@ netfilter protocol unix,inet,inet6 -private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Redirect include mupdf.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf-x11.profile ^
@@ -7,8 +7,5 @@ # added by included profile #include globals.local -memory-deny-write-execute -read-only ${HOME} - # Redirect include mupdf.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupdf.profile ^
@@ -4,7 +4,7 @@ # Persistent local customizations include mupdf.local # Persistent global definitions -#include globals.local +include globals.local noblacklist ${DOCUMENTS} @@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -22,6 +21,7 @@ caps.drop all machine-id net none +no3d nodvd nogroups noinput @@ -33,7 +33,6 @@ novideo protocol unix seccomp -shell none tracelog private-dev @@ -42,3 +41,7 @@ dbus-user none dbus-system none + +memory-deny-write-execute +read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mupen64plus.profile ^
@@ -11,8 +11,6 @@ include disable-common.inc include disable-devel.inc -include disable-passwdmgr.inc -include disable-passwdmgr.inc include disable-programs.inc # you'll need to manually whitelist ROM files @@ -33,3 +31,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/musescore.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,8 +35,9 @@ protocol unix,inet,inet6 # QtWebengine needs chroot to set up its own sandbox seccomp !chroot -shell none tracelog # private-bin musescore,mscore private-tmp + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/musictube.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -44,7 +43,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -56,3 +54,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/musixmatch.profile ^
@@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,9 +29,10 @@ nou2f novideo protocol unix,inet,inet6,netlink -seccomp +seccomp !chroot disable-mnt private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mutt.profile ^
@@ -47,7 +47,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -129,13 +128,12 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog # disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg private-tmp writable-run-user writable-var @@ -148,3 +146,4 @@ read-only ${HOME}/.nanorc read-only ${HOME}/.signature read-only ${HOME}/.w3m +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/mypaint.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,13 +38,14 @@ novideo protocol unix seccomp -shell none tracelog private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nano.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/nano @@ -39,7 +38,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -50,7 +48,7 @@ # Add the next lines to your nano.local if you want to edit files in /etc directly. #ignore private-etc #writable-etc -private-etc alternatives,nanorc +private-etc alternatives,ld.so.cache,ld.so.preload,nanorc # Add the next line to your nano.local if you want to edit files in /var directly. #writable-var @@ -58,3 +56,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/natron.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -30,9 +29,10 @@ nou2f protocol unix seccomp -shell none private-bin natron,Natron,NatronRenderer dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ncdu.profile ^
@@ -1,6 +1,7 @@ # Firejail profile for ncdu # Description: Ncurses disk usage viewer # This file is overwritten after every install/update +quiet # Persistent local customizations include ncdu.local # Persistent global definitions @@ -25,7 +26,6 @@ novideo protocol unix seccomp -shell none x11 none private-dev @@ -35,3 +35,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ncdu2.profile ^
@@ -0,0 +1,12 @@ +# Firejail profile for ncdu2 +# Description: Ncurses disk usage viewer (zig rewrite) +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ncdu2.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include ncdu.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/neochat.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -49,7 +48,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -61,6 +59,8 @@ dbus-user filter dbus-user.own org.kde.neochat dbus-user.talk org.freedesktop.Notifications -dbus-user.talk org.kde.StatusNotifierWatcher +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher dbus-user.talk org.kde.kwalletd5 dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/neomutt.profile ^
@@ -46,36 +46,15 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.Mail -mkdir ${HOME}/.bogofilter -mkdir ${HOME}/.config/mutt -mkdir ${HOME}/.config/nano -mkdir ${HOME}/.config/neomutt -mkdir ${HOME}/.elinks -mkdir ${HOME}/.emacs.d -mkdir ${HOME}/.gnupg mkdir ${HOME}/.mail -mkdir ${HOME}/.mutt -mkdir ${HOME}/.neomutt -mkdir ${HOME}/.vim -mkdir ${HOME}/.w3m mkdir ${HOME}/Mail mkdir ${HOME}/mail mkdir ${HOME}/postponed mkdir ${HOME}/sent -mkfile ${HOME}/.emacs -mkfile ${HOME}/.mailcap -mkfile ${HOME}/.msmtprc -mkfile ${HOME}/.muttrc -mkfile ${HOME}/.nanorc -mkfile ${HOME}/.neomuttrc -mkfile ${HOME}/.signature -mkfile ${HOME}/.viminfo -mkfile ${HOME}/.vimrc whitelist ${DOCUMENTS} whitelist ${DOWNLOADS} whitelist ${HOME}/.Mail @@ -132,13 +111,12 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog # disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg private-tmp writable-run-user writable-var @@ -151,3 +129,4 @@ read-only ${HOME}/.nanorc read-only ${HOME}/.signature read-only ${HOME}/.w3m +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/netactview.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,13 +39,12 @@ nou2f novideo seccomp -shell none disable-mnt private-bin netactview,netactview_polkit private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib private-tmp @@ -54,3 +52,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nethack-vultures.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.vultures @@ -33,7 +32,6 @@ novideo #protocol unix,netlink #seccomp -shell none disable-mnt #private @@ -44,3 +42,5 @@ dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nethack.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/games/nethack @@ -33,7 +32,6 @@ novideo #protocol unix,netlink #seccomp -shell none disable-mnt #private @@ -46,3 +44,4 @@ dbus-system none #memory-deny-write-execute +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/netsurf.profile ^
@@ -32,3 +32,5 @@ tracelog disable-mnt + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/neverball.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -50,3 +48,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/newsboat.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -48,16 +47,16 @@ novideo protocol inet,inet6 seccomp -shell none disable-mnt private-bin gzip,lynx,newsboat,sh,w3m private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/newsflash.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,17 +44,18 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin com.gitlab.newsflash,newsflash private-cache private-dev -private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 private-tmp dbus-user none #dbus-user.own com.gitlab.newsflash #dbus-user.talk org.freedesktop.Notifications dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nextcloud.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -30,6 +29,7 @@ whitelist ${HOME}/Nextcloud whitelist ${HOME}/.config/Nextcloud whitelist ${HOME}/.local/share/Nextcloud +whitelist /usr/share/nextcloud # Add the next lines to your nextcloud.local to allow sync in more directories. #whitelist ${DOCUMENTS} #whitelist ${MUSIC} @@ -44,7 +44,6 @@ caps.drop all machine-id netfilter -no3d nodvd nogroups noinput @@ -57,16 +56,18 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin nextcloud,nextcloud-desktop private-cache -private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-dev private-tmp dbus-user filter dbus-user.talk org.freedesktop.secrets +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nheko.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -42,7 +41,6 @@ notv protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -52,11 +50,11 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp - -# Add the next lines to your nheko.local to enable notification support. -#ignore dbus-user none -#dbus-user filter +dbus-user filter +dbus-user.talk org.freedesktop.secrets +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +# Add the next line to your nheko.local to enable notification support. #dbus-user.talk org.freedesktop.Notifications -#dbus-user.talk org.kde.StatusNotifierWatcher -dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nicotine.profile ^
@@ -8,14 +8,17 @@ noblacklist ${HOME}/.nicotine +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,6 +41,7 @@ nogroups noinput nonewprivs +noprinters noroot nosound notv @@ -45,14 +49,15 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt -private-bin nicotine,python2* +#private-bin nicotine,python2* private-cache private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nitroshare.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -37,13 +36,12 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui private-cache private-dev -private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl +private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl # private-lib libnitroshare.so.,libqhttpengine.so.,libqmdnsengine.so.*,nitroshare private-tmp @@ -51,3 +49,4 @@ # dbus-system none # memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/node-gyp.profile ^
@@ -0,0 +1,11 @@ +# Firejail profile for node-gyp +# Description: Part of the Node.js stack +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include node-gyp.local +# Persistent global definitions +include globals.local + +# Redirect +include nodejs-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nodejs-common.profile ^
@@ -7,7 +7,14 @@ # added by caller profile #include globals.local -blacklist /tmp/.X11-unix +# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts +# using the `#!/usr/bin/env node` shebang. By sandboxing node the full +# node.js stack will be firejailed. The only exception is nvm, which is implemented +# as a sourced shell function, not an executable binary. Hence it is not +# directly firejailable. You can work around this by sandboxing the programs +# used by nvm: curl, sha256sum, tar and wget. We have comments in these +# profiles on how to enable nvm support via local overrides. + blacklist ${RUNUSER} ignore read-only ${HOME}/.npm-packages @@ -25,14 +32,13 @@ noblacklist ${HOME}/.yarnrc ignore noexec ${HOME} - include allow-bin-sh.inc include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +include disable-X11.inc include disable-xdg.inc # If you want whitelisting, change ${HOME}/Projects below to your node projects directory @@ -74,6 +80,7 @@ nogroups noinput nonewprivs +noprinters noroot nosound notv @@ -82,7 +89,6 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none disable-mnt private-dev @@ -94,3 +100,4 @@ # Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry. #env GATSBY_TELEMETRY_DISABLED=1 +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nomacs.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,11 +35,12 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog #private-bin nomacs private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl private-tmp + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/noprofile.profile ^
@@ -0,0 +1,29 @@ +# This is the weakest possible firejail profile. +# If a program still fail with this profile, it is incompatible with firejail. +# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72) +# +# Usage: +# 1. download +# 2. firejail --profile=noprofile.profile /path/to/program + +# Keep in mind that even with this profile some things are done +# which can break the program. +# - some env-vars are cleared +# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes' +# - a new private pid-namespace is created +# - a minimal hardcoded blacklist is applied +# - ... + +noblacklist /sys/fs +noblacklist /sys/module + +allow-debuggers +allusers +keep-config-pulse +keep-dev-shm +keep-fd all +keep-var-tmp +writable-etc +writable-run-user +writable-var +writable-var-log
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/notable.profile ^
@@ -0,0 +1,37 @@ +# Firejail profile for notable +# Description: The Markdown-based note-taking app that doesn't suck +# This file is overwritten after every install/update +# Persistent local customizations +include notable.local +# Persistent global definitions +include globals.local + +# Note: On debian-based distributions the binary might be located in +# /opt/Notable/notable, and therefore not be in PATH. +# If that's the case you can start Notable with firejail via +# `firejail "/opt/Notable/notable"`. + +noblacklist ${HOME}/.config/Notable +noblacklist ${HOME}/.notable + +net none +nosound + +?HAS_APPIMAGE: ignore private-dev +private-opt Notable + +dbus-user filter +dbus-user.talk ca.desrt.dconf +ignore dbus-user none + +# Notable keeps claiming it is started for the first time when whitelisting - see #4812. +ignore whitelist ${DOWNLOADS} +ignore whitelist ${HOME}/.config/Electron +ignore whitelist ${HOME}/.config/electron-flag.conf +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc + +# Redirect +include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/notify-send.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -41,7 +40,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -50,7 +48,7 @@ private-bin notify-send private-cache private-dev -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user filter @@ -59,3 +57,4 @@ memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/npx.profile ^
@@ -0,0 +1,11 @@ +# Firejail profile for npx +# Description: Part of the Node.js stack +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include npx.local +# Persistent global definitions +include globals.local + +# Redirect +include nodejs-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nslookup.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -42,7 +41,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -54,3 +52,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nuclear.profile ^
@@ -18,7 +18,7 @@ no3d # private-bin nuclear -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt nuclear # Redirect
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nvim.profile ^
@@ -0,0 +1,54 @@ +# Firejail profile for neovim +# Description: Nvim is open source and freely distributable +# This file is overwritten after every install/update +# Persistent local customizations +include nvim.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.vim +noblacklist ${HOME}/.vimrc +noblacklist ${HOME}/.cache/nvim +noblacklist ${HOME}/.config/nvim +noblacklist ${HOME}/.local/share/nvim +noblacklist ${HOME}/.local/state/nvim + +include disable-common.inc +include disable-devel.inc +include disable-programs.inc +include disable-xdg.inc + +blacklist ${RUNUSER} + +include whitelist-runuser-common.inc + +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +tracelog +x11 none + +private-dev + +dbus-user none +dbus-system none + +read-only ${HOME}/.config +read-write ${HOME}/.config/nvim +read-write ${HOME}/.local/share/nvim +read-write ${HOME}/.local/state/nvim +read-write ${HOME}/.vim +read-write ${HOME}/.vimrc +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nylas.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Nylas Mail @@ -34,6 +33,7 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/nyx.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,16 +39,17 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin nyx,python* private-cache private-dev -private-etc alternatives,fonts,passwd,tor +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor private-opt none private-srv none private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/obs.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,7 +33,6 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog private-bin bash,obs,obs-ffmpeg-mux,python*,sh @@ -42,3 +40,4 @@ private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ocenaudio.profile ^
@@ -6,51 +6,58 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/ocenaudio noblacklist ${HOME}/.local/share/ocenaudio -noblacklist ${DOCUMENTS} + noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +mkdir ${HOME}/.cache/ocenaudio +mkdir ${HOME}/.local/share/ocenaudio +whitelist ${HOME}/.cache/ocenaudio +whitelist ${HOME}/.local/share/ocenaudio +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all -ipc-namespace -# net none - breaks update functionality and AppArmor on Ubuntu systems -# Add 'net none' to your ocenaudio.local when you want that functionality. -#net none +#ipc-namespace netfilter no3d nodvd nogroups noinput nonewprivs +noprinters noroot notv nou2f novideo -protocol unix +# Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking. +protocol unix,inet,inet6 seccomp -shell none tracelog -private-bin ocenaudio +private-bin ocenaudio,ocenvst private-cache private-dev -private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg +private-opt ocenaudio private-tmp -# breaks preferences -# dbus-user none -# dbus-system none +dbus-user none +dbus-system none -#memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/odt2txt.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -32,17 +31,17 @@ novideo protocol unix seccomp -shell none tracelog x11 none private-bin odt2txt private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/okular.profile ^
@@ -23,7 +23,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,6 +36,7 @@ whitelist /usr/share/kxmlgui5/okular whitelist /usr/share/okular whitelist /usr/share/poppler +include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -57,12 +57,11 @@ novideo protocol unix seccomp -shell none tracelog private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar private-dev -private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg +private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients # dbus-user none @@ -70,4 +69,5 @@ # memory-deny-write-execute +restrict-namespaces join-or-start okular
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onboard.profile ^
@@ -17,7 +17,6 @@ include disable-exec.inc include disable-interpreters.inc include disable-programs.inc -include disable-passwdmgr.inc include disable-shell.inc include disable-xdg.inc @@ -44,14 +43,15 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-cache private-bin onboard,python*,tput private-dev -private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg +private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg private-tmp dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onionshare-cli.profile ^
@@ -0,0 +1,12 @@ +# Firejail profile for onionshare-cli +# Description: Share a file over Tor Hidden Services anonymously and securely (CLI) +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include onionshare-cli.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include onionshare-gui.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onionshare-gui.profile ^
@@ -1,4 +1,5 @@ # Firejail profile for onionshare-gui +# Description: Share a file over Tor Hidden Services anonymously and securely # This file is overwritten after every install/update # Persistent local customizations include onionshare-gui.local @@ -10,23 +11,37 @@ # Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc +blacklist /sys/class/net + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc +include disable-proc.inc include disable-programs.inc +include disable-shell.inc +mkdir ${HOME}/.config/onionshare +mkdir ${HOME}/OnionShare +whitelist ${HOME}/.config/onionshare +whitelist ${HOME}/OnionShare +whitelist /usr/share/onionshare +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all ipc-namespace +machine-id netfilter no3d nodvd nogroups noinput nonewprivs +noprinters noroot nosound notv @@ -34,9 +49,20 @@ novideo protocol unix,inet,inet6 seccomp -shell none +seccomp.block-secondary +#tracelog - may cause issues, see #1930 +disable-mnt +private-bin onionshare,onionshare-cli,onionshare-gui,python,tor +private-cache private-dev private-tmp +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +dbus-system none + memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/onionshare.profile ^
@@ -0,0 +1,11 @@ +# Firejail profile for onionshare +# Description: Share a file over Tor Hidden Services anonymously and securely (GUI) +# This file is overwritten after every install/update +# Persistent local customizations +include onionshare.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include onionshare-gui.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/open-invaders.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -26,7 +25,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -34,7 +32,6 @@ novideo protocol unix,netlink seccomp -shell none private-bin open-invaders private-dev @@ -42,3 +39,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openarena.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,15 +36,16 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity private-cache private-dev -private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg +private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openbox.profile ^
@@ -14,7 +14,8 @@ netfilter noroot protocol unix,inet,inet6 -seccomp +seccomp !chroot read-only ${HOME}/.config/openbox/autostart read-only ${HOME}/.config/openbox/environment +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opencity.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openclonk.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -29,7 +28,6 @@ netfilter nodvd nogroups -noinput nonewprivs noroot notv @@ -37,7 +35,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -48,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openmw.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -48,7 +47,6 @@ protocol unix,netlink seccomp seccomp.block-secondary -shell none tracelog private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard @@ -60,3 +58,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openshot.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/blender @@ -38,7 +37,6 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none tracelog private-bin blender,inkscape,openshot,openshot-qt,python3* @@ -48,3 +46,5 @@ dbus-user filter dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openstego.profile ^
@@ -0,0 +1,59 @@ +# Firejail profile for OpenStego +# Description: Steganography application that provides data hiding and watermarking functionality +# This file is overwritten after every install/update +# Persistent local customizations +include openstego.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/openstego.ini + +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc + +mkfile ${HOME}/openstego.ini +whitelist ${HOME}/openstego.ini +whitelist ${HOME}/.java +whitelist ${PICTURES} +whitelist ${DOCUMENTS} +whitelist ${DESKTOP} +whitelist /usr/share/java +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +machine-id +net none +no3d +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin bash,dirname,openstego,readlink,sh +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/openttd.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opera-beta.profile ^
@@ -5,18 +5,16 @@ # Persistent global definitions include globals.local -# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus -ignore whitelist /usr/share/chromium -ignore include whitelist-runuser-common.inc -ignore include whitelist-usr-share-common.inc - -noblacklist ${HOME}/.cache/opera +noblacklist ${HOME}/.cache/opera-beta noblacklist ${HOME}/.config/opera-beta +noblacklist ${HOME}/.opera-beta -mkdir ${HOME}/.cache/opera +mkdir ${HOME}/.cache/opera-beta mkdir ${HOME}/.config/opera-beta -whitelist ${HOME}/.cache/opera +mkdir ${HOME}/.opera-beta +whitelist ${HOME}/.cache/opera-beta whitelist ${HOME}/.config/opera-beta +whitelist ${HOME}/.opera-beta # Redirect include chromium-common.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opera-developer.profile ^
@@ -0,0 +1,20 @@ +# Firejail profile for opera-developer +# This file is overwritten after every install/update +# Persistent local customizations +include opera-developer.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/opera-developer +noblacklist ${HOME}/.config/opera-developer +noblacklist ${HOME}/.opera-developer + +mkdir ${HOME}/.cache/opera-developer +mkdir ${HOME}/.config/opera-developer +mkdir ${HOME}/.opera-developer +whitelist ${HOME}/.cache/opera-developer +whitelist ${HOME}/.config/opera-developer +whitelist ${HOME}/.opera-developer + +# Redirect +include chromium-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/opera.profile ^
@@ -6,11 +6,6 @@ # Persistent global definitions include globals.local -# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus -ignore whitelist /usr/share/chromium -ignore include whitelist-runuser-common.inc -ignore include whitelist-usr-share-common.inc - noblacklist ${HOME}/.cache/opera noblacklist ${HOME}/.config/opera noblacklist ${HOME}/.opera @@ -22,5 +17,16 @@ whitelist ${HOME}/.config/opera whitelist ${HOME}/.opera +# https://github.com/netblue30/firejail/issues/4965 +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext + +# opera uses opera_sandbox instead of chrome-sandbox +noblacklist /usr/lib/opera/opera_sandbox +ignore noblacklist /usr/lib/chromium/chrome-sandbox + +# Add the below to your opera.local if you want to disable auto update +#env OPERA_AUTOUPDATE_DISABLED=1 + # Redirect include chromium-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/orage.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,10 +30,10 @@ novideo protocol unix seccomp -shell none disable-mnt private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ostrichriders.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt @@ -49,3 +47,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/otter-browser.profile ^
@@ -10,26 +10,25 @@ noblacklist ${HOME}/.cache/Otter noblacklist ${HOME}/.config/otter -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.cache/Otter mkdir ${HOME}/.config/otter -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/Otter whitelist ${HOME}/.config/otter -whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki +whitelist ${HOME}/.pki whitelist /usr/share/otter-browser include whitelist-common.inc include whitelist-runuser-common.inc @@ -48,7 +47,6 @@ ?BROWSER_DISABLE_U2F: nou2f protocol unix,inet,inet6,netlink seccomp !chroot -shell none disable-mnt private-bin bash,otter-browser,sh,which @@ -58,3 +56,5 @@ private-tmp dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/palemoon.profile ^
@@ -22,5 +22,8 @@ #private-etc palemoon #private-opt palemoon +restrict-namespaces +ignore restrict-namespaces + # Redirect include firefox-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pandoc.profile ^
@@ -11,15 +11,17 @@ noblacklist ${DOCUMENTS} +include allow-bin-sh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +include whitelist-runuser-common.inc # breaks pdf output #include whitelist-var-common.inc @@ -40,18 +42,18 @@ novideo protocol unix seccomp -shell none +seccomp.block-secondary tracelog x11 none disable-mnt -private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf private-cache private-dev -private-etc alternatives,texlive,texmf +private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/parole.profile ^
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -24,8 +23,9 @@ notv protocol unix,inet,inet6 seccomp -shell none private-bin dbus-launch,parole private-cache -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/patch.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog x11 none @@ -50,3 +48,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pavucontrol.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,14 +38,13 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin pavucontrol private-cache private-dev -private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse +private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse private-lib private-tmp @@ -55,3 +53,4 @@ # mdwe is broken under Wayland, but works under Xorg. #memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pcsxr.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -42,7 +41,6 @@ novideo protocol unix,netlink seccomp -shell none tracelog private-bin pcsxr @@ -55,3 +53,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdfchain.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,14 +30,14 @@ novideo protocol unix seccomp -shell none private-bin pdfchain,pdftk,sh private-dev -private-etc alternatives,dconf,fonts,gtk-3.0,xdg +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdfmod.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,10 +35,11 @@ novideo protocol unix seccomp -shell none private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdfsam.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,7 +33,6 @@ novideo protocol unix seccomp -shell none private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which private-cache @@ -43,3 +41,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pdftotext.profile ^
@@ -1,6 +1,7 @@ # Firejail profile for pdftotext # Description: Portable Document Format (PDF) to text converter # This file is overwritten after every install/update +quiet # Persistent local customizations include pdftotext.local # Persistent global definitions @@ -14,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -42,15 +42,16 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog x11 none private-bin pdftotext private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/peek.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -43,13 +42,12 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh private-dev -private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11 +private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11 private-tmp dbus-user filter @@ -61,3 +59,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/penguin-command.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -33,7 +32,6 @@ novideo protocol unix,netlink seccomp -shell none private-bin penguin-command private-dev @@ -41,3 +39,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/photoflare.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,15 +36,16 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin photoflare private-cache private-dev -private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11 +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11 private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/picard.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,8 +36,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pidgin.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -46,3 +45,5 @@ private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pinball.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -42,7 +41,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -54,3 +52,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ping-hardened.inc.profile ^
@@ -0,0 +1,12 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include ping-hardened.inc.local + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ping.profile ^
@@ -7,24 +7,30 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc +include disable-proc.inc include disable-programs.inc +include disable-X11.inc include disable-xdg.inc include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +# Add the next line to your ping.local if your kernel allows unprivileged userns clone. +#include ping-hardened.inc.profile + apparmor caps.keep net_raw ipc-namespace +machine-id #net tun0 #netfilter /etc/firejail/ping.net netfilter @@ -32,8 +38,9 @@ nodvd nogroups noinput -# ping needs to rise privileges, noroot and nonewprivs will kill it +# ping needs to raise privileges, nonewprivs and noroot will kill it #nonewprivs +noprinters #noroot nosound notv @@ -41,15 +48,17 @@ novideo # protocol command is built using seccomp; nonewprivs will kill it #protocol unix,inet,inet6,netlink,packet -# killed by no-new-privs #seccomp +tracelog disable-mnt private -#private-bin has mammoth problems with execvp: "No such file or directory" +#private-bin ping - has mammoth problems with execvp: "No such file or directory" +private-cache private-dev # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! -#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl +#private-etc alternatives,ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl +private-lib private-tmp # memory-deny-write-execute is built using seccomp; nonewprivs will kill it @@ -57,3 +66,6 @@ dbus-user none dbus-system none + +read-only ${HOME} +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pingus.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -44,15 +43,16 @@ protocol unix,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin pingus,pingus.bin,sh private-cache private-dev -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pinta.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,7 +31,6 @@ novideo protocol unix seccomp -shell none private-dev private-cache @@ -40,3 +38,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pioneer.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt @@ -46,3 +44,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pip.profile ^
@@ -0,0 +1,21 @@ +# Firejail profile for pip +# Description: package manager for Python packages +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include pip.local +# Persistent global definitions +include globals.local + +ignore read-only ${HOME}/.local/lib + +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +noblacklist ${HOME}/.cache/pip + +#whitelist ${HOME}/.cache/pip +#whitelist ${HOME}/.local/lib/python* + +# Redirect +include build-systems-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pithos.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,10 +34,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin env,pithos,python* private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pitivi.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -36,8 +35,8 @@ novideo protocol unix seccomp -shell none private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pix.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -29,10 +28,11 @@ novideo protocol unix seccomp -shell none tracelog private-bin pix private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pkglog.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,7 +36,6 @@ nou2f novideo seccomp -shell none tracelog disable-mnt @@ -45,7 +43,7 @@ private-bin pkglog,python* private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-opt none private-tmp writable-var-log @@ -58,3 +56,4 @@ read-only /var/log/apt/history.log read-only /var/log/dnf.rpm.log read-only /var/log/pacman.log +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pluma.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -38,7 +37,6 @@ novideo protocol unix seccomp -shell none tracelog private-bin pluma @@ -50,4 +48,5 @@ # dbus-user none # dbus-system none +restrict-namespaces join-or-start pluma
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/plv.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,14 +39,13 @@ nou2f novideo seccomp -shell none tracelog disable-mnt private-bin plv private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-opt none private-tmp writable-var-log @@ -59,3 +57,4 @@ read-only ${HOME} read-write ${HOME}/.config/PacmanLogViewer read-only /var/log/pacman.log +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pngquant.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,20 +38,19 @@ notv nou2f novideo -# protocol can be empty, but this is not yet supported see #639 -protocol inet -seccomp -shell none +# block the socket syscall to simulate an be empty protocol line, see #639 +seccomp socket tracelog x11 none private-bin pngquant private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/polari.profile ^
@@ -43,10 +43,10 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ppsspp.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc @@ -39,7 +38,6 @@ novideo protocol unix,netlink seccomp -shell none private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL # Add the next line to your ppsspp.local if you do not need controller support. @@ -50,3 +48,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pragha.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,9 +30,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/profanity.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,15 +39,15 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin profanity private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/psi-plus.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/psi+ @@ -39,8 +38,9 @@ protocol unix,inet,inet6 # QtWebengine needs chroot to set up its own sandbox seccomp !chroot -shell none disable-mnt private-dev private-tmp + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/psi.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -63,7 +62,6 @@ nou2f protocol unix,inet,inet6,netlink seccomp !chroot -shell none #tracelog - breaks on Arch disable-mnt @@ -72,8 +70,10 @@ private-bin getopt,psi private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-tmp dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pybitmessage.profile ^
@@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-interpreters.inc @@ -37,7 +36,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat @@ -45,3 +43,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pycharm-community.profile ^
@@ -5,7 +5,13 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.PyCharmCE* +noblacklist ${HOME}/.PyCharm* +# Persistent cache is needed for spell and grammar checkers, etc. +noblacklist ${HOME}/.cache/JetBrains/PyCharm* +noblacklist ${HOME}/.config/JetBrains/PyCharm* +# Not `PyCharm*`, because the state about of "anonymous data sent" is shared +# between JetBrains IDEs. +noblacklist ${HOME}/.local/share/JetBrains # Allow java (blacklisted by disable-devel.inc) include allow-java.inc @@ -15,7 +21,6 @@ include disable-common.inc include disable-devel.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -27,12 +32,10 @@ notv nou2f novideo -shell none tracelog # private-etc alternatives,fonts,passwd - minimal required to run but will probably break # program! -private-cache private-dev private-tmp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/pycharm-professional.profile ^
@@ -6,7 +6,5 @@ # added by included profile #include globals.local -noblacklist ${HOME}/.PyCharm* - # Redirect include pycharm-community.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qbittorrent.profile ^
@@ -1,5 +1,5 @@ # Firejail profile for qbittorrent -# Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI +# Description: An advanced BitTorrent client programmed in C++, based on Qt toolkit and libtorrent-rasterbar # This file is overwritten after every install/update # Persistent local customizations include qbittorrent.local @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/qBittorrent noblacklist ${HOME}/.config/qBittorrentrc noblacklist ${HOME}/.local/share/data/qBittorrent +noblacklist ${HOME}/.local/share/qBittorrent # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc @@ -19,7 +20,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -27,11 +27,13 @@ mkdir ${HOME}/.config/qBittorrent mkfile ${HOME}/.config/qBittorrentrc mkdir ${HOME}/.local/share/data/qBittorrent +mkdir ${HOME}/.local/share/qBittorrent whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/qBittorrent whitelist ${HOME}/.config/qBittorrent whitelist ${HOME}/.config/qBittorrentrc whitelist ${HOME}/.local/share/data/qBittorrent +whitelist ${HOME}/.local/share/qBittorrent include whitelist-common.inc include whitelist-var-common.inc @@ -50,7 +52,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none private-bin python*,qbittorrent private-dev @@ -62,3 +63,4 @@ dbus-system none # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qcomicbook.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -48,7 +47,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip @@ -66,3 +64,4 @@ read-write ${HOME}/.local/share/PawelStolowski #to allow ${HOME}/.local/share/recently-used.xbel read-write ${HOME}/.local/share +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qemu-launcher.profile ^
@@ -8,7 +8,6 @@ noblacklist ${HOME}/.qemu-launcher include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -20,10 +19,10 @@ notv protocol unix,inet,inet6 seccomp -shell none tracelog private-cache private-tmp noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qemu-system-x86_64.profile ^
@@ -7,7 +7,6 @@ include globals.local include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -19,10 +18,10 @@ notv protocol unix,inet,inet6 seccomp -shell none tracelog private-cache private-tmp noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qgis.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -47,14 +46,15 @@ # blacklisting of mbind system calls breaks old version seccomp !mbind protocol unix,inet,inet6,netlink -shell none tracelog disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qlipper.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,10 +29,10 @@ novideo protocol unix seccomp -shell none disable-mnt private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qmmp.profile ^
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -29,7 +28,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin bzip2,gzip,qmmp,tar,unzip @@ -38,3 +36,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qnapi.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -42,15 +41,16 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-bin 7z,qnapi private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-opt none private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qpdfview.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none tracelog private-bin qpdfview @@ -45,3 +43,5 @@ # needs D-Bus when started from a file manager # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qq.profile ^
@@ -0,0 +1,11 @@ +# Firejail profile for qq +# Description: IM client based on Electron +# This file is overwritten after every install/update +# Persistent local customizations +include qq.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include linuxqq.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qrencode.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -40,7 +39,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -48,7 +46,7 @@ private-bin qrencode private-cache private-dev -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-lib libpcre* private-tmp @@ -56,3 +54,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qtox.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,17 +36,17 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin qtox private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/quassel.profile ^
@@ -24,3 +24,5 @@ private-cache private-tmp + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/quaternion.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,7 +40,6 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -53,3 +51,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/quiterss.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -46,7 +45,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -54,3 +52,4 @@ private-dev # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/quodlibet.profile ^
@@ -21,7 +21,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -55,7 +54,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog private-bin exfalso,operon,python*,quodlibet,sh @@ -65,3 +63,5 @@ private-tmp dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qupzilla.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/qupzilla
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/qutebrowser.profile ^
@@ -10,14 +10,19 @@ noblacklist ${HOME}/.config/qutebrowser noblacklist ${HOME}/.local/share/qutebrowser +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.cache/qutebrowser mkdir ${HOME}/.config/qutebrowser @@ -26,8 +31,14 @@ whitelist ${HOME}/.cache/qutebrowser whitelist ${HOME}/.config/qutebrowser whitelist ${HOME}/.local/share/qutebrowser +whitelist /usr/share/qutebrowser include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd @@ -37,4 +48,22 @@ protocol unix,inet,inet6,netlink # blacklisting of chroot system calls breaks qt webengine seccomp !chroot,!name_to_handle_at -# tracelog +#tracelog + +disable-mnt +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl +private-tmp + +dbus-user filter +dbus-user.own org.mpris.MediaPlayer2.qutebrowser.* +dbus-user.talk org.freedesktop.Notifications +# Add the next line to your qutebrowser.local to allow screen sharing under wayland. +#dbus-user.talk org.freedesktop.portal.Desktop +# Add the next line to your qutebrowser.local if screen sharing sharing still does not work +# with the above lines (might depend on the portal implementation). +#ignore noroot +dbus-system none + +#restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/raincat.profile ^
@@ -0,0 +1,49 @@ +# Firejail profile for raincat +# This file is overwritten after every install/update +# Persistent local customizations +include raincat.local +# Persistent global definitions +include globals.local + +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/share/games +whitelist /usr/share/timidity +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +net none +seccomp +tracelog + +disable-mnt +private +private-bin raincat +private-cache +private-dev +private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg +#private-lib +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rambox.profile ^
@@ -7,8 +7,8 @@ include globals.local noblacklist ${HOME}/.config/Rambox -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki include disable-common.inc include disable-devel.inc @@ -16,12 +16,12 @@ include disable-programs.inc mkdir ${HOME}/.config/Rambox -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki whitelist ${DOWNLOADS} whitelist ${HOME}/.config/Rambox -whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki +whitelist ${HOME}/.pki include whitelist-common.inc caps.drop all @@ -35,4 +35,6 @@ # electron-based application, needing chroot #seccomp seccomp !chroot -# tracelog +#tracelog + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/redeclipse.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rednotebook.profile ^
@@ -0,0 +1,67 @@ +# Firejail profile for rednotebook +# Description: Daily journal with calendar, templates and keyword searching +# This file is overwritten after every install/update +# Persistent local customizations +include rednotebook.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/rednotebook +noblacklist ${HOME}/.rednotebook + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc + +mkdir ${HOME}/.cache/rednotebook +mkdir ${HOME}/.rednotebook +whitelist ${HOME}/.cache/rednotebook +whitelist ${HOME}/.rednotebook +whitelist ${DESKTOP} +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +whitelist ${PICTURES} +whitelist ${VIDEOS} +whitelist /usr/libexec/webkit2gtk-4.0 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin python3*,rednotebook +private-cache +private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/redshift.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc @@ -40,7 +39,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -52,3 +50,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/regextester.profile ^
@@ -9,7 +9,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc include disable-shell.inc @@ -37,14 +36,13 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin regextester private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib libgranite.so.* private-tmp @@ -54,3 +52,4 @@ # never write anything read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/remmina.profile ^
@@ -13,11 +13,13 @@ # Allow ssh (blacklisted by disable-common.inc) include allow-ssh.inc +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,9 +37,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/retroarch.profile ^
@@ -0,0 +1,55 @@ +# Firejail profile for retroarch +# Description: retroarch is a frontend to libretro emulator cores. +# This file is overwritten after every install/update +# Persistent local customizations +include retroarch.local +# Persistent global definitions +include globals.local + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/retroarch +whitelist ${HOME}/.config/retroarch +whitelist /run/udev +whitelist /usr/share/retroarch +whitelist /usr/share/libretro +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +# If you need access to cameras, add `ignore novideo` to retroarch.local +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin retroarch +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rhythmbox.profile ^
@@ -21,7 +21,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -47,7 +46,6 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none tracelog private-bin rhythmbox,rhythmbox-client @@ -65,3 +63,5 @@ dbus-user.talk org.gnome.SettingsDaemon.MediaKeys dbus-system filter dbus-system.talk org.freedesktop.Avahi + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ricochet.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -34,10 +33,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin ricochet,tor private-dev #private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11 +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ripperx.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-cache @@ -42,3 +40,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ristretto.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -35,9 +34,9 @@ novideo protocol unix seccomp -shell none private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rpcs3.profile ^
@@ -0,0 +1,63 @@ +# Firejail profile for RPCS3 emulator +# Description: RPCS3 emulator +# This file is overwritten after every install/update +# Persistent local customizations +include rpcs3.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/rpcs3 +noblacklist ${HOME}/.cache/rpcs3 +# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise +# won't even start. +noblacklist /sbin +noblacklist /usr/sbin + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc # disable if PPU compilation crashes +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/rpcs3 +mkdir ${HOME}/.config/rpcs3 +whitelist ${HOME}/.cache/rpcs3 +whitelist ${HOME}/.config/rpcs3 +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +netfilter +nodvd +nogroups +#noinput +nonewprivs +noroot +noprinters +notv +nou2f +novideo +protocol unix,netlink +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +#private-cache +#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rsync-download_only.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,17 +42,17 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin rsync private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rtin.profile ^
@@ -5,4 +5,5 @@ # Persistent local customizations include rtin.local +# Redirect include tin.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rtorrent.profile ^
@@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -27,9 +26,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin rtorrent private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/rtv.profile ^
@@ -27,7 +27,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -53,7 +52,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -64,3 +62,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sayonara.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -28,10 +27,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin sayonara private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scallion.profile ^
@@ -14,7 +14,6 @@ include disable-common.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,7 +33,6 @@ novideo protocol unix seccomp -shell none disable-mnt private @@ -43,3 +41,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scorched3d.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -49,3 +47,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scorchwentbonkers.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,15 +36,16 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt private-bin scorchwentbonkers private-cache private-dev -private-etc alsa,asound.conf,machine-id,pulse +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/scribus.profile ^
@@ -34,7 +34,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -54,7 +53,6 @@ novideo protocol unix seccomp -shell none tracelog # private-bin gimp*,gs,scribus @@ -63,3 +61,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sdat2img.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none private-bin env,python*,sdat2img private-cache @@ -43,3 +41,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seafile-applet.profile ^
@@ -0,0 +1,63 @@ +# Firejail profile for Seafile +# Description: Seafile desktop client. +# This file is overwritten after every install/update +# Persistent local customizations +include seafile-applet.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/Seafile +noblacklist ${HOME}/Seafile/.seafile-data + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.ccnet +mkdir ${HOME}/.config/Seafile +mkdir ${HOME}/Seafile +whitelist ${HOME}/.ccnet +whitelist ${HOME}/.config/Seafile +whitelist ${HOME}/Seafile + +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin seaf-cli,seaf-daemon,seafile-applet +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +#private-opt none +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse-adventures.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,7 +40,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -49,8 +47,10 @@ private-bin bash,dash,python*,seahorse-adventures,sh private-cache private-dev -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse-daemon.profile ^
@@ -8,6 +8,9 @@ # added by included profile #include globals.local +blacklist ${RUNUSER}/wayland-* +include disable-X11.inc + memory-deny-write-execute # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse-tool.profile ^
@@ -7,9 +7,5 @@ # added by included profile #include globals.local -# private-etc workaround for: #2877 -private-etc firejail,login.defs,passwd -private-tmp - # Redirect include seahorse.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seahorse.profile ^
@@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.gnupg # Allow ssh (blacklisted by disable-common.inc) @@ -17,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -55,17 +52,20 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-cache private-dev -private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg +private-tmp writable-run-user dbus-user filter dbus-user.own org.gnome.seahorse dbus-user.own org.gnome.seahorse.Application +dbus-user.talk ca.desrt.dconf dbus-user.talk org.freedesktop.secrets dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/seamonkey.profile ^
@@ -7,9 +7,10 @@ include globals.local noblacklist ${HOME}/.cache/mozilla +noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.mozilla -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist ${HOME}/.pki include disable-common.inc include disable-devel.inc @@ -17,22 +18,24 @@ include disable-programs.inc mkdir ${HOME}/.cache/mozilla +mkdir ${HOME}/.gnupg mkdir ${HOME}/.mozilla -mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki +mkdir ${HOME}/.pki whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/gnome-mplayer/plugin whitelist ${HOME}/.cache/mozilla whitelist ${HOME}/.config/gnome-mplayer whitelist ${HOME}/.config/pipelight-silverlight5.1 whitelist ${HOME}/.config/pipelight-widevine +whitelist ${HOME}/.gnupg whitelist ${HOME}/.keysnail.js whitelist ${HOME}/.lastpass +whitelist ${HOME}/.local/share/pki whitelist ${HOME}/.mozilla whitelist ${HOME}/.pentadactyl whitelist ${HOME}/.pentadactylrc whitelist ${HOME}/.pki -whitelist ${HOME}/.local/share/pki whitelist ${HOME}/.vimperator whitelist ${HOME}/.vimperatorrc whitelist ${HOME}/.wine-pipelight @@ -53,3 +56,6 @@ disable-mnt # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl +writable-run-user + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/semver.profile ^
@@ -0,0 +1,11 @@ +# Firejail profile for semver +# Description: Part of the Node.js stack +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include semver.local +# Persistent global definitions +include globals.local + +# Redirect +include nodejs-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/server.profile ^
@@ -7,7 +7,6 @@ # [sudo] password for netblue: # Reading profile /etc/firejail/server.profile # Reading profile /etc/firejail/disable-common.inc -# Reading profile /etc/firejail/disable-passwdmgr.inc # Reading profile /etc/firejail/disable-programs.inc # # Note: you can use --noprofile to disable server.profile @@ -34,6 +33,7 @@ noblacklist /sbin noblacklist /usr/sbin +noblacklist /etc/init.d # noblacklist /var/opt blacklist /tmp/.X11-unix @@ -43,7 +43,6 @@ # include disable-devel.inc # include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc @@ -52,7 +51,9 @@ # include whitelist-usr-share-common.inc # include whitelist-var-common.inc -apparmor +# people use to install servers all over the place! +# apparmor runs executable only from default system locations +# apparmor caps # ipc-namespace machine-id @@ -61,15 +62,16 @@ nodvd # nogroups noinput -# nonewprivs +nonewprivs # noroot nosound notv nou2f novideo -# protocol unix,inet,inet6,netlink +protocol unix,inet,inet6,netlink,packet seccomp # shell none +tab # allow tab completion disable-mnt private @@ -81,12 +83,14 @@ # private-lib # private-opt none private-tmp +# writable-run-user +# writable-var +# writable-var-log dbus-user none # dbus-system none +# deterministic-shutdown # memory-deny-write-execute # read-only ${HOME} -# writable-run-user -# writable-var -# writable-var-log +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/servo.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,7 +36,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -48,3 +46,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sha256sum.profile ^
@@ -7,6 +7,9 @@ # Persistent global definitions include globals.local +# If you use nvm, add the below lines to your sha256sum.local +#noblacklist ${HOME}/.nvm + private-bin sha256sum # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shellcheck.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -41,7 +40,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog x11 none @@ -52,4 +50,4 @@ dbus-user none dbus-system none -memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shortwave.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,7 +39,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -49,3 +47,5 @@ private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shotcut.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -28,7 +27,6 @@ nou2f protocol unix seccomp -shell none tracelog #private-bin melt,nice,qmelt,shotcut @@ -37,3 +35,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/shotwell.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -44,13 +43,12 @@ novideo protocol unix seccomp -shell none tracelog private-bin shotwell private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-opt none private-tmp @@ -59,3 +57,5 @@ dbus-user.talk ca.desrt.dconf dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/signal-cli.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,7 +39,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -50,3 +48,5 @@ # Does not work with all Java configurations. You will notice immediately, so you might want to give it a try #private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/signal-desktop.profile ^
@@ -21,9 +21,14 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl -# allow D-Bus notifications dbus-user filter + +# allow D-Bus notifications dbus-user.talk org.freedesktop.Notifications + +# allow D-Bus communication with Firefox browsers for opening links +dbus-user.talk org.mozilla.* + ignore dbus-user none # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/silentarmy.profile ^
@@ -10,7 +10,6 @@ # include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -30,7 +29,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private @@ -39,3 +37,4 @@ private-opt none private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/simple-scan.profile ^
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,10 +32,11 @@ protocol unix,inet,inet6,netlink # blacklisting of ioperm system calls breaks simple-scan seccomp !ioperm -shell none tracelog # private-bin simple-scan # private-dev # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl # private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/simplescreenrecorder.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,9 +31,10 @@ nou2f protocol unix seccomp -shell none tracelog private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/simutrans.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.simutrans @@ -33,7 +32,6 @@ novideo protocol unix seccomp -shell none # private-bin simutrans private-dev @@ -41,3 +39,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/skanlite.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,7 +26,6 @@ protocol unix,inet,inet6,netlink # blacklisting of ioperm system calls breaks skanlite seccomp !ioperm -shell none # private-bin kbuildsycoca4,kdeinit4,skanlite # private-dev @@ -35,3 +33,5 @@ # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/skypeforlinux.profile ^
@@ -6,24 +6,28 @@ include globals.local # Disabled until someone reported positive feedback -ignore whitelist ${DOWNLOADS} -ignore include whitelist-common.inc ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc ignore include whitelist-var-common.inc ignore nou2f -ignore novideo -ignore private-dev -ignore dbus-user none -ignore dbus-system none # breaks Skype ignore apparmor +ignore dbus-user none ignore noexec /tmp +ignore novideo +ignore private-dev # needs /dev/disk noblacklist ${HOME}/.config/skypeforlinux -# private-dev - needs /dev/disk +mkdir ${HOME}/.config/skypeforlinux +whitelist ${HOME}/.config/skypeforlinux + +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +# Note: Skype will log out the current session on start-up without this: +dbus-user.talk org.kde.StatusNotifierWatcher # Redirect include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/slack.profile ^
@@ -26,7 +26,7 @@ whitelist ${HOME}/.config/Slack private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe # Redirect include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/slashem.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/games/slashem @@ -33,7 +32,6 @@ novideo #protocol unix,netlink #seccomp -shell none disable-mnt #private @@ -46,3 +44,4 @@ dbus-system none #memory-deny-write-execute +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/smplayer.profile ^
@@ -24,7 +24,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -45,7 +44,6 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none private-bin env,mplayer,mpv,python*,smplayer,smtube,waf,youtube-dl private-dev @@ -54,3 +52,5 @@ # problems with KDE # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/smtube.profile ^
@@ -19,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -41,9 +40,9 @@ noroot protocol unix,inet,inet6,netlink seccomp -shell none #no private-bin because users can add their own players to smtube and that would prevent that private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/smuxi-frontend-gnome.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -42,15 +41,16 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/snox.profile ^
@@ -5,8 +5,9 @@ # Persistent global definitions include globals.local -# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus -ignore whitelist /usr/share/chromium +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/softmaker-common.profile ^
@@ -6,9 +6,9 @@ # added by caller profile #include globals.local -# The offical packages install the desktop file under /usr/local/share/applications -# with an absolute Exec line. These files are NOT handelt by firecfg, -# therefore you must manualy copy them in you home and remove '/usr/bin/'. +# The official packages install the desktop file under /usr/local/share/applications +# with an absolute Exec line. These files are NOT handled by firecfg, +# therefore you must manually copy them in you home and remove '/usr/bin/'. noblacklist ${HOME}/SoftMaker @@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/office2018 @@ -38,14 +37,15 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free private-cache private-dev -private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sol.profile ^
@@ -9,7 +9,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -34,7 +33,6 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin sol @@ -46,3 +44,4 @@ dbus-system none # memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/songrec.profile ^
@@ -0,0 +1,55 @@ +# Firejail profile for songrec +# Description: An open-source Shazam client for Linux +# This file is overwritten after every install/update +# Persistent local customizations +include songrec.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/SongRec +noblacklist ${MUSIC} +noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +nowhitelist ${PICTURES} + +mkdir ${HOME}/.local/share/SongRec +whitelist ${HOME}/.local/share/SongRec +include whitelist-common.inc +include whitelist-player-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary + +disable-mnt +private-bin ffmpeg,songrec +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sound-juicer.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog private-cache @@ -42,3 +40,5 @@ # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/soundconverter.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -43,9 +42,9 @@ novideo protocol unix seccomp -shell none private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spectacle.profile ^
@@ -19,11 +19,10 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -mkfile ${HOME}/.config/spectaclerc +mkfile ${HOME}/.config/spectaclerc whitelist ${HOME}/.config/spectaclerc whitelist ${PICTURES} whitelist /usr/share/kconf_update/spectacle_newConfig.upd @@ -50,14 +49,13 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin spectacle private-cache private-dev -private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp dbus-user filter @@ -67,3 +65,5 @@ #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kglobalaccel dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spectral.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,7 +39,6 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -50,10 +48,10 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp -dbus-user none -# Add the next lines to your spectral.local to enable notification support. -#ignore dbus-user none -#dbus-user filter +dbus-user filter +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +# Add the next line to your spectral.local to enable notification support. #dbus-user.talk org.freedesktop.Notifications -#dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spectre-meltdown-checker.profile ^
@@ -10,6 +10,7 @@ noblacklist ${PATH}/mount noblacklist ${PATH}/umount +noblacklist /proc/config.gz # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc @@ -18,7 +19,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,12 +38,11 @@ novideo protocol unix seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap -shell none x11 none disable-mnt private -private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils +private-bin awk,basename,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,ps,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,unzstd,which,xz-utils private-cache private-tmp @@ -51,3 +50,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/spotify.profile ^
@@ -7,6 +7,7 @@ noblacklist ${HOME}/.cache/spotify noblacklist ${HOME}/.config/spotify +noblacklist ${HOME}/.config/spotify-adblock noblacklist ${HOME}/.local/share/spotify blacklist ${HOME}/.bashrc @@ -15,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/spotify @@ -23,6 +23,7 @@ mkdir ${HOME}/.local/share/spotify whitelist ${HOME}/.cache/spotify whitelist ${HOME}/.config/spotify +whitelist ${HOME}/.config/spotify-adblock whitelist ${HOME}/.local/share/spotify include whitelist-common.inc include whitelist-var-common.inc @@ -38,14 +39,13 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity private-dev # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,spotify-adblock,ssl private-opt spotify private-srv none private-tmp @@ -53,3 +53,5 @@ # dbus needed for MPRIS # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sqlitebrowser.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,12 +37,11 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none private-bin sqlitebrowser private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl private-tmp # breaks proxy creation @@ -51,3 +49,4 @@ # dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ssh-agent.profile ^
@@ -13,7 +13,6 @@ blacklist ${RUNUSER}/wayland-* include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -28,10 +27,11 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog writable-run-user dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ssh.profile ^
@@ -16,7 +16,6 @@ include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh @@ -40,7 +39,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-cache @@ -51,4 +49,6 @@ dbus-user none dbus-system none +deterministic-shutdown memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ssmtp.profile ^
@@ -0,0 +1,75 @@ +# Firejail profile for ssmtp +# Description: Extremely simple MTA to get mail off the system to a mailhub +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ssmtp.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER} +blacklist /usr/libexec + +noblacklist /etc/logcheck +noblacklist /etc/ssmtp +noblacklist /sbin +noblacklist /usr/sbin + +noblacklist ${DOCUMENTS} +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc +include disable-X11.inc + +mkfile ${HOME}/dead.letter +whitelist ${HOME}/dead.letter +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +#nogroups breaks app +noinput +nonewprivs +noprinters +#noroot breaks app +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +# private works but then we lose ${HOME}/dead.letter +# which is useful to get notified on mail issues +#private +private-bin mailq,newaliases,sendmail,ssmtp +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +restrict-namespaces +read-only ${HOME} +read-write ${HOME}/dead.letter
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/standardnotes-desktop.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/Standard Notes Backups @@ -39,7 +38,9 @@ disable-mnt private-dev private-tmp -private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg dbus-user none dbus-system none + +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/steam.profile ^
@@ -8,6 +8,7 @@ noblacklist ${HOME}/.config/Epic noblacklist ${HOME}/.config/Loop_Hero +noblacklist ${HOME}/.config/MangoHud noblacklist ${HOME}/.config/ModTheSpire noblacklist ${HOME}/.config/RogueLegacy noblacklist ${HOME}/.config/RogueLegacyStorageContainer @@ -17,9 +18,11 @@ noblacklist ${HOME}/.local/share/aspyr-media noblacklist ${HOME}/.local/share/bohemiainteractive noblacklist ${HOME}/.local/share/cdprojektred +noblacklist ${HOME}/.local/share/Colossal Order noblacklist ${HOME}/.local/share/Dredmor noblacklist ${HOME}/.local/share/FasterThanLight noblacklist ${HOME}/.local/share/feral-interactive +noblacklist ${HOME}/.local/share/HotlineMiami noblacklist ${HOME}/.local/share/IntoTheBreach noblacklist ${HOME}/.local/share/Paradox Interactive noblacklist ${HOME}/.local/share/PillarsOfEternity @@ -34,6 +37,8 @@ noblacklist ${HOME}/.local/share/vulkan noblacklist ${HOME}/.mbwarband noblacklist ${HOME}/.paradoxinteractive +noblacklist ${HOME}/.paradoxlauncher +noblacklist ${HOME}/.prey noblacklist ${HOME}/.steam noblacklist ${HOME}/.steampath noblacklist ${HOME}/.steampid @@ -51,11 +56,11 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Epic mkdir ${HOME}/.config/Loop_Hero +mkdir ${HOME}/.config/MangoHud mkdir ${HOME}/.config/ModTheSpire mkdir ${HOME}/.config/RogueLegacy mkdir ${HOME}/.config/unity3d @@ -65,9 +70,11 @@ mkdir ${HOME}/.local/share/aspyr-media mkdir ${HOME}/.local/share/bohemiainteractive mkdir ${HOME}/.local/share/cdprojektred +mkdir ${HOME}/.local/share/Colossal Order mkdir ${HOME}/.local/share/Dredmor mkdir ${HOME}/.local/share/FasterThanLight mkdir ${HOME}/.local/share/feral-interactive +mkdir ${HOME}/.local/share/HotlineMiami mkdir ${HOME}/.local/share/IntoTheBreach mkdir ${HOME}/.local/share/Paradox Interactive mkdir ${HOME}/.local/share/PillarsOfEternity @@ -81,11 +88,14 @@ mkdir ${HOME}/.local/share/vulkan mkdir ${HOME}/.mbwarband mkdir ${HOME}/.paradoxinteractive +mkdir ${HOME}/.paradoxlauncher +mkdir ${HOME}/.prey mkdir ${HOME}/.steam mkfile ${HOME}/.steampath mkfile ${HOME}/.steampid whitelist ${HOME}/.config/Epic whitelist ${HOME}/.config/Loop_Hero +whitelist ${HOME}/.config/MangoHud whitelist ${HOME}/.config/ModTheSpire whitelist ${HOME}/.config/RogueLegacy whitelist ${HOME}/.config/RogueLegacyStorageContainer @@ -96,9 +106,11 @@ whitelist ${HOME}/.local/share/aspyr-media whitelist ${HOME}/.local/share/bohemiainteractive whitelist ${HOME}/.local/share/cdprojektred +whitelist ${HOME}/.local/share/Colossal Order whitelist ${HOME}/.local/share/Dredmor whitelist ${HOME}/.local/share/FasterThanLight whitelist ${HOME}/.local/share/feral-interactive +whitelist ${HOME}/.local/share/HotlineMiami whitelist ${HOME}/.local/share/IntoTheBreach whitelist ${HOME}/.local/share/Paradox Interactive whitelist ${HOME}/.local/share/PillarsOfEternity @@ -113,6 +125,8 @@ whitelist ${HOME}/.local/share/vulkan whitelist ${HOME}/.mbwarband whitelist ${HOME}/.paradoxinteractive +whitelist ${HOME}/.paradoxlauncher +whitelist ${HOME}/.prey whitelist ${HOME}/.steam whitelist ${HOME}/.steampath whitelist ${HOME}/.steampid @@ -133,7 +147,6 @@ nodvd nogroups nonewprivs -# If you use nVidia you might need to add 'ignore noroot' to your steam.local. noroot notv nou2f @@ -142,14 +155,17 @@ protocol unix,inet,inet6,netlink # seccomp sometimes causes issues (see #2951, #3267). # Add 'ignore seccomp' to your steam.local if you experience this. -seccomp !ptrace -shell none +# mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 +# (see #4366). +seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2 +# process_vm_readv is used by GE-Proton7-18 (see #5185). +seccomp.32 !process_vm_readv # tracelog breaks integrated browser #tracelog # private-bin is disabled while in testing, but is known to work with multiple games. # Add the next line to your steam.local to enable private-bin. -#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity +#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,wget2,which,whoami,xterm,xz,zenity # Extra programs are available which might be needed for select games. # Add the next line to your steam.local to enable support for these programs. #private-bin java,java-config,mono @@ -159,8 +175,11 @@ private-dev # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' # to your steam.local to support those. -private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan private-tmp -# dbus-user none -# dbus-system none +#dbus-user none +#dbus-system none + +read-only ${HOME}/.config/MangoHud +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/stellarium.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -37,7 +36,6 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -45,3 +43,4 @@ private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/straw-viewer.profile ^
@@ -18,4 +18,4 @@ private-bin gtk-straw-viewer,straw-viewer # Redirect -include youtube-viewers-common.profile \ No newline at end of file +include youtube-viewers-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/strawberry.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,14 +36,15 @@ protocol unix,inet,inet6,netlink # blacklisting of ioprio_set system calls breaks strawberry seccomp !ioprio_set -shell none tracelog disable-mnt private-bin strawberry,strawberry-tagreader private-cache private-dev -private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/strings.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc #include disable-programs.inc include disable-shell.inc #include disable-xdg.inc @@ -39,7 +38,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog x11 none @@ -56,3 +54,4 @@ memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/subdownloader.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,15 +39,15 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/supertux2.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -31,7 +30,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -40,15 +38,16 @@ protocol unix,netlink seccomp seccomp.block-secondary -shell none tracelog disable-mnt # private-bin supertux2 private-cache -private-etc machine-id +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/supertuxkart.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -44,10 +43,9 @@ notv nou2f novideo -protocol unix,inet,inet6,bluetooth +protocol unix,inet,inet6,netlink,bluetooth seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -55,10 +53,12 @@ private-cache # Add the next line to your supertuxkart.local if you do not need controller support. #private-dev -private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl private-tmp private-opt none private-srv none dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/surf.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.surf @@ -29,12 +28,12 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sushi.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc include disable-shell.inc @@ -32,7 +31,6 @@ novideo protocol unix seccomp -shell none tracelog private-bin gjs,sushi @@ -47,3 +45,4 @@ read-only /run/mount read-only /run/media read-only ${HOME} +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sway.profile ^
@@ -0,0 +1,21 @@ +# Firejail profile for Sway +# Description: i3-compatible Wayland compositor +# This file is overwritten after every install/update +# Persistent local customizations +include sway.local +# Persistent global definitions +include globals.local + +# all applications started in sway will run in this profile +noblacklist ${HOME}/.config/sway +# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway +noblacklist ${HOME}/.config/i3 +include disable-common.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6 +seccomp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sylpheed.profile ^
@@ -15,12 +15,5 @@ # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed -dbus-user filter -dbus-user.talk ca.desrt.dconf -dbus-user.talk org.freedesktop.secrets -dbus-user.talk org.gnome.keyring.SystemPrompter -# Add the next line to your sylpheed.local to enable notifications. -# dbus-user.talk org.freedesktop.Notifications - # Redirect include email-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/synfigstudio.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -29,7 +28,6 @@ novideo protocol unix seccomp -shell none #private-bin ffmpeg,synfig,synfigstudio private-cache @@ -38,3 +36,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/sysprof.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -57,14 +56,13 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt #private-bin sysprof - breaks help menu private-cache private-dev -private-etc alternatives,fonts,ld.so.cache,machine-id,ssl +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl # private-lib - breaks help menu #private-lib gdk-pixbuf-2.,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so private-tmp @@ -76,3 +74,4 @@ dbus-user.talk ca.desrt.dconf # memory-deny-write-execute - breaks on Arch +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tar.profile ^
@@ -7,6 +7,9 @@ # Persistent global definitions include globals.local +# If you use nvm, add the below lines to your tar.local +#noblacklist ${HOME}/.nvm + # Included in archiver-common.profile ignore include disable-shell.inc @@ -14,7 +17,7 @@ # all capabilities this is automatically read-only. noblacklist /var/lib/pacman -private-etc alternatives,group,localtime,login.defs,passwd +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd #private-lib libfakeroot,liblzma.so.,libreadline.so. # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) writable-var
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tcpdump.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -45,3 +44,4 @@ private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/teams-for-linux.profile ^
@@ -11,6 +11,8 @@ ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc +ignore noinput + ignore dbus-user none ignore dbus-system none @@ -19,8 +21,8 @@ mkdir ${HOME}/.config/teams-for-linux whitelist ${HOME}/.config/teams-for-linux -private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh -private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl +private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl # Redirect include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/teamspeak3.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.ts3client @@ -35,9 +34,9 @@ novideo protocol unix,inet,inet6,netlink seccomp !chroot -shell none disable-mnt private-dev private-tmp +# restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/teeworlds.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -27,7 +26,6 @@ netfilter nodvd nogroups -noinput nonewprivs noroot notv @@ -35,7 +33,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -46,3 +43,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/telegram.profile ^
@@ -8,11 +8,13 @@ noblacklist ${HOME}/.TelegramDesktop noblacklist ${HOME}/.local/share/TelegramDesktop +# Allow opening hyperlinks +include allow-bin-sh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -22,6 +24,7 @@ whitelist ${HOME}/.TelegramDesktop whitelist ${HOME}/.local/share/TelegramDesktop whitelist ${DOWNLOADS} +whitelist /usr/share/TelegramDesktop include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -38,18 +41,20 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none disable-mnt -#private-bin telegram,Telegram,telegram-desktop +private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open private-cache private-dev -private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg +private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp dbus-user filter +dbus-user.own org.telegram.desktop.* dbus-user.talk org.freedesktop.Notifications -dbus-user.talk org.kde.StatusNotifierWatcher +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher dbus-user.talk org.gnome.Mutter.IdleMonitor dbus-user.talk org.freedesktop.ScreenSaver dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/telnet.profile ^
@@ -0,0 +1,54 @@ +# Firejail profile for telnet +# Description: standard telnet client +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include telnet.local +# Persistent global definitions +include globals.local + +noblacklist ${PATH}/telnet + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +#include disable-shell.inc +include disable-write-mnt.inc +include disable-X11.inc +include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +tracelog + +#disable-mnt +#private-bin PROGRAMS +private-cache +private-dev +#private-etc FILES +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +noexec ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/terasology.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.java @@ -38,7 +37,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-dev @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tesseract.profile ^
@@ -0,0 +1,65 @@ +# Firejail profile for tesseract +# Description: An OCR program +# This file is overwritten after every install/update +# Persistent local customizations +include tesseract.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER} + +noblacklist ${DOCUMENTS} +noblacklist ${PICTURES} +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${PICTURES} +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +whitelist /usr/share/tessdata +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +hostname tesseract +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +seccomp +tracelog +x11 none + +#disable-mnt +private-bin ambiguous_words,classifier_tester,cntraining,combine_lang_model,combine_tessdata,dawg2wordlist,lstmeval,lstmtraining,merge_unicharsets,mftraining,set_unicharset_properties,shapeclustering,tesseract,text2image,unicharset_extractor,wordlist2dawg +private-cache +private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload +#private-lib libtesseract.so.* +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/thunderbird.profile ^
@@ -31,7 +31,6 @@ # noblacklist ${HOME}/.icedove noblacklist ${HOME}/.thunderbird -include disable-passwdmgr.inc include disable-xdg.inc # If you have setup Thunderbird to archive emails to a local folder, @@ -48,6 +47,7 @@ whitelist ${HOME}/.thunderbird whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 whitelist /usr/share/mozilla whitelist /usr/share/thunderbird whitelist /usr/share/webext
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tilp.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -25,12 +24,12 @@ novideo protocol unix,netlink seccomp -shell none tracelog disable-mnt private-bin tilp private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tin.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -52,14 +51,13 @@ protocol inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin rtin,tin private-cache private-dev -private-etc passwd,resolv.conf,terminfo,tin +private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin private-lib terminfo private-tmp @@ -67,3 +65,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tmux.profile ^
@@ -15,7 +15,6 @@ # include disable-common.inc # include disable-devel.inc # include disable-exec.inc -include disable-passwdmgr.inc # include disable-programs.inc caps.drop all @@ -35,7 +34,6 @@ protocol unix,inet,inet6,netlink seccomp seccomp.block-secondary -shell none tracelog # private-cache @@ -44,3 +42,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tor-browser.profile ^
@@ -7,9 +7,12 @@ #include globals.local noblacklist ${HOME}/.tor-browser +noblacklist ${HOME}/.local/opt/tor-browser mkdir ${HOME}/.tor-browser whitelist ${HOME}/.tor-browser +mkdir ${HOME}/.local/opt/tor-browser +whitelist ${HOME}/.local/opt/tor-browser # Redirect include torbrowser-launcher.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tor.profile ^
@@ -21,7 +21,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,13 +39,14 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private private-bin bash,tor private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor private-tmp writable-var + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/torbrowser-launcher.profile ^
@@ -15,14 +15,13 @@ include allow-python2.inc include allow-python3.inc -blacklist /opt blacklist /srv +blacklist /sys/class/net include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +30,7 @@ whitelist ${DOWNLOADS} whitelist ${HOME}/.config/torbrowser whitelist ${HOME}/.local/share/torbrowser +whitelist /opt/tor-browser whitelist /usr/share/torbrowser-launcher include whitelist-common.inc include whitelist-var-common.inc @@ -53,7 +53,6 @@ novideo protocol unix,inet,inet6 seccomp !chroot -shell none #tracelog - may cause issues, see #1930 disable-mnt @@ -64,3 +63,5 @@ dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/torbrowser.profile ^
@@ -0,0 +1,27 @@ +# Firejail profile for torbrowser +# Description: This profile was tested with www-client/torbrowser::torbrowser +# on Gentoo Linux. +# This file is overwritten after every install/update +# Persistent local customizations +include torbrowser.local +# Persistent global definitions +include globals.local + +ignore dbus-user none + +noblacklist ${HOME}/.cache/mozilla +noblacklist ${HOME}/.mozilla + +blacklist /usr/libexec +blacklist /sys/class/net + +mkdir ${HOME}/.cache/mozilla/torbrowser +mkdir ${HOME}/.mozilla +whitelist ${HOME}/.cache/mozilla/torbrowser +whitelist ${HOME}/.mozilla +include whitelist-usr-share-common.inc + +dbus-user filter +dbus-user.own org.mozilla.torbrowser.* + +include firefox-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/torcs.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,7 +28,6 @@ net none nodvd nogroups -noinput nonewprivs noroot notv @@ -37,7 +35,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -48,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/totem.profile ^
@@ -20,7 +20,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -46,7 +45,6 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog private-bin totem @@ -59,3 +57,5 @@ # makes settings immutable # dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tracker.profile ^
@@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -32,9 +31,10 @@ novideo protocol unix seccomp -shell none tracelog # private-bin tracker # private-dev # private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transgui.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -40,13 +39,12 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog private-bin geoiplookup,geoiplookup6,transgui private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib libgdk_pixbuf-2.0.so.,libGeoIP.so,libgthread-2.0.so.,libgtk-x11-2.0.so.,libX11.so.* private-tmp @@ -54,3 +52,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-cli.profile ^
@@ -8,7 +8,7 @@ include globals.local private-bin transmission-cli -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Redirect include transmission-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-common.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/transmission @@ -41,15 +40,14 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog private-cache private-dev -private-lib private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-daemon.profile ^
@@ -17,7 +17,7 @@ protocol packet private-bin transmission-daemon -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl read-write /var/lib/transmission writable-var-log
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-gtk.profile ^
@@ -12,6 +12,12 @@ private-bin transmission-gtk private-cache +# If you need native notifications, add the next lines to your transmission-gtk.local. +#ignore dbus-user none +#dbus-user filter +#dbus-user.own com.transmissionbt.Transmission.* +#dbus-user.talk org.freedesktop.Notifications + ignore memory-deny-write-execute # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-qt.profile ^
@@ -9,8 +9,11 @@ private-bin transmission-qt -# private-lib - breaks on Arch -ignore private-lib +# If you need native notifications, add the next lines to your transmission-qt.local. +#ignore dbus-user none +#dbus-user filter +#dbus-user.own com.transmissionbt.Transmission.* +#dbus-user.talk org.freedesktop.Notifications ignore memory-deny-write-execute
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-remote-gtk.profile ^
@@ -12,9 +12,7 @@ mkdir ${HOME}/.config/transmission-remote-gtk whitelist ${HOME}/.config/transmission-remote-gtk -private-etc fonts,hostname,hosts,resolv.conf -# Problems with private-lib (see issue #2889) -ignore private-lib +private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf ignore memory-deny-write-execute
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-remote.profile ^
@@ -8,7 +8,7 @@ include globals.local private-bin transmission-remote -private-etc alternatives,hosts,nsswitch.conf +private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf # Redirect include transmission-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/transmission-show.profile ^
@@ -8,7 +8,7 @@ include globals.local private-bin transmission-show -private-etc alternatives,hosts,nsswitch.conf +private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf # Redirect include transmission-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tremulous.profile ^
@@ -8,11 +8,13 @@ noblacklist ${HOME}/.tremulous +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,14 +40,15 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt -private-bin tremded,tremulous,tremulous-wrapper +private-bin env,sh,tremded,tremulous,tremulous-wrapper private-cache private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/trojita.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -47,7 +46,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog # disable-mnt @@ -55,7 +53,7 @@ private-bin trojita private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg private-tmp dbus-user filter @@ -63,3 +61,4 @@ dbus-system none read-only ${HOME}/.mozilla/firefox/profiles.ini +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/truecraft.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/mono @@ -32,9 +31,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-dev private-tmp +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tuir.profile ^
@@ -0,0 +1,23 @@ +# Firejail profile for tuir +# Description: Browse Reddit from your terminal (rtv fork) +# This file is overwritten after every install/update +# Persistent local customizations +include tuir.local +# Persistent global definitions +#include globals.local + +ignore mkdir ${HOME}/.config/rtv +ignore mkdir ${HOME}/.local/share/rtv + +noblacklist ${HOME}/.config/tuir +noblacklist ${HOME}/.local/share/tuir + +mkdir ${HOME}/.config/tuir +mkdir ${HOME}/.local/share/tuir +whitelist ${HOME}/.config/tuir +whitelist ${HOME}/.local/share/tuir + +private-bin tuir + +# Redirect +include rtv.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tuxguitar.profile ^
@@ -20,7 +20,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -44,3 +43,5 @@ private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/tvbrowser.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -42,7 +41,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -52,3 +50,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/twitch.profile ^
@@ -17,8 +17,8 @@ mkdir ${HOME}/.config/Twitch whitelist ${HOME}/.config/Twitch -private-bin twitch -private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-bin electron,electron[0-9],electron[0-9][0-9],twitch +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt Twitch # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/udiskie.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,7 +32,6 @@ novideo protocol unix seccomp !request_key -shell none tracelog private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop @@ -44,3 +42,5 @@ private-dev private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uefitool.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,7 +29,6 @@ novideo protocol unix seccomp -shell none private-cache private-dev @@ -38,3 +36,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uget-gtk.profile ^
@@ -32,8 +32,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin uget-gtk private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unbound.profile ^
@@ -10,18 +10,20 @@ noblacklist /usr/sbin blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* +blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/dns include whitelist-usr-share-common.inc +whitelist /var/lib/ca-certificates +read-only /var/lib/ca-certificates whitelist /var/lib/unbound whitelist /var/run @@ -38,7 +40,7 @@ nou2f novideo protocol inet,inet6 -seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice +seccomp !chroot disable-mnt private @@ -49,5 +51,5 @@ dbus-user none dbus-system none -# mdwe can break modules/plugins memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unf.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,7 +40,6 @@ novideo protocol unix seccomp -shell none tracelog x11 none @@ -50,7 +48,7 @@ private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -private-etc alternatives +private-etc alternatives,ld.so.cache,ld.so.preload private-lib gcc///libgcc_s.so.* private-tmp @@ -58,3 +56,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unknown-horizons.profile ^
@@ -10,7 +10,6 @@ include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.unknown-horizons @@ -33,7 +32,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none disable-mnt # private-bin unknown-horizons @@ -43,3 +41,4 @@ # doesn't work - maybe all Tcl/Tk programs have this problem # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unrar.profile ^
@@ -8,7 +8,7 @@ include globals.local private-bin unrar -private-etc alternatives,group,localtime,passwd +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd private-tmp # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/unzip.profile ^
@@ -10,7 +10,7 @@ # GNOME Shell integration (chrome-gnome-shell) noblacklist ${HOME}/.local/share/gnome-shell -private-etc alternatives,group,localtime,passwd +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd # Redirect include archiver-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/utox.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,14 +36,14 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin utox private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uudeview.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -35,14 +34,15 @@ novideo protocol unix seccomp -shell none tracelog x11 none private-bin uudeview private-cache private-dev -private-etc alternatives,ld.so.preload +private-etc alternatives,ld.so.cache,ld.so.preload dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/uzbl-browser.profile ^
@@ -8,6 +8,7 @@ noblacklist ${HOME}/.config/uzbl noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.local/share/uzbl +noblacklist ${HOME}/.password-store # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc @@ -38,3 +39,5 @@ protocol unix,inet,inet6 seccomp tracelog + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/viewnior.profile ^
@@ -16,10 +16,10 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +whitelist /usr/share/viewnior include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -38,16 +38,16 @@ novideo protocol unix seccomp -shell none tracelog private-bin viewnior private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none dbus-system none #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/viking.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,8 +30,8 @@ nou2f protocol unix,inet,inet6 seccomp -shell none private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vim.profile ^
@@ -14,7 +14,6 @@ include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -33,3 +32,5 @@ seccomp private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/virtualbox.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,13 +39,12 @@ nodvd #nogroups notv -shell none tracelog #disable-mnt #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox,vbox,whoami private-cache -private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vlc.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc read-only ${DESKTOP} @@ -28,9 +27,11 @@ whitelist ${HOME}/.local/share/vlc include whitelist-common.inc include whitelist-player-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc -#apparmor - on Ubuntu 18.04 it refuses to start without dbus access +apparmor caps.drop all netfilter nogroups @@ -40,15 +41,17 @@ nou2f protocol unix,inet,inet6,netlink seccomp -shell none private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc private-dev private-tmp -# dbus needed for MPRIS -# dbus-user none -# dbus-system none +dbus-user filter +dbus-user.own org.mpris.MediaPlayer2.vlc +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.ScreenSaver +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.talk org.mpris.MediaPlayer2.Player +dbus-system none -# mdwe is disabled due to breaking hardware accelerated decoding -#memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vmware-view.profile ^
@@ -7,6 +7,7 @@ include globals.local noblacklist ${HOME}/.vmware +noblacklist /usr/lib/vmware noblacklist /sbin noblacklist /usr/sbin @@ -17,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,7 +43,6 @@ protocol unix,inet,inet6 seccomp !iopl seccomp.block-secondary -shell none tracelog disable-mnt @@ -55,3 +54,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vmware.profile ^
@@ -8,12 +8,12 @@ noblacklist ${HOME}/.cache/vmware noblacklist ${HOME}/.vmware +noblacklist /usr/lib/vmware include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,12 +33,11 @@ netfilter nogroups notv -shell none tracelog #disable-mnt # Add the next line to your vmware.local to enable private-bin. #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_,vmnet-,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* -private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix +private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix dbus-user none dbus-system none
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vscodium.profile ^
@@ -1,4 +1,4 @@ -# Firejail profile alias for Visual Studio Code +# Firejail profile alias for VSCodium # This file is overwritten after every install/update # Persistent local customizations include vscodium.local @@ -7,6 +7,7 @@ #include globals.local noblacklist ${HOME}/.VSCodium +noblacklist ${HOME}/.config/VSCodium # Redirect include code.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/vym.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -29,9 +28,9 @@ novideo protocol unix seccomp -shell none disable-mnt private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/w3m.profile ^
@@ -27,7 +27,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -56,17 +55,17 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin perl,sh,w3m private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/warmux.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,15 +42,16 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin warmux private-cache private-dev -private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/warsow.profile ^
@@ -11,11 +11,13 @@ noblacklist ${HOME}/.cache/warsow-2.1 noblacklist ${HOME}/.local/share/warsow-2.1 +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -35,22 +37,22 @@ netfilter nodvd nogroups -noinput nonewprivs noroot notv nou2f novideo -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt -private-bin warsow +private-bin basename,bash,dirname,sed,sh,uname,warsow private-cache private-dev private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/warzone2100.profile ^
@@ -7,20 +7,22 @@ include globals.local noblacklist ${HOME}/.warzone2100-3.* +noblacklist ${HOME}/.local/share/warzone2100-3.* include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -include disable-shell.inc +#include disable-shell.inc - problems on Debian 11 mkdir ${HOME}/.warzone2100-3.1 mkdir ${HOME}/.warzone2100-3.2 +whitelist ${HOME}/.local/share/warzone2100-3.3.0 # config dir moved under .local/share whitelist ${HOME}/.warzone2100-3.1 whitelist ${HOME}/.warzone2100-3.2 whitelist /usr/share/games +whitelist /usr/share/gdm include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -39,10 +41,11 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt -private-bin warzone2100 +private-bin bash,dash,sh,warzone2100,which private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/webstorm.profile ^
@@ -18,13 +18,12 @@ # Allow ssh (blacklisted by disable-common.inc) include allow-ssh.inc -noblacklist ${PATH}/node noblacklist ${HOME}/.nvm +noblacklist ${PATH}/node include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -39,8 +38,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/webui-aria2.profile ^
@@ -6,13 +6,13 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.nvm noblacklist ${PATH}/node include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,7 +29,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-cache private-dev @@ -37,3 +36,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/weechat-curses.profile ^
@@ -1,5 +1,6 @@ # Firejail profile alias for weechat # This file is overwritten after every install/update +quiet # Persistent local customizations include weechat-curses.local # Persistent global definitions
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/weechat.profile ^
@@ -1,6 +1,7 @@ # Firejail profile for weechat # Description: Fast, light and extensible chat client # This file is overwritten after every install/update +quiet # Persistent local customizations include weechat.local # Persistent global definitions @@ -27,3 +28,5 @@ # no private-bin support for various reasons: # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wesnoth.profile ^
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/wesnoth @@ -37,3 +36,5 @@ private-dev private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wget.profile ^
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.wget-hsts noblacklist ${HOME}/.wgetrc +# If you use nvm, add the below lines to your wget.local +#ignore read-only ${HOME}/.nvm +#noblacklist ${HOME}/.nvm + blacklist /tmp/.X11-unix blacklist ${RUNUSER} @@ -18,7 +22,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc # Depending on workflow you can add the next line to your wget.local. @@ -45,7 +48,6 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog private-bin wget @@ -59,3 +61,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wget2.profile ^
@@ -0,0 +1,20 @@ +# Firejail profile for wget2 +# Description: Updated version of the popular wget URL retrieval tool +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include wget2.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.config/wget +noblacklist ${HOME}/.local/share/wget +ignore noblacklist ${HOME}/.wgetrc + +private-bin wget2 +# Depending on workflow you can add the next line to your wget2.local. +#private-etc wget2rc + +# Redirect +include wget.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/whalebird.profile ^
@@ -10,6 +10,7 @@ ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc +ignore apparmor ignore dbus-user none ignore dbus-system none @@ -20,8 +21,8 @@ no3d -private-bin whalebird -private-etc fonts,machine-id +private-bin electron,electron[0-9],electron[0-9][0-9],whalebird +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl # Redirect include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/whois.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -40,7 +39,6 @@ protocol inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt @@ -48,7 +46,7 @@ private-bin bash,sh,whois private-cache private-dev -private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf +private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf private-lib gconv private-tmp @@ -56,3 +54,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/widelands.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -36,7 +35,6 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none tracelog disable-mnt @@ -47,3 +45,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wine.profile ^
@@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/wine noblacklist ${HOME}/.cache/winetricks noblacklist ${HOME}/.Steam noblacklist ${HOME}/.local/share/Steam @@ -17,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # whitelist /usr/share/wine @@ -40,3 +40,5 @@ seccomp private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wire-desktop.profile ^
@@ -26,7 +26,7 @@ whitelist ${HOME}/.config/Wire private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop -private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl # Redirect include electron.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wireshark.profile ^
@@ -17,7 +17,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,7 +26,7 @@ apparmor # caps.drop all -caps.keep dac_override,net_admin,net_raw +caps.keep dac_override,dac_read_search,net_admin,net_raw netfilter no3d # nogroups - breaks network traffic capture for unprivileged users @@ -41,14 +40,17 @@ novideo # protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols #seccomp -shell none tracelog # private-bin wireshark private-cache -private-dev +# private-dev prevents (some) interfaces from being shown. +# Add the below line to your wirehsark.local if you only want to inspect pcap files. +#private-dev # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl private-tmp dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wordwarvi.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,7 +37,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -46,8 +44,10 @@ private-bin wordwarvi private-cache private-dev -private-etc alsa,asound.conf,machine-id,pulse +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/wps.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -39,7 +38,6 @@ protocol unix,inet,inet6 # seccomp causes some minor issues. Add the next line to your wps.local if you can live with those. #seccomp -shell none tracelog private-cache @@ -48,3 +46,5 @@ dbus-user none dbus-system none + +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/x-terminal-emulator.profile ^
@@ -21,3 +21,4 @@ dbus-system none noexec /tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/x2goclient.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -34,7 +33,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog #private-bin nxproxy,x2goclient @@ -50,3 +48,4 @@ dbus-system none #memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xbill.profile ^
@@ -10,7 +10,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,7 +36,6 @@ novideo protocol unix seccomp -shell none tracelog disable-mnt @@ -45,7 +43,7 @@ private-bin xbill private-cache private-dev -private-etc none +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none @@ -53,3 +51,4 @@ memory-deny-write-execute read-only ${HOME} +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xcalc.profile ^
@@ -9,7 +9,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -31,7 +30,6 @@ novideo protocol unix seccomp -shell none disable-mnt private @@ -42,3 +40,5 @@ dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xchat.profile ^
@@ -21,3 +21,5 @@ seccomp # private-bin requires perl, python*, etc. + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xed.profile ^
@@ -18,7 +18,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -40,7 +39,6 @@ novideo protocol unix seccomp -shell none tracelog private-bin xed @@ -53,3 +51,4 @@ # xed uses python plugins, memory-deny-write-execute breaks python # memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfburn.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -24,9 +23,10 @@ novideo protocol unix seccomp -shell none tracelog # private-bin xfburn # private-dev # private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-dict.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -32,10 +31,10 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-mixer.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -41,13 +40,12 @@ novideo protocol unix seccomp -shell none disable-mnt private-bin xfce4-mixer,xfconf-query private-cache private-dev -private-etc alternatives,asound.conf,fonts,machine-id,pulse +private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user filter @@ -56,3 +54,4 @@ dbus-system none # memory-deny-write-execute - breaks on Arch +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-notes.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -34,10 +33,10 @@ novideo protocol unix seccomp -shell none disable-mnt private-cache private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xfce4-screenshooter.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -37,16 +36,16 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin xfce4-screenshooter,xfconf-query private-dev -private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp dbus-user none dbus-system none # memory-deny-write-execute -- see #3790 +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xiphos.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -41,12 +40,13 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt private-bin xiphos private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xlinks.profile ^
@@ -14,7 +14,7 @@ # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line private-bin xlinks -private-etc fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.preload # Redirect include links.profile
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xlinks2.profile ^
@@ -0,0 +1,20 @@ +# Firejail profile for xlinks2 +# Description: Text WWW browser (X11) +# This file is overwritten after every install/update +# Persistent local customizations +include xlinks2.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist /tmp/.X11-unix + +include whitelist-common.inc + +# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' +# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line +private-bin xlinks2 +private-etc alternatives,fonts,ld.so.cache,ld.so.preload + +# Redirect +include links2.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xmms.profile ^
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -27,7 +26,8 @@ novideo protocol unix,inet,inet6 seccomp -shell none private-bin xmms private-dev + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xmr-stak.profile ^
@@ -11,7 +11,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -33,15 +32,15 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private ${HOME}/.xmr-stak private-bin xmr-stak private-dev -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend private-opt cuda private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xonotic.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -33,7 +32,6 @@ netfilter nodvd nogroups -noinput nonewprivs noroot notv @@ -41,7 +39,6 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt @@ -56,3 +53,4 @@ read-only ${HOME} read-write ${HOME}/.xonotic +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xournal.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -38,15 +37,16 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-bin xournal private-cache private-dev -private-etc alternatives,fonts,group,machine-id,passwd +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd # TODO should use private-lib private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xournalpp.profile ^
@@ -7,6 +7,8 @@ # added by included profile #include globals.local +noblacklist ${HOME}/.cache/xournalpp +noblacklist ${HOME}/.config/xournalpp noblacklist ${HOME}/.xournalpp include allow-lua.inc @@ -16,14 +18,17 @@ whitelist /var/lib/texmf include whitelist-runuser-common.inc -#mkdir ${HOME}/.xournalpp +#mkdir ${HOME}/.cache/xournalpp +#mkdir ${HOME}/.config/xournalpp +#whitelist ${HOME}/.cache/xournalpp +#whitelist ${HOME}/.config/xournalpp #whitelist ${HOME}/.xournalpp #whitelist ${HOME}/.texlive20* #whitelist ${DOCUMENTS} #include whitelist-common.inc private-bin kpsewhich,pdflatex,xournalpp -private-etc latexmk.conf,texlive +private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive # Redirect include xournal.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xpdf.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none private-dev private-tmp @@ -44,3 +42,4 @@ dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xplayer.profile ^
@@ -16,7 +16,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc read-only ${DESKTOP} @@ -38,7 +37,6 @@ nou2f protocol unix,inet,inet6 seccomp -shell none tracelog private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer @@ -49,3 +47,5 @@ # makes settings immutable # dbus-user none # dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xpra.profile ^
@@ -22,7 +22,6 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/lib/xkb @@ -43,7 +42,6 @@ novideo protocol unix seccomp -shell none disable-mnt # private home directory doesn't work on some distros, so we go for a regular home @@ -53,3 +51,5 @@ private-dev # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xreader.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,12 +34,12 @@ novideo protocol unix seccomp -shell none tracelog private-bin xreader,xreader-previewer,xreader-thumbnailer private-dev -private-etc alternatives,fonts,ld.so.cache +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/xviewer.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc @@ -35,7 +34,6 @@ novideo protocol unix seccomp -shell none tracelog private-bin xviewer @@ -48,3 +46,4 @@ # dbus-system none memory-deny-write-execute +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/yandex-browser.profile ^
@@ -5,8 +5,9 @@ # Persistent global definitions include globals.local -# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus -ignore whitelist /usr/share/chromium +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/mozilla/extensions +ignore whitelist /usr/share/webext ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/yelp.profile ^
@@ -12,7 +12,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -50,14 +49,13 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin groff,man,tbl,troff,yelp private-cache private-dev -private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml +private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml private-tmp dbus-user filter @@ -76,3 +74,5 @@ # your yelp.local if you need PDF printing support. #noblacklist ${DOCUMENTS} #whitelist ${DOCUMENTS} + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-dl-gui.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -43,15 +42,16 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog disable-mnt private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl private-tmp dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-dl.profile ^
@@ -27,7 +27,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -53,16 +52,16 @@ protocol unix,inet,inet6 seccomp seccomp.block-secondary -shell none tracelog private-bin env,ffmpeg,python*,youtube-dl private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf +private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf private-tmp dbus-user none dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-viewer.profile ^
@@ -18,4 +18,4 @@ private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer # Redirect -include youtube-viewers-common.profile \ No newline at end of file +include youtube-viewers-common.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube-viewers-common.profile ^
@@ -19,11 +19,17 @@ include allow-python2.inc include allow-python3.inc +# The lines below are needed to find the default Firefox profile name, to allow +# opening links in an existing instance of Firefox (note that it still fails if +# there isn't a Firefox instance running with the default profile; see #5352) +noblacklist ${HOME}/.mozilla +whitelist ${HOME}/.mozilla/firefox/profiles.ini +read-only ${HOME}/.mozilla/firefox/profiles.ini + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -47,15 +53,19 @@ novideo protocol unix,inet,inet6 seccomp -shell none tracelog disable-mnt -private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python,sh,smplayer,stty,wget,which,xterm,youtube-dl +private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg private-tmp -dbus-user none +dbus-user filter +# allow D-Bus communication with firefox for opening links +dbus-user.talk org.mozilla.* + dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtube.profile ^
@@ -16,8 +16,8 @@ mkdir ${HOME}/.config/Youtube whitelist ${HOME}/.config/Youtube -private-bin youtube -private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-bin electron,electron[0-9],electron[0-9][0-9],youtube +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt Youtube # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/youtubemusic-nativefier.profile ^
@@ -13,8 +13,8 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164 whitelist ${HOME}/.config/youtubemusic-nativefier-040164 -private-bin youtubemusic-nativefier -private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt youtubemusic-nativefier # Redirect
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/yt-dlp.profile ^
@@ -0,0 +1,21 @@ +# Firejail profile for yt-dlp +# Description: Downloader of videos of various sites +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include yt-dlp.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.cache/yt-dlp +noblacklist ${HOME}/.config/yt-dlp +noblacklist ${HOME}/.config/yt-dlp.conf +noblacklist ${HOME}/yt-dlp.conf +noblacklist ${HOME}/yt-dlp.conf.txt + +private-bin ffprobe,yt-dlp +private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf + +# Redirect +include youtube-dl.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/ytmdesktop.profile ^
@@ -1,5 +1,5 @@ # Firejail profile for ytmdesktop -# Description: Unofficial electron based desktop warpper for YouTube Music +# Description: Unofficial electron based desktop wrapper for YouTube Music # This file is overwritten after every install/update # Persistent local customizations include youtube.local @@ -14,7 +14,7 @@ whitelist ${HOME}/.config/youtube-music-desktop-app # private-bin env,ytmdesktop -private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg # private-opt # Redirect
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zaproxy.profile ^
@@ -15,7 +15,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.java @@ -40,9 +39,9 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-dev private-tmp +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zart.profile ^
@@ -13,7 +13,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -30,10 +29,11 @@ nou2f protocol unix seccomp -shell none private-bin ffmpeg,ffplay,ffprobe,melt,zart private-dev dbus-user none dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zathura.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc @@ -44,7 +43,6 @@ protocol unix seccomp seccomp.block-secondary -shell none tracelog private-bin zathura @@ -61,3 +59,4 @@ read-only ${HOME} read-write ${HOME}/.config/zathura read-write ${HOME}/.local/share/zathura +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zeal.profile ^
@@ -6,27 +6,35 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.config/Zeal noblacklist ${HOME}/.cache/Zeal +noblacklist ${HOME}/.config/Zeal noblacklist ${HOME}/.local/share/Zeal include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc +include disable-proc.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +# Allow zeal to open links in Firefox browsers. +# This also requires dbus-user filtering (see below). +noblacklist ${HOME}/.mozilla +whitelist ${HOME}/.mozilla/firefox/profiles.ini +read-only ${HOME}/.mozilla/firefox/profiles.ini + mkdir ${HOME}/.cache/Zeal -mkdir ${HOME}/.config/qt5ct mkdir ${HOME}/.config/Zeal mkdir ${HOME}/.local/share/Zeal whitelist ${HOME}/.cache/Zeal whitelist ${HOME}/.config/Zeal whitelist ${HOME}/.local/share/Zeal include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -45,7 +53,7 @@ novideo protocol unix,inet,inet6,netlink seccomp -shell none +seccomp.block-secondary tracelog disable-mnt @@ -55,7 +63,10 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg private-tmp -dbus-user none +dbus-user filter +dbus-user.talk org.mozilla.* +?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none # memory-deny-write-execute - breaks on Arch +restrict-namespaces
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zim.profile ^
@@ -0,0 +1,72 @@ +# Firejail profile for Zim +# Description: Desktop wiki & notekeeper +# This file is overwritten after every install/update +# Persistent local customizations +include zim.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/zim +noblacklist ${HOME}/.config/zim + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc + +mkdir ${HOME}/.cache/zim +mkdir ${HOME}/.config/zim +mkdir ${HOME}/Notebooks +whitelist ${HOME}/.cache/zim +whitelist ${HOME}/.config/zim +whitelist ${HOME}/Notebooks +whitelist ${DESKTOP} +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +whitelist ${PICTURES} +whitelist ${VIDEOS} +whitelist /usr/share/zim +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +tracelog + +disable-mnt +private-bin python*,zim +private-cache +private-dev +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user none +dbus-system none + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/profile-m-z/zulip.profile ^
@@ -14,7 +14,6 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc @@ -39,11 +38,12 @@ novideo protocol unix,inet,inet6 seccomp -shell none disable-mnt private-bin locale,zulip private-cache private-dev -private-etc asound.conf,fonts,machine-id +private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp + +restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/templates/profile.template ^
@@ -102,13 +102,11 @@ #include allow-ssh.inc ##blacklist PATH -# Disable X11 (CLI only), see also 'x11 none' below -#blacklist /tmp/.X11-unix # Disable Wayland #blacklist ${RUNUSER}/wayland-* # Disable RUNUSER (cli only; supersedes Disable Wayland) #blacklist ${RUNUSER} -# Remove the next blacklist if you system has no /usr/libexec dir, +# Remove the next blacklist if your system has no /usr/libexec dir, # otherwise try to add it. #blacklist /usr/libexec @@ -118,10 +116,11 @@ #include disable-devel.inc #include disable-exec.inc #include disable-interpreters.inc -#include disable-passwdmgr.inc +#include disable-proc.inc #include disable-programs.inc #include disable-shell.inc #include disable-write-mnt.inc +#include disable-X11.inc #include disable-xdg.inc # This section often mirrors noblacklist section above. The idea is @@ -133,6 +132,7 @@ ##mkfile PATH #whitelist PATH #include whitelist-common.inc +#include whitelist-run-common.inc #include whitelist-runuser-common.inc #include whitelist-usr-share-common.inc #include whitelist-var-common.inc @@ -155,6 +155,7 @@ #nogroups #noinput #nonewprivs +#noprinters #noroot #nosound #notv @@ -173,7 +174,7 @@ ##seccomp-error-action log (only for debugging seccomp issues) #shell none #tracelog -# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set +# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set ##x11 none #disable-mnt @@ -205,7 +206,7 @@ # Since 0.9.63 also a more granular control of dbus is supported. # To get the dbus-addresses an application needs access to you can -# check with flatpak (when the application is distriputed that way): +# check with flatpak (when the application is distributed that way): # flatpak remote-info --show-metadata flathub <APP-ID> # Notes: # - flatpak implicitly allows an app to own <APP-ID> on the session bus @@ -213,16 +214,18 @@ # - In order to make dconf work (when used by the app) you need to allow # 'ca.desrt.dconf' even when not allowed by flatpak. # Notes and policies about addresses can be found at -# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> +# <https://github.com/netblue30/firejail/wiki/Restrict-DBus> #dbus-user filter #dbus-user.own com.github.netblue30.firejail #dbus-user.talk ca.desrt.dconf #dbus-user.talk org.freedesktop.Notifications #dbus-system none +##deterministic-shutdown ##env VAR=VALUE ##join-or-start NAME #memory-deny-write-execute ##noexec PATH ##read-only ${HOME} ##read-write ${HOME} +#restrict-namespaces
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/etc/templates/syscalls.txt ^
@@ -27,26 +27,26 @@ Definition of groups -------------------- -@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit -@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev +@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit,io_uring_enter,io_uring_register,io_uring_setup +@basic-io=_llseek,close,close_range,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old -@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext +@debug=lookup_dcookie,perf_event_open,pidfd_getfd,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup @default-nodebuggers=@default,ptrace,personality,process_vm_readv @default-keep=execveat,execve,prctl -@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes +@file-system=access,chdir,chmod,close,close_range,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,openat2,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select -@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget +@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_madvise,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget @keyring=add_key,keyctl,request_key @memlock=mlock,mlock2,mlockall,munlock,munlockall @module=delete_module,finit_module,init_module -@mount=chroot,mount,pivot_root,umount,umount2 +@mount=chroot,fsconfig,fsmount,fsopen,fspick,mount,move_mount,open_tree,pivot_root,umount,umount2 @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup -@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid +@process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write @reboot=kexec_load,kexec_file_load,reboot @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy @@ -89,18 +89,24 @@ What to do if seccomp breaks a program -------------------------------------- +Start `journalctl --grep=SECCOMP --follow` in a terminal and run +`firejail --seccomp-error-action=log /path/to/program` in a second terminal. +Now switch back to the first terminal (where `journalctl` is running) and look +for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you +have found them, you can stop `journalctl` (^C) and execute +`firejail --debug-syscalls \| grep NUMBER` to get the name of the syscall. +In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 \| grep NUMBER`. +Now you can add a seccomp exception using `seccomp !NAME`. + +If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. + ``` -$ journalctl --grep=syscall --follow -<...> audit[…]: SECCOMP <...> syscall=161 <...> -$ firejail --debug-syscalls \| grep 161 -161 - chroot +term1$ journalctl --grep=SECCOMP --follow +term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop +term1$ (journalctl --grep=SECCOMP --follow) +audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ... +^C +term1$ firejail --debug-syscalls \| grep "^161[[:space:]]" +161 - chroot ``` Profile: `seccomp -> seccomp !chroot` - -Start `journalctl --grep=syscall --follow` in a terminal, then start the broken -program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. -Stop journalctl (^C) and execute `firejail --debug-syscalls \| grep NUMBER`. You -will see something like `NUMBER - NAME`, because you now know the name of the -syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. - -If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/gcov.sh ^
@@ -1,10 +1,10 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 gcov_init() { - USER=`whoami` + USER="$(whoami)" firejail --help > /dev/null firemon --help > /dev/null /usr/lib/firejail/fnet --help > /dev/null @@ -20,22 +20,22 @@ /usr/lib/firejail/faudit --help > /dev/null /usr/lib/firejail/fbuilder --help > /dev/null - sudo chown $USER:$USER `find .` + find . -exec sudo chown "$USER:$USER" '{}' + } generate() { - lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new - lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file + lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new + lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file rm -fr gcov-dir genhtml -q gcov-file --output-directory gcov-dir - sudo rm `find . -name .gcda` + find . -name '.gcda' -exec sudo rm '{}' + cp gcov-file gcov-file-old gcov_init } gcov_init -lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old +lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old #make test-utils #generate
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/install.sh ^
@@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 echo "installing..."
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/linecnt.sh ^
@@ -1,10 +1,10 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 gcov_init() { - USER=`whoami` + USER="$(whoami)" firejail --help > /dev/null firemon --help > /dev/null /usr/lib/firejail/fnet --help > /dev/null @@ -20,12 +20,12 @@ /usr/lib/firejail/faudit --help > /dev/null /usr/lib/firejail/fbuilder --help > /dev/null - sudo chown $USER:$USER `find .` + find . -exec sudo chown "$USER:$USER" '{}' + } rm -fr gcov-dir gcov_init lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ - -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ - -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file + -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ + -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file genhtml -q gcov-file --output-directory gcov-dir
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/m4/ax_check_compile_flag.m4 ^
@@ -29,33 +29,12 @@ # Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de> # Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com> # -# This program is free software: you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 3 of the License, or (at your -# option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General -# Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program. If not, see <https://www.gnu.org/licenses/>. -# -# As a special exception, the respective Autoconf Macro's copyright owner -# gives unlimited permission to copy, distribute and modify the configure -# scripts that are the output of Autoconf when processing the Macro. You -# need not follow the terms of the GNU General Public License when using -# or distributing such scripts, even though portions of the text of the -# Macro appear in them. The GNU General Public License (GPL) does govern -# all other use of the material that constitutes the Autoconf Macro. -# -# This special exception to the GPL applies to versions of the Autoconf -# Macro released by the Autoconf Archive. When you make and distribute a -# modified version of the Autoconf Macro, you may extend this special -# exception to the GPL to apply to your modified version as well. +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. -#serial 5 +#serial 6 AC_DEFUN([AX_CHECK_COMPILE_FLAG], [AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkasc.sh ^
@@ -1,13 +1,13 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 echo "Calculating SHA256 for all files in /transfer - firejail version $1" -cd /transfer -sha256sum * > firejail-$1-unsigned -gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc -gpg --verify firejail-$1.asc -gpg --detach-sign --armor firejail-$1.tar.xz -rm firejail-$1-unsigned +cd /transfer \|\| exit 1 +sha256sum ./* > "firejail-$1-unsigned" +gpg --clearsign --digest-algo SHA256 < "firejail-$1-unsigned" > "firejail-$1.asc" +gpg --verify "firejail-$1.asc" +gpg --detach-sign --armor "firejail-$1.tar.xz" +rm "firejail-$1-unsigned"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkdeb.sh ^
@@ -0,0 +1,61 @@ +#!/bin/sh +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ +# a code archive should already be available + +set -e + +. "$(dirname "$0")/config.sh" + +EXTRA_VERSION=$1 + +test "$#" -gt 0 && shift + +CODE_ARCHIVE="$TARNAME-$VERSION.tar.xz" +CODE_DIR="$TARNAME-$VERSION" +INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" +DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" + +echo "***************************************" +echo "code archive: $CODE_ARCHIVE" +echo "code directory: $CODE_DIR" +echo "install directory: $INSTALL_DIR" +echo "debian control directory: $DEBIAN_CTRL_DIR" +echo "*************************************" + +tar -xJvf "$CODE_ARCHIVE" +#mkdir -p "$INSTALL_DIR" +cd "$CODE_DIR" +./configure --prefix=/usr "$@" +make -j2 +mkdir debian +DESTDIR=debian make install-strip + +cd .. +echo "*************************************" +SIZE="$(du -s "$INSTALL_DIR")" +echo "install size $SIZE" +echo "***************************************" + +mv "$INSTALL_DIR/usr/share/doc/firejail/RELNOTES" "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian" +gzip -9 -n "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian" +rm "$INSTALL_DIR/usr/share/doc/firejail/COPYING" +install -m644 "$CODE_DIR/platform/debian/copyright" "$INSTALL_DIR/usr/share/doc/firejail/." +mkdir -p "$DEBIAN_CTRL_DIR" +sed "s/FIREJAILVER/$VERSION/g" "$CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH)" > "$DEBIAN_CTRL_DIR/control" + +mkdir -p "$INSTALL_DIR/usr/share/lintian/overrides/" +install -m644 "$CODE_DIR/platform/debian/firejail.lintian-overrides" "$INSTALL_DIR/usr/share/lintian/overrides/firejail" + +find "$INSTALL_DIR/etc" -type f \| sed "s,^$INSTALL_DIR,," \| LC_ALL=C sort > "$DEBIAN_CTRL_DIR/conffiles" +chmod 644 "$DEBIAN_CTRL_DIR/conffiles" +find "$INSTALL_DIR" -type d -exec chmod 755 '{}' + +cd "$CODE_DIR" +fakeroot dpkg-deb --build debian +lintian --no-tag-display-limit debian.deb +mv debian.deb "../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb" +cd .. +rm -fr "$CODE_DIR"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mketc.sh ^
@@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 sed -i -e '
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkman.sh ^
@@ -1,12 +1,12 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set -e -sed "s/VERSION/$1/g" $2 > $3 -MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b` -sed -i "s/MONTH/$MONTH/g" $3 -YEAR=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y` -sed -i "s/YEAR/$YEAR/g" $3 +sed "s/VERSION/$1/g" "$2" > "$3" +MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)" +sed -i "s/MONTH/$MONTH/g" "$3" +YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)" +sed -i "s/YEAR/$YEAR/g" "$3"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/mkuid.sh ^
@@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 echo "extracting UID_MIN and GID_MIN" @@ -9,8 +9,8 @@ if [ -r /etc/login.defs ] then - UID_MIN=`awk '/^\sUID_MIN\s([0-9]).?$/ {print $2}' /etc/login.defs` - GID_MIN=`awk '/^\sGID_MIN\s([0-9]).?$/ {print $2}' /etc/login.defs` + UID_MIN="$(awk '/^\sUID_MIN\s([0-9]).?$/ {print $2}' /etc/login.defs)" + GID_MIN="$(awk '/^\sGID_MIN\s([0-9]).?$/ {print $2}' /etc/login.defs)" fi # use default values if not found
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/platform/debian/copyright ^
@@ -7,7 +7,7 @@ and networking stack isolation, and it runs on any recent Linux system. It includes a sandbox profile for Mozilla Firefox. - Copyright (C) 2014-2021 Firejail Authors (see README file for more details) + Copyright (C) 2014-2022 Firejail Authors (see README file for more details) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/platform/rpm/mkrpm.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/bash_completion/Makefile ^
@@ -0,0 +1,17 @@ +.PHONY: all +all: firejail.bash_completion + +ROOT = ../.. +-include $(ROOT)/config.mk + +firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk + gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp + sed "s\|_SYSCONFDIR_\|$(sysconfdir)\|" < $@.tmp > $@ + rm $@.tmp + +.PHONY: clean +clean: + rm -fr firejail.bash_completion + +.PHONY: distclean +distclean: clean
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/bash_completion/firejail.bash_completion.in ^
@@ -5,7 +5,7 @@ # http://bash-completion.alioth.debian.org #******************************************************************* -__interfaces(){ +__interfaces() { cut -f 1 -d ':' /proc/net/dev \| tail -n +3 \| grep -v lo \| xargs } @@ -42,10 +42,6 @@ _filedir -d return 0 ;; - --cgroup) - _filedir -d - return 0 - ;; --tmpfs) _filedir return 0 @@ -90,11 +86,11 @@ _filedir return 0 ;; - --net) - comps=$(__interfaces) + --net) + comps=$(__interfaces) COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) return 0 - ;; + ;; esac $split && return 0
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/Makefile ^
@@ -0,0 +1,9 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fbuilder +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/syscall.h + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_bin.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_fs.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -68,8 +68,23 @@ ptr += 7; else if (strncmp(ptr, "open ", 5) == 0) ptr += 5; + else if (strncmp(ptr, "opendir ", 8) == 0) + ptr += 8; + else if (strncmp(ptr, "connect ", 8) == 0) { + ptr += 8; + // file descriptor argument + if (!isdigit(ptr)) + continue; + while (isdigit(ptr)) + ptr++; + if (ptr++ != ' ') + continue; + if (ptr != '/') + continue; + } else continue; + if (strncmp(ptr, dir, dir_len) != 0) continue; @@ -117,8 +132,19 @@ if (strncmp(ptr, "/etc/firejail", 13) == 0) return; + // extract the directory: + assert(strncmp(ptr, "/etc", 4) == 0); + ptr += 4; + if (ptr != '/') + return; + ptr++; + + if (ptr == '/') // double '/' + ptr++; + if (ptr == '\0') + return; + // add only top files and directories - ptr += 5; // skip "/etc/" char end = strchr(ptr, '/'); if (end) end = '\0'; @@ -163,6 +189,11 @@ static FileDB var_out = NULL; static FileDB var_skip = NULL; static void var_callback(char ptr) { + // skip /var/lib/flatpak, /var/lib/snapd directory + if (strncmp(ptr, "/var/lib/flatpak", 16) == 0 \|\| + strncmp(ptr, "/var/lib/snapd", 14) == 0) + return; + // extract the directory: assert(strncmp(ptr, "/var", 4) == 0); char p1 = ptr + 4; @@ -191,6 +222,88 @@ fprintf(fp, "include whitelist-var-common.inc\n"); } +//**************************************** +// run directory +//***************************************** +static FileDB run_out = NULL; +static FileDB run_skip = NULL; +static void run_callback(char ptr) { + // skip /run/firejail + if (strncmp(ptr, "/run/firejail", 13) == 0) + return; + // skip files in /run/user + if (strncmp(ptr, "/run/user", 9) == 0) + return; + + // extract the directory: + assert(strncmp(ptr, "/run", 4) == 0); + char p1 = ptr + 4; + if (p1 != '/') + return; + p1++; + + if (p1 == '/') // double '/' + p1++; + if (p1 == '\0') + return; + + if (!filedb_find(run_skip, p1)) + run_out = filedb_add(run_out, p1); +} + +void build_run(const char fname, FILE fp) { + assert(fname); + + run_skip = filedb_load_whitelist(run_skip, "whitelist-run-common.inc", "whitelist /run/"); + process_files(fname, "/run", run_callback); + + // always whitelist /run + if (run_out) + filedb_print(run_out, "whitelist /run/", fp); + fprintf(fp, "include whitelist-run-common.inc\n"); +} + +//**************************************** +// ${RUNUSER} directory +//***************************************** +static char runuser_fname = NULL; +static FileDB runuser_out = NULL; +static FileDB runuser_skip = NULL; +static void runuser_callback(char ptr) { + // extract the directory: + assert(runuser_fname); + assert(strncmp(ptr, runuser_fname, strlen(runuser_fname)) == 0); + char p1 = ptr + strlen(runuser_fname); + if (p1 != '/') + return; + p1++; + + if (p1 == '/') // double '/' + p1++; + if (p1 == '\0') + return; + + if (!filedb_find(runuser_skip, p1)) + runuser_out = filedb_add(runuser_out, p1); +} + +void build_runuser(const char fname, FILE fp) { + assert(fname); + + if (asprintf(&runuser_fname, "/run/user/%d", getuid()) < 0) + errExit("asprintf"); + + if (!is_dir(runuser_fname)) + return; + + runuser_skip = filedb_load_whitelist(runuser_skip, "whitelist-runuser-common.inc", "whitelist ${RUNUSER}/"); + process_files(fname, runuser_fname, runuser_callback); + + // always whitelist /run/user/$UID + if (runuser_out) + filedb_print(runuser_out, "whitelist ${RUNUSER}/", fp); + fprintf(fp, "include whitelist-runuser-common.inc\n"); +} //***************************************** // usr/share directory @@ -236,9 +349,6 @@ //***************************************** static FileDB tmp_out = NULL; static void tmp_callback(char ptr) { - // skip strace file - if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) - return; if (strncmp(ptr, "/tmp/runtime-", 13) == 0) return; if (strcmp(ptr, "/tmp") == 0) @@ -289,6 +399,7 @@ "/dev/pts", "/dev/ptmx", "/dev/log", + "/dev/shm", "/dev/aload", // old ALSA devices, not covered in private-dev "/dev/dsp", // old OSS device, deprecated
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_home.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -68,6 +68,8 @@ ptr += 7; else if (strncmp(ptr, "open /home", 10) == 0) ptr += 5; + else if (strncmp(ptr, "opendir /home", 13) == 0) + ptr += 8; else continue; @@ -93,6 +95,9 @@ strcmp(ptr, ".bashrc") == 0) continue; + // skip flatpak files + if (strncmp(ptr, ".local/share/flatpak", 20) == 0) + continue; // try to find the relevant directory for this file char *dir = extract_dir(ptr);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_profile.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,7 +22,6 @@ #include <sys/wait.h> #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" -#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" void build_profile(int argc, char *argv, int index, FILE fp) { // next index is the application name @@ -31,79 +30,42 @@ exit(1); } - char trace_output[] = "/tmp/firejail-trace.XXXXXX"; - char strace_output[] = "/tmp/firejail-strace.XXXXXX"; - + char trace_output[] = TRACE_OUTPUT; int tfile = mkstemp(trace_output); - int stfile = mkstemp(strace_output); - if(tfile == -1 \|\| stfile == -1) + if(tfile == -1) errExit("mkstemp"); - - // close the files, firejail/strace will overwrite them! close(tfile); - close(stfile); - char output; - char stroutput; if(asprintf(&output,"--trace=%s",trace_output) == -1) errExit("asprintf"); - if(asprintf(&stroutput,"-o%s",strace_output) == -1) - errExit("asprintf"); - - char cmdlist[] = { - BINDIR "/firejail", - "--quiet", - "--noprofile", - "--caps.drop=all", - "--nonewprivs", - output, - "--shell=none", - "/usr/bin/strace", // also used as a marker in build_profile() - "-c", - "-f", - stroutput, - }; - - // detect strace and check if Yama LSM allows us to use it - int have_strace = 0; - int have_yama_permission = 1; - if (access("/usr/bin/strace", X_OK) == 0) { - have_strace = 1; - FILE ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); - if (ps) { - unsigned val; - if (fscanf(ps, "%u", &val) == 1) - have_yama_permission = (val < 2); - fclose(ps); - } - } // calculate command length - unsigned len = (int) sizeof(cmdlist) / sizeof(char) + argc - index + 1; - if (arg_debug) - printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char)), argc - index); - char cmd[len]; - cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error + unsigned len = 64; // plenty of space for firejail command line + len += argc - index; // program command line + len += 1; // NULL // build command - // skip strace if not installed, or no permission to use it - int skip_strace = !(have_strace && have_yama_permission); - unsigned i = 0; - for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char); i++) { - if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) - break; - cmd[i] = cmdlist[i]; - } + char *cmd[len]; + unsigned curr_len = 0; + cmd[curr_len++] = BINDIR "/firejail"; + cmd[curr_len++] = "--quiet"; + cmd[curr_len++] = "--noprofile"; + cmd[curr_len++] = "--caps.drop=all"; + cmd[curr_len++] = "--seccomp=!chroot"; + cmd[curr_len++] = output; + if (arg_appimage) + cmd[curr_len++] = "--appimage"; + + int i; + for (i = index; i < argc; i++) + cmd[curr_len++] = argv[i]; - int i2 = index; - for (; i < (len - 1); i++, i2++) - cmd[i] = argv[i2]; - assert(i < len); - cmd[i] = NULL; + assert(curr_len < len); + cmd[curr_len] = NULL; if (arg_debug) { - for (i = 0; i < len; i++) + for (i = 0; cmd[i]; i++) printf("%s%s\n", (i)?"\t":"", cmd[i]); } @@ -125,7 +87,7 @@ if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { if (fp == stdout) - printf("--- Built profile beings after this line ---\n"); + printf("--- Built profile begins after this line ---\n"); fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); @@ -147,7 +109,6 @@ fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n"); fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n"); fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n"); - fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n"); fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n"); fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n"); fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n"); @@ -160,8 +121,10 @@ fprintf(fp, "\n"); fprintf(fp, "### Filesystem Whitelisting ###\n"); - build_share(trace_output, fp); - //todo: include whitelist-runuser-common.inc + build_run(trace_output, fp); + build_runuser(trace_output, fp); + if (!arg_appimage) + build_share(trace_output, fp); build_var(trace_output, fp); fprintf(fp, "\n"); @@ -179,21 +142,14 @@ fprintf(fp, "#nou2f\t# disable U2F devices\n"); fprintf(fp, "#novideo\t# disable video capture devices\n"); build_protocol(trace_output, fp); - fprintf(fp, "seccomp\n"); - if (!have_strace) { - fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); - fprintf(fp, "### whitelisted seccomp filter.\n"); - } - else if (!have_yama_permission) - fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); - else - build_seccomp(strace_output, fp); + fprintf(fp, "seccomp !chroot\t# allowing chroot, just in case this is an Electron app\n"); fprintf(fp, "shell none\n"); - fprintf(fp, "tracelog\n"); + fprintf(fp, "#tracelog\t# send blacklist violations to syslog\n"); fprintf(fp, "\n"); fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n"); - build_bin(trace_output, fp); + if (!arg_appimage) + build_bin(trace_output, fp); fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n"); build_dev(trace_output, fp); build_etc(trace_output, fp); @@ -206,10 +162,8 @@ fprintf(fp, "\n"); fprintf(fp, "#memory-deny-write-execute\n"); - if (!arg_debug) { + if (!arg_debug) unlink(trace_output); - unlink(strace_output); - } } else { fprintf(stderr, "Error: cannot run the sandbox\n");
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/build_seccomp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "fbuilder.h" +#if 0 void build_seccomp(const char fname, FILE fp) { assert(fname); assert(fp); @@ -78,6 +79,7 @@ fclose(fp2); } +#endif //*************************************** // protocol @@ -188,7 +190,7 @@ if (net == 0) fprintf(fp, "net none\n"); else { - fprintf(fp, "# net eth0\n"); + fprintf(fp, "#net eth0\n"); fprintf(fp, "netfilter\n"); } }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/fbuilder.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -26,11 +26,12 @@ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> - +#include <fnmatch.h> #define MAX_BUF 4096 // main.c extern int arg_debug; +extern int arg_appimage; // build_profile.c void build_profile(int argc, char *argv, int index, FILE fp); @@ -45,6 +46,8 @@ void build_tmp(const char fname, FILE fp); void build_dev(const char fname, FILE fp); void build_share(const char fname, FILE fp); +void build_run(const char fname, FILE fp); +void build_runuser(const char fname, FILE fp); // build_bin.c void build_bin(const char fname, FILE fp); @@ -60,7 +63,7 @@ typedef struct filedb_t { struct filedb_t next; char fname; // file name - int len; // length of file name + unsigned len; // length of file name } FileDB; FileDB filedb_add(FileDB head, const char *fname);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/filedb.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -25,17 +25,17 @@ assert(fname); FileDB ptr = head; int found = 0; - int len = strlen(fname); while (ptr) { - // exact name - if (strcmp(fname, ptr->fname) == 0) { + // ptr->fname can be a pattern, like .mutter-Xwaylandauth. + // check if fname is a match + if (fnmatch(ptr->fname, fname, FNM_PATHNAME) == 0) { found = 1; break; } // parent directory in the list - if (len > ptr->len && + if (strlen(fname) > ptr->len && fname[ptr->len] == '/' && strncmp(ptr->fname, fname, ptr->len) == 0) { found = 1; @@ -54,8 +54,6 @@ FileDB filedb_add(FileDB head, const char fname) { assert(fname); - // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth. - // don't add it if it is already there or if the parent directory is already in the list if (filedb_find(head, fname)) return head; @@ -96,7 +94,7 @@ errExit("asprintf"); FILE *fp = fopen(f, "r"); if (!fp) { - fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); + fprintf(stderr, "Error: cannot open %s\n", f); free(f); exit(1); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -19,6 +19,7 @@ */ #include "fbuilder.h" int arg_debug = 0; +int arg_appimage = 0; static void usage(void) { printf("Firejail profile builder\n"); @@ -49,6 +50,8 @@ } else if (strcmp(argv[i], "--debug") == 0) arg_debug = 1; + else if (strcmp(argv[i], "--appimage") == 0) + arg_appimage = 1; else if (strcmp(argv[i], "--build") == 0) ; // do nothing, this is passed down from firejail else if (strncmp(argv[i], "--build=", 8) == 0) {
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fbuilder/utils.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fcopy/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fcopy +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/syscall.h +MOD_OBJS = ../lib/common.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fcopy/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -88,7 +88,8 @@ if (arg_debug) printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); - setfilecon_raw(procfs_path, fcon); + if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug) + printf("Cannot relabel %s: %s\n", path, strerror(errno)); } freecon(fcon); close: @@ -199,7 +200,8 @@ // check where /proc/self points to static const char proc_self[] = "/proc/self"; - if (!(proc_pid = realpath(proc_self, NULL))) + proc_pid = realpath(proc_self, NULL); + if (proc_pid == NULL) goto done; // redirect /proc/PID/xxx -> /proc/self/XXX @@ -284,11 +286,9 @@ } // extract mode and ownership - if (stat(infname, &s) != 0) { - if (!arg_quiet) - fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); + if (stat(infname, &s) != 0) goto out; - } + uid_t uid = s.st_uid; gid_t gid = s.st_gid; mode_t mode = s.st_mode; @@ -470,18 +470,12 @@ size_t len = strlen(src); while (len > 1 && src[len - 1] == '/') src[--len] = '\0'; - if (strcspn(src, "\\&!?\"'<>%^(){}[];,") != len) { - fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); - exit(1); - } + reject_meta_chars(src, 0); len = strlen(dest); while (len > 1 && dest[len - 1] == '/') dest[--len] = '\0'; - if (strcspn(dest, "\\&!?\"'<>%^(){}[];,~") != len) { - fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); - exit(1); - } + reject_meta_chars(dest, 0); // the destination should be a directory; struct stat s;
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/Makefile ^
@@ -0,0 +1,9 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fids +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h + +include $(ROOT)/src/prog.mk
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/blake2b.c ^
@@ -0,0 +1,176 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + / + +/ A simple unkeyed BLAKE2b Implementation based on the official reference + * from https://github.com/BLAKE2/BLAKE2. + * + * The original code was released under CC0 1.0 Universal license (Creative Commons), + * a public domain license. + / + +#include "fids.h" + +// little-endian vs big-endian is irrelevant since the checksum is calculated and checked on the same computer. +static inline uint64_t load64( const void src ) { + uint64_t w; + memcpy( &w, src, sizeof( w ) ); + return w; +} + +// mixing function +#define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y)))) +#define G(a, b, c, d, x, y) { \ + v[a] = v[a] + v[b] + x; \ + v[d] = ROTR64(v[d] ^ v[a], 32); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR64(v[b] ^ v[c], 24); \ + v[a] = v[a] + v[b] + y; \ + v[d] = ROTR64(v[d] ^ v[a], 16); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR64(v[b] ^ v[c], 63); } + +// init vector +static const uint64_t iv[8] = { + 0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, + 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1, + 0x510E527FADE682D1, 0x9B05688C2B3E6C1F, + 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179 +}; + + +const uint8_t sigma[12][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +}; + +// blake2b context +typedef struct { + uint8_t b[128]; // input buffer + uint64_t h[8]; // chained state + uint64_t t[2]; // total number of bytes + size_t c; // pointer for b[] + size_t outlen; // digest size +} CTX; + +// compress function +static void compress(CTX ctx, int last) { + uint64_t m[16]; + uint64_t v[16]; + size_t i; + + for (i = 0; i < 16; i++) + m[i] = load64(&ctx->b[8 i]); + + for (i = 0; i < 8; i++) { + v[i] = ctx->h[i]; + v[i + 8] = iv[i]; + } + + v[12] ^= ctx->t[0]; + v[13] ^= ctx->t[1]; + if (last) + v[14] = ~v[14]; + + for (i = 0; i < 12; i++) { + G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); + G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); + G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); + G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); + G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); + G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); + G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); + G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); + } + + for( i = 0; i < 8; ++i ) + ctx->h[i] ^= v[i] ^ v[i + 8]; +} + +static int init(CTX ctx, size_t outlen) { // (keylen=0: no key) + size_t i; + + if (outlen == 0 \|\| outlen > 64) + return -1; + + for (i = 0; i < 8; i++) + ctx->h[i] = iv[i]; + ctx->h[0] ^= 0x01010000 ^ outlen; + + ctx->t[0] = 0; + ctx->t[1] = 0; + ctx->c = 0; + ctx->outlen = outlen; + + return 0; +} + +static void update(CTX ctx, const void in, size_t inlen) { + size_t i; + + for (i = 0; i < inlen; i++) { + if (ctx->c == 128) { + ctx->t[0] += ctx->c; + if (ctx->t[0] < ctx->c) + ctx->t[1]++; + compress(ctx, 0); + ctx->c = 0; + } + ctx->b[ctx->c++] = ((const uint8_t ) in)[i]; + } +} + +static void final(CTX ctx, void out) { + size_t i; + + ctx->t[0] += ctx->c; + if (ctx->t[0] < ctx->c) + ctx->t[1]++; + + while (ctx->c < 128) + ctx->b[ctx->c++] = 0; + compress(ctx, 1); + + for (i = 0; i < ctx->outlen; i++) { + ((uint8_t ) out)[i] = + (ctx->h[i >> 3] >> (8 (i & 7))) & 0xFF; + } +} + +// public function +int blake2b(void out, size_t outlen, const void in, size_t inlen) { + CTX ctx; + + if (init(&ctx, outlen)) + return -1; + update(&ctx, in, inlen); + final(&ctx, out); + + return 0; +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/config ^
@@ -0,0 +1,16 @@ +/bin +/sbin +/usr/bin +/usr/sbin +/usr/games +/opt +/usr/share/ca-certificates + + +/home/netblue/.bashrc +/home/netblue/.config/firejail +/home/netblue/.config/autostart +/home/netblue/Desktop/*.desktop +/home/netblue/.ssh +/home/netblue/.gnupg +
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/db.c ^
@@ -0,0 +1,158 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include"fids.h" + +typedef struct db_t { + struct db_t next; + char fname; + char checksum; + char mode; + int checked; +} DB; + +#define MAXBUF 4096 +static DB database[HASH_MAX] = {NULL}; + +// djb2 hash function by Dan Bernstein +static unsigned hash(const char str) { + unsigned long hash = 5381; + int c; + + while ((c = str++) != '\0') + hash = ((hash << 5) + hash) + c; /* hash * 33 + c / + + return hash & (HASH_MAX - 1); +} + +#if 0 +// for testing the hash table +static void db_print(void) { + int i; + for (i = 0; i < HASH_MAX; i++) { + int cnt = 0; + DB ptr = database[i]; + while (ptr) { + cnt++; + ptr = ptr->next; + } + printf("%d ", cnt); + fflush(0); + } + printf("\n"); +} +#endif + +static void db_add(const char fname, const char checksum, const char mode) { + DB ptr = malloc(sizeof(DB)); + if (!ptr) + errExit("malloc"); + ptr->fname = strdup(fname); + ptr->checksum = strdup(checksum); + ptr->mode = strdup(mode); + ptr->checked = 0; + if (!ptr->fname \|\| !ptr->checksum \|\| !ptr->mode) + errExit("strdup"); + + unsigned h = hash(fname); + ptr->next = database[h]; + database[h] = ptr; +} + +void db_check(const char fname, const char checksum, const char mode) { + assert(fname); + assert(checksum); + assert(mode); + + unsigned h =hash(fname); + DB ptr = database[h]; + while (ptr) { + if (strcmp(fname, ptr->fname) == 0) { + ptr->checked = 1; + break; + } + ptr = ptr->next; + } + + if (ptr ) { + if (strcmp(checksum, ptr->checksum)) { + f_modified++; + fprintf(stderr, "\nWarning: modified %s\n", fname); + } + if (strcmp(mode, ptr->mode)) { + f_permissions++; + fprintf(stderr, "\nWarning: permissions %s: old %s, new %s\n", + fname, ptr->mode, mode); + } + } + else { + f_new++; + fprintf(stderr, "\nWarning: new file %s\n", fname); + } +} + +void db_missing(void) { + int i; + for (i = 0; i < HASH_MAX; i++) { + DB ptr = database[i]; + while (ptr) { + if (!ptr->checked) { + f_removed++; + fprintf(stderr, "Warning: removed %s\n", ptr->fname); + } + ptr = ptr->next; + } + } +} + +// return 0 if ok, 1 if error +int db_init(void) { + char buf[MAXBUF]; + while(fgets(buf, MAXBUF, stdin)) { + // split - tab separated + + char mode = buf; + char ptr = strchr(buf, '\t'); + if (!ptr) + goto errexit; + ptr = '\0'; + + char checksum = ptr + 1; + ptr = strchr(checksum, '\t'); + if (!ptr) + goto errexit; + ptr = '\0'; + + char fname = ptr + 1; + ptr = strchr(fname, '\n'); + if (!ptr) + goto errexit; + ptr = '\0'; + + db_add(fname, checksum, mode); + } +// db_print(); + + return 0; + +errexit: + fprintf(stderr, "Error fids: database corrupted\n"); + exit(1); +} +
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/db_exclude.c ^
@@ -0,0 +1,56 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include"fids.h" + +typedef struct db_exclude_t { + struct db_exclude_t next; + char fname; + int len; +} DB_EXCLUDE; +static DB_EXCLUDE database = NULL; + +void db_exclude_add(const char fname) { + assert(fname); + + DB_EXCLUDE ptr = malloc(sizeof(DB_EXCLUDE)); + if (!ptr) + errExit("malloc"); + + ptr->fname = strdup(fname); + if (!ptr->fname) + errExit("strdup"); + ptr->len = strlen(fname); + ptr->next = database; + database = ptr; +} + +int db_exclude_check(const char fname) { + assert(fname); + + DB_EXCLUDE ptr = database; + while (ptr != NULL) { + if (strncmp(fname, ptr->fname, ptr->len) == 0) + return 1; + ptr = ptr->next; + } + + return 0; +} +
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/fids.h ^
@@ -0,0 +1,51 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#ifndef FIDS_H +#define FIDS_H + +#include "../include/common.h" + +// main.c +#define MAX_DIR_LEVEL 20 // max directory tree depth +#define MAX_INCLUDE_LEVEL 10 // max include level for config files +extern int f_scanned; +extern int f_modified; +extern int f_new; +extern int f_removed; +extern int f_permissions; + +// db.c +#define HASH_MAX 2048 // power of 2 +int db_init(void); +void db_check(const char fname, const char checksum, const char mode); +void db_missing(void); + +// db_exclude.c +void db_exclude_add(const char fname); +int db_exclude_check(const char fname); + + +// blake2b.c +//#define KEY_SIZE 128 // key size in bytes +#define KEY_SIZE 256 +//#define KEY_SIZE 512 +int blake2b(void out, size_t outlen, const void in, size_t inlen); + +#endif
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fids/main.c ^
@@ -0,0 +1,378 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include "fids.h" +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/mman.h> +#include <dirent.h> +#include <glob.h> + +#define MAXBUF 4096 + +static int dir_level = 1; +static int include_level = 0; +int arg_init = 0; +int arg_check = 0; +char arg_homedir = NULL; +char arg_dbfile = NULL; + +int f_scanned = 0; +int f_modified = 0; +int f_new = 0; +int f_removed = 0; +int f_permissions = 0; + + + +static inline int is_dir(const char fname) { + assert(fname); + + struct stat s; + if (stat(fname, &s) == 0) { + if (S_ISDIR(s.st_mode)) + return 1; + } + return 0; +} + +static inline int is_link(const char fname) { + assert(fname); + + char c; + ssize_t rv = readlink(fname, &c, 1); + return (rv != -1); +} + +// mode is an array of 10 chars or more +static inline void file_mode(const char fname, char mode) { + assert(fname); + assert(mode); + + struct stat s; + if (stat(fname, &s)) { + mode = '\0'; + return; + } + + sprintf(mode, (s.st_mode & S_IRUSR) ? "r" : "-"); + sprintf(mode + 1, (s.st_mode & S_IWUSR) ? "w" : "-"); + sprintf(mode + 2, (s.st_mode & S_IXUSR) ? "x" : "-"); + sprintf(mode + 3, (s.st_mode & S_IRGRP) ? "r" : "-"); + sprintf(mode + 4, (s.st_mode & S_IWGRP) ? "w" : "-"); + sprintf(mode + 5, (s.st_mode & S_IXGRP) ? "x" : "-"); + sprintf(mode + 6, (s.st_mode & S_IROTH) ? "r" : "-"); + sprintf(mode + 7, (s.st_mode & S_IWOTH) ? "w" : "-"); + sprintf(mode + 8, (s.st_mode & S_IXOTH) ? "x" : "-"); +} + + +static void file_checksum(const char fname) { + assert(fname); + + int fd = open(fname, O_RDONLY); + if (fd == -1) + return; + + off_t size = lseek(fd, 0, SEEK_END); + if (size < 0) { + close(fd); + return; + } + + char content = "empty"; + int mmapped = 0; + if (size == 0) { + // empty files don't mmap - use "empty" string as the file content + size = 6; // strlen("empty") + 1 + } + else { + content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); + close(fd); + mmapped = 1; + } + + unsigned char checksum[KEY_SIZE / 8]; + blake2b(checksum, sizeof(checksum), content, size); + if (mmapped) + munmap(content, size); + + // calculate blake2 checksum + char str_checksum[(KEY_SIZE / 8) * 2 + 1]; + int long unsigned i; + char ptr = str_checksum; + for (i = 0; i < sizeof(checksum); i++, ptr += 2) + sprintf(ptr, "%02x", (unsigned char ) checksum[i]); + + // build permissions string + char mode[10]; + file_mode(fname, mode); + + if (arg_init) + printf("%s\t%s\t%s\n", mode, str_checksum, fname); + else if (arg_check) + db_check(fname, str_checksum, mode); + else + assert(0); + + f_scanned++; + if (f_scanned % 500 == 0) + fprintf(stderr, "%d ", f_scanned); + fflush(0); +} + +void list_directory(const char fname) { + assert(fname); + if (dir_level > MAX_DIR_LEVEL) { + fprintf(stderr, "Warning fids: maximum depth level exceeded for %s\n", fname); + return; + } + + if (db_exclude_check(fname)) + return; + + if (is_link(fname)) + return; + + if (!is_dir(fname)) { + file_checksum(fname); + return; + } + + DIR dir; + struct dirent entry; + + if (!(dir = opendir(fname))) + return; + + dir_level++; + while ((entry = readdir(dir)) != NULL) { + if (strcmp(entry->d_name, ".") == 0 \|\| strcmp(entry->d_name, "..") == 0) + continue; + char path; + if (asprintf(&path, "%s/%s", fname, entry->d_name) == -1) + errExit("asprintf"); + list_directory(path); + free(path); + } + closedir(dir); + dir_level--; +} + +void globbing(const char fname) { + assert(fname); + + // filter top directory + if (strcmp(fname, "/") == 0) + return; + + glob_t globbuf; + int globerr = glob(fname, GLOB_NOCHECK \| GLOB_NOSORT \| GLOB_PERIOD, NULL, &globbuf); + if (globerr) { + fprintf(stderr, "Error fids: failed to glob pattern %s\n", fname); + exit(1); + } + + long unsigned i; + for (i = 0; i < globbuf.gl_pathc; i++) { + char path = globbuf.gl_pathv[i]; + assert(path); + + list_directory(path); + } + + globfree(&globbuf); +} + +static void process_config(const char fname) { + assert(fname); + + if (++include_level >= MAX_INCLUDE_LEVEL) { + fprintf(stderr, "Error ids: maximum include level for config files exceeded\n"); + exit(1); + } + + fprintf(stderr, "Opening config file %s\n", fname); + int fd = open(fname, O_RDONLY\|O_CLOEXEC); + if (fd < 0) { + if (include_level == 1) { + fprintf(stderr, "Error ids: cannot open config file %s\n", fname); + exit(1); + } + return; + } + + // make sure the file is owned by root + struct stat s; + if (fstat(fd, &s)) { + fprintf(stderr, "Error ids: cannot stat config file %s\n", fname); + exit(1); + } + if (s.st_uid \|\| s.st_gid) { + fprintf(stderr, "Error ids: config file not owned by root\n"); + exit(1); + } + + fprintf(stderr, "Loading config file %s\n", fname); + FILE fp = fdopen(fd, "r"); + if (!fp) { + fprintf(stderr, "Error fids: cannot open config file %s\n", fname); + exit(1); + } + + char buf[MAXBUF]; + int line = 0; + while (fgets(buf, MAXBUF, fp)) { + line++; + + // trim \n + char ptr = strchr(buf, '\n'); + if (ptr) + ptr = '\0'; + + // comments + ptr = strchr(buf, '#'); + if (ptr) + ptr = '\0'; + + // empty space + ptr = buf; + while (ptr == ' ' \|\| ptr == '\t') + ptr++; + char start = ptr; + + // empty line + if (start == '\0') + continue; + + // trailing spaces + ptr = start + strlen(start); + ptr--; + while (ptr == ' ' \|\| ptr == '\t') + ptr-- = '\0'; + + // replace ${HOME} + if (strncmp(start, "include", 7) == 0) { + ptr = start + 7; + if ((ptr != ' ' && ptr != '\t') \|\| ptr == '\0') { + fprintf(stderr, "Error fids: invalid line %d in %s\n", line, fname); + exit(1); + } + while (ptr == ' ' \|\| ptr == '\t') + ptr++; + + if (ptr == '/') + process_config(ptr); + else { + // assume the file is in /etc/firejail + char tmp; + if (asprintf(&tmp, "/etc/firejail/%s", ptr) == -1) + errExit("asprintf"); + process_config(tmp); + free(tmp); + } + } + else if (start == '!') { + // exclude file or dir + start++; + if (strncmp(start, "${HOME}", 7)) + db_exclude_add(start); + else { + char fname; + if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1) + errExit("asprintf"); + db_exclude_add(fname); + free(fname); + } + } + else if (strncmp(start, "${HOME}", 7)) + globbing(start); + else { + char fname; + if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1) + errExit("asprintf"); + globbing(fname); + free(fname); + } + } + + fclose(fp); + include_level--; +} + + + +void usage(void) { + printf("Usage: fids [--help\|-h\|-?] --init\|--check homedir\n"); +} + +int main(int argc, char *argv) { + int i; + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "-h") == 0 \|\| + strcmp(argv[i], "-?") == 0 \|\| + strcmp(argv[i], "--help") == 0) { + usage(); + return 0; + } + else if (strcmp(argv[i], "--init") == 0) + arg_init = 1; + else if (strcmp(argv[i], "--check") == 0) + arg_check = 1; + else if (strncmp(argv[i], "--", 2) == 0) { + fprintf(stderr, "Error fids: invalid argument %s\n", argv[i]); + exit(1); + } + } + + if (argc != 3) { + fprintf(stderr, "Error fids: invalid number of arguments\n"); + exit(1); + } + arg_homedir = argv[2]; + + int op = arg_check + arg_init; + if (op == 0 \|\| op == 2) { + fprintf(stderr, "Error fids: use either --init or --check\n"); + exit(1); + } + + if (arg_init) { + process_config(SYSCONFDIR"/ids.config"); + fprintf(stderr, "\n%d files scanned\n", f_scanned); + fprintf(stderr, "IDS database initialized\n"); + } + else if (arg_check) { + if (db_init()) { + fprintf(stderr, "Error: IDS database not initialized, please run \"firejail --ids-init\"\n"); + exit(1); + } + + process_config(SYSCONFDIR"/ids.config"); + fprintf(stderr, "\n%d files scanned: modified %d, permissions %d, new %d, removed %d\n", + f_scanned, f_modified, f_permissions, f_new, f_removed); + db_missing(); + } + else + assert(0); + + return 0; +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/Makefile ^
@@ -0,0 +1,16 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = firecfg +TARGET = $(PROG) + +MOD_HDRS = \ +../include/common.h \ +../include/euid_common.h \ +../include/libnetlink.h \ +../include/firejail_user.h \ +../include/pid.h + +MOD_OBJS = ../lib/common.o ../lib/firejail_user.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/desktop_files.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -24,11 +24,16 @@ static int check_profile(const char name, const char homedir) { // build profile name char profname1; +#ifndef HAVE_ONLY_SYSCFG_PROFILES char profname2; +#endif if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1) errExit("asprintf"); + +#ifndef HAVE_ONLY_SYSCFG_PROFILES if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1) errExit("asprintf"); +#endif int rv = 0; if (access(profname1, R_OK) == 0) { @@ -36,14 +41,18 @@ printf("found %s\n", profname1); rv = 1; } +#ifndef HAVE_ONLY_SYSCFG_PROFILES else if (access(profname2, R_OK) == 0) { if (arg_debug) printf("found %s\n", profname2); rv = 1; } +#endif free(profname1); +#ifndef HAVE_ONLY_SYSCFG_PROFILES free(profname2); +#endif return rv; } @@ -168,9 +177,9 @@ char *filename = entry->d_name; - // skip links - if (is_link(filename)) - continue; + // skip links - Discord on Arch #4235 seems to be a symlink to /opt directory +// if (is_link(filename)) +// continue; // no profile in /etc/firejail, no desktop file fixing if (!have_profile(filename, homedir))
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/firecfg.config ^
@@ -1,8 +1,8 @@ -# /usr/lib/firejail/firecfg.config - firecfg utility configuration file +# /etc/firejail/firecfg.config - firecfg utility configuration file # This is the list of programs in alphabetical order handled by firecfg utility # -#qemu-system-x86_64 0ad +1password 2048-qt Books Builder @@ -45,8 +45,8 @@ amuled android-studio anydesk -apostrophe apktool +apostrophe # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) arch-audit archaudit-report @@ -74,6 +74,8 @@ autokey-qt autokey-run autokey-shell +avidemux3_cli +avidemux3_jobs_qt5 avidemux3_qt5 aweather ballbuster @@ -94,6 +96,7 @@ blender blender-2.8 bless +blobby blobwars bluefish bnox @@ -109,6 +112,7 @@ # bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) bzflag # bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +cachy-browser calibre calligra calligraauthor @@ -125,6 +129,8 @@ catfish cawbird celluloid +chafa +chatterino checkbashisms cheese cherrytree @@ -134,27 +140,32 @@ chromium-freeworld cin cinelerra +cinelerra-gg clamdscan clamdtop clamscan clamtk -claws-mail clawsker +claws-mail clementine clion -clipit +clion-eap clipgrab +clipit cliqz clocks cmus code code-oss +codium +cointop cola colorful com.github.bleakgrey.tootle com.github.dahenson.agenda com.github.johnfactotum.Foliate com.github.phase1geo.minder +com.github.tchx84.Flatseal com.gitlab.newsflash conkeror conky @@ -176,6 +187,7 @@ desktopeditors devhelp dex2jar +d-feet dia dig digikam @@ -197,13 +209,12 @@ drawio drill dropbox -d-feet easystroke -ebook-viewer ebook-convert ebook-edit ebook-meta ebook-polish +ebook-viewer electron-mail electrum element-desktop @@ -253,8 +264,8 @@ flameshot flashpeak-slimjet flowblade -font-manager fontforge +font-manager fossamail four-in-a-row fractal @@ -273,14 +284,17 @@ freshclam frogatto frozen-bubble +ftp funnyboat gajim gajim-history-manager galculator +gallery-dl gapplication gcalccmd gcloud gconf-editor +gdu geany geary gedit @@ -294,8 +308,8 @@ gimp-2.8 gist gist-paste -gitg git-cola +gitg github-desktop gitter # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 @@ -345,6 +359,8 @@ gnote gnubik godot +godot3 +goldendict goobox google-chrome google-chrome-beta @@ -361,11 +377,12 @@ gramps gravity-beams-and-evaporating-stars gthumb +gtk2-youtube-viewer +gtk3-youtube-viewer +gtk-lbry-viewer gtk-pipe-viewer gtk-straw-viewer gtk-youtube-viewer -gtk2-youtube-viewer -gtk3-youtube-viewer guayadeque gucharmap gummi @@ -391,9 +408,11 @@ imagej img2txt impressive +imv inkscape inkview inox +io.github.lainsce.Notejot ipcalc ipcalc-ng iridium @@ -446,18 +465,21 @@ kube # kwin_x11 kwrite +lbry-viewer leafpad # less - breaks man librecad libreoffice librewolf librewolf-nightly +lifeograph liferea lightsoff lincity-ng links links2 linphone +linuxqq lmms lobase localc @@ -507,6 +529,7 @@ menulibre meteo-qt microsoft-edge +microsoft-edge-beta microsoft-edge-dev midori min @@ -523,8 +546,8 @@ mp3wrap mpDris2 mpg123 -mpg123.bin mpg123-alsa +mpg123.bin mpg123-id3dump mpg123-jack mpg123-nas @@ -563,6 +586,7 @@ mypaint-ora-thumbnailer natron ncdu +ncdu2 neochat neomutt netactview @@ -583,6 +607,7 @@ nitroshare-send nitroshare-ui nomacs +notable nslookup nuclear nylas @@ -593,22 +618,26 @@ oggsplt okular onboard +onionshare +onionshare-cli onionshare-gui ooffice ooviewdoc -open-invaders openarena openarena_ded opencity openclonk +open-invaders openmw openmw-launcher openoffice.org openshot openshot-qt +openstego openttd opera opera-beta +opera-developer orage ostrichriders otter-browser @@ -630,7 +659,7 @@ picard pidgin pinball -#ping - disabled until we fix #1912 +ping pingus pinta pioneer @@ -659,11 +688,13 @@ qbittorrent qcomicbook qemu-launcher +#qemu-system-x86_64 qgis qlipper qmmp qnapi qpdfview +qq qt-faststart qtox quadrapassel @@ -672,11 +703,14 @@ quiterss qupzilla qutebrowser +raincat rambox redeclipse +rednotebook redshift regextester remmina +retroarch rhythmbox rhythmbox-client ricochet @@ -685,6 +719,7 @@ ripperx ristretto rocketchat +rpcs3 rtorrent runenpass.sh sayonara @@ -693,6 +728,7 @@ scorchwentbonkers scribus sdat2img +seafile-applet seahorse seahorse-adventures seahorse-daemon @@ -720,8 +756,8 @@ snox soffice sol -sound-juicer soundconverter +sound-juicer spectacle spectral spotify @@ -755,7 +791,9 @@ teeworlds telegram telegram-desktop +telnet terasology +tesseract textmaker18 textmaker18free thunderbird @@ -763,6 +801,7 @@ thunderbird-wayland tilp tor-browser +torbrowser tor-browser-ar tor-browser-ca tor-browser-cs @@ -784,6 +823,7 @@ tor-browser-ja tor-browser-ka tor-browser-ko +torbrowser-launcher tor-browser-nb tor-browser-nl tor-browser-pl @@ -794,7 +834,6 @@ tor-browser-vi tor-browser-zh-cn tor-browser-zh-tw -torbrowser-launcher torcs totem tracker @@ -813,6 +852,7 @@ trojita truecraft tshark +tuir tutanota-desktop tuxguitar tvbrowser @@ -854,6 +894,7 @@ weechat-curses wesnoth wget +wget2 whalebird whois widelands @@ -862,10 +903,10 @@ wireshark wireshark-gtk wireshark-qt +wordwarvi wpp wps wpspdf -wordwarvi x2goclient xbill xcalc @@ -900,13 +941,15 @@ youtube youtube-dl youtube-dl-gui -youtube-viewer youtubemusic-nativefier +youtube-viewer +yt-dlp ytmdesktop zaproxy zart zathura zeal +zim zoom # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/firecfg.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/firejail-welcome.sh ^
@@ -0,0 +1,204 @@ +#!/bin/bash + +# This file is part of Firejail project +# Copyright (C) 2020-2022 Firejail Authors +# License GPL v2 +# +# Usage: firejail-welcome PROGRAM SYSCONFDIR USER_NAME +# where PROGRAM is detected and driven by firecfg. +# SYSCONFDIR is most of the time /etc/firejail. +# +# The plan is to go with zenity by default. If zenity is not installed +# we will provide a console-only replacement in /usr/lib/firejail/fzenity +# + +if ! command -v "$1" >/dev/null; then + echo "Please install $1." + exit 1 +fi + +PROGRAM="sudo -u $3 $1" +SYSCONFDIR=$2 +export LANG=en_US.UTF8 + +TITLE="Firejail Configuration Guide" +sed_scripts=() +run_firecfg=false +enable_u2f=false +enable_drm=false +enable_seccomp_kill=false +enable_restricted_net=false +enable_nonewprivs=false + +#**************************************************** +# Intro +#************************************************** +read -r -d $'\0' MSG_INTRO <<EOM +<big><b>Welcome to Firejail!</b></big> + +This guide will walk you through some of the most common sandbox customizations. +At the end of the guide you'll have the option to save your changes in Firejail's +global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is saved +as <b>/etc/firejal/firejail.config-</b>. + +Please note that running this script a second time can set new options, but does +not clear options set in a previous run. + +Press OK to continue, or close this window to stop the program. + +EOM +$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO" +[[ $? -eq 1 ]] && exit 0 + +#************************************************** +# symlinks +#************************************************** +read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM +<big><b>Should most programs be sandboxed by default?</b></big> + +Currently, Firejail recognizes more than 1000 regular desktop programs. These programs +can be sandboxed automatically when you start them. + +EOM + +if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then + run_firecfg=true +fi + +#************************************************** +# U2F +#************************************************** +read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM +<big><b>Should browsers be allowed to access u2f hardware?</b></big> + +Universal Two-Factor (U2F) devices are used as a password store for online +accounts. These devices usually come in a form of a USB key. + +EOM + +if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then + enable_u2f=true + sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/") +fi + +#************************************************** +# DRM +#************************************************** +read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM +<big><b>Should browsers be able to play DRM content?</b></big> + +The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications. +This means that executing programs located in your home directory is forbidden. + +Browsers install proprietary DRM plug-ins such as Widevine in your home directory. +In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This +may give the people developing and distributing the plug-in access to your private +data. + +NOTE: Software written in an interpreted language such as bash, python or java can +always be started from home directory. + +HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs. + +EOM + +if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then + enable_drm=true + sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/") +fi + +#************************************************** +# nonewprivs +#************************************************** +read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM +<big><b>Should we force nonewprivs by default?</b></big> + +nonewprivs is a Linux kernel feature that prevents programs from rising privileges. +It is also a strong mitigation against exploits in Firejail. However, some programs +like chromium, wireshark, or even ping might not work. + +NOTE: seccomp enables nonewprivs automatically. Most applications supported by +default by Firejail are using seccomp. + +EOM + +if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then + enable_nonewprivs=true + sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/") +fi + +#************************************************** +# restricted network +#************************************************** +read -r -d $'\0' MSG_Q_NETWORK <<EOM +<big><b>Should we restrict network functionality?</b></big> + +Restrict all network related commands except '<tt>net none</tt>' to root only. + +EOM + +if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then + enable_restricted_net=true + sed_scripts+=("-e s/# restricted-network no/restricted-network yes/") +fi + +#************************************************** +# seccomp kill +#************************************************** +read -r -d $'\0' MSG_Q_SECCOMP <<EOM +<big><b>Should we kill programs that violate seccomp rules?</b></big> + +By default seccomp prevents the program from running the syscall and returns an error. + +EOM + +if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then + enable_seccomp_kill=true + sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/") +fi + +#************************************************** +# root +#**************************************************** +read -r -d $'\0' MSG_RUN <<EOM +Now, I will apply the changes. This is what I will do: + + +EOM +MSG_RUN+="\n\n" +if [[ "$run_firecfg" == "true" ]]; then + MSG_RUN+=" * enable Firejail for all recognized programs\n" +fi +if [[ "$enable_u2f" == "true" ]]; then + MSG_RUN+=" * allow browsers to access U2F devices\n" +fi +if [[ "$enable_drm" == "true" ]]; then + MSG_RUN+=" * allow browsers to play DRM content\n" +fi +if [[ "$enable_nonewprivs" == "true" ]]; then + MSG_RUN+=" * enable nonewprivs globally\n" +fi +if [[ "$enable_restricted_net" == "true" ]]; then + MSG_RUN+=" * restrict networking features\n" +fi +if [[ "$enable_seccomp_kill" == "true" ]]; then + MSG_RUN+=" * enable seccomp kill\n" +fi +MSG_RUN+="\n\nPress OK to continue, or close this window to stop the program." + +$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN" +[[ $? -eq 1 ]] && exit 0 + +if [[ -n "${sed_scripts[]}" ]]; then + cp "$SYSCONFDIR"/firejail.config "$SYSCONFDIR"/firejail.config- + sed -i "${sed_scripts[@]}" "$SYSCONFDIR"/firejail.config +fi +if [[ "$run_firecfg" == "true" ]]; then + # return 55 to inform firecfg symlinks are desired + exit 55 +fi + +#*************************************************** +# all done +#**************************************************** +exit 0
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include "../include/firejail_user.h" int arg_debug = 0; char arg_bindir = "/usr/local/bin"; +int arg_guide = 0; static char usage_str = "Firecfg is the desktop configuration utility for Firejail software. The utility\n" @@ -37,6 +38,7 @@ " --debug - print debug messages.\n\n" " --fix - fix .desktop files.\n\n" " --fix-sound - create ~/.config/pulse/client.conf file.\n\n" + " --guide - guided configuration for new users.\n\n" " --help, -? - this help screen.\n\n" " --list - list all firejail symbolic links.\n\n" " --version - print program version and exit.\n\n" @@ -171,17 +173,17 @@ free(fname); } -// parse /usr/lib/firejail/firecfg.cfg file +// parse /etc/firejail/firecfg.config file static void set_links_firecfg(void) { char cfgfile; - if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1) + if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1) errExit("asprintf"); char firejail_exec; if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) errExit("asprintf"); - // parse /usr/lib/firejail/firecfg.cfg file + // parse /etc/firejail/firecfg.config file FILE fp = fopen(cfgfile, "r"); if (!fp) { perror("fopen"); @@ -373,6 +375,9 @@ fix_desktop_files(home); return 0; } + else if (strcmp(argv[i], "--guide") == 0) { + arg_guide = 1; + } else if (strcmp(argv[i], "--list") == 0) { list(); return 0; @@ -437,10 +442,33 @@ umask(orig_umask); } + if (arg_guide) { + char cmd; +if (arg_debug) { + if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/lib/firejail/fzenity %s %s", LIBDIR, SYSCONFDIR, user) == -1) + errExit("asprintf"); +} +else { + if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/bin/zenity %s %s", LIBDIR, SYSCONFDIR, user) == -1) + errExit("asprintf"); +} + int status = system(cmd); + if (status == -1) { + fprintf(stderr, "Error: cannot run firejail-welcome.sh\n"); + exit(1); + } + free(cmd); + + // the last 8 bits of the status is the return value of the command executed by system() + // firejail-welcome.sh returns 55 if setting sysmlinks is required + if (WEXITSTATUS(status) != 55) + return 0; + } + // clear all symlinks clean(); - // set new symlinks based on /usr/lib/firejail/firecfg.cfg + // set new symlinks based on /etc/firejail/firecfg.config set_links_firecfg(); if (getuid() == 0) { @@ -468,8 +496,6 @@ #endif } - - // set new symlinks based on ~/.config/firejail directory set_links_homedir(home);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/sound.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firecfg/util.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/Makefile ^
@@ -0,0 +1,25 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = firejail +TARGET = $(PROG) + +MOD_HDRS = \ +../include/rundefs.h \ +../include/common.h \ +../include/ldd_utils.h \ +../include/euid_common.h \ +../include/pid.h \ +../include/seccomp.h \ +../include/syscall_i386.h \ +../include/syscall_x86_64.h \ +../include/firejail_user.h + +MOD_OBJS = \ +../lib/common.o \ +../lib/ldd_utils.o \ +../lib/firejail_user.o \ +../lib/errno.o \ +../lib/syscall.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/appimage.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -45,10 +45,10 @@ assert(archive); assert(strlen(archive)); - // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config - FILE fp = fopen(LIBDIR "/firejail/firecfg.config", "r"); + // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config + FILE fp = fopen(SYSCONFDIR "/firecfg.config", "r"); if (!fp) { - fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config"); + fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", SYSCONFDIR "/firecfg.config"); exit(1); } char buf[MAXBUF];
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/appimage_size.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/arp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "firejail.h" #include <sys/socket.h> #include <sys/ioctl.h> +#include <sys/time.h> #include <linux/if_ether.h> //TCP/IP Protocol Suite for Linux #include <net/if.h> #include <netinet/in.h> @@ -188,9 +189,14 @@ FD_SET(sock, &fds); int maxfd = sock; struct timeval ts; - ts.tv_sec = 0; // 0.5 seconds wait time - ts.tv_usec = 500000; + gettimeofday(&ts, NULL); + double timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5; while (1) { + gettimeofday(&ts, NULL); + double now = ts.tv_sec + ts.tv_usec / 1000000.0; + double timeout = timerend - now; + ts.tv_sec = timeout; + ts.tv_usec = (timeout - ts.tv_sec) * 1000000; int nready = select(maxfd + 1, &fds, (fd_set ) 0, (fd_set ) 0, &ts); if (nready < 0) errExit("select"); @@ -201,8 +207,8 @@ } if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) errExit("send"); - ts.tv_sec = 0; // 0.5 seconds wait time - ts.tv_usec = 500000; + gettimeofday(&ts, NULL); + timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5; fflush(0); } else {
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/bandwidth.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/caps.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include <errno.h> #include <linux/filter.h> #include <stddef.h> +#include <fcntl.h> #include <linux/capability.h> #include <linux/audit.h> #include <sys/prctl.h> @@ -381,34 +382,21 @@ } #define MAXBUF 4098 -static uint64_t extract_caps(int pid) { - EUID_ASSERT(); - - char file; - if (asprintf(&file, "/proc/%d/status", pid) == -1) - errExit("asprintf"); - - EUID_ROOT(); // grsecurity - FILE fp = fopen(file, "re"); - EUID_USER(); // grsecurity - if (!fp) - goto errexit; +static uint64_t extract_caps(ProcessHandle process) { + FILE fp = process_fopen(process, "status"); char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) { if (strncmp(buf, "CapBnd:\t", 8) == 0) { - char ptr = buf + 8; unsigned long long val; - sscanf(ptr, "%llx", &val); - free(file); - fclose(fp); - return val; + if (sscanf(buf + 8, "%llx", &val) == 1) { + fclose(fp); + return val; + } + break; } } - fclose(fp); -errexit: - free(file); fprintf(stderr, "Error: cannot read caps configuration\n"); exit(1); } @@ -416,13 +404,11 @@ void caps_print_filter(pid_t pid) { EUID_ASSERT(); - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); + ProcessHandle sandbox = pin_sandbox_process(pid); - // exit if no permission to join the sandbox - check_join_permission(pid); + uint64_t caps = extract_caps(sandbox); + unpin_process(sandbox); - uint64_t caps = extract_caps(pid); int i; uint64_t mask; int elems = sizeof(capslist) / sizeof(capslist[0]);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/checkcfg.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -51,6 +51,7 @@ cfg_val[i] = 1; // most of them are enabled by default cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; + cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0; cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; cfg_val[CFG_FIREJAIL_PROMPT] = 0; cfg_val[CFG_DISABLE_MNT] = 0; @@ -58,6 +59,11 @@ cfg_val[CFG_XPRA_ATTACH] = 0; cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1; cfg_val[CFG_BROWSER_ALLOW_DRM] = 0; + cfg_val[CFG_ALLOW_TRAY] = 0; + cfg_val[CFG_CHROOT] = 0; + cfg_val[CFG_SECCOMP_LOG] = 0; + cfg_val[CFG_PRIVATE_LIB] = 0; + cfg_val[CFG_TRACELOG] = 0; // open configuration file const char *fname = SYSCONFDIR "/firejail.config"; @@ -99,18 +105,18 @@ PARSE_YESNO(CFG_X11, "x11") PARSE_YESNO(CFG_APPARMOR, "apparmor") PARSE_YESNO(CFG_BIND, "bind") - PARSE_YESNO(CFG_CGROUP, "cgroup") PARSE_YESNO(CFG_NAME_CHANGE, "name-change") PARSE_YESNO(CFG_USERNS, "userns") PARSE_YESNO(CFG_CHROOT, "chroot") PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") PARSE_YESNO(CFG_SECCOMP, "seccomp") - PARSE_YESNO(CFG_WHITELIST, "whitelist") PARSE_YESNO(CFG_NETWORK, "network") PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") + PARSE_YESNO(CFG_TRACELOG, "tracelog") PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") + PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted") PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") @@ -123,6 +129,8 @@ PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm") + PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray") + PARSE_YESNO(CFG_SECCOMP_LOG, "seccomp-log") #undef PARSE_YESNO // netfilter @@ -299,6 +307,12 @@ exit(1); } +void print_version(void) { + printf("firejail version %s\n", VERSION); + printf("\n"); + print_compiletime_support(); + printf("\n"); +} void print_compiletime_support(void) { printf("Compile time support:\n"); @@ -342,24 +356,24 @@ #endif ); - printf("\t- file and directory whitelisting support is %s\n", -#ifdef HAVE_WHITELIST + printf("\t- file transfer support is %s\n", +#ifdef HAVE_FILE_TRANSFER "enabled" #else "disabled" #endif ); - printf("\t- file transfer support is %s\n", -#ifdef HAVE_FILE_TRANSFER + printf("\t- firetunnel support is %s\n", +#ifdef HAVE_FIRETUNNEL "enabled" #else "disabled" #endif ); - printf("\t- firetunnel support is %s\n", -#ifdef HAVE_FIRETUNNEL + printf("\t- IDS support is %s\n", +#ifdef HAVE_IDS "enabled" #else "disabled" @@ -428,6 +442,4 @@ "disabled" #endif ); - - }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/chroot.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,7 +22,6 @@ #include "firejail.h" #include "../include/gcov_wrapper.h" #include <sys/mount.h> -#include <sys/sendfile.h> #include <errno.h> #include <fcntl.h> @@ -34,41 +33,27 @@ void fs_check_chroot_dir(void) { EUID_ASSERT(); assert(cfg.chrootdir); - if (strstr(cfg.chrootdir, "..") \|\| - is_link(cfg.chrootdir)) - goto errout; // check chroot dirname exists, chrooting into the root directory is not allowed char rpath = realpath(cfg.chrootdir, NULL); - if (rpath == NULL \|\| !is_dir(rpath) \|\| strcmp(rpath, "/") == 0) - goto errout; - - char overlay; - if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - if (strncmp(rpath, overlay, strlen(overlay)) == 0) { - fprintf(stderr, "Error: invalid chroot directory: no directories in %s are allowed\n", overlay); + if (rpath == NULL \|\| !is_dir(rpath) \|\| strcmp(rpath, "/") == 0) { + fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir); exit(1); } - free(overlay); cfg.chrootdir = rpath; return; - -errout: - fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir); - exit(1); } // copy /etc/resolv.conf or /etc/machine-id in chroot directory static void update_file(int parentfd, const char relpath) { assert(relpath && relpath[0] && relpath[0] != '/'); - char abspath; - if (asprintf(&abspath, "/%s", relpath) == -1) - errExit("asprintf"); - int in = open(abspath, O_RDONLY\|O_CLOEXEC); - free(abspath); + int rootfd = open("/", O_PATH\|O_CLOEXEC); + if (rootfd == -1) + errExit("open"); + int in = openat(rootfd, relpath, O_RDONLY\|O_CLOEXEC); + close(rootfd); if (in == -1) goto errout; @@ -86,13 +71,13 @@ if (arg_debug) printf("Updating chroot /%s\n", relpath); unlinkat(parentfd, relpath, 0); - int out = openat(parentfd, relpath, O_WRONLY\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH); + int out = openat(parentfd, relpath, O_WRONLY\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); if (out == -1) { close(in); goto errout; } - if (sendfile(out, in, NULL, src.st_size) == -1) - errExit("sendfile"); + if (copy_file_by_fd(in, out) != 0) + errExit("copy_file_by_fd"); close(in); close(out); return; @@ -134,6 +119,11 @@ int parentfd = safer_openat(-1, rootdir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); if (parentfd == -1) errExit("safer_openat"); + + if (faccessat(parentfd, ".", X_OK, 0) != 0) { + fprintf(stderr, "Error: no search permission on chroot directory\n"); + exit(1); + } // rootdir has to be owned by root and is not allowed to be generally writable, // this also excludes /tmp and friends struct stat s;
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/cmdline.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/cpu.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. / #include "firejail.h" +#include <fcntl.h> #include <sched.h> #include <unistd.h> #include <sys/stat.h> @@ -87,22 +88,6 @@ } } -void load_cpu(const char fname) { - if (!fname) - return; - - FILE fp = fopen(fname, "re"); - if (fp) { - unsigned tmp; - int rv = fscanf(fp, "%x", &tmp); - if (rv) - cfg.cpus = (uint32_t) tmp; - fclose(fp); - } - else - fwarning("cannot load cpu affinity mask\n"); -} - void set_cpu_affinity(void) { // set cpu affinity cpu_set_t mask; @@ -131,21 +116,8 @@ } } -static void print_cpu(int pid) { - char file; - if (asprintf(&file, "/proc/%d/status", pid) == -1) { - errExit("asprintf"); - exit(1); - } - - EUID_ROOT(); // grsecurity - FILE fp = fopen(file, "re"); - EUID_USER(); // grsecurity - if (!fp) { - printf(" Error: cannot open %s\n", file); - free(file); - return; - } +static void print_cpu(ProcessHandle process) { + FILE fp = process_fopen(process, "status"); #define MAXBUF 4096 char buf[MAXBUF]; @@ -153,28 +125,21 @@ if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { printf(" %s", buf); fflush(0); - free(file); fclose(fp); return; } } fclose(fp); - free(file); } -// allow any user to run --cpu.print +// TODO: allow any user to run --cpu.print void cpu_print_filter(pid_t pid) { EUID_ASSERT(); - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); + ProcessHandle sandbox = pin_sandbox_process(pid); - // now check if the pid belongs to a firejail sandbox - if (is_ready_for_join(pid) == false) { - fprintf(stderr, "Error: no valid sandbox\n"); - exit(1); - } + print_cpu(sandbox); + unpin_process(sandbox); - print_cpu(pid); exit(0); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/dbus.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -180,7 +180,7 @@ } } - if (num_matches > 0) { + if (num_matches > 0 && !arg_quiet) { assert(first_match != NULL); if (num_matches == 1) { fprintf(stderr, "Ignoring \"%s\".\n", first_match); @@ -297,11 +297,12 @@ if (dbus_proxy_pid == -1) errExit("fork"); if (dbus_proxy_pid == 0) { - int i; - for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) { - if (i != status_pipe[1] && i != args_pipe[0]) - close(i); // close open files - } + // close open files + int keep[2]; + keep[0] = status_pipe[1]; + keep[1] = args_pipe[0]; + close_all(keep, ARRAY_SIZE(keep)); + if (arg_dbus_log_file != NULL) { int output_fd = creat(arg_dbus_log_file, 0666); if (output_fd < 0)
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/dhcp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/env.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include <sys/stat.h> #include <unistd.h> #include <dirent.h> +#include <limits.h> typedef struct env_t { struct env_t *next; @@ -117,10 +118,7 @@ // env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV); // env_store_name_val("MOZ_NO_REMOTE, "1", SETENV); env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc, - if (!cfg.shell) - cfg.shell = guess_shell(); - if (cfg.shell) - env_store_name_val("SHELL", cfg.shell, SETENV); + env_store_name_val("SHELL", cfg.usershell, SETENV); // spawn KIO slaves inside the sandbox env_store_name_val("KDE_FORK_SLAVES", "1", SETENV); @@ -262,7 +260,7 @@ "LANG", "LANGUAGE", "LC_MESSAGES", - "PATH", + // "PATH", "DISPLAY" // required by X11 }; @@ -311,6 +309,10 @@ errExit("clearenv"); env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); + + // hardcoding PATH + if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0) + errExit("setenv"); } // Filter env variables for a sbox app
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/firejail.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include "../include/common.h" #include "../include/euid_common.h" #include "../include/rundefs.h" +#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) #include <stdarg.h> #include <sys/stat.h> @@ -153,11 +154,15 @@ // user data char username; char homedir; + char usershell; // filesystem ProfileEntry profile; + ProfileEntry profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc() + #define MAX_PROFILE_IGNORE 32 char profile_ignore[MAX_PROFILE_IGNORE]; + char keep_fd; // inherit file descriptors to sandbox char chrootdir; // chroot directory char home_private; // private home directory char home_private_keep; // keep list for private home directory @@ -193,6 +198,7 @@ char seccomp_list_drop, seccomp_list_drop32; // seccomp drop list char seccomp_list_keep, seccomp_list_keep32; // seccomp keep list char protocol; // protocol list + char restrict_namespaces; // namespaces list char seccomp_error_action; // error action: kill, log or errno // rlimits @@ -207,13 +213,11 @@ // cpu affinity, nice and control groups uint32_t cpus; int nice; - char cgroup; // command line char command_line; char window_title; char command_name; - char shell; char *original_argv; int original_argc; int original_program_index; @@ -306,7 +310,6 @@ extern char arg_netfilter6_file; // netfilter file extern char arg_netns; // "ip netns"-created network namespace to use extern int arg_doubledash; // double dash -extern int arg_shell_none; // run the program directly without a shell extern int arg_private_dev; // private dev directory extern int arg_keep_dev_shm; // preserve /dev/shm extern int arg_private_etc; // private etc directory @@ -321,6 +324,7 @@ extern int arg_nosound; // disable sound extern int arg_novideo; //disable video devices in /dev extern int arg_no3d; // disable 3d hardware acceleration +extern int arg_noprinters; // disable printers extern int arg_quiet; // no output for scripting extern int arg_join_network; // join only the network namespace extern int arg_join_filesystem; // join only the mount namespace @@ -334,11 +338,13 @@ extern int arg_writable_var_log; // writable /var/log extern int arg_appimage; // appimage extern int arg_apparmor; // apparmor +extern char apparmor_profile; // apparmor profile +extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior) extern int arg_allow_debuggers; // allow debuggers extern int arg_x11_block; // block X11 extern int arg_x11_xorg; // use X11 security extension extern int arg_allusers; // all user home directories visible -extern int arg_machineid; // preserve /etc/machine-id +extern int arg_machineid; // spoof /etc/machine-id extern int arg_disable_mnt; // disable /mnt and /media extern int arg_noprofile; // use default.profile if none other found/specified extern int arg_memory_deny_write_execute; // block writable and executable memory @@ -347,6 +353,9 @@ extern int arg_nou2f; // --nou2f extern int arg_noinput; // --noinput extern int arg_deterministic_exit_code; // always exit with first child's exit status +extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies +extern int arg_keep_fd_all; // inherit all file descriptors to sandbox +extern int arg_netlock; // netlocker typedef enum { DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus @@ -358,6 +367,7 @@ extern int arg_dbus_log_user; extern int arg_dbus_log_system; extern const char arg_dbus_log_file; +extern int arg_tab; extern int login_shell; extern int parent_to_child_fds[2]; @@ -379,7 +389,6 @@ #define SANDBOX_DONE '1' int sandbox(void sandbox_arg); void start_application(int no_sandbox, int fd, char set_sandbox_status) __attribute__((noreturn)); -void set_apparmor(void); // network_main.c void net_configure_sandbox_ip(Bridge br); @@ -431,13 +440,15 @@ void disable_config(void); // build a basic read-only filesystem void fs_basic_fs(void); -// mount overlayfs on top of / directory -char fs_check_overlay_dir(const char subdirname, int allow_reuse); -void fs_overlayfs(void); void fs_private_tmp(void); void fs_private_cache(void); void fs_mnt(const int enforce); +// fs_overlayfs.c +char fs_check_overlay_dir(const char subdirname, int allow_reuse); +void fs_overlayfs(void); +int remove_overlay_directory(void); + // chroot.c // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf void fs_check_chroot_dir(void); @@ -467,11 +478,29 @@ // usage.c void usage(void); +// process.c +typedef struct processhandle_instance_t * ProcessHandle; + +ProcessHandle pin_process(pid_t pid); +void unpin_process(ProcessHandle process); +pid_t process_get_pid(ProcessHandle process); +int process_get_fd(ProcessHandle process); +int process_stat_nofail(ProcessHandle process, const char fname, struct stat s); +int process_stat(ProcessHandle process, const char fname, struct stat s); +int process_open_nofail(ProcessHandle process, const char fname); +int process_open(ProcessHandle process, const char fname); +FILE process_fopen(ProcessHandle process, const char fname); +int process_join_namespace(ProcessHandle process, char type); +void process_send_signal(ProcessHandle process, int signum); +ProcessHandle pin_parent_process(ProcessHandle process); +ProcessHandle pin_child_process(ProcessHandle process, pid_t child); +void process_rootfs_chroot(ProcessHandle process); +int process_rootfs_stat(ProcessHandle process, const char fname, struct stat s); +int process_rootfs_open(ProcessHandle process, const char fname); + // join.c +ProcessHandle pin_sandbox_process(pid_t pid); void join(pid_t pid, int argc, char *argv, int index) __attribute__((noreturn)); -bool is_ready_for_join(const pid_t pid); -void check_join_permission(pid_t pid); -pid_t switch_to_child(pid_t pid); // shutdown.c void shut(pid_t pid); @@ -499,7 +528,8 @@ void fwarning(char fmt, ...); void fmessage(char* fmt, ...); long long unsigned parse_arg_size(char str); -void drop_privs(int nogroups); +int check_can_drop_all_groups(); +void drop_privs(int force_nogroups); int mkpath_as_root(const char path); void extract_command_name(int index, char argv); void logsignal(int s); @@ -507,6 +537,7 @@ void logargs(int argc, char argv) ; void logerr(const char msg); void set_nice(int inc); +int copy_file_by_fd(int src, int dst); int copy_file(const char srcname, const char destname, uid_t uid, gid_t gid, mode_t mode); void copy_file_as_user(const char srcname, const char destname, mode_t mode); void copy_file_from_user_to_root(const char srcname, const char destname, uid_t uid, gid_t gid, mode_t mode); @@ -514,6 +545,7 @@ int is_dir(const char fname); int is_link(const char fname); char realpath_as_user(const char fname); +ssize_t readlink_as_user(const char fname, char buf, size_t sz); int stat_as_user(const char fname, struct stat s); int lstat_as_user(const char fname, struct stat s); void trim_trailing_slash_or_dot(char path); @@ -527,8 +559,7 @@ void wait_for_other(int fd); void notify_other(int fd); uid_t pid_get_uid(pid_t pid); -uid_t get_group_id(const char group); -int remove_overlay_directory(void); +gid_t get_group_id(const char groupname); void flush_stdin(void); int create_empty_dir_as_user(const char dir, mode_t mode); void create_empty_dir_as_root(const char dir, mode_t mode); @@ -543,6 +574,7 @@ int bind_mount_by_fd(int src, int dst); int bind_mount_path_to_fd(const char srcname, int dst); int bind_mount_fd_to_path(int src, const char destname); +void close_all(int keep_list, size_t sz); int has_handler(pid_t pid, int signal); void enter_network_namespace(pid_t pid); int read_pid(const char name, pid_t pid); @@ -561,8 +593,8 @@ // mountinfo.c MountData get_last_mount(void); -int get_mount_id(const char path); -char build_mount_array(const int mount_id, const char path); +int get_mount_id(int fd); +char *build_mount_array(const int mountid, const char path); // fs_var.c void fs_var_log(void); // mounting /var/log @@ -604,6 +636,7 @@ int seccomp_filter_drop(bool native); int seccomp_filter_keep(bool native); int seccomp_filter_mdwx(bool native); +int seccomp_filter_namespaces(bool native, const char list); void seccomp_print_filter(pid_t pid) __attribute__((noreturn)); // caps.c @@ -619,13 +652,13 @@ void caps_drop_dac_override(void); // fs_trace.c -void fs_trace_preload(void); +void fs_trace_touch_preload(void); +void fs_trace_touch_or_store_preload(void); void fs_tracefile(void); void fs_trace(void); // fs_hostname.c void fs_hostname(const char hostname); -void fs_resolvconf(void); char fs_check_hosts_file(const char fname); void fs_store_hosts_file(void); void fs_mount_hosts_file(void); @@ -636,19 +669,15 @@ // cpu.c void read_cpu_list(const char str); void set_cpu_affinity(void); -void load_cpu(const char fname); void save_cpu(void); void cpu_print_filter(pid_t pid) __attribute__((noreturn)); -// cgroup.c -void save_cgroup(void); -void load_cgroup(const char fname); -void set_cgroup(const char path); - // output.c void check_output(int argc, char *argv); // netfilter.c +void netfilter_netlock(pid_t pid); +void netfilter_trace(pid_t pid, const char cmd); void check_netfilter_file(const char fname); void netfilter(const char fname); void netfilter6(const char fname); @@ -668,6 +697,7 @@ void fs_private_dir_copy(const char private_dir, const char private_run_dir, const char private_list); void fs_private_dir_mount(const char private_dir, const char private_run_dir); void fs_private_dir_list(const char private_dir, const char private_run_dir, const char private_list); +void fs_rebuild_etc(void); // no_sandbox.c int check_namespace_virt(void); @@ -695,6 +725,7 @@ void fs_whitelist(void); // pulseaudio.c +void pipewire_disable(void); void pulseaudio_init(void); void pulseaudio_disable(void); @@ -702,6 +733,8 @@ void fs_private_bin_list(void); // fs_lib.c +int is_firejail_link(const char fname); +char find_in_path(const char program); void fs_private_lib(void); // protocol.c @@ -776,9 +809,9 @@ CFG_NETWORK, CFG_RESTRICTED_NETWORK, CFG_FORCE_NONEWPRIVS, - CFG_WHITELIST, CFG_XEPHYR_WINDOW_TITLE, CFG_OVERLAYFS, + CFG_ETC_HIDE_BLACKLISTED, CFG_PRIVATE_BIN, CFG_PRIVATE_BIN_NO_LOCAL, CFG_PRIVATE_CACHE, @@ -796,10 +829,12 @@ CFG_BROWSER_ALLOW_DRM, CFG_APPARMOR, CFG_DBUS, - CFG_CGROUP, CFG_NAME_CHANGE, CFG_SECCOMP_ERROR_ACTION, // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv + CFG_ALLOW_TRAY, + CFG_SECCOMP_LOG, + CFG_TRACELOG, CFG_MAX // this should always be the last entry }; extern char xephyr_screen; @@ -814,6 +849,7 @@ extern char whitelist_reject_topdirs; int checkcfg(int val); +void print_version(void); void print_compiletime_support(void); // appimage.c @@ -834,7 +870,6 @@ #define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread #define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread -//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") #define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter") #define PATH_FIREMON (PREFIX "/bin/firemon") @@ -843,21 +878,18 @@ #define PATH_FSECCOMP_MAIN (LIBDIR "/firejail/fseccomp") // when called from main thread #define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp") // when called from sandbox thread -// FSEC_PRINT is run outside of sandbox by --seccomp.print -// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first -#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print") +#define PATH_FSEC_PRINT (RUN_FIREJAIL_LIB_DIR "/fsec-print") -//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize") #define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize") -//#define PATH_FCOPY (LIBDIR "/firejail/fcopy") #define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy") #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" -//#define PATH_FLDD (LIBDIR "/firejail/fldd") #define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd") +#define PATH_FIDS (LIBDIR "/firejail/fids") + // bitmapped filters for sbox_run #define SBOX_ROOT (1 << 0) // run the sandbox as root #define SBOX_USER (1 << 1) // run the sandbox as a regular user @@ -869,7 +901,6 @@ #define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services #define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open -#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process // run sbox int sbox_run(unsigned filter, int num, ...); @@ -882,6 +913,8 @@ void set_name_run_file(pid_t pid); void set_x11_run_file(pid_t pid, int display); void set_profile_run_file(pid_t pid, const char fname); +void set_sandbox_run_file(pid_t pid, pid_t child); +void release_sandbox_lock(void); // dbus.c int dbus_check_name(const char name); @@ -902,4 +935,10 @@ // selinux.c void selinux_relabel_path(const char path, const char inside_path); +// ids.c +void run_ids(int argc, char argv); + +// oom.c +void oom_set(const char oom_string); + #endif
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,10 +20,7 @@ #include "firejail.h" #include "../include/gcov_wrapper.h" #include <sys/mount.h> -#include <sys/stat.h> #include <sys/statvfs.h> -#include <sys/wait.h> -#include <linux/limits.h> #include <fnmatch.h> #include <glob.h> #include <dirent.h> @@ -35,7 +32,7 @@ #endif #define MAX_BUF 4096 -#define EMPTY_STRING ("") + // check noblacklist statements not matched by a proper blacklist in disable-.inc files //#define TEST_NO_BLACKLIST_MATCHING @@ -97,22 +94,31 @@ return; } - // if the file is not present, do nothing assert(fname); - struct stat s; - if (stat(fname, &s) < 0) { + // check for firejail executable + // we might have a file found in ${PATH} pointing to /usr/bin/firejail + // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird + // and expects Firefox to open in the same sandbox + if (strcmp(BINDIR "/firejail", fname) == 0) { + free(fname); + return; + } + + // if the file is not present, do nothing + int fd = open(fname, O_PATH\|O_CLOEXEC); + if (fd < 0) { if (arg_debug) - printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno)); + printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno)); free(fname); return; } - // check for firejail executable - // we migth have a file found in ${PATH} pointing to /usr/bin/firejail - // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird - // and expects Firefox to open in the same sandbox - if (strcmp(BINDIR "/firejail", fname) == 0) { + struct stat s; + if (fstat(fd, &s) < 0) { + if (arg_debug) + printf("Warning (blacklisting): cannot stat %s: %s\n", fname, strerror(errno)); free(fname); + close(fd); return; } @@ -139,13 +145,6 @@ printf(" - no logging\n"); } - int fd = open(fname, O_PATH\|O_CLOEXEC); - if (fd < 0) { - if (arg_debug) - printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno)); - free(fname); - return; - } EUID_ROOT(); if (S_ISDIR(s.st_mode)) { if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0) @@ -156,12 +155,24 @@ errExit("disable file"); } EUID_USER(); - close(fd); if (op == BLACKLIST_FILE) fs_logger2("blacklist", fname); else fs_logger2("blacklist-nolog", fname); + + // files in /etc will be reprocessed during /etc rebuild + if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) { + ProfileEntry prf = malloc(sizeof(ProfileEntry)); + if (!prf) + errExit("malloc"); + memset(prf, 0, sizeof(ProfileEntry)); + prf->data = strdup(fname); + if (!prf->data) + errExit("strdup"); + prf->next = cfg.profile_rebuild_etc; + cfg.profile_rebuild_etc = prf; + } } } else if (op == MOUNT_READONLY \|\| op == MOUNT_RDWR \|\| op == MOUNT_NOEXEC) { @@ -170,8 +181,7 @@ else if (op == MOUNT_TMPFS) { if (!S_ISDIR(s.st_mode)) { fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname); - free(fname); - return; + goto out; } uid_t uid = getuid(); @@ -181,19 +191,18 @@ strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 \|\| fname[strlen(cfg.homedir)] != '/') { fwarning("you are not allowed to mount a tmpfs on %s\n", fname); - free(fname); - return; + goto out; } } fs_tmpfs(fname, uid); - EUID_USER(); // fs_tmpfs returns with EUID 0 - selinux_relabel_path(fname, fname); } else assert(0); +out: + close(fd); free(fname); } @@ -269,6 +278,8 @@ // blacklist files or directories by mounting empty files on top of them void fs_blacklist(void) { + EUID_ASSERT(); + ProfileEntry entry = cfg.profile; if (!entry) return; @@ -280,7 +291,6 @@ if (noblacklist == NULL) errExit("failed allocating memory for noblacklist entries"); - EUID_USER(); while (entry) { OPERATION op = OPERATION_MAX; char ptr; @@ -456,8 +466,6 @@ for (i = 0; i < noblacklist_c; i++) free(noblacklist[i]); free(noblacklist); - - EUID_ROOT(); } //*********************************************** @@ -466,7 +474,7 @@ // mount a writable tmpfs on directory; requires a resolved path void fs_tmpfs(const char dir, unsigned check_owner) { - EUID_USER(); + EUID_ASSERT(); assert(dir); if (arg_debug) printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); @@ -489,14 +497,15 @@ struct statvfs buf; if (fstatvfs(fd, &buf) == -1) errExit("fstatvfs"); - unsigned long flags = buf.f_flag & ~(MS_RDONLY\|MS_BIND); + unsigned long flags = buf.f_flag & ~(MS_RDONLY\|MS_BIND\|MS_REMOUNT); // mount via the symbolic link in /proc/self/fd - EUID_ROOT(); char proc; if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) errExit("asprintf"); + EUID_ROOT(); if (mount("tmpfs", proc, "tmpfs", flags\|MS_NOSUID\|MS_NODEV, options) < 0) errExit("mounting tmpfs"); + EUID_USER(); // check the last mount operation MountData mdata = get_last_mount(); if (strcmp(mdata->fstype, "tmpfs") != 0 \|\| strcmp(mdata->dir, dir) != 0) @@ -521,7 +530,9 @@ if (fstat(fd, &s) < 0) { // fstat can fail with EACCES if path is a FUSE mount, // mounted without 'allow_root' or 'allow_other' - if (errno != EACCES) + // fstat can also fail with EIO if the underlying FUSE system + // is being buggy + if (errno != EACCES && errno != EIO) errExit("fstat"); close(fd); goto out; @@ -622,40 +633,37 @@ } // remount recursively; requires a resolved path -static void fs_remount_rec(const char dir, OPERATION op) { +static void fs_remount_rec(const char path, OPERATION op) { EUID_ASSERT(); - assert(dir); + assert(op < OPERATION_MAX); + assert(path); - struct stat s; - if (stat(dir, &s) != 0) - return; - if (!S_ISDIR(s.st_mode)) { - // no need to search in /proc/self/mountinfo for submounts if not a directory - fs_remount_simple(dir, op); + // no need to search /proc/self/mountinfo for submounts if not a directory + int fd = open(path, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); + if (fd < 0) { + fs_remount_simple(path, op); return; } - // get mount point of the directory - int mountid = get_mount_id(dir); - if (mountid == -1) - return; - if (mountid == -2) { - // falling back to a simple remount on old kernels - static int mount_warning = 0; - if (!mount_warning) { - fwarning("read-only, read-write and noexec options are not applied recursively\n"); - mount_warning = 1; - } - fs_remount_simple(dir, op); + + // get mount id of the directory + int mountid = get_mount_id(fd); + close(fd); + if (mountid < 0) { + // falling back to a simple remount + fwarning("%s %s not applied recursively\n", opstr[op], path); + fs_remount_simple(path, op); return; } + // build array with all mount points that need to get remounted - char arr = build_mount_array(mountid, dir); - assert(arr); + char arr = build_mount_array(mountid, path); + if (!arr) + return; // remount - char tmp = arr; - while (tmp) { - fs_remount_simple(tmp, op); - free(tmp++); + int i; + for (i = 0; arr[i]; i++) { + fs_remount_simple(arr[i], op); + free(arr[i]); } free(arr); } @@ -819,13 +827,16 @@ // disable firejail configuration in ~/.config/firejail void disable_config(void) { EUID_USER(); +#ifndef HAVE_ONLY_SYSCFG_PROFILES char fname; if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) errExit("asprintf"); disable_file(BLACKLIST_FILE, fname); free(fname); +#endif // disable run time information + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_SANDBOX_DIR); disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); @@ -890,367 +901,6 @@ } - -#ifdef HAVE_OVERLAYFS -char fs_check_overlay_dir(const char subdirname, int allow_reuse) { - assert(subdirname); - EUID_ASSERT(); - struct stat s; - char dirname; - - if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - // check if ~/.firejail already exists - if (lstat(dirname, &s) == 0) { - if (!S_ISDIR(s.st_mode)) { - if (S_ISLNK(s.st_mode)) - fprintf(stderr, "Error: %s is a symbolic link\n", dirname); - else - fprintf(stderr, "Error: %s is not a directory\n", dirname); - exit(1); - } - if (s.st_uid != getuid()) { - fprintf(stderr, "Error: %s is not owned by the current user\n", dirname); - exit(1); - } - } - else { - // create ~/.firejail directory - create_empty_dir_as_user(dirname, 0700); - if (stat(dirname, &s) == -1) { - fprintf(stderr, "Error: cannot create directory %s\n", dirname); - exit(1); - } - } - free(dirname); - - // check overlay directory - if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) - errExit("asprintf"); - if (lstat(dirname, &s) == 0) { - if (!S_ISDIR(s.st_mode)) { - if (S_ISLNK(s.st_mode)) - fprintf(stderr, "Error: %s is a symbolic link\n", dirname); - else - fprintf(stderr, "Error: %s is not a directory\n", dirname); - exit(1); - } - if (s.st_uid != 0) { - fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname); - exit(1); - } - if (allow_reuse == 0) { - fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n"); - exit(1); - } - } - - return dirname; -} - - - -// mount overlayfs on top of / directory -// mounting an overlay and chrooting into it: -// -// Old Ubuntu kernel -// # cd ~ -// # mkdir -p overlay/root -// # mkdir -p overlay/diff -// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root -// # chroot /root/overlay/root -// to shutdown, first exit the chroot and then unmount the overlay -// # exit -// # umount /root/overlay/root -// -// Kernels 3.18+ -// # cd ~ -// # mkdir -p overlay/root -// # mkdir -p overlay/diff -// # mkdir -p overlay/work -// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root -// # cat /etc/mtab \| grep overlay -// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0 -// # chroot /root/overlay/root -// to shutdown, first exit the chroot and then unmount the overlay -// # exit -// # umount /root/overlay/root - - -// to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean -#include <sys/utsname.h> -void fs_overlayfs(void) { - struct stat s; - - // check kernel version - struct utsname u; - int rv = uname(&u); - if (rv != 0) - errExit("uname"); - int major; - int minor; - if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { - fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); - exit(1); - } - - if (arg_debug) - printf("Linux kernel version %d.%d\n", major, minor); - int oldkernel = 0; - if (major < 3) { - fprintf(stderr, "Error: minimum kernel version required 3.x\n"); - exit(1); - } - if (major == 3 && minor < 18) - oldkernel = 1; - - // mounting an overlayfs on top of / seems to be broken for kernels > 4.19 - // we disable overlayfs for now, pending fixing - if (major >= 4 &&minor >= 19) { - fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n"); - exit(1); - } - - char oroot = RUN_OVERLAY_ROOT; - mkdir_attr(oroot, 0755, 0, 0); - - // set base for working and diff directories - char basedir = RUN_MNT_DIR; - int basefd = -1; - - if (arg_overlay_keep) { - basedir = cfg.overlay_dir; - assert(basedir); - // get a file descriptor for ~/.firejail, fails if there is any symlink - char firejail; - if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - int fd = safer_openat(-1, firejail, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); - if (fd == -1) - errExit("safer_openat"); - free(firejail); - // create basedir if it doesn't exist - // the new directory will be owned by root - const char dirname = gnu_basename(basedir); - if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) { - perror("mkdir"); - fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir); - exit(1); - } - // open basedir - basefd = openat(fd, dirname, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); - close(fd); - } - else { - basefd = open(basedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); - } - if (basefd == -1) { - perror("open"); - fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir); - exit(1); - } - - // confirm once more base is owned by root - if (fstat(basefd, &s) == -1) - errExit("fstat"); - if (s.st_uid != 0) { - fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir); - exit(1); - } - // confirm permissions of base are 0755 - if (((S_IRWXU\|S_IRGRP\|S_IXGRP\|S_IROTH\|S_IXOTH) & s.st_mode) != (S_IRWXU\|S_IRGRP\|S_IXGRP\|S_IROTH\|S_IXOTH)) { - fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir); - exit(1); - } - - // create diff and work directories inside base - // no need to check arg_overlay_reuse - char odiff; - if (asprintf(&odiff, "%s/odiff", basedir) == -1) - errExit("asprintf"); - // the new directory will be owned by root - if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) { - perror("mkdir"); - fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff); - exit(1); - } - ASSERT_PERMS(odiff, 0, 0, 0755); - - char owork; - if (asprintf(&owork, "%s/owork", basedir) == -1) - errExit("asprintf"); - // the new directory will be owned by root - if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) { - perror("mkdir"); - fprintf(stderr, "Error: cannot create overlay directory %s\n", owork); - exit(1); - } - ASSERT_PERMS(owork, 0, 0, 0755); - - // mount overlayfs - if (arg_debug) - printf("Mounting OverlayFS\n"); - char option; - if (oldkernel) { // old Ubuntu/OpenSUSE kernels - if (arg_overlay_keep) { - fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n"); - exit(1); - } - if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1) - errExit("asprintf"); - if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0) - errExit("mounting overlayfs"); - } - else { // kernel 3.18 or newer - if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1) - errExit("asprintf"); - if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) { - fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor); - errExit("mounting overlayfs"); - } - - //************************** - // issue #263 start code - // My setup has a separate mount point for /home. When the overlay is mounted, - // the overlay does not contain the original /home contents. - // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work - // @dshmgh, Jan 2016 - { - char overlayhome; - struct stat s; - char hroot; - char hdiff; - char hwork; - - // dons add debug - if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork); - - // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it? - // must create var for oroot/cfg.homedir - if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1) - errExit("asprintf"); - if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome); - - // if no homedir in overlay -- create another overlay for /home - if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) { - - // no need to check arg_overlay_reuse - if (asprintf(&hdiff, "%s/hdiff", basedir) == -1) - errExit("asprintf"); - // the new directory will be owned by root - if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) { - perror("mkdir"); - fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff); - exit(1); - } - ASSERT_PERMS(hdiff, 0, 0, 0755); - - // no need to check arg_overlay_reuse - if (asprintf(&hwork, "%s/hwork", basedir) == -1) - errExit("asprintf"); - // the new directory will be owned by root - if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) { - perror("mkdir"); - fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork); - exit(1); - } - ASSERT_PERMS(hwork, 0, 0, 0755); - - // no homedir in overlay so now mount another overlay for /home - if (asprintf(&hroot, "%s/home", oroot) == -1) - errExit("asprintf"); - if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) - errExit("asprintf"); - if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0) - errExit("mounting overlayfs for mounted home directory"); - - printf("OverlayFS for /home configured in %s directory\n", basedir); - free(hroot); - free(hdiff); - free(hwork); - - } // stat(overlayhome) - free(overlayhome); - } - // issue #263 end code - //*************************** - } - fmessage("OverlayFS configured in %s directory\n", basedir); - close(basefd); - - // /dev, /run and /tmp are not covered by the overlay - // mount-bind dev directory - if (arg_debug) - printf("Mounting /dev\n"); - char dev; - if (asprintf(&dev, "%s/dev", oroot) == -1) - errExit("asprintf"); - if (mount("/dev", dev, NULL, MS_BIND\|MS_REC, NULL) < 0) - errExit("mounting /dev"); - fs_logger("whitelist /dev"); - - // mount-bind run directory - if (arg_debug) - printf("Mounting /run\n"); - char run; - if (asprintf(&run, "%s/run", oroot) == -1) - errExit("asprintf"); - if (mount("/run", run, NULL, MS_BIND\|MS_REC, NULL) < 0) - errExit("mounting /run"); - fs_logger("whitelist /run"); - - // mount-bind tmp directory - if (arg_debug) - printf("Mounting /tmp\n"); - char tmp; - if (asprintf(&tmp, "%s/tmp", oroot) == -1) - errExit("asprintf"); - if (mount("/tmp", tmp, NULL, MS_BIND\|MS_REC, NULL) < 0) - errExit("mounting /tmp"); - fs_logger("whitelist /tmp"); - - // chroot in the new filesystem - __gcov_flush(); - - if (chroot(oroot) == -1) - errExit("chroot"); - - // mount a new proc filesystem - if (arg_debug) - printf("Mounting /proc filesystem representing the PID namespace\n"); - if (mount("proc", "/proc", "proc", MS_NOSUID \| MS_NOEXEC \| MS_NODEV \| MS_REC, NULL) < 0) - errExit("mounting /proc"); - - // update /var directory in order to support multiple sandboxes running on the same root directory -// if (!arg_private_dev) -// fs_dev_shm(); - fs_var_lock(); - if (!arg_keep_var_tmp) - fs_var_tmp(); - if (!arg_writable_var_log) - fs_var_log(); - fs_var_lib(); - fs_var_cache(); - fs_var_utmp(); - fs_machineid(); - - // don't leak user information - restrict_users(); - - // when starting as root, firejail config is not disabled; - if (getuid() != 0) - disable_config(); - - // cleanup and exit - free(option); - free(odiff); - free(owork); - free(dev); - free(run); - free(tmp); -} -#endif - // this function is called from sandbox.c before blacklist/whitelist functions void fs_private_tmp(void) { EUID_ASSERT(); @@ -1274,9 +924,11 @@ // whitelist x11 directory profile_add("whitelist /tmp/.X11-unix"); - // read-only x11 directory profile_add("read-only /tmp/.X11-unix"); + // whitelist sndio directory + profile_add("whitelist /tmp/sndio"); + // whitelist any pulse file in /tmp directory // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user DIR *dir;
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_bin.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -27,7 +27,7 @@ static int prog_cnt = 0; -static char paths[] = { +static const char const paths[] = { "/usr/local/bin", "/usr/bin", "/bin", @@ -40,10 +40,10 @@ }; // return 1 if found, 0 if not found -static char check_dir_or_file(const char name) { +static const char check_dir_or_file(const char name) { + EUID_ASSERT(); assert(name); struct stat s; - char fname = NULL; int i = 0; while (paths[i]) { @@ -54,50 +54,34 @@ } // check file + char fname; if (asprintf(&fname, "%s/%s", paths[i], name) == -1) errExit("asprintf"); if (arg_debug) printf("Checking %s/%s\n", paths[i], name); - if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories - // check symlink to firejail executable in /usr/local/bin - if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { - /* coverity[toctou] / - char actual_path = realpath(fname, NULL); - if (actual_path) { - char ptr = strstr(actual_path, "/firejail"); - if (ptr && strlen(ptr) == strlen("/firejail")) { - if (arg_debug) - printf("firejail exec symlink detected\n"); - free(actual_path); - free(fname); - fname = NULL; - i++; - continue; - } - free(actual_path); - } - - } + if (stat(fname, &s) == 0 && + !S_ISDIR(s.st_mode) && // do not allow directories + !is_firejail_link(fname)) { // skip symlinks to firejail executable, as created by firecfg + free(fname); break; // file found } free(fname); - fname = NULL; i++; } - if (!fname) { + if (!paths[i]) { if (arg_debug) fwarning("file %s not found\n", name); return NULL; } - free(fname); return paths[i]; } // return 1 if the file is in paths[] static int valid_full_path_file(const char name) { + EUID_ASSERT(); assert(name); if (name != '/') @@ -149,6 +133,7 @@ } static void duplicate(char fname) { + EUID_ASSERT(); assert(fname); if (fname == '~' \|\| strstr(fname, "..")) { @@ -175,7 +160,7 @@ else { // Find the standard directory (by looping through paths[]) // where the filename fname is located - char path = check_dir_or_file(fname); + const char path = check_dir_or_file(fname); if (!path) return; if (asprintf(&full_path, "%s/%s", path, fname) == -1) @@ -220,6 +205,7 @@ } static void globbing(char fname) { + EUID_ASSERT(); assert(fname); // go directly to duplicate() if no globbing char is present - see man 7 glob @@ -256,6 +242,9 @@ // testing for GLOB_NOCHECK - no pattern matched returns the original pattern if (strcmp(globbuf.gl_pathv[j], pattern) == 0) continue; + // skip symlinks to firejail executable, as created by firecfg + if (is_firejail_link(globbuf.gl_pathv[j])) + continue; duplicate(globbuf.gl_pathv[j]); } @@ -267,6 +256,7 @@ } void fs_private_bin_list(void) { + EUID_ASSERT(); char *private_list = cfg.bin_private_keep; assert(private_list); @@ -274,7 +264,9 @@ timetrace_start(); // create /run/firejail/mnt/bin directory + EUID_ROOT(); mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); + EUID_USER(); if (arg_debug) printf("Copying files in the new bin directory\n"); @@ -293,9 +285,9 @@ while ((ptr = strtok(NULL, ",")) != NULL) globbing(ptr); free(dlist); - fs_logger_print(); // mount-bind + EUID_ROOT(); int i = 0; while (paths[i]) { struct stat s; @@ -309,6 +301,9 @@ } i++; } + fs_logger_print(); + EUID_USER(); + selinux_relabel_path(RUN_BIN_DIR, "/bin"); fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end()); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_dev.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,7 +20,6 @@ #include "firejail.h" #include <sys/mount.h> #include <sys/stat.h> -#include <linux/limits.h> #include <glob.h> #include <dirent.h> #include <fcntl.h> @@ -330,8 +329,10 @@ } // disable all jack sockets in /dev/shm + EUID_USER(); glob_t globbuf; int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf); + EUID_ROOT(); if (globerr) return;
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_etc.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -24,6 +24,7 @@ #include <sys/types.h> #include <time.h> #include <unistd.h> +#include <dirent.h> // spoof /etc/machine_id void fs_machineid(void) { @@ -103,7 +104,10 @@ q = '\0'; r = '/'; r = q; - create_empty_dir_as_root(dst, s.st_mode); + if (mkdir(dst, 0700) != 0 && errno != EEXIST) + errExit("mkdir"); + if (chmod(dst, s.st_mode) != 0) + errExit("chmod"); } if (!last) { // If we're not at the final terminating null, restore @@ -141,7 +145,7 @@ static void duplicate(const char fname, const char private_dir, const char private_run_dir) { assert(fname); - if (fname == '~' \|\| fname == '/' \|\| strncmp(fname, "..", 2) == 0) { + if (fname == '~' \|\| fname == '/' \|\| strstr(fname, "..")) { fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); exit(1); } @@ -164,7 +168,14 @@ errExit("asprintf"); build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir)); - sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst); + + // follow links! this will make a copy of the file or directory pointed by the symlink + // this will solve problems such as NixOS #4887 + // don't follow links to dynamic directories such as /proc + if (strcmp(src, "/etc/mtab") == 0) + sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst); + else + sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst); free(dst); fs_logger2("clone", src); @@ -250,3 +261,134 @@ fs_private_dir_mount(private_dir, private_run_dir); fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); } + +void fs_rebuild_etc(void) { + int have_dhcp = 1; + if (cfg.dns1 == NULL && !any_dhcp()) { + // Disabling this option ensures that updates to files using + // rename(2) propagate into the sandbox, in order to avoid + // breaking /etc/resolv.conf (issue #5010). + if (!checkcfg(CFG_ETC_HIDE_BLACKLISTED)) + return; + have_dhcp = 0; + } + + if (arg_debug) + printf("rebuilding /etc directory\n"); + if (mkdir(RUN_DNS_ETC, 0755)) + errExit("mkdir"); + selinux_relabel_path(RUN_DNS_ETC, "/etc"); + fs_logger("tmpfs /etc"); + + DIR dir = opendir("/etc"); + if (!dir) + errExit("opendir"); + + struct stat s; + struct dirent entry; + while ((entry = readdir(dir))) { + if (strcmp(entry->d_name, ".") == 0 \|\| strcmp(entry->d_name, "..") == 0) + continue; + + // skip files in cfg.profile_rebuild_etc list + // these files are already blacklisted + { + ProfileEntry prf = cfg.profile_rebuild_etc; + int found = 0; + while (prf) { + if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/") + found = 1; + break; + } + prf = prf->next; + } + if (found) + continue; + } + + // for resolv.conf we might have to create a brand new file later + if (have_dhcp && + (strcmp(entry->d_name, "resolv.conf") == 0 \|\| + strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0)) + continue; +// printf("linking %s\n", entry->d_name); + + char src; + if (asprintf(&src, "/etc/%s", entry->d_name) == -1) + errExit("asprintf"); + if (stat(src, &s) != 0) { + free(src); + continue; + } + + char dest; + if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1) + errExit("asprintf"); + + int symlink_done = 0; + if (is_link(src)) { + char rp =realpath(src, NULL); + if (rp == NULL) { + free(src); + free(dest); + continue; + } + if (symlink(rp, dest)) + errExit("symlink"); + else + symlink_done = 1; + } + else if (S_ISDIR(s.st_mode)) + create_empty_dir_as_root(dest, S_IRWXU); + else + create_empty_file_as_root(dest, S_IRUSR \| S_IWUSR); + + // bind-mount src on top of dest + if (!symlink_done) { + if (mount(src, dest, NULL, MS_BIND\|MS_REC, NULL) < 0) + errExit("mount bind mirroring /etc"); + } + fs_logger2("clone", src); + + free(src); + free(dest); + } + closedir(dir); + + // mount bind our private etc directory on top of /etc + if (arg_debug) + printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC); + if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND\|MS_REC, NULL) < 0) + errExit("mount bind mirroring /etc"); + fs_logger("mount /etc"); + + if (have_dhcp == 0) + return; + + if (arg_debug) + printf("Creating a new /etc/resolv.conf file\n"); + FILE fp = fopen("/etc/resolv.conf", "wxe"); + if (!fp) { + fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); + exit(1); + } + + if (cfg.dns1) { + if (any_dhcp()) + fwarning("network setup uses DHCP, nameservers will likely be overwritten\n"); + fprintf(fp, "nameserver %s\n", cfg.dns1); + } + if (cfg.dns2) + fprintf(fp, "nameserver %s\n", cfg.dns2); + if (cfg.dns3) + fprintf(fp, "nameserver %s\n", cfg.dns3); + if (cfg.dns4) + fprintf(fp, "nameserver %s\n", cfg.dns4); + + // mode and owner + SET_PERMS_STREAM(fp, 0, 0, 0644); + + fclose(fp); + + fs_logger("create /etc/resolv.conf"); +}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_home.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -19,7 +19,6 @@ / #include "firejail.h" #include <sys/mount.h> -#include <linux/limits.h> #include <dirent.h> #include <errno.h> #include <sys/stat.h> @@ -34,13 +33,37 @@ #define O_PATH 010000000 #endif +static void disable_tab_completion(const char homedir) { + if (arg_tab) + return; + + char fname; + if (asprintf(&fname, "%s/.inputrc", homedir) == -1) + errExit("asprintf"); + + // don't create a new one if we already have it + if (access(fname, F_OK)) { + FILE fp = fopen(fname, "w"); + if (!fp) + errExit("fopen"); + fprintf(fp, "set disable-completion on\n"); + fclose(fp); + if (chmod(fname, 0644)) + errExit("chmod"); + } + free(fname); +} + + static void skel(const char homedir) { EUID_ASSERT(); + char fname; + + disable_tab_completion(homedir); // zsh - if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 \|\| strcmp(cfg.shell,"/bin/zsh") == 0)) { + if (strcmp(cfg.usershell,"/usr/bin/zsh") == 0 \|\| strcmp(cfg.usershell,"/bin/zsh") == 0) { // copy skel files - char fname; if (asprintf(&fname, "%s/.zshrc", homedir) == -1) errExit("asprintf"); // don't copy it if we already have the file @@ -63,9 +86,8 @@ free(fname); } // csh - else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) { + else if (strcmp(cfg.usershell,"/bin/csh") == 0) { // copy skel files - char fname; if (asprintf(&fname, "%s/.cshrc", homedir) == -1) errExit("asprintf"); // don't copy it if we already have the file @@ -90,7 +112,6 @@ // bash etc. else { // copy skel files - char fname; if (asprintf(&fname, "%s/.bashrc", homedir) == -1) errExit("asprintf"); // don't copy it if we already have the file @@ -381,12 +402,14 @@ selinux_relabel_path("/home", "/home"); fs_logger("tmpfs /home"); } + EUID_USER(); if (u != 0) { if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { // create new empty /home/user directory if (arg_debug) printf("Create a new user directory\n"); + EUID_ROOT(); if (mkdir(homedir, S_IRWXU) == -1) { if (mkpath_as_root(homedir) == -1) errExit("mkpath"); @@ -395,7 +418,7 @@ } if (chown(homedir, u, g) < 0) errExit("chown"); - + EUID_USER(); fs_logger2("mkdir", homedir); fs_logger2("tmpfs", homedir); } @@ -406,7 +429,6 @@ selinux_relabel_path(homedir, homedir); } - EUID_USER(); skel(homedir); if (xflag) @@ -433,18 +455,33 @@ } // check new private working directory (--private-cwd= option) - exit if it fails +// for testing: +// $ firejail --private --private-cwd=. --noprofile ls +// issue #4780: exposes full home directory, not the --private one +// $ firejail --private-cwd=.. --noprofile ls -> error: full dir path required +// $ firejail --private-cwd=/etc --noprofile ls -> OK +// $ firejail --private-cwd=FULL-SYMLINK-PATH --noprofile ls -> error: no symlinks +// $ firejail --private --private-cwd="${HOME}" --noprofile ls -al --> OK +// $ firejail --private --private-cwd='${HOME}' --noprofile ls -al --> OK +// $ firejail --private-cwd --> OK: should go in top of the home dir +// profile with "private-cwd ${HOME} void fs_check_private_cwd(const char dir) { EUID_ASSERT(); invalid_filename(dir, 0); // no globbing + if (strcmp(dir, ".") == 0) + goto errout; // Expand the working directory cfg.cwd = expand_macros(dir); // realpath/is_dir not used because path may not exist outside of jail - if (strstr(cfg.cwd, "..")) { - fprintf(stderr, "Error: invalid private working directory\n"); - exit(1); - } + if (strstr(cfg.cwd, "..") \|\| cfg.cwd != '/') + goto errout; + + return; +errout: + fprintf(stderr, "Error: invalid private working directory\n"); + exit(1); } //********************************************************************************** @@ -564,12 +601,13 @@ int xflag = store_xauthority(); int aflag = store_asoundrc(); - // create /run/firejail/mnt/home directory EUID_ROOT(); + // create /run/firejail/mnt/home directory mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); selinux_relabel_path(RUN_HOME_DIR, homedir); - fs_logger_print(); // save the current log + // save the current log + fs_logger_print(); EUID_USER(); // copy the list of files in the new home directory
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_hostname.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,7 +20,6 @@ #include "firejail.h" #include <sys/mount.h> #include <sys/stat.h> -#include <linux/limits.h> #include <glob.h> #include <dirent.h> #include <fcntl.h> @@ -33,7 +32,7 @@ if (arg_debug) printf("Creating a new /etc/hostname file\n"); - create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH); + create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); // bind-mount the file on top of /etc/hostname if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND\|MS_REC, NULL) < 0) @@ -75,7 +74,7 @@ } fclose(fp1); // mode and owner - SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH); + SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); fclose(fp2); // bind-mount the file on top of /etc/hostname @@ -88,118 +87,11 @@ exit(1); } -void fs_resolvconf(void) { - if (cfg.dns1 == NULL && !any_dhcp()) - return; - - if (arg_debug) - printf("mirroring /etc directory\n"); - if (mkdir(RUN_DNS_ETC, 0755)) - errExit("mkdir"); - selinux_relabel_path(RUN_DNS_ETC, "/etc"); - fs_logger("tmpfs /etc"); - - DIR dir = opendir("/etc"); - if (!dir) - errExit("opendir"); - - struct stat s; - struct dirent entry; - while ((entry = readdir(dir))) { - if (strcmp(entry->d_name, ".") == 0 \|\| strcmp(entry->d_name, "..") == 0) - continue; - // for resolv.conf we create a brand new file - if (strcmp(entry->d_name, "resolv.conf") == 0 \|\| - strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0) - continue; -// printf("linking %s\n", entry->d_name); - - char src; - if (asprintf(&src, "/etc/%s", entry->d_name) == -1) - errExit("asprintf"); - if (stat(src, &s) != 0) { - free(src); - continue; - } - - char dest; - if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1) - errExit("asprintf"); - - int symlink_done = 0; - if (is_link(src)) { - char rp =realpath(src, NULL); - if (rp == NULL) { - free(src); - free(dest); - continue; - } - if (symlink(rp, dest)) - errExit("symlink"); - else - symlink_done = 1; - } - else if (S_ISDIR(s.st_mode)) - create_empty_dir_as_root(dest, s.st_mode); - else - create_empty_file_as_root(dest, s.st_mode); - - // bind-mount src on top of dest - if (!symlink_done) { - if (mount(src, dest, NULL, MS_BIND\|MS_REC, NULL) < 0) - errExit("mount bind mirroring /etc"); - } - fs_logger2("clone", src); - - free(src); - free(dest); - } - closedir(dir); - - // mount bind our private etc directory on top of /etc - if (arg_debug) - printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC); - if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND\|MS_REC, NULL) < 0) - errExit("mount bind mirroring /etc"); - fs_logger("mount /etc"); - - if (arg_debug) - printf("Creating a new /etc/resolv.conf file\n"); - FILE fp = fopen("/etc/resolv.conf", "wxe"); - if (!fp) { - fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); - exit(1); - } - - if (cfg.dns1) { - if (any_dhcp()) - fwarning("network setup uses DHCP, nameservers will likely be overwritten\n"); - fprintf(fp, "nameserver %s\n", cfg.dns1); - } - if (cfg.dns2) - fprintf(fp, "nameserver %s\n", cfg.dns2); - if (cfg.dns3) - fprintf(fp, "nameserver %s\n", cfg.dns3); - if (cfg.dns4) - fprintf(fp, "nameserver %s\n", cfg.dns4); - - // mode and owner - SET_PERMS_STREAM(fp, 0, 0, 0644); - - fclose(fp); - - fs_logger("create /etc/resolv.conf"); -} - char fs_check_hosts_file(const char fname) { assert(fname); invalid_filename(fname, 0); // no globbing char *rv = expand_macros(fname); - // no a link - if (is_link(rv)) - goto errexit; - // the user has read access to the file if (access(rv, R_OK)) goto errexit; @@ -222,9 +114,6 @@ struct stat s; if (stat("/etc/hosts", &s) == -1) goto errexit; - // not a link - if (is_link("/etc/hosts")) - goto errexit; // owned by root if (s.st_uid != 0) goto errexit;
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_lib.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -61,17 +61,31 @@ return 0; } +// return 1 if symlink to firejail executable +int is_firejail_link(const char fname) { + EUID_ASSERT(); + + if (!is_link(fname)) + return 0; + + char rp = realpath(fname, NULL); + if (!rp) + return 0; + + int rv = 0; + const char base = gnu_basename(rp); + if (strcmp(base, "firejail") == 0) + rv = 1; + + free(rp); + return rv; +} + char find_in_path(const char program) { EUID_ASSERT(); if (arg_debug) printf("Searching $PATH for %s\n", program); - char self[MAXBUF]; - ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1); - if (len < 0) - errExit("readlink"); - self[len] = '\0'; - const char path = env_get("PATH"); if (!path) return NULL; @@ -88,18 +102,12 @@ if (arg_debug) printf("trying #%s#\n", fname); struct stat s; - if (stat(fname, &s) == 0) { - // but skip links created by firecfg - char rp = realpath(fname, NULL); - if (!rp) - errExit("realpath"); - if (strcmp(self, rp) != 0) { - free(rp); - free(dup); - return fname; - } - free(rp); + if (stat(fname, &s) == 0 && + !is_firejail_link(fname)) { // skip links created by firecfg + free(dup); + return fname; } + free(fname); tok = strtok(NULL, ":"); } @@ -195,6 +203,11 @@ assert(full_path); // if library/executable does not exist or the user does not have read access to it // print a warning and exit the function. + if (access(full_path, F_OK)) { + if (arg_debug \|\| arg_debug_private_lib) + printf("Cannot find %s, skipping...\n", full_path); + return; + } if (user && access(full_path, R_OK)) { if (arg_debug \|\| arg_debug_private_lib) printf("Cannot read %s, skipping...\n", full_path); @@ -263,9 +276,9 @@ assert(lib); // filename check - int len = strlen(lib); - if (strcspn(lib, "\\&!?\"'<>%^(){}[];,") != (size_t)len \|\| - strstr(lib, "..")) { + reject_meta_chars(lib, 1); + + if (strstr(lib, "..")) { fprintf(stderr, "Error: \"%s\" is an invalid library\n", lib); exit(1); } @@ -379,8 +392,7 @@ char private_list = cfg.lib_private_keep; if (arg_debug \|\| arg_debug_private_lib) printf("Starting private-lib processing: program %s, shell %s\n", - (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none", - (arg_shell_none)? "none": cfg.shell); + (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none", cfg.usershell); // create /run/firejail/mnt/lib directory mkdir_attr(RUN_LIB_DIR, 0755, 0, 0); @@ -417,15 +429,15 @@ } } - // for the shell - if (!arg_shell_none) { - if (arg_debug \|\| arg_debug_private_lib) - printf("Installing shell libraries\n"); - - fslib_install_list(cfg.shell); - // a shell is useless without some basic commands - fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); - } +// Note: this might be used for appimages!!! +// if (!arg_shell_none) { +// if (arg_debug \|\| arg_debug_private_lib) +// printf("Installing shell libraries\n"); +// +// fslib_install_list(cfg.shell); +// // a shell is useless without some basic commands +// fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); +// } // for the listed libs and directories if (private_list && *private_list != '\0') {
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_lib2.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -143,7 +143,7 @@ NULL, }; - // need to parse as root user, unprivileged users have no read permission on executables + // need to parse as root user, unprivileged users have no read permission on some of these binaries int i; for (i = 0; fbin[i]; i++) fslib_mount_libs(fbin[i], 0); @@ -153,7 +153,9 @@ timetrace_start(); // bring in firejail executable libraries, in case we are redirected here // by a firejail symlink from /usr/local/bin/firejail - fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user + // fldd might have no read permission on the firejail executable + // parse as root in order to support these setups + fslib_mount_libs(PATH_FIREJAIL, 0); // bring in firejail directory fdir();
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_logger.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> +#include <fcntl.h> #define MAXBUF 4098 @@ -120,24 +121,21 @@ void fs_logger_print_log(pid_t pid) { EUID_ASSERT(); - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); + ProcessHandle sandbox = pin_sandbox_process(pid); - // exit if no permission to join the sandbox - check_join_permission(pid); + // chroot in the sandbox + process_rootfs_chroot(sandbox); + unpin_process(sandbox); - // print RUN_FSLOGGER_FILE - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_FSLOGGER_FILE) == -1) - errExit("asprintf"); + drop_privs(0); - EUID_ROOT(); - FILE fp = fopen(fname, "re"); - free(fname); + // print RUN_FSLOGGER_FILE + FILE *fp = fopen(RUN_FSLOGGER_FILE, "re"); if (!fp) { fprintf(stderr, "Error: Cannot open filesystem log\n"); exit(1); } + char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) printf("%s", buf);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_mkdir.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_overlayfs.c ^
@@ -0,0 +1,470 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ + +#ifdef HAVE_OVERLAYFS +#include "firejail.h" +#include "../include/gcov_wrapper.h" +#include <sys/mount.h> +#include <sys/wait.h> +#include <ftw.h> +#include <errno.h> + +#include <fcntl.h> +#ifndef O_PATH +#define O_PATH 010000000 +#endif + + +char fs_check_overlay_dir(const char subdirname, int allow_reuse) { + assert(subdirname); + EUID_ASSERT(); + struct stat s; + char dirname; + + if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + // check if ~/.firejail already exists + if (lstat(dirname, &s) == 0) { + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) + fprintf(stderr, "Error: %s is a symbolic link\n", dirname); + else + fprintf(stderr, "Error: %s is not a directory\n", dirname); + exit(1); + } + if (s.st_uid != getuid()) { + fprintf(stderr, "Error: %s is not owned by the current user\n", dirname); + exit(1); + } + } + else { + // create ~/.firejail directory + create_empty_dir_as_user(dirname, 0700); + if (stat(dirname, &s) == -1) { + fprintf(stderr, "Error: cannot create directory %s\n", dirname); + exit(1); + } + } + free(dirname); + + // check overlay directory + if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) + errExit("asprintf"); + if (lstat(dirname, &s) == 0) { + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) + fprintf(stderr, "Error: %s is a symbolic link\n", dirname); + else + fprintf(stderr, "Error: %s is not a directory\n", dirname); + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname); + exit(1); + } + if (allow_reuse == 0) { + fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n"); + exit(1); + } + } + + return dirname; +} + + +// mount overlayfs on top of / directory +// mounting an overlay and chrooting into it: +// +// Old Ubuntu kernel +// # cd ~ +// # mkdir -p overlay/root +// # mkdir -p overlay/diff +// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root +// # chroot /root/overlay/root +// to shutdown, first exit the chroot and then unmount the overlay +// # exit +// # umount /root/overlay/root +// +// Kernels 3.18+ +// # cd ~ +// # mkdir -p overlay/root +// # mkdir -p overlay/diff +// # mkdir -p overlay/work +// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root +// # cat /etc/mtab \| grep overlay +// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0 +// # chroot /root/overlay/root +// to shutdown, first exit the chroot and then unmount the overlay +// # exit +// # umount /root/overlay/root + +// to do: fix the code below +#include <sys/utsname.h> +void fs_overlayfs(void) { + struct stat s; + + // check kernel version + struct utsname u; + int rv = uname(&u); + if (rv != 0) + errExit("uname"); + int major; + int minor; + if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { + fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); + exit(1); + } + + if (arg_debug) + printf("Linux kernel version %d.%d\n", major, minor); + int oldkernel = 0; + if (major < 3) { + fprintf(stderr, "Error: minimum kernel version required 3.x\n"); + exit(1); + } + if (major == 3 && minor < 18) + oldkernel = 1; + + // mounting an overlayfs on top of / seems to be broken for kernels > 4.19 + // we disable overlayfs for now, pending fixing + if (major >= 4 &&minor >= 19) { + fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n"); + exit(1); + } + + char oroot = RUN_OVERLAY_ROOT; + mkdir_attr(oroot, 0755, 0, 0); + + // set base for working and diff directories + char basedir = RUN_MNT_DIR; + int basefd = -1; + + if (arg_overlay_keep) { + basedir = cfg.overlay_dir; + assert(basedir); + // get a file descriptor for ~/.firejail, fails if there is any symlink + char firejail; + if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + int fd = safer_openat(-1, firejail, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); + if (fd == -1) + errExit("safer_openat"); + free(firejail); + // create basedir if it doesn't exist + // the new directory will be owned by root + const char dirname = gnu_basename(basedir); + if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) { + perror("mkdir"); + fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir); + exit(1); + } + // open basedir + basefd = openat(fd, dirname, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); + close(fd); + } + else { + basefd = open(basedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); + } + if (basefd == -1) { + perror("open"); + fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir); + exit(1); + } + + // confirm once more base is owned by root + if (fstat(basefd, &s) == -1) + errExit("fstat"); + if (s.st_uid != 0) { + fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir); + exit(1); + } + // confirm permissions of base are 0755 + if (((S_IRWXU\|S_IRGRP\|S_IXGRP\|S_IROTH\|S_IXOTH) & s.st_mode) != (S_IRWXU\|S_IRGRP\|S_IXGRP\|S_IROTH\|S_IXOTH)) { + fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir); + exit(1); + } + + // create diff and work directories inside base + // no need to check arg_overlay_reuse + char odiff; + if (asprintf(&odiff, "%s/odiff", basedir) == -1) + errExit("asprintf"); + // the new directory will be owned by root + if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) { + perror("mkdir"); + fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff); + exit(1); + } + ASSERT_PERMS(odiff, 0, 0, 0755); + + char owork; + if (asprintf(&owork, "%s/owork", basedir) == -1) + errExit("asprintf"); + // the new directory will be owned by root + if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) { + perror("mkdir"); + fprintf(stderr, "Error: cannot create overlay directory %s\n", owork); + exit(1); + } + ASSERT_PERMS(owork, 0, 0, 0755); + + // mount overlayfs + if (arg_debug) + printf("Mounting OverlayFS\n"); + char option; + if (oldkernel) { // old Ubuntu/OpenSUSE kernels + if (arg_overlay_keep) { + fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n"); + exit(1); + } + if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1) + errExit("asprintf"); + if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0) + errExit("mounting overlayfs"); + } + else { // kernel 3.18 or newer + if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1) + errExit("asprintf"); + if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) { + fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor); + errExit("mounting overlayfs"); + } + + //************************** + // issue #263 start code + // My setup has a separate mount point for /home. When the overlay is mounted, + // the overlay does not contain the original /home contents. + // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work + // @dshmgh, Jan 2016 + { + char overlayhome; + struct stat s; + char hroot; + char hdiff; + char hwork; + + // dons add debug + if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork); + + // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it? + // must create var for oroot/cfg.homedir + if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1) + errExit("asprintf"); + if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome); + + // if no homedir in overlay -- create another overlay for /home + if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) { + + // no need to check arg_overlay_reuse + if (asprintf(&hdiff, "%s/hdiff", basedir) == -1) + errExit("asprintf"); + // the new directory will be owned by root + if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) { + perror("mkdir"); + fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff); + exit(1); + } + ASSERT_PERMS(hdiff, 0, 0, 0755); + + // no need to check arg_overlay_reuse + if (asprintf(&hwork, "%s/hwork", basedir) == -1) + errExit("asprintf"); + // the new directory will be owned by root + if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) { + perror("mkdir"); + fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork); + exit(1); + } + ASSERT_PERMS(hwork, 0, 0, 0755); + + // no homedir in overlay so now mount another overlay for /home + if (asprintf(&hroot, "%s/home", oroot) == -1) + errExit("asprintf"); + if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) + errExit("asprintf"); + if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0) + errExit("mounting overlayfs for mounted home directory"); + + printf("OverlayFS for /home configured in %s directory\n", basedir); + free(hroot); + free(hdiff); + free(hwork); + + } // stat(overlayhome) + free(overlayhome); + } + // issue #263 end code + //*************************** + } + fmessage("OverlayFS configured in %s directory\n", basedir); + close(basefd); + + // /dev, /run and /tmp are not covered by the overlay + // mount-bind dev directory + if (arg_debug) + printf("Mounting /dev\n"); + char dev; + if (asprintf(&dev, "%s/dev", oroot) == -1) + errExit("asprintf"); + if (mount("/dev", dev, NULL, MS_BIND\|MS_REC, NULL) < 0) + errExit("mounting /dev"); + fs_logger("whitelist /dev"); + + // mount-bind run directory + if (arg_debug) + printf("Mounting /run\n"); + char run; + if (asprintf(&run, "%s/run", oroot) == -1) + errExit("asprintf"); + if (mount("/run", run, NULL, MS_BIND\|MS_REC, NULL) < 0) + errExit("mounting /run"); + fs_logger("whitelist /run"); + + // mount-bind tmp directory + if (arg_debug) + printf("Mounting /tmp\n"); + char tmp; + if (asprintf(&tmp, "%s/tmp", oroot) == -1) + errExit("asprintf"); + if (mount("/tmp", tmp, NULL, MS_BIND\|MS_REC, NULL) < 0) + errExit("mounting /tmp"); + fs_logger("whitelist /tmp"); + + // chroot in the new filesystem + __gcov_flush(); + + if (chroot(oroot) == -1) + errExit("chroot"); + + // mount a new proc filesystem + if (arg_debug) + printf("Mounting /proc filesystem representing the PID namespace\n"); + if (mount("proc", "/proc", "proc", MS_NOSUID \| MS_NOEXEC \| MS_NODEV \| MS_REC, NULL) < 0) + errExit("mounting /proc"); + + // update /var directory in order to support multiple sandboxes running on the same root directory +// if (!arg_private_dev) +// fs_dev_shm(); + fs_var_lock(); + if (!arg_keep_var_tmp) + fs_var_tmp(); + if (!arg_writable_var_log) + fs_var_log(); + fs_var_lib(); + fs_var_cache(); + fs_var_utmp(); + fs_machineid(); + + // don't leak user information + restrict_users(); + + // when starting as root, firejail config is not disabled; + if (getuid() != 0) + disable_config(); + + // cleanup and exit + free(option); + free(odiff); + free(owork); + free(dev); + free(run); + free(tmp); +} + + +static int remove_callback(const char fpath, const struct stat sb, int typeflag, struct FTW ftwbuf) { + (void) sb; + (void) typeflag; + (void) ftwbuf; + assert(fpath); + + if (strcmp(fpath, ".") == 0) // rmdir would fail with EINVAL + return 0; + + if (remove(fpath)) { // removes the link not the actual file + fprintf(stderr, "Error: cannot remove file: %s\n", strerror(errno)); + exit(1); + } + + return 0; +} + +int remove_overlay_directory(void) { + EUID_ASSERT(); + sleep(1); + + char *path; + if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + + if (access(path, F_OK) == 0) { + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // open ~/.firejail + int fd = safer_openat(-1, path, O_PATH\|O_NOFOLLOW\|O_CLOEXEC); + if (fd == -1) { + fprintf(stderr, "Error: cannot open %s\n", path); + exit(1); + } + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) + fprintf(stderr, "Error: %s is a symbolic link\n", path); + else + fprintf(stderr, "Error: %s is not a directory\n", path); + exit(1); + } + if (s.st_uid != getuid()) { + fprintf(stderr, "Error: %s is not owned by the current user\n", path); + exit(1); + } + // chdir to ~/.firejail + if (fchdir(fd) == -1) + errExit("fchdir"); + close(fd); + + EUID_ROOT(); + // FTW_PHYS - do not follow symbolic links + if (nftw(".", remove_callback, 64, FTW_DEPTH \| FTW_PHYS) == -1) + errExit("nftw"); + + EUID_USER(); + // remove ~/.firejail + if (rmdir(path) == -1) + errExit("rmdir"); + + __gcov_flush(); + + _exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); + // check if ~/.firejail was deleted + if (access(path, F_OK) == 0) + return 1; + } + return 0; +} + +#endif // HAVE_OVERLAYFS
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_trace.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,25 +20,31 @@ #include "firejail.h" #include <sys/mount.h> #include <sys/stat.h> -#include <linux/limits.h> #include <glob.h> #include <dirent.h> #include <fcntl.h> #include <pwd.h> -void fs_trace_preload(void) { +// create an empty /etc/ld.so.preload +void fs_trace_touch_preload(void) { + create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); +} + +void fs_trace_touch_or_store_preload(void) { struct stat s; - // create an empty /etc/ld.so.preload - if (stat("/etc/ld.so.preload", &s)) { - if (arg_debug) - printf("Creating an empty /etc/ld.so.preload file\n"); - FILE fp = fopen("/etc/ld.so.preload", "wxe"); - if (!fp) - errExit("fopen"); - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH); - fclose(fp); - fs_logger("touch /etc/ld.so.preload"); + if (stat("/etc/ld.so.preload", &s) != 0) { + fs_trace_touch_preload(); + return; + } + + if (s.st_size == 0) + return; + + // create a copy of /etc/ld.so.preload + if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH)) { + fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n"); + exit(1); } } @@ -47,7 +53,7 @@ if (arg_debug) printf("Creating an empty trace log file: %s\n", arg_tracefile); EUID_USER(); - int fd = open(arg_tracefile, O_CREAT\|O_WRONLY\|O_CLOEXEC, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH); + int fd = open(arg_tracefile, O_CREAT\|O_WRONLY\|O_CLOEXEC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); if (fd == -1) { perror("open"); fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile); @@ -83,7 +89,7 @@ if (arg_debug) printf("Create the new ld.so.preload file\n"); - FILE fp = fopen(RUN_LDPRELOAD_FILE, "we"); + FILE fp = fopen(RUN_LDPRELOAD_FILE, "ae"); if (!fp) errExit("fopen"); const char prefix = RUN_FIREJAIL_LIB_DIR; @@ -100,7 +106,7 @@ fmessage("Post-exec seccomp protector enabled\n"); } - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH); + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); fclose(fp); // mount the new preload file
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_var.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,7 +20,6 @@ #include "firejail.h" #include <sys/mount.h> #include <sys/stat.h> -#include <linux/limits.h> #include <glob.h> #include <dirent.h> #include <fcntl.h> @@ -129,7 +128,7 @@ /* coverity[toctou] / FILE fp = fopen("/var/log/wtmp", "wxe"); if (fp) { - SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IWGRP \| S_IROTH); + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IWGRP \| S_IROTH); fclose(fp); } fs_logger("touch /var/log/wtmp"); @@ -137,7 +136,7 @@ // create an empty /var/log/btmp file fp = fopen("/var/log/btmp", "wxe"); if (fp) { - SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IWGRP); + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IWGRP); fclose(fp); } fs_logger("touch /var/log/btmp"); @@ -301,7 +300,7 @@ // read current utmp struct utmp *u; - struct utmp u_boot; + struct utmp u_boot = {0}; setutent(); while ((u = getutent()) != NULL) { if (u->ut_type == BOOT_TIME) { @@ -314,7 +313,7 @@ // save new utmp file int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp); (void) rv; - SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IWGRP \| S_IROTH); + SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IWGRP \| S_IROTH); fclose(fp); // mount the new utmp file
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/fs_whitelist.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -49,21 +49,32 @@ exit(1); } -static int whitelist_mkpath(const char* path, mode_t mode) { +static int whitelist_mkpath(const char parentdir, const char relpath, mode_t mode) { + // starting from top level directory + int parentfd = safer_openat(-1, parentdir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); + if (parentfd < 0) + errExit("open"); + + // top level directory mount id + int mountid = get_mount_id(parentfd); + if (mountid < 0) { + close(parentfd); + return -1; + } + // work on a copy of the path - char dup = strdup(path); + char dup = strdup(relpath); if (!dup) errExit("strdup"); // only create leading directories, don't create the file char p = strrchr(dup, '/'); - assert(p); + if (!p) { // nothing to do + free(dup); + return parentfd; + } p = '\0'; - int parentfd = open("/", O_PATH\|O_DIRECTORY\|O_CLOEXEC); - if (parentfd == -1) - errExit("open"); - // traverse the path, return -1 if a symlink is encountered int fd = -1; int done = 0; @@ -91,29 +102,50 @@ free(dup); return -1; } + // different mount id indicates earlier whitelist mount + if (get_mount_id(fd) != mountid) { + if (arg_debug \|\| arg_debug_whitelists) + printf("Debug %d: whitelisted already\n", __LINE__); + close(parentfd); + close(fd); + free(dup); + return -1; + } // move on to next path segment close(parentfd); parentfd = fd; tok = strtok(NULL, "/"); } - if (done) - fs_logger2("mkpath", path); + if (done) { + char abspath; + if (asprintf(&abspath, "%s/%s", parentdir, relpath) < 0) + errExit("asprintf"); + fs_logger2("mkpath", abspath); + free(abspath); + } free(dup); return fd; } -static void whitelist_file(int dirfd, const char relpath, const char path) { - assert(relpath && path); +static void whitelist_file(const TopDir const top, const char path) { + EUID_ASSERT(); + assert(top && path); + + // check if path is inside top level directory + size_t top_pathlen = strlen(top->path); + if (strncmp(top->path, path, top_pathlen) != 0 \|\| path[top_pathlen] != '/') + return; + const char relpath = path + top_pathlen + 1; // open mount source, using a file descriptor that refers to the // top level directory // as the top level directory was opened before mounting the tmpfs // we still have full access to all directory contents - // take care to not follow symbolic links (dirfd was obtained without + // take care to not follow symbolic links (top->fd was obtained without // following a link, too) - int fd = safer_openat(dirfd, relpath, O_PATH\|O_NOFOLLOW\|O_CLOEXEC); + int fd = safer_openat(top->fd, relpath, O_PATH\|O_NOFOLLOW\|O_CLOEXEC); if (fd == -1) { if (arg_debug \|\| arg_debug_whitelists) printf("Debug %d: skip whitelist %s\n", __LINE__, path); @@ -129,36 +161,31 @@ return; } + // now modify the tmpfs: // create mount target as root, except if inside home or run/user/$UID directory - int userprivs = 0; - if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') \|\| - (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { - EUID_USER(); - userprivs = 1; - } + if (strcmp(top->path, cfg.homedir) != 0 && + strcmp(top->path, runuser) != 0) + EUID_ROOT(); // create path of the mount target - int fd2 = whitelist_mkpath(path, 0755); + int fd2 = whitelist_mkpath(top->path, relpath, 0755); if (fd2 == -1) { - // something went wrong during path creation or a symlink was found; - // if there is a symlink somewhere in the path of the mount target, - // assume the file is whitelisted already if (arg_debug \|\| arg_debug_whitelists) printf("Debug %d: skip whitelist %s\n", __LINE__, path); close(fd); - if (userprivs) - EUID_ROOT(); + EUID_USER(); return; } // get file name of the mount target - const char file = gnu_basename(path); + const char file = gnu_basename(relpath); - // create mount target itself and open it, a symlink is rejected + // create mount target itself if necessary + // and open it, a symlink is not allowed int fd3 = -1; if (S_ISDIR(s.st_mode)) { - // directory foo can exist already: - // firejail --whitelist=~/foo/bar --whitelist=~/foo + // directory bar can exist already: + // firejail --whitelist=/foo/bar/baz --whitelist=/foo/bar if (mkdirat(fd2, file, 0755) == -1 && errno != EEXIST) { if (arg_debug \|\| arg_debug_whitelists) { perror("mkdir"); @@ -166,15 +193,14 @@ } close(fd); close(fd2); - if (userprivs) - EUID_ROOT(); + EUID_USER(); return; } fd3 = openat(fd2, file, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC); } else - // create an empty file, fails with EEXIST if it is whitelisted already: - // firejail --whitelist=/foo --whitelist=/foo/bar + // create an empty file + // fails with EEXIST if it is whitelisted already fd3 = openat(fd2, file, O_RDONLY\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR\|S_IWUSR); if (fd3 == -1) { @@ -184,19 +210,17 @@ } close(fd); close(fd2); - if (userprivs) - EUID_ROOT(); + EUID_USER(); return; } - close(fd2); - if (userprivs) - EUID_ROOT(); if (arg_debug \|\| arg_debug_whitelists) printf("Whitelisting %s\n", path); + EUID_ROOT(); if (bind_mount_by_fd(fd, fd3)) errExit("mount bind"); + EUID_USER(); // check the last mount operation MountData mptr = get_last_mount(); // will do exit(1) if the mount cannot be found #ifdef TEST_MOUNTINFO @@ -218,28 +242,32 @@ fs_logger2("whitelist", path); } -static void whitelist_symlink(const char link, const char target) { - assert(link && target); +static void whitelist_symlink(const TopDir const top, const char link, const char target) { + EUID_ASSERT(); + assert(top && link && target); - // create files as root, except if inside home or run/user/$UID directory - int userprivs = 0; - if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') \|\| - (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) { - EUID_USER(); - userprivs = 1; - } + // confirm link is inside top level directory + // this should never fail + size_t top_pathlen = strlen(top->path); + assert(strncmp(top->path, link, top_pathlen) == 0 && link[top_pathlen] == '/'); + + const char relpath = link + top_pathlen + 1; + + // create link as root, except if inside home or run/user/$UID directory + if (strcmp(top->path, cfg.homedir) != 0 && + strcmp(top->path, runuser) != 0) + EUID_ROOT(); - int fd = whitelist_mkpath(link, 0755); + int fd = whitelist_mkpath(top->path, relpath, 0755); if (fd == -1) { if (arg_debug \|\| arg_debug_whitelists) printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); - if (userprivs) - EUID_ROOT(); + EUID_USER(); return; } // get file name of symlink - const char file = gnu_basename(link); + const char file = gnu_basename(relpath); // create the link if (symlinkat(target, fd, file) == -1) { @@ -252,8 +280,7 @@ printf("Created symbolic link %s -> %s\n", link, target); close(fd); - if (userprivs) - EUID_ROOT(); + EUID_USER(); } static void globbing(const char pattern) { @@ -295,7 +322,7 @@ } // mount tmpfs on all top level directories -static void tmpfs_topdirs(const TopDir topdirs) { +static void tmpfs_topdirs(const TopDir const topdirs) { int tmpfs_home = 0; int tmpfs_runuser = 0; @@ -330,55 +357,61 @@ // init tmpfs if (strcmp(topdirs[i].path, "/run") == 0) { // restore /run/firejail directory - if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1) - errExit("mkdir"); + EUID_ROOT(); + mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0); if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) errExit("mount bind"); + EUID_USER(); close(fd); fs_logger2("whitelist", RUN_FIREJAIL_DIR); // restore /run/user/$UID directory - // get path relative to /run - const char rel = runuser + 5; - whitelist_file(topdirs[i].fd, rel, runuser); + whitelist_file(&topdirs[i], runuser); } else if (strcmp(topdirs[i].path, "/tmp") == 0) { // fix pam-tmpdir (#2685) const char env = env_get("TMP"); if (env) { - char pamtmpdir; - if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) + // we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151 + char pamtmpdir1; + if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1) + errExit("asprintf"); + char pamtmpdir2; + if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1) errExit("asprintf"); - if (strcmp(env, pamtmpdir) == 0) { + if (strcmp(env, pamtmpdir1) == 0) { // create empty user-owned /tmp/user/$UID directory - mkdir_attr("/tmp/user", 0711, 0, 0); + EUID_ROOT(); + mkdir_attr("/tmp/user", 0755, 0, 0); selinux_relabel_path("/tmp/user", "/tmp/user"); fs_logger("mkdir /tmp/user"); - mkdir_attr(pamtmpdir, 0700, getuid(), 0); - selinux_relabel_path(pamtmpdir, pamtmpdir); - fs_logger2("mkdir", pamtmpdir); + mkdir_attr(pamtmpdir1, 0700, getuid(), 0); + selinux_relabel_path(pamtmpdir1, pamtmpdir1); + fs_logger2("mkdir", pamtmpdir1); + EUID_USER(); } - free(pamtmpdir); + else if (strcmp(env, pamtmpdir2) == 0) { + // create empty user-owned /tmp/$UID directory + EUID_ROOT(); + mkdir_attr(pamtmpdir2, 0700, getuid(), 0); + selinux_relabel_path(pamtmpdir2, pamtmpdir2); + fs_logger2("mkdir", pamtmpdir2); + EUID_USER(); + } + free(pamtmpdir1); + free(pamtmpdir2); } } // restore user home directory if it is masked by the tmpfs // creates path owned by root // does nothing if user home directory doesn't exist - size_t topdir_len = strlen(topdirs[i].path); - if (strncmp(topdirs[i].path, cfg.homedir, topdir_len) == 0 && cfg.homedir[topdir_len] == '/') { - // get path relative to top level directory - const char rel = cfg.homedir + topdir_len + 1; - whitelist_file(topdirs[i].fd, rel, cfg.homedir); - } + whitelist_file(&topdirs[i], cfg.homedir); } // user home directory - if (tmpfs_home) { - EUID_USER(); + if (tmpfs_home) fs_private(); // checks owner if outside /home - EUID_ROOT(); - } // /run/user/$UID directory if (tmpfs_runuser) { @@ -402,6 +435,7 @@ // keep track of whitelist top level directories by adding them to an array // open each directory static TopDir add_topdir(const char dir, TopDir topdirs, const char path) { + EUID_ASSERT(); assert(dir && path); // /proc and /sys are not allowed @@ -516,6 +550,8 @@ } void fs_whitelist(void) { + EUID_ASSERT(); + ProfileEntry entry = cfg.profile; if (!entry) return; @@ -536,7 +572,6 @@ errExit("calloc"); // verify whitelist files, extract symbolic links, etc. - EUID_USER(); while (entry) { int nowhitelist_flag = 0; @@ -587,10 +622,6 @@ if (strstr(new_name, "..")) whitelist_error(new_name); - // /run/firejail is not allowed - if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) - whitelist_error(new_name); - TopDir current_top = NULL; if (!nowhitelist_flag) { // extract whitelist top level directory @@ -612,6 +643,13 @@ free(dir); } + // /run/firejail directory is internal and not allowed + if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) { + entry = entry->next; + free(new_name); + continue; + } + // extract resolved path of the file // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr @@ -630,7 +668,7 @@ if (!fname) { if (arg_debug \|\| arg_debug_whitelists) { printf("Removed path: %s\n", entry->data); - printf("\texpanded: %s\n", new_name); + printf("\tnew_name: %s\n", new_name); printf("\trealpath: (null)\n"); printf("\t%s\n", strerror(errno)); } @@ -648,9 +686,13 @@ continue; } - // /run/firejail is not allowed - if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) - whitelist_error(fname); + // /run/firejail directory is internal and not allowed + if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) { + entry = entry->next; + free(new_name); + free(fname); + continue; + } if (nowhitelist_flag) { // store the path in nowhitelist array @@ -708,11 +750,7 @@ entry = entry->next; } - // release nowhitelist memory - free(nowhitelist); - // mount tmpfs on all top level directories - EUID_ROOT(); tmpfs_topdirs(topdirs); // go through profile rules again, and interpret whitelist commands @@ -721,24 +759,15 @@ if (entry->wparam) { char file = entry->wparam->file; char link = entry->wparam->link; - const char topdir = entry->wparam->top->path; - size_t topdir_len = strlen(topdir); - int dirfd = entry->wparam->top->fd; + const TopDir const current_top = entry->wparam->top; // top level directories of link and file can differ - // whitelist the file only if it is in same top level directory - if (strncmp(file, topdir, topdir_len) == 0 && file[topdir_len] == '/') { - // get path relative to top level directory - const char *rel = file + topdir_len + 1; - - if (arg_debug \|\| arg_debug_whitelists) - printf("Debug %d: file: %s; dirfd: %d; topdir: %s; rel: %s\n", __LINE__, file, dirfd, topdir, rel); - whitelist_file(dirfd, rel, file); - } + // will whitelist the file only if it is in same top level directory + whitelist_file(current_top, file); // create the link if any if (link) { - whitelist_symlink(link, file); + whitelist_symlink(current_top, link, file); free(link); } @@ -751,12 +780,15 @@ } // release resources - free(runuser); - size_t i; + for (i = 0; i < nowhitelist_c; i++) + free(nowhitelist[i]); + free(nowhitelist); + for (i = 0; i < TOP_MAX && topdirs[i].path; i++) { free(topdirs[i].path); close(topdirs[i].fd); } free(topdirs); + free(runuser); }
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/ids.c ^
@@ -0,0 +1,89 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + / +#include "firejail.h" +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> + + +static void ids_init(void) { + // store checksums as root in /var/lib/firejail/${USERNAME}.ids + char fname; + if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1) + errExit("asprintf"); + + int rv = unlink(fname); + (void) rv; + int fd = open(fname, O_CREAT \| O_TRUNC \| O_WRONLY, 0600); + if (fd < 0) { + fprintf(stderr, "Error: cannot create %s\n", fname); + exit(1); + } + + // redirect output + close(STDOUT_FILENO); + if (dup(fd) != STDOUT_FILENO) + errExit("dup"); + close(fd); + + sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir); +} + +static void ids_check(void) { + // store checksums as root in /var/lib/firejail/${USERNAME}.ids + char fname; + if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1) + errExit("asprintf"); + + int fd = open(fname, O_RDONLY); + if (fd < 0) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + + // redirect input + close(STDIN_FILENO); + if (dup(fd) != STDIN_FILENO) + errExit("dup"); + close(fd); + + sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP\| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir); +} + +void run_ids(int argc, char *argv) { + if (argc != 2) { + fprintf(stderr, "Error: only one IDS command expected\n"); + exit(1); + } + + EUID_ROOT(); + struct stat s; + if (stat(VARDIR, &s)) // /var/lib/firejail + create_empty_dir_as_root(VARDIR, 0700); + + if (strcmp(argv[1], "--ids-init") == 0) + ids_init(); + else if (strcmp(argv[1], "--ids-check") == 0) + ids_check(); + else + fprintf(stderr, "Error: unrecognized IDS command\n"); + + exit(0); +}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/join.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -33,19 +33,16 @@ #define PR_SET_NO_NEW_PRIVS 38 #endif -#ifdef HAVE_APPARMOR -#include <sys/apparmor.h> -#endif - static int apply_caps = 0; static uint64_t caps = 0; static unsigned display = 0; #define BUFLEN 4096 + static void signal_handler(int sig){ flush_stdin(); - exit(sig); + exit(128 + sig); } static void install_handler(void) { @@ -58,46 +55,6 @@ sigaction(SIGTERM, &sga, NULL); } -#ifdef HAVE_APPARMOR -static void extract_apparmor(pid_t pid) { - if (checkcfg(CFG_APPARMOR)) { - EUID_USER(); - if (aa_is_enabled() == 1) { - // get pid of next child process - pid_t child; - if (find_child(pid, &child) == 1) - child = pid; // no child, proceed with current pid - - // get name of AppArmor profile - char fname; - if (asprintf(&fname, "/proc/%d/attr/current", child) == -1) - errExit("asprintf"); - EUID_ROOT(); - int fd = open(fname, O_RDONLY\|O_CLOEXEC); - EUID_USER(); - free(fname); - if (fd == -1) - goto errexit; - char buf[BUFLEN]; - ssize_t rv = read(fd, buf, sizeof(buf) - 1); - close(fd); - if (rv < 0) - goto errexit; - buf[rv] = '\0'; - // process confined by Firejail's AppArmor policy? - if (strncmp(buf, "firejail-default", 16) == 0) - arg_apparmor = 1; - } - EUID_ROOT(); - } - return; - -errexit: - fprintf(stderr, "Error: cannot read /proc file\n"); - exit(1); -} -#endif // HAVE_APPARMOR - static void extract_x11_display(pid_t pid) { char fname; if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) @@ -150,152 +107,115 @@ build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true); } -static void extract_nogroups(pid_t pid) { - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1) - errExit("asprintf"); +#if 0 +static int open_shell(void) { + EUID_ASSERT(); - struct stat s; - if (stat(fname, &s) == -1) { - free(fname); - return; + if (arg_debug) + printf("Opening shell %s\n", cfg.usershell); + // file descriptor will leak if not opened with O_CLOEXEC !! + int fd = open(cfg.usershell, O_PATH\|O_CLOEXEC); + if (fd == -1) { + fprintf(stderr, "Error: cannot open shell %s\n", cfg.usershell); + exit(1); } - arg_nogroups = 1; - free(fname); -} - -static void extract_nonewprivs(pid_t pid) { - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_NONEWPRIVS_CFG) == -1) + // file descriptor needs to reach final fexecve + if (asprintf(&cfg.keep_fd, "%s,%d", cfg.keep_fd ? cfg.keep_fd : "", fd) == -1) errExit("asprintf"); - struct stat s; - if (stat(fname, &s) == -1) { - free(fname); - return; - } - - arg_nonewprivs = 1; - free(fname); + return fd; } +#endif -static void extract_cpu(pid_t pid) { - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1) - errExit("asprintf"); - +static void extract_nogroups(ProcessHandle sandbox) { struct stat s; - if (stat(fname, &s) == -1) { - free(fname); - return; - } - // there is a CPU_CFG file, load it! - load_cpu(fname); - free(fname); + if (process_rootfs_stat(sandbox, RUN_GROUPS_CFG, &s) == 0) + arg_nogroups = 1; + else if (errno != ENOENT) + errExit("stat"); } -static void extract_cgroup(pid_t pid) { - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1) - errExit("asprintf"); - +static void extract_nonewprivs(ProcessHandle sandbox) { struct stat s; - if (stat(fname, &s) == -1) { - free(fname); - return; - } - // there is a cgroup file CGROUP_CFG, load it! - load_cgroup(fname); - free(fname); + if (process_rootfs_stat(sandbox, RUN_NONEWPRIVS_CFG, &s) == 0) + arg_nonewprivs = 1; + else if (errno != ENOENT) + errExit("stat"); } -static void extract_caps(pid_t pid) { - // open stat file - char file; - if (asprintf(&file, "/proc/%u/status", pid) == -1) { - perror("asprintf"); - exit(1); - } - FILE fp = fopen(file, "re"); - if (!fp) - goto errexit; +static void extract_caps(ProcessHandle sandbox) { + // open status file + FILE fp = process_fopen(sandbox, "status"); char buf[BUFLEN]; - while (fgets(buf, BUFLEN - 1, fp)) { + while (fgets(buf, BUFLEN, fp)) { if (strncmp(buf, "CapBnd:", 7) == 0) { - char ptr = buf + 7; unsigned long long val; - if (sscanf(ptr, "%llx", &val) != 1) + if (sscanf(buf + 7, "%llx", &val) != 1) goto errexit; apply_caps = 1; caps = val; } else if (strncmp(buf, "NoNewPrivs:", 11) == 0) { - char ptr = buf + 11; int val; - if (sscanf(ptr, "%d", &val) != 1) + if (sscanf(buf + 11, "%d", &val) != 1) goto errexit; if (val) arg_nonewprivs = 1; } } fclose(fp); - free(file); return; errexit: - fprintf(stderr, "Error: cannot read stat file for process %u\n", pid); + fprintf(stderr, "Error: cannot read /proc/%d/status\n", process_get_pid(sandbox)); exit(1); } -static void extract_user_namespace(pid_t pid) { +static void extract_user_namespace(ProcessHandle sandbox) { // test user namespaces available in the kernel - struct stat s1; - struct stat s2; - struct stat s3; - if (stat("/proc/self/ns/user", &s1) == 0 && - stat("/proc/self/uid_map", &s2) == 0 && - stat("/proc/self/gid_map", &s3) == 0); - else + struct stat self_userns; + if (stat("/proc/self/ns/user", &self_userns) != 0) return; - // read uid map - char uidmap; - if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) - errExit("asprintf"); - FILE fp = fopen(uidmap, "re"); - if (!fp) { - free(uidmap); - return; - } + // check sandbox user namespace + struct stat dest_userns; + process_stat(sandbox, "ns/user", &dest_userns); - // check uid map - int u1; - int u2; - if (fscanf(fp, "%d %d", &u1, &u2) == 2) { - if (arg_debug) - printf("User namespace detected: %s, %d, %d\n", uidmap, u1, u2); - if (u1 != 0 \|\| u2 != 0) - arg_noroot = 1; - } - fclose(fp); - free(uidmap); + if (dest_userns.st_ino != self_userns.st_ino \|\| + dest_userns.st_dev != self_userns.st_dev) + arg_noroot = 1; } -static void extract_umask(pid_t pid) { - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_UMASK_FILE) == -1) - errExit("asprintf"); +static void extract_cpu(ProcessHandle sandbox) { + int fd = process_rootfs_open(sandbox, RUN_CPU_CFG); + if (fd < 0) + return; // not configured - FILE fp = fopen(fname, "re"); - free(fname); - if (!fp) { + FILE fp = fdopen(fd, "r"); + if (!fp) + errExit("fdopen"); + + unsigned tmp; + if (fscanf(fp, "%x", &tmp) == 1) + cfg.cpus = (uint32_t) tmp; + fclose(fp); +} + +static void extract_umask(ProcessHandle sandbox) { + int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE); + if (fd < 0) { fprintf(stderr, "Error: cannot open umask file\n"); exit(1); } + + FILE fp = fdopen(fd, "r"); + if (!fp) + errExit("fdopen"); + if (fscanf(fp, "%3o", &orig_umask) != 1) { fprintf(stderr, "Error: cannot read umask\n"); exit(1); @@ -303,33 +223,11 @@ fclose(fp); } -static int open_shell(void) { - EUID_ASSERT(); - assert(cfg.shell); - - if (arg_debug) - printf("Opening shell %s\n", cfg.shell); - // file descriptor will leak if not opened with O_CLOEXEC !! - int fd = open(cfg.shell, O_PATH\|O_CLOEXEC); - if (fd == -1) { - fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell); - exit(1); - } - return fd; -} - -// return false if the sandbox identified by pid is not fully set up yet or if -// it is no firejail sandbox at all, return true if the sandbox is complete -bool is_ready_for_join(const pid_t pid) { - EUID_ASSERT(); +// returns false if the sandbox is not fully set up yet, +// or true if the sandbox is complete +static bool has_join_file(ProcessHandle sandbox) { // check if a file /run/firejail/mnt/join exists - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_JOIN_FILE) == -1) - errExit("asprintf"); - EUID_ROOT(); - int fd = open(fname, O_RDONLY\|O_CLOEXEC); - EUID_USER(); - free(fname); + int fd = process_rootfs_open(sandbox, RUN_JOIN_FILE); if (fd == -1) return false; struct stat s; @@ -349,105 +247,201 @@ } #define SNOOZE 10000 // sleep interval in microseconds -void check_join_permission(pid_t pid) { +static void check_joinable(ProcessHandle sandbox) { // check if pid belongs to a fully set up firejail sandbox unsigned long i; - for (i = SNOOZE; is_ready_for_join(pid) == false; i += SNOOZE) { // give sandbox some time to start up + for (i = SNOOZE; has_join_file(sandbox) == false; i += SNOOZE) { // give sandbox some time to start up if (i > join_timeout) { fprintf(stderr, "Error: no valid sandbox\n"); exit(1); } usleep(SNOOZE); } - // check privileges for non-root users - uid_t uid = getuid(); - if (uid != 0) { - uid_t sandbox_uid = pid_get_uid(pid); - if (uid != sandbox_uid) { - fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); - exit(1); - } +} + +static ProcessHandle find_pidns_parent(pid_t pid) { + // identify current pid namespace + struct stat self_pidns; + if (stat("/proc/self/ns/pid", &self_pidns) < 0) + errExit("stat"); + + ProcessHandle process = pin_process(pid); + + // in case pid is member of a different pid namespace + // find parent who created that namespace + while (1) { + struct stat dest_pidns; + process_stat(process, "ns/pid", &dest_pidns); + + if (dest_pidns.st_ino == self_pidns.st_ino && + dest_pidns.st_dev == self_pidns.st_dev) + break; // always true for init process + + // next parent process + ProcessHandle next = pin_parent_process(process); + unpin_process(process); + process = next; } + + return process; } -pid_t switch_to_child(pid_t pid) { - EUID_ASSERT(); - EUID_ROOT(); - pid_t rv = pid; - errno = 0; - char comm = pid_proc_comm(pid); - if (!comm) { - if (errno == ENOENT) - fprintf(stderr, "Error: cannot find process with pid %d\n", pid); - else - fprintf(stderr, "Error: cannot read /proc file\n"); +static void check_firejail_comm(ProcessHandle process) { + // open /proc/pid/comm + // note: comm value is under control of the target process + FILE fp = process_fopen(process, "comm"); + + char comm[16]; + if (fscanf(fp, "%15s", comm) != 1) { + fprintf(stderr, "Error: cannot read /proc file\n"); exit(1); } - EUID_USER(); + fclose(fp); - if (strcmp(comm, "firejail") == 0) { - if (find_child(pid, &rv) == 1) { - fprintf(stderr, "Error: no valid sandbox\n"); - exit(1); - } - fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) rv); + if (strcmp(comm, "firejail") != 0) { + fprintf(stderr, "Error: no valid sandbox\n"); + exit(1); + } + + return; +} + +static void check_firejail_credentials(ProcessHandle process) { + // open /proc/pid/status + FILE fp = process_fopen(process, "status"); + + uid_t ruid = -1; + uid_t suid = -1; + char buf[4096]; + while (fgets(buf, sizeof(buf), fp)) { + if (sscanf(buf, "Uid: %u %u %u", &ruid, &suid) == 2) + break; } - free(comm); - return rv; + fclose(fp); + + // target process should be privileged and owned by the user + if (suid != 0) + goto errexit; + uid_t u = getuid(); + if (ruid != u && u != 0) + goto errexit; + + return; + +errexit: + fprintf(stderr, "Error: no valid sandbox\n"); + exit(1); } +static pid_t read_sandbox_pidfile(pid_t parent) { + char pidfile; + if (asprintf(&pidfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, parent) == -1) + errExit("asprintf"); + + // open the pidfile + EUID_ROOT(); + int pidfile_fd = open(pidfile, O_RDWR\|O_CLOEXEC); + free(pidfile); + EUID_USER(); + if (pidfile_fd < 0) + goto errexit; + // assume pidfile is outdated if parent doesn't hold a lock + struct flock pidfile_lock = { + .l_type = F_WRLCK, + .l_whence = SEEK_SET, + .l_start = 0, + .l_len = 0, + .l_pid = 0, + }; + if (fcntl(pidfile_fd, F_GETLK, &pidfile_lock) < 0) + errExit("fcntl"); + if (pidfile_lock.l_type == F_UNLCK) + goto errexit; + if (pidfile_lock.l_pid != parent) + goto errexit; -void join(pid_t pid, int argc, char argv, int index) { + // read pidfile + pid_t sandbox; + FILE fp = fdopen(pidfile_fd, "r"); + if (!fp) + errExit("fdopen"); + if (fscanf(fp, "%d", &sandbox) != 1) + goto errexit; + fclose(fp); + + return sandbox; + +errexit: + fprintf(stderr, "Error: no valid sandbox\n"); + exit(1); +} + +static ProcessHandle switch_to_sandbox(ProcessHandle parent) { + // firejail forks many children, identify the sandbox child + // using a pidfile created by the sandbox parent + pid_t pid = read_sandbox_pidfile(process_get_pid(parent)); + + // pin the sandbox child + fmessage("Switching to pid %d, the first child process inside the sandbox\n", pid); + ProcessHandle sandbox = pin_child_process(parent, pid); + + return sandbox; +} + +ProcessHandle pin_sandbox_process(pid_t pid) { EUID_ASSERT(); - pid_t parent = pid; - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); + ProcessHandle parent = find_pidns_parent(pid); + check_firejail_comm(parent); + check_firejail_credentials(parent); + + ProcessHandle sandbox = switch_to_sandbox(parent); + check_joinable(sandbox); + + unpin_process(parent); + return sandbox; +} + + - // exit if no permission to join the sandbox - check_join_permission(pid); +void join(pid_t pid, int argc, char *argv, int index) { + EUID_ASSERT(); + ProcessHandle sandbox = pin_sandbox_process(pid); - extract_x11_display(parent); + extract_x11_display(pid); int shfd = -1; - if (!arg_shell_none) - shfd = open_shell(); +// Note: this might be used by joining appimages!!!! +// if (!arg_shell_none) +// shfd = open_shell(); - EUID_ROOT(); - // in user mode set caps seccomp, cpu, cgroup, etc + // in user mode set caps seccomp, cpu etc. if (getuid() != 0) { - extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps - extract_caps(pid); - extract_cpu(pid); - extract_cgroup(pid); - extract_nogroups(pid); - extract_user_namespace(pid); - extract_umask(pid); -#ifdef HAVE_APPARMOR - extract_apparmor(pid); -#endif + extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps + extract_caps(sandbox); + extract_cpu(sandbox); + extract_nogroups(sandbox); + extract_user_namespace(sandbox); + extract_umask(sandbox); } - // set cgroup - if (cfg.cgroup) // not available for uid 0 - set_cgroup(cfg.cgroup); - // join namespaces + EUID_ROOT(); if (arg_join_network) { - if (join_namespace(pid, "net")) + if (process_join_namespace(sandbox, "net")) exit(1); } else if (arg_join_filesystem) { - if (join_namespace(pid, "mnt")) + if (process_join_namespace(sandbox, "mnt")) exit(1); } else { - if (join_namespace(pid, "ipc") \|\| - join_namespace(pid, "net") \|\| - join_namespace(pid, "pid") \|\| - join_namespace(pid, "uts") \|\| - join_namespace(pid, "mnt")) + if (process_join_namespace(sandbox, "ipc") \|\| + process_join_namespace(sandbox, "net") \|\| + process_join_namespace(sandbox, "pid") \|\| + process_join_namespace(sandbox, "uts") \|\| + process_join_namespace(sandbox, "mnt")) exit(1); } @@ -458,42 +452,25 @@ // drop discretionary access control capabilities for root sandboxes caps_drop_dac_override(); - // chroot into /proc/PID/root directory - char rootdir; - if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) - errExit("asprintf"); - - int rv; if (!arg_join_network) { - rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option - if (rv == 0) - printf("changing root to %s\n", rootdir); - } - - EUID_USER(); - if (chdir("/") < 0) - errExit("chdir"); - if (cfg.homedir) { - struct stat s; - if (stat(cfg.homedir, &s) == 0) { - /* coverity[toctou] / - if (chdir(cfg.homedir) < 0) - errExit("chdir"); - } + // mount namespace doesn't know about --chroot + fmessage("Changing root to /proc/%d/root\n", process_get_pid(sandbox)); + process_rootfs_chroot(sandbox); + + // load seccomp filters + if (getuid() != 0) + seccomp_load_file_list(); } // set caps filter - EUID_ROOT(); if (apply_caps == 1) // not available for uid 0 caps_set(caps); - if (getuid() != 0) - seccomp_load_file_list(); - // mount user namespace or drop privileges + // user namespace if (arg_noroot) { // not available for uid 0 if (arg_debug) printf("Joining user namespace\n"); - if (join_namespace(1, "user")) + if (process_join_namespace(sandbox, "user")) exit(1); // user namespace resets capabilities @@ -501,15 +478,9 @@ if (apply_caps == 1) // not available for uid 0 caps_set(caps); } - - // set nonewprivs - if (arg_nonewprivs == 1) { // not available for uid 0 - int rv = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - if (arg_debug && rv == 0) - printf("NO_NEW_PRIVS set\n"); - } - EUID_USER(); + unpin_process(sandbox); + int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) @@ -529,22 +500,26 @@ } } + // set nonewprivs +#ifndef HAVE_FORCE_NONEWPRIVS + if (arg_nonewprivs == 1) // not available for uid 0 +#endif + { + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) + errExit("prctl"); + if (arg_debug) + printf("NO_NEW_PRIVS set\n"); + } + // drop privileges drop_privs(arg_nogroups); // kill the child in case the parent died prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); -#ifdef HAVE_APPARMOR - // add apparmor confinement after the execve - set_apparmor(); -#endif - extract_command(argc, argv, index); - if (cfg.command_line == NULL) { - assert(cfg.shell); - cfg.window_title = cfg.shell; - } + if (cfg.command_line == NULL) + cfg.window_title = cfg.usershell; else if (arg_debug) printf("Extracted command #%s#\n", cfg.command_line); @@ -552,10 +527,6 @@ if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); - // set nice value - if (arg_nice) - set_nice(cfg.nice); - // add x11 display if (display) { char display_str; @@ -574,11 +545,13 @@ dbus_set_system_bus_env(); #endif - start_application(0, shfd, NULL); + start_application(arg_join_network \|\| arg_join_filesystem, shfd, NULL); __builtin_unreachable(); } EUID_USER(); + unpin_process(sandbox); + if (shfd != -1) close(shfd); @@ -596,15 +569,17 @@ // end of signal-safe code //***************************** - flush_stdin(); if (WIFEXITED(status)) { + // if we had a proper exit, return that exit status status = WEXITSTATUS(status); } else if (WIFSIGNALED(status)) { - status = WTERMSIG(status); + // distinguish fatal signals by adding 128 + status = 128 + WTERMSIG(status); } else { - status = 0; + status = -1; } + flush_stdin(); exit(status); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/ls.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -46,7 +46,8 @@ struct stat s; if (stat(name, &s) == -1) { if (lstat(name, &s) == -1) { - printf("Error: cannot access %s\n", name); + printf("Error: cannot access %s\n", do_replace_cntrl_chars(name, '?')); + free(name); return; } } @@ -151,12 +152,17 @@ if (allocated) free(groupname); + // file size char sz; if (asprintf(&sz, "%d", (int) s.st_size) == -1) errExit("asprintf"); - printf("%11.10s %s\n", sz, fname); - free(sz); + // file name + char fname_print = replace_cntrl_chars(fname, '?'); + + printf("%11.10s %s\n", sz, fname_print); + free(sz); + free(fname_print); } static void print_directory(const char path) { @@ -192,13 +198,15 @@ fprintf(stderr, "Error: cannot access %s\n", path); exit(1); } + + // debug doesn't filter control characters currently if (arg_debug) printf("ls %s\n", rp); // list directory contents struct stat s; if (stat(rp, &s) == -1) { - fprintf(stderr, "Error: cannot access %s\n", rp); + fprintf(stderr, "Error: cannot access %s\n", do_replace_cntrl_chars(rp, '?')); exit(1); } if (S_ISDIR(s.st_mode)) @@ -237,13 +245,13 @@ fprintf(stderr, "Error: %s is not a regular file\n", path); exit(1); } - bool tty = isatty(STDOUT_FILENO); + int tty = isatty(STDOUT_FILENO); int c; while ((c = fgetc(fp)) != EOF) { // file is untrusted // replace control characters when printing to a terminal - if (tty && c != '\t' && c != '\n' && iscntrl((unsigned char) c)) + if (tty && iscntrl((unsigned char) c) && c != '\t' && c != '\n') c = '?'; fputc(c, stdout); } @@ -278,11 +286,7 @@ EUID_ASSERT(); assert(path1); - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); - - // exit if no permission to join the sandbox - check_join_permission(pid); + ProcessHandle sandbox = pin_sandbox_process(pid); // expand paths char fname1 = expand_path(path1); @@ -305,43 +309,34 @@ } // create destination file if necessary EUID_ASSERT(); - int fd = open(dest_fname, O_WRONLY\|O_CREAT\|O_CLOEXEC, S_IRUSR \| S_IWRITE); - if (fd == -1) { + int dest = open(dest_fname, O_WRONLY\|O_CREAT\|O_CLOEXEC, S_IRUSR \| S_IWUSR); + if (dest == -1) { fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); exit(1); } struct stat s; - if (fstat(fd, &s) == -1) + if (fstat(dest, &s) == -1) errExit("fstat"); if (!S_ISREG(s.st_mode)) { - fprintf(stderr, "Error: %s is no regular file\n", dest_fname); + fprintf(stderr, "Error: %s is not a regular file\n", dest_fname); exit(1); } - if (ftruncate(fd, 0) == -1) + if (ftruncate(dest, 0) == -1) errExit("ftruncate"); // go quiet - messages on stdout will corrupt the file arg_debug = 0; arg_quiet = 1; // redirection - if (dup2(fd, STDOUT_FILENO) == -1) + if (dup2(dest, STDOUT_FILENO) == -1) errExit("dup2"); - assert(fd != STDOUT_FILENO); - close(fd); + close(dest); op = SANDBOX_FS_CAT; } - // sandbox root directory - char rootdir; - if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) - errExit("asprintf"); - if (op == SANDBOX_FS_LS \|\| op == SANDBOX_FS_CAT) { - EUID_ROOT(); - // chroot - if (chroot(rootdir) < 0) - errExit("chroot"); - if (chdir("/") < 0) - errExit("chdir"); + // chroot into the sandbox + process_rootfs_chroot(sandbox); + unpin_process(sandbox); // drop privileges drop_privs(0); @@ -350,95 +345,48 @@ ls(fname1); else cat(fname1); - - __gcov_flush(); } // get file from host and store it in the sandbox else if (op == SANDBOX_FS_PUT && path2) { - char src_fname =fname1; + char src_fname = fname1; char dest_fname = fname2; - EUID_ROOT(); - if (arg_debug) - printf("copy %s to %s\n", src_fname, dest_fname); - - // create a user-owned temporary file in /run/firejail directory - char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; - int fd = mkstemp(tmp_fname); - if (fd == -1) { - fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname); + EUID_ASSERT(); + int src = open(src_fname, O_RDONLY\|O_CLOEXEC); + if (src == -1) { + fprintf(stderr, "Error: cannot open %s for reading\n", src_fname); exit(1); } - SET_PERMS_FD(fd, getuid(), getgid(), 0600); - close(fd); - // copy the source file into the temporary file - we need to chroot - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - // copy the file - if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user - _exit(1); - - __gcov_flush(); - - _exit(0); - } - - // wait for the child to finish - int status = 0; - waitpid(child, &status, 0); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else { - unlink(tmp_fname); + // chroot into the sandbox + process_rootfs_chroot(sandbox); + unpin_process(sandbox); + + // drop privileges + drop_privs(0); + + int dest = open(dest_fname, O_WRONLY\|O_CREAT\|O_CLOEXEC, S_IRUSR \| S_IWUSR); + if (dest == -1) { + fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); exit(1); } - - // copy the temporary file into the destination file - child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // chroot - if (chroot(rootdir) < 0) - errExit("chroot"); - if (chdir("/") < 0) - errExit("chdir"); - - // drop privileges - drop_privs(0); - - // copy the file - if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user - _exit(1); - - __gcov_flush(); - - _exit(0); - } - - // wait for the child to finish - status = 0; - waitpid(child, &status, 0); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else { - unlink(tmp_fname); + struct stat s; + if (fstat(dest, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + fprintf(stderr, "Error: %s is not a regular file\n", dest_fname); exit(1); } + if (ftruncate(dest, 0) == -1) + errExit("ftruncate"); - // remove the temporary file - unlink(tmp_fname); - EUID_USER(); + if (copy_file_by_fd(src, dest) != 0) + fwarning("an error occured during copying\n"); + close(src); + close(dest); } - if (fname2) - free(fname2); - free(fname1); - free(rootdir); + __gcov_flush(); exit(0); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/macros.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,9 +22,11 @@ #define MAXBUF 4098 typedef struct macro_t { - char name; // macro name + char name; // macro name char xdg; // xdg line in ~/.config/user-dirs.dirs -#define MAX_TRANSLATIONS 3 // several translations in case ~/.config/user-dirs.dirs not found + // several translations in case ~/.config/user-dirs.dirs not found + // covered currently: English, Russian, French, Italian, Spanish, Portuguese, German +#define MAX_TRANSLATIONS 7 char translation[MAX_TRANSLATIONS]; } Macro; @@ -32,37 +34,37 @@ { "${DOWNLOADS}", "XDG_DOWNLOAD_DIR=\"$HOME/", - { "Downloads", "Загрузки", "Téléchargement" } + {"Downloads", "Загрузки", "Téléchargement", "Scaricati", "Descargas"} }, { "${MUSIC}", "XDG_MUSIC_DIR=\"$HOME/", - {"Music", "Музыка", "Musique"} + {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} }, { "${VIDEOS}", "XDG_VIDEOS_DIR=\"$HOME/", - {"Videos", "Видео", "Vidéos"} + {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} }, { "${PICTURES}", "XDG_PICTURES_DIR=\"$HOME/", - {"Pictures", "Изображения", "Photos"} + {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} }, { "${DESKTOP}", "XDG_DESKTOP_DIR=\"$HOME/", - {"Desktop", "Рабочий стол", "Bureau"} + {"Desktop", "Рабочий стол", "Bureau", "Scrivania", "Escritorio", "Área de trabalho", "Schreibtisch"} }, { "${DOCUMENTS}", "XDG_DOCUMENTS_DIR=\"$HOME/", - {"Documents", "Документы", "Documents"} + {"Documents", "Документы", "Documenti", "Documentos", "Dokumente"} }, { 0 } @@ -154,7 +156,7 @@ struct stat s; int i = 0; - while (entries[i] != NULL) { + while (i < MAX_TRANSLATIONS && entries[i] != NULL) { if (asprintf(&fname, "%s/%s", cfg.homedir, entries[i]) == -1) errExit("asprintf"); @@ -263,28 +265,6 @@ return rv; } -// replace control characters with a '?' -static char fix_control_chars(const char fname) { - assert(fname); - - size_t len = strlen(fname); - char rv = malloc(len + 1); - if (!rv) - errExit("malloc"); - - size_t i = 0; - while (fname[i] != '\0') { - if (iscntrl((unsigned char) fname[i])) - rv[i] = '?'; - else - rv[i] = fname[i]; - i++; - } - rv[i] = '\0'; - - return rv; -} - void invalid_filename(const char fname, int globbing) { // EUID_ASSERT(); assert(fname); @@ -302,24 +282,5 @@ return; } - size_t i = 0; - while (ptr[i] != '\0') { - if (iscntrl((unsigned char) ptr[i])) { - char new = fix_control_chars(fname); - fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters allowed\n", new); - exit(1); - } - i++; - } - - char reject; - if (globbing) - reject = "\\&!\"'<>%^{};,"; // file globbing ('?[]') is allowed - else - reject = "\\&!?\"'<>%^{};,[]"; - char c = strpbrk(ptr, reject); - if (c) { - fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, c); - exit(1); - } + reject_meta_chars(ptr, globbing); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -32,7 +32,8 @@ #include <dirent.h> #include <pwd.h> #include <errno.h> -//#include <limits.h> + +#include <limits.h> #include <sys/file.h> #include <sys/prctl.h> #include <signal.h> @@ -104,7 +105,6 @@ char arg_netfilter6_file = NULL; // netfilter6 file char arg_netns = NULL; // "ip netns"-created network namespace to use int arg_doubledash = 0; // double dash -int arg_shell_none = 0; // run the program directly without a shell int arg_private_dev = 0; // private dev directory int arg_keep_dev_shm = 0; // preserve /dev/shm int arg_private_etc = 0; // private etc directory @@ -119,6 +119,7 @@ int arg_nosound = 0; // disable sound int arg_novideo = 0; //disable video devices in /dev int arg_no3d; // disable 3d hardware acceleration +int arg_noprinters = 0; // disable printers int arg_quiet = 0; // no output for scripting int arg_join_network = 0; // join only the network namespace int arg_join_filesystem = 0; // join only the mount namespace @@ -132,11 +133,13 @@ int arg_writable_var_log = 0; // writable /var/log int arg_appimage = 0; // appimage int arg_apparmor = 0; // apparmor +char apparmor_profile = NULL; // apparmor profile +bool apparmor_replace = false; // apparmor profile int arg_allow_debuggers = 0; // allow debuggers int arg_x11_block = 0; // block X11 int arg_x11_xorg = 0; // use X11 security extension int arg_allusers = 0; // all user home directories visible -int arg_machineid = 0; // preserve /etc/machine-id +int arg_machineid = 0; // spoof /etc/machine-id int arg_allow_private_blacklist = 0; // blacklist things in private directories int arg_disable_mnt = 0; // disable /mnt and /media int arg_noprofile = 0; // use default.profile if none other found/specified @@ -146,12 +149,17 @@ int arg_nou2f = 0; // --nou2f int arg_noinput = 0; // --noinput int arg_deterministic_exit_code = 0; // always exit with first child's exit status +int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies +int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system const char arg_dbus_log_file = NULL; int arg_dbus_log_user = 0; int arg_dbus_log_system = 0; +int arg_tab = 0; int login_shell = 0; +int just_run_the_shell = 0; +int arg_netlock = 0; int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -189,13 +197,16 @@ logsignal(s); if (waitpid(child, NULL, WNOHANG) == 0) { - if (has_handler(child, s)) // signals are not delivered if there is no handler yet + // child is pid 1 of a pid namespace: + // signals are not delivered if there is no handler yet + if (has_handler(child, s)) kill(child, s); else kill(child, SIGKILL); waitpid(child, NULL, 0); } - myexit(s); + release_sandbox_lock(); + myexit(128 + s); } static void install_handler(void) { @@ -238,6 +249,9 @@ cfg.username = strdup(pw->pw_name); if (!cfg.username) errExit("strdup"); + cfg.usershell = strdup(pw->pw_shell); + if (!cfg.usershell) + errExit("strdup"); // check user database if (!firejail_user_check(cfg.username)) { @@ -331,7 +345,8 @@ static void exit_err_feature(const char feature) { - fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature); + fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n", + feature, SYSCONFDIR "/firejail.config"); exit(1); } @@ -349,10 +364,7 @@ exit(0); } else if (strcmp(argv[i], "--version") == 0) { - printf("firejail version %s\n", VERSION); - printf("\n"); - print_compiletime_support(); - printf("\n"); + print_version(); exit(0); } #ifdef HAVE_OVERLAYFS @@ -403,6 +415,111 @@ } #endif #ifdef HAVE_NETWORK + else if (strcmp(argv[i], "--nettrace") == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: --nettrace is only available to root user\n"); + exit(1); + } + netfilter_trace(0, LIBDIR "/firejail/fnettrace"); + } + else + exit_err_feature("networking"); + exit(0); + } + else if (strncmp(argv[i], "--nettrace=", 11) == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: --nettrace is only available to root user\n"); + exit(1); + } + pid_t pid = require_pid(argv[i] + 11); + netfilter_trace(pid, LIBDIR "/firejail/fnettrace"); + } + else + exit_err_feature("networking"); + exit(0); + } + else if (strcmp(argv[i], "--dnstrace") == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: --dnstrace is only available to root user\n"); + exit(1); + } + netfilter_trace(0, LIBDIR "/firejail/fnettrace-dns"); + } + else + exit_err_feature("networking"); + exit(0); + } + else if (strncmp(argv[i], "--dnstrace=", 11) == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: --dnstrace is only available to root user\n"); + exit(1); + } + pid_t pid = require_pid(argv[i] + 11); + netfilter_trace(pid, LIBDIR "/firejail/fnettrace-dns"); + } + else + exit_err_feature("networking"); + exit(0); + } + else if (strcmp(argv[i], "--snitrace") == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: --snitrace is only available to root user\n"); + exit(1); + } + netfilter_trace(0, LIBDIR "/firejail/fnettrace-sni"); + } + else + exit_err_feature("networking"); + exit(0); + } + else if (strncmp(argv[i], "--snitrace=", 11) == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: --snitrace is only available to root user\n"); + exit(1); + } + pid_t pid = require_pid(argv[i] + 11); + netfilter_trace(pid, LIBDIR "/firejail/fnettrace-sni"); + } + else + exit_err_feature("networking"); + exit(0); + } + + + else if (strcmp(argv[i], "--icmptrace") == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: --icmptrace is only available to root user\n"); + exit(1); + } + netfilter_trace(0, LIBDIR "/firejail/fnettrace-icmp"); + } + else + exit_err_feature("networking"); + exit(0); + } + else if (strncmp(argv[i], "--icmptrace=", 12) == 0) { + if (checkcfg(CFG_NETWORK)) { + if (getuid() != 0) { + fprintf(stderr, "Error: -icmptrace is only available to root user\n"); + exit(1); + } + pid_t pid = require_pid(argv[i] + 12); + netfilter_trace(pid, LIBDIR "/firejail/fnettrace-icmp"); + } + else + exit_err_feature("networking"); + exit(0); + } + + + else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { if (checkcfg(CFG_NETWORK)) { logargs(argc, argv); @@ -613,8 +730,7 @@ #ifdef HAVE_NETWORK else if (strcmp(argv[i], "--netstats") == 0) { if (checkcfg(CFG_NETWORK)) { - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0 \|\| pid_hidepid()) + if (pid_hidepid()) sbox_run(SBOX_ROOT \| SBOX_CAPS_HIDEPID \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN, 2, PATH_FIREMON, "--netstats"); else @@ -763,16 +879,9 @@ if (checkcfg(CFG_JOIN) \|\| getuid() == 0) { logargs(argc, argv); - if (arg_shell_none) { - if (argc <= (i+1)) { - fprintf(stderr, "Error: --shell=none set, but no command specified\n"); - exit(1); - } - cfg.original_program_index = i + 1; - } - - if (!cfg.shell && !arg_shell_none) - cfg.shell = guess_shell(); + if (argc <= (i+1)) + just_run_the_shell = 1; + cfg.original_program_index = i + 1; // join sandbox by pid or by name pid_t pid = require_pid(argv[i] + 7); @@ -789,20 +898,13 @@ if (checkcfg(CFG_JOIN) \|\| getuid() == 0) { logargs(argc, argv); - if (arg_shell_none) { - if (argc <= (i+1)) { - fprintf(stderr, "Error: --shell=none set, but no command specified\n"); - exit(1); - } - cfg.original_program_index = i + 1; - } + if (argc <= (i+1)) + just_run_the_shell = 1; + cfg.original_program_index = i + 1; // try to join by name only pid_t pid; if (!read_pid(argv[i] + 16, &pid)) { - if (!cfg.shell && !arg_shell_none) - cfg.shell = guess_shell(); - join(pid, argc, argv, i + 1); exit(0); } @@ -821,8 +923,9 @@ exit(1); } - if (!cfg.shell && !arg_shell_none) - cfg.shell = guess_shell(); + if (argc <= (i+1)) + just_run_the_shell = 1; + cfg.original_program_index = i + 1; // join sandbox by pid or by name pid_t pid = require_pid(argv[i] + 15); @@ -841,8 +944,9 @@ exit(1); } - if (!cfg.shell && !arg_shell_none) - cfg.shell = guess_shell(); + if (argc <= (i+1)) + just_run_the_shell = 1; + cfg.original_program_index = i + 1; // join sandbox by pid or by name pid_t pid = require_pid(argv[i] + 18); @@ -860,40 +964,6 @@ } -char guess_shell(void) { - const char shell; - char retval; - - shell = env_get("SHELL"); - if (shell) { - invalid_filename(shell, 0); // no globbing - if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL && - strcmp(shell, PATH_FIREJAIL) != 0) - goto found; - } - - // shells in order of preference - static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; - - int i = 0; - while (shells[i] != NULL) { - // access call checks as real UID/GID, not as effective UID/GID - if (access(shells[i], X_OK) == 0) { - shell = shells[i]; - goto found; - } - i++; - } - - return NULL; - - found: - retval = strdup(shell); - if (!retval) - errExit("strdup"); - return retval; -} - // return argument index static int check_arg(int argc, char *argv, const char argument, int strict) { int i; @@ -932,12 +1002,14 @@ if (setresuid(-1, getuid(), getuid()) != 0) errExit("setresuid"); + if (env_get("LD_PRELOAD") != NULL) + fprintf(stderr, "run_builder: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD")); assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); umask(orig_umask); - // restore some environment variables - env_apply_whitelist_sbox(); + // restore original environment variables + env_apply_all(); argv[0] = LIBDIR "/firejail/fbuilder"; execvp(argv[0], argv); @@ -980,136 +1052,61 @@ int prog_index = -1; // index in argv where the program command starts int lockfd_network = -1; int lockfd_directory = -1; - int option_cgroup = 0; int custom_profile = 0; // custom profile loaded int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) char *ptr; -#ifndef HAVE_SUID - if (geteuid() != 0) { - fprintf(stderr, "Error: Firejail needs to be SUID.\n"); - fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n"); - fprintf(stderr, " chmod u+s /usr/bin/firejail\n"); - } -#endif // sanitize the umask orig_umask = umask(022); - // check standard streams before printing anything - fix_std_streams(); - // drop permissions by default and rise them when required EUID_INIT(); EUID_USER(); + // check standard streams before opening any file + fix_std_streams(); + // argument count should be larger than 0 if (argc == 0 \|\| !argv \|\| strlen(argv[0]) == 0) { fprintf(stderr, "Error: argv is invalid\n"); exit(1); } else if (argc >= MAX_ARGS) { - fprintf(stderr, "Error: too many arguments\n"); + fprintf(stderr, "Error: too many arguments: argc (%d) >= MAX_ARGS (%d)\n", argc, MAX_ARGS); exit(1); } + // sanity check for arguments + for (i = 0; i < argc; i++) { + if (strlen(argv[i]) >= MAX_ARG_LEN) { + fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN); + exit(1); + } + } + // Stash environment variables for (i = 0, ptr = envp; ptr && ptr && i < MAX_ENVS; i++, ptr++) env_store(ptr, SETENV); // sanity check for environment variables if (i >= MAX_ENVS) { - fprintf(stderr, "Error: too many environment variables\n"); + fprintf(stderr, "Error: too many environment variables: >= MAX_ENVS (%d)\n", MAX_ENVS); exit(1); } - // sanity check for arguments - for (i = 0; i < argc; i++) { - if (argv[i] == 0) { - fprintf(stderr, "Error: too short arguments\n"); - exit(1); - } - if (strlen(argv[i]) >= MAX_ARG_LEN) { - fprintf(stderr, "Error: too long arguments\n"); - exit(1); - } - } - // Reapply a minimal set of environment variables env_apply_whitelist(); - // check if the user is allowed to use firejail - init_cfg(argc, argv); - - // get starting timestamp, process --quiet - timetrace_start(); + // process --quiet const char env_quiet = env_get("FIREJAIL_QUIET"); if (check_arg(argc, argv, "--quiet", 1) \|\| (env_quiet && strcmp(env_quiet, "yes") == 0)) arg_quiet = 1; - // cleanup at exit - EUID_ROOT(); - atexit(clear_atexit); - - // build /run/firejail directory structure - preproc_build_firejail_dir(); - const char container_name = env_get("container"); - if (!container_name \|\| strcmp(container_name, "firejail")) { - lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY \| O_CREAT \| O_CLOEXEC, S_IRUSR \| S_IWUSR); - if (lockfd_directory != -1) { - int rv = fchown(lockfd_directory, 0, 0); - (void) rv; - flock(lockfd_directory, LOCK_EX); - } - preproc_clean_run(); - flock(lockfd_directory, LOCK_UN); - close(lockfd_directory); - } - EUID_USER(); - - // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) - // these paths are disabled in disable-common.inc - if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { - if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { - profile_add("noblacklist /sbin"); - profile_add("noblacklist /usr/sbin"); - } - } - - // for appimages we need to remove "include disable-shell.inc from the profile - // a --profile command can show up before --appimage - if (check_arg(argc, argv, "--appimage", 1)) - arg_appimage = 1; - - // process allow-debuggers - if (check_arg(argc, argv, "--allow-debuggers", 1)) { - // check kernel version - struct utsname u; - int rv = uname(&u); - if (rv != 0) - errExit("uname"); - int major; - int minor; - if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { - fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); - exit(1); - } - if (major < 4 \|\| (major == 4 && minor < 8)) { - fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. " - "A bug in ptrace call allows a full bypass of the seccomp filter. " - "Your current kernel version is %d.%d.\n", major, minor); - exit(1); - } - - arg_allow_debuggers = 1; - char cmd = strdup("noblacklist ${PATH}/strace"); - if (!cmd) - errExit("strdup"); - profile_add(cmd); - } + // check if the user is allowed to use firejail + init_cfg(argc, argv); - // profile builder - if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename - run_builder(argc, argv); // this function will not return + // get starting timestamp + timetrace_start(); // check argv[0] symlink wrapper if this is not a login shell if (argv[0] != '-') @@ -1125,7 +1122,7 @@ EUID_USER(); if (rv == 0) { if (check_arg(argc, argv, "--version", 1)) { - printf("firejail version %s\n", VERSION); + print_version(); exit(0); } @@ -1134,15 +1131,53 @@ __builtin_unreachable(); } } - EUID_ASSERT(); + // profile builder + if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename + run_builder(argc, argv); // this function will not return + + // intrusion detection system +#ifdef HAVE_IDS + if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check + run_ids(argc, argv); // this function will not return +#else + if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check + fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n" + "\tTo enable it, configure your build system using --enable-ids.\n" + "\tExample: ./configure --prefix=/usr --enable-ids\n\n"); + exit(1); + } +#endif - // check firejail directories EUID_ROOT(); - delete_run_files(sandbox_pid); +#ifndef HAVE_SUID + if (geteuid() != 0) { + fprintf(stderr, "Error: Firejail needs to be SUID.\n"); + fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n"); + fprintf(stderr, " chmod u+s /usr/bin/firejail\n"); + } +#endif + + // build /run/firejail directory structure + preproc_build_firejail_dir(); + const char container_name = env_get("container"); + if (!container_name \|\| strcmp(container_name, "firejail")) { + lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY \| O_CREAT \| O_CLOEXEC, S_IRUSR \| S_IWUSR); + if (lockfd_directory != -1) { + int rv = fchown(lockfd_directory, 0, 0); + (void) rv; + flock(lockfd_directory, LOCK_EX); + } + preproc_clean_run(); + flock(lockfd_directory, LOCK_UN); + close(lockfd_directory); + } + + delete_run_files(getpid()); + atexit(clear_atexit); EUID_USER(); - //check if the parent is sshd daemon + // check if the parent is sshd daemon int parent_sshd = 0; { pid_t ppid = getppid(); @@ -1199,7 +1234,8 @@ } EUID_ASSERT(); - // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users + // is this a login shell, or a command passed by sshd, + // insert command line options from /etc/firejail/login.users if (argv[0] == '-' \|\| parent_sshd) { if (argc == 1) login_shell = 1; @@ -1251,10 +1287,56 @@ #endif EUID_ASSERT(); - // check for force-nonewprivs in /etc/firejail/firejail.config file + // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) + // these paths are disabled in disable-common.inc + if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { + if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { + profile_add("noblacklist /sbin"); + profile_add("noblacklist /usr/sbin"); + } + } + + // process allow-debuggers + if (check_arg(argc, argv, "--allow-debuggers", 1)) { + // check kernel version + struct utsname u; + int rv = uname(&u); + if (rv != 0) + errExit("uname"); + int major; + int minor; + if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { + fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); + exit(1); + } + if (major < 4 \|\| (major == 4 && minor < 8)) { + fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. " + "A bug in ptrace call allows a full bypass of the seccomp filter. " + "Your current kernel version is %d.%d.\n", major, minor); + exit(1); + } + + arg_allow_debuggers = 1; + char cmd = strdup("noblacklist ${PATH}/strace"); + if (!cmd) + errExit("strdup"); + profile_add(cmd); + } + + // for appimages we need to remove "include disable-shell.inc from the profile + // a --profile command can show up before --appimage + if (check_arg(argc, argv, "--appimage", 1)) + arg_appimage = 1; + + // load configuration file /etc/firejail/firejail.config + // and check for force-nonewprivs if (checkcfg(CFG_FORCE_NONEWPRIVS)) arg_nonewprivs = 1; + // check oom + if ((i = check_arg(argc, argv, "--oom=", 0)) != 0) + oom_set(argv[i] + 6); + // parse arguments for (i = 1; i < argc; i++) { run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized @@ -1294,8 +1376,18 @@ // filtering //************************************ #ifdef HAVE_APPARMOR - else if (strcmp(argv[i], "--apparmor") == 0) + else if (strcmp(argv[i], "--apparmor") == 0) { + arg_apparmor = 1; + apparmor_profile = "firejail-default"; + } + else if (strncmp(argv[i], "--apparmor=", 11) == 0) { + arg_apparmor = 1; + apparmor_profile = argv[i] + 11; + } + else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) { arg_apparmor = 1; + apparmor_replace = true; + } #endif else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1407,6 +1499,20 @@ else exit_err_feature("seccomp"); } + else if (strcmp(argv[i], "--restrict-namespaces") == 0) { + if (checkcfg(CFG_SECCOMP)) + profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); + else + exit_err_feature("seccomp"); + } + else if (strncmp(argv[i], "--restrict-namespaces=", 22) == 0) { + if (checkcfg(CFG_SECCOMP)) { + const char add = argv[i] + 22; + profile_list_augment(&cfg.restrict_namespaces, add); + } + else + exit_err_feature("seccomp"); + } else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) { if (checkcfg(CFG_SECCOMP)) { int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION); @@ -1475,8 +1581,12 @@ arg_tracefile = tmp; } } - else if (strcmp(argv[i], "--tracelog") == 0) - arg_tracelog = 1; + else if (strcmp(argv[i], "--tracelog") == 0) { + if (checkcfg(CFG_TRACELOG)) + arg_tracelog = 1; + else + exit_err_feature("tracelog"); + } else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { check_unsigned(argv[i] + 13, "Error: invalid rlimit"); sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu); @@ -1523,22 +1633,6 @@ cfg.nice = 0; arg_nice = 1; } - else if (strncmp(argv[i], "--cgroup=", 9) == 0) { - if (checkcfg(CFG_CGROUP)) { - if (option_cgroup) { - fprintf(stderr, "Error: only a cgroup can be defined\n"); - exit(1); - } - - option_cgroup = 1; - cfg.cgroup = strdup(argv[i] + 9); - if (!cfg.cgroup) - errExit("strdup"); - set_cgroup(cfg.cgroup); - } - else - exit_err_feature("cgroup"); - } //************************************ // filesystem @@ -1565,6 +1659,7 @@ profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + else if (strncmp(argv[i], "--blacklist=", 12) == 0) { char line; if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) @@ -1581,19 +1676,13 @@ profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } - -#ifdef HAVE_WHITELIST else if (strncmp(argv[i], "--whitelist=", 12) == 0) { - if (checkcfg(CFG_WHITELIST)) { - char line; - if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) - errExit("asprintf"); + char line; + if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) + errExit("asprintf"); - profile_check_line(line, 0, NULL); // will exit if something wrong - profile_add(line); - } - else - exit_err_feature("whitelist"); + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); } else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { char line; @@ -1603,7 +1692,7 @@ profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } -#endif + else if (strncmp(argv[i], "--mkdir=", 8) == 0) { char line; if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) @@ -1662,11 +1751,6 @@ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); exit(1); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); - } arg_overlay = 1; arg_overlay_keep = 1; @@ -1690,11 +1774,6 @@ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); exit(1); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); - } arg_overlay = 1; arg_overlay_keep = 1; arg_overlay_reuse = 1; @@ -1726,11 +1805,6 @@ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); exit(1); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); - } arg_overlay = 1; } else @@ -1853,6 +1927,14 @@ } profile_add_ignore(argv[i] + 9); } + else if (strncmp(argv[i], "--keep-fd=", 10) == 0) { + if (strcmp(argv[i] + 10, "all") == 0) + arg_keep_fd_all = 1; + else { + const char add = argv[i] + 10; + profile_list_augment(&cfg.keep_fd, add); + } + } #ifdef HAVE_CHROOT else if (strncmp(argv[i], "--chroot=", 9) == 0) { if (checkcfg(CFG_CHROOT)) { @@ -1861,11 +1943,6 @@ exit(1); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n"); - exit(1); - } // extract chroot dirname cfg.chrootdir = argv[i] + 9; if (cfg.chrootdir == '\0') { @@ -2121,6 +2198,11 @@ arg_novideo = 1; else if (strcmp(argv[i], "--no3d") == 0) arg_no3d = 1; + else if (strcmp(argv[i], "--noprinters") == 0) { + arg_noprinters = 1; + profile_add("blacklist /dev/lp"); + profile_add("blacklist /run/cups/cups.sock"); + } else if (strcmp(argv[i], "--notv") == 0) arg_notv = 1; else if (strcmp(argv[i], "--nodvd") == 0) @@ -2293,6 +2375,21 @@ continue; } #ifdef HAVE_NETWORK + else if (strcmp(argv[i], "--netlock") == 0) { + if (checkcfg(CFG_NETWORK)) + arg_netlock = 1; + else + exit_err_feature("networking"); + } + else if (strncmp(argv[i], "--netlock=", 10) == 0) { + if (checkcfg(CFG_NETWORK)) { + pid_t pid = require_pid(argv[i] + 10); + netfilter_netlock(pid); + } + else + exit_err_feature("networking"); + exit(0); + } else if (strncmp(argv[i], "--interface=", 12) == 0) { if (checkcfg(CFG_NETWORK)) { // checks @@ -2598,7 +2695,7 @@ else if (cfg.dns4 == NULL) cfg.dns4 = dns; else { - fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns); + fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns); free(dns); } } @@ -2619,6 +2716,15 @@ if (checkcfg(CFG_NETWORK)) { arg_netfilter = 1; arg_netfilter_file = argv[i] + 12; + + // expand tilde + if (arg_netfilter_file == '~') { + char tmp; + if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1) + errExit("asprintf"); + arg_netfilter_file = tmp; + } + check_netfilter_file(arg_netfilter_file); } else @@ -2629,6 +2735,15 @@ if (checkcfg(CFG_NETWORK)) { arg_netfilter6 = 1; arg_netfilter6_file = argv[i] + 13; + + // expand tilde + if (arg_netfilter6_file == '~') { + char tmp; + if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1) + errExit("asprintf"); + arg_netfilter6_file = tmp; + } + check_netfilter_file(arg_netfilter6_file); } else @@ -2649,47 +2764,15 @@ //************************************* else if (strncmp(argv[i], "--timeout=", 10) == 0) cfg.timeout = extract_timeout(argv[i] + 10); - else if (strcmp(argv[i], "--appimage") == 0) - arg_appimage = 1; - else if (strcmp(argv[i], "--shell=none") == 0) { - arg_shell_none = 1; - if (cfg.shell) { - fprintf(stderr, "Error: a shell was already specified\n"); - return 1; - } + else if (strcmp(argv[i], "--appimage") == 0) { + // already handled + } + else if (strncmp(argv[i], "--oom=", 6) == 0) { + // already handled } else if (strncmp(argv[i], "--shell=", 8) == 0) { - if (arg_shell_none) { - fprintf(stderr, "Error: --shell=none was already specified.\n"); - return 1; - } - invalid_filename(argv[i] + 8, 0); // no globbing - - if (cfg.shell) { - fprintf(stderr, "Error: only one user shell can be specified\n"); - return 1; - } - cfg.shell = argv[i] + 8; - - if (is_dir(cfg.shell) \|\| strstr(cfg.shell, "..")) { - fprintf(stderr, "Error: invalid shell\n"); - exit(1); - } - - // access call checks as real UID/GID, not as effective UID/GID - if(cfg.chrootdir) { - char shellpath; - if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) - errExit("asprintf"); - if (access(shellpath, X_OK)) { - fprintf(stderr, "Error: cannot access shell file in chroot\n"); - exit(1); - } - free(shellpath); - } else if (access(cfg.shell, X_OK)) { - fprintf(stderr, "Error: cannot access shell file\n"); - exit(1); - } + fprintf(stderr, "Warning: --shell feature has been deprecated\n"); + exit(1); } else if (strcmp(argv[i], "-c") == 0) { arg_command = 1; @@ -2725,6 +2808,11 @@ else if (strcmp(argv[i], "--deterministic-exit-code") == 0) { arg_deterministic_exit_code = 1; } + else if (strcmp(argv[i], "--deterministic-shutdown") == 0) { + arg_deterministic_shutdown = 1; + } + else if (strcmp(argv[i], "--tab") == 0) + arg_tab = 1; else { // double dash - positional params to follow if (strcmp(argv[i], "--") == 0) { @@ -2746,9 +2834,6 @@ cfg.command_name = strdup(argv[i]); if (!cfg.command_name) errExit("strdup"); - - // disable shell= for appimages - arg_shell_none = 0; } else extract_command_name(i, argv); @@ -2775,11 +2860,6 @@ } } - // prog_index could still be -1 if no program was specified - if (prog_index == -1 && arg_shell_none) { - fprintf(stderr, "Error: shell=none configured, but no program specified\n"); - exit(1); - } // check trace configuration if (arg_trace && arg_tracelog) { @@ -2798,6 +2878,17 @@ } } + // check writable_etc and DNS/DHCP + if (arg_writable_etc) { + if (cfg.dns1 != NULL \|\| any_dhcp()) { + // we could end up overwriting the real /etc/resolv.conf, so we better exit now! + fprintf(stderr, "Error: --dns/--ip=dhcp and --writable-etc are mutually exclusive\n"); + exit(1); + } + } + + + // enable seccomp if only seccomp.block-secondary was specified if (arg_seccomp_block_secondary) arg_seccomp = 1; @@ -2812,27 +2903,18 @@ free(msg); } - // guess shell if unspecified - if (!arg_shell_none && !cfg.shell) { - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); - exit(1); - } - if (arg_debug) - printf("Autoselecting %s as shell\n", cfg.shell); - } - // build the sandbox command - if (prog_index == -1 && cfg.shell) { - assert(cfg.command_line == NULL); // runs cfg.shell + if (prog_index == -1) { + just_run_the_shell = 1; + + assert(cfg.command_line == NULL); // runs the user shell if (arg_appimage) { fprintf(stderr, "Error: no appimage archive specified\n"); exit(1); } - cfg.window_title = cfg.shell; - cfg.command_name = cfg.shell; + cfg.window_title = cfg.usershell; + cfg.command_name = cfg.usershell; } else if (arg_appimage) { if (arg_debug) @@ -2856,11 +2938,8 @@ // load the profile if (!arg_noprofile && !custom_profile) { - if (arg_appimage) { + if (arg_appimage) custom_profile = appimage_find_profile(cfg.command_name); - // disable shell=* for appimages - arg_shell_none = 0; - } else custom_profile = profile_find_firejail(cfg.command_name, 1); } @@ -3015,6 +3094,9 @@ errExit("clone"); EUID_USER(); + // sandbox pidfile + set_sandbox_run_file(getpid(), child); + if (!arg_command && !arg_quiet) { fmessage("Parent pid %u, child pid %u\n", sandbox_pid, child); // print the path of the new log directory @@ -3048,100 +3130,179 @@ } EUID_ASSERT(); - // close each end of the unused pipes - close(parent_to_child_fds[0]); - close(child_to_parent_fds[1]); + // close each end of the unused pipes + close(parent_to_child_fds[0]); + close(child_to_parent_fds[1]); // notify child that base setup is complete - notify_other(parent_to_child_fds[1]); + notify_other(parent_to_child_fds[1]); - // wait for child to create new user namespace with CLONE_NEWUSER - wait_for_other(child_to_parent_fds[0]); - close(child_to_parent_fds[0]); + // wait for child to create new user namespace with CLONE_NEWUSER + wait_for_other(child_to_parent_fds[0]); + close(child_to_parent_fds[0]); - if (arg_noroot) { - // update the UID and GID maps in the new child user namespace + if (arg_noroot) { + // update the UID and GID maps in the new child user namespace // uid - char map_path; - if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) - errExit("asprintf"); - - char map; - uid_t uid = getuid(); - if (asprintf(&map, "%d %d 1", uid, uid) == -1) - errExit("asprintf"); - EUID_ROOT(); - update_map(map, map_path); - EUID_USER(); - free(map); - free(map_path); + char map_path; + if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) + errExit("asprintf"); + + char map; + uid_t uid = getuid(); + if (asprintf(&map, "%d %d 1", uid, uid) == -1) + errExit("asprintf"); + EUID_ROOT(); + update_map(map, map_path); + EUID_USER(); + free(map); + free(map_path); - // gid file + // gid file if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1) errExit("asprintf"); - char gidmap[1024]; - char ptr = gidmap; - ptr = '\0'; - - // add user group - gid_t gid = getgid(); - sprintf(ptr, "%d %d 1\n", gid, gid); - ptr += strlen(ptr); - - if (!arg_nogroups) { - // add firejail group - gid_t g = get_group_id("firejail"); - if (g) { - sprintf(ptr, "%d %d 1\n", g, g); - ptr += strlen(ptr); - } - - // add tty group - g = get_group_id("tty"); - if (g) { - sprintf(ptr, "%d %d 1\n", g, g); - ptr += strlen(ptr); - } - - // add audio group - g = get_group_id("audio"); - if (g) { - sprintf(ptr, "%d %d 1\n", g, g); - ptr += strlen(ptr); - } - - // add video group - g = get_group_id("video"); - if (g) { - sprintf(ptr, "%d %d 1\n", g, g); - ptr += strlen(ptr); - } - - // add games group - g = get_group_id("games"); - if (g) { - sprintf(ptr, "%d %d 1\n", g, g); - } - } - - EUID_ROOT(); - update_map(gidmap, map_path); - EUID_USER(); - free(map_path); - } + char gidmap[1024]; + char ptr = gidmap; + ptr = '\0'; + + // add user group + gid_t gid = getgid(); + sprintf(ptr, "%d %d 1\n", gid, gid); + ptr += strlen(ptr); + + gid_t g; + if (!arg_nogroups \|\| !check_can_drop_all_groups()) { + // add audio group + if (!arg_nosound) { + g = get_group_id("audio"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + } + + // add video group + if (!arg_novideo) { + g = get_group_id("video"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + } + + // add render/vglusers group + if (!arg_no3d) { + g = get_group_id("render"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + g = get_group_id("vglusers"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + } + + // add lp group + if (!arg_noprinters) { + g = get_group_id("lp"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + } + + // add cdrom/optical groups + if (!arg_nodvd) { + g = get_group_id("cdrom"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + g = get_group_id("optical"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + } + + // add input group + if (!arg_noinput) { + g = get_group_id("input"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + } + } + + if (!arg_nogroups) { + // add firejail group + g = get_group_id("firejail"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + + // add tty group + g = get_group_id("tty"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + + // add games group + g = get_group_id("games"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + } + } + + EUID_ROOT(); + update_map(gidmap, map_path); + EUID_USER(); + free(map_path); + } EUID_ASSERT(); - // notify child that UID/GID mapping is complete - notify_other(parent_to_child_fds[1]); - close(parent_to_child_fds[1]); + // notify child that UID/GID mapping is complete + notify_other(parent_to_child_fds[1]); + close(parent_to_child_fds[1]); - EUID_ROOT(); + EUID_ROOT(); if (lockfd_network != -1) { flock(lockfd_network, LOCK_UN); close(lockfd_network); } EUID_USER(); + // lock netfilter firewall + if (arg_netlock) { + pid_t netlock_child = fork(); + if (netlock_child < 0) + errExit("fork"); + if (netlock_child == 0) { + close_all(NULL, 0); + // drop privileges + if (setresgid(-1, getgid(), getgid()) != 0) + errExit("setresgid"); + if (setresuid(-1, getuid(), getuid()) != 0) + errExit("setresuid"); + + char arg[64]; + snprintf(arg, sizeof(arg), "--netlock=%d", sandbox_pid); + + char cmd[3]; + cmd[0] = BINDIR "/firejail"; + cmd[1] = arg; + cmd[2] = NULL; + execvp(cmd[0], cmd); + perror("Cannot start netlock"); + _exit(1); + } + } + int status = 0; //************************** // following code is signal-safe @@ -3159,35 +3320,16 @@ // end of signal-safe code //*************************** -#if 0 -// at this point the sandbox was closed and we are on our way out -// it would make sense to move this before waitpid above to free some memory -// crash for now as of issue #3662 from dhcp code - // free globals - if (cfg.profile) { - ProfileEntry prf = cfg.profile; - while (prf != NULL) { - ProfileEntry next = prf->next; -printf("data #%s#\n", prf->data); - if (prf->data) - free(prf->data); -printf("link #%s#\n", prf->link); - if (prf->link) - free(prf->link); - free(prf); - prf = next; - } - } -#endif - + release_sandbox_lock(); if (WIFEXITED(status)){ myexit(WEXITSTATUS(status)); } else if (WIFSIGNALED(status)) { - myexit(WTERMSIG(status)); + // distinguish fatal signals by adding 128 + myexit(128 + WTERMSIG(status)); } else { - myexit(0); + myexit(1); } - return 0; + return 1; }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/mountinfo.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -19,6 +19,7 @@ / #include "firejail.h" +#include <errno.h> #include <fcntl.h> #ifndef O_PATH @@ -32,43 +33,38 @@ // Convert octal escape sequence to decimal value -static int read_oct(const char path) { - int dec = 0; - int digit, i; - // there are always exactly three octal digits - for (i = 1; i < 4; i++) { - digit = (path + i); - if (digit < '0' \|\| digit > '7') { - fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); - exit(1); - } - dec = (dec << 3) + (digit - '0'); - } - return dec; +static unsigned read_oct(char s) { + assert(s[0] == '\\'); + s++; + + int i; + for (i = 0; i < 3; i++) + assert(s[i] >= '0' && s[i] <= '7'); + + return ((s[0] - '0') << 6 \| + (s[1] - '0') << 3 \| + (s[2] - '0') << 0); } // Restore empty spaces in pathnames extracted from /proc/self/mountinfo static void unmangle_path(char path) { - char p = strchr(path, '\\'); - if (p && read_oct(p) == ' ') { - p = ' '; - int i = 3; - do { - p++; - if ((p + i) == '\\' && read_oct(p + i) == ' ') { - p = ' '; - i += 3; - } - else - p = (p + i); - } while (p); - } + char r = strchr(path, '\\'); + if (!r) + return; + + char w = r; + do { + while (r == '\\') { + w++ = read_oct(r); + r += 4; + } + w++ = r; + } while (r++); } // Parse a line from /proc/self/mountinfo, // the function does an exit(1) if anything goes wrong. static void parse_line(char line, MountData output) { - assert(line && output); memset(output, 0, sizeof(output)); // extract mount id, filesystem name, directory and filesystem types // examples: @@ -86,8 +82,6 @@ char ptr = strtok(line, " "); if (!ptr) goto errexit; - if (ptr != line) - goto errexit; output->mountid = atoi(ptr); int cnt = 1; @@ -108,10 +102,9 @@ ptr = strtok(NULL, " "); if (!ptr) goto errexit; - output->fstype = ptr++; + output->fstype = ptr; - - if (output->mountid == 0 \|\| + if (output->mountid < 0 \|\| output->fsname == NULL \|\| output->dir == NULL \|\| output->fstype == NULL) @@ -151,111 +144,118 @@ return &mdata; } -// Extract the mount id from /proc/self/fdinfo and return it. -int get_mount_id(const char path) { - EUID_ASSERT(); - assert(path); +// Returns mount id, or -1 if fd refers to a procfs or sysfs file +static int get_mount_id_from_handle(int fd) { + char proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + + struct file_handle fh = malloc(sizeof fh); + if (!fh) + errExit("malloc"); + fh->handle_bytes = 0; + + int rv = -1; + int tmp; + if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) { + fprintf(stderr, "Error: unexpected result from name_to_handle_at\n"); + exit(1); + } + if (errno == EOVERFLOW && fh->handle_bytes) + rv = tmp; - int fd = open(path, O_PATH\|O_CLOEXEC); - if (fd == -1) - return -1; + free(proc); + free(fh); + return rv; +} - char fdinfo; - if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) +// Returns mount id, or -1 on kernels < 3.15 +static int get_mount_id_from_fdinfo(int fd) { + char proc; + if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1) errExit("asprintf"); - EUID_ROOT(); - FILE fp = fopen(fdinfo, "re"); - EUID_USER(); - free(fdinfo); - if (!fp) - goto errexit; - // read the file + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root == 0) + EUID_ROOT(); + + FILE fp = fopen(proc, "re"); + if (!fp) { + fprintf(stderr, "Error: cannot read proc file\n"); + exit(1); + } + + if (called_as_root == 0) + EUID_USER(); + + int rv = -1; char buf[MAX_BUF]; - if (fgets(buf, MAX_BUF, fp) == NULL) - goto errexit; - do { - if (strncmp(buf, "mnt_id:", 7) == 0) { - char ptr = buf + 7; - while (ptr != '\0' && (ptr == ' ' \|\| ptr == '\t')) { - ptr++; - } - if (ptr == '\0') - goto errexit; - fclose(fp); - close(fd); - return atoi(ptr); - } - } while (fgets(buf, MAX_BUF, fp)); + while (fgets(buf, MAX_BUF, fp)) { + if (sscanf(buf, "mnt_id: %d", &rv) == 1) + break; + } - // fallback, kernels older than 3.15 don't expose the mount id in this place + free(proc); fclose(fp); - close(fd); - return -2; + return rv; +} -errexit: - fprintf(stderr, "Error: cannot read proc file\n"); - exit(1); +int get_mount_id(int fd) { + int rv = get_mount_id_from_handle(fd); + if (rv < 0) + rv = get_mount_id_from_fdinfo(fd); + return rv; } // Check /proc/self/mountinfo if path contains any mounts points. // Returns an array that can be iterated over for recursive remounting. -char *build_mount_array(const int mount_id, const char path) { +char *build_mount_array(const int mountid, const char path) { assert(path); - // open /proc/self/mountinfo FILE fp = fopen("/proc/self/mountinfo", "re"); if (!fp) { fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); exit(1); } - // array to be returned - size_t cnt = 0; + // try to find line with mount id + int found = 0; + MountData mntp; + char line[MAX_BUF]; + while (fgets(line, MAX_BUF, fp)) { + parse_line(line, &mntp); + if (mntp.mountid == mountid) { + found = 1; + break; + } + } + + if (!found) { + fclose(fp); + return NULL; + } + + // allocate array size_t size = 32; char rv = malloc(size sizeof(rv)); if (!rv) errExit("malloc"); - // read /proc/self/mountinfo - size_t pathlen = strlen(path); - char buf[MAX_BUF]; - MountData mntp; - int found = 0; - - if (fgets(buf, MAX_BUF, fp) == NULL) { - fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); - exit(1); - } - do { - parse_line(buf, &mntp); - // find mount point with mount id - if (!found) { - if (mntp.mountid == mount_id) { - // give up if mount id has been reassigned, - // don't remount blacklisted path - if (strncmp(mntp.dir, path, strlen(mntp.dir)) \|\| - strstr(mntp.fsname, "firejail.ro.dir") \|\| - strstr(mntp.fsname, "firejail.ro.file")) - break; - - rv[cnt] = strdup(path); - if (rv[cnt] == NULL) - errExit("strdup"); - cnt++; - found = 1; - continue; - } - continue; - } - // from here on add all mount points below path, - // don't remount blacklisted paths - if (strncmp(mntp.dir, path, pathlen) == 0 && - mntp.dir[pathlen] == '/' && - strstr(mntp.fsname, "firejail.ro.dir") == NULL && - strstr(mntp.fsname, "firejail.ro.file") == NULL) { + // add directory itself + size_t cnt = 0; + rv[cnt] = strdup(path); + if (rv[cnt] == NULL) + errExit("strdup"); - if (cnt == size) { + // and add all following mountpoints contained in this directory + size_t pathlen = strlen(path); + while (fgets(line, MAX_BUF, fp)) { + parse_line(line, &mntp); + if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') { + if (++cnt == size) { size = 2; rv = realloc(rv, size * sizeof(rv)); if (!rv) @@ -264,18 +264,17 @@ rv[cnt] = strdup(mntp.dir); if (rv[cnt] == NULL) errExit("strdup"); - cnt++; } - } while (fgets(buf, MAX_BUF, fp)); + } + fclose(fp); - if (cnt == size) { - size++; + // end of array + if (++cnt == size) { + ++size; rv = realloc(rv, size sizeof(*rv)); if (!rv) errExit("realloc"); } - rv[cnt] = NULL; // end of the array - - fclose(fp); + rv[cnt] = NULL; return rv; }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/netfilter.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -24,6 +24,94 @@ #include <sys/wait.h> #include <fcntl.h> +void netfilter_netlock(pid_t pid) { + EUID_ASSERT(); + + // give the sandbox a chance to start up before entering the network namespace + sleep(1); + enter_network_namespace(pid); + + char flog; + if (asprintf(&flog, "/run/firejail/network/%d-netlock", getpid()) == -1) + errExit("asprintf"); + FILE fp = fopen(flog, "w"); + if (!fp) + errExit("fopen"); + fclose(fp); + + // try to find a X terminal + char terminal = NULL; + if (access("/usr/bin/xterm", X_OK) == 0) + terminal = "/usr/bin/xterm"; + else if (access("/usr/bin/lxterminal", X_OK) == 0) + terminal = "/usr/bin/lxterminal"; + else if (access("/usr/bin/xfce4-terminal", X_OK) == 0) + terminal = "/usr/bin/xfce4-terminal"; + else if (access("/usr/bin/konsole", X_OK) == 0) + terminal = "/usr/bin/konsole"; +// problem: newer gnome-terminal versions don't support -e command line option??? +// same for mate-terminal + + if (isatty(STDIN_FILENO)) + terminal = NULL; + + if (terminal) { + pid_t p = fork(); + if (p == -1) + ; // run without terminal logger + else if (p == 0) { // child + drop_privs(0); + env_apply_all(); + umask(orig_umask); + + char cmd; + if (asprintf(&cmd, "%s -e \"%s/firejail/fnettrace --tail --log=%s\"", terminal, LIBDIR, flog) == -1) + errExit("asprintf"); + int rv = system(cmd); + (void) rv; + exit(0); + } + } + + char cmd; + if (asprintf(&cmd, "%s/firejail/fnettrace --netfilter --log=%s", LIBDIR, flog) == -1) + errExit("asprintf"); + free(flog); + + //********************* + // build command + //********************** + char arg[4]; + arg[0] = "/bin/sh"; + arg[1] = "-c"; + arg[2] = cmd; + arg[3] = NULL; + clearenv(); + sbox_exec_v(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, arg); + // it will never get here!! +} + +void netfilter_trace(pid_t pid, const char cmd) { + EUID_ASSERT(); + + // a pid of 0 means the main system network namespace + if (pid) + enter_network_namespace(pid); + + //********************** + // build command + //********************** + char arg[4]; + arg[0] = "/bin/sh"; + arg[1] = "-c"; + arg[2] = (char ) cmd; + arg[3] = NULL; + + clearenv(); + sbox_exec_v(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, arg); + // it will never get here!! +} + void check_netfilter_file(const char *fname) { EUID_ASSERT();
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/netns.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2020-2021 Firejail Authors + * Copyright (C) 2020-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/network.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/network_main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -271,44 +271,25 @@ #define MAXBUF 4096 void net_dns_print(pid_t pid) { EUID_ASSERT(); - // drop privileges - will not be able to read /etc/resolv.conf for --noroot option + ProcessHandle sandbox = pin_sandbox_process(pid); - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); - - // exit if no permission to join the sandbox - check_join_permission(pid); - - EUID_ROOT(); - if (join_namespace(pid, "mnt")) + // chroot in the sandbox + process_rootfs_chroot(sandbox); + unpin_process(sandbox); + + drop_privs(0); + + // read /etc/resolv.conf + FILE fp = fopen("/etc/resolv.conf", "re"); + if (!fp) { + fprintf(stderr, "Error: cannot read /etc/resolv.conf\n"); exit(1); - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - caps_drop_all(); - if (chdir("/") < 0) - errExit("chdir"); - - // access /etc/resolv.conf - FILE fp = fopen("/etc/resolv.conf", "re"); - if (!fp) { - fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); - exit(1); - } - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) - printf("%s", buf); - printf("\n"); - fclose(fp); - exit(0); } - // wait for the child to finish - waitpid(child, NULL, 0); - flush_stdin(); + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) + printf("%s", buf); + exit(0); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/no_sandbox.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -49,6 +49,7 @@ // check PID 1 container environment variable EUID_ROOT(); FILE *fp = fopen("/proc/1/environ", "re"); + EUID_USER(); if (fp) { int c = 0; while (c != EOF) { @@ -69,7 +70,6 @@ // found it if (is_container(buf + 10)) { fclose(fp); - EUID_USER(); return 1; } } @@ -79,7 +79,6 @@ fclose(fp); } - EUID_USER(); return 0; } @@ -190,25 +189,15 @@ } if (prog_index == 0) { - // got no command, require a shell and try to execute it - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); - exit(1); - } - assert(cfg.command_line == NULL); - cfg.window_title = cfg.shell; + cfg.window_title = cfg.usershell; } else { // this sandbox might not allow execution of a shell - // force --shell=none in order to not break firecfg symbolic links - arg_shell_none = 1; - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true); } fwarning("an existing sandbox was detected. " - "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell); + "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.usershell); cfg.original_argv = argv; cfg.original_program_index = prog_index;
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/oom.c ^
@@ -0,0 +1,87 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + / +#include "firejail.h" +#include <sys/wait.h> + +void oom_set(const char oom_string) { + int oom = atoi(oom_string); + uid_t uid = getuid(); + if (uid == 0) { + if (oom < -1000 \|\| oom > 1000) { + fprintf(stderr, "Error: invalid oom value (-1000 to 1000)\n"); + exit(1); + } + } + else { + if (oom < 0 \|\| oom > 1000) { + fprintf(stderr, "Error: invalid oom value (0 to 1000)\n"); + exit(1); + } + } + + pid_t parent = getpid(); + pid_t child = fork(); + if (child == -1) + errExit("fork"); + if (child == 0) { + EUID_ROOT(); + // elevate privileges + if (setreuid(0, 0)) + errExit("setreuid"); + if (setregid(0, 0)) + errExit("setregid"); + + char fname; + if (asprintf(&fname, "/proc/%d/oom_score_adj", parent) == -1) + errExit("asprintf"); + FILE fp = fopen(fname, "w"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + fprintf(fp, "%d", oom); + fclose(fp); + free(fname); + + if (asprintf(&fname, "/proc/%d/oom_score", parent) == -1) + errExit("asprintf"); + fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + int newoom; + if (1 != fscanf(fp, "%d", &newoom)) { + fprintf(stderr, "Error: cannot read from %s\n", fname); + exit(1); + } + fclose(fp); + free(fname); + + if (!arg_quiet) + printf("Out-Of-Memory score adjusted, new value %d\n", newoom); + exit(0); + } + + int status; + if (waitpid(child, &status, 0) == -1 ) + errExit("waitpid"); +} +
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/output.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -50,13 +50,21 @@ if (!outindex) return; - - // check filename drop_privs(0); char outfile = argv[outindex]; outfile += (enable_stderr)? 16:9; + + // check filename invalid_filename(outfile, 0); // no globbing + // expand user home directory + if (outfile[0] == '~') { + char full; + if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1) + errExit("asprintf"); + outfile = full; + } + // do not accept directories, links, and files with ".." if (strstr(outfile, "..") \|\| is_link(outfile) \|\| is_dir(outfile)) { fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/paths.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/preproc.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -34,58 +34,28 @@ create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); } - if (stat(RUN_FIREJAIL_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); - } + create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); + create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); + create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); + create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); + create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755); + create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); + create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); + create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755); + create_empty_dir_as_root(RUN_MNT_DIR, 0755); + + // restricted search permission + // only root should be able to lock files in this directory + create_empty_dir_as_root(RUN_FIREJAIL_SANDBOX_DIR, 0700); - if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); - } + create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755); + fs_remount(RUN_FIREJAIL_DBUS_DIR, MOUNT_NOEXEC, 0); - if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_X11_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_DBUS_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755); - if (arg_debug) - printf("Remounting the " RUN_FIREJAIL_DBUS_DIR - " directory as noexec\n"); - if (mount(RUN_FIREJAIL_DBUS_DIR, RUN_FIREJAIL_DBUS_DIR, NULL, - MS_BIND, NULL) == -1) - errExit("mounting " RUN_FIREJAIL_DBUS_DIR); - if (mount(NULL, RUN_FIREJAIL_DBUS_DIR, NULL, - MS_REMOUNT \| MS_BIND \| MS_NOSUID \| MS_NOEXEC \| MS_NODEV, - "mode=755,gid=0") == -1) - errExit("remounting " RUN_FIREJAIL_DBUS_DIR); - } - - if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_LIB_DIR, &s)) { - create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755); - } - - if (stat(RUN_MNT_DIR, &s)) { - create_empty_dir_as_root(RUN_MNT_DIR, 0755); - } + create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR); + fs_remount(RUN_RO_DIR, MOUNT_READONLY, 0); create_empty_file_as_root(RUN_RO_FILE, S_IRUSR); - create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR); + fs_remount(RUN_RO_FILE, MOUNT_READONLY, 0); } // build /run/firejail/mnt directory @@ -121,10 +91,18 @@ copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed copy_file(PATH_SECCOMP_MDWX_32, RUN_SECCOMP_MDWX_32, getuid(), getgid(), 0644); // root needed } - // as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files + // as root, create empty RUN_SECCOMP_PROTOCOL, RUN_SECCOMP_NS and RUN_SECCOMP_POSTEXEC files create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) errExit("set_perms"); + if (cfg.restrict_namespaces) { + create_empty_file_as_root(RUN_SECCOMP_NS, 0644); + if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644)) + errExit("set_perms"); + create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644); + if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644)) + errExit("set_perms"); + } create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644); if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644)) errExit("set_perms");
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/process.c ^
@@ -0,0 +1,244 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + / +#include "firejail.h" +#include <errno.h> +#include <signal.h> + +#include <fcntl.h> +#ifndef O_PATH +#define O_PATH 010000000 +#endif + +#include <sys/syscall.h> +#ifndef __NR_pidfd_send_signal +#define __NR_pidfd_send_signal 424 +#endif + +#define BUFLEN 4096 + +struct processhandle_instance_t { + pid_t pid; + int fd; // file descriptor referring to /proc/[PID] +}; + + +ProcessHandle pin_process(pid_t pid) { + EUID_ASSERT(); + + ProcessHandle rv = malloc(sizeof(struct processhandle_instance_t)); + if (!rv) + errExit("malloc"); + rv->pid = pid; + + char proc[64]; + snprintf(proc, sizeof(proc), "/proc/%d", pid); + + EUID_ROOT(); + int fd = open(proc, O_RDONLY\|O_CLOEXEC); + EUID_USER(); + if (fd < 0) { + if (errno == ENOENT) + fprintf(stderr, "Error: cannot find process with pid %d\n", pid); + else + fprintf(stderr, "Error: cannot open %s: %s\n", proc, strerror(errno)); + exit(1); + } + rv->fd = fd; + + return rv; +} + +void unpin_process(ProcessHandle process) { + close(process->fd); + free(process); +} + +pid_t process_get_pid(ProcessHandle process) { + return process->pid; +} + +int process_get_fd(ProcessHandle process) { + return process->fd; +} + +/******************************************** + * access path in proc filesystem + ********************************************/ + +int process_stat_nofail(ProcessHandle process, const char fname, struct stat s) { + EUID_ASSERT(); + assert(fname[0] != '/'); + + EUID_ROOT(); + int rv = fstatat(process_get_fd(process), fname, s, 0); + EUID_USER(); + + return rv; +} + +int process_stat(ProcessHandle process, const char fname, struct stat s) { + int rv = process_stat_nofail(process, fname, s); + if (rv) { + fprintf(stderr, "Error: cannot stat /proc/%d/%s: %s\n", process_get_pid(process), fname, strerror(errno)); + exit(1); + } + + return rv; +} + +int process_open_nofail(ProcessHandle process, const char fname) { + EUID_ASSERT(); + assert(fname[0] != '/'); + + EUID_ROOT(); + int rv = openat(process_get_fd(process), fname, O_RDONLY\|O_CLOEXEC); + EUID_USER(); + + return rv; +} + +int process_open(ProcessHandle process, const char fname) { + int rv = process_open_nofail(process, fname); + if (rv < 0) { + fprintf(stderr, "Error: cannot open /proc/%d/%s: %s\n", process_get_pid(process), fname, strerror(errno)); + exit(1); + } + + return rv; +} + +FILE process_fopen(ProcessHandle process, const char fname) { + int fd = process_open(process, fname); + FILE rv = fdopen(fd, "r"); + if (!rv) + errExit("fdopen"); + + return rv; +} + +int process_join_namespace(ProcessHandle process, char type) { + return join_namespace_by_fd(process_get_fd(process), type); +} + +/******************************************** + * sending a signal + *******************************************/ + +void process_send_signal(ProcessHandle process, int signum) { + fmessage("Sending signal %d to pid %d\n", signum, process_get_pid(process)); + + if (syscall(__NR_pidfd_send_signal, process_get_fd(process), signum, NULL, 0) == -1 && errno == ENOSYS) + kill(process_get_pid(process), signum); +} + +/******************************************* + * parent and child process + ********************************************/ + +static pid_t process_parent_pid(ProcessHandle process) { + pid_t rv = 0; + + FILE fp = process_fopen(process, "status"); + char buf[BUFLEN]; + while (fgets(buf, BUFLEN, fp)) { + if (sscanf(buf, "PPid: %d", &rv) == 1) + break; + } + fclose(fp); + + return rv; +} + +static ProcessHandle pin_process_relative_to(ProcessHandle process, pid_t pid) { + ProcessHandle rv = malloc(sizeof(struct processhandle_instance_t)); + if (!rv) + errExit("malloc"); + rv->pid = pid; + + char proc[64]; + snprintf(proc, sizeof(proc), "../%d", pid); + + rv->fd = process_open(process, proc); + + return rv; +} + +ProcessHandle pin_parent_process(ProcessHandle process) { + ProcessHandle parent = pin_process_relative_to(process, process_parent_pid(process)); + return parent; +} + +ProcessHandle pin_child_process(ProcessHandle process, pid_t child_pid) { + ProcessHandle child = pin_process_relative_to(process, child_pid); + + // verify parent/child relationship + if (process_parent_pid(child) != process_get_pid(process)) { + fprintf(stderr, "Error: cannot find child process of pid %d\n", process_get_pid(process)); + exit(1); + } + + return child; +} + +/********************************************* + * access process rootfs + ********************************************/ + +void process_rootfs_chroot(ProcessHandle process) { + if (fchdir(process_get_fd(process)) < 0) + errExit("fchdir"); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + if (called_as_root == 0) + EUID_ROOT(); + + if (chroot("root") < 0) + errExit("chroot"); + + if (called_as_root == 0) + EUID_USER(); + + if (chdir("/") < 0) + errExit("chdir"); +} + +int process_rootfs_stat(ProcessHandle process, const char fname, struct stat s) { + char proc; + if (asprintf(&proc, "root%s", fname) < 0) + errExit("asprintf"); + + int rv = process_stat_nofail(process, proc, s); + + free(proc); + return rv; +} + +int process_rootfs_open(ProcessHandle process, const char fname) { + char proc; + if (asprintf(&proc, "root%s", fname) < 0) + errExit("asprintf"); + + int rv = process_open_nofail(process, proc); + + free(proc); + return rv; +}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/profile.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -26,7 +26,8 @@ extern char xephyr_screen; -#define MAX_READ 8192 // line buffer for profile files +#define MAX_READ 8192 // line buffer for profile files +#define MAX_LIST 16384 // size limit for argument lists // find and read the profile specified by name from dir directory // return 1 if a profile was found @@ -72,6 +73,7 @@ // search and read the profile specified by name from firejail directories // return 1 if a profile was found int profile_find_firejail(const char name, int add_ext) { +#ifndef HAVE_ONLY_SYSCFG_PROFILES // look for a profile in ~/.config/firejail directory char usercfgdir; if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) @@ -84,6 +86,9 @@ rv = profile_find(name, SYSCONFDIR, add_ext); return rv; +#else + return profile_find(name, SYSCONFDIR, add_ext); +#endif } //************************************************** @@ -175,6 +180,10 @@ return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; } +static int check_allow_tray(void) { + return checkcfg(CFG_ALLOW_TRAY) != 0; +} + Cond conditionals[] = { {"HAS_APPIMAGE", check_appimage}, {"HAS_NET", check_netoptions}, @@ -184,6 +193,7 @@ {"HAS_X11", check_x11}, {"BROWSER_DISABLE_U2F", check_disable_u2f}, {"BROWSER_ALLOW_DRM", check_allow_drm}, + {"ALLOW_TRAY", check_allow_tray}, { NULL, NULL } }; @@ -285,6 +295,15 @@ return 0; } + if (strncmp(ptr, "keep-fd ", 8) == 0) { + if (strcmp(ptr + 8, "all") == 0) + arg_keep_fd_all = 1; + else { + const char add = ptr + 8; + profile_list_augment(&cfg.keep_fd, add); + } + return 0; + } if (strncmp(ptr, "xephyr-screen ", 14) == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { @@ -349,11 +368,13 @@ return 0; } else if (strcmp(ptr, "shell none") == 0) { - arg_shell_none = 1; + fprintf(stderr, "Warning: \"shell none\" command in the profile file is done by default; the command will be deprecated\n"); return 0; } else if (strcmp(ptr, "tracelog") == 0) { - arg_tracelog = 1; + if (checkcfg(CFG_TRACELOG)) + arg_tracelog = 1; + // no warning, we have tracelog in over 400 profiles return 0; } else if (strcmp(ptr, "private") == 0) { @@ -375,6 +396,10 @@ #endif return 0; } + else if (strcmp(ptr, "tab") == 0) { + arg_tab = 1; + return 0; + } else if (strcmp(ptr, "private-cwd") == 0) { cfg.cwd = NULL; arg_private_cwd = 1; @@ -411,13 +436,7 @@ return 0; } else if (strcmp(ptr, "nogroups") == 0) { - // nvidia cards require video group; disable nogroups - if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) { - fwarning("Warning: NVIDIA card detected, nogroups command disabled\n"); - arg_nogroups = 0; - } - else - arg_nogroups = 1; + arg_nogroups = 1; return 0; } else if (strcmp(ptr, "nosound") == 0) { @@ -444,6 +463,12 @@ arg_no3d = 1; return 0; } + else if (strcmp(ptr, "noprinters") == 0) { + arg_noprinters = 1; + profile_add("blacklist /dev/lp"); + profile_add("blacklist /run/cups/cups.sock"); + return 0; + } else if (strcmp(ptr, "noinput") == 0) { arg_noinput = 1; return 0; @@ -630,7 +655,17 @@ #endif return 0; } - else if (strncmp(ptr, "netns ", 6) == 0) { + else if (strcmp(ptr, "netlock") == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + arg_netlock = 1; + } + else + warning_feature_disabled("networking"); +#endif + return 0; + } + else if (strncmp(ptr, "netns ", 6) == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) { arg_netns = ptr + 6; @@ -916,6 +951,33 @@ if (strcmp(ptr, "apparmor") == 0) { #ifdef HAVE_APPARMOR arg_apparmor = 1; + apparmor_profile = "firejail-default"; +#endif + return 0; + } + + if (strncmp(ptr, "apparmor ", 9) == 0) { +#ifdef HAVE_APPARMOR + arg_apparmor = 1; + apparmor_profile = strdup(ptr + 9); + if (!apparmor_profile) + errExit("strdup"); +#endif + return 0; + } + + if (strcmp(ptr, "apparmor-replace") == 0) { +#ifdef HAVE_APPARMOR + arg_apparmor = 1; + apparmor_replace = true; +#endif + return 0; + } + + if (strcmp(ptr, "apparmor-stack") == 0) { +#ifdef HAVE_APPARMOR + arg_apparmor = 1; + apparmor_replace = false; #endif return 0; } @@ -981,10 +1043,10 @@ warning_feature_disabled("seccomp"); return 0; } - if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { + if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) { if (checkcfg(CFG_SECCOMP)) { arg_seccomp32 = 1; - cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); + cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16); } else warning_feature_disabled("seccomp"); @@ -1001,10 +1063,10 @@ warning_feature_disabled("seccomp"); return 0; } - if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { + if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) { if (checkcfg(CFG_SECCOMP)) { arg_seccomp32 = 1; - cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); + cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16); } else warning_feature_disabled("seccomp"); @@ -1020,6 +1082,24 @@ return 0; } + // restrict-namespaces + if (strcmp(ptr, "restrict-namespaces") == 0) { + if (checkcfg(CFG_SECCOMP)) + profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); + else + warning_feature_disabled("seccomp"); + return 0; + } + if (strncmp(ptr, "restrict-namespaces ", 20) == 0) { + if (checkcfg(CFG_SECCOMP)) { + const char add = ptr + 20; + profile_list_augment(&cfg.restrict_namespaces, add); + } + else + warning_feature_disabled("seccomp"); + return 0; + } + // seccomp error action if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1101,7 +1181,7 @@ else if (cfg.dns4 == NULL) cfg.dns4 = dns; else { - fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns); + fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns); free(dns); } return 0; @@ -1122,15 +1202,6 @@ return 0; } - // cgroup - if (strncmp(ptr, "cgroup ", 7) == 0) { - if (checkcfg(CFG_CGROUP)) - set_cgroup(ptr + 7); - else - warning_feature_disabled("cgroup"); - return 0; - } - // writable-etc if (strcmp(ptr, "writable-etc") == 0) { if (cfg.etc_private_keep) { @@ -1373,11 +1444,6 @@ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); exit(1); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); - } arg_overlay = 1; arg_overlay_keep = 1; arg_overlay_reuse = 1; @@ -1410,11 +1476,6 @@ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); exit(1); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); - } arg_overlay = 1; } else @@ -1431,11 +1492,6 @@ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); exit(1); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); - } arg_overlay = 1; arg_overlay_keep = 1; @@ -1548,9 +1604,6 @@ int r = name2pid(ptr + 14, &pid); EUID_USER(); if (!r) { - if (!cfg.shell && !arg_shell_none) - cfg.shell = guess_shell(); - // find first non-option arg int i; for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++); @@ -1581,6 +1634,11 @@ return 0; } + if (strcmp(ptr, "deterministic-shutdown") == 0) { + arg_deterministic_shutdown = 1; + return 0; + } + // rest of filesystem if (strncmp(ptr, "blacklist ", 10) == 0) ptr += 10; @@ -1589,22 +1647,8 @@ else if (strncmp(ptr, "noblacklist ", 12) == 0) ptr += 12; else if (strncmp(ptr, "whitelist ", 10) == 0) { -#ifdef HAVE_WHITELIST - if (checkcfg(CFG_WHITELIST)) { - arg_whitelist = 1; - ptr += 10; - } - else { - static int whitelist_warning_printed = 0; - if (!whitelist_warning_printed) { - warning_feature_disabled("whitelist"); - whitelist_warning_printed = 1; - } - return 0; - } -#else - return 0; -#endif + arg_whitelist = 1; + ptr += 10; } else if (strncmp(ptr, "nowhitelist ", 12) == 0) ptr += 12; @@ -1750,6 +1794,18 @@ continue; } + if (strncmp(ptr, "whitelist-ro ", 13) == 0) { + char whitelist, readonly; + if (asprintf(&whitelist, "whitelist %s", ptr + 13) == -1) + errExit("asprintf"); + profile_add(whitelist); + if (asprintf(&readonly, "read-only %s", ptr + 13) == -1) + errExit("asprintf"); + profile_add(readonly); + free(ptr); + continue; + } + // process quiet // todo: a quiet in the profile file cannot be disabled by --ignore on command line if (strcmp(ptr, "quiet") == 0) { @@ -1914,7 +1970,7 @@ / Include non-empty item / if (!item) in[i] = 0; - /* Remove all allready included items / + / Remove all already included items / for (k = 0; k < i; ++k) in[k] = 0; break; @@ -1946,4 +2002,10 @@ errExit("asprintf"); free(list); list = profile_list_compress(tmp); + + // lists should not grow indefinitely + if (strlen(list) > MAX_LIST) { + fprintf(stderr, "Error: argument list is too long\n"); + exit(1); + } }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/protocol.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -63,27 +63,23 @@ (void) pid; #ifdef SYS_socket - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); + ProcessHandle sandbox = pin_sandbox_process(pid); - // exit if no permission to join the sandbox - check_join_permission(pid); + // chroot in the sandbox + process_rootfs_chroot(sandbox); + unpin_process(sandbox); // find the seccomp filter - EUID_ROOT(); - char *fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_PROTOCOL_CFG) == -1) - errExit("asprintf"); - struct stat s; - if (stat(fname, &s) == -1) { + if (stat(RUN_PROTOCOL_CFG, &s) != 0) { printf("Cannot access seccomp filter.\n"); exit(1); } // read and print the filter - protocol_filter_load(fname); - free(fname); + EUID_ROOT(); + protocol_filter_load(RUN_PROTOCOL_CFG); + if (cfg.protocol) printf("%s\n", cfg.protocol); exit(0);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/pulseaudio.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -25,6 +25,7 @@ #include <dirent.h> #include <errno.h> #include <sys/wait.h> +#include <glob.h> #include <fcntl.h> #ifndef O_PATH @@ -33,6 +34,59 @@ #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf" + + +static void disable_rundir_pipewire(const char path) { + assert(path); + + // globbing for path/pipewire- + char pattern; + if (asprintf(&pattern, "%s/pipewire-", path) == -1) + errExit("asprintf"); + + glob_t globbuf; + int globerr = glob(pattern, GLOB_NOCHECK \| GLOB_NOSORT, NULL, &globbuf); + if (globerr) { + fprintf(stderr, "Error: failed to glob pattern %s\n", pattern); + exit(1); + } + + size_t i; + for (i = 0; i < globbuf.gl_pathc; i++) { + char dir = globbuf.gl_pathv[i]; + assert(dir); + + // don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it! + if (is_link(dir)) + continue; + disable_file_or_dir(dir); + } + globfree(&globbuf); + free(pattern); +} + + + +// disable pipewire socket +void pipewire_disable(void) { + if (arg_debug) + printf("disable pipewire\n"); + // blacklist user config directory + disable_file_path(cfg.homedir, ".config/pipewire"); + + // blacklist pipewire in XDG_RUNTIME_DIR + const char name = env_get("XDG_RUNTIME_DIR"); + if (name) + disable_rundir_pipewire(name); + + // try the default location anyway + char *path; + if (asprintf(&path, "/run/user/%d", getuid()) == -1) + errExit("asprintf"); + disable_rundir_pipewire(path); + free(path); +} + // disable pulseaudio socket void pulseaudio_disable(void) { if (arg_debug)
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/restrict_users.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -21,7 +21,6 @@ #include "../include/firejail_user.h" #include <sys/mount.h> #include <sys/stat.h> -#include <linux/limits.h> #include <fnmatch.h> #include <glob.h> #include <dirent.h>
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/restricted_shell.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/rlimit.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/run_files.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,8 +20,18 @@ #include "firejail.h" #include "../include/pid.h" +#include <fcntl.h> #define BUFLEN 4096 +static void delete_sandbox_run_file(pid_t pid) { + char fname; + if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) + errExit("asprintf"); + int rv = unlink(fname); + (void) rv; + free(fname); +} + static void delete_x11_run_file(pid_t pid) { char fname; if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) @@ -68,6 +78,7 @@ void delete_run_files(pid_t pid) { + delete_sandbox_run_file(pid); delete_bandwidth_run_file(pid); delete_network_run_file(pid); delete_name_run_file(pid); @@ -152,3 +163,52 @@ EUID_USER(); free(runfile); } + +static int sandbox_lock_fd = -1; +void set_sandbox_run_file(pid_t pid, pid_t child) { + char *runfile; + if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) + errExit("asprintf"); + + EUID_ROOT(); + // the file is deleted first + // this file should be opened with O_CLOEXEC set + int fd = open(runfile, O_CREAT \| O_WRONLY \| O_TRUNC \| O_CLOEXEC, S_IRUSR \| S_IWUSR); + if (fd < 0) { + fprintf(stderr, "Error: cannot create %s\n", runfile); + exit(1); + } + free(runfile); + EUID_USER(); + + char buf[64]; + snprintf(buf, sizeof(buf), "%d\n", child); + size_t len = strlen(buf); + size_t done = 0; + while (done != len) { + ssize_t rv = write(fd, buf + done, len - done); + if (rv < 0) + errExit("write"); + done += rv; + } + + // set exclusive lock on the file + // the lock is never inherited, and is released if this process dies ungracefully + struct flock sandbox_lock = { + .l_type = F_WRLCK, + .l_whence = SEEK_SET, + .l_start = 0, + .l_len = 0, + }; + if (fcntl(fd, F_SETLK, &sandbox_lock) < 0) + errExit("fcntl"); + + sandbox_lock_fd = fd; +} + +void release_sandbox_lock(void) { + assert(sandbox_lock_fd > -1); + + close(sandbox_lock_fd); + sandbox_lock_fd = -1; +}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/run_symlink.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,7 +22,6 @@ #include <sys/stat.h> #include <unistd.h> -extern char find_in_path(const char program); void run_symlink(int argc, char **argv, int run_as_is) { EUID_ASSERT(); @@ -77,6 +76,8 @@ a[i + 2] = argv[i + 1]; } a[i + 2] = NULL; + if (env_get("LD_PRELOAD") != NULL) + fprintf(stderr, "run_symlink: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD")); assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(a[0], a);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/sandbox.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -50,7 +50,7 @@ #include <sys/apparmor.h> #endif -static int force_nonewprivs = 0; +extern int just_run_the_shell; static int monitored_pid = 0; static void sandbox_handler(int sig){ @@ -87,9 +87,9 @@ // broadcast a SIGKILL kill(-1, SIGKILL); - flush_stdin(); - exit(sig); + flush_stdin(); + exit(128 + sig); } static void install_handler(void) { @@ -127,10 +127,17 @@ } #ifdef HAVE_APPARMOR -void set_apparmor(void) { +static void set_apparmor(void) { EUID_ASSERT(); if (checkcfg(CFG_APPARMOR) && arg_apparmor) { - if (aa_change_onexec("firejail-default")) { + int res = 0; + if(apparmor_replace){ + fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n"); + res = aa_change_onexec(apparmor_profile); + } else { + res = aa_stack_onexec(apparmor_profile); + } + if (res) { fwarning("Cannot confine the application using AppArmor.\n" "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" "As root, run \"aa-enforce firejail-default\" to load it.\n"); @@ -204,7 +211,7 @@ } static char create_join_file(void) { - int fd = open(RUN_JOIN_FILE, O_RDWR\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH); + int fd = open(RUN_JOIN_FILE, O_RDWR\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); if (fd == -1) errExit("open"); if (ftruncate(fd, 1) == -1) @@ -356,6 +363,15 @@ if (arg_debug) printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status); + if (arg_deterministic_shutdown) { + if (arg_debug) + printf("Sandbox monitor: monitored process died, shut down the sandbox\n"); + kill(-1, SIGTERM); + usleep(100000); + kill(-1, SIGKILL); + break; + } + DIR dir; if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again @@ -377,18 +393,6 @@ if ((pid_t) pid == dhclient4_pid \|\| (pid_t) pid == dhclient6_pid) continue; - // todo: make this generic - // Dillo browser leaves a dpid process running, we need to shut it down - int found = 0; - if (strcmp(cfg.command_name, "dillo") == 0) { - char pidname = pid_proc_comm(pid); - if (pidname && strcmp(pidname, "dpid") == 0) - found = 1; - free(pidname); - } - if (found) - break; - monitored_pid = pid; break; } @@ -407,7 +411,6 @@ fmessage("Child process initialized in %.02f ms\n", delta); } - // check execute permissions for the program // this is done typically by the shell // we are here because of --shell=none @@ -464,10 +467,45 @@ return 0; } +static void close_file_descriptors(void) { + if (arg_keep_fd_all) + return; + + if (arg_debug) + printf("Closing non-standard file descriptors\n"); + + if (!cfg.keep_fd) { + close_all(NULL, 0); + return; + } + + size_t sz = 0; + int keep = str_to_int_array(cfg.keep_fd, &sz); + if (!keep) { + fprintf(stderr, "Error: invalid keep-fd option\n"); + exit(1); + } + close_all(keep, sz); + free(keep); +} + + void start_application(int no_sandbox, int fd, char set_sandbox_status) { - // set environment - if (no_sandbox == 0) + if (no_sandbox == 0) { +#ifdef HAVE_APPARMOR + set_apparmor(); +#endif + close_file_descriptors(); + + // set nice and rlimits + if (arg_nice) + set_nice(cfg.nice); + set_rlimits(); + env_defaults(); + } + + // set environment env_apply_all(); // restore original umask @@ -478,10 +516,28 @@ printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); } + if (just_run_the_shell) { + char arg[2]; + arg[0] = cfg.usershell; + arg[1] = NULL; + + if (!arg_command && !arg_quiet) + print_time(); + + __gcov_dump(); + + seccomp_install_filters(); + + if (set_sandbox_status) + set_sandbox_status = SANDBOX_DONE; + execvp(arg[0], arg); + + + } //************************************* // start the program without using a shell //************************************ - if (arg_shell_none) { + else if (!arg_appimage && !arg_doubledash) { if (arg_debug) { int i; for (i = cfg.original_program_index; i < cfg.original_argc; i++) { @@ -515,15 +571,14 @@ //************************************ // start the program using a shell //************************************** - else { - assert(cfg.shell); - + else { // appimage or double-dash char arg[5]; int index = 0; - arg[index++] = cfg.shell; + assert(cfg.usershell); + arg[index++] = cfg.usershell; if (cfg.command_line) { if (arg_debug) - printf("Running %s command through %s\n", cfg.command_line, cfg.shell); + printf("Running %s command through %s\n", cfg.command_line, cfg.usershell); arg[index++] = "-c"; if (arg_doubledash) arg[index++] = "--"; @@ -531,11 +586,11 @@ } else if (login_shell) { if (arg_debug) - printf("Starting %s login shell\n", cfg.shell); + printf("Starting %s login shell\n", cfg.usershell); arg[index++] = "-l"; } else if (arg_debug) - printf("Starting %s shell\n", cfg.shell); + printf("Starting %s shell\n", cfg.usershell); assert(index < 5); arg[index] = NULL; @@ -543,7 +598,7 @@ if (arg_debug) { char msg; if (asprintf(&msg, "sandbox %d, execvp into %s", - sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1) + sandbox_pid, cfg.command_line ? cfg.command_line : cfg.usershell) == -1) errExit("asprintf"); logmsg(msg); free(msg); @@ -580,7 +635,6 @@ fmessage("\n Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl \n\n"); // enforce NO_NEW_PRIVS arg_nonewprivs = 1; - force_nonewprivs = 1; // disable all capabilities arg_caps_drop_all = 1; @@ -783,14 +837,9 @@ exit(rv); } -#ifdef HAVE_FORCE_NONEWPRIVS - bool always_enforce_filters = true; -#else - bool always_enforce_filters = false; -#endif // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS // and drop all capabilities - if (getuid() != 0 && (arg_appimage \|\| cfg.chrootdir \|\| arg_overlay \|\| always_enforce_filters)) + if (getuid() != 0 && (arg_appimage \|\| cfg.chrootdir \|\| arg_overlay)) enforce_filters(); // need ld.so.preload if tracing or seccomp with any non-default lists @@ -798,7 +847,7 @@ // trace pre-install if (need_preload) - fs_trace_preload(); + fs_trace_touch_or_store_preload(); // store hosts file if (cfg.hosts_file) @@ -814,8 +863,11 @@ //************************** // trace pre-install, this time inside chroot //************************** - if (need_preload) - fs_trace_preload(); + if (need_preload) { + int rv = unlink(RUN_LDPRELOAD_FILE); + (void) rv; + fs_trace_touch_or_store_preload(); + } } else #endif @@ -887,16 +939,16 @@ else if (arg_overlay) fwarning("private-bin feature is disabled in overlay\n"); else { + EUID_USER(); // for --x11=xorg we need to add xauth command if (arg_x11_xorg) { - EUID_USER(); char tmp; if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) errExit("asprintf"); cfg.bin_private_keep = tmp; - EUID_ROOT(); } fs_private_bin_list(); + EUID_ROOT(); } } @@ -992,7 +1044,7 @@ // create /etc/ld.so.preload file again if (need_preload) - fs_trace_preload(); + fs_trace_touch_preload(); // openSUSE configuration is split between /etc and /usr/etc // process private-etc a second time @@ -1004,10 +1056,12 @@ // apply the profile file //************************* // apply all whitelist commands ... + EUID_USER(); fs_whitelist(); // ... followed by blacklist commands fs_blacklist(); // mkdir and mkfile are processed all over again + EUID_ROOT(); //************************ // nosound/no3d/notv/novideo and fix for pulseaudio 7.0 @@ -1016,6 +1070,9 @@ // disable pulseaudio pulseaudio_disable(); + // disable pipewire + pipewire_disable(); + // disable /dev/snd fs_dev_disable_sound(); } @@ -1041,9 +1098,10 @@ fs_dev_disable_input(); //************************ - // set dns + // rebuild etc directory, set dns //************************ - fs_resolvconf(); + if (!arg_writable_etc) + fs_rebuild_etc(); //************************** // start dhcp client @@ -1056,6 +1114,11 @@ EUID_USER(); int cwd = 0; if (cfg.cwd) { + if (is_link(cfg.cwd)) { + fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd); + exit(1); + } + if (chdir(cfg.cwd) == 0) cwd = 1; else if (arg_private_cwd) { @@ -1071,8 +1134,10 @@ struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] / - if (chdir(cfg.homedir) < 0) - errExit("chdir"); + if (chdir(cfg.homedir) < 0) { + fprintf(stderr, "Error: unable to enter home directory: %s: %s\n", cfg.homedir, strerror(errno)); + exit(1); + } } } } @@ -1108,9 +1173,6 @@ // save cpu affinity mask to CPU_CFG file save_cpu(); - // save cgroup in CGROUP_CFG file - save_cgroup(); - // set seccomp // install protocol filter #ifdef SYS_socket @@ -1152,6 +1214,16 @@ seccomp_load(RUN_SECCOMP_MDWX_32); } + if (cfg.restrict_namespaces) { + seccomp_filter_namespaces(true, cfg.restrict_namespaces); + seccomp_filter_namespaces(false, cfg.restrict_namespaces); + + if (arg_debug) + printf("Install namespaces filter\n"); + seccomp_load(RUN_SECCOMP_NS); // install filter + seccomp_load(RUN_SECCOMP_NS_32); + } + // make seccomp filters read-only fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); seccomp_debug(); @@ -1206,24 +1278,22 @@ //************************************* // Set NO_NEW_PRIVS if desired //************************************ - if (arg_nonewprivs) { - prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - - if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) { - fwarning("cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n"); - if (force_nonewprivs) { - fprintf(stderr, "Error: NO_NEW_PRIVS required for this sandbox, exiting ...\n"); - exit(1); - } +#ifndef HAVE_FORCE_NONEWPRIVS + if (arg_nonewprivs) +#endif + { + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { + fprintf(stderr, "Error: cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n"); + exit(1); } - else if (arg_debug) + if (arg_debug) printf("NO_NEW_PRIVS set\n"); } //************************************ // drop privileges //************************************** - drop_privs(arg_nogroups); + drop_privs(0); // kill the sandbox in case the parent died prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); @@ -1242,29 +1312,23 @@ errExit("fork"); if (app_pid == 0) { -#ifdef HAVE_APPARMOR - // add apparmor confinement after the execve - set_apparmor(); -#endif - - // set nice and rlimits - if (arg_nice) - set_nice(cfg.nice); - set_rlimits(); - - start_application(0, -1, set_sandbox_status); + start_application(0, -1, set_sandbox_status); // this function does not return } munmap(set_sandbox_status, 1); int status = monitor_application(app_pid); // monitor application - flush_stdin(); if (WIFEXITED(status)) { // if we had a proper exit, return that exit status - return WEXITSTATUS(status); + status = WEXITSTATUS(status); + } else if (WIFSIGNALED(status)) { + // distinguish fatal signals by adding 128 + status = 128 + WTERMSIG(status); } else { - // something else went wrong! - return -1; + status = -1; } + + flush_stdin(); + return status; }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/sbox.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -23,6 +23,7 @@ #include <unistd.h> #include <net/if.h> #include <stdarg.h> +#include <sys/resource.h> #include <sys/wait.h> #include "../include/seccomp.h" @@ -72,11 +73,8 @@ } // close all other file descriptors - if ((filtermask & SBOX_KEEP_FDS) == 0) { - int i; - for (i = 3; i < FIREJAIL_MAX_FD; i++) - close(i); // close open files - } + if ((filtermask & SBOX_KEEP_FDS) == 0) + close_all(NULL, 0); umask(027); @@ -206,6 +204,11 @@ if (filtermask & SBOX_USER) drop_privs(1); else if (filtermask & SBOX_ROOT) { + // https://seclists.org/oss-sec/2021/q4/43 + struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 }; + if (setrlimit(RLIMIT_CORE, &tozero)) + errExit("setrlimit"); + // elevate privileges in order to get grsecurity working if (setreuid(0, 0)) errExit("setreuid"); @@ -292,7 +295,8 @@ if (waitpid(child, &status, 0) == -1 ) { errExit("waitpid"); } - if (WIFEXITED(status) && WEXITSTATUS(status) != 0) { + if (WIFSIGNALED(status) \|\| + (WIFEXITED(status) && WEXITSTATUS(status) != 0)) { fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); exit(1); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/seccomp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -21,6 +21,7 @@ #include "firejail.h" #include "../include/seccomp.h" #include <sys/mman.h> +#include <sys/wait.h> typedef struct filter_list { struct filter_list next; @@ -70,9 +71,17 @@ assert(fl->fname); if (arg_debug) printf("Installing %s seccomp filter\n", fl->fname); + int rv = 0; +#ifdef SECCOMP_FILTER_FLAG_LOG + if (checkcfg(CFG_SECCOMP_LOG)) + rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog); + else + rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog); +#else + rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog); +#endif - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) { - + if (rv == -1) { if (!err_printed) fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); err_printed = 1; @@ -407,7 +416,7 @@ // build the seccomp filter as a regular user int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3, - PATH_FSECCOMP, command, filter); + PATH_FSECCOMP, command, filter); if (rv) { fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n"); @@ -420,29 +429,52 @@ return 0; } +// create namespaces filter +int seccomp_filter_namespaces(bool native, const char list) { + if (arg_debug) + printf("Build restrict-namespaces filter\n"); + + const char command, filter; + if (native) { + command = "restrict-namespaces"; + filter = RUN_SECCOMP_NS; + } else { + command = "restrict-namespaces.32"; + filter = RUN_SECCOMP_NS_32; + } + + // build the seccomp filter as a regular user + int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 4, + PATH_FSECCOMP, command, filter, list); + + if (rv) { + fprintf(stderr, "Error: cannot build restrict-namespaces filter\n"); + exit(rv); + } + + if (arg_debug) + printf("restrict-namespaces filter configured\n"); + + return 0; +} + void seccomp_print_filter(pid_t pid) { EUID_ASSERT(); - // in case the pid is that of a firejail process, use the pid of the first child process - pid = switch_to_child(pid); + ProcessHandle sandbox = pin_sandbox_process(pid); - // exit if no permission to join the sandbox - check_join_permission(pid); + // chroot in the sandbox + process_rootfs_chroot(sandbox); + unpin_process(sandbox); - // find the seccomp list file - EUID_ROOT(); - char fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1) - errExit("asprintf"); + drop_privs(0); - struct stat s; - if (stat(fname, &s) == -1) - goto errexit; - - FILE fp = fopen(fname, "re"); - if (!fp) - goto errexit; - free(fname); + // find the seccomp list file + FILE fp = fopen(RUN_SECCOMP_LIST, "re"); + if (!fp) { + printf("Cannot access seccomp filter.\n"); + exit(1); + } char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) { @@ -451,21 +483,21 @@ if (ptr) ptr = '\0'; - if (asprintf(&fname, "/proc/%d/root%s", pid, buf) == -1) - errExit("asprintf"); - printf("FILE: %s\n", fname); fflush(0); - - // read and print the filter - run this as root, the user doesn't have access - sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 2, PATH_FSEC_PRINT, fname); - fflush(0); + printf("FILE: %s\n", buf); fflush(0); + + // read and print the filter + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + execl(PATH_FSEC_PRINT, PATH_FSEC_PRINT, buf, NULL); + errExit("execl"); + } + waitpid(child, NULL, 0); printf("\n"); fflush(0); - free(fname); } fclose(fp); - exit(0); -errexit: - printf("Cannot access seccomp filter.\n"); - exit(1); + exit(0); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/selinux.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2020-2021 Firejail and systemd authors + * Copyright (C) 2020-2022 Firejail and systemd authors * * This file is part of firejail project, from systemd selinux-util.c * @@ -21,6 +21,7 @@ #include "firejail.h" #include <sys/types.h> #include <sys/stat.h> +#include <errno.h> #include <fcntl.h> #ifndef O_PATH @@ -57,7 +58,17 @@ /* Open the file as O_PATH, to pin it while we determine and adjust the label * Defeat symlink races by not allowing symbolic links */ + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + if (called_as_root) + EUID_USER(); + fd = safer_openat(-1, path, O_NOFOLLOW\|O_CLOEXEC\|O_PATH); + + if (called_as_root) + EUID_ROOT(); + if (fd < 0) return; if (fstat(fd, &st) < 0) @@ -68,8 +79,16 @@ if (arg_debug) printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); - setfilecon_raw(procfs_path, fcon); + if (!called_as_root) + EUID_ROOT(); + + if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug) + printf("Cannot relabel %s: %s\n", path, strerror(errno)); + + if (!called_as_root) + EUID_USER(); } + freecon(fcon); close: close(fd);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/shutdown.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -18,85 +18,43 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. / #include "firejail.h" -#include <sys/stat.h> -#include <sys/wait.h> #include <fcntl.h> -#include <sys/prctl.h> +#include <signal.h> void shut(pid_t pid) { EUID_ASSERT(); - EUID_ROOT(); - char comm = pid_proc_comm(pid); - EUID_USER(); - if (comm) { - if (strcmp(comm, "firejail") != 0) { - fprintf(stderr, "Error: this is not a firejail sandbox\n"); - exit(1); - } - free(comm); - } - else { - fprintf(stderr, "Error: cannot find process %d\n", pid); - exit(1); - } + ProcessHandle sandbox = pin_sandbox_process(pid); - // check privileges for non-root users - uid_t uid = getuid(); - if (uid != 0) { - uid_t sandbox_uid = pid_get_uid(pid); - if (uid != sandbox_uid) { - fprintf(stderr, "Error: permission is denied to shutdown a sandbox created by a different user.\n"); - exit(1); - } - } - - printf("Sending SIGTERM to %u\n", pid); - kill(pid, SIGTERM); + process_send_signal(sandbox, SIGTERM); // wait for not more than 11 seconds int monsec = 11; - char monfile; - if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1) - errExit("asprintf"); int killdone = 0; while (monsec) { sleep(1); monsec--; - EUID_ROOT(); - FILE fp = fopen(monfile, "re"); - EUID_USER(); - if (!fp) { + int monfd = process_open_nofail(sandbox, "cmdline"); + if (monfd < 0) { killdone = 1; break; } char c; - size_t count = fread(&c, 1, 1, fp); - fclose(fp); + ssize_t count = read(monfd, &c, 1); + close(monfd); if (count == 0) { // all done killdone = 1; break; } } - free(monfile); - // force SIGKILL - if (!killdone) { - // kill the process and its child - pid_t child; - if (find_child(pid, &child) == 0) { - printf("Sending SIGKILL to %u\n", child); - kill(child, SIGKILL); - } - printf("Sending SIGKILL to %u\n", pid); - kill(pid, SIGKILL); - } + if (!killdone) + process_send_signal(sandbox, SIGKILL); - EUID_ROOT(); - delete_run_files(pid); + unpin_process(sandbox); }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/usage.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -30,7 +30,9 @@ " -- - signal the end of options and disables further option processing.\n" " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" " --allusers - all user home directories are visible inside the sandbox.\n" - " --apparmor - enable AppArmor confinement.\n" + " --apparmor - enable AppArmor confinement with the default profile.\n" + " --apparmor=profile_name - enable AppArmor confinement with a\n" + "\tcustom profile.\n" " --apparmor.print=name\|pid - print apparmor status.\n" " --appimage - sandbox an AppImage application.\n" #ifdef HAVE_NETWORK @@ -49,7 +51,6 @@ #ifdef HAVE_FILE_TRANSFER " --cat=name\|pid filename - print content of file from sandbox container.\n" #endif - " --cgroup=tasks-file - place the sandbox in the specified control group.\n" #ifdef HAVE_CHROOT " --chroot=dirname - chroot into directory.\n" #endif @@ -58,16 +59,18 @@ #ifdef HAVE_DBUSPROXY " --dbus-log=file - set DBus log file location.\n" " --dbus-system=filter\|none - set system DBus access policy.\n" - " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n" + " --dbus-system.broadcast=rule - allow signals on the system DBus according\n" + "\tto rule.\n" " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n" - " --dbus-system.log - turn on logging for the system DBus." + " --dbus-system.log - turn on logging for the system DBus.\n" " --dbus-system.own=name - allow ownership of name on the system DBus.\n" " --dbus-system.see=name - allow seeing name on the system DBus.\n" " --dbus-system.talk=name - allow talking to name on the system DBus.\n" " --dbus-user=filter\|none - set session DBus access policy.\n" - " --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n" + " --dbus-user.broadcast=rule - allow signals on the session DBus according\n" + "\tto rule.\n" " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n" - " --dbus-user.log - turn on logging for the user DBus." + " --dbus-user.log - turn on logging for the user DBus.\n" " --dbus-user.own=name - allow ownership of name on the session DBus.\n" " --dbus-user.see=name - allow seeing name on the session DBus.\n" " --dbus-user.talk=name - allow talking to name on the session DBus.\n" @@ -80,15 +83,17 @@ " --debug-protocols - print all recognized protocols.\n" " --debug-syscalls - print all recognized system calls.\n" " --debug-syscalls32 - print all recognized 32 bit system calls.\n" -#ifdef HAVE_WHITELIST " --debug-whitelists - debug whitelisting.\n" -#endif #ifdef HAVE_NETWORK " --defaultgw=address - configure default gateway.\n" #endif " --deterministic-exit-code - always exit with first child's status code.\n" + " --deterministic-shutdown - terminate orphan processes.\n" " --dns=address - set DNS server.\n" " --dns.print=name\|pid - print DNS configuration.\n" +#ifdef HAVE_NETWORK + " --dnstrace - monitor DNS queries.\n" +#endif " --env=name=value - set environment variable.\n" " --fs.print=name\|pid - print the filesystem log.\n" #ifdef HAVE_FILE_TRANSFER @@ -97,6 +102,11 @@ " --help, -? - this help screen.\n" " --hostname=name - set sandbox hostname.\n" " --hosts-file=file - use file as /etc/hosts.\n" +#ifdef HAVE_NETWORK + " --icmptrace - monitor Server Name Indiication (TLS/SNI).\n" +#endif + " --ids-check - verify file system.\n" + " --ids-init - initialize IDS database.\n" " --ignore=command - ignore command in profile files.\n" #ifdef HAVE_NETWORK " --interface=name - move interface in sandbox.\n" @@ -116,6 +126,7 @@ " --join-or-start=name\|pid - join the sandbox or start a new one.\n" " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" + " --keep-fd - inherit open file descriptors to sandbox.\n" " --keep-var-tmp - /var/tmp directory is untouched.\n" " --list - list all sandboxes.\n" #ifdef HAVE_FILE_TRANSFER @@ -124,7 +135,7 @@ #ifdef HAVE_NETWORK " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" #endif - " --machine-id - preserve /etc/machine-id\n" + " --machine-id - spoof /etc/machine-id with a random id\n" " --memory-deny-write-execute - seccomp filter to block attempts to create\n" "\tmemory mappings that are both writable and executable.\n" " --mkdir=dirname - create a directory.\n" @@ -143,10 +154,12 @@ " --netfilter.print=name\|pid - print the firewall.\n" " --netfilter6=filename - enable IPv6 firewall.\n" " --netfilter6.print=name\|pid - print the IPv6 firewall.\n" - " --netmask=address - define a network mask when dealing with unconfigured" - "\tparrent interfaces.\n" + " --netlock - enable the network locking feature\n" + " --netmask=address - define a network mask when dealing with unconfigured\n" + "\tparent interfaces.\n" " --netns=name - Run the program in a named, persistent network namespace.\n" " --netstats - monitor network statistics.\n" + " --nettrace - monitor received TCP, UDP and ICMP traffic.\n" #endif " --nice=value - set nice value.\n" " --no3d - disable 3D hardware acceleration.\n" @@ -157,6 +170,7 @@ " --nogroups - disable supplementary groups.\n" " --noinput - disable input devices.\n" " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" + " --noprinters - disable printers.\n" " --noprofile - do not use a security profile.\n" #ifdef HAVE_USERNS " --noroot - install a user namespace with only the current user.\n" @@ -166,6 +180,7 @@ " --novideo - disable video devices.\n" " --nou2f - disable U2F devices.\n" " --nowhitelist=filename - disable whitelist for file or directory.\n" + " --oom=value - configure OutOfMemory killer for the sandbox\n" #ifdef HAVE_OUTPUT " --output=logfile - stdout logging and log rotation.\n" " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" @@ -197,7 +212,6 @@ " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" " --profile=filename\|profile_name - use a custom profile.\n" " --profile.print=name\|pid - print the name of profile file.\n" - " --profile-path=directory - use this directory to look for profile files.\n" " --protocol=protocol,protocol,protocol - enable protocol filter.\n" " --protocol.print=name\|pid - print the protocol filter.\n" #ifdef HAVE_FILE_TRANSFER @@ -207,6 +221,9 @@ " --quiet - turn off Firejail's output.\n" " --read-only=filename - set directory or file read-only.\n" " --read-write=filename - set directory or file read-write.\n" + " --restrict-namespaces - seccomp filter that blocks attempts to create new namespaces.\n" + " --restrict-namespaces=namespace,namespace - seccomp filter that blocks attempts\n" + "\tto create specified namespaces.\n" " --rlimit-as=number - set the maximum size of the process's virtual memory.\n" "\t(address space) in bytes.\n" " --rlimit-cpu=number - set the maximum CPU time in seconds.\n" @@ -235,9 +252,9 @@ " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" " --seccomp-error-action=errno\|kill\|log - change error code, kill process\n" "\tor log the attempt.\n" - " --shell=none - run the program directly without a user shell.\n" - " --shell=program - set default user shell.\n" " --shutdown=name\|pid - shutdown the sandbox identified by name or PID.\n" + " --tab - enable shell tab completion in sandboxes using private or\n" + "\twhitelisted home directories.\n" " --timeout=hh:mm:ss - kill the sandbox automatically after the time\n" "\thas elapsed.\n" " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n" @@ -252,9 +269,7 @@ #ifdef HAVE_NETWORK " --veth-name=name - use this name for the interface connected to the bridge.\n" #endif -#ifdef HAVE_WHITELIST " --whitelist=filename - whitelist directory or file.\n" -#endif " --writable-etc - /etc directory is mounted read-write.\n" " --writable-run-user - allow access to /run/user/$UID/systemd and\n" "\t/run/user/$UID/gnupg.\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/util.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -20,8 +20,6 @@ #define _XOPEN_SOURCE 500 #include "firejail.h" #include "../include/gcov_wrapper.h" -#include <ftw.h> -#include <sys/stat.h> #include <sys/mount.h> #include <syslog.h> #include <errno.h> @@ -32,9 +30,6 @@ #include <sys/wait.h> #include <limits.h> -#include <string.h> -#include <ctype.h> - #include <fcntl.h> #ifndef O_PATH #define O_PATH 010000000 @@ -46,7 +41,7 @@ #endif #define MAX_GROUPS 1024 -#define MAXBUF 4098 +#define MAXBUF 4096 #define EMPTY_STRING ("") @@ -108,43 +103,140 @@ exit(1); } +// Returns whether all supplementary groups can be safely dropped +int check_can_drop_all_groups() { + static int can_drop_all_groups = -1; + + // Avoid needlessly checking (and printing) things twice + if (can_drop_all_groups != -1) + goto out; + + // nvidia cards require video group; ignore nogroups + if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) { + fwarning("NVIDIA card detected, nogroups command ignored\n"); + can_drop_all_groups = 0; + goto out; + } + + /* When we are not sure that the system has working seat-based ACLs + * (e.g.: probably yes on (e)udev + (e)logind, probably not on eudev + + * seatd), supplementary groups (e.g.: audio and input) might be needed + * to avoid breakage (e.g.: audio or gamepads not working). See #4600 + * and #4603. + / + if (access("/run/systemd/seats/", F_OK) != 0) { + // TODO: wrc causes this to be printed even with (e)logind (see #4930) + //fwarning("logind not detected, nogroups command ignored\n"); + can_drop_all_groups = 0; + goto out; + } + + if (arg_debug) + fprintf(stderr, "nogroups command not ignored\n"); + can_drop_all_groups = 1; + +out: + return can_drop_all_groups; +} + +static int find_group(gid_t group, const gid_t groups, int ngroups) { + int i; + for (i = 0; i < ngroups; i++) { + if (group == groups[i]) + return i; + } + + return -1; +} + +// Gets group from "groupname" and adds it to "new_groups" if it exists on +// "groups". Always returns the current value of new_ngroups. +static int copy_group_ifcont(const char groupname, + const gid_t groups, int ngroups, + gid_t new_groups, int new_ngroups, int new_sz) { + if (new_ngroups >= new_sz) { + errno = ERANGE; + goto out; + } + + gid_t g = get_group_id(groupname); + if (g && find_group(g, groups, ngroups) >= 0) { + new_groups[new_ngroups] = g; + (new_ngroups)++; + } + +out: + return new_ngroups; +} + static void clean_supplementary_groups(gid_t gid) { assert(cfg.username); gid_t groups[MAX_GROUPS]; int ngroups = MAX_GROUPS; + + if (arg_nogroups && check_can_drop_all_groups()) { + if (setgroups(0, NULL) < 0) + errExit("setgroups"); + if (arg_debug) + printf("No supplementary groups\n"); + return; + } + int rv = getgrouplist(cfg.username, gid, groups, &ngroups); if (rv == -1) goto clean_all; // clean supplementary group list - // allow only firejail, tty, audio, video, games gid_t new_groups[MAX_GROUPS]; int new_ngroups = 0; char allowed[] = { "firejail", "tty", - "audio", - "video", "games", NULL }; int i = 0; while (allowed[i]) { - gid_t g = get_group_id(allowed[i]); - if (g) { - int j; - for (j = 0; j < ngroups; j++) { - if (g == groups[j]) { - new_groups[new_ngroups] = g; - new_ngroups++; - break; - } - } - } + copy_group_ifcont(allowed[i], groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); i++; } + if (!arg_nosound) { + copy_group_ifcont("audio", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + } + + if (!arg_novideo) { + copy_group_ifcont("video", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + } + + if (!arg_no3d) { + copy_group_ifcont("render", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + copy_group_ifcont("vglusers", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + } + + if (!arg_noprinters) { + copy_group_ifcont("lp", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + } + + if (!arg_nodvd) { + copy_group_ifcont("cdrom", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + copy_group_ifcont("optical", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + } + + if (!arg_noinput) { + copy_group_ifcont("input", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + } + if (new_ngroups) { rv = setgroups(new_ngroups, new_groups); if (rv) @@ -170,21 +262,22 @@ // drop privileges -// - for root group or if nogroups is set, supplementary groups are not configured -void drop_privs(int nogroups) { +// - for root group or if force_nogroups is set, supplementary groups are not configured +void drop_privs(int force_nogroups) { gid_t gid = getgid(); if (arg_debug) - printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n", getpid(), getuid(), gid, nogroups); + printf("Drop privileges: pid %d, uid %d, gid %d, force_nogroups %d\n", + getpid(), getuid(), gid, force_nogroups); // configure supplementary groups EUID_ROOT(); - if (gid == 0 \|\| nogroups) { + if (gid == 0 \|\| force_nogroups) { if (setgroups(0, NULL) < 0) errExit("setgroups"); if (arg_debug) printf("No supplementary groups\n"); } - else if (arg_noroot) + else if (arg_noroot \|\| arg_nogroups) clean_supplementary_groups(gid); // set uid/gid @@ -313,7 +406,7 @@ } -static int copy_file_by_fd(int src, int dst) { +int copy_file_by_fd(int src, int dst) { assert(src >= 0); assert(dst >= 0); @@ -459,31 +552,21 @@ if (fname == '\0') return 0; - int called_as_root = 0; - if (geteuid() == 0) - called_as_root = 1; - - if (called_as_root) - EUID_USER(); - // if fname doesn't end in '/', add one int rv; struct stat s; if (fname[strlen(fname) - 1] == '/') - rv = stat(fname, &s); + rv = stat_as_user(fname, &s); else { char tmp; if (asprintf(&tmp, "%s/", fname) == -1) { fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); errExit("asprintf"); } - rv = stat(tmp, &s); + rv = stat_as_user(tmp, &s); free(tmp); } - if (called_as_root) - EUID_ROOT(); - if (rv == -1) return 0; @@ -499,13 +582,6 @@ if (fname == '\0') return 0; - int called_as_root = 0; - if (geteuid() == 0) - called_as_root = 1; - - if (called_as_root) - EUID_USER(); - // remove trailing '/' if any char tmp = strdup(fname); if (!tmp) @@ -513,12 +589,9 @@ trim_trailing_slash_or_dot(tmp); char c; - ssize_t rv = readlink(tmp, &c, 1); + ssize_t rv = readlink_as_user(tmp, &c, 1); free(tmp); - if (called_as_root) - EUID_ROOT(); - return (rv != -1); } @@ -540,6 +613,24 @@ return rv; } +ssize_t readlink_as_user(const char fname, char buf, size_t sz) { + assert(fname && buf && sz); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + + ssize_t rv = readlink(fname, buf, sz); + + if (called_as_root) + EUID_ROOT(); + + return rv; +} + int stat_as_user(const char fname, struct stat s) { assert(fname); @@ -711,77 +802,6 @@ } -#define BUFLEN 4096 -// find the first child for this parent; return 1 if error -int find_child(pid_t parent, pid_t child) { - EUID_ASSERT(); - child = 0; // use it to flag a found child - - DIR dir; - EUID_ROOT(); // grsecurity fix - if (!(dir = opendir("/proc"))) { - // sleep 2 seconds and try again - sleep(2); - if (!(dir = opendir("/proc"))) { - fprintf(stderr, "Error: cannot open /proc directory\n"); - exit(1); - } - } - - struct dirent entry; - char end; - while (child == 0 && (entry = readdir(dir))) { - pid_t pid = strtol(entry->d_name, &end, 10); - if (end == entry->d_name \|\| end) - continue; - if (pid == parent) - continue; - - // open stat file - char file; - if (asprintf(&file, "/proc/%u/status", pid) == -1) { - perror("asprintf"); - exit(1); - } - FILE fp = fopen(file, "re"); - if (!fp) { - free(file); - continue; - } - - // look for firejail executable name - char buf[BUFLEN]; - while (fgets(buf, BUFLEN - 1, fp)) { - if (strncmp(buf, "PPid:", 5) == 0) { - char ptr = buf + 5; - while (ptr != '\0' && (ptr == ' ' \|\| ptr == '\t')) { - ptr++; - } - if (ptr == '\0') { - fprintf(stderr, "Error: cannot read /proc file\n"); - exit(1); - } - if (parent == atoi(ptr)) { - // we don't want /usr/bin/xdg-dbus-proxy! - char cmdline = pid_proc_cmdline(pid); - if (cmdline) { - if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) - child = pid; - free(cmdline); - } - } - break; // stop reading the file - } - } - fclose(fp); - free(file); - } - closedir(dir); - EUID_USER(); - return (child)? 0:1; // 0 = found, 1 = not found -} - - void extract_command_name(int index, char argv) { EUID_ASSERT(); assert(argv); @@ -870,14 +890,14 @@ //************************ // wait for the parent to be initialized //************************** - char childstr[BUFLEN + 1]; + char childstr[MAXBUF + 1]; int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0); if (newfd == -1) errExit("fcntl"); FILE* stream; stream = fdopen(newfd, "r"); childstr = '\0'; - if (fgets(childstr, BUFLEN, stream)) { + if (fgets(childstr, MAXBUF, stream)) { // remove \n) char ptr = childstr; while(ptr !='\0' && ptr != '\n') @@ -929,57 +949,10 @@ fclose(stream); } -uid_t pid_get_uid(pid_t pid) { - EUID_ASSERT(); - uid_t rv = 0; - - // open status file - char file; - if (asprintf(&file, "/proc/%u/status", pid) == -1) { - perror("asprintf"); - exit(1); - } - EUID_ROOT(); // grsecurity fix - FILE fp = fopen(file, "re"); - if (!fp) { - free(file); - fprintf(stderr, "Error: cannot open /proc file\n"); - exit(1); - } - - // extract uid - static const int PIDS_BUFLEN = 1024; - char buf[PIDS_BUFLEN]; - while (fgets(buf, PIDS_BUFLEN - 1, fp)) { - if (strncmp(buf, "Uid:", 4) == 0) { - char ptr = buf + 4; - while (ptr != '\0' && (ptr == ' ' \|\| ptr == '\t')) { - ptr++; - } - if (ptr == '\0') { - fprintf(stderr, "Error: cannot read /proc file\n"); - exit(1); - } - - rv = atoi(ptr); - break; // break regardless! - } - } - - fclose(fp); - free(file); - EUID_USER(); // grsecurity fix - - return rv; -} - - - -uid_t get_group_id(const char group) { - // find tty group id +gid_t get_group_id(const char groupname) { gid_t gid = 0; - struct group g = getgrnam(group); + struct group g = getgrnam(groupname); if (g) gid = g->gr_gid; @@ -987,86 +960,6 @@ } -static int remove_callback(const char fpath, const struct stat sb, int typeflag, struct FTW ftwbuf) { - (void) sb; - (void) typeflag; - (void) ftwbuf; - assert(fpath); - - if (strcmp(fpath, ".") == 0) - return 0; - - if (remove(fpath)) { // removes the link not the actual file - perror("remove"); - fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath); - exit(1); - } - - return 0; -} - - -int remove_overlay_directory(void) { - EUID_ASSERT(); - sleep(1); - - char path; - if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - - if (access(path, F_OK) == 0) { - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // open ~/.firejail - int fd = safer_openat(-1, path, O_PATH\|O_NOFOLLOW\|O_CLOEXEC); - if (fd == -1) { - fprintf(stderr, "Error: cannot open %s\n", path); - exit(1); - } - struct stat s; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISDIR(s.st_mode)) { - if (S_ISLNK(s.st_mode)) - fprintf(stderr, "Error: %s is a symbolic link\n", path); - else - fprintf(stderr, "Error: %s is not a directory\n", path); - exit(1); - } - if (s.st_uid != getuid()) { - fprintf(stderr, "Error: %s is not owned by the current user\n", path); - exit(1); - } - // chdir to ~/.firejail - if (fchdir(fd) == -1) - errExit("fchdir"); - close(fd); - - EUID_ROOT(); - // FTW_PHYS - do not follow symbolic links - if (nftw(".", remove_callback, 64, FTW_DEPTH \| FTW_PHYS) == -1) - errExit("nftw"); - - EUID_USER(); - // remove ~/.firejail - if (rmdir(path) == -1) - errExit("rmdir"); - - __gcov_flush(); - - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); - // check if ~/.firejail was deleted - if (access(path, F_OK) == 0) - return 1; - } - return 0; -} - // flush stdin if it is connected to a tty and has input void flush_stdin(void) { if (!isatty(STDIN_FILENO)) @@ -1095,31 +988,33 @@ assert(dir); mode &= 07777; - if (access(dir, F_OK) != 0) { + if (access(dir, F_OK) == 0) + return 0; + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + if (arg_debug) printf("Creating empty %s directory\n", dir); - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - if (mkdir(dir, mode) == 0) { - int err = chmod(dir, mode); - (void) err; - } - else if (arg_debug) - printf("Directory %s not created: %s\n", dir, strerror(errno)); + if (mkdir(dir, mode) == 0) { + int err = chmod(dir, mode); + (void) err; + } + else if (arg_debug) + printf("Directory %s not created: %s\n", dir, strerror(errno)); - __gcov_flush(); + __gcov_flush(); - _exit(0); - } - waitpid(child, NULL, 0); - if (access(dir, F_OK) == 0) - return 1; + _exit(0); } + waitpid(child, NULL, 0); + + if (access(dir, F_OK) == 0) + return 1; return 0; } @@ -1134,12 +1029,14 @@ / coverity[toctou] / // don't fail if directory already exists. This can be the case in a race // condition, when two jails launch at the same time. See #1013 - if (mkdir(dir, mode) == -1 && errno != EEXIST) + mode_t tmp = umask(~mode); // let's avoid an extra chmod race + int rv = mkdir(dir, mode); + umask(tmp); + if (rv < 0 && errno != EEXIST) errExit("mkdir"); - if (set_perms(dir, 0, 0, mode)) - errExit("set_perms"); - ASSERT_PERMS(dir, 0, 0, mode); } + + ASSERT_PERMS(dir, 0, 0, mode); } void create_empty_file_as_root(const char fname, mode_t mode) { @@ -1153,12 +1050,15 @@ /* coverity[toctou] / // don't fail if file already exists. This can be the case in a race // condition, when two jails launch at the same time. Compare to #1013 - FILE fp = fopen(fname, "we"); - if (!fp) - errExit("fopen"); - SET_PERMS_STREAM(fp, 0, 0, mode); - fclose(fp); + mode_t tmp = umask(~mode); // let's avoid an extra chmod race + int fd = open(fname, O_RDONLY\|O_CREAT\|O_CLOEXEC, mode); + umask(tmp); + if (fd < 0) + errExit("open"); + close(fd); } + + ASSERT_PERMS(fname, 0, 0, mode); } // return 1 if error @@ -1397,6 +1297,52 @@ return rv; } +void close_all(int keep_list, size_t sz) { + DIR dir; + if (!(dir = opendir("/proc/self/fd"))) { + // sleep 2 seconds and try again + sleep(2); + if (!(dir = opendir("/proc/self/fd"))) { + fprintf(stderr, "Error: cannot open /proc/self/fd directory\n"); + exit(1); + } + } + struct dirent entry; + while ((entry = readdir(dir)) != NULL) { + if (strcmp(entry->d_name, ".") == 0 \|\| + strcmp(entry->d_name, "..") == 0) + continue; + + int fd = atoi(entry->d_name); + + // don't close standard streams + if (fd == STDIN_FILENO \|\| + fd == STDOUT_FILENO \|\| + fd == STDERR_FILENO) + continue; + + if (fd == dirfd(dir)) + continue; // just postponed + + // dont't close file descriptors in keep list + int keep = 0; + if (keep_list) { + size_t i; + for (i = 0; i < sz; i++) { + if (keep_list[i] == fd) { + keep = 1; + break; + } + } + } + if (keep) + continue; + + close(fd); + } + closedir(dir); +} + int has_handler(pid_t pid, int signal) { if (signal > 0 && signal <= SIGRTMAX) { char fname; @@ -1407,8 +1353,8 @@ EUID_USER(); free(fname); if (fp) { - char buf[BUFLEN]; - while (fgets(buf, BUFLEN, fp)) { + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { if (strncmp(buf, "SigCgt:", 7) == 0) { unsigned long long val; if (sscanf(buf + 7, "%llx", &val) != 1) { @@ -1428,11 +1374,7 @@ } void enter_network_namespace(pid_t pid) { - // in case the pid is that of a firejail process, use the pid of the first child process - pid_t child = switch_to_child(pid); - - // exit if no permission to join the sandbox - check_join_permission(child); + ProcessHandle sandbox = pin_sandbox_process(pid); // check network namespace char name; @@ -1446,10 +1388,11 @@ // join the namespace EUID_ROOT(); - if (join_namespace(child, "net")) { + if (process_join_namespace(sandbox, "net")) { fprintf(stderr, "Error: cannot join the network namespace\n"); exit(1); } + unpin_process(sandbox); } // return 1 if error, 0 if a valid pid was found @@ -1509,12 +1452,11 @@ void check_homedir(const char dir) { assert(dir); if (dir[0] != '/') { - fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); + fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir); exit(1); } // symlinks are rejected in many places - if (has_link(dir)) { - fprintf(stderr, "No full support for symbolic links in path of user directory.\n" + if (has_link(dir)) + fmessage("No full support for symbolic links in path of user directory.\n" "Please provide resolved path in password database (/etc/passwd).\n\n"); - } }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firejail/x11.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = firemon +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/pid.h +MOD_OBJS = ../lib/common.o ../lib/pid.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/apparmor.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/arp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/caps.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/cpu.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/firemon.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -34,7 +34,6 @@ static int arg_seccomp = 0; static int arg_caps = 0; static int arg_cpu = 0; -static int arg_cgroup = 0; static int arg_x11 = 0; static int arg_top = 0; static int arg_list = 0; @@ -173,8 +172,6 @@ // cumulative options with or without a pid argument else if (strcmp(argv[i], "--x11") == 0) arg_x11 = 1; - else if (strcmp(argv[i], "--cgroup") == 0) - arg_cgroup = 1; else if (strcmp(argv[i], "--cpu") == 0) arg_cpu = 1; else if (strcmp(argv[i], "--seccomp") == 0) @@ -264,12 +261,11 @@ // if --name requested without other options, print all data if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor && - !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) { + !arg_x11 && !arg_interface && !arg_route && !arg_arp) { arg_tree = 1; arg_cpu = 1; arg_seccomp = 1; arg_caps = 1; - arg_cgroup = 1; arg_x11 = 1; arg_interface = 1; arg_route = 1; @@ -295,10 +291,6 @@ apparmor((pid_t) pid, print_procs); print_procs = 0; } - if (arg_cgroup) { - cgroup((pid_t) pid, print_procs); - print_procs = 0; - } if (arg_x11) { x11((pid_t) pid, print_procs); print_procs = 0;
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/firemon.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -75,9 +75,6 @@ // cpu.c void cpu(pid_t pid, int print_procs); -// cgroup.c -void cgroup(pid_t pid, int print_procs); - // tree.c void tree(pid_t pid);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/interface.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/list.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/netstats.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -47,7 +47,7 @@ static char get_header(void) { char rv; - if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", + if (asprintf(&rv, "%-7.7s %-9.9s %-10.10s %-10.10s %s", "PID", "User", "RX(KB/s)", "TX(KB/s)", "Command") == -1) errExit("asprintf"); @@ -106,10 +106,8 @@ } // store data - pids[parent].rx_delta = rx - pids[parent].rx; - pids[parent].rx = rx; - pids[parent].tx_delta = tx - pids[parent].tx; - pids[parent].tx = tx; + pids[parent].option.netstats.rx = rx - pids[parent].option.netstats.rx; + pids[parent].option.netstats.tx = tx - pids[parent].option.netstats.tx; free(fname); @@ -117,10 +115,8 @@ return; errexit: - pids[parent].rx = 0; - pids[parent].tx = 0; - pids[parent].rx_delta = 0; - pids[parent].tx_delta = 0; + pids[parent].option.netstats.rx = 0; + pids[parent].option.netstats.tx = 0; } @@ -174,16 +170,16 @@ ptruser = ""; - float rx_kbps = ((float) pids[index].rx_delta / 1000) / itv; + float rx_kbps = ((float) pids[index].option.netstats.rx / 1000) / itv; char ptrrx[15]; sprintf(ptrrx, "%.03f", rx_kbps); - float tx_kbps = ((float) pids[index].tx_delta / 1000) / itv; + float tx_kbps = ((float) pids[index].option.netstats.tx / 1000) / itv; char ptrtx[15]; sprintf(ptrtx, "%.03f", tx_kbps); char buf[1024 + 1]; - snprintf(buf, 1024, "%-5.5s %-9.9s %-10.10s %-10.10s %s", + snprintf(buf, 1024, "%-7.7s %-9.9s %-10.10s %-10.10s %s", pidstr, ptruser, ptrrx, ptrtx, ptrcmd); if (col < 1024) buf[col] = '\0'; @@ -205,7 +201,7 @@ while (1) { // set pid table int i; - int itv = 1; // 1 second interval + int itv = 3; // 3 second interval pid_read(0); // start rx/tx measurements
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/procevent.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -417,18 +417,18 @@ sprintf(lineptr, " %u", pid); lineptr += strlen(lineptr); - char user = pids[pid].user; + char user = pids[pid].option.event.user; if (!user) user = pid_get_user_name(pids[pid].uid); if (user) { - pids[pid].user = user; + pids[pid].option.event.user = user; sprintf(lineptr, " (%s)", user); lineptr += strlen(lineptr); } int sandbox_closed = 0; // exit sandbox flag - char cmd = pids[pid].cmd; + char cmd = pids[pid].option.event.cmd; if (!cmd) { cmd = pid_proc_cmdline(pid); } @@ -465,10 +465,10 @@ // unflag pid for exit events if (remove_pid) { - if (pids[pid].user) - free(pids[pid].user); - if (pids[pid].cmd) - free(pids[pid].cmd); + if (pids[pid].option.event.user) + free(pids[pid].option.event.user); + if (pids[pid].option.event.cmd) + free(pids[pid].option.event.cmd); memset(&pids[pid], 0, sizeof(Process)); } @@ -485,9 +485,9 @@ // on uid events the uid is changing if (proc_ev->what == PROC_EVENT_UID) { - if (pids[pid].user) - free(pids[pid].user); - pids[pid].user = 0; + if (pids[pid].option.event.user) + free(pids[pid].option.event.user); + pids[pid].option.event.user = 0; pids[pid].uid = pid_get_uid(pid); } @@ -505,6 +505,17 @@ exit(1); } + // set max_pids to the max value allowed by the kernel + FILE *fp = fopen("/proc/sys/kernel/pid_max", "r"); + if (fp) { + int val; + if (fscanf(fp, "%d", &val) == 1) { + if (val >= max_pids) + max_pids = val + 1; + } + fclose(fp); + } + // monitor using netlink int sock = procevent_netlink_setup(); if (sock < 0) {
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/route.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/seccomp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/top.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -47,7 +47,7 @@ static char get_header(void) { char rv; - if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", + if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", "PID", "User", "RES(KiB)", "SHR(KiB)", "CPU%", "Prcs", "Uptime", "Command") == -1) errExit("asprintf"); @@ -154,8 +154,8 @@ // cpu itv = clocktick; - float ud = (float) (utime - pids[index].utime) / itv * 100; - float sd = (float) (stime - pids[index].stime) / itv 100; + float ud = (float) (utime - pids[index].option.top.utime) / itv 100; + float sd = (float) (stime - pids[index].option.top.stime) / itv 100; float cd = ud + sd; cpu = cd; char cpu_str[10]; @@ -165,7 +165,7 @@ char prcs_str[10]; snprintf(prcs_str, 10, "%d", cnt); - if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", + if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) errExit("asprintf"); @@ -179,6 +179,34 @@ return rv; } +// recursivity!!! +void pid_store_cpu(unsigned index, unsigned parent, unsigned utime, unsigned stime) { + if (pids[index].level == 1) { + utime = 0; + stime = 0; + } + + // Remove unused parameter warning + (void)parent; + + unsigned utmp = 0; + unsigned stmp = 0; + pid_get_cpu_time(index, &utmp, &stmp); + utime += utmp; + stime += stmp; + + unsigned i; + for (i = index + 1; i < (unsigned)max_pids; i++) { + if (pids[i].parent == (pid_t)index) + pid_store_cpu(i, index, utime, stime); + } + + if (pids[index].level == 1) { + pids[index].option.top.utime = utime; + pids[index].option.top.stime = stime; + } +} + typedef struct node_t { struct node_t *next; @@ -267,7 +295,7 @@ // set pid table int i; - int itv = 1; // 1 second interval + int itv = 3; // 3 second interval pid_read(0); // start cpu measurements
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/tree.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/usage.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -29,7 +29,6 @@ "\t--apparmor - print AppArmor confinement status for each sandbox.\n\n" "\t--arp - print ARP table for each sandbox.\n\n" "\t--caps - print capabilities configuration for each sandbox.\n\n" - "\t--cgroup - print control group information for each sandbox.\n\n" "\t--cpu - print CPU affinity for each sandbox.\n\n" "\t--debug - print debug messages.\n\n" "\t--help, -? - this help screen.\n\n" @@ -38,12 +37,12 @@ "\t--name=name - print information only about named sandbox.\n\n" "\t--netstats - monitor network statistics for sandboxes creating a new\n" "\t\tnetwork namespace.\n\n" - "\t--nowrap - enable line wrapping in terminals.\n\n" "\t--route - print route table for each sandbox.\n\n" "\t--seccomp - print seccomp configuration for each sandbox.\n\n" "\t--tree - print a tree of all sandboxed processes.\n\n" "\t--top - monitor the most CPU-intensive sandboxes.\n\n" "\t--version - print program version and exit.\n\n" + "\t--wrap - enable line wrapping in terminals.\n\n" "\t--x11 - print X11 display number.\n\n" "Without any options, firemon monitors all fork, exec, id change, and exit\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/firemon/x11.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fldd/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fldd +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/syscall.h ../include/ldd_utils.h +MOD_OBJS = ../lib/common.o ../lib/ldd_utils.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fldd/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -261,12 +261,21 @@ // check directory // entry->d_type field is supported in glibc since version 2.19 (Feb 2014) - // we'll use stat to check for directories + // we'll use stat to check for directories using the real path + // (sometimes the path is a double symlink to a real file and stat would fail) + char *rpath = realpath(path, NULL); + if (!rpath) { + free(path); + continue; + } + free(path); + struct stat s; - if (stat(path, &s) == -1) + if (stat(rpath, &s) == -1) errExit("stat"); if (S_ISDIR(s.st_mode)) - walk_directory(path); + walk_directory(rpath); + free(rpath); } closedir(dir); }
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fnet +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/libnetlink.h +MOD_OBJS = ../lib/common.o ../lib/libnetlink.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/arp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/fnet.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/interface.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnet/veth.c ^
@@ -26,7 +26,7 @@ * / / - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnetfilter/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fnetfilter +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/syscall.h +MOD_OBJS = ../lib/common.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnetfilter/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -187,10 +187,9 @@ char command = (argc == 3)? argv[1]: NULL; //printf("command %s\n", command); //printf("destfile %s\n", destfile); + // destfile is a real filename - int len = strlen(destfile); - if (strcspn(destfile, "\\&!?\"'<>%^(){};,[]") != (size_t)len) - err_exit_cannot_open_file(destfile); + reject_meta_chars(destfile, 0); // handle default config (command = NULL, destfile) if (command == NULL) {
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-dns/Makefile ^
@@ -0,0 +1,7 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fnettrace-dns +TARGET = $(PROG) + +include $(ROOT)/src/prog.mk
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-dns/fnettrace_dns.h ^
@@ -0,0 +1,34 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#ifndef FNETTRACE_DNS_H +#define FNETTRACE_DNS_H + +#include "../include/common.h" +#include <unistd.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <time.h> +#include <stdarg.h> +#include <fcntl.h> +#include <sys/mman.h> + +#endif \ No newline at end of file
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-dns/main.c ^
@@ -0,0 +1,205 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include "fnettrace_dns.h" +#include <sys/ioctl.h> +#include <time.h> +#include <linux/filter.h> +#include <linux/if_ether.h> +#include <sys/prctl.h> +#include <signal.h> +#define MAX_BUF_SIZE (64 1024) + +static char last[512] = {'\0'}; + +// pkt - start of DNS layer +void print_dns(uint32_t ip_src, unsigned char pkt) { + assert(pkt); + + char ip[30]; + sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_src)); + time_t seconds = time(NULL); + struct tm t = localtime(&seconds); + + int nxdomain = (((pkt + 3) & 0x03) == 0x03)? 1: 0; + + // expecting a single question count + if (pkt[4] != 0 \|\| pkt[5] != 1) + goto errout; + + // check cname + unsigned char ptr = pkt + 12; + int len = 0; + while (ptr != 0 && len < 255) { // 255 is the maximum length of a domain name including multiple '.' + if (ptr > 63) // the name left of a '.' is 63 length maximum + goto errout; + + int delta = ptr + 1; + ptr = '.'; + len += delta;; + ptr += delta; + } + if (ptr != 0) + goto errout; + + ptr++; + uint16_t type; + memcpy(&type, ptr, 2); + type = ntohs(type); + + // filter output + char tmp[sizeof(last)]; + snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s (type %u)%s", + t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1, + type, (nxdomain)? " NXDOMAIN": ""); + if (strcmp(tmp, last)) { + printf("%s\n", tmp); + fflush(0); + strcpy(last, tmp); + } + + return; + +errout: + printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); + fflush(0); +} + +// https://www.kernel.org/doc/html/latest/networking/filter.html +static void custom_bpf(int sock) { + struct sock_filter code[] = { + // sudo tcpdump ip and udp and src port 53 -dd + { 0x28, 0, 0, 0x0000000c }, + { 0x15, 0, 8, 0x00000800 }, + { 0x30, 0, 0, 0x00000017 }, + { 0x15, 0, 6, 0x00000011 }, + { 0x28, 0, 0, 0x00000014 }, + { 0x45, 4, 0, 0x00001fff }, + { 0xb1, 0, 0, 0x0000000e }, + { 0x48, 0, 0, 0x0000000e }, + { 0x15, 0, 1, 0x00000035 }, + { 0x6, 0, 0, 0x00040000 }, + { 0x6, 0, 0, 0x00000000 }, + }; + + struct sock_fprog bpf = { + .len = (unsigned short) sizeof(code) / sizeof(code[0]), + .filter = code, + }; + + int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)); + if (rv < 0) { + fprintf(stderr, "Error: cannot attach BPF filter\n"); + exit(1); + } +} + +static void print_date(void) { + static int day = -1; + time_t now = time(NULL); + struct tm t = localtime(&now); + + if (day != t->tm_yday) { + printf("\nDNS trace for %s", ctime(&now)); + day = t->tm_yday; + } + fflush(0); +} + +static void run_trace(void) { + // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 + int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if (s < 0) + errExit("socket"); + custom_bpf(s); + + struct timeval tv; + tv.tv_sec = 10; + tv.tv_usec = 0; + unsigned char buf[MAX_BUF_SIZE]; + while (1) { + fd_set rfds; + FD_ZERO(&rfds); + FD_SET(s, &rfds); + int rv = select(s + 1, &rfds, NULL, NULL, &tv); + if (rv < 0) + errExit("select"); + else if (rv == 0) { + print_date(); + tv.tv_sec = 10; + tv.tv_usec = 0; + continue; + } + + unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL); + + if (bytes >= (14 + 20 + 8)) { // size of MAC + IP + UDP headers + uint8_t ip_hlen = (buf[14] & 0x0f) * 4; + uint16_t port_src; + memcpy(&port_src, buf + 14 + ip_hlen, 2); + port_src = ntohs(port_src); + uint8_t protocol = buf[14 + 9]; + uint32_t ip_src; + memcpy(&ip_src, buf + 14 + 12, 4); + ip_src = ntohl(ip_src); + + // if DNS packet, extract the query + if (port_src == 53 && protocol == 0x11) // UDP protocol + print_dns(ip_src, buf + 14 + ip_hlen + 8); // IP and UDP header len + } + } + + close(s); +} + + +static void usage(void) { + printf("Usage: fnettrace-dns [OPTIONS]\n"); + printf("Options:\n"); + printf(" --help, -? - this help screen\n"); + printf("\n"); +} + +int main(int argc, char **argv) { + int i; + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--help") == 0 \|\| strcmp(argv[i], "-?") == 0) { + usage(); + return 0; + } + else { + fprintf(stderr, "Error: invalid argument\n"); + return 1; + } + } + + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root to run this program\n"); + return 1; + } + + // kill the process if the parent died + prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); + + print_date(); + run_trace(); + + return 0; +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-icmp/Makefile ^
@@ -0,0 +1,7 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fnettrace-icmp +TARGET = $(PROG) + +include $(ROOT)/src/prog.mk
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-icmp/fnettrace_icmp.h ^
@@ -0,0 +1,34 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#ifndef FNETTRACE_SNI_H +#define FNETTRACE_SNI_H + +#include "../include/common.h" +#include <unistd.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <time.h> +#include <stdarg.h> +#include <fcntl.h> +#include <sys/mman.h> + +#endif \ No newline at end of file
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-icmp/main.c ^
@@ -0,0 +1,237 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include "fnettrace_icmp.h" +#include <sys/ioctl.h> +#include <time.h> +#include <linux/filter.h> +#include <linux/if_ether.h> +#include <sys/prctl.h> +#include <signal.h> +#define MAX_BUF_SIZE (64 1024) + +char type_description[19] = { + "Echo reply", + "unassigned", + "unassigned", + "Destination unreachable", + "Source quench", + "Redirect message", + "unassigned", + "unassigned", + "Echo request", + "Router advertisement", + "Router solicitation", + "Time exceeded", + "Bad IP header", + "Timestamp", + "Timestamp replay", + "Information request", + "Information reply", + "Address mask request", + "Address mask reply" +}; + +char code_dest_unreachable[16] = { + "Network unreachable", + "Host unreachable", + "Protocol unreachable", + "Port unreachable", + "Fragmentation required, and DF flag set", + "Source route failed", + "Network unknown", + "Host unknown", + "Source host isolated", + "Network administratively prohibited", + "Host administratively prohibited", + "Network unreachable for ToS", + "Host unreachable for ToS", + "Communication administratively prohibited", + "Host Precedence Violation", + "Precedence cutoff in effect" +}; + +char code_redirect_message[4] = { + "Datagram for the Network", + "Datagram for the Host", + "Datagram for the ToS & network", + "Datagram for the ToS & host" +}; + +char code_time_exceeded[2] = { + "TTL expired in transit", + "Fragment reassembly time exceeded" +}; + +char code_bad_ip_header[3] = { + "Pointer indicates the error", + "Missing a required option", + "Bad length" +}; + +static void print_icmp(uint32_t ip_dest, uint32_t ip_src, uint8_t type, uint8_t code, unsigned icmp_bytes) { + char type_number[10]; + char type_ptr = type_number; + if (type < 19) + type_ptr = type_description[type]; + else + sprintf(type_number, "%u", type); + + char code_number[10]; + char code_ptr = code_number; + if (type ==3 && code < 16) + code_ptr = code_dest_unreachable[code]; + else if (type == 5 && code < 4) + code_ptr = code_redirect_message[code]; + else if (type == 11 && code < 2) + code_ptr = code_time_exceeded[code]; + else if (type == 12 && code < 3) + code_ptr = code_bad_ip_header[code]; + else + sprintf(code_number, "%u", code); + + time_t seconds = time(NULL); + struct tm t = localtime(&seconds); + printf("%02d:%02d:%02d %d.%d.%d.%d -> %d.%d.%d.%d - %u bytes - %s/%s\n", + t->tm_hour, t->tm_min, t->tm_sec, + PRINT_IP(ip_src), + PRINT_IP(ip_dest), + icmp_bytes, + type_ptr, + code_ptr); + fflush(0); +} + +// https://www.kernel.org/doc/html/latest/networking/filter.html +static void custom_bpf(int sock) { + struct sock_filter code[] = { + // sudo tcpdump "icmp" -dd + { 0x28, 0, 0, 0x0000000c }, + { 0x15, 0, 3, 0x00000800 }, + { 0x30, 0, 0, 0x00000017 }, + { 0x15, 0, 1, 0x00000001 }, + { 0x6, 0, 0, 0x00040000 }, + { 0x6, 0, 0, 0x00000000 }, + }; + + struct sock_fprog bpf = { + .len = (unsigned short) sizeof(code) / sizeof(code[0]), + .filter = code, + }; + + int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)); + if (rv < 0) { + fprintf(stderr, "Error: cannot attach BPF filter\n"); + exit(1); + } +} + +static void print_date(void) { + static int day = -1; + time_t now = time(NULL); + struct tm t = localtime(&now); + + if (day != t->tm_yday) { + printf("\nICMP trace for %s", ctime(&now)); + day = t->tm_yday; + } + + fflush(0); +} + +static void run_trace(void) { + // grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets + int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if (s < 0) + errExit("socket"); + custom_bpf(s); + + struct timeval tv; + tv.tv_sec = 10; + tv.tv_usec = 0; + unsigned char buf[MAX_BUF_SIZE]; + while (1) { + fd_set rfds; + FD_ZERO(&rfds); + FD_SET(s, &rfds); + int rv = select(s + 1, &rfds, NULL, NULL, &tv); + if (rv < 0) + errExit("select"); + else if (rv == 0) { + print_date(); + tv.tv_sec = 10; + tv.tv_usec = 0; + continue; + } + + unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL); + + if (bytes >= (14 + 20 + 2)) { // size of MAC + IP + ICMP code and type fields + uint8_t ip_hlen = (buf[14] & 0x0f) 4; + uint8_t type = (buf + 14 +ip_hlen); + uint8_t code = (buf + 14 + ip_hlen + 1); + + uint32_t ip_dest; + memcpy(&ip_dest, buf + 14 + 16, 4); + ip_dest = ntohl(ip_dest); + uint32_t ip_src; + memcpy(&ip_src, buf + 14 + 12, 4); + ip_src = ntohl(ip_src); + + print_icmp(ip_dest, ip_src, type, code, bytes); + } + } + + close(s); +} + +static void usage(void) { + printf("Usage: fnettrace-icmp [OPTIONS]\n"); + printf("Options:\n"); + printf(" --help, -? - this help screen\n"); + printf("\n"); +} + +int main(int argc, char **argv) { + int i; + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--help") == 0 \|\| strcmp(argv[i], "-?") == 0) { + usage(); + return 0; + } + else { + fprintf(stderr, "Error: invalid argument\n"); + return 1; + } + } + + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root to run this program\n"); + return 1; + } + + // kill the process if the parent died + prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); + + print_date(); + run_trace(); + + return 0; +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-sni/Makefile ^
@@ -0,0 +1,7 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fnettrace-sni +TARGET = $(PROG) + +include $(ROOT)/src/prog.mk
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-sni/fnettrace_sni.h ^
@@ -0,0 +1,34 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#ifndef FNETTRACE_SNI_H +#define FNETTRACE_SNI_H + +#include "../include/common.h" +#include <unistd.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <time.h> +#include <stdarg.h> +#include <fcntl.h> +#include <sys/mman.h> + +#endif \ No newline at end of file
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace-sni/main.c ^
@@ -0,0 +1,241 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include "fnettrace_sni.h" +#include <sys/ioctl.h> +#include <time.h> +#include <linux/filter.h> +#include <linux/if_ether.h> +#include <sys/prctl.h> +#include <signal.h> +#define MAX_BUF_SIZE (64 1024) + +static char last[512] = {'\0'}; + +// pkt - start of TLS layer +static void print_tls(uint32_t ip_dest, unsigned char pkt, unsigned len) { + assert(pkt); + + char ip[30]; + sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_dest)); + time_t seconds = time(NULL); + struct tm t = localtime(&seconds); + + // expecting a handshake packet and client hello + if (pkt[0] != 0x16 \|\| pkt[5] != 0x01) + goto errout; + + + // look for server name indication + unsigned char ptr = pkt; + unsigned int i = 0; + char name = NULL; + while (i < (len - 20)) { + // 3 zeros and 3 matching length fields + if (ptr == 0 && (ptr + 1) == 0 && ((ptr + 2) == 0 \|\| (ptr + 2) == 1) && (ptr + 6) == 0) { + uint16_t len1; + memcpy(&len1, ptr + 2, 2); + len1 = ntohs(len1); + + uint16_t len2; + memcpy(&len2, ptr + 4, 2); + len2 = ntohs(len2); + + uint16_t len3; + memcpy(&len3, ptr + 7, 2); + len3 = ntohs(len3); + + if (len1 == (len2 + 2) && len1 == (len3 + 5)) { + (ptr + 9 + len3) = 0; + name = (char ) (ptr + 9); + break; + } + } + ptr++; + i++; + } + + if (name) { + // filter output + char tmp[sizeof(last)]; + snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name); + if (strcmp(tmp, last)) { + printf("%s\n", tmp); + fflush(0); + strcpy(last, tmp); + } + } + else + goto nosni; + return; + +errout: + printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); + fflush(0); + return; + +nosni: + printf("%02d:%02d:%02d %-15s no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip); + return; +} + +// https://www.kernel.org/doc/html/latest/networking/filter.html +static void custom_bpf(int sock) { + struct sock_filter code[] = { + // ports: 443 (regular TLS), 853 (DoT) + // sudo tcpdump "tcp port (443 or 853) and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01)" -dd + { 0x28, 0, 0, 0x0000000c }, + { 0x15, 29, 0, 0x000086dd }, + { 0x15, 0, 28, 0x00000800 }, + { 0x30, 0, 0, 0x00000017 }, + { 0x15, 0, 26, 0x00000006 }, + { 0x28, 0, 0, 0x00000014 }, + { 0x45, 24, 0, 0x00001fff }, + { 0xb1, 0, 0, 0x0000000e }, + { 0x48, 0, 0, 0x0000000e }, + { 0x15, 4, 0, 0x000001bb }, + { 0x15, 3, 0, 0x00000355 }, + { 0x48, 0, 0, 0x00000010 }, + { 0x15, 1, 0, 0x000001bb }, + { 0x15, 0, 17, 0x00000355 }, + { 0x50, 0, 0, 0x0000001a }, + { 0x54, 0, 0, 0x000000f0 }, + { 0x74, 0, 0, 0x00000002 }, + { 0xc, 0, 0, 0x00000000 }, + { 0x7, 0, 0, 0x00000000 }, + { 0x50, 0, 0, 0x0000000e }, + { 0x15, 0, 10, 0x00000016 }, + { 0xb1, 0, 0, 0x0000000e }, + { 0x50, 0, 0, 0x0000001a }, + { 0x54, 0, 0, 0x000000f0 }, + { 0x74, 0, 0, 0x00000002 }, + { 0x4, 0, 0, 0x00000005 }, + { 0xc, 0, 0, 0x00000000 }, + { 0x7, 0, 0, 0x00000000 }, + { 0x50, 0, 0, 0x0000000e }, + { 0x15, 0, 1, 0x00000001 }, + { 0x6, 0, 0, 0x00040000 }, + { 0x6, 0, 0, 0x00000000 }, + }; + + struct sock_fprog bpf = { + .len = (unsigned short) sizeof(code) / sizeof(code[0]), + .filter = code, + }; + + int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)); + if (rv < 0) { + fprintf(stderr, "Error: cannot attach BPF filter\n"); + exit(1); + } +} + +static void print_date(void) { + static int day = -1; + time_t now = time(NULL); + struct tm t = localtime(&now); + + if (day != t->tm_yday) { + printf("\nSNI trace for %s", ctime(&now)); + day = t->tm_yday; + } + + fflush(0); +} + +static void run_trace(void) { + // grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets + int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if (s < 0) + errExit("socket"); + custom_bpf(s); + + struct timeval tv; + tv.tv_sec = 10; + tv.tv_usec = 0; + unsigned char buf[MAX_BUF_SIZE]; + while (1) { + fd_set rfds; + FD_ZERO(&rfds); + FD_SET(s, &rfds); + int rv = select(s + 1, &rfds, NULL, NULL, &tv); + if (rv < 0) + errExit("select"); + else if (rv == 0) { + print_date(); + tv.tv_sec = 10; + tv.tv_usec = 0; + continue; + } + + unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL); + + if (bytes >= (14 + 20 + 20)) { // size of MAC + IP + TCP headers + uint8_t ip_hlen = (buf[14] & 0x0f) * 4; + uint16_t port_dest; + memcpy(&port_dest, buf + 14 + ip_hlen + 2, 2); + port_dest = ntohs(port_dest); + uint32_t ip_dest; + memcpy(&ip_dest, buf + 14 + 16, 4); + ip_dest = ntohl(ip_dest); + uint8_t tcp_hlen = (buf[14 + ip_hlen + 12] & 0xf0) >> 2; + + // extract SNI + print_tls(ip_dest, buf + 14 + ip_hlen + tcp_hlen, bytes - 14 - ip_hlen - tcp_hlen); // IP and TCP header len + } + } + + close(s); +} + + +static void usage(void) { + printf("Usage: fnettrace-sni [OPTIONS]\n"); + printf("Options:\n"); + printf(" --help, -? - this help screen\n"); + printf("\n"); +} + +int main(int argc, char **argv) { + int i; + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--help") == 0 \|\| strcmp(argv[i], "-?") == 0) { + usage(); + return 0; + } + else { + fprintf(stderr, "Error: invalid argument\n"); + return 1; + } + } + + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root to run this program\n"); + return 1; + } + + // kill the process if the parent died + prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); + + print_date(); + run_trace(); + + return 0; +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/Makefile ^
@@ -0,0 +1,7 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fnettrace +TARGET = $(PROG) + +include $(ROOT)/src/prog.mk
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/fnettrace.h ^
@@ -0,0 +1,73 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#ifndef FNETTRACE_H +#define FNETTRACE_H + +#include "../include/common.h" +#include <unistd.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <time.h> +#include <stdarg.h> +#include <fcntl.h> +#include <sys/mman.h> + + +//#define DEBUG 1 + +#define NETLOCK_INTERVAL 60 // seconds +#define DISPLAY_INTERVAL 2 // seconds +#define DISPLAY_TTL 4 // display intervals (4 2 seconds) +#define DISPLAY_BW_UNITS 20 // length of the bandwidth bar + + +static inline void ansi_topleft(void) { + char str[] = {0x1b, '[', '1', ';', '1', 'H', '\0'}; + printf("%s", str); + fflush(0); +} + +static inline void ansi_clrscr(void) { + ansi_topleft(); + char str[] = {0x1b, '[', '0', 'J', '\0'}; + printf("%s", str); + fflush(0); +} + +static inline uint8_t hash(uint32_t ip) { + uint8_t ptr = (uint8_t ) &ip; + // simple byte xor + return ptr ^ (ptr + 1) ^ (ptr + 2) ^ (ptr + 3); +} + +// main.c +void logprintf(char* fmt, ...); + +// hostnames.c +extern int geoip_calls; +void load_hostnames(const char fname); +char retrieve_hostname(uint32_t ip); + +// tail.c +void tail(const char *logfile); + +#endif \ No newline at end of file
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/hostnames.c ^
@@ -0,0 +1,124 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include "fnettrace.h" +#include "radix.h" +#define MAXBUF 1024 + +int geoip_calls = 0; +static int geoip_not_found = 0; +static char buf[MAXBUF]; + +char retrieve_hostname(uint32_t ip) { + if (geoip_not_found) + return NULL; + geoip_calls++; + + char rv = NULL; + char cmd; + if (asprintf(&cmd, "/usr/bin/geoiplookup %d.%d.%d.%d", PRINT_IP(ip)) == -1) + errExit("asprintf"); + + FILE fp = popen(cmd, "r"); + if (fp) { + char ptr; + if (fgets(buf, MAXBUF, fp)) { + ptr = strchr(buf, '\n'); + if (ptr) + ptr = '\0'; + if (strncmp(buf, "GeoIP Country Edition:", 22) == 0) { + ptr = buf + 22; + if (ptr == ' ' && (ptr + 3) == ',' && (ptr + 4) == ' ') { + rv = ptr + 5; + rv = radix_add(ip, 0xffffffff, rv); + } + } + } + pclose(fp); + return rv; + } + else + geoip_not_found = 1; + + free(cmd); + + return NULL; +} + +void load_hostnames(const char fname) { + assert(fname); + FILE fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Warning: cannot find %s file\n", fname); + return; + } + + char buf[MAXBUF]; + int line = 0; + while (fgets(buf, MAXBUF, fp)) { + line++; + + // skip empty spaces + char start = buf; + while (start == ' ' \|\| start == '\t') + start++; + // comments + if (start == '#') + continue; + char end = strchr(start, '#'); + if (end) + end = '\0'; + + // end + end = strchr(start, '\n'); + if (end) + end = '\0'; + end = start + strlen(start); + if (end == start) // empty line + continue; + + // line format: 1.2.3.4/32 name_without_empty_spaces + // a single empty space between address and name + end = strchr(start, ' '); + if (!end) + goto errexit; + end = '\0'; + end++; + if (*end == '\0') + goto errexit; + + uint32_t ip; + uint32_t mask; + if (atocidr(start, &ip, &mask)) { + fprintf(stderr, "Error: invalid CIDR address\n"); + goto errexit; + } + + radix_add(ip, mask, end); + } + + fclose(fp); + return; + + +errexit: + fprintf(stderr, "Error: invalid line %d in file %s\n", line, fname); + exit(1); +} +
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/main.c ^
@@ -0,0 +1,762 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include "fnettrace.h" +#include "radix.h" +#include <limits.h> +#include <sys/ioctl.h> +#include <sys/prctl.h> +#include <signal.h> +#define MAX_BUF_SIZE (64 1024) + +static int arg_netfilter = 0; +static int arg_tail = 0; +static char arg_log = NULL; + +typedef struct hnode_t { + struct hnode_t hnext; // used for hash table and unused linked list + struct hnode_t dnext; // used to display streams on the screen + uint32_t ip_src; + uint32_t bytes; // number of bytes received in the last display interval + uint16_t port_src; + uint8_t protocol; + // the firewall is build based on source address, and in the linked list + // we have elements with the same address but different ports + uint8_t ip_instance; + char hostname; + int ttl; +} HNode; + +// hash table +#define HMAX 256 +HNode htable[HMAX] = {NULL}; +// display linked list +HNode dlist = NULL; + + +// speed up malloc/free +#define HNODE_MAX_MALLOC 16 +static HNode hnode_unused = NULL; +HNode hmalloc(void) { + if (hnode_unused == NULL) { + hnode_unused = malloc(sizeof(HNode) * HNODE_MAX_MALLOC); + if (!hnode_unused) + errExit("malloc"); + memset(hnode_unused, 0, sizeof(HNode) * HNODE_MAX_MALLOC); + HNode ptr = hnode_unused; + int i; + for ( i = 1; i < HNODE_MAX_MALLOC; i++, ptr++) + ptr->hnext = hnode_unused + i; + } + + HNode rv = hnode_unused; + hnode_unused = hnode_unused->hnext; + return rv; +} + +void hfree(HNode ptr) { + assert(ptr); + memset(ptr, 0, sizeof(HNode)); + ptr->hnext = hnode_unused; + hnode_unused = ptr; +} + +// using protocol 0 and port 0 for ICMP +static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint32_t bytes) { + uint8_t h = hash(ip_src); + + // find + int ip_instance = 0; + HNode ptr = htable[h]; + while (ptr) { + if (ptr->ip_src == ip_src) { + ip_instance++; + if (ptr->port_src == port_src && ptr->protocol == protocol) { + ptr->bytes += bytes; + return; + } + } + ptr = ptr->hnext; + } + +#ifdef DEBUG + printf("malloc %d.%d.%d.%d\n", PRINT_IP(ip_src)); +#endif + HNode hnew = hmalloc(); + assert(hnew); + hnew->hostname = NULL; + hnew->ip_src = ip_src; + hnew->port_src = port_src; + hnew->protocol = protocol; + hnew->hnext = NULL; + hnew->bytes = bytes; + hnew->ip_instance = ip_instance + 1; + hnew->ttl = DISPLAY_TTL; + if (htable[h] == NULL) + htable[h] = hnew; + else { + hnew->hnext = htable[h]; + htable[h] = hnew; + } + + // add to the end of list + hnew->dnext = NULL; + if (dlist == NULL) + dlist = hnew; + else { + ptr = dlist; + while (ptr->dnext != NULL) + ptr = ptr->dnext; + ptr->dnext = hnew; + } + + if (arg_netfilter) + logprintf(" %d.%d.%d.%d ", PRINT_IP(hnew->ip_src)); +} + +static void hnode_free(HNode elem) { + assert(elem); +#ifdef DEBUG + printf("free %d.%d.%d.%d\n", PRINT_IP(elem->ip_src)); +#endif + + uint8_t h = hash(elem->ip_src); + HNode ptr = htable[h]; + assert(ptr); + + HNode prev = NULL; + while (ptr != elem) { + prev = ptr; + ptr = ptr->hnext; + } + if (prev == NULL) + htable[h] = elem->hnext; + else + prev->hnext = elem->hnext; + hfree(elem); +} + +#ifdef DEBUG +static void debug_dlist(void) { + HNode ptr = dlist; + while (ptr) { + printf("dlist %d.%d.%d.%d:%d\n", PRINT_IP(ptr->ip_src), ptr->port_src); + ptr = ptr->dnext; + } +} +static void debug_hnode(void) { + int i; + for (i = 0; i < HMAX; i++) { + HNode ptr = htable[i]; + while (ptr) { + printf("hnode (%d) %d.%d.%d.%d:%d\n", i, PRINT_IP(ptr->ip_src), ptr->port_src); + ptr = ptr->hnext; + } + } +} +#endif + +static char bw_line[DISPLAY_BW_UNITS + 1] = { NULL }; + +static char print_bw(unsigned units) { + if (units > DISPLAY_BW_UNITS) + units = DISPLAY_BW_UNITS ; + + if (bw_line[units] == NULL) { + char ptr = malloc(DISPLAY_BW_UNITS + 2); + if (!ptr) + errExit("malloc"); + bw_line[units] = ptr; + + unsigned i; + for (i = 0; i < DISPLAY_BW_UNITS; i++, ptr++) + sprintf(ptr, "%s", (i < units) ? "" : " "); + sprintf(ptr, "%s", " "); + } + + return bw_line[units]; +} + +static inline void adjust_line(char str, int len, int cols) { + if (len > LINE_MAX) // functions such as snprintf truncate the string, and return the length of the untruncated string + len = LINE_MAX; + if (cols > 4 && len > cols) { + str[cols] = '\0'; + str[cols - 1] = '\n'; + } +} + +#define BWMAX_CNT 8 +static unsigned adjust_bandwidth(unsigned bw) { + static unsigned array[BWMAX_CNT] = {0}; + static int instance = 0; + + array[instance] = bw; + int i; + unsigned sum = 0; + unsigned max = 0; + for ( i = 0; i < BWMAX_CNT; i++) { + sum += array[i]; + max = (max > array[i]) ? max : array[i]; + } + sum /= BWMAX_CNT; + + if (++instance >= BWMAX_CNT) + instance = 0; + + return (max < (sum / 2)) ? sum : max; +} + +typedef struct port_type_t { + uint16_t port; + char service; +} PortType; +static PortType ports[] = { + {20, "(FTP)"}, + {21, "(FTP)"}, + {22, "(SSH)"}, + {23, "(telnet)"}, + {25, "(SMTP)"}, + {43, "(WHOIS)"}, + {67, "(DHCP)"}, + {68, "(DHCP)"}, + {69, "(TFTP)"}, + {80, "(HTTP)"}, + {109, "(POP2)"}, + {110, "(POP3)"}, + {113, "(IRC)"}, + {123, "(NTP)"}, + {161, "(SNP)"}, + {162, "(SNP)"}, + {194, "(IRC)"}, + {0, NULL}, +}; + + +static inline const char common_port(uint16_t port) { + if (port >= 6660 && port <= 9150) { + if (port >= 6660 && port <= 6669) + return "(IRC)"; + else if (port == 6679) + return "(IRC)"; + else if (port == 6771) + return "(BitTorrent)"; + else if (port >= 6881 && port <= 6999) + return "(BitTorrent)"; + else if (port == 9001) + return "(Tor)"; + else if (port == 9030) + return "(Tor)"; + else if (port == 9050) + return "(Tor)"; + else if (port == 9051) + return "(Tor)"; + else if (port == 9150) + return "(Tor)"; + return NULL; + } + + if (port <= 194) { + PortType ptr =&ports[0]; + while(ptr->service != NULL) { + if (ptr->port == port) + return ptr->service; + ptr++; + } + } + + return NULL; +} + + + +static void hnode_print(unsigned bw) { + assert(!arg_netfilter); + bw = (bw < 1024 * DISPLAY_INTERVAL) ? 1024 * DISPLAY_INTERVAL : bw; +#ifdef DEBUG + printf("*******************\n"); + debug_dlist(); + printf("-----------------------------\n"); + debug_hnode(); + printf("******************\n"); +#else + ansi_clrscr(); +#endif + + // get terminal size + struct winsize sz; + int cols = 80; + if (isatty(STDIN_FILENO)) { + if (!ioctl(0, TIOCGWINSZ, &sz)) + cols = sz.ws_col; + } + if (cols > LINE_MAX) + cols = LINE_MAX; + char line[LINE_MAX + 1]; + + // print stats line + bw = adjust_bandwidth(bw); + char stats[31]; + if (bw > (1024 1024 * DISPLAY_INTERVAL)) + sprintf(stats, "%u MB/s ", bw / (1024 * 1024 * DISPLAY_INTERVAL)); + else + sprintf(stats, "%u KB/s ", bw / (1024 * DISPLAY_INTERVAL)); + int len = snprintf(line, LINE_MAX, "%32s geoip %d, IP database %d\n", stats, geoip_calls, radix_nodes); + adjust_line(line, len, cols); + printf("%s", line); + + HNode ptr = dlist; + HNode prev = NULL; + while (ptr) { + HNode next = ptr->dnext; + if (--ptr->ttl > 0) { + char bytes[11]; + if (ptr->bytes > (DISPLAY_INTERVAL 1024 * 1024 * 2)) // > 2 MB/second + snprintf(bytes, 11, "%u MB/s", + (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024 * 1024))); + else if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second + snprintf(bytes, 11, "%u KB/s", + (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024))); + else + snprintf(bytes, 11, "%u B/s ", (unsigned) (ptr->bytes / DISPLAY_INTERVAL)); + + if (!ptr->hostname) + ptr->hostname = radix_longest_prefix_match(ptr->ip_src); + if (!ptr->hostname) + ptr->hostname = retrieve_hostname(ptr->ip_src); + if (!ptr->hostname) + ptr->hostname = " "; + + unsigned bwunit = bw / DISPLAY_BW_UNITS; + char bwline; + if (bwunit == 0) + bwline = print_bw(0); + else + bwline = print_bw(ptr->bytes / bwunit); + + const char protocol = NULL; + if (ptr->port_src == 443) + protocol = "(TLS)"; + else if (ptr->port_src == 53) + protocol = "(DNS)"; + else if (ptr->port_src == 853) { + if (ptr->protocol == 0x06) + protocol = "(DoT)"; + else if (ptr->protocol == 0x11) + protocol = "(DoQ)"; + else + protocol = NULL; + } + else if ((protocol = common_port(ptr->port_src)) != NULL) + ; + else if (ptr->protocol == 0x11) + protocol = "(UDP)"; + + if (protocol == NULL) + protocol = ""; + if (ptr->port_src == 0) + len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d (ICMP) %s\n", + bytes, bwline, PRINT_IP(ptr->ip_src), ptr->hostname); + else + len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s\n", + bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->hostname); + + adjust_line(line, len, cols); + printf("%s", line); + + if (ptr->bytes) + ptr->ttl = DISPLAY_TTL; + ptr->bytes = 0; + prev = ptr; + } + else { + // free the element + if (prev == NULL) + dlist = next; + else + prev->dnext = next; + hnode_free(ptr); + } + + ptr = next; + } + +#ifdef DEBUG + { + int cnt = 0; + HNode ptr = hnode_unused; + while (ptr) { + cnt++; + ptr = ptr->hnext; + } + printf("hnode unused %d\n", cnt); + } +#endif +} + +// trace rx traffic coming in +static void run_trace(void) { + if (arg_netfilter) + logprintf("accumulating traffic for %d seconds\n", NETLOCK_INTERVAL); + + // trace only rx ipv4 tcp and upd + int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); + int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); + int s3 = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); + if (s1 < 0 \|\| s2 < 0 \|\| s3 < 0) + errExit("socket"); + + unsigned start = time(NULL); + unsigned last_print_traces = 0; + unsigned last_print_remaining = 0; + unsigned char buf[MAX_BUF_SIZE]; + unsigned bw = 0; // bandwidth calculations + while (1) { + unsigned end = time(NULL); + if (arg_netfilter && end - start >= NETLOCK_INTERVAL) + break; + if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second + if (!arg_netfilter) + hnode_print(bw); + last_print_traces = end; + bw = 0; + } + if (arg_netfilter && last_print_remaining != end) { + logprintf("."); + fflush(0); + last_print_remaining = end; + } + + fd_set rfds; + FD_ZERO(&rfds); + FD_SET(s1, &rfds); + FD_SET(s2, &rfds); + FD_SET(s3, &rfds); + int maxfd = (s1 > s2) ? s1 : s2; + maxfd = (s3 > maxfd) ? s3 : maxfd; + maxfd++; + + struct timeval tv; + tv.tv_sec = 1; + tv.tv_usec = 0; + + int rv = select(maxfd, &rfds, NULL, NULL, &tv); + if (rv < 0) + errExit("select"); + else if (rv == 0) + continue; + + int icmp = 0; + int sock = s1; + if (FD_ISSET(s2, &rfds)) + sock = s2; + else if (FD_ISSET(s3, &rfds)) { + sock = s3; + icmp = 1; + } + + unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL); + if (bytes >= 20) { // size of IP header +#ifdef DEBUG + { + uint32_t ip_src; + memcpy(&ip_src, buf + 12, 4); + ip_src = ntohl(ip_src); + + uint32_t ip_dst; + memcpy(&ip_dst, buf + 16, 4); + ip_dst = ntohl(ip_dst); + printf("%d.%d.%d.%d -> %d.%d.%d.%d, %u bytes\n", PRINT_IP(ip_src), PRINT_IP(ip_dst), bytes); + } +#endif + // filter out loopback traffic + if (buf[12] != 127 && buf[16] != 127) { + bw += bytes + 14; // assume a 14 byte Ethernet layer + + uint32_t ip_src; + memcpy(&ip_src, buf + 12, 4); + ip_src = ntohl(ip_src); + + uint8_t hlen = (buf[0] & 0x0f) 4; + if (icmp) + hnode_add(ip_src, 0, 0, bytes + 14); + else { + uint16_t port_src; + memcpy(&port_src, buf + hlen, 2); + port_src = ntohs(port_src); + + uint8_t protocol = buf[9]; + hnode_add(ip_src, protocol, port_src, bytes + 14); + } + } + } + } + + close(s1); + close(s2); +} + +static char filter_start = + "filter\n" + ":INPUT DROP [0:0]\n" + ":FORWARD DROP [0:0]\n" + ":OUTPUT DROP [0:0]\n"; + +// return 1 if error +static int print_filter(FILE fp) { + if (dlist == NULL) + return 1; + fprintf(fp, "%s\n", filter_start); + fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n"); + fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n"); + fprintf(fp, "\n"); + + int i; + for (i = 0; i < HMAX; i++) { + HNode ptr = htable[i]; + while (ptr) { + // filter rules are targeting ip address, the port number is disregarded, + // so we look only at the first instance of an address + if (ptr->ip_instance == 1) { + char protocol = (ptr->protocol == 6) ? "tcp" : "udp"; + fprintf(fp, "-A INPUT -s %d.%d.%d.%d -p %s -j ACCEPT\n", + PRINT_IP(ptr->ip_src), + protocol); + fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -p %s -j ACCEPT\n", + PRINT_IP(ptr->ip_src), + protocol); + fprintf(fp, "\n"); + } + ptr = ptr->hnext; + } + } + fprintf(fp, "COMMIT\n"); + + return 0; +} + +static char flush_rules[] = { + "-P INPUT ACCEPT", +// "-P FORWARD DENY", + "-P OUTPUT ACCEPT", + "-F", + "-X", +// "-t nat -F", +// "-t nat -X", +// "-t mangle -F", +// "-t mangle -X", +// "iptables -t raw -F", +// "-t raw -X", + NULL +}; + +static void deploy_netfilter(void) { + int rv; + char cmd; + int i; + + if (dlist == NULL) { + logprintf("Sorry, no network traffic was detected. The firewall was not configured.\n"); + return; + } + // find iptables command + char iptables = NULL; + char iptables_restore = NULL; + if (access("/sbin/iptables", X_OK) == 0) { + iptables = "/sbin/iptables"; + iptables_restore = "/sbin/iptables-restore"; + } + else if (access("/usr/sbin/iptables", X_OK) == 0) { + iptables = "/usr/sbin/iptables"; + iptables_restore = "/usr/sbin/iptables-restore"; + } + if (iptables == NULL \|\| iptables_restore == NULL) { + fprintf(stderr, "Error: iptables command not found, netfilter not configured\n"); + exit(1); + } + + // flush all netfilter rules + i = 0; + while (flush_rules[i]) { + char cmd; + if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1) + errExit("asprintf"); + int rv = system(cmd); + (void) rv; + free(cmd); + i++; + } + + // create temporary file + char fname[] = "/tmp/firejail-XXXXXX"; + int fd = mkstemp(fname); + if (fd == -1) { + fprintf(stderr, "Error: cannot create temporary configuration file\n"); + exit(1); + } + + FILE fp = fdopen(fd, "w"); + if (!fp) { + rv = unlink(fname); + (void) rv; + fprintf(stderr, "Error: cannot create temporary configuration file\n"); + exit(1); + } + print_filter(fp); + fclose(fp); + + logprintf("\n\n"); + logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); + if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1) + errExit("asprintf"); + rv = system(cmd); + (void) rv; + free(cmd); + + if (asprintf(&cmd, "cat %s", fname) == -1) + errExit("asprintf"); + rv = system(cmd); + (void) rv; + free(cmd); + logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + + // configuring + if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1) + errExit("asprintf"); + rv = system(cmd); + if (rv) + fprintf(stdout, "Warning: possible netfilter problem!"); + free(cmd); + + rv = unlink(fname); + (void) rv; + logprintf("\nfirewall deployed\n"); +} + +void logprintf(char fmt, ...) { + if (!arg_log) + return; + + FILE fp = fopen(arg_log, "a"); + if (fp) { // disregard if error + va_list args; + va_start(args, fmt); + vfprintf(fp, fmt, args); + va_end(args); + fclose(fp); + } + + va_list args; + va_start(args, fmt); + vfprintf(stdout, fmt, args); + va_end(args); +} + +static void usage(void) { + printf("Usage: fnettrace [OPTIONS]\n"); + printf("Options:\n"); + printf(" --help, -? - this help screen\n"); + printf(" --log=filename - netlocker logfile\n"); + printf(" --netfilter - build the firewall rules and commit them.\n"); + printf(" --tail - \"tail -f\" functionality\n"); + printf("Examples:\n"); + printf(" # fnettrace - traffic trace\n"); + printf(" # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n"); + printf(" # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n"); + printf("\n"); +} + +int main(int argc, char argv) { + int i; + +#ifdef DEBUG + // radix test + radix_add(0x09000000, 0xff000000, "IBM"); + radix_add(0x09090909, 0xffffffff, "Quad9 DNS"); + radix_add(0x09000000, 0xff000000, "IBM"); + printf("This test should print \"IBM, Quad9 DNS, IBM\"\n"); + char name = radix_longest_prefix_match(0x09040404); + printf("%s, ", name); + name = radix_longest_prefix_match(0x09090909); + printf("%s, ", name); + name = radix_longest_prefix_match(0x09322209); + printf("%s\n", name); +#endif + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--help") == 0 \|\| strcmp(argv[i], "-?") == 0) { + usage(); + return 0; + } + else if (strcmp(argv[i], "--netfilter") == 0) + arg_netfilter = 1; + else if (strcmp(argv[i], "--tail") == 0) + arg_tail = 1; + else if (strncmp(argv[i], "--log=", 6) == 0) + arg_log = argv[i] + 6; + else { + fprintf(stderr, "Error: invalid argument\n"); + return 1; + } + } + + // tail + if (arg_tail) { + if (!arg_log) { + fprintf(stderr, "Error: no log file\n"); + usage(); + exit(1); + } + + tail(arg_log); + sleep(5); + exit(0); + } + + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root to run this program\n"); + return 1; + } + + // kill the process if the parent died + prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); + + ansi_clrscr(); + if (arg_netfilter) + logprintf("starting network lockdown\n"); + else { + char *fname = LIBDIR "/firejail/static-ip-map"; + load_hostnames(fname); + } + + run_trace(); + if (arg_netfilter) { + // TCP path MTU discovery will not work properly since the firewall drops all ICMP packets + // Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel + int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing"); + (void) rv; + + deploy_netfilter(); + sleep(3); + if (arg_log) + unlink(arg_log); + } + + return 0; +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/radix.c ^
@@ -0,0 +1,155 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <stdint.h> +#include <assert.h> +#include "radix.h" +#include "fnettrace.h" + +typedef struct rnode_t { + struct rnode_t zero; + struct rnode_t one; + char name; +} RNode; + +RNode head = 0; +int radix_nodes = 0; + +// get rid of the malloc overhead +#define RNODE_MAX_MALLOC 128 +static RNode rnode_unused = NULL; +static int rnode_malloc_cnt = 0; +static RNode rmalloc(void) { + if (rnode_unused == NULL \|\| rnode_malloc_cnt >= RNODE_MAX_MALLOC) { + rnode_unused = malloc(sizeof(RNode) RNODE_MAX_MALLOC); + if (!rnode_unused) + errExit("malloc"); + memset(rnode_unused, 0, sizeof(RNode) * RNODE_MAX_MALLOC); + rnode_malloc_cnt = 0; + } + + rnode_malloc_cnt++; + return rnode_unused + rnode_malloc_cnt - 1; +} + + +static inline char duplicate_name(const char name) { + assert(name); + + if (strcmp(name, "United States") == 0) + return "United States"; + else if (strcmp(name, "Amazon") == 0) + return "Amazon"; + return strdup(name); +} + +static inline RNode addOne(RNode ptr, char name) { + assert(ptr); + if (ptr->one) + return ptr->one; + RNode node = rmalloc(); + assert(node); + if (name) { + node->name = duplicate_name(name); + if (!node->name) + errExit("duplicate name"); + } + + ptr->one = node; + return node; +} + +static inline RNode addZero(RNode ptr, char name) { + assert(ptr); + if (ptr->zero) + return ptr->zero; + RNode node = rmalloc(); + assert(node); + if (name) { + node->name = duplicate_name(name); + if (!node->name) + errExit("duplicate name"); + } + + ptr->zero = node; + return node; +} + + +// add to radix tree +char radix_add(uint32_t ip, uint32_t mask, char name) { + assert(name); + uint32_t m = 0x80000000; + uint32_t lastm = 0; + if (head == 0) { + head = malloc(sizeof(RNode)); + memset(head, 0, sizeof(RNode)); + } + RNode ptr = head; + radix_nodes++; + + int i; + for (i = 0; i < 32; i++, m >>= 1) { + if (!(m & mask)) + break; + + lastm \|= m; + int valid = (lastm == mask)? 1: 0; + if (m & ip) + ptr = addOne(ptr, (valid)? name: NULL); + else + ptr = addZero(ptr, (valid)? name: NULL); + } + assert(ptr); + if (!ptr->name) { + ptr->name = duplicate_name(name); + if (!ptr->name) + errExit("duplicate_name"); + } + + return ptr->name; +} + +// find last match +char radix_longest_prefix_match(uint32_t ip) { + if (!head) + return NULL; + + uint32_t m = 0x80000000; + RNode ptr = head; + RNode rv = NULL; + + int i; + for (i = 0; i < 32; i++, m >>= 1) { + if (m & ip) + ptr = ptr->one; + else + ptr = ptr->zero; + if (!ptr) + break; + if (ptr->name) + rv = ptr; + } + + return (rv)? rv->name: NULL; +} +
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/radix.h ^
@@ -0,0 +1,27 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#ifndef RADIX_H +#define RADIX_H + +extern int radix_nodes; +char radix_longest_prefix_match(uint32_t ip); +char radix_add(uint32_t ip, uint32_t mask, char name); + +#endif \ No newline at end of file
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/static-ip-map ^
@@ -0,0 +1,5403 @@ +# +# Copyright (C) 2014-2022 Firejail Authors +# +# This file is part of firejail project +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# +# Static Internet Map +# +# Unfortunately we cannot do a hostname lookup. This will leak a lot of +# information about what network resources we access. +# A static map, helped out by geoip package available on all Linux distros, +# will have to do it for now! +# +# Format: +# CIDR-IPv4-address-range hostname +# a single space between address and hostname +# use '#' for comments +# example: 9.9.9.0/24 Quad9 DNS +# +# + +# +# The following list of addresses was compiled from various public sources. +# + + +# local network addresses +192.168.0.0/16 local network +10.0.0.0/8 local network +172.16.0.0/16 local network +169.254.0.0/16 local link + +# huge address ranges +4.0.0.0/9 Level 3 +6.0.0.0/8 US Army +7.0.0.0/8 US Army +8.0.0.0/9 Level 3 +9.0.0.0/8 IBM +11.0.0.0/8 US Army +17.0.0.0/8 Apple +19.0.0.0/8 Ford +21.0.0.0/8 US Army +22.0.0.0/8 US Army +26.0.0.0/8 US Army +28.0.0.0/8 US Army +29.0.0.0/8 US Army +30.0.0.0/8 US Army +33.0.0.0/8 US Army +48.0.0.0/8 Prudential US +55.0.0.0/8 US Army +56.0.0.0/8 US Postal Service +214.0.0.0/8 US Army +215.0.0.0/8 US Army + +# DNS +1.1.1.0/24 Cloudflare DNS +1.0.0.0/24 Cloudflare DNS +4.2.2.1/32 Level3 DNS +4.2.2.2/32 Level3 DNS +4.2.2.3/32 Level3 DNS +4.2.2.4/32 Level3 DNS +8.8.4.0/24 Google DNS +8.8.8.0/24 Google DNS +9.9.9.0/24 Quad9 DNS +45.90.28.0/22 NextDNS +149.112.112.0/24 Quad9 DNS +149.112.120.0/21 CIRA DNS Canada +146.255.56.96/29 Applied Privacy +176.103.128.0/19 Adguard DNS +185.228.168.0/24 Cleanbrowsing DNS +208.67.216.0/21 OpenDNS + +# whois +193.0.0.0/21 whois.ripe.net Netherlands +199.5.26.0/24 whois.arin.net US +199.15.80.0/21 whois.publicinterestregistry.net Canada +199.15.88.0/24 whois.publicinterestregistry.net Canada +199.71.0.0/24 whois.arin.net US +199.212.0.0/24 whois.arin.net US +200.3.12.0/22 whois.lacnic.net Uruguay +201.159.220.0/22 whois.lacnic.net Ecuador + +# some popular websites +23.160.0.0/24 Twitch +23.246.0.0/18 Netflix +31.13.24.0/21 Facebook +31.13.64.0/18 Facebook +37.77.184.0/21 Netflix +45.57.0.0/17 Netflix +45.58.64.0/20 Dropbox +45.113.128.0/22 Twitch +47.88.0.0/14 Alibaba +52.223.192.0/18 Twitch +63.245.208.0/23 Mozilla +64.63.0.0/18 Twitter +64.112.13.0/24 Dropbox +64.120.128.0/17 Netflix +66.197.128.0/17 Netflix +69.53.224.0/19 Netflix +69.171.224.0/19 Facebook +91.105.192.0/23 Telegram +91.108.4.0/22 Telegram +91.108.8.0/21 Telegram +91.108.16.0/21 Telegram +91.108.56.0/22 Telegram +91.189.88.0/24 Ubuntu One +91.189.90.0/23 Ubuntu One +91.189.92.0/23 Ubuntu One +91.189.94.0/24 Ubuntu One +95.161.64.0/20 Telegram +99.181.64.0/18 Twitch +103.53.48.0/23 Twitch +104.244.40.0/21 Twitter +103.10.124.0/23 Steam +103.28.54.0/24 Steam +108.160.160.0/20 Dropbox +108.175.32.0/20 Netflix +129.134.0.0/16 Facebook +140.82.112.0/20 GitHub +143.55.64.0/20 Github +146.66.152.0/24 Steam +146.66.155.0/24 Steam +149.154.160.0/20 Telegram +153.254.86.0/24 Steam +155.133.224.0/22 Steam +155.133.230.0/24 Steam +155.133.232.0/23 Steam +155.133.234.0/24 Steam +155.133.236.0/22 Steam +155.133.240.0/23 Steam +155.133.245.0/24 Steam +155.133.246.0/24 Steam +155.133.248.0/21 Steam +157.240.0.0/16 Facebook +162.125.0.0/16 Dropbox +162.213.32.0/22 Ubuntu One +162.254.192.0/21 Steam +172.98.56.0/22 Rumble +185.2.220.0/22 Netflix +185.9.188.0/22 Netflix +185.25.182.0/23 Steam +185.42.204.0/22 Twitch +185.45.8.0/22 Dropbox +185.70.40.0/22 ProtonMail +185.76.151.0/24 Telegram +185.105.164.0/24 Dropbox +185.125.188.0/22 Ubuntu One +185.199.108.0/22 GitHub +185.205.69.0/24 Tutanota +188.64.224.0/21 Twitter +190.217.33.0/24 Steam +192.0.64.0/18 Wordpress +192.16.64.0/21 Twitch +192.30.252.0/22 GitHub +192.69.96.0/22 Steam +192.108.239.0/24 Twitch +192.173.64.0/18 Netflix +192.189.200.0/23 Dropbox +194.169.254.0/24 Ubuntu One +198.38.96.0/19 Netflix +198.45.48.0/20 Netflix +199.9.248.0/21 Twitch +199.16.156.0/22 Twitter +199.59.148.0/22 Twitter +205.185.194.0/24 Steam +205.196.6.0/24 Steam +207.45.72.0/22 Netflix +208.64.200.0/22 Steam +208.75.76.0/22 Netflix +208.78.164.0/22 Steam +208.80.152.0/22 Wikipedia + +# WholeSale Internet +69.30.192.0/18 WholeSale Internet +69.197.128.0/18 WholeSale Internet +173.208.128.0/17 WholeSale Internet +204.12.192.0/18 WholeSale Internet +208.67.0.0/21 WholeSale Internet +208.110.64.0/19 WholeSale Internet +208.110.91.0/24 WholeSale Internet + +# StackPath +69.16.173.0/24 StackPath +69.16.174.0/23 StackPath +69.16.176.0/20 StackPath +151.139.0.0/16 StackPath + +# Linode +103.29.68.0/22 Linode +104.200.16.0/21 Linode +104.200.24.0/22 Linode +104.200.25.0/24 Linode +104.200.26.0/24 Linode +104.200.27.0/24 Linode +104.200.28.0/22 Linode +104.237.128.0/21 Linode +104.237.136.0/21 Linode +104.237.144.0/21 Linode +104.237.152.0/21 Linode +104.237.152.0/24 Linode +104.237.153.0/24 Linode +104.237.154.0/24 Linode +104.237.155.0/24 Linode +104.237.156.0/24 Linode +104.237.157.0/24 Linode +104.237.158.0/24 Linode +104.237.159.0/24 Linode +109.237.24.0/22 Linode +109.74.192.0/20 Linode +139.144.0.0/20 Linode +139.144.104.0/21 Linode +139.144.112.0/20 Linode +139.144.128.0/21 Linode +139.144.136.0/21 Linode +139.144.144.0/20 Linode +139.144.160.0/22 Linode +139.144.16.0/20 Linode +139.144.164.0/22 Linode +139.144.168.0/21 Linode +139.144.176.0/21 Linode +139.144.184.0/21 Linode +139.144.192.0/19 Linode +139.144.224.0/21 Linode +139.144.232.0/21 Linode +139.144.240.0/22 Linode +139.144.32.0/21 Linode +139.144.40.0/21 Linode +139.144.48.0/20 Linode +139.144.64.0/20 Linode +139.144.80.0/21 Linode +139.144.88.0/21 Linode +139.144.96.0/21 Linode +139.162.0.0/19 Linode +139.162.128.0/19 Linode +139.162.160.0/19 Linode +139.162.192.0/19 Linode +139.162.224.0/19 Linode +139.162.32.0/19 Linode +139.162.64.0/19 Linode +139.162.96.0/19 Linode +139.177.176.0/21 Linode +139.177.184.0/21 Linode +139.177.192.0/21 Linode +139.177.200.0/21 Linode +151.236.216.0/21 Linode +162.216.16.0/22 Linode +170.187.128.0/24 Linode +170.187.129.0/24 Linode +170.187.131.0/24 Linode +170.187.132.0/24 Linode +170.187.134.0/23 Linode +170.187.136.0/21 Linode +170.187.144.0/20 Linode +170.187.160.0/21 Linode +170.187.168.0/21 Linode +170.187.176.0/21 Linode +170.187.184.0/21 Linode +170.187.192.0/22 Linode +170.187.196.0/22 Linode +170.187.200.0/21 Linode +170.187.208.0/20 Linode +170.187.224.0/21 Linode +170.187.232.0/21 Linode +170.187.240.0/21 Linode +170.187.248.0/21 Linode +172.104.0.0/15 Linode +172.104.128.0/19 Linode +172.104.160.0/19 Linode +172.104.192.0/21 Linode +172.104.200.0/23 Linode +172.104.202.0/23 Linode +172.104.205.0/24 Linode +172.104.206.0/24 Linode +172.104.207.0/24 Linode +172.104.208.0/20 Linode +172.104.220.0/24 Linode +172.104.224.0/19 Linode +172.104.32.0/19 Linode +172.104.4.0/22 Linode +172.104.64.0/19 Linode +172.104.8.0/21 Linode +172.104.96.0/19 Linode +172.105.0.0/19 Linode +172.105.112.0/20 Linode +172.105.128.0/23 Linode + +# Akamai +23.0.0.0/12 Akamai +23.32.0.0/11 Akamai +23.64.0.0/14 Akamai +23.72.0.0/13 Akamai +23.192.0.0/11 Akamai +72.246.0.0/15 Akamai +96.6.0.0/15 Akamai +96.16.0.0/15 Akamai +104.64.0.0/10 Akamai +184.24.0.0/13 Akamai +184.50.0.0/15 Akamai +184.84.0.0/14 Akamai + +# Fastly +23.235.32.0/20 Fastly +43.249.72.0/22 Fastly +103.244.50.0/24 Fastly +103.245.222.0/23 Fastly +103.245.224.0/24 Fastly +104.156.80.0/20 Fastly +146.75.0.0/16 Fastly +151.101.0.0/16 Fastly +157.52.64.0/18 Fastly +167.82.0.0/17 Fastly +167.82.128.0/20 Fastly +167.82.160.0/20 Fastly +167.82.224.0/20 Fastly +172.111.64.0/18 Fastly +185.31.16.0/22 Fastly +199.27.72.0/21 Fastly +199.232.0.0/16 Fastly + +# MCI/Verizon +72.21.80.0/20 MCI +108.29.0.0/16 MCI +108.30.0.0/16 MCI +108.31.0.0/16 MCI +108.3.128.0/17 MCI +108.32.0.0/17 MCI +108.32.128.0/17 MCI +108.33.254.0/24 MCI +108.33.255.0/24 MCI +108.34.128.0/17 MCI +108.34.16.0/20 MCI +108.34.32.0/19 MCI +108.34.64.0/18 MCI +108.35.0.0/16 MCI +108.36.0.0/16 MCI +108.3.64.0/18 MCI +108.37.0.0/16 MCI +108.39.0.0/17 MCI +108.39.128.0/17 MCI +108.40.0.0/17 MCI +108.4.0.0/17 MCI +108.41.0.0/16 MCI +108.4.128.0/19 MCI +108.4.160.0/19 MCI +108.4.192.0/18 MCI +108.44.0.0/18 MCI +108.44.128.0/17 MCI +108.44.64.0/18 MCI +108.45.0.0/16 MCI +108.46.0.0/16 MCI +192.229.128.0/17 MCI + +# Microsoft +40.76.0.0/14 Microsoft +40.96.0.0/12 Microsoft +40.112.0.0/13 Microsoft +40.124.0.0/16 Microsoft +40.74.0.0/15 Microsoft +40.80.0.0/12 Microsoft +40.120.0.0/14 Microsoft +40.125.0.0/17 Microsoft +52.145.0.0/16 Microsoft +52.148.0.0/14 Microsoft +52.152.0.0/13 Microsoft +52.146.0.0/15 Microsoft +52.160.0.0/11 Microsoft + +# Yahoo +63.250.192.0/19 Yahoo +66.196.64.0/18 Yahoo +67.195.0.0/16 Yahoo +69.147.64.0/18 Yahoo +76.13.0.0/16 Yahoo +98.136.0.0/14 Yahoo +206.190.32.0/19 Yahoo +209.73.160.0/19 Yahoo +209.191.64.0/18 Yahoo +216.115.96.0/20 Yahoo + +# Google +# from https://support.google.com/a/answer/10026322?hl=en +# last update January 5, 2022 +8.34.208.0/20 Google +8.35.192.0/20 Google +23.236.48.0/20 Google +23.251.128.0/19 Google +34.64.0.0/10 Google +34.128.0.0/10 Google +35.184.0.0/13 Google +35.192.0.0/14 Google +35.196.0.0/15 Google +35.198.0.0/16 Google +35.199.0.0/17 Google +35.199.128.0/18 Google +35.200.0.0/13 Google +35.208.0.0/12 Google +35.224.0.0/12 Google +35.240.0.0/13 Google +64.15.112.0/20 Google +64.233.160.0/19 Google +66.102.0.0/20 Google +66.249.64.0/19 Google +70.32.128.0/19 Google +72.14.192.0/18 Google +74.114.24.0/21 Google +74.125.0.0/16 Google +104.154.0.0/15 Google +104.196.0.0/14 Google +104.237.160.0/19 Google +107.167.160.0/19 Google +107.178.192.0/18 Google +108.59.80.0/20 Google +108.170.192.0/18 Google +108.177.0.0/17 Google +130.211.0.0/16 Google +136.112.0.0/12 Google +142.250.0.0/15 Google +146.148.0.0/17 Google +162.216.148.0/22 Google +162.222.176.0/21 Google +172.110.32.0/21 Google +172.217.0.0/16 Google +172.253.0.0/16 Google +173.194.0.0/16 Google +173.255.112.0/20 Google +192.158.28.0/22 Google +192.178.0.0/15 Google +193.186.4.0/24 Google +199.36.154.0/23 Google +199.36.156.0/24 Google +199.192.112.0/22 Google +199.223.232.0/21 Google +207.223.160.0/20 Google +208.65.152.0/22 Google +208.68.108.0/22 Google +208.81.188.0/22 Google +208.117.224.0/19 Google +209.85.128.0/17 Google +216.58.192.0/19 Google +216.73.80.0/20 Google +216.239.32.0/19 Google + + +#Cloudflare +# from https://www.cloudflare.com/ips/ +# update April 8, 2021 +103.21.244.0/22 Cloudflare +103.22.200.0/22 Cloudflare +103.31.4.0/22 Cloudflare +104.16.0.0/13 Cloudflare +104.24.0.0/14 Cloudflare +108.162.192.0/18 Cloudflare +131.0.72.0/22 Cloudflare +141.101.64.0/18 Cloudflare +162.158.0.0/15 Cloudflare +172.64.0.0/13 Cloudflare +173.245.48.0/20 Cloudflare +188.114.96.0/20 Cloudflare +190.93.240.0/20 Cloudflare +197.234.240.0/22 Cloudflare +198.41.128.0/17 Cloudflare + +# Amazon +# from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html +# update January 6, 2022 +3.0.0.0/15 Amazon +3.2.0.0/24 Amazon +3.2.2.0/24 Amazon +3.2.3.0/24 Amazon +3.2.8.0/21 Amazon +3.3.0.0/23 Amazon +3.3.5.0/24 Amazon +3.3.6.0/23 Amazon +3.3.8.0/21 Amazon +3.3.16.0/21 Amazon +3.3.24.0/22 Amazon +3.3.28.0/22 Amazon +3.4.0.0/24 Amazon +3.4.1.0/24 Amazon +3.4.2.0/24 Amazon +3.4.3.0/24 Amazon +3.4.4.0/24 Amazon +3.4.6.0/24 Amazon +3.4.7.0/24 Amazon +3.4.16.0/21 Amazon +3.4.24.0/21 Amazon +3.5.0.0/19 Amazon +3.5.32.0/22 Amazon +3.5.36.0/22 Amazon +3.5.40.0/22 Amazon +3.5.44.0/22 Amazon +3.5.48.0/22 Amazon +3.5.52.0/22 Amazon +3.5.64.0/21 Amazon +3.5.72.0/23 Amazon +3.5.76.0/22 Amazon +3.5.80.0/21 Amazon +3.5.128.0/22 Amazon +3.5.132.0/23 Amazon +3.5.134.0/23 Amazon +3.5.136.0/22 Amazon +3.5.140.0/22 Amazon +3.5.144.0/23 Amazon +3.5.146.0/23 Amazon +3.5.148.0/22 Amazon +3.5.152.0/21 Amazon +3.5.160.0/22 Amazon +3.5.164.0/22 Amazon +3.5.168.0/23 Amazon +3.5.208.0/22 Amazon +3.5.212.0/23 Amazon +3.5.216.0/22 Amazon +3.5.220.0/22 Amazon +3.5.224.0/22 Amazon +3.5.228.0/22 Amazon +3.5.232.0/22 Amazon +3.5.236.0/22 Amazon +3.5.240.0/22 Amazon +3.5.244.0/22 Amazon +3.5.248.0/22 Amazon +3.5.252.0/22 Amazon +3.6.0.0/15 Amazon +3.8.0.0/14 Amazon +3.12.0.0/16 Amazon +3.13.0.0/16 Amazon +3.14.0.0/15 Amazon +3.16.0.0/14 Amazon +3.20.0.0/14 Amazon +3.24.0.0/14 Amazon +3.28.0.0/15 Amazon +3.30.0.0/15 Amazon +3.32.0.0/16 Amazon +3.33.34.0/24 Amazon +3.33.35.0/24 Amazon +3.33.128.0/17 Amazon +3.34.0.0/15 Amazon +3.36.0.0/14 Amazon +3.48.0.0/12 Amazon +3.64.0.0/12 Amazon +3.80.0.0/12 Amazon +3.96.0.0/15 Amazon +3.98.0.0/15 Amazon +3.100.0.0/16 Amazon +3.101.0.0/16 Amazon +3.104.0.0/14 Amazon +3.108.0.0/14 Amazon +3.112.0.0/14 Amazon +3.116.0.0/14 Amazon +3.120.0.0/14 Amazon +3.124.0.0/14 Amazon +3.128.0.0/15 Amazon +3.130.0.0/16 Amazon +3.131.0.0/16 Amazon +3.132.0.0/14 Amazon +3.136.0.0/13 Amazon +3.144.0.0/13 Amazon +3.152.0.0/13 Amazon +3.208.0.0/12 Amazon +3.224.0.0/12 Amazon +3.240.0.0/13 Amazon +3.248.0.0/13 Amazon +13.32.0.0/15 Amazon +13.34.0.128/27 Amazon +13.34.0.160/27 Amazon +13.34.1.0/27 Amazon +13.34.1.32/27 Amazon +13.34.3.128/27 Amazon +13.34.3.160/27 Amazon +13.34.3.192/27 Amazon +13.34.3.224/27 Amazon +13.34.4.64/27 Amazon +13.34.4.96/27 Amazon +13.34.5.12/32 Amazon +13.34.5.13/32 Amazon +13.34.5.14/32 Amazon +13.34.5.15/32 Amazon +13.34.5.16/32 Amazon +13.34.5.17/32 Amazon +13.34.5.44/32 Amazon +13.34.5.45/32 Amazon +13.34.5.46/32 Amazon +13.34.5.47/32 Amazon +13.34.5.48/32 Amazon +13.34.5.49/32 Amazon +13.34.5.78/32 Amazon +13.34.5.79/32 Amazon +13.34.5.80/32 Amazon +13.34.5.81/32 Amazon +13.34.5.110/32 Amazon +13.34.5.111/32 Amazon +13.34.5.112/32 Amazon +13.34.5.113/32 Amazon +13.34.5.128/27 Amazon +13.34.5.160/27 Amazon +13.34.5.192/27 Amazon +13.34.5.224/27 Amazon +13.34.6.192/27 Amazon +13.34.6.224/27 Amazon +13.34.7.64/27 Amazon +13.34.7.96/27 Amazon +13.34.8.64/27 Amazon +13.34.8.96/27 Amazon +13.34.9.0/27 Amazon +13.34.9.32/27 Amazon +13.34.10.128/27 Amazon +13.34.10.160/27 Amazon +13.34.11.0/27 Amazon +13.34.11.32/27 Amazon +13.34.11.128/27 Amazon +13.34.11.160/27 Amazon +13.34.12.64/27 Amazon +13.34.12.96/27 Amazon +13.34.12.192/27 Amazon +13.34.12.242/32 Amazon +13.34.12.243/32 Amazon +13.34.12.244/32 Amazon +13.34.12.245/32 Amazon +13.34.13.18/32 Amazon +13.34.13.19/32 Amazon +13.34.13.20/32 Amazon +13.34.13.21/32 Amazon +13.34.13.50/32 Amazon +13.34.13.51/32 Amazon +13.34.13.52/32 Amazon +13.34.13.53/32 Amazon +13.34.14.128/27 Amazon +13.34.14.160/27 Amazon +13.34.14.192/27 Amazon +13.34.14.224/27 Amazon +13.34.15.0/27 Amazon +13.34.15.32/27 Amazon +13.34.16.64/27 Amazon +13.34.16.96/27 Amazon +13.34.16.192/27 Amazon +13.34.17.24/29 Amazon +13.34.17.64/27 Amazon +13.34.17.96/27 Amazon +13.34.18.192/27 Amazon +13.34.18.224/27 Amazon +13.34.19.192/27 Amazon +13.34.19.224/27 Amazon +13.34.20.0/27 Amazon +13.34.20.32/27 Amazon +13.34.20.64/27 Amazon +13.34.20.96/27 Amazon +13.34.21.64/27 Amazon +13.34.21.96/27 Amazon +13.34.22.88/29 Amazon +13.34.22.160/27 Amazon +13.34.22.192/27 Amazon +13.34.22.224/27 Amazon +13.34.23.0/27 Amazon +13.34.23.32/27 Amazon +13.34.23.64/27 Amazon +13.34.23.96/27 Amazon +13.34.23.128/27 Amazon +13.34.23.160/27 Amazon +13.34.23.192/27 Amazon +13.34.23.224/27 Amazon +13.34.24.64/27 Amazon +13.34.24.96/27 Amazon +13.34.24.128/27 Amazon +13.34.24.160/27 Amazon +13.34.24.192/27 Amazon +13.34.25.64/27 Amazon +13.34.25.96/27 Amazon +13.34.25.128/27 Amazon +13.34.25.160/27 Amazon +13.34.25.192/27 Amazon +13.34.25.248/29 Amazon +13.34.26.0/27 Amazon +13.34.26.32/27 Amazon +13.34.26.64/27 Amazon +13.34.26.96/27 Amazon +13.34.26.128/27 Amazon +13.34.26.160/27 Amazon +13.34.26.192/27 Amazon +13.34.26.224/27 Amazon +13.34.27.16/32 Amazon +13.34.27.17/32 Amazon +13.34.27.32/27 Amazon +13.34.27.64/27 Amazon +13.34.27.96/27 Amazon +13.34.27.128/27 Amazon +13.34.28.0/27 Amazon +13.34.28.32/27 Amazon +13.34.28.64/27 Amazon +13.34.28.96/27 Amazon +13.34.28.128/27 Amazon +13.34.28.160/27 Amazon +13.34.28.192/27 Amazon +13.34.28.224/27 Amazon +13.34.29.0/27 Amazon +13.34.29.32/27 Amazon +13.34.29.64/27 Amazon +13.34.29.96/27 Amazon +13.34.29.128/27 Amazon +13.34.29.160/27 Amazon +13.34.29.192/27 Amazon +13.34.29.224/27 Amazon +13.34.30.0/27 Amazon +13.34.30.32/27 Amazon +13.34.30.64/27 Amazon +13.34.30.96/27 Amazon +13.34.30.128/27 Amazon +13.34.30.160/27 Amazon +13.34.30.192/27 Amazon +13.34.30.224/27 Amazon +13.34.31.0/27 Amazon +13.34.31.32/27 Amazon +13.34.31.64/27 Amazon +13.34.31.96/27 Amazon +13.34.31.128/27 Amazon +13.34.31.160/27 Amazon +13.34.31.192/27 Amazon +13.34.31.224/27 Amazon +13.34.32.0/27 Amazon +13.34.32.32/27 Amazon +13.34.32.64/27 Amazon +13.34.32.96/27 Amazon +13.34.32.128/27 Amazon +13.34.32.160/27 Amazon +13.34.33.0/27 Amazon +13.34.33.32/27 Amazon +13.34.33.64/27 Amazon +13.34.33.96/27 Amazon +13.34.33.128/27 Amazon +13.34.33.160/27 Amazon +13.34.33.192/27 Amazon +13.34.33.224/27 Amazon +13.34.34.0/27 Amazon +13.34.34.32/27 Amazon +13.34.34.64/27 Amazon +13.34.34.96/27 Amazon +13.34.34.128/27 Amazon +13.34.34.160/27 Amazon +13.34.34.192/27 Amazon +13.34.34.224/27 Amazon +13.34.35.0/27 Amazon +13.34.35.32/27 Amazon +13.34.35.64/27 Amazon +13.34.35.96/27 Amazon +13.34.35.128/27 Amazon +13.34.35.160/27 Amazon +13.34.35.192/27 Amazon +13.34.35.224/27 Amazon +13.34.36.0/27 Amazon +13.34.36.32/27 Amazon +13.34.36.64/27 Amazon +13.34.36.96/27 Amazon +13.34.36.128/27 Amazon +13.34.36.160/27 Amazon +13.34.36.192/27 Amazon +13.34.36.224/27 Amazon +13.34.37.0/27 Amazon +13.34.37.32/27 Amazon +13.34.37.64/27 Amazon +13.34.37.96/27 Amazon +13.34.37.128/27 Amazon +13.34.37.160/27 Amazon +13.34.37.192/27 Amazon +13.34.37.224/27 Amazon +13.34.38.0/27 Amazon +13.34.38.32/27 Amazon +13.34.38.64/27 Amazon +13.34.38.96/27 Amazon +13.34.38.128/27 Amazon +13.34.38.160/27 Amazon +13.34.39.0/27 Amazon +13.34.39.32/27 Amazon +13.34.39.64/27 Amazon +13.34.39.96/27 Amazon +13.34.39.128/27 Amazon +13.34.39.160/27 Amazon +13.34.39.192/27 Amazon +13.34.39.224/27 Amazon +13.34.40.0/27 Amazon +13.34.40.32/27 Amazon +13.34.40.64/27 Amazon +13.34.40.96/27 Amazon +13.34.40.128/27 Amazon +13.34.40.160/27 Amazon +13.34.40.192/27 Amazon +13.34.40.224/27 Amazon +13.34.41.0/27 Amazon +13.34.41.32/27 Amazon +13.34.41.64/27 Amazon +13.34.41.96/27 Amazon +13.34.41.128/27 Amazon +13.34.41.160/27 Amazon +13.34.41.192/27 Amazon +13.34.41.224/27 Amazon +13.34.42.0/27 Amazon +13.34.42.32/27 Amazon +13.34.42.64/27 Amazon +13.34.42.96/27 Amazon +13.34.42.128/27 Amazon +13.34.42.160/27 Amazon +13.34.42.192/27 Amazon +13.34.42.224/27 Amazon +13.34.43.0/27 Amazon +13.34.43.32/27 Amazon +13.34.43.64/27 Amazon +13.34.43.96/27 Amazon +13.34.43.128/27 Amazon +13.34.43.160/27 Amazon +13.34.43.192/27 Amazon +13.34.43.224/27 Amazon +13.34.44.0/27 Amazon +13.34.44.32/27 Amazon +13.34.44.64/27 Amazon +13.34.44.96/27 Amazon +13.34.44.128/27 Amazon +13.34.44.160/27 Amazon +13.34.44.192/27 Amazon +13.34.44.224/27 Amazon +13.34.45.0/27 Amazon +13.34.45.32/27 Amazon +13.34.45.64/27 Amazon +13.34.45.96/27 Amazon +13.34.45.128/27 Amazon +13.34.45.160/27 Amazon +13.34.45.192/27 Amazon +13.34.45.224/27 Amazon +13.34.46.0/27 Amazon +13.34.46.32/27 Amazon +13.34.46.64/27 Amazon +13.34.46.96/27 Amazon +13.34.46.128/27 Amazon +13.34.46.160/27 Amazon +13.34.46.192/27 Amazon +13.34.46.224/27 Amazon +13.34.47.0/27 Amazon +13.34.47.32/27 Amazon +13.34.47.64/27 Amazon +13.34.47.96/27 Amazon +13.34.47.128/27 Amazon +13.34.47.160/27 Amazon +13.34.47.192/27 Amazon +13.34.47.224/27 Amazon +13.34.48.0/27 Amazon +13.34.48.32/27 Amazon +13.34.48.64/27 Amazon +13.34.48.96/27 Amazon +13.34.48.128/27 Amazon +13.34.48.160/27 Amazon +13.34.48.192/27 Amazon +13.34.48.224/27 Amazon +13.34.49.0/27 Amazon +13.34.49.32/27 Amazon +13.34.49.64/27 Amazon +13.34.49.96/27 Amazon +13.34.49.128/27 Amazon +13.34.49.160/27 Amazon +13.34.49.192/27 Amazon +13.34.49.224/27 Amazon +13.34.50.0/27 Amazon +13.34.50.32/27 Amazon +13.34.50.64/27 Amazon +13.34.50.96/27 Amazon +13.34.50.128/27 Amazon +13.34.50.160/27 Amazon +13.34.50.192/27 Amazon +13.34.50.224/27 Amazon +13.34.51.0/27 Amazon +13.34.51.32/27 Amazon +13.34.51.64/27 Amazon +13.34.51.96/27 Amazon +13.34.51.128/27 Amazon +13.34.51.160/27 Amazon +13.34.51.192/27 Amazon +13.34.51.224/27 Amazon +13.34.52.0/27 Amazon +13.34.52.32/27 Amazon +13.34.52.64/27 Amazon +13.34.52.96/27 Amazon +13.34.52.128/27 Amazon +13.34.52.160/27 Amazon +13.34.52.192/27 Amazon +13.34.52.224/27 Amazon +13.34.53.0/27 Amazon +13.34.53.32/27 Amazon +13.34.53.64/27 Amazon +13.34.53.96/27 Amazon +13.34.53.128/27 Amazon +13.34.53.160/27 Amazon +13.34.53.192/27 Amazon +13.34.53.224/27 Amazon +13.34.54.0/27 Amazon +13.34.54.32/27 Amazon +13.34.54.64/27 Amazon +13.34.54.96/27 Amazon +13.34.54.128/27 Amazon +13.34.54.160/27 Amazon +13.34.54.192/27 Amazon +13.34.54.224/27 Amazon +13.34.55.0/27 Amazon +13.34.55.32/27 Amazon +13.34.55.64/27 Amazon +13.34.55.96/27 Amazon +13.34.55.128/27 Amazon +13.34.55.160/27 Amazon +13.34.55.192/27 Amazon +13.34.55.224/27 Amazon +13.34.56.0/27 Amazon +13.34.56.32/27 Amazon +13.34.56.64/27 Amazon +13.34.56.96/27 Amazon +13.34.56.128/27 Amazon +13.34.56.160/27 Amazon +13.34.56.192/27 Amazon +13.34.56.224/27 Amazon +13.34.57.0/27 Amazon +13.34.57.32/27 Amazon +13.34.57.64/27 Amazon +13.34.57.96/27 Amazon +13.34.57.128/27 Amazon +13.34.57.160/27 Amazon +13.34.57.192/27 Amazon +13.34.57.224/27 Amazon +13.34.58.0/27 Amazon +13.34.58.32/27 Amazon +13.34.58.64/27 Amazon +13.34.58.96/27 Amazon +13.34.58.128/27 Amazon +13.34.58.160/27 Amazon +13.34.58.192/27 Amazon +13.34.58.224/27 Amazon +13.34.59.0/27 Amazon +13.34.59.32/27 Amazon +13.34.59.64/27 Amazon +13.34.59.96/27 Amazon +13.34.59.128/27 Amazon +13.34.59.160/27 Amazon +13.34.59.192/27 Amazon +13.34.59.224/27 Amazon +13.34.60.0/27 Amazon +13.34.60.32/27 Amazon +13.34.60.64/27 Amazon +13.34.60.96/27 Amazon +13.34.60.128/27 Amazon +13.34.60.160/27 Amazon +13.34.60.192/27 Amazon +13.34.60.224/27 Amazon +13.34.61.0/27 Amazon +13.34.61.32/27 Amazon +13.34.61.64/27 Amazon +13.34.61.96/27 Amazon +13.34.61.128/27 Amazon +13.34.61.160/27 Amazon +13.34.61.192/27 Amazon +13.34.61.224/27 Amazon +13.34.62.0/27 Amazon +13.34.62.32/27 Amazon +13.34.62.128/27 Amazon +13.34.62.160/27 Amazon +13.34.62.192/27 Amazon +13.34.62.224/27 Amazon +13.34.63.0/27 Amazon +13.34.63.32/27 Amazon +13.34.63.64/27 Amazon +13.34.63.96/27 Amazon +13.34.63.128/27 Amazon +13.34.63.160/27 Amazon +13.35.0.0/16 Amazon +13.36.0.0/14 Amazon +13.40.0.0/14 Amazon +13.44.0.0/14 Amazon +13.48.0.0/15 Amazon +13.50.0.0/16 Amazon +13.51.0.0/16 Amazon +13.52.0.0/16 Amazon +13.53.0.0/16 Amazon +13.54.0.0/15 Amazon +13.56.0.0/16 Amazon +13.57.0.0/16 Amazon +13.58.0.0/15 Amazon +13.112.0.0/14 Amazon +13.124.0.0/16 Amazon +13.125.0.0/16 Amazon +13.126.0.0/15 Amazon +13.200.0.0/13 Amazon +13.208.0.0/16 Amazon +13.209.0.0/16 Amazon +13.210.0.0/15 Amazon +13.212.0.0/15 Amazon +13.214.0.0/15 Amazon +13.224.0.0/14 Amazon +13.228.0.0/15 Amazon +13.230.0.0/15 Amazon +13.232.0.0/14 Amazon +13.236.0.0/14 Amazon +13.244.0.0/15 Amazon +13.246.0.0/16 Amazon +13.247.0.0/16 Amazon +13.248.0.0/20 Amazon +13.248.16.0/21 Amazon +13.248.24.0/22 Amazon +13.248.28.0/22 Amazon +13.248.32.0/20 Amazon +13.248.48.0/21 Amazon +13.248.56.0/22 Amazon +13.248.60.0/22 Amazon +13.248.64.0/24 Amazon +13.248.65.0/24 Amazon +13.248.66.0/24 Amazon +13.248.67.0/24 Amazon +13.248.68.0/24 Amazon +13.248.69.0/24 Amazon +13.248.70.0/24 Amazon +13.248.71.0/24 Amazon +13.248.96.0/24 Amazon +13.248.97.0/24 Amazon +13.248.98.0/24 Amazon +13.248.99.0/24 Amazon +13.248.100.0/24 Amazon +13.248.101.0/24 Amazon +13.248.102.0/24 Amazon +13.248.103.0/24 Amazon +13.248.104.0/24 Amazon +13.248.105.0/24 Amazon +13.248.106.0/24 Amazon +13.248.107.0/24 Amazon +13.248.108.0/24 Amazon +13.248.109.0/24 Amazon +13.248.111.0/24 Amazon +13.248.112.0/24 Amazon +13.248.113.0/24 Amazon +13.248.114.0/24 Amazon +13.248.115.0/24 Amazon +13.248.116.0/24 Amazon +13.248.117.0/24 Amazon +13.248.118.0/24 Amazon +13.248.119.0/24 Amazon +13.248.120.0/24 Amazon +13.248.121.0/24 Amazon +13.248.122.0/24 Amazon +13.248.123.0/24 Amazon +13.248.124.0/24 Amazon +13.248.125.0/24 Amazon +13.248.126.0/24 Amazon +13.248.127.0/24 Amazon +13.248.128.0/17 Amazon +13.249.0.0/16 Amazon +13.250.0.0/15 Amazon +15.152.0.0/16 Amazon +15.156.0.0/15 Amazon +15.158.0.0/16 Amazon +15.160.0.0/16 Amazon +15.161.0.0/16 Amazon +15.164.0.0/15 Amazon +15.168.0.0/16 Amazon +15.177.0.0/18 Amazon +15.177.64.0/23 Amazon +15.177.66.0/23 Amazon +15.177.68.0/23 Amazon +15.177.70.0/23 Amazon +15.177.72.0/24 Amazon +15.177.73.0/24 Amazon +15.177.74.0/24 Amazon +15.177.75.0/24 Amazon +15.177.76.0/24 Amazon +15.177.77.0/24 Amazon +15.177.78.0/24 Amazon +15.177.79.0/24 Amazon +15.177.80.0/24 Amazon +15.177.81.0/24 Amazon +15.177.82.0/24 Amazon +15.177.83.0/24 Amazon +15.177.84.0/24 Amazon +15.177.85.0/24 Amazon +15.177.86.0/24 Amazon +15.177.87.0/24 Amazon +15.177.88.0/24 Amazon +15.177.89.0/24 Amazon +15.177.90.0/24 Amazon +15.177.91.0/24 Amazon +15.177.92.0/24 Amazon +15.181.0.0/20 Amazon +15.181.16.0/20 Amazon +15.181.32.0/21 Amazon +15.181.40.0/21 Amazon +15.181.48.0/20 Amazon +15.181.64.0/20 Amazon +15.181.80.0/20 Amazon +15.181.96.0/20 Amazon +15.181.112.0/22 Amazon +15.181.116.0/22 Amazon +15.181.120.0/21 Amazon +15.181.128.0/20 Amazon +15.181.144.0/20 Amazon +15.181.160.0/20 Amazon +15.181.176.0/20 Amazon +15.181.192.0/19 Amazon +15.181.224.0/21 Amazon +15.181.232.0/21 Amazon +15.181.240.0/24 Amazon +15.181.241.0/24 Amazon +15.181.242.0/24 Amazon +15.181.243.0/24 Amazon +15.181.244.0/24 Amazon +15.181.245.0/24 Amazon +15.181.246.0/24 Amazon +15.181.247.0/24 Amazon +15.181.248.0/24 Amazon +15.181.249.0/24 Amazon +15.181.250.0/24 Amazon +15.181.251.0/24 Amazon +15.181.252.0/24 Amazon +15.181.253.0/24 Amazon +15.181.254.0/24 Amazon +15.184.0.0/16 Amazon +15.185.0.0/16 Amazon +15.188.0.0/16 Amazon +15.191.0.0/16 Amazon +15.193.0.0/19 Amazon +15.197.0.0/23 Amazon +15.197.2.0/24 Amazon +15.197.3.0/24 Amazon +15.197.4.0/22 Amazon +15.197.8.0/22 Amazon +15.197.12.0/22 Amazon +15.197.16.0/23 Amazon +15.197.18.0/23 Amazon +15.197.20.0/22 Amazon +15.197.24.0/22 Amazon +15.197.28.0/23 Amazon +15.197.30.0/23 Amazon +15.197.32.0/23 Amazon +15.197.128.0/17 Amazon +15.200.0.0/16 Amazon +15.205.0.0/16 Amazon +15.206.0.0/15 Amazon +15.220.0.0/20 Amazon +15.220.16.0/20 Amazon +15.220.220.0/23 Amazon +15.220.222.0/23 Amazon +15.220.224.0/23 Amazon +15.220.226.0/24 Amazon +15.220.250.0/23 Amazon +15.220.252.0/22 Amazon +15.221.0.0/24 Amazon +15.221.1.0/24 Amazon +15.221.2.0/24 Amazon +15.221.3.0/24 Amazon +15.221.4.0/23 Amazon +15.221.6.0/24 Amazon +15.221.7.0/24 Amazon +15.221.8.0/21 Amazon +15.221.16.0/22 Amazon +15.221.20.0/22 Amazon +15.221.24.0/21 Amazon +15.221.33.0/24 Amazon +15.221.34.0/24 Amazon +15.221.35.0/24 Amazon +15.221.36.0/22 Amazon +15.221.40.0/21 Amazon +15.221.48.0/24 Amazon +15.221.49.0/24 Amazon +15.221.50.0/24 Amazon +15.221.51.0/24 Amazon +15.221.52.0/24 Amazon +15.221.53.0/24 Amazon +15.222.0.0/15 Amazon +15.228.0.0/15 Amazon +15.230.0.4/32 Amazon +15.230.0.5/32 Amazon +15.230.0.6/31 Amazon +15.230.0.12/31 Amazon +15.230.0.14/32 Amazon +15.230.4.19/32 Amazon +15.230.4.152/31 Amazon +15.230.4.154/31 Amazon +15.230.4.156/31 Amazon +15.230.4.158/31 Amazon +15.230.4.160/31 Amazon +15.230.4.162/31 Amazon +15.230.4.176/28 Amazon +15.230.5.0/24 Amazon +15.230.6.0/24 Amazon +15.230.14.12/32 Amazon +15.230.14.18/31 Amazon +15.230.14.20/31 Amazon +15.230.14.252/31 Amazon +15.230.16.0/32 Amazon +15.230.16.12/32 Amazon +15.230.16.17/32 Amazon +15.230.16.18/31 Amazon +15.230.16.20/31 Amazon +15.230.16.252/31 Amazon +15.230.18.0/24 Amazon +15.230.21.0/24 Amazon +15.230.22.0/24 Amazon +15.230.23.0/24 Amazon +15.230.24.0/22 Amazon +15.230.28.0/24 Amazon +15.230.29.0/24 Amazon +15.230.30.0/24 Amazon +15.230.31.0/24 Amazon +15.230.32.0/24 Amazon +15.230.35.0/24 Amazon +15.230.36.0/23 Amazon +15.230.38.0/24 Amazon +15.230.39.0/31 Amazon +15.230.39.2/31 Amazon +15.230.39.4/31 Amazon +15.230.39.6/31 Amazon +15.230.39.8/31 Amazon +15.230.39.10/31 Amazon +15.230.39.12/31 Amazon +15.230.39.14/31 Amazon +15.230.39.16/31 Amazon +15.230.39.18/31 Amazon +15.230.39.20/31 Amazon +15.230.39.22/31 Amazon +15.230.39.24/31 Amazon +15.230.39.26/31 Amazon +15.230.39.28/31 Amazon +15.230.39.30/31 Amazon +15.230.39.32/31 Amazon +15.230.39.34/31 Amazon +15.230.39.36/31 Amazon +15.230.39.38/31 Amazon +15.230.39.40/31 Amazon +15.230.39.42/31 Amazon +15.230.39.44/31 Amazon +15.230.39.46/31 Amazon +15.230.39.48/31 Amazon +15.230.39.50/31 Amazon +15.230.39.52/31 Amazon +15.230.39.54/31 Amazon +15.230.39.56/31 Amazon +15.230.39.58/31 Amazon +15.230.39.60/31 Amazon +15.230.39.62/31 Amazon +15.230.39.64/31 Amazon +15.230.39.66/31 Amazon +15.230.39.68/31 Amazon +15.230.39.70/31 Amazon +15.230.39.72/31 Amazon +15.230.39.74/31 Amazon +15.230.39.76/31 Amazon +15.230.39.78/31 Amazon +15.230.39.80/31 Amazon +15.230.39.82/31 Amazon +15.230.39.84/31 Amazon +15.230.39.86/31 Amazon +15.230.39.88/31 Amazon +15.230.39.90/31 Amazon +15.230.39.92/31 Amazon +15.230.39.94/31 Amazon +15.230.39.96/31 Amazon +15.230.39.98/31 Amazon +15.230.39.100/31 Amazon +15.230.39.102/31 Amazon +15.230.39.104/31 Amazon +15.230.39.106/31 Amazon +15.230.39.108/31 Amazon +15.230.39.110/31 Amazon +15.230.39.112/31 Amazon +15.230.39.114/31 Amazon +15.230.39.116/31 Amazon +15.230.39.118/31 Amazon +15.230.39.120/31 Amazon +15.230.39.122/31 Amazon +15.230.39.124/31 Amazon +15.230.39.126/31 Amazon +15.230.39.128/31 Amazon +15.230.39.130/31 Amazon +15.230.39.132/31 Amazon +15.230.39.134/31 Amazon +15.230.39.136/31 Amazon +15.230.39.138/31 Amazon +15.230.39.140/31 Amazon +15.230.39.142/31 Amazon +15.230.39.144/31 Amazon +15.230.39.146/31 Amazon +15.230.39.148/31 Amazon +15.230.39.150/31 Amazon +15.230.39.152/31 Amazon +15.230.39.154/31 Amazon +15.230.39.156/31 Amazon +15.230.39.158/31 Amazon +15.230.39.160/31 Amazon +15.230.39.162/31 Amazon +15.230.39.164/31 Amazon +15.230.39.166/31 Amazon +15.230.39.168/31 Amazon +15.230.39.170/31 Amazon +15.230.39.172/31 Amazon +15.230.39.174/31 Amazon +15.230.39.176/31 Amazon +15.230.39.178/31 Amazon +15.230.39.180/31 Amazon +15.230.39.182/31 Amazon +15.230.39.184/31 Amazon +15.230.39.186/31 Amazon +15.230.39.188/31 Amazon +15.230.39.190/31 Amazon +15.230.39.192/31 Amazon +15.230.39.194/31 Amazon +15.230.39.196/31 Amazon +15.230.39.198/31 Amazon +15.230.39.200/31 Amazon +15.230.39.202/31 Amazon +15.230.39.204/31 Amazon +15.230.39.206/31 Amazon +15.230.39.208/31 Amazon +15.230.39.210/31 Amazon +15.230.39.212/31 Amazon +15.230.39.214/31 Amazon +15.230.39.216/31 Amazon +15.230.39.218/31 Amazon +15.230.39.220/31 Amazon +15.230.39.222/31 Amazon +15.230.39.224/31 Amazon +15.230.39.226/31 Amazon +15.230.39.228/31 Amazon +15.230.39.230/31 Amazon +15.230.39.232/31 Amazon +15.230.39.234/31 Amazon +15.230.39.236/31 Amazon +15.230.39.238/31 Amazon +15.230.39.240/31 Amazon +15.230.39.242/31 Amazon +15.230.39.244/31 Amazon +15.230.39.246/31 Amazon +15.230.39.248/31 Amazon +15.230.39.250/31 Amazon +15.230.39.252/31 Amazon +15.230.39.254/31 Amazon +15.230.40.0/24 Amazon +15.230.41.0/24 Amazon +15.230.42.0/24 Amazon +15.230.43.0/24 Amazon +15.230.49.0/24 Amazon +15.230.50.0/24 Amazon +15.230.51.0/24 Amazon +15.230.52.0/24 Amazon +15.230.53.0/24 Amazon +15.230.54.0/24 Amazon +15.230.55.0/24 Amazon +15.230.56.0/24 Amazon +15.230.57.0/24 Amazon +15.230.58.0/24 Amazon +15.230.59.0/24 Amazon +15.230.60.0/24 Amazon +15.230.61.0/24 Amazon +15.230.64.192/26 Amazon +15.230.65.0/26 Amazon +15.230.65.64/26 Amazon +15.230.65.128/25 Amazon +15.230.66.0/25 Amazon +15.230.66.128/25 Amazon +15.230.67.0/26 Amazon +15.230.67.64/26 Amazon +15.230.67.128/26 Amazon +15.230.67.192/26 Amazon +15.230.68.0/26 Amazon +15.230.68.64/26 Amazon +15.230.68.128/26 Amazon +15.230.68.192/26 Amazon +15.230.69.0/26 Amazon +15.230.69.64/26 Amazon +15.230.69.128/26 Amazon +15.230.69.192/26 Amazon +15.230.70.0/26 Amazon +15.230.70.64/26 Amazon +15.230.70.128/26 Amazon +15.230.70.192/26 Amazon +15.230.71.0/26 Amazon +15.230.71.64/26 Amazon +15.230.71.128/26 Amazon +15.230.71.192/26 Amazon +15.230.72.0/26 Amazon +15.230.72.64/26 Amazon +15.230.72.128/26 Amazon +15.230.72.192/26 Amazon +15.230.73.0/26 Amazon +15.230.73.64/26 Amazon +15.230.73.128/26 Amazon +15.230.73.192/26 Amazon +15.230.74.0/26 Amazon +15.230.74.64/26 Amazon +15.230.74.128/26 Amazon +15.230.74.192/26 Amazon +15.230.75.0/26 Amazon +15.230.75.64/26 Amazon +15.230.75.128/26 Amazon +15.230.75.192/26 Amazon +15.230.76.0/26 Amazon +15.230.76.64/26 Amazon +15.230.76.128/26 Amazon +15.230.76.192/26 Amazon +15.230.77.0/26 Amazon +15.230.77.64/26 Amazon +15.230.77.128/26 Amazon +15.230.77.192/26 Amazon +15.230.78.0/26 Amazon +15.230.78.64/26 Amazon +15.230.78.128/26 Amazon +15.230.78.192/26 Amazon +15.230.79.0/26 Amazon +15.230.79.64/26 Amazon +15.230.79.128/26 Amazon +15.230.80.0/24 Amazon +15.230.81.0/24 Amazon +15.230.82.0/24 Amazon +15.230.83.0/24 Amazon +15.230.84.0/24 Amazon +15.230.85.0/24 Amazon +15.230.86.0/24 Amazon +15.230.87.0/24 Amazon +15.230.88.0/24 Amazon +15.230.89.0/24 Amazon +15.230.90.0/24 Amazon +15.230.91.0/24 Amazon +15.230.92.0/24 Amazon +15.230.93.0/24 Amazon +15.230.94.0/24 Amazon +15.230.129.0/24 Amazon +15.230.130.0/24 Amazon +15.230.131.0/32 Amazon +15.230.131.1/32 Amazon +15.230.131.2/32 Amazon +15.230.131.3/32 Amazon +15.230.131.4/32 Amazon +15.230.131.5/32 Amazon +15.230.131.6/32 Amazon +15.230.131.7/32 Amazon +15.230.131.8/32 Amazon +15.230.131.9/32 Amazon +15.230.131.10/31 Amazon +15.230.131.12/31 Amazon +15.230.131.14/32 Amazon +15.230.131.15/32 Amazon +15.230.131.16/28 Amazon +15.230.131.32/28 Amazon +15.230.131.48/28 Amazon +15.230.131.64/28 Amazon +15.230.131.80/28 Amazon +15.230.131.96/28 Amazon +15.230.131.112/28 Amazon +15.230.131.128/28 Amazon +15.230.131.144/28 Amazon +15.230.131.160/31 Amazon +15.230.131.162/31 Amazon +15.230.131.164/31 Amazon +15.230.131.166/31 Amazon +15.230.131.168/31 Amazon +15.230.131.170/31 Amazon +15.230.131.172/31 Amazon +15.230.131.174/31 Amazon +15.230.132.0/24 Amazon +15.230.133.0/28 Amazon +15.230.133.16/32 Amazon +15.230.133.17/32 Amazon +15.230.133.18/31 Amazon +15.230.133.20/31 Amazon +15.230.133.22/31 Amazon +15.230.133.24/32 Amazon +15.230.133.26/31 Amazon +15.230.133.28/31 Amazon +15.230.134.0/24 Amazon +15.230.135.0/24 Amazon +15.230.136.0/24 Amazon +15.230.137.0/24 Amazon +15.230.138.0/24 Amazon +15.230.140.0/24 Amazon +15.230.141.0/24 Amazon +15.230.142.0/24 Amazon +15.230.143.0/24 Amazon +15.230.144.0/24 Amazon +15.230.145.0/24 Amazon +15.230.148.0/24 Amazon +15.230.149.0/31 Amazon +15.230.149.2/31 Amazon +15.230.149.4/31 Amazon +15.230.149.8/31 Amazon +15.230.149.10/32 Amazon +15.230.149.11/32 Amazon +15.230.150.0/23 Amazon +15.230.152.0/24 Amazon +15.230.153.0/24 Amazon +15.230.154.0/23 Amazon +15.230.156.0/24 Amazon +15.230.157.0/24 Amazon +15.230.158.0/23 Amazon +15.230.160.0/24 Amazon +15.230.161.0/24 Amazon +15.230.162.0/24 Amazon +15.230.163.0/24 Amazon +15.230.164.0/24 Amazon +15.230.165.0/24 Amazon +15.230.166.0/24 Amazon +15.230.170.0/23 Amazon +15.230.173.0/24 Amazon +15.230.174.0/24 Amazon +15.230.176.0/24 Amazon +15.230.177.0/31 Amazon +15.230.177.2/31 Amazon +15.230.178.0/24 Amazon +15.230.179.0/29 Amazon +15.230.179.8/29 Amazon +15.230.179.16/29 Amazon +15.230.181.0/24 Amazon +15.230.182.0/24 Amazon +15.230.183.0/24 Amazon +15.230.184.0/24 Amazon +15.230.185.0/24 Amazon +15.230.186.0/24 Amazon +15.230.188.0/25 Amazon +15.230.188.128/25 Amazon +15.230.189.0/25 Amazon +15.230.189.128/25 Amazon +15.230.190.0/25 Amazon +15.230.190.128/25 Amazon +15.230.192.0/24 Amazon +15.230.193.0/24 Amazon +15.230.195.0/24 Amazon +15.230.196.0/24 Amazon +15.230.197.0/24 Amazon +15.230.198.0/24 Amazon +15.230.199.0/28 Amazon +15.230.200.0/24 Amazon +15.230.201.0/24 Amazon +15.230.202.0/30 Amazon +15.230.203.0/24 Amazon +15.230.204.0/32 Amazon +15.230.204.1/32 Amazon +15.230.204.2/32 Amazon +15.230.204.3/32 Amazon +15.230.205.0/24 Amazon +15.230.206.0/24 Amazon +15.230.207.0/24 Amazon +15.231.0.0/16 Amazon +15.236.0.0/15 Amazon +15.248.8.0/22 Amazon +15.248.16.0/22 Amazon +15.248.20.0/22 Amazon +15.248.24.0/22 Amazon +15.248.28.0/22 Amazon +15.248.32.0/22 Amazon +15.248.36.0/22 Amazon +15.248.40.0/22 Amazon +15.251.0.0/32 Amazon +15.251.0.1/32 Amazon +15.251.0.2/32 Amazon +15.251.0.3/32 Amazon +15.251.0.4/32 Amazon +15.251.0.5/32 Amazon +15.251.0.6/32 Amazon +15.251.0.7/32 Amazon +15.251.0.8/32 Amazon +15.251.0.9/32 Amazon +15.251.0.10/32 Amazon +15.251.0.11/32 Amazon +15.251.0.12/32 Amazon +15.251.0.13/32 Amazon +15.251.0.14/32 Amazon +15.251.0.15/32 Amazon +15.253.0.0/16 Amazon +15.254.0.0/16 Amazon +16.12.0.0/23 Amazon +16.12.2.0/24 Amazon +16.12.4.0/23 Amazon +16.12.6.0/23 Amazon +16.12.8.0/24 Amazon +16.16.0.0/16 Amazon +16.50.0.0/15 Amazon +16.62.0.0/15 Amazon +16.162.0.0/15 Amazon +16.168.0.0/15 Amazon +16.170.0.0/15 Amazon +18.32.0.0/11 Amazon +18.60.0.0/15 Amazon +18.64.0.0/10 Amazon +18.100.0.0/15 Amazon +18.102.0.0/16 Amazon +18.116.0.0/14 Amazon +18.128.0.0/9 Amazon +18.130.0.0/16 Amazon +18.132.0.0/14 Amazon +18.136.0.0/16 Amazon +18.138.0.0/15 Amazon +18.140.0.0/15 Amazon +18.142.0.0/15 Amazon +18.144.0.0/15 Amazon +18.148.0.0/14 Amazon +18.153.0.0/16 Amazon +18.156.0.0/14 Amazon +18.162.0.0/16 Amazon +18.163.0.0/16 Amazon +18.166.0.0/15 Amazon +18.168.0.0/14 Amazon +18.175.0.0/16 Amazon +18.176.0.0/15 Amazon +18.178.0.0/16 Amazon +18.179.0.0/16 Amazon +18.180.0.0/15 Amazon +18.182.0.0/16 Amazon +18.183.0.0/16 Amazon +18.184.0.0/15 Amazon +18.186.0.0/15 Amazon +18.188.0.0/16 Amazon +18.189.0.0/16 Amazon +18.190.0.0/16 Amazon +18.191.0.0/16 Amazon +18.192.0.0/15 Amazon +18.194.0.0/15 Amazon +18.196.0.0/15 Amazon +18.198.0.0/15 Amazon +18.200.0.0/16 Amazon +18.201.0.0/16 Amazon +18.202.0.0/15 Amazon +18.204.0.0/14 Amazon +18.208.0.0/13 Amazon +18.216.0.0/14 Amazon +18.220.0.0/14 Amazon +18.224.0.0/14 Amazon +18.228.0.0/16 Amazon +18.229.0.0/16 Amazon +18.230.0.0/16 Amazon +18.231.0.0/16 Amazon +18.232.0.0/14 Amazon +18.236.0.0/15 Amazon +18.246.0.0/16 Amazon +18.252.0.0/16 Amazon +18.253.0.0/16 Amazon +18.254.0.0/16 Amazon +23.20.0.0/14 Amazon +27.0.0.0/22 Amazon +34.192.0.0/12 Amazon +34.208.0.0/12 Amazon +34.224.0.0/12 Amazon +34.240.0.0/13 Amazon +34.248.0.0/13 Amazon +35.71.64.0/22 Amazon +35.71.96.0/24 Amazon +35.71.97.0/24 Amazon +35.71.128.0/17 Amazon +35.72.0.0/13 Amazon +35.80.0.0/12 Amazon +35.96.0.0/12 Amazon +35.152.0.0/16 Amazon +35.153.0.0/16 Amazon +35.154.0.0/16 Amazon +35.155.0.0/16 Amazon +35.156.0.0/14 Amazon +35.160.0.0/13 Amazon +35.168.0.0/13 Amazon +35.176.0.0/15 Amazon +35.178.0.0/15 Amazon +35.180.0.0/16 Amazon +35.181.0.0/16 Amazon +35.182.0.0/15 Amazon +36.103.232.0/25 Amazon +36.103.232.128/26 Amazon +43.192.0.0/15 Amazon +43.194.0.0/16 Amazon +43.195.0.0/16 Amazon +43.196.0.0/15 Amazon +43.198.0.0/15 Amazon +43.200.0.0/14 Amazon +43.204.0.0/15 Amazon +43.206.0.0/15 Amazon +43.224.76.0/30 Amazon +43.224.76.4/30 Amazon +43.224.76.8/30 Amazon +43.224.76.12/30 Amazon +43.224.76.16/30 Amazon +43.224.76.20/30 Amazon +43.224.76.24/30 Amazon +43.224.76.28/30 Amazon +43.224.76.32/30 Amazon +43.224.76.36/30 Amazon +43.224.76.40/30 Amazon +43.224.76.44/30 Amazon +43.224.76.48/30 Amazon +43.224.76.52/30 Amazon +43.224.76.56/30 Amazon +43.224.76.60/30 Amazon +43.224.76.64/30 Amazon +43.224.76.68/30 Amazon +43.224.76.72/30 Amazon +43.224.76.76/30 Amazon +43.224.76.80/30 Amazon +43.224.76.84/30 Amazon +43.224.76.88/30 Amazon +43.224.76.92/30 Amazon +43.224.76.96/30 Amazon +43.224.76.100/30 Amazon +43.224.76.104/30 Amazon +43.224.76.108/30 Amazon +43.224.76.112/30 Amazon +43.224.76.116/30 Amazon +43.224.76.120/30 Amazon +43.224.76.124/30 Amazon +43.224.76.128/30 Amazon +43.224.76.132/30 Amazon +43.224.76.136/30 Amazon +43.224.76.140/30 Amazon +43.224.76.144/30 Amazon +43.224.76.148/30 Amazon +43.224.76.152/30 Amazon +43.224.76.156/30 Amazon +43.224.76.160/30 Amazon +43.224.76.164/30 Amazon +43.224.76.168/30 Amazon +43.224.76.172/30 Amazon +43.224.76.176/30 Amazon +43.224.76.180/30 Amazon +43.224.76.184/30 Amazon +43.224.76.188/30 Amazon +43.224.76.192/30 Amazon +43.224.76.196/30 Amazon +43.224.76.200/30 Amazon +43.224.76.204/30 Amazon +43.224.76.208/30 Amazon +43.224.76.212/30 Amazon +43.224.76.216/30 Amazon +43.224.76.220/30 Amazon +43.224.76.224/30 Amazon +43.224.76.228/30 Amazon +43.224.76.232/30 Amazon +43.224.76.236/30 Amazon +43.224.76.240/30 Amazon +43.224.76.244/30 Amazon +43.224.76.248/30 Amazon +43.224.77.0/29 Amazon +43.224.77.8/29 Amazon +43.224.77.24/30 Amazon +43.224.77.28/30 Amazon +43.224.77.32/30 Amazon +43.224.77.36/30 Amazon +43.224.77.40/30 Amazon +43.224.77.44/30 Amazon +43.224.77.76/30 Amazon +43.224.77.80/30 Amazon +43.224.77.84/30 Amazon +43.224.77.88/30 Amazon +43.224.77.92/30 Amazon +43.224.77.96/30 Amazon +43.224.77.100/30 Amazon +43.224.77.104/30 Amazon +43.224.77.108/30 Amazon +43.224.77.112/30 Amazon +43.224.77.116/30 Amazon +43.224.77.120/30 Amazon +43.224.77.124/30 Amazon +43.224.77.128/30 Amazon +43.224.77.132/30 Amazon +43.224.77.136/30 Amazon +43.224.77.140/30 Amazon +43.224.77.144/30 Amazon +43.224.77.148/30 Amazon +43.224.77.152/30 Amazon +43.224.77.156/30 Amazon +43.224.77.168/30 Amazon +43.224.77.172/30 Amazon +43.224.77.176/30 Amazon +43.224.77.180/30 Amazon +43.224.77.184/30 Amazon +43.224.77.188/30 Amazon +43.224.77.192/30 Amazon +43.224.77.208/30 Amazon +43.224.77.212/30 Amazon +43.224.79.26/31 Amazon +43.224.79.28/31 Amazon +43.224.79.30/31 Amazon +43.224.79.32/31 Amazon +43.224.79.34/31 Amazon +43.224.79.36/31 Amazon +43.224.79.38/31 Amazon +43.224.79.40/31 Amazon +43.224.79.42/31 Amazon +43.224.79.44/31 Amazon +43.224.79.46/31 Amazon +43.224.79.48/31 Amazon +43.224.79.50/31 Amazon +43.224.79.52/31 Amazon +43.224.79.54/31 Amazon +43.224.79.56/31 Amazon +43.224.79.58/31 Amazon +43.224.79.60/31 Amazon +43.224.79.62/31 Amazon +43.224.79.64/31 Amazon +43.224.79.66/31 Amazon +43.224.79.68/31 Amazon +43.224.79.70/31 Amazon +43.224.79.72/31 Amazon +43.224.79.74/31 Amazon +43.224.79.76/31 Amazon +43.224.79.78/31 Amazon +43.224.79.80/31 Amazon +43.224.79.82/31 Amazon +43.224.79.84/31 Amazon +43.224.79.90/31 Amazon +43.224.79.92/31 Amazon +43.224.79.94/31 Amazon +43.224.79.96/31 Amazon +43.224.79.98/31 Amazon +43.224.79.100/31 Amazon +43.224.79.102/31 Amazon +43.224.79.104/31 Amazon +43.224.79.106/31 Amazon +43.224.79.108/31 Amazon +43.224.79.110/31 Amazon +43.224.79.112/31 Amazon +43.224.79.114/31 Amazon +43.224.79.116/31 Amazon +43.224.79.118/31 Amazon +43.224.79.120/31 Amazon +43.224.79.122/31 Amazon +43.224.79.124/31 Amazon +43.224.79.126/31 Amazon +43.224.79.128/31 Amazon +43.224.79.130/31 Amazon +43.224.79.136/31 Amazon +43.224.79.138/31 Amazon +43.224.79.140/31 Amazon +43.224.79.142/31 Amazon +43.224.79.144/31 Amazon +43.224.79.154/31 Amazon +43.224.79.156/31 Amazon +43.224.79.158/31 Amazon +43.224.79.160/31 Amazon +43.224.79.162/31 Amazon +43.224.79.164/31 Amazon +43.224.79.166/31 Amazon +43.224.79.168/31 Amazon +43.224.79.174/31 Amazon +43.224.79.176/31 Amazon +43.224.79.178/31 Amazon +43.224.79.180/31 Amazon +43.224.79.182/31 Amazon +43.224.79.184/31 Amazon +43.224.79.186/31 Amazon +43.224.79.188/31 Amazon +43.224.79.190/31 Amazon +43.224.79.192/31 Amazon +43.224.79.194/31 Amazon +43.224.79.196/31 Amazon +43.224.79.198/31 Amazon +43.224.79.200/31 Amazon +43.224.79.202/31 Amazon +43.224.79.204/31 Amazon +43.224.79.206/31 Amazon +43.224.79.208/31 Amazon +43.224.79.210/31 Amazon +43.224.79.212/31 Amazon +43.224.79.214/31 Amazon +43.224.79.216/31 Amazon +43.224.79.218/31 Amazon +43.224.79.220/31 Amazon +43.224.79.222/31 Amazon +43.224.79.224/31 Amazon +43.224.79.226/31 Amazon +43.224.79.228/31 Amazon +43.224.79.230/31 Amazon +43.224.79.232/31 Amazon +43.224.79.234/31 Amazon +43.224.79.236/31 Amazon +43.224.79.238/31 Amazon +43.224.79.240/31 Amazon +43.224.79.242/31 Amazon +43.224.79.244/31 Amazon +43.224.79.246/31 Amazon +43.224.79.248/31 Amazon +43.224.79.250/31 Amazon +43.224.79.252/31 Amazon +43.224.79.254/31 Amazon +43.249.45.0/24 Amazon +43.249.46.0/24 Amazon +43.249.47.0/24 Amazon +43.250.192.0/24 Amazon +43.250.193.0/24 Amazon +44.192.0.0/11 Amazon +44.224.0.0/11 Amazon +46.51.128.0/18 Amazon +46.51.192.0/20 Amazon +46.51.208.0/22 Amazon +46.51.216.0/21 Amazon +46.51.224.0/19 Amazon +46.137.0.0/17 Amazon +46.137.128.0/18 Amazon +46.137.192.0/19 Amazon +46.137.224.0/19 Amazon +50.16.0.0/15 Amazon +50.18.0.0/16 Amazon +50.19.0.0/16 Amazon +50.112.0.0/16 Amazon +51.20.0.0/14 Amazon +52.0.0.0/15 Amazon +52.2.0.0/15 Amazon +52.4.0.0/14 Amazon +52.8.0.0/16 Amazon +52.9.0.0/16 Amazon +52.10.0.0/15 Amazon +52.12.0.0/15 Amazon +52.14.0.0/16 Amazon +52.15.0.0/16 Amazon +52.16.0.0/15 Amazon +52.18.0.0/15 Amazon +52.20.0.0/14 Amazon +52.24.0.0/14 Amazon +52.28.0.0/16 Amazon +52.29.0.0/16 Amazon +52.30.0.0/15 Amazon +52.32.0.0/14 Amazon +52.36.0.0/14 Amazon +52.40.0.0/14 Amazon +52.44.0.0/15 Amazon +52.46.0.0/18 Amazon +52.46.64.0/20 Amazon +52.46.80.0/21 Amazon +52.46.88.0/22 Amazon +52.46.92.0/22 Amazon +52.46.96.0/19 Amazon +52.46.128.0/19 Amazon +52.46.164.0/23 Amazon +52.46.166.0/23 Amazon +52.46.168.0/23 Amazon +52.46.170.0/23 Amazon +52.46.172.0/22 Amazon +52.46.176.0/22 Amazon +52.46.180.0/22 Amazon +52.46.184.0/22 Amazon +52.46.188.24/30 Amazon +52.46.188.28/30 Amazon +52.46.188.36/30 Amazon +52.46.188.40/30 Amazon +52.46.188.44/30 Amazon +52.46.188.48/30 Amazon +52.46.188.52/30 Amazon +52.46.188.56/30 Amazon +52.46.188.60/30 Amazon +52.46.188.64/30 Amazon +52.46.188.68/30 Amazon +52.46.188.72/30 Amazon +52.46.188.76/30 Amazon +52.46.188.80/30 Amazon +52.46.188.84/30 Amazon +52.46.188.88/30 Amazon +52.46.188.92/30 Amazon +52.46.188.96/30 Amazon +52.46.188.108/30 Amazon +52.46.188.120/30 Amazon +52.46.188.132/30 Amazon +52.46.188.136/30 Amazon +52.46.188.140/30 Amazon +52.46.188.144/30 Amazon +52.46.188.148/30 Amazon +52.46.188.152/30 Amazon +52.46.188.156/30 Amazon +52.46.188.160/30 Amazon +52.46.188.164/30 Amazon +52.46.188.168/30 Amazon +52.46.188.172/30 Amazon +52.46.188.176/30 Amazon +52.46.188.180/30 Amazon +52.46.188.184/30 Amazon +52.46.188.188/30 Amazon +52.46.188.192/30 Amazon +52.46.188.204/30 Amazon +52.46.188.208/30 Amazon +52.46.188.216/30 Amazon +52.46.188.224/30 Amazon +52.46.188.228/30 Amazon +52.46.188.232/30 Amazon +52.46.188.236/30 Amazon +52.46.188.240/30 Amazon +52.46.188.244/30 Amazon +52.46.188.248/30 Amazon +52.46.188.252/30 Amazon +52.46.189.0/30 Amazon +52.46.189.4/30 Amazon +52.46.189.8/30 Amazon +52.46.189.12/30 Amazon +52.46.189.16/30 Amazon +52.46.189.32/30 Amazon +52.46.189.36/30 Amazon +52.46.189.40/30 Amazon +52.46.189.44/30 Amazon +52.46.189.48/30 Amazon +52.46.189.52/30 Amazon +52.46.189.56/30 Amazon +52.46.189.60/30 Amazon +52.46.189.64/30 Amazon +52.46.189.68/30 Amazon +52.46.189.72/30 Amazon +52.46.189.76/30 Amazon +52.46.189.80/30 Amazon +52.46.189.84/30 Amazon +52.46.189.88/30 Amazon +52.46.189.92/30 Amazon +52.46.189.96/30 Amazon +52.46.189.100/30 Amazon +52.46.189.104/30 Amazon +52.46.189.108/30 Amazon +52.46.189.112/30 Amazon +52.46.189.124/30 Amazon +52.46.189.128/30 Amazon +52.46.189.132/30 Amazon +52.46.189.136/30 Amazon +52.46.189.140/30 Amazon +52.46.189.156/30 Amazon +52.46.189.160/30 Amazon +52.46.189.168/30 Amazon +52.46.189.172/30 Amazon +52.46.189.176/30 Amazon +52.46.189.180/30 Amazon +52.46.189.192/30 Amazon +52.46.189.196/30 Amazon +52.46.189.200/30 Amazon +52.46.189.204/30 Amazon +52.46.189.216/30 Amazon +52.46.189.220/30 Amazon +52.46.189.224/30 Amazon +52.46.189.228/30 Amazon +52.46.189.240/30 Amazon +52.46.189.244/30 Amazon +52.46.189.248/30 Amazon +52.46.189.252/30 Amazon +52.46.190.0/30 Amazon +52.46.190.4/30 Amazon +52.46.190.8/30 Amazon +52.46.190.12/30 Amazon +52.46.190.32/30 Amazon +52.46.190.36/30 Amazon +52.46.190.40/30 Amazon +52.46.190.44/30 Amazon +52.46.190.52/30 Amazon +52.46.190.56/30 Amazon +52.46.190.60/30 Amazon +52.46.190.64/30 Amazon +52.46.190.68/30 Amazon +52.46.190.72/30 Amazon +52.46.190.76/30 Amazon +52.46.190.92/30 Amazon +52.46.190.96/30 Amazon +52.46.190.100/30 Amazon +52.46.190.104/30 Amazon +52.46.190.108/30 Amazon +52.46.190.120/30 Amazon +52.46.190.124/30 Amazon +52.46.190.144/30 Amazon +52.46.190.148/30 Amazon +52.46.190.152/30 Amazon +52.46.190.164/30 Amazon +52.46.190.168/30 Amazon +52.46.190.180/31 Amazon +52.46.190.182/31 Amazon +52.46.190.188/31 Amazon +52.46.190.190/31 Amazon +52.46.190.192/31 Amazon +52.46.190.202/31 Amazon +52.46.190.204/31 Amazon +52.46.190.206/31 Amazon +52.46.190.208/31 Amazon +52.46.190.210/31 Amazon +52.46.190.212/31 Amazon +52.46.190.214/31 Amazon +52.46.190.216/31 Amazon +52.46.190.222/31 Amazon +52.46.190.224/31 Amazon +52.46.190.226/31 Amazon +52.46.190.228/31 Amazon +52.46.190.230/31 Amazon +52.46.190.232/31 Amazon +52.46.190.234/31 Amazon +52.46.190.236/31 Amazon +52.46.190.238/31 Amazon +52.46.190.240/31 Amazon +52.46.190.242/31 Amazon +52.46.190.244/31 Amazon +52.46.190.254/31 Amazon +52.46.191.0/31 Amazon +52.46.191.2/31 Amazon +52.46.191.4/31 Amazon +52.46.191.6/31 Amazon +52.46.191.8/31 Amazon +52.46.191.10/31 Amazon +52.46.191.12/31 Amazon +52.46.191.18/31 Amazon +52.46.191.20/31 Amazon +52.46.191.22/31 Amazon +52.46.191.24/31 Amazon +52.46.191.26/31 Amazon +52.46.191.28/31 Amazon +52.46.191.34/31 Amazon +52.46.191.36/31 Amazon +52.46.191.42/31 Amazon +52.46.191.44/31 Amazon +52.46.191.46/31 Amazon +52.46.191.48/31 Amazon +52.46.191.52/31 Amazon +52.46.191.54/31 Amazon +52.46.191.60/31 Amazon +52.46.191.62/31 Amazon +52.46.191.64/31 Amazon +52.46.191.66/31 Amazon +52.46.191.68/31 Amazon +52.46.191.70/31 Amazon +52.46.191.72/31 Amazon +52.46.191.76/31 Amazon +52.46.191.78/31 Amazon +52.46.191.80/31 Amazon +52.46.191.82/31 Amazon +52.46.191.84/31 Amazon +52.46.191.86/31 Amazon +52.46.191.88/31 Amazon +52.46.191.90/31 Amazon +52.46.191.92/31 Amazon +52.46.191.94/31 Amazon +52.46.191.96/31 Amazon +52.46.191.98/31 Amazon +52.46.191.100/31 Amazon +52.46.191.102/31 Amazon +52.46.191.104/31 Amazon +52.46.191.106/31 Amazon +52.46.191.108/31 Amazon +52.46.191.110/31 Amazon +52.46.191.120/31 Amazon +52.46.191.122/31 Amazon +52.46.191.124/31 Amazon +52.46.191.126/31 Amazon +52.46.191.128/31 Amazon +52.46.191.130/31 Amazon +52.46.191.132/31 Amazon +52.46.191.134/31 Amazon +52.46.191.136/31 Amazon +52.46.191.140/31 Amazon +52.46.191.142/31 Amazon +52.46.191.144/31 Amazon +52.46.191.148/31 Amazon +52.46.191.150/31 Amazon +52.46.191.152/31 Amazon +52.46.191.156/31 Amazon +52.46.191.158/31 Amazon +52.46.191.164/31 Amazon +52.46.191.166/31 Amazon +52.46.191.168/31 Amazon +52.46.191.170/31 Amazon +52.46.191.172/31 Amazon +52.46.191.174/31 Amazon +52.46.191.176/31 Amazon +52.46.191.178/31 Amazon +52.46.191.180/31 Amazon +52.46.191.182/31 Amazon +52.46.191.184/31 Amazon +52.46.191.186/31 Amazon +52.46.191.188/31 Amazon +52.46.191.190/31 Amazon +52.46.191.192/31 Amazon +52.46.191.194/31 Amazon +52.46.191.200/31 Amazon +52.46.191.202/31 Amazon +52.46.191.210/31 Amazon +52.46.191.212/31 Amazon +52.46.191.214/31 Amazon +52.46.191.216/31 Amazon +52.46.191.218/31 Amazon +52.46.191.220/31 Amazon +52.46.191.222/31 Amazon +52.46.191.224/31 Amazon +52.46.191.226/31 Amazon +52.46.191.228/31 Amazon +52.46.191.230/31 Amazon +52.46.191.232/31 Amazon +52.46.191.234/31 Amazon +52.46.191.236/31 Amazon +52.46.191.238/31 Amazon +52.46.191.240/31 Amazon +52.46.192.0/20 Amazon +52.46.208.0/21 Amazon +52.46.216.0/22 Amazon +52.46.220.0/22 Amazon +52.46.224.0/20 Amazon +52.46.240.0/22 Amazon +52.46.249.0/24 Amazon +52.46.250.0/23 Amazon +52.46.252.0/22 Amazon +52.47.0.0/16 Amazon +52.48.0.0/14 Amazon +52.52.0.0/15 Amazon +52.54.0.0/15 Amazon +52.56.0.0/16 Amazon +52.57.0.0/16 Amazon +52.58.0.0/15 Amazon +52.60.0.0/16 Amazon +52.61.0.0/16 Amazon +52.62.0.0/15 Amazon +52.64.0.0/17 Amazon +52.64.128.0/17 Amazon +52.65.0.0/16 Amazon +52.66.0.0/16 Amazon +52.67.0.0/16 Amazon +52.68.0.0/15 Amazon +52.70.0.0/15 Amazon +52.72.0.0/15 Amazon +52.74.0.0/16 Amazon +52.75.0.0/16 Amazon +52.76.0.0/17 Amazon +52.76.128.0/17 Amazon +52.77.0.0/16 Amazon +52.78.0.0/16 Amazon +52.79.0.0/16 Amazon +52.80.0.0/16 Amazon +52.81.0.0/16 Amazon +52.82.0.0/17 Amazon +52.82.128.0/19 Amazon +52.82.160.0/22 Amazon +52.82.164.0/22 Amazon +52.82.168.0/24 Amazon +52.82.169.0/28 Amazon +52.82.169.16/28 Amazon +52.82.176.0/22 Amazon +52.82.180.0/22 Amazon +52.82.184.0/23 Amazon +52.82.187.0/24 Amazon +52.82.188.0/22 Amazon +52.82.192.0/18 Amazon +52.83.0.0/16 Amazon +52.84.0.0/15 Amazon +52.86.0.0/15 Amazon +52.88.0.0/15 Amazon +52.90.0.0/15 Amazon +52.92.0.0/17 Amazon +52.92.128.0/17 Amazon +52.93.0.0/24 Amazon +52.93.1.0/24 Amazon +52.93.2.0/24 Amazon +52.93.3.0/24 Amazon +52.93.4.0/24 Amazon +52.93.5.0/24 Amazon +52.93.8.0/22 Amazon +52.93.12.12/32 Amazon +52.93.12.13/32 Amazon +52.93.14.18/32 Amazon +52.93.14.19/32 Amazon +52.93.16.0/24 Amazon +52.93.17.0/24 Amazon +52.93.18.178/32 Amazon +52.93.18.179/32 Amazon +52.93.19.236/32 Amazon +52.93.19.237/32 Amazon +52.93.20.0/24 Amazon +52.93.21.14/32 Amazon +52.93.21.15/32 Amazon +52.93.32.176/32 Amazon +52.93.32.179/32 Amazon +52.93.32.180/32 Amazon +52.93.34.40/32 Amazon +52.93.34.42/32 Amazon +52.93.34.56/32 Amazon +52.93.34.57/32 Amazon +52.93.34.120/31 Amazon +52.93.34.122/31 Amazon +52.93.34.124/31 Amazon +52.93.34.126/31 Amazon +52.93.35.212/32 Amazon +52.93.35.213/32 Amazon +52.93.37.222/32 Amazon +52.93.37.223/32 Amazon +52.93.38.0/24 Amazon +52.93.43.0/24 Amazon +52.93.48.0/24 Amazon +52.93.50.128/32 Amazon +52.93.50.129/32 Amazon +52.93.50.130/32 Amazon +52.93.50.131/32 Amazon +52.93.50.132/31 Amazon +52.93.50.134/31 Amazon +52.93.50.136/31 Amazon +52.93.50.138/31 Amazon +52.93.50.140/31 Amazon +52.93.50.142/31 Amazon +52.93.50.144/31 Amazon +52.93.50.146/31 Amazon +52.93.50.148/31 Amazon +52.93.50.150/31 Amazon +52.93.50.152/31 Amazon +52.93.50.154/31 Amazon +52.93.50.156/31 Amazon +52.93.50.158/31 Amazon +52.93.50.160/31 Amazon +52.93.50.162/31 Amazon +52.93.50.164/31 Amazon +52.93.50.166/31 Amazon +52.93.50.168/31 Amazon +52.93.50.170/31 Amazon +52.93.50.172/31 Amazon +52.93.50.174/31 Amazon +52.93.50.176/31 Amazon +52.93.50.178/31 Amazon +52.93.50.180/31 Amazon +52.93.50.182/31 Amazon +52.93.50.184/31 Amazon +52.93.50.186/31 Amazon +52.93.50.188/31 Amazon +52.93.50.190/31 Amazon +52.93.50.192/31 Amazon +52.93.50.194/31 Amazon +52.93.51.28/32 Amazon +52.93.51.29/32 Amazon +52.93.55.144/31 Amazon +52.93.55.146/31 Amazon +52.93.55.148/31 Amazon +52.93.55.152/31 Amazon +52.93.55.154/31 Amazon +52.93.55.156/31 Amazon +52.93.55.158/31 Amazon +52.93.55.160/31 Amazon +52.93.55.162/31 Amazon +52.93.55.164/31 Amazon +52.93.55.166/31 Amazon +52.93.56.0/24 Amazon +52.93.57.0/24 Amazon +52.93.58.32/28 Amazon +52.93.59.0/24 Amazon +52.93.60.0/24 Amazon +52.93.62.0/24 Amazon +52.93.63.0/24 Amazon +52.93.64.0/24 Amazon +52.93.66.0/24 Amazon +52.93.67.0/24 Amazon +52.93.69.0/24 Amazon +52.93.71.37/32 Amazon +52.93.73.0/26 Amazon +52.93.75.0/24 Amazon +52.93.76.0/24 Amazon +52.93.78.0/24 Amazon +52.93.80.0/24 Amazon +52.93.81.0/24 Amazon +52.93.87.96/27 Amazon +52.93.91.96/32 Amazon +52.93.91.97/32 Amazon +52.93.91.98/32 Amazon +52.93.91.99/32 Amazon +52.93.91.100/32 Amazon +52.93.91.101/32 Amazon +52.93.91.102/32 Amazon +52.93.91.103/32 Amazon +52.93.91.104/32 Amazon +52.93.91.105/32 Amazon +52.93.91.106/32 Amazon +52.93.91.107/32 Amazon +52.93.91.108/32 Amazon +52.93.91.109/32 Amazon +52.93.91.110/32 Amazon +52.93.91.111/32 Amazon +52.93.91.112/32 Amazon +52.93.91.113/32 Amazon +52.93.91.114/32 Amazon +52.93.91.115/32 Amazon +52.93.92.64/31 Amazon +52.93.92.66/31 Amazon +52.93.92.68/31 Amazon +52.93.92.70/31 Amazon +52.93.92.72/31 Amazon +52.93.92.74/31 Amazon +52.93.96.0/24 Amazon +52.93.97.0/24 Amazon +52.93.98.0/24 Amazon +52.93.99.0/24 Amazon +52.93.112.0/24 Amazon +52.93.120.176/32 Amazon +52.93.120.177/32 Amazon +52.93.120.178/32 Amazon +52.93.120.179/32 Amazon +52.93.121.187/32 Amazon +52.93.121.188/32 Amazon +52.93.121.189/32 Amazon +52.93.121.190/32 Amazon +52.93.121.195/32 Amazon +52.93.121.196/32 Amazon +52.93.121.197/32 Amazon +52.93.121.198/32 Amazon +52.93.122.131/32 Amazon +52.93.122.202/32 Amazon +52.93.122.203/32 Amazon +52.93.122.218/32 Amazon +52.93.122.255/32 Amazon +52.93.123.6/32 Amazon +52.93.123.11/32 Amazon +52.93.123.98/32 Amazon +52.93.123.99/32 Amazon +52.93.123.136/32 Amazon +52.93.123.255/32 Amazon +52.93.124.14/32 Amazon +52.93.124.15/32 Amazon +52.93.124.96/32 Amazon +52.93.124.97/32 Amazon +52.93.124.210/32 Amazon +52.93.124.211/32 Amazon +52.93.124.212/32 Amazon +52.93.124.213/32 Amazon +52.93.125.42/32 Amazon +52.93.125.43/32 Amazon +52.93.126.76/32 Amazon +52.93.126.122/32 Amazon +52.93.126.123/32 Amazon +52.93.126.132/32 Amazon +52.93.126.133/32 Amazon +52.93.126.134/32 Amazon +52.93.126.135/32 Amazon +52.93.126.136/32 Amazon +52.93.126.137/32 Amazon +52.93.126.138/32 Amazon +52.93.126.139/32 Amazon +52.93.126.144/32 Amazon +52.93.126.145/32 Amazon +52.93.126.146/32 Amazon +52.93.126.147/32 Amazon +52.93.126.198/32 Amazon +52.93.126.199/32 Amazon +52.93.126.204/32 Amazon +52.93.126.205/32 Amazon +52.93.126.206/32 Amazon +52.93.126.207/32 Amazon +52.93.126.212/32 Amazon +52.93.126.213/32 Amazon +52.93.126.214/32 Amazon +52.93.126.215/32 Amazon +52.93.126.234/32 Amazon +52.93.126.235/32 Amazon +52.93.126.244/32 Amazon +52.93.126.245/32 Amazon +52.93.126.250/32 Amazon +52.93.126.251/32 Amazon +52.93.127.17/32 Amazon +52.93.127.18/32 Amazon +52.93.127.19/32 Amazon +52.93.127.24/32 Amazon +52.93.127.25/32 Amazon +52.93.127.26/32 Amazon +52.93.127.27/32 Amazon +52.93.127.68/32 Amazon +52.93.127.69/32 Amazon +52.93.127.70/32 Amazon +52.93.127.71/32 Amazon +52.93.127.92/32 Amazon +52.93.127.93/32 Amazon +52.93.127.94/32 Amazon +52.93.127.95/32 Amazon +52.93.127.96/32 Amazon +52.93.127.97/32 Amazon +52.93.127.98/32 Amazon +52.93.127.99/32 Amazon +52.93.127.100/32 Amazon +52.93.127.101/32 Amazon +52.93.127.102/32 Amazon +52.93.127.103/32 Amazon +52.93.127.104/32 Amazon +52.93.127.105/32 Amazon +52.93.127.106/32 Amazon +52.93.127.107/32 Amazon +52.93.127.108/32 Amazon +52.93.127.109/32 Amazon +52.93.127.110/32 Amazon +52.93.127.111/32 Amazon +52.93.127.112/32 Amazon +52.93.127.113/32 Amazon +52.93.127.114/32 Amazon +52.93.127.115/32 Amazon +52.93.127.116/32 Amazon +52.93.127.117/32 Amazon +52.93.127.118/32 Amazon +52.93.127.119/32 Amazon +52.93.127.120/32 Amazon +52.93.127.121/32 Amazon +52.93.127.122/32 Amazon +52.93.127.123/32 Amazon +52.93.127.124/32 Amazon +52.93.127.125/32 Amazon +52.93.127.126/32 Amazon +52.93.127.127/32 Amazon +52.93.127.128/32 Amazon +52.93.127.129/32 Amazon +52.93.127.130/32 Amazon +52.93.127.131/32 Amazon +52.93.127.132/32 Amazon +52.93.127.133/32 Amazon +52.93.127.138/32 Amazon +52.93.127.139/32 Amazon +52.93.127.146/32 Amazon +52.93.127.147/32 Amazon +52.93.127.148/32 Amazon +52.93.127.149/32 Amazon +52.93.127.152/32 Amazon +52.93.127.153/32 Amazon +52.93.127.154/32 Amazon +52.93.127.155/32 Amazon +52.93.127.156/32 Amazon +52.93.127.157/32 Amazon +52.93.127.158/32 Amazon +52.93.127.159/32 Amazon +52.93.127.160/32 Amazon +52.93.127.161/32 Amazon +52.93.127.162/32 Amazon +52.93.127.163/32 Amazon +52.93.127.164/32 Amazon +52.93.127.165/32 Amazon +52.93.127.166/32 Amazon +52.93.127.167/32 Amazon +52.93.127.168/32 Amazon +52.93.127.169/32 Amazon +52.93.127.172/32 Amazon +52.93.127.173/32 Amazon +52.93.127.174/32 Amazon +52.93.127.175/32 Amazon +52.93.127.176/32 Amazon +52.93.127.177/32 Amazon +52.93.127.178/32 Amazon +52.93.127.179/32 Amazon +52.93.127.180/32 Amazon +52.93.127.181/32 Amazon +52.93.127.182/32 Amazon +52.93.127.183/32 Amazon +52.93.127.184/32 Amazon +52.93.127.185/32 Amazon +52.93.127.194/32 Amazon +52.93.127.195/32 Amazon +52.93.127.196/32 Amazon +52.93.127.197/32 Amazon +52.93.127.198/32 Amazon +52.93.127.199/32 Amazon +52.93.127.200/32 Amazon +52.93.127.201/32 Amazon +52.93.127.202/32 Amazon +52.93.127.203/32 Amazon +52.93.127.204/32 Amazon +52.93.127.205/32 Amazon +52.93.127.206/32 Amazon +52.93.127.207/32 Amazon +52.93.127.216/32 Amazon +52.93.127.217/32 Amazon +52.93.127.218/32 Amazon +52.93.127.219/32 Amazon +52.93.127.220/32 Amazon +52.93.127.221/32 Amazon +52.93.127.232/32 Amazon +52.93.127.237/32 Amazon +52.93.127.238/32 Amazon +52.93.127.239/32 Amazon +52.93.127.244/32 Amazon +52.93.127.245/32 Amazon +52.93.127.246/32 Amazon +52.93.127.247/32 Amazon +52.93.127.248/32 Amazon +52.93.127.249/32 Amazon +52.93.127.250/32 Amazon +52.93.127.251/32 Amazon +52.93.127.252/32 Amazon +52.93.127.253/32 Amazon +52.93.127.254/32 Amazon +52.93.127.255/32 Amazon +52.93.129.95/32 Amazon +52.93.131.217/32 Amazon +52.93.133.127/32 Amazon +52.93.133.129/32 Amazon +52.93.133.131/32 Amazon +52.93.133.133/32 Amazon +52.93.133.153/32 Amazon +52.93.133.155/32 Amazon +52.93.133.175/32 Amazon +52.93.133.177/32 Amazon +52.93.133.179/32 Amazon +52.93.133.181/32 Amazon +52.93.134.181/32 Amazon +52.93.135.195/32 Amazon +52.93.137.0/24 Amazon +52.93.138.252/32 Amazon +52.93.138.253/32 Amazon +52.93.139.252/32 Amazon +52.93.139.253/32 Amazon +52.93.141.212/32 Amazon +52.93.141.213/32 Amazon +52.93.141.214/31 Amazon +52.93.141.216/31 Amazon +52.93.141.218/31 Amazon +52.93.141.220/31 Amazon +52.93.141.222/31 Amazon +52.93.141.224/31 Amazon +52.93.141.226/31 Amazon +52.93.141.228/31 Amazon +52.93.141.230/31 Amazon +52.93.141.232/31 Amazon +52.93.141.234/31 Amazon +52.93.141.236/31 Amazon +52.93.141.238/31 Amazon +52.93.141.240/31 Amazon +52.93.141.242/31 Amazon +52.93.141.244/31 Amazon +52.93.146.5/32 Amazon +52.93.149.0/24 Amazon +52.93.150.0/24 Amazon +52.93.151.0/24 Amazon +52.93.153.80/32 Amazon +52.93.153.148/32 Amazon +52.93.153.149/32 Amazon +52.93.153.168/32 Amazon +52.93.153.169/32 Amazon +52.93.153.170/32 Amazon +52.93.153.171/32 Amazon +52.93.153.172/32 Amazon +52.93.153.173/32 Amazon +52.93.153.174/32 Amazon +52.93.153.175/32 Amazon +52.93.153.176/32 Amazon +52.93.153.177/32 Amazon +52.93.153.178/32 Amazon +52.93.153.179/32 Amazon +52.93.156.0/22 Amazon +52.93.178.128/32 Amazon +52.93.178.129/32 Amazon +52.93.178.130/32 Amazon +52.93.178.131/32 Amazon +52.93.178.132/32 Amazon +52.93.178.133/32 Amazon +52.93.178.134/32 Amazon +52.93.178.135/32 Amazon +52.93.178.136/32 Amazon +52.93.178.137/32 Amazon +52.93.178.138/32 Amazon +52.93.178.139/32 Amazon +52.93.178.140/32 Amazon +52.93.178.141/32 Amazon +52.93.178.142/32 Amazon +52.93.178.143/32 Amazon +52.93.178.144/32 Amazon +52.93.178.145/32 Amazon +52.93.178.146/32 Amazon +52.93.178.147/32 Amazon +52.93.178.148/32 Amazon +52.93.178.149/32 Amazon +52.93.178.150/32 Amazon +52.93.178.151/32 Amazon +52.93.178.152/32 Amazon +52.93.178.153/32 Amazon +52.93.178.154/32 Amazon +52.93.178.155/32 Amazon +52.93.178.156/32 Amazon +52.93.178.157/32 Amazon +52.93.178.158/32 Amazon +52.93.178.159/32 Amazon +52.93.178.160/32 Amazon +52.93.178.161/32 Amazon +52.93.178.162/32 Amazon +52.93.178.163/32 Amazon +52.93.178.164/32 Amazon +52.93.178.165/32 Amazon +52.93.178.166/32 Amazon +52.93.178.167/32 Amazon +52.93.178.168/32 Amazon +52.93.178.169/32 Amazon +52.93.178.170/32 Amazon +52.93.178.171/32 Amazon +52.93.178.172/32 Amazon +52.93.178.173/32 Amazon +52.93.178.174/32 Amazon +52.93.178.175/32 Amazon +52.93.178.176/32 Amazon +52.93.178.177/32 Amazon +52.93.178.178/32 Amazon +52.93.178.179/32 Amazon +52.93.178.180/32 Amazon +52.93.178.181/32 Amazon +52.93.178.182/32 Amazon +52.93.178.183/32 Amazon +52.93.178.184/32 Amazon +52.93.178.185/32 Amazon +52.93.178.186/32 Amazon +52.93.178.187/32 Amazon +52.93.178.188/32 Amazon +52.93.178.189/32 Amazon +52.93.178.190/32 Amazon +52.93.178.191/32 Amazon +52.93.178.192/32 Amazon +52.93.178.193/32 Amazon +52.93.178.194/32 Amazon +52.93.178.195/32 Amazon +52.93.178.196/32 Amazon +52.93.178.197/32 Amazon +52.93.178.198/32 Amazon +52.93.178.199/32 Amazon +52.93.178.200/32 Amazon +52.93.178.201/32 Amazon +52.93.178.202/32 Amazon +52.93.178.203/32 Amazon +52.93.178.204/32 Amazon +52.93.178.205/32 Amazon +52.93.178.206/32 Amazon +52.93.178.207/32 Amazon +52.93.178.208/32 Amazon +52.93.178.209/32 Amazon +52.93.178.210/32 Amazon +52.93.178.211/32 Amazon +52.93.178.212/32 Amazon +52.93.178.213/32 Amazon +52.93.178.214/32 Amazon +52.93.178.215/32 Amazon +52.93.178.216/32 Amazon +52.93.178.217/32 Amazon +52.93.178.218/32 Amazon +52.93.178.219/32 Amazon +52.93.178.220/32 Amazon +52.93.178.221/32 Amazon +52.93.178.222/32 Amazon +52.93.178.223/32 Amazon +52.93.178.224/32 Amazon +52.93.178.225/32 Amazon +52.93.178.226/32 Amazon +52.93.178.227/32 Amazon +52.93.178.228/32 Amazon +52.93.178.229/32 Amazon +52.93.178.230/32 Amazon +52.93.178.231/32 Amazon +52.93.178.232/32 Amazon +52.93.178.233/32 Amazon +52.93.178.234/32 Amazon +52.93.178.235/32 Amazon +52.93.193.192/32 Amazon +52.93.193.193/32 Amazon +52.93.193.194/32 Amazon +52.93.193.195/32 Amazon +52.93.193.196/32 Amazon +52.93.193.197/32 Amazon +52.93.193.198/32 Amazon +52.93.193.199/32 Amazon +52.93.193.200/32 Amazon +52.93.193.201/32 Amazon +52.93.193.202/32 Amazon +52.93.193.203/32 Amazon +52.93.198.0/25 Amazon +52.93.229.148/32 Amazon +52.93.229.149/32 Amazon +52.93.236.0/24 Amazon +52.93.237.0/24 Amazon +52.93.240.146/31 Amazon +52.93.240.148/31 Amazon +52.93.240.150/31 Amazon +52.93.240.152/31 Amazon +52.93.240.154/31 Amazon +52.93.240.156/31 Amazon +52.93.240.158/31 Amazon +52.93.240.160/31 Amazon +52.93.240.162/31 Amazon +52.93.240.164/31 Amazon +52.93.240.166/31 Amazon +52.93.240.168/31 Amazon +52.93.240.170/31 Amazon +52.93.240.172/31 Amazon +52.93.240.174/31 Amazon +52.93.240.176/31 Amazon +52.93.240.178/31 Amazon +52.93.240.180/31 Amazon +52.93.240.182/31 Amazon +52.93.240.184/31 Amazon +52.93.240.186/31 Amazon +52.93.240.188/31 Amazon +52.93.240.190/31 Amazon +52.93.240.192/31 Amazon +52.93.240.194/31 Amazon +52.93.240.196/31 Amazon +52.93.240.198/31 Amazon +52.93.240.200/31 Amazon +52.93.240.202/31 Amazon +52.93.240.204/31 Amazon +52.93.245.0/24 Amazon +52.93.247.0/25 Amazon +52.93.248.0/24 Amazon +52.93.249.0/24 Amazon +52.93.250.0/23 Amazon +52.93.254.0/24 Amazon +52.94.0.0/22 Amazon +52.94.4.0/24 Amazon +52.94.5.0/24 Amazon +52.94.6.0/24 Amazon +52.94.7.0/24 Amazon +52.94.8.0/24 Amazon +52.94.9.0/24 Amazon +52.94.10.0/24 Amazon +52.94.11.0/24 Amazon +52.94.12.0/24 Amazon +52.94.13.0/24 Amazon +52.94.14.0/24 Amazon +52.94.15.0/24 Amazon +52.94.16.0/24 Amazon +52.94.17.0/24 Amazon +52.94.18.0/24 Amazon +52.94.19.0/24 Amazon +52.94.20.0/24 Amazon +52.94.22.0/24 Amazon +52.94.23.0/24 Amazon +52.94.24.0/23 Amazon +52.94.26.0/23 Amazon +52.94.28.0/23 Amazon +52.94.30.0/24 Amazon +52.94.32.0/20 Amazon +52.94.48.0/20 Amazon +52.94.64.0/22 Amazon +52.94.68.0/24 Amazon +52.94.69.0/24 Amazon +52.94.72.0/22 Amazon +52.94.76.0/22 Amazon +52.94.80.0/20 Amazon +52.94.96.0/20 Amazon +52.94.112.0/22 Amazon +52.94.116.0/22 Amazon +52.94.120.0/22 Amazon +52.94.124.0/22 Amazon +52.94.128.0/22 Amazon +52.94.132.0/22 Amazon +52.94.136.0/21 Amazon +52.94.148.0/22 Amazon +52.94.152.3/32 Amazon +52.94.152.9/32 Amazon +52.94.152.11/32 Amazon +52.94.152.12/32 Amazon +52.94.152.44/32 Amazon +52.94.152.60/32 Amazon +52.94.152.61/32 Amazon +52.94.152.62/32 Amazon +52.94.152.63/32 Amazon +52.94.152.64/32 Amazon +52.94.152.65/32 Amazon +52.94.152.66/32 Amazon +52.94.152.67/32 Amazon +52.94.152.68/32 Amazon +52.94.152.69/32 Amazon +52.94.160.0/20 Amazon +52.94.176.0/20 Amazon +52.94.192.0/22 Amazon +52.94.196.0/24 Amazon +52.94.197.0/24 Amazon +52.94.198.0/28 Amazon +52.94.198.16/28 Amazon +52.94.198.32/28 Amazon +52.94.198.48/28 Amazon +52.94.198.64/28 Amazon +52.94.198.80/28 Amazon +52.94.198.96/28 Amazon +52.94.198.112/28 Amazon +52.94.198.128/28 Amazon +52.94.198.144/28 Amazon +52.94.199.0/24 Amazon +52.94.200.0/24 Amazon +52.94.201.0/26 Amazon +52.94.204.0/23 Amazon +52.94.206.0/23 Amazon +52.94.208.0/21 Amazon +52.94.216.0/21 Amazon +52.94.224.0/20 Amazon +52.94.240.0/22 Amazon +52.94.244.0/22 Amazon +52.94.248.0/28 Amazon +52.94.248.16/28 Amazon +52.94.248.32/28 Amazon +52.94.248.48/28 Amazon +52.94.248.64/28 Amazon +52.94.248.80/28 Amazon +52.94.248.96/28 Amazon +52.94.248.112/28 Amazon +52.94.248.128/28 Amazon +52.94.248.144/28 Amazon +52.94.248.160/28 Amazon +52.94.248.176/28 Amazon +52.94.248.192/28 Amazon +52.94.248.208/28 Amazon +52.94.248.224/28 Amazon +52.94.249.32/28 Amazon +52.94.249.48/28 Amazon +52.94.249.64/28 Amazon +52.94.249.80/28 Amazon +52.94.249.96/28 Amazon +52.94.249.112/28 Amazon +52.94.249.128/28 Amazon +52.94.249.144/28 Amazon +52.94.249.160/28 Amazon +52.94.249.176/28 Amazon +52.94.249.192/28 Amazon +52.94.249.208/28 Amazon +52.94.249.224/28 Amazon +52.94.249.240/28 Amazon +52.94.250.0/28 Amazon +52.94.250.16/28 Amazon +52.94.252.0/23 Amazon +52.94.254.0/23 Amazon +52.95.0.0/20 Amazon +52.95.16.0/21 Amazon +52.95.24.0/22 Amazon +52.95.28.0/24 Amazon +52.95.29.0/26 Amazon +52.95.30.0/23 Amazon +52.95.34.0/24 Amazon +52.95.35.0/24 Amazon +52.95.36.0/22 Amazon +52.95.40.0/24 Amazon +52.95.41.0/24 Amazon +52.95.42.0/24 Amazon +52.95.48.0/22 Amazon +52.95.52.0/22 Amazon +52.95.56.0/22 Amazon +52.95.60.0/24 Amazon +52.95.61.0/24 Amazon +52.95.62.0/24 Amazon +52.95.63.0/24 Amazon +52.95.64.0/20 Amazon +52.95.80.0/20 Amazon +52.95.96.0/22 Amazon +52.95.100.0/22 Amazon +52.95.104.0/22 Amazon +52.95.108.0/23 Amazon +52.95.110.0/24 Amazon +52.95.111.0/24 Amazon +52.95.112.0/20 Amazon +52.95.128.0/21 Amazon +52.95.136.0/23 Amazon +52.95.138.0/24 Amazon +52.95.139.0/24 Amazon +52.95.140.0/23 Amazon +52.95.142.0/23 Amazon +52.95.144.0/24 Amazon +52.95.145.0/24 Amazon +52.95.146.0/23 Amazon +52.95.148.0/23 Amazon +52.95.150.0/24 Amazon +52.95.151.0/24 Amazon +52.95.152.0/23 Amazon +52.95.154.0/23 Amazon +52.95.156.0/24 Amazon +52.95.157.0/24 Amazon +52.95.158.0/23 Amazon +52.95.160.0/23 Amazon +52.95.162.0/24 Amazon +52.95.163.0/24 Amazon +52.95.164.0/23 Amazon +52.95.166.0/23 Amazon +52.95.168.0/24 Amazon +52.95.169.0/24 Amazon +52.95.170.0/23 Amazon +52.95.172.0/23 Amazon +52.95.174.0/24 Amazon +52.95.175.0/24 Amazon +52.95.176.0/24 Amazon +52.95.177.0/24 Amazon +52.95.178.0/23 Amazon +52.95.180.0/24 Amazon +52.95.181.0/24 Amazon +52.95.182.0/23 Amazon +52.95.184.0/23 Amazon +52.95.186.0/24 Amazon +52.95.187.0/24 Amazon +52.95.188.0/23 Amazon +52.95.190.0/24 Amazon +52.95.192.0/20 Amazon +52.95.208.0/22 Amazon +52.95.212.0/22 Amazon +52.95.216.0/22 Amazon +52.95.224.0/24 Amazon +52.95.225.0/24 Amazon +52.95.226.0/24 Amazon +52.95.227.0/24 Amazon +52.95.228.0/24 Amazon +52.95.229.0/24 Amazon +52.95.230.0/24 Amazon +52.95.235.0/24 Amazon +52.95.239.0/24 Amazon +52.95.240.0/24 Amazon +52.95.241.0/24 Amazon +52.95.242.0/24 Amazon +52.95.243.0/24 Amazon +52.95.244.0/24 Amazon +52.95.245.0/24 Amazon +52.95.246.0/24 Amazon +52.95.247.0/24 Amazon +52.95.248.0/24 Amazon +52.95.249.0/24 Amazon +52.95.250.0/24 Amazon +52.95.251.0/24 Amazon +52.95.252.0/24 Amazon +52.95.253.0/24 Amazon +52.95.254.0/24 Amazon +52.95.255.0/28 Amazon +52.95.255.16/28 Amazon +52.95.255.32/28 Amazon +52.95.255.48/28 Amazon +52.95.255.64/28 Amazon +52.95.255.80/28 Amazon +52.95.255.96/28 Amazon +52.95.255.112/28 Amazon +52.95.255.128/28 Amazon +52.95.255.144/28 Amazon +52.119.128.0/20 Amazon +52.119.144.0/21 Amazon +52.119.152.0/22 Amazon +52.119.156.0/22 Amazon +52.119.160.0/20 Amazon +52.119.176.0/21 Amazon +52.119.184.0/22 Amazon +52.119.188.0/22 Amazon +52.119.192.0/22 Amazon +52.119.196.0/22 Amazon +52.119.205.0/24 Amazon +52.119.206.0/23 Amazon +52.119.208.0/23 Amazon +52.119.210.0/23 Amazon +52.119.212.0/23 Amazon +52.119.214.0/23 Amazon +52.119.216.0/21 Amazon +52.119.224.0/21 Amazon +52.119.232.0/21 Amazon +52.119.240.0/21 Amazon +52.119.248.0/24 Amazon +52.119.249.0/24 Amazon +52.119.252.0/22 Amazon +52.124.128.0/17 Amazon +52.144.133.32/27 Amazon +52.144.192.0/26 Amazon +52.144.192.64/26 Amazon +52.144.192.128/26 Amazon +52.144.192.192/26 Amazon +52.144.193.0/26 Amazon +52.144.193.64/26 Amazon +52.144.193.128/26 Amazon +52.144.194.0/26 Amazon +52.144.194.64/26 Amazon +52.144.194.128/26 Amazon +52.144.194.192/26 Amazon +52.144.195.0/26 Amazon +52.144.196.192/26 Amazon +52.144.197.128/26 Amazon +52.144.197.192/26 Amazon +52.144.199.128/26 Amazon +52.144.200.64/26 Amazon +52.144.200.128/26 Amazon +52.144.201.64/26 Amazon +52.144.201.128/26 Amazon +52.144.205.0/26 Amazon +52.144.208.0/31 Amazon +52.144.208.2/31 Amazon +52.144.208.64/26 Amazon +52.144.208.128/26 Amazon +52.144.208.192/26 Amazon +52.144.209.0/26 Amazon +52.144.209.64/26 Amazon +52.144.209.128/26 Amazon +52.144.209.192/26 Amazon +52.144.210.0/26 Amazon +52.144.210.64/26 Amazon +52.144.210.128/26 Amazon +52.144.210.192/26 Amazon +52.144.211.0/26 Amazon +52.144.211.64/26 Amazon +52.144.211.128/26 Amazon +52.144.211.192/31 Amazon +52.144.211.194/31 Amazon +52.144.211.196/31 Amazon +52.144.211.198/31 Amazon +52.144.211.200/31 Amazon +52.144.211.202/31 Amazon +52.144.212.64/26 Amazon +52.144.212.192/26 Amazon +52.144.213.64/26 Amazon +52.144.214.128/26 Amazon +52.144.215.0/31 Amazon +52.144.215.2/31 Amazon +52.144.215.192/31 Amazon +52.144.215.194/31 Amazon +52.144.215.196/31 Amazon +52.144.215.198/31 Amazon +52.144.215.200/31 Amazon +52.144.215.202/31 Amazon +52.144.216.0/31 Amazon +52.144.216.2/31 Amazon +52.144.216.4/31 Amazon +52.144.216.6/31 Amazon +52.144.216.8/31 Amazon +52.144.216.10/31 Amazon +52.144.218.0/26 Amazon +52.144.218.64/26 Amazon +52.144.223.64/26 Amazon +52.144.223.128/26 Amazon +52.144.224.64/26 Amazon +52.144.224.128/26 Amazon +52.144.224.192/26 Amazon +52.144.225.0/26 Amazon +52.144.225.64/26 Amazon +52.144.225.128/26 Amazon +52.144.227.64/26 Amazon +52.144.227.192/26 Amazon +52.144.228.0/31 Amazon +52.144.228.2/31 Amazon +52.144.228.64/26 Amazon +52.144.228.128/26 Amazon +52.144.228.192/26 Amazon +52.144.229.0/26 Amazon +52.144.229.64/26 Amazon +52.144.230.0/26 Amazon +52.144.231.64/26 Amazon +52.144.233.64/31 Amazon +52.144.233.66/31 Amazon +52.144.233.68/31 Amazon +52.144.233.70/31 Amazon +52.144.233.128/31 Amazon +52.144.233.130/31 Amazon +52.144.233.132/31 Amazon +52.144.233.134/31 Amazon +52.144.233.192/26 Amazon +52.192.0.0/15 Amazon +52.194.0.0/15 Amazon +52.196.0.0/14 Amazon +52.200.0.0/13 Amazon +52.208.0.0/13 Amazon +52.216.0.0/15 Amazon +52.218.0.0/17 Amazon +52.218.128.0/17 Amazon +52.219.0.0/20 Amazon +52.219.16.0/22 Amazon +52.219.24.0/21 Amazon +52.219.32.0/21 Amazon +52.219.40.0/22 Amazon +52.219.44.0/22 Amazon +52.219.56.0/22 Amazon +52.219.60.0/23 Amazon +52.219.62.0/23 Amazon +52.219.64.0/22 Amazon +52.219.68.0/22 Amazon +52.219.72.0/22 Amazon +52.219.80.0/20 Amazon +52.219.96.0/20 Amazon +52.219.112.0/21 Amazon +52.219.120.0/22 Amazon +52.219.124.0/22 Amazon +52.219.128.0/22 Amazon +52.219.132.0/22 Amazon +52.219.136.0/22 Amazon +52.219.140.0/24 Amazon +52.219.141.0/24 Amazon +52.219.142.0/24 Amazon +52.219.143.0/24 Amazon +52.219.144.0/22 Amazon +52.219.148.0/23 Amazon +52.219.152.0/22 Amazon +52.219.156.0/22 Amazon +52.219.160.0/23 Amazon +52.219.164.0/22 Amazon +52.219.168.0/24 Amazon +52.219.169.0/24 Amazon +52.219.170.0/23 Amazon +52.219.172.0/22 Amazon +52.219.176.0/22 Amazon +52.219.180.0/22 Amazon +52.219.184.0/21 Amazon +52.219.192.0/23 Amazon +52.219.194.0/24 Amazon +52.219.195.0/24 Amazon +52.219.196.0/22 Amazon +52.219.200.0/24 Amazon +52.219.202.0/23 Amazon +52.219.204.0/22 Amazon +52.220.0.0/15 Amazon +52.222.0.0/17 Amazon +52.222.128.0/17 Amazon +52.223.0.0/17 Amazon +54.64.0.0/15 Amazon +54.66.0.0/16 Amazon +54.67.0.0/16 Amazon +54.68.0.0/14 Amazon +54.72.0.0/15 Amazon +54.74.0.0/15 Amazon +54.76.0.0/15 Amazon +54.78.0.0/16 Amazon +54.79.0.0/16 Amazon +54.80.0.0/13 Amazon +54.88.0.0/14 Amazon +54.92.0.0/17 Amazon +54.92.128.0/17 Amazon +54.93.0.0/16 Amazon +54.94.0.0/16 Amazon +54.95.0.0/16 Amazon +54.144.0.0/14 Amazon +54.148.0.0/15 Amazon +54.150.0.0/16 Amazon +54.151.0.0/17 Amazon +54.151.128.0/17 Amazon +54.152.0.0/16 Amazon +54.153.0.0/17 Amazon +54.153.128.0/17 Amazon +54.154.0.0/16 Amazon +54.155.0.0/16 Amazon +54.156.0.0/14 Amazon +54.160.0.0/13 Amazon +54.168.0.0/16 Amazon +54.169.0.0/16 Amazon +54.170.0.0/15 Amazon +54.172.0.0/15 Amazon +54.174.0.0/15 Amazon +54.176.0.0/15 Amazon +54.178.0.0/16 Amazon +54.179.0.0/16 Amazon +54.180.0.0/15 Amazon +54.182.0.0/16 Amazon +54.183.0.0/16 Amazon +54.184.0.0/13 Amazon +54.192.0.0/16 Amazon +54.193.0.0/16 Amazon +54.194.0.0/15 Amazon +54.196.0.0/15 Amazon +54.198.0.0/16 Amazon +54.199.0.0/16 Amazon +54.200.0.0/15 Amazon +54.202.0.0/15 Amazon +54.204.0.0/15 Amazon +54.206.0.0/16 Amazon +54.207.0.0/16 Amazon +54.208.0.0/15 Amazon +54.210.0.0/15 Amazon +54.212.0.0/15 Amazon +54.214.0.0/16 Amazon +54.215.0.0/16 Amazon +54.216.0.0/15 Amazon +54.218.0.0/16 Amazon +54.219.0.0/16 Amazon +54.220.0.0/16 Amazon +54.221.0.0/16 Amazon +54.222.0.0/19 Amazon +54.222.32.0/22 Amazon +54.222.36.0/22 Amazon +54.222.48.0/22 Amazon +54.222.52.0/22 Amazon +54.222.57.0/24 Amazon +54.222.58.0/28 Amazon +54.222.58.32/28 Amazon +54.222.58.48/28 Amazon +54.222.59.0/24 Amazon +54.222.64.0/23 Amazon +54.222.66.0/23 Amazon +54.222.68.0/23 Amazon +54.222.70.0/24 Amazon +54.222.71.0/24 Amazon +54.222.76.0/22 Amazon +54.222.80.0/21 Amazon +54.222.128.0/17 Amazon +54.223.0.0/16 Amazon +54.224.0.0/15 Amazon +54.226.0.0/15 Amazon +54.228.0.0/16 Amazon +54.229.0.0/16 Amazon +54.230.0.0/17 Amazon +54.230.128.0/18 Amazon +54.230.192.0/21 Amazon +54.230.200.0/21 Amazon +54.230.208.0/20 Amazon +54.230.224.0/19 Amazon +54.231.0.0/16 Amazon +54.232.0.0/16 Amazon +54.233.0.0/18 Amazon +54.233.64.0/18 Amazon +54.233.128.0/17 Amazon +54.234.0.0/15 Amazon +54.236.0.0/15 Amazon +54.238.0.0/16 Amazon +54.239.0.0/28 Amazon +54.239.0.16/28 Amazon +54.239.0.32/28 Amazon +54.239.0.48/28 Amazon +54.239.0.64/28 Amazon +54.239.0.80/28 Amazon +54.239.0.96/28 Amazon +54.239.0.112/28 Amazon +54.239.0.128/28 Amazon +54.239.0.144/28 Amazon +54.239.0.160/28 Amazon +54.239.0.176/28 Amazon +54.239.0.192/28 Amazon +54.239.0.208/28 Amazon +54.239.0.224/28 Amazon +54.239.0.240/28 Amazon +54.239.1.0/28 Amazon +54.239.1.16/28 Amazon +54.239.1.32/28 Amazon +54.239.1.48/28 Amazon +54.239.1.64/28 Amazon +54.239.1.80/28 Amazon +54.239.1.96/28 Amazon +54.239.1.112/28 Amazon +54.239.1.128/28 Amazon +54.239.1.144/28 Amazon +54.239.1.160/28 Amazon +54.239.1.176/28 Amazon +54.239.1.192/28 Amazon +54.239.1.208/28 Amazon +54.239.1.224/28 Amazon +54.239.2.0/23 Amazon +54.239.4.0/22 Amazon +54.239.8.0/21 Amazon +54.239.16.0/20 Amazon +54.239.32.0/21 Amazon +54.239.40.152/29 Amazon +54.239.48.0/22 Amazon +54.239.52.0/23 Amazon +54.239.54.0/23 Amazon +54.239.56.0/21 Amazon +54.239.64.0/21 Amazon +54.239.96.0/24 Amazon +54.239.98.0/24 Amazon +54.239.99.0/24 Amazon +54.239.100.0/23 Amazon +54.239.102.162/31 Amazon +54.239.102.232/31 Amazon +54.239.102.234/31 Amazon +54.239.102.236/31 Amazon +54.239.104.0/23 Amazon +54.239.106.0/23 Amazon +54.239.108.0/22 Amazon +54.239.112.0/24 Amazon +54.239.113.0/24 Amazon +54.239.115.0/25 Amazon +54.239.116.0/22 Amazon +54.239.120.0/21 Amazon +54.239.128.0/18 Amazon +54.239.192.0/19 Amazon +54.240.17.0/24 Amazon +54.240.128.0/18 Amazon +54.240.192.0/22 Amazon +54.240.196.0/24 Amazon +54.240.197.0/24 Amazon +54.240.198.0/24 Amazon +54.240.199.0/24 Amazon +54.240.200.0/24 Amazon +54.240.202.0/24 Amazon +54.240.203.0/24 Amazon +54.240.204.0/22 Amazon +54.240.208.0/22 Amazon +54.240.212.0/22 Amazon +54.240.216.0/22 Amazon +54.240.220.0/22 Amazon +54.240.225.0/24 Amazon +54.240.226.0/24 Amazon +54.240.227.0/24 Amazon +54.240.228.0/23 Amazon +54.240.230.0/23 Amazon +54.240.232.0/22 Amazon +54.240.236.1/32 Amazon +54.240.236.2/32 Amazon +54.240.236.5/32 Amazon +54.240.236.6/32 Amazon +54.240.236.9/32 Amazon +54.240.236.10/32 Amazon +54.240.236.13/32 Amazon +54.240.236.14/32 Amazon +54.240.236.17/32 Amazon +54.240.236.18/32 Amazon +54.240.236.21/32 Amazon +54.240.236.22/32 Amazon +54.240.236.25/32 Amazon +54.240.236.26/32 Amazon +54.240.236.29/32 Amazon +54.240.236.30/32 Amazon +54.240.236.33/32 Amazon +54.240.236.34/32 Amazon +54.240.236.37/32 Amazon +54.240.236.38/32 Amazon +54.240.236.41/32 Amazon +54.240.236.42/32 Amazon +54.240.236.45/32 Amazon +54.240.236.46/32 Amazon +54.240.236.49/32 Amazon +54.240.236.50/32 Amazon +54.240.236.53/32 Amazon +54.240.236.54/32 Amazon +54.240.236.57/32 Amazon +54.240.236.58/32 Amazon +54.240.236.61/32 Amazon +54.240.236.62/32 Amazon +54.240.236.65/32 Amazon +54.240.236.66/32 Amazon +54.240.236.69/32 Amazon +54.240.236.70/32 Amazon +54.240.236.73/32 Amazon +54.240.236.74/32 Amazon +54.240.236.77/32 Amazon +54.240.236.78/32 Amazon +54.240.236.81/32 Amazon +54.240.236.82/32 Amazon +54.240.236.85/32 Amazon +54.240.236.86/32 Amazon +54.240.236.89/32 Amazon +54.240.236.90/32 Amazon +54.240.236.93/32 Amazon +54.240.236.94/32 Amazon +54.240.241.0/24 Amazon +54.240.244.0/22 Amazon +54.240.248.0/21 Amazon +54.241.0.0/16 Amazon +54.242.0.0/15 Amazon +54.244.0.0/16 Amazon +54.245.0.0/16 Amazon +54.246.0.0/16 Amazon +54.247.0.0/16 Amazon +54.248.0.0/15 Amazon +54.250.0.0/16 Amazon +54.251.0.0/16 Amazon +54.252.0.0/16 Amazon +54.253.0.0/16 Amazon +54.254.0.0/16 Amazon +54.255.0.0/16 Amazon +58.254.138.0/25 Amazon +58.254.138.128/26 Amazon +63.32.0.0/14 Amazon +63.246.112.0/24 Amazon +63.246.113.0/24 Amazon +63.246.114.0/23 Amazon +63.246.119.0/24 Amazon +64.187.128.0/20 Amazon +64.252.64.0/18 Amazon +64.252.128.0/18 Amazon +65.0.0.0/14 Amazon +65.8.0.0/16 Amazon +65.9.0.0/17 Amazon +65.9.128.0/18 Amazon +67.202.0.0/18 Amazon +67.220.224.0/20 Amazon +67.220.240.0/20 Amazon +68.66.112.0/20 Amazon +68.79.0.0/18 Amazon +69.107.3.176/29 Amazon +69.107.3.184/29 Amazon +69.107.6.112/29 Amazon +69.107.6.120/29 Amazon +69.107.6.160/29 Amazon +69.107.6.168/29 Amazon +69.107.6.200/29 Amazon +69.107.6.208/29 Amazon +69.107.6.216/29 Amazon +69.107.6.224/29 Amazon +69.107.7.0/29 Amazon +69.107.7.8/29 Amazon +69.107.7.16/29 Amazon +69.107.7.32/29 Amazon +69.107.7.40/29 Amazon +69.107.7.48/29 Amazon +69.107.7.56/29 Amazon +69.107.7.64/29 Amazon +69.107.7.72/29 Amazon +69.107.7.80/29 Amazon +69.107.7.88/29 Amazon +69.107.7.96/29 Amazon +69.107.7.104/29 Amazon +69.107.7.112/29 Amazon +69.107.7.120/29 Amazon +69.107.7.128/29 Amazon +69.107.7.136/29 Amazon +69.230.192.0/18 Amazon +69.231.128.0/18 Amazon +69.234.192.0/18 Amazon +69.235.128.0/18 Amazon +70.132.0.0/18 Amazon +70.224.192.0/18 Amazon +70.232.64.0/20 Amazon +70.232.80.0/21 Amazon +70.232.88.0/22 Amazon +70.232.92.0/22 Amazon +70.232.96.0/20 Amazon +70.232.112.0/21 Amazon +70.232.120.0/22 Amazon +70.232.124.0/22 Amazon +71.131.192.0/18 Amazon +71.132.0.0/18 Amazon +71.137.0.0/22 Amazon +71.137.4.0/24 Amazon +71.137.8.0/22 Amazon +71.152.0.0/17 Amazon +72.21.192.0/19 Amazon +72.41.0.0/20 Amazon +72.44.32.0/19 Amazon +75.2.0.0/17 Amazon +75.101.128.0/17 Amazon +76.223.0.0/17 Amazon +79.125.0.0/17 Amazon +87.238.80.0/21 Amazon +96.127.0.0/17 Amazon +99.77.0.0/20 Amazon +99.77.16.0/21 Amazon +99.77.24.0/22 Amazon +99.77.28.0/22 Amazon +99.77.32.0/20 Amazon +99.77.48.0/21 Amazon +99.77.56.0/21 Amazon +99.77.128.0/18 Amazon +99.77.247.0/24 Amazon +99.77.250.0/24 Amazon +99.77.253.0/24 Amazon +99.77.254.0/24 Amazon +99.78.128.0/20 Amazon +99.78.144.0/21 Amazon +99.78.152.0/22 Amazon +99.78.156.0/22 Amazon +99.78.160.0/21 Amazon +99.78.168.0/23 Amazon +99.78.170.0/23 Amazon +99.78.172.0/24 Amazon +99.78.176.0/21 Amazon +99.78.184.0/22 Amazon +99.78.188.0/22 Amazon +99.78.192.0/22 Amazon +99.78.196.0/22 Amazon +99.78.208.0/22 Amazon +99.78.212.0/22 Amazon +99.78.216.0/22 Amazon +99.78.220.0/22 Amazon +99.78.228.0/22 Amazon +99.78.232.0/21 Amazon +99.78.240.0/20 Amazon +99.79.0.0/16 Amazon +99.80.0.0/15 Amazon +99.82.128.0/20 Amazon +99.82.144.0/21 Amazon +99.82.152.0/22 Amazon +99.82.156.0/22 Amazon +99.82.160.0/24 Amazon +99.82.161.0/24 Amazon +99.82.162.0/24 Amazon +99.82.163.0/24 Amazon +99.82.164.0/24 Amazon +99.82.165.0/24 Amazon +99.82.166.0/24 Amazon +99.82.167.0/24 Amazon +99.82.168.0/24 Amazon +99.82.169.0/24 Amazon +99.82.170.0/24 Amazon +99.82.171.0/24 Amazon +99.82.172.0/24 Amazon +99.82.173.0/24 Amazon +99.82.174.0/24 Amazon +99.82.175.0/24 Amazon +99.82.176.0/21 Amazon +99.82.184.0/22 Amazon +99.82.188.0/22 Amazon +99.83.64.0/21 Amazon +99.83.72.0/22 Amazon +99.83.76.0/22 Amazon +99.83.80.0/22 Amazon +99.83.84.0/22 Amazon +99.83.88.0/21 Amazon +99.83.96.0/24 Amazon +99.83.97.0/24 Amazon +99.83.98.0/24 Amazon +99.83.99.0/24 Amazon +99.83.100.0/24 Amazon +99.83.101.0/24 Amazon +99.83.112.0/21 Amazon +99.83.120.0/22 Amazon +99.83.128.0/17 Amazon +99.84.0.0/16 Amazon +99.86.0.0/16 Amazon +99.87.0.0/22 Amazon +99.87.4.0/22 Amazon +99.87.8.0/21 Amazon +99.87.16.0/20 Amazon +99.87.32.0/22 Amazon +99.150.0.0/21 Amazon +99.150.8.0/21 Amazon +99.150.16.0/21 Amazon +99.150.24.0/21 Amazon +99.150.32.0/21 Amazon +99.150.40.0/21 Amazon +99.150.48.0/21 Amazon +99.150.56.0/21 Amazon +99.150.64.0/21 Amazon +99.150.72.0/21 Amazon +99.150.80.0/21 Amazon +99.150.88.0/21 Amazon +99.150.96.0/21 Amazon +99.150.104.0/21 Amazon +99.150.112.0/21 Amazon +99.150.120.0/21 Amazon +99.151.64.0/21 Amazon +99.151.72.0/21 Amazon +99.151.80.0/21 Amazon +99.151.88.0/21 Amazon +99.151.96.0/21 Amazon +99.151.104.0/21 Amazon +99.151.112.0/21 Amazon +99.151.120.0/21 Amazon +99.151.128.0/21 Amazon +99.151.136.0/21 Amazon +99.151.144.0/21 Amazon +100.20.0.0/14 Amazon +100.24.0.0/13 Amazon +103.4.8.0/21 Amazon +103.8.172.0/22 Amazon +103.246.148.0/23 Amazon +103.246.150.0/23 Amazon +104.255.56.11/32 Amazon +104.255.56.12/32 Amazon +104.255.59.81/32 Amazon +104.255.59.82/32 Amazon +104.255.59.83/32 Amazon +104.255.59.85/32 Amazon +104.255.59.86/32 Amazon +104.255.59.87/32 Amazon +104.255.59.88/32 Amazon +104.255.59.91/32 Amazon +104.255.59.101/32 Amazon +104.255.59.102/32 Amazon +104.255.59.103/32 Amazon +104.255.59.104/32 Amazon +104.255.59.105/32 Amazon +104.255.59.106/32 Amazon +104.255.59.114/32 Amazon +104.255.59.115/32 Amazon +104.255.59.118/32 Amazon +104.255.59.119/32 Amazon +104.255.59.122/32 Amazon +104.255.59.130/32 Amazon +104.255.59.131/32 Amazon +104.255.59.132/32 Amazon +104.255.59.133/32 Amazon +104.255.59.134/32 Amazon +104.255.59.135/32 Amazon +104.255.59.136/32 Amazon +104.255.59.137/32 Amazon +104.255.59.138/32 Amazon +104.255.59.139/32 Amazon +107.20.0.0/14 Amazon +107.176.0.0/15 Amazon +108.128.0.0/13 Amazon +108.136.0.0/15 Amazon +108.138.0.0/15 Amazon +108.156.0.0/14 Amazon +108.166.224.0/21 Amazon +108.166.232.0/21 Amazon +108.166.240.0/21 Amazon +108.166.248.0/21 Amazon +108.175.48.0/22 Amazon +108.175.52.0/22 Amazon +108.175.56.0/22 Amazon +108.175.60.0/22 Amazon +116.129.226.0/25 Amazon +116.129.226.128/26 Amazon +118.193.97.64/26 Amazon +118.193.97.128/25 Amazon +119.147.182.0/25 Amazon +119.147.182.128/26 Amazon +120.52.12.64/26 Amazon +120.52.22.96/27 Amazon +120.52.39.128/27 Amazon +120.52.153.192/26 Amazon +120.232.236.0/25 Amazon +120.232.236.128/26 Amazon +120.253.240.192/26 Amazon +120.253.241.160/27 Amazon +120.253.245.128/26 Amazon +120.253.245.192/27 Amazon +122.248.192.0/18 Amazon +130.176.0.0/17 Amazon +130.176.128.0/18 Amazon +130.176.192.0/19 Amazon +130.176.224.0/20 Amazon +130.176.254.0/24 Amazon +130.176.255.0/24 Amazon +140.179.0.0/16 Amazon +142.4.160.0/29 Amazon +142.4.160.8/29 Amazon +142.4.160.16/29 Amazon +142.4.160.24/29 Amazon +142.4.160.32/29 Amazon +142.4.160.40/29 Amazon +142.4.160.48/29 Amazon +142.4.160.56/29 Amazon +142.4.160.64/29 Amazon +142.4.160.72/29 Amazon +142.4.160.80/29 Amazon +142.4.160.88/29 Amazon +142.4.160.96/29 Amazon +142.4.160.104/29 Amazon +142.4.160.112/29 Amazon +143.204.0.0/16 Amazon +144.220.0.0/16 Amazon +150.222.0.16/32 Amazon +150.222.0.17/32 Amazon +150.222.0.18/32 Amazon +150.222.0.19/32 Amazon +150.222.2.0/24 Amazon +150.222.3.176/32 Amazon +150.222.3.177/32 Amazon +150.222.3.178/32 Amazon +150.222.3.179/32 Amazon +150.222.3.180/32 Amazon +150.222.3.181/32 Amazon +150.222.3.182/32 Amazon +150.222.3.183/32 Amazon +150.222.3.184/32 Amazon +150.222.3.185/32 Amazon +150.222.3.186/32 Amazon +150.222.3.187/32 Amazon +150.222.3.188/32 Amazon +150.222.3.189/32 Amazon +150.222.3.190/32 Amazon +150.222.3.191/32 Amazon +150.222.3.192/31 Amazon +150.222.3.194/31 Amazon +150.222.3.196/31 Amazon +150.222.3.198/31 Amazon +150.222.3.200/31 Amazon +150.222.3.202/31 Amazon +150.222.3.204/31 Amazon +150.222.3.206/31 Amazon +150.222.3.208/31 Amazon +150.222.3.210/31 Amazon +150.222.3.212/31 Amazon +150.222.3.214/31 Amazon +150.222.3.216/31 Amazon +150.222.3.218/31 Amazon +150.222.3.220/31 Amazon +150.222.3.222/31 Amazon +150.222.3.224/31 Amazon +150.222.3.226/31 Amazon +150.222.3.228/31 Amazon +150.222.3.230/31 Amazon +150.222.3.232/31 Amazon +150.222.3.234/31 Amazon +150.222.3.236/31 Amazon +150.222.3.238/31 Amazon +150.222.3.240/31 Amazon +150.222.3.242/31 Amazon +150.222.3.244/31 Amazon +150.222.3.246/31 Amazon +150.222.3.248/31 Amazon +150.222.3.250/31 Amazon +150.222.3.252/31 Amazon +150.222.3.254/31 Amazon +150.222.5.0/24 Amazon +150.222.6.0/24 Amazon +150.222.7.0/24 Amazon +150.222.10.0/24 Amazon +150.222.11.0/31 Amazon +150.222.11.74/31 Amazon +150.222.11.76/31 Amazon +150.222.11.78/31 Amazon +150.222.11.80/31 Amazon +150.222.11.84/31 Amazon +150.222.11.86/31 Amazon +150.222.11.88/31 Amazon +150.222.11.90/31 Amazon +150.222.11.92/31 Amazon +150.222.11.94/31 Amazon +150.222.11.96/31 Amazon +150.222.12.0/24 Amazon +150.222.13.0/24 Amazon +150.222.14.72/31 Amazon +150.222.15.124/32 Amazon +150.222.15.125/32 Amazon +150.222.15.126/32 Amazon +150.222.15.127/32 Amazon +150.222.15.128/31 Amazon +150.222.15.130/31 Amazon +150.222.28.17/32 Amazon +150.222.28.18/31 Amazon +150.222.28.104/32 Amazon +150.222.28.105/32 Amazon +150.222.28.106/31 Amazon +150.222.28.108/31 Amazon +150.222.28.110/31 Amazon +150.222.28.112/31 Amazon +150.222.28.114/31 Amazon +150.222.28.116/31 Amazon +150.222.28.118/31 Amazon +150.222.28.120/31 Amazon +150.222.28.122/31 Amazon +150.222.28.124/31 Amazon +150.222.28.126/31 Amazon +150.222.28.128/31 Amazon +150.222.28.130/31 Amazon +150.222.28.132/31 Amazon +150.222.28.134/31 Amazon +150.222.28.136/31 Amazon +150.222.28.138/31 Amazon +150.222.28.140/31 Amazon +150.222.28.142/31 Amazon +150.222.66.0/24 Amazon +150.222.67.0/24 Amazon +150.222.69.0/24 Amazon +150.222.70.0/24 Amazon +150.222.71.0/24 Amazon +150.222.72.0/24 Amazon +150.222.73.0/24 Amazon +150.222.74.0/24 Amazon +150.222.75.0/24 Amazon +150.222.76.0/24 Amazon +150.222.77.0/24 Amazon +150.222.78.0/24 Amazon +150.222.79.0/24 Amazon +150.222.80.0/24 Amazon +150.222.81.0/24 Amazon +150.222.82.0/24 Amazon +150.222.83.0/24 Amazon +150.222.84.0/24 Amazon +150.222.85.0/24 Amazon +150.222.87.0/24 Amazon +150.222.88.0/24 Amazon +150.222.89.0/24 Amazon +150.222.90.0/24 Amazon +150.222.91.0/24 Amazon +150.222.92.0/22 Amazon +150.222.96.0/24 Amazon +150.222.97.0/24 Amazon +150.222.98.0/24 Amazon +150.222.99.0/24 Amazon +150.222.100.0/24 Amazon +150.222.101.0/24 Amazon +150.222.102.0/24 Amazon +150.222.104.0/24 Amazon +150.222.105.0/24 Amazon +150.222.106.0/24 Amazon +150.222.108.0/24 Amazon +150.222.109.0/24 Amazon +150.222.110.0/24 Amazon +150.222.112.0/24 Amazon +150.222.113.0/24 Amazon +150.222.114.0/24 Amazon +150.222.115.0/24 Amazon +150.222.116.0/24 Amazon +150.222.117.0/24 Amazon +150.222.118.0/24 Amazon +150.222.119.0/24 Amazon +150.222.120.20/31 Amazon +150.222.120.62/31 Amazon +150.222.120.224/31 Amazon +150.222.120.226/31 Amazon +150.222.120.228/31 Amazon +150.222.120.230/31 Amazon +150.222.120.232/31 Amazon +150.222.120.234/31 Amazon +150.222.120.240/31 Amazon +150.222.120.242/31 Amazon +150.222.120.244/31 Amazon +150.222.120.246/31 Amazon +150.222.120.248/31 Amazon +150.222.120.250/31 Amazon +150.222.120.252/32 Amazon +150.222.120.255/32 Amazon +150.222.121.0/24 Amazon +150.222.122.92/31 Amazon +150.222.122.94/31 Amazon +150.222.122.96/31 Amazon +150.222.122.98/31 Amazon +150.222.122.100/31 Amazon +150.222.122.102/31 Amazon +150.222.122.104/31 Amazon +150.222.122.106/31 Amazon +150.222.122.108/31 Amazon +150.222.122.110/31 Amazon +150.222.122.112/31 Amazon +150.222.122.114/31 Amazon +150.222.122.116/31 Amazon +150.222.129.19/32 Amazon +150.222.129.20/31 Amazon +150.222.129.62/31 Amazon +150.222.129.64/31 Amazon +150.222.129.66/31 Amazon +150.222.129.69/32 Amazon +150.222.129.110/31 Amazon +150.222.129.112/31 Amazon +150.222.129.114/31 Amazon +150.222.129.116/31 Amazon +150.222.129.118/31 Amazon +150.222.129.120/31 Amazon +150.222.129.122/31 Amazon +150.222.129.124/31 Amazon +150.222.129.126/31 Amazon +150.222.129.128/31 Amazon +150.222.129.130/31 Amazon +150.222.129.132/31 Amazon +150.222.129.134/31 Amazon +150.222.129.136/31 Amazon +150.222.129.138/31 Amazon +150.222.129.140/31 Amazon +150.222.129.142/31 Amazon +150.222.129.144/31 Amazon +150.222.129.146/31 Amazon +150.222.129.152/31 Amazon +150.222.129.154/31 Amazon +150.222.129.156/31 Amazon +150.222.129.158/31 Amazon +150.222.129.240/31 Amazon +150.222.129.242/31 Amazon +150.222.129.244/31 Amazon +150.222.129.246/31 Amazon +150.222.129.248/31 Amazon +150.222.129.250/31 Amazon +150.222.129.252/32 Amazon +150.222.129.255/32 Amazon +150.222.133.0/24 Amazon +150.222.134.0/24 Amazon +150.222.135.0/24 Amazon +150.222.136.0/24 Amazon +150.222.138.0/24 Amazon +150.222.139.116/30 Amazon +150.222.139.120/30 Amazon +150.222.139.124/30 Amazon +150.222.140.0/24 Amazon +150.222.141.0/24 Amazon +150.222.142.0/24 Amazon +150.222.143.0/24 Amazon +150.222.164.208/31 Amazon +150.222.164.210/32 Amazon +150.222.164.211/32 Amazon +150.222.164.220/31 Amazon +150.222.164.222/32 Amazon +150.222.176.0/22 Amazon +150.222.180.0/24 Amazon +150.222.196.0/24 Amazon +150.222.199.0/25 Amazon +150.222.202.0/24 Amazon +150.222.203.0/24 Amazon +150.222.204.0/24 Amazon +150.222.205.0/24 Amazon +150.222.206.0/24 Amazon +150.222.207.0/24 Amazon +150.222.208.64/32 Amazon +150.222.208.65/32 Amazon +150.222.208.66/31 Amazon +150.222.208.68/31 Amazon +150.222.208.70/31 Amazon +150.222.208.72/31 Amazon +150.222.208.74/31 Amazon +150.222.208.76/31 Amazon +150.222.208.78/31 Amazon +150.222.208.80/31 Amazon +150.222.208.82/31 Amazon +150.222.208.84/31 Amazon +150.222.208.86/31 Amazon +150.222.208.88/31 Amazon +150.222.208.90/31 Amazon +150.222.208.92/31 Amazon +150.222.208.94/31 Amazon +150.222.208.96/31 Amazon +150.222.210.0/24 Amazon +150.222.212.0/24 Amazon +150.222.213.40/32 Amazon +150.222.213.41/32 Amazon +150.222.214.0/24 Amazon +150.222.215.0/24 Amazon +150.222.217.17/32 Amazon +150.222.217.226/31 Amazon +150.222.217.228/30 Amazon +150.222.217.232/31 Amazon +150.222.217.234/31 Amazon +150.222.217.248/31 Amazon +150.222.217.250/31 Amazon +150.222.218.0/24 Amazon +150.222.219.0/24 Amazon +150.222.220.0/24 Amazon +150.222.221.0/24 Amazon +150.222.222.0/24 Amazon +150.222.223.0/24 Amazon +150.222.224.0/24 Amazon +150.222.226.0/24 Amazon +150.222.227.0/24 Amazon +150.222.228.0/24 Amazon +150.222.229.0/24 Amazon +150.222.230.92/32 Amazon +150.222.230.93/32 Amazon +150.222.230.94/31 Amazon +150.222.230.96/31 Amazon +150.222.230.98/31 Amazon +150.222.230.100/31 Amazon +150.222.230.102/31 Amazon +150.222.230.104/31 Amazon +150.222.230.106/31 Amazon +150.222.230.108/31 Amazon +150.222.230.110/31 Amazon +150.222.230.112/31 Amazon +150.222.230.114/31 Amazon +150.222.230.116/31 Amazon +150.222.230.118/31 Amazon +150.222.230.120/31 Amazon +150.222.230.122/31 Amazon +150.222.230.124/31 Amazon +150.222.231.0/24 Amazon +150.222.232.51/32 Amazon +150.222.232.88/32 Amazon +150.222.232.94/31 Amazon +150.222.232.96/28 Amazon +150.222.232.112/31 Amazon +150.222.232.114/31 Amazon +150.222.232.116/31 Amazon +150.222.232.118/31 Amazon +150.222.232.120/31 Amazon +150.222.233.0/24 Amazon +150.222.234.0/32 Amazon +150.222.234.1/32 Amazon +150.222.234.2/32 Amazon +150.222.234.3/32 Amazon +150.222.234.4/32 Amazon +150.222.234.5/32 Amazon +150.222.234.6/31 Amazon +150.222.234.8/31 Amazon +150.222.234.10/31 Amazon +150.222.234.12/31 Amazon +150.222.234.14/31 Amazon +150.222.234.16/31 Amazon +150.222.234.18/31 Amazon +150.222.234.20/31 Amazon +150.222.234.22/31 Amazon +150.222.234.24/31 Amazon +150.222.234.26/31 Amazon +150.222.234.28/31 Amazon +150.222.234.30/31 Amazon +150.222.234.32/31 Amazon +150.222.234.34/31 Amazon +150.222.234.36/31 Amazon +150.222.234.38/31 Amazon +150.222.234.40/31 Amazon +150.222.234.42/31 Amazon +150.222.234.44/31 Amazon +150.222.234.46/31 Amazon +150.222.234.48/31 Amazon +150.222.234.50/31 Amazon +150.222.234.52/31 Amazon +150.222.234.54/31 Amazon +150.222.234.56/31 Amazon +150.222.234.58/31 Amazon +150.222.234.60/31 Amazon +150.222.234.62/31 Amazon +150.222.234.64/31 Amazon +150.222.234.66/31 Amazon +150.222.234.68/31 Amazon +150.222.234.70/31 Amazon +150.222.234.72/31 Amazon +150.222.234.74/31 Amazon +150.222.234.76/31 Amazon +150.222.234.78/31 Amazon +150.222.234.80/31 Amazon +150.222.234.82/31 Amazon +150.222.234.84/31 Amazon +150.222.234.86/31 Amazon +150.222.234.96/31 Amazon +150.222.234.98/31 Amazon +150.222.234.100/31 Amazon +150.222.234.102/32 Amazon +150.222.234.103/32 Amazon +150.222.234.104/31 Amazon +150.222.234.106/31 Amazon +150.222.234.108/31 Amazon +150.222.234.110/31 Amazon +150.222.234.112/31 Amazon +150.222.234.114/31 Amazon +150.222.234.116/31 Amazon +150.222.234.118/31 Amazon +150.222.234.120/31 Amazon +150.222.234.122/31 Amazon +150.222.234.124/31 Amazon +150.222.234.126/31 Amazon +150.222.234.128/31 Amazon +150.222.234.130/31 Amazon +150.222.234.132/31 Amazon +150.222.234.134/31 Amazon +150.222.234.136/31 Amazon +150.222.234.138/31 Amazon +150.222.234.140/31 Amazon +150.222.234.142/31 Amazon +150.222.235.0/24 Amazon +150.222.236.0/24 Amazon +150.222.237.0/24 Amazon +150.222.239.0/24 Amazon +150.222.240.131/32 Amazon +150.222.240.135/32 Amazon +150.222.240.137/32 Amazon +150.222.240.161/32 Amazon +150.222.240.207/32 Amazon +150.222.240.237/32 Amazon +150.222.240.245/32 Amazon +150.222.240.247/32 Amazon +150.222.240.249/32 Amazon +150.222.240.251/32 Amazon +150.222.242.84/31 Amazon +150.222.242.97/32 Amazon +150.222.242.99/32 Amazon +150.222.242.214/31 Amazon +150.222.242.227/32 Amazon +150.222.242.229/32 Amazon +150.222.242.231/32 Amazon +150.222.242.233/32 Amazon +150.222.243.9/32 Amazon +150.222.243.11/32 Amazon +150.222.243.13/32 Amazon +150.222.243.15/32 Amazon +150.222.243.17/32 Amazon +150.222.243.19/32 Amazon +150.222.243.33/32 Amazon +150.222.243.35/32 Amazon +150.222.243.37/32 Amazon +150.222.243.39/32 Amazon +150.222.243.41/32 Amazon +150.222.243.43/32 Amazon +150.222.243.45/32 Amazon +150.222.243.47/32 Amazon +150.222.243.51/32 Amazon +150.222.243.53/32 Amazon +150.222.243.55/32 Amazon +150.222.243.57/32 Amazon +150.222.243.59/32 Amazon +150.222.243.177/32 Amazon +150.222.244.35/32 Amazon +150.222.244.37/32 Amazon +150.222.245.122/31 Amazon +150.222.252.244/31 Amazon +150.222.252.246/31 Amazon +150.222.252.248/31 Amazon +150.222.252.250/31 Amazon +157.175.0.0/16 Amazon +157.241.0.0/16 Amazon +160.1.0.0/16 Amazon +161.188.128.0/23 Amazon +161.188.130.0/23 Amazon +161.188.132.0/23 Amazon +161.188.134.0/23 Amazon +161.188.136.0/23 Amazon +161.188.138.0/23 Amazon +161.188.140.0/23 Amazon +161.188.142.0/23 Amazon +161.188.144.0/23 Amazon +161.188.146.0/23 Amazon +161.188.148.0/23 Amazon +161.188.150.0/23 Amazon +161.188.152.0/23 Amazon +161.188.154.0/23 Amazon +161.188.156.0/23 Amazon +161.188.158.0/23 Amazon +161.188.160.0/23 Amazon +161.189.0.0/16 Amazon +162.213.232.0/24 Amazon +162.213.233.0/24 Amazon +162.213.234.0/23 Amazon +162.222.148.0/22 Amazon +162.250.236.0/24 Amazon +162.250.237.0/24 Amazon +162.250.238.0/23 Amazon +172.96.97.0/24 Amazon +172.96.98.0/24 Amazon +172.96.110.0/24 Amazon +174.129.0.0/16 Amazon +175.41.128.0/18 Amazon +175.41.192.0/18 Amazon +176.32.64.0/19 Amazon +176.32.96.0/21 Amazon +176.32.104.0/21 Amazon +176.32.112.0/21 Amazon +176.32.120.0/22 Amazon +176.32.124.128/25 Amazon +176.32.125.0/25 Amazon +176.32.125.128/26 Amazon +176.32.125.192/27 Amazon +176.32.125.224/31 Amazon +176.32.125.226/31 Amazon +176.32.125.228/31 Amazon +176.32.125.230/31 Amazon +176.32.125.232/31 Amazon +176.32.125.234/31 Amazon +176.32.125.236/31 Amazon +176.32.125.238/31 Amazon +176.32.125.240/31 Amazon +176.32.125.242/31 Amazon +176.32.125.244/31 Amazon +176.32.125.246/31 Amazon +176.32.125.248/31 Amazon +176.32.125.250/31 Amazon +176.32.125.252/31 Amazon +176.32.125.254/31 Amazon +176.34.0.0/19 Amazon +176.34.32.0/19 Amazon +176.34.64.0/18 Amazon +176.34.128.0/17 Amazon +177.71.128.0/17 Amazon +177.72.240.0/21 Amazon +178.236.0.0/20 Amazon +180.163.57.0/25 Amazon +180.163.57.128/26 Amazon +184.72.0.0/18 Amazon +184.72.64.0/18 Amazon +184.72.128.0/17 Amazon +184.73.0.0/16 Amazon +184.169.128.0/17 Amazon +185.48.120.0/22 Amazon +185.143.16.0/24 Amazon +195.17.0.0/24 Amazon +198.99.2.0/24 Amazon +199.127.232.0/22 Amazon +203.83.220.0/22 Amazon +204.45.0.0/16 Amazon +204.236.128.0/18 Amazon +204.236.192.0/18 Amazon +204.246.160.0/22 Amazon +204.246.164.0/22 Amazon +204.246.168.0/22 Amazon +204.246.172.0/24 Amazon +204.246.173.0/24 Amazon +204.246.174.0/23 Amazon +204.246.176.0/20 Amazon +205.251.192.0/21 Amazon +205.251.200.0/21 Amazon +205.251.208.0/20 Amazon +205.251.224.0/22 Amazon +205.251.228.0/22 Amazon +205.251.232.0/22 Amazon +205.251.236.0/22 Amazon +205.251.240.0/22 Amazon +205.251.244.0/23 Amazon +205.251.246.0/24 Amazon +205.251.247.0/24 Amazon +205.251.248.0/24 Amazon +205.251.249.0/24 Amazon +205.251.250.0/23 Amazon +205.251.252.0/23 Amazon +205.251.254.0/24 Amazon +207.171.160.0/20 Amazon +207.171.176.0/20 Amazon +208.86.88.0/23 Amazon +208.86.90.0/23 Amazon +208.110.48.0/20 Amazon +209.54.176.0/21 Amazon +209.54.184.0/21 Amazon +216.137.32.0/19 Amazon +216.182.224.0/21 Amazon +216.182.232.0/22 Amazon +216.182.236.0/23 Amazon +216.182.238.0/23 Amazon +223.71.11.0/27 Amazon +223.71.71.96/27 Amazon +223.71.71.128/25 Amazon + + +# Digital Ocean +# from https://docs.digitalocean.com/products/platform/ +# last update Sept 2022 +5.101.96.0/21 Digital Ocean +5.101.104.0/22 Digital Ocean +24.199.64.0/22 Digital Ocean +24.199.68.0/22 Digital Ocean +37.139.0.0/19 Digital Ocean +45.55.0.0/19 Digital Ocean +45.55.32.0/19 Digital Ocean +45.55.64.0/19 Digital Ocean +45.55.96.0/22 Digital Ocean +45.55.100.0/22 Digital Ocean +45.55.104.0/22 Digital Ocean +45.55.108.0/22 Digital Ocean +45.55.112.0/22 Digital Ocean +45.55.116.0/22 Digital Ocean +45.55.120.0/22 Digital Ocean +45.55.124.0/22 Digital Ocean +45.55.128.0/18 Digital Ocean +45.55.192.0/18 Digital Ocean +46.101.0.0/18 Digital Ocean +46.101.64.0/22 Digital Ocean +46.101.68.0/22 Digital Ocean +46.101.72.0/21 Digital Ocean +46.101.80.0/20 Digital Ocean +46.101.96.0/20 Digital Ocean +46.101.112.0/20 Digital Ocean +46.101.124.0/22 Digital Ocean +46.101.128.0/18 Digital Ocean +46.101.192.0/18 Digital Ocean +64.225.0.0/20 Digital Ocean +64.225.16.0/20 Digital Ocean +64.225.32.0/20 Digital Ocean +64.225.48.0/20 Digital Ocean +64.225.64.0/20 Digital Ocean +64.225.80.0/22 Digital Ocean +64.225.84.0/22 Digital Ocean +64.225.88.0/22 Digital Ocean +64.225.92.0/22 Digital Ocean +64.225.96.0/20 Digital Ocean +64.225.112.0/20 Digital Ocean +64.227.0.0/20 Digital Ocean +64.227.16.0/20 Digital Ocean +64.227.32.0/20 Digital Ocean +64.227.48.0/20 Digital Ocean +64.227.64.0/20 Digital Ocean +64.227.80.0/20 Digital Ocean +64.227.96.0/20 Digital Ocean +64.227.112.0/20 Digital Ocean +64.227.128.0/19 Digital Ocean +64.227.160.0/20 Digital Ocean +64.227.176.0/20 Digital Ocean +67.205.128.0/20 Digital Ocean +67.205.144.0/20 Digital Ocean +67.205.160.0/20 Digital Ocean +67.205.176.0/20 Digital Ocean +67.207.68.0/22 Digital Ocean +67.207.72.0/22 Digital Ocean +67.207.76.0/22 Digital Ocean +67.207.80.0/20 Digital Ocean +68.183.0.0/20 Digital Ocean +68.183.16.0/20 Digital Ocean +68.183.32.0/20 Digital Ocean +68.183.48.0/20 Digital Ocean +68.183.64.0/20 Digital Ocean +68.183.80.0/20 Digital Ocean +68.183.96.0/20 Digital Ocean +68.183.112.0/20 Digital Ocean +68.183.128.0/20 Digital Ocean +68.183.144.0/20 Digital Ocean +68.183.160.0/20 Digital Ocean +68.183.176.0/20 Digital Ocean +68.183.192.0/20 Digital Ocean +68.183.208.0/20 Digital Ocean +68.183.224.0/20 Digital Ocean +68.183.240.0/22 Digital Ocean +68.183.244.0/22 Digital Ocean +68.183.248.0/22 Digital Ocean +68.183.252.0/22 Digital Ocean +69.55.49.0/24 Digital Ocean +69.55.54.0/24 Digital Ocean +69.55.55.0/24 Digital Ocean +69.55.59.64/26 Digital Ocean +69.55.59.128/26 Digital Ocean +69.55.59.192/27 Digital Ocean +69.55.60.96/27 Digital Ocean +69.55.60.128/26 Digital Ocean +69.55.61.64/26 Digital Ocean +69.55.62.0/26 Digital Ocean +80.240.128.0/20 Digital Ocean +82.196.0.0/20 Digital Ocean +95.85.1.0/24 Digital Ocean +95.85.2.0/24 Digital Ocean +95.85.3.0/24 Digital Ocean +95.85.4.0/24 Digital Ocean +95.85.5.0/24 Digital Ocean +95.85.6.0/24 Digital Ocean +95.85.7.0/24 Digital Ocean +95.85.8.0/24 Digital Ocean +95.85.9.0/24 Digital Ocean +95.85.10.0/24 Digital Ocean +95.85.11.0/24 Digital Ocean +95.85.12.0/24 Digital Ocean +95.85.13.0/24 Digital Ocean +95.85.14.0/24 Digital Ocean +95.85.15.0/24 Digital Ocean +95.85.16.0/24 Digital Ocean +95.85.17.0/24 Digital Ocean +95.85.18.0/24 Digital Ocean +95.85.19.0/24 Digital Ocean +95.85.20.0/24 Digital Ocean +95.85.21.0/24 Digital Ocean +95.85.22.0/24 Digital Ocean +95.85.23.0/24 Digital Ocean +95.85.24.0/24 Digital Ocean +95.85.25.0/24 Digital Ocean +95.85.26.0/24 Digital Ocean +95.85.27.0/24 Digital Ocean +95.85.28.0/24 Digital Ocean +95.85.29.0/24 Digital Ocean +95.85.30.0/24 Digital Ocean +95.85.31.0/24 Digital Ocean +95.85.32.0/24 Digital Ocean +95.85.33.0/24 Digital Ocean +95.85.34.0/24 Digital Ocean +95.85.35.0/24 Digital Ocean +95.85.36.0/24 Digital Ocean +95.85.37.0/24 Digital Ocean +95.85.38.0/24 Digital Ocean +95.85.39.0/24 Digital Ocean +95.85.40.0/24 Digital Ocean +95.85.41.0/24 Digital Ocean +95.85.42.0/24 Digital Ocean +95.85.43.0/24 Digital Ocean +95.85.44.0/24 Digital Ocean +95.85.45.0/24 Digital Ocean +95.85.46.0/24 Digital Ocean +95.85.47.0/24 Digital Ocean +95.85.48.0/24 Digital Ocean +95.85.49.0/24 Digital Ocean +95.85.50.0/24 Digital Ocean +95.85.51.0/24 Digital Ocean +95.85.52.0/24 Digital Ocean +95.85.53.0/24 Digital Ocean +95.85.54.0/24 Digital Ocean +95.85.55.0/24 Digital Ocean +95.85.56.0/24 Digital Ocean +95.85.57.0/24 Digital Ocean +95.85.58.0/24 Digital Ocean +95.85.59.0/24 Digital Ocean +95.85.60.0/24 Digital Ocean +95.85.61.0/24 Digital Ocean +95.85.62.0/24 Digital Ocean +95.85.63.0/24 Digital Ocean +103.253.145.0/24 Digital Ocean +103.253.146.0/24 Digital Ocean +103.253.147.0/24 Digital Ocean +104.131.0.0/18 Digital Ocean +104.131.64.0/18 Digital Ocean +104.131.128.0/20 Digital Ocean +104.131.144.0/20 Digital Ocean +104.131.160.0/20 Digital Ocean +104.131.176.0/20 Digital Ocean +104.131.192.0/19 Digital Ocean +104.131.224.0/19 Digital Ocean +104.236.0.0/18 Digital Ocean +104.236.64.0/18 Digital Ocean +104.236.128.0/18 Digital Ocean +104.236.192.0/18 Digital Ocean +104.248.0.0/20 Digital Ocean +104.248.16.0/20 Digital Ocean +104.248.32.0/20 Digital Ocean +104.248.48.0/20 Digital Ocean +104.248.64.0/20 Digital Ocean +104.248.80.0/20 Digital Ocean +104.248.96.0/22 Digital Ocean +104.248.100.0/22 Digital Ocean +104.248.104.0/22 Digital Ocean +104.248.108.0/22 Digital Ocean +104.248.112.0/20 Digital Ocean +104.248.128.0/20 Digital Ocean +104.248.144.0/20 Digital Ocean +104.248.160.0/20 Digital Ocean +104.248.176.0/20 Digital Ocean +104.248.192.0/20 Digital Ocean +104.248.208.0/20 Digital Ocean +104.248.224.0/20 Digital Ocean +104.248.240.0/20 Digital Ocean +107.170.0.0/18 Digital Ocean +107.170.64.0/20 Digital Ocean +107.170.80.0/20 Digital Ocean +107.170.96.0/20 Digital Ocean +107.170.112.0/20 Digital Ocean +107.170.128.0/19 Digital Ocean +107.170.160.0/19 Digital Ocean +107.170.192.0/20 Digital Ocean +107.170.208.0/20 Digital Ocean +107.170.224.0/24 Digital Ocean +107.170.225.0/24 Digital Ocean +107.170.226.0/24 Digital Ocean +107.170.227.0/24 Digital Ocean +107.170.228.0/24 Digital Ocean +107.170.229.0/24 Digital Ocean +107.170.230.0/24 Digital Ocean +107.170.231.0/24 Digital Ocean +107.170.232.0/24 Digital Ocean +107.170.233.0/24 Digital Ocean +107.170.234.0/24 Digital Ocean +107.170.235.0/24 Digital Ocean +107.170.236.0/24 Digital Ocean +107.170.237.0/24 Digital Ocean +107.170.238.0/24 Digital Ocean +107.170.239.0/24 Digital Ocean +107.170.240.0/24 Digital Ocean +107.170.241.0/24 Digital Ocean +107.170.242.0/24 Digital Ocean +107.170.243.0/24 Digital Ocean +107.170.244.0/24 Digital Ocean +107.170.245.0/24 Digital Ocean +107.170.246.0/24 Digital Ocean +107.170.247.0/24 Digital Ocean +107.170.248.0/24 Digital Ocean +107.170.249.0/24 Digital Ocean +107.170.250.0/24 Digital Ocean +107.170.251.0/24 Digital Ocean +107.170.252.0/24 Digital Ocean +107.170.253.0/24 Digital Ocean +107.170.254.0/24 Digital Ocean +107.170.255.0/24 Digital Ocean +128.199.0.0/20 Digital Ocean +128.199.16.0/20 Digital Ocean +128.199.32.0/19 Digital Ocean +128.199.64.0/18 Digital Ocean +128.199.128.0/18 Digital Ocean +128.199.192.0/18 Digital Ocean +134.122.0.0/20 Digital Ocean +134.122.16.0/20 Digital Ocean +134.122.32.0/20 Digital Ocean +134.122.48.0/20 Digital Ocean +134.122.64.0/20 Digital Ocean +134.122.80.0/20 Digital Ocean +134.122.96.0/20 Digital Ocean +134.122.112.0/20 Digital Ocean +134.209.0.0/20 Digital Ocean +134.209.16.0/20 Digital Ocean +134.209.32.0/20 Digital Ocean +134.209.48.0/20 Digital Ocean +134.209.64.0/20 Digital Ocean +134.209.80.0/20 Digital Ocean +134.209.96.0/20 Digital Ocean +134.209.112.0/20 Digital Ocean +134.209.128.0/22 Digital Ocean +134.209.132.0/22 Digital Ocean +134.209.136.0/22 Digital Ocean +134.209.140.0/22 Digital Ocean +134.209.144.0/20 Digital Ocean +134.209.160.0/20 Digital Ocean +134.209.176.0/20 Digital Ocean +134.209.192.0/20 Digital Ocean +134.209.208.0/20 Digital Ocean +134.209.224.0/20 Digital Ocean +134.209.240.0/20 Digital Ocean +137.184.0.0/20 Digital Ocean +137.184.16.0/20 Digital Ocean +137.184.32.0/20 Digital Ocean +137.184.48.0/20 Digital Ocean +137.184.64.0/20 Digital Ocean +137.184.80.0/20 Digital Ocean +137.184.96.0/20 Digital Ocean +137.184.112.0/20 Digital Ocean +137.184.128.0/20 Digital Ocean +137.184.144.0/20 Digital Ocean +137.184.160.0/20 Digital Ocean +137.184.176.0/20 Digital Ocean +137.184.192.0/20 Digital Ocean +137.184.208.0/20 Digital Ocean +137.184.224.0/20 Digital Ocean +137.184.240.0/22 Digital Ocean +137.184.244.0/22 Digital Ocean +137.184.248.0/22 Digital Ocean +137.184.254.0/24 Digital Ocean +138.68.0.0/20 Digital Ocean +138.68.16.0/20 Digital Ocean +138.68.36.0/22 Digital Ocean +138.68.40.0/21 Digital Ocean +138.68.48.0/20 Digital Ocean +138.68.64.0/20 Digital Ocean +138.68.80.0/20 Digital Ocean +138.68.96.0/20 Digital Ocean +138.68.112.0/22 Digital Ocean +138.68.116.0/22 Digital Ocean +138.68.120.0/23 Digital Ocean +138.68.122.0/23 Digital Ocean +138.68.124.0/22 Digital Ocean +138.68.128.0/20 Digital Ocean +138.68.144.0/20 Digital Ocean +138.68.160.0/20 Digital Ocean +138.68.176.0/20 Digital Ocean +138.68.192.0/22 Digital Ocean +138.68.196.0/22 Digital Ocean +138.68.200.0/22 Digital Ocean +138.68.204.0/22 Digital Ocean +138.68.208.0/20 Digital Ocean +138.68.224.0/20 Digital Ocean +138.68.240.0/20 Digital Ocean +138.197.0.0/20 Digital Ocean +138.197.16.0/20 Digital Ocean +138.197.32.0/20 Digital Ocean +138.197.48.0/22 Digital Ocean +138.197.52.0/22 Digital Ocean +138.197.56.0/22 Digital Ocean +138.197.60.0/22 Digital Ocean +138.197.64.0/20 Digital Ocean +138.197.80.0/20 Digital Ocean +138.197.96.0/20 Digital Ocean +138.197.112.0/20 Digital Ocean +138.197.128.0/20 Digital Ocean +138.197.144.0/20 Digital Ocean +138.197.160.0/20 Digital Ocean +138.197.176.0/20 Digital Ocean +138.197.192.0/20 Digital Ocean +138.197.208.0/20 Digital Ocean +138.197.224.0/22 Digital Ocean +138.197.228.0/22 Digital Ocean +138.197.232.0/22 Digital Ocean +138.197.236.0/22 Digital Ocean +138.197.240.0/22 Digital Ocean +138.197.252.0/22 Digital Ocean +139.59.0.0/20 Digital Ocean +139.59.16.0/20 Digital Ocean +139.59.32.0/20 Digital Ocean +139.59.48.0/22 Digital Ocean +139.59.52.0/22 Digital Ocean +139.59.56.0/21 Digital Ocean +139.59.64.0/20 Digital Ocean +139.59.80.0/20 Digital Ocean +139.59.96.0/20 Digital Ocean +139.59.112.0/20 Digital Ocean +139.59.128.0/20 Digital Ocean +139.59.144.0/20 Digital Ocean +139.59.160.0/20 Digital Ocean +139.59.176.0/20 Digital Ocean +139.59.192.0/22 Digital Ocean +139.59.196.0/22 Digital Ocean +139.59.200.0/22 Digital Ocean +139.59.204.0/22 Digital Ocean +139.59.208.0/21 Digital Ocean +139.59.216.0/22 Digital Ocean +139.59.220.0/22 Digital Ocean +139.59.224.0/20 Digital Ocean +139.59.240.0/20 Digital Ocean +141.0.169.0/24 Digital Ocean +141.0.170.0/24 Digital Ocean +142.93.0.0/20 Digital Ocean +142.93.16.0/20 Digital Ocean +142.93.32.0/20 Digital Ocean +142.93.48.0/20 Digital Ocean +142.93.64.0/20 Digital Ocean +142.93.80.0/20 Digital Ocean +142.93.96.0/20 Digital Ocean +142.93.112.0/20 Digital Ocean +142.93.128.0/20 Digital Ocean +142.93.144.0/20 Digital Ocean +142.93.160.0/20 Digital Ocean +142.93.176.0/20 Digital Ocean +142.93.192.0/20 Digital Ocean +142.93.208.0/20 Digital Ocean +142.93.224.0/20 Digital Ocean +142.93.240.0/20 Digital Ocean +143.110.128.0/20 Digital Ocean +143.110.144.0/20 Digital Ocean +143.110.160.0/20 Digital Ocean +143.110.176.0/20 Digital Ocean +143.110.192.0/20 Digital Ocean +143.110.208.0/20 Digital Ocean +143.110.224.0/20 Digital Ocean +143.110.240.0/20 Digital Ocean +143.198.0.0/20 Digital Ocean +143.198.16.0/20 Digital Ocean +143.198.32.0/20 Digital Ocean +143.198.48.0/20 Digital Ocean +143.198.64.0/20 Digital Ocean +143.198.80.0/20 Digital Ocean +143.198.96.0/20 Digital Ocean +143.198.112.0/20 Digital Ocean +143.198.128.0/20 Digital Ocean +143.198.144.0/20 Digital Ocean +143.198.160.0/20 Digital Ocean +143.198.176.0/20 Digital Ocean +143.198.192.0/20 Digital Ocean +143.198.208.0/20 Digital Ocean +143.198.224.0/20 Digital Ocean +143.198.240.0/22 Digital Ocean +143.198.244.0/22 Digital Ocean +143.198.248.0/22 Digital Ocean +143.244.128.0/20 Digital Ocean +143.244.144.0/20 Digital Ocean +143.244.160.0/20 Digital Ocean +143.244.176.0/20 Digital Ocean +143.244.196.0/22 Digital Ocean +143.244.200.0/22 Digital Ocean +143.244.204.0/22 Digital Ocean +143.244.208.0/22 Digital Ocean +143.244.212.0/22 Digital Ocean +143.244.218.0/24 Digital Ocean +143.244.220.0/22 Digital Ocean +144.126.192.0/20 Digital Ocean +144.126.208.0/20 Digital Ocean +144.126.224.0/20 Digital Ocean +144.126.240.0/22 Digital Ocean +144.126.244.0/22 Digital Ocean +144.126.248.0/22 Digital Ocean +144.126.252.0/22 Digital Ocean +146.185.128.0/24 Digital Ocean +146.185.129.0/24 Digital Ocean +146.185.130.0/24 Digital Ocean +146.185.131.0/24 Digital Ocean +146.185.132.0/24 Digital Ocean +146.185.133.0/24 Digital Ocean +146.185.134.0/24 Digital Ocean +146.185.135.0/24 Digital Ocean +146.185.136.0/24 Digital Ocean +146.185.137.0/24 Digital Ocean +146.185.138.0/24 Digital Ocean +146.185.139.0/24 Digital Ocean +146.185.140.0/24 Digital Ocean +146.185.141.0/24 Digital Ocean +146.185.142.0/24 Digital Ocean +146.185.143.0/24 Digital Ocean +146.185.144.0/24 Digital Ocean +146.185.145.0/24 Digital Ocean +146.185.146.0/24 Digital Ocean +146.185.147.0/24 Digital Ocean +146.185.148.0/24 Digital Ocean +146.185.149.0/24 Digital Ocean +146.185.150.0/24 Digital Ocean +146.185.151.0/24 Digital Ocean +146.185.152.0/24 Digital Ocean +146.185.153.0/24 Digital Ocean +146.185.154.0/24 Digital Ocean +146.185.155.0/24 Digital Ocean +146.185.156.0/24 Digital Ocean +146.185.157.0/24 Digital Ocean +146.185.158.0/24 Digital Ocean +146.185.159.0/24 Digital Ocean +146.185.160.0/24 Digital Ocean +146.185.161.0/24 Digital Ocean +146.185.162.0/24 Digital Ocean +146.185.163.0/24 Digital Ocean +146.185.164.0/24 Digital Ocean +146.185.165.0/24 Digital Ocean +146.185.166.0/24 Digital Ocean +146.185.167.0/24 Digital Ocean +146.185.168.0/24 Digital Ocean +146.185.169.0/24 Digital Ocean +146.185.170.0/24 Digital Ocean +146.185.171.0/24 Digital Ocean +146.185.172.0/24 Digital Ocean +146.185.173.0/24 Digital Ocean +146.185.174.0/24 Digital Ocean +146.185.175.0/24 Digital Ocean +146.185.176.0/24 Digital Ocean +146.185.177.0/24 Digital Ocean +146.185.178.0/24 Digital Ocean +146.185.179.0/24 Digital Ocean +146.185.180.0/24 Digital Ocean +146.185.181.0/24 Digital Ocean +146.185.182.0/24 Digital Ocean +146.185.183.0/24 Digital Ocean +146.185.184.0/21 Digital Ocean +146.190.0.0/22 Digital Ocean +146.190.4.0/22 Digital Ocean +146.190.8.0/22 Digital Ocean +146.190.12.0/22 Digital Ocean +146.190.16.0/20 Digital Ocean +146.190.32.0/19 Digital Ocean +146.190.192.0/22 Digital Ocean +146.190.224.0/20 Digital Ocean +146.190.240.0/20 Digital Ocean +147.182.128.0/20 Digital Ocean +147.182.144.0/20 Digital Ocean +147.182.160.0/20 Digital Ocean +147.182.176.0/20 Digital Ocean +147.182.192.0/20 Digital Ocean +147.182.208.0/20 Digital Ocean +147.182.224.0/20 Digital Ocean +147.182.240.0/20 Digital Ocean +157.230.0.0/20 Digital Ocean +157.230.16.0/20 Digital Ocean +157.230.32.0/20 Digital Ocean +157.230.48.0/20 Digital Ocean +157.230.64.0/22 Digital Ocean +157.230.68.0/22 Digital Ocean +157.230.72.0/22 Digital Ocean +157.230.76.0/22 Digital Ocean +157.230.80.0/20 Digital Ocean +157.230.96.0/20 Digital Ocean +157.230.112.0/20 Digital Ocean +157.230.128.0/20 Digital Ocean +157.230.144.0/20 Digital Ocean +157.230.160.0/20 Digital Ocean +157.230.176.0/20 Digital Ocean +157.230.192.0/22 Digital Ocean +157.230.196.0/22 Digital Ocean +157.230.200.0/22 Digital Ocean +157.230.204.0/22 Digital Ocean +157.230.208.0/20 Digital Ocean +157.230.224.0/20 Digital Ocean +157.230.240.0/20 Digital Ocean +157.245.0.0/20 Digital Ocean +157.245.16.0/22 Digital Ocean +157.245.20.0/22 Digital Ocean +157.245.24.0/22 Digital Ocean +157.245.28.0/22 Digital Ocean +157.245.32.0/20 Digital Ocean +157.245.48.0/20 Digital Ocean +157.245.64.0/20 Digital Ocean +157.245.80.0/20 Digital Ocean +157.245.96.0/20 Digital Ocean +157.245.112.0/20 Digital Ocean +157.245.128.0/20 Digital Ocean +157.245.144.0/20 Digital Ocean +157.245.160.0/20 Digital Ocean +157.245.176.0/20 Digital Ocean +157.245.192.0/20 Digital Ocean +157.245.208.0/20 Digital Ocean +157.245.224.0/20 Digital Ocean +157.245.240.0/20 Digital Ocean +159.65.0.0/20 Digital Ocean +159.65.16.0/20 Digital Ocean +159.65.32.0/20 Digital Ocean +159.65.48.0/20 Digital Ocean +159.65.64.0/20 Digital Ocean +159.65.80.0/20 Digital Ocean +159.65.96.0/20 Digital Ocean +159.65.112.0/20 Digital Ocean +159.65.128.0/20 Digital Ocean +159.65.144.0/20 Digital Ocean +159.65.160.0/20 Digital Ocean +159.65.176.0/20 Digital Ocean +159.65.192.0/20 Digital Ocean +159.65.208.0/22 Digital Ocean +159.65.212.0/22 Digital Ocean +159.65.216.0/21 Digital Ocean +159.65.224.0/20 Digital Ocean +159.65.240.0/20 Digital Ocean +159.89.0.0/20 Digital Ocean +159.89.16.0/20 Digital Ocean +159.89.32.0/20 Digital Ocean +159.89.48.0/21 Digital Ocean +159.89.64.0/20 Digital Ocean +159.89.80.0/20 Digital Ocean +159.89.96.0/20 Digital Ocean +159.89.112.0/20 Digital Ocean +159.89.128.0/20 Digital Ocean +159.89.144.0/20 Digital Ocean +159.89.160.0/20 Digital Ocean +159.89.176.0/20 Digital Ocean +159.89.192.0/20 Digital Ocean +159.89.208.0/22 Digital Ocean +159.89.212.0/22 Digital Ocean +159.89.216.0/22 Digital Ocean +159.89.220.0/22 Digital Ocean +159.89.224.0/20 Digital Ocean +159.89.240.0/22 Digital Ocean +159.89.244.0/22 Digital Ocean +159.89.248.0/22 Digital Ocean +159.89.252.0/22 Digital Ocean +159.203.0.0/20 Digital Ocean +159.203.16.0/20 Digital Ocean +159.203.32.0/20 Digital Ocean +159.203.48.0/22 Digital Ocean +159.203.52.0/22 Digital Ocean +159.203.56.0/21 Digital Ocean +159.203.64.0/20 Digital Ocean +159.203.80.0/20 Digital Ocean +159.203.96.0/20 Digital Ocean +159.203.112.0/20 Digital Ocean +159.203.128.0/20 Digital Ocean +159.203.144.0/22 Digital Ocean +159.203.148.0/22 Digital Ocean +159.203.152.0/22 Digital Ocean +159.203.156.0/22 Digital Ocean +159.203.160.0/20 Digital Ocean +159.203.176.0/20 Digital Ocean +159.203.192.0/20 Digital Ocean +159.203.208.0/20 Digital Ocean +159.203.224.0/20 Digital Ocean +159.203.240.0/20 Digital Ocean +159.223.0.0/20 Digital Ocean +159.223.16.0/20 Digital Ocean +159.223.32.0/20 Digital Ocean +159.223.48.0/20 Digital Ocean +159.223.64.0/20 Digital Ocean +159.223.80.0/20 Digital Ocean +159.223.96.0/20 Digital Ocean +159.223.112.0/20 Digital Ocean +159.223.128.0/20 Digital Ocean +159.223.144.0/20 Digital Ocean +159.223.160.0/19 Digital Ocean +159.223.192.0/20 Digital Ocean +159.223.208.0/20 Digital Ocean +159.223.224.0/20 Digital Ocean +161.35.0.0/20 Digital Ocean +161.35.16.0/20 Digital Ocean +161.35.32.0/20 Digital Ocean +161.35.48.0/20 Digital Ocean +161.35.64.0/20 Digital Ocean +161.35.80.0/20 Digital Ocean +161.35.96.0/20 Digital Ocean +161.35.112.0/20 Digital Ocean +161.35.128.0/20 Digital Ocean +161.35.144.0/20 Digital Ocean +161.35.160.0/20 Digital Ocean +161.35.176.0/20 Digital Ocean +161.35.192.0/20 Digital Ocean +161.35.208.0/20 Digital Ocean +161.35.224.0/20 Digital Ocean +161.35.240.0/22 Digital Ocean +161.35.244.0/22 Digital Ocean +161.35.248.0/22 Digital Ocean +161.35.252.0/22 Digital Ocean +162.243.0.0/16 Digital Ocean +163.47.8.0/22 Digital Ocean +164.90.128.0/20 Digital Ocean +164.90.144.0/20 Digital Ocean +164.90.160.0/20 Digital Ocean +164.90.176.0/20 Digital Ocean +164.90.192.0/20 Digital Ocean +164.90.208.0/20 Digital Ocean +164.90.224.0/20 Digital Ocean +164.90.240.0/22 Digital Ocean +164.90.244.0/22 Digital Ocean +164.90.252.0/22 Digital Ocean +164.92.64.0/19 Digital Ocean +164.92.96.0/19 Digital Ocean +164.92.128.0/20 Digital Ocean +164.92.144.0/20 Digital Ocean +164.92.160.0/20 Digital Ocean +164.92.176.0/20 Digital Ocean +164.92.192.0/20 Digital Ocean +164.92.208.0/20 Digital Ocean +164.92.224.0/20 Digital Ocean +164.92.240.0/20 Digital Ocean +165.22.0.0/20 Digital Ocean +165.22.16.0/20 Digital Ocean +165.22.32.0/20 Digital Ocean +165.22.48.0/20 Digital Ocean +165.22.64.0/20 Digital Ocean +165.22.80.0/20 Digital Ocean +165.22.96.0/20 Digital Ocean +165.22.112.0/20 Digital Ocean +165.22.128.0/20 Digital Ocean +165.22.144.0/20 Digital Ocean +165.22.160.0/20 Digital Ocean +165.22.176.0/20 Digital Ocean +165.22.192.0/20 Digital Ocean +165.22.208.0/20 Digital Ocean +165.22.224.0/20 Digital Ocean +165.22.240.0/20 Digital Ocean +165.227.0.0/20 Digital Ocean +165.227.16.0/20 Digital Ocean +165.227.32.0/20 Digital Ocean +165.227.48.0/20 Digital Ocean +165.227.64.0/20 Digital Ocean +165.227.80.0/20 Digital Ocean +165.227.96.0/20 Digital Ocean +165.227.112.0/20 Digital Ocean +165.227.128.0/20 Digital Ocean +165.227.144.0/20 Digital Ocean +165.227.160.0/20 Digital Ocean +165.227.176.0/20 Digital Ocean +165.227.192.0/20 Digital Ocean +165.227.208.0/20 Digital Ocean +165.227.224.0/20 Digital Ocean +165.227.240.0/22 Digital Ocean +165.227.244.0/22 Digital Ocean +165.227.248.0/22 Digital Ocean +165.227.252.0/22 Digital Ocean +165.232.32.0/20 Digital Ocean +165.232.48.0/20 Digital Ocean +165.232.64.0/20 Digital Ocean +165.232.80.0/20 Digital Ocean +165.232.96.0/20 Digital Ocean +165.232.112.0/20 Digital Ocean +165.232.128.0/20 Digital Ocean +165.232.144.0/20 Digital Ocean +165.232.160.0/20 Digital Ocean +165.232.176.0/20 Digital Ocean +167.71.0.0/20 Digital Ocean +167.71.16.0/20 Digital Ocean +167.71.32.0/20 Digital Ocean +167.71.48.0/20 Digital Ocean +167.71.64.0/20 Digital Ocean +167.71.80.0/20 Digital Ocean +167.71.96.0/20 Digital Ocean +167.71.112.0/20 Digital Ocean +167.71.128.0/20 Digital Ocean +167.71.144.0/20 Digital Ocean +167.71.160.0/20 Digital Ocean +167.71.176.0/20 Digital Ocean +167.71.192.0/20 Digital Ocean +167.71.208.0/20 Digital Ocean +167.71.224.0/20 Digital Ocean +167.71.240.0/20 Digital Ocean +167.99.0.0/20 Digital Ocean +167.99.16.0/22 Digital Ocean +167.99.20.0/22 Digital Ocean +167.99.24.0/22 Digital Ocean +167.99.28.0/22 Digital Ocean +167.99.32.0/20 Digital Ocean +167.99.48.0/20 Digital Ocean +167.99.64.0/20 Digital Ocean +167.99.80.0/20 Digital Ocean +167.99.96.0/20 Digital Ocean +167.99.112.0/20 Digital Ocean +167.99.128.0/20 Digital Ocean +167.99.144.0/20 Digital Ocean +167.99.160.0/20 Digital Ocean +167.99.176.0/20 Digital Ocean +167.99.192.0/20 Digital Ocean +167.99.208.0/20 Digital Ocean +167.99.224.0/20 Digital Ocean +167.99.240.0/20 Digital Ocean +167.172.0.0/22 Digital Ocean +167.172.4.0/22 Digital Ocean +167.172.8.0/22 Digital Ocean +167.172.12.0/22 Digital Ocean +167.172.16.0/20 Digital Ocean +167.172.32.0/20 Digital Ocean +167.172.48.0/20 Digital Ocean +167.172.64.0/20 Digital Ocean +167.172.80.0/20 Digital Ocean +167.172.96.0/20 Digital Ocean +167.172.112.0/20 Digital Ocean +167.172.128.0/20 Digital Ocean +167.172.144.0/20 Digital Ocean +167.172.160.0/20 Digital Ocean +167.172.176.0/20 Digital Ocean +167.172.192.0/20 Digital Ocean +167.172.208.0/20 Digital Ocean +167.172.224.0/20 Digital Ocean +167.172.240.0/20 Digital Ocean +170.64.128.0/19 Digital Ocean +170.64.248.0/21 Digital Ocean +174.138.0.0/20 Digital Ocean +174.138.16.0/20 Digital Ocean +174.138.32.0/20 Digital Ocean +174.138.48.0/20 Digital Ocean +174.138.64.0/20 Digital Ocean +174.138.80.0/20 Digital Ocean +174.138.96.0/22 Digital Ocean +174.138.100.0/22 Digital Ocean +174.138.104.0/22 Digital Ocean +174.138.108.0/22 Digital Ocean +174.138.112.0/22 Digital Ocean +174.138.116.0/22 Digital Ocean +174.138.120.0/22 Digital Ocean +174.138.124.0/22 Digital Ocean +178.62.0.0/18 Digital Ocean +178.62.64.0/18 Digital Ocean +178.62.128.0/18 Digital Ocean +178.62.192.0/18 Digital Ocean +178.128.0.0/20 Digital Ocean +178.128.16.0/20 Digital Ocean +178.128.32.0/20 Digital Ocean +178.128.48.0/20 Digital Ocean +178.128.64.0/20 Digital Ocean +178.128.80.0/20 Digital Ocean +178.128.96.0/20 Digital Ocean +178.128.112.0/20 Digital Ocean +178.128.128.0/22 Digital Ocean +178.128.132.0/22 Digital Ocean +178.128.136.0/22 Digital Ocean +178.128.140.0/22 Digital Ocean +178.128.144.0/20 Digital Ocean +178.128.160.0/20 Digital Ocean +178.128.176.0/20 Digital Ocean +178.128.192.0/20 Digital Ocean +178.128.208.0/20 Digital Ocean +178.128.224.0/20 Digital Ocean +178.128.240.0/20 Digital Ocean +185.14.184.0/24 Digital Ocean +185.14.185.0/24 Digital Ocean +185.14.186.0/24 Digital Ocean +185.14.187.0/24 Digital Ocean +188.166.0.0/18 Digital Ocean +188.166.64.0/18 Digital Ocean +188.166.128.0/22 Digital Ocean +188.166.132.0/22 Digital Ocean +188.166.136.0/22 Digital Ocean +188.166.140.0/22 Digital Ocean +188.166.144.0/20 Digital Ocean +188.166.160.0/21 Digital Ocean +188.166.168.0/21 Digital Ocean +188.166.176.0/20 Digital Ocean +188.166.192.0/22 Digital Ocean +188.166.196.0/22 Digital Ocean +188.166.200.0/22 Digital Ocean +188.166.204.0/22 Digital Ocean +188.166.208.0/20 Digital Ocean +188.166.224.0/20 Digital Ocean +188.166.240.0/20 Digital Ocean +188.226.128.0/24 Digital Ocean +188.226.129.0/24 Digital Ocean +188.226.130.0/24 Digital Ocean +188.226.131.0/24 Digital Ocean +188.226.132.0/24 Digital Ocean +188.226.133.0/24 Digital Ocean +188.226.134.0/24 Digital Ocean +188.226.135.0/24 Digital Ocean +188.226.136.0/24 Digital Ocean +188.226.137.0/24 Digital Ocean +188.226.138.0/24 Digital Ocean +188.226.139.0/24 Digital Ocean +188.226.140.0/24 Digital Ocean +188.226.141.0/24 Digital Ocean +188.226.142.0/24 Digital Ocean +188.226.143.0/24 Digital Ocean +188.226.144.0/24 Digital Ocean +188.226.145.0/24 Digital Ocean +188.226.146.0/24 Digital Ocean +188.226.147.0/24 Digital Ocean +188.226.148.0/24 Digital Ocean +188.226.149.0/24 Digital Ocean +188.226.150.0/24 Digital Ocean +188.226.151.0/24 Digital Ocean +188.226.152.0/24 Digital Ocean +188.226.153.0/24 Digital Ocean +188.226.154.0/24 Digital Ocean +188.226.155.0/24 Digital Ocean +188.226.156.0/24 Digital Ocean +188.226.157.0/24 Digital Ocean +188.226.158.0/24 Digital Ocean +188.226.159.0/24 Digital Ocean +188.226.160.0/24 Digital Ocean +188.226.161.0/24 Digital Ocean +188.226.162.0/24 Digital Ocean +188.226.163.0/24 Digital Ocean +188.226.164.0/24 Digital Ocean +188.226.165.0/24 Digital Ocean +188.226.166.0/24 Digital Ocean +188.226.167.0/24 Digital Ocean +188.226.168.0/24 Digital Ocean +188.226.169.0/24 Digital Ocean +188.226.170.0/24 Digital Ocean +188.226.171.0/24 Digital Ocean +188.226.172.0/24 Digital Ocean +188.226.173.0/24 Digital Ocean +188.226.174.0/24 Digital Ocean +188.226.175.0/24 Digital Ocean +188.226.176.0/24 Digital Ocean +188.226.177.0/24 Digital Ocean +188.226.178.0/24 Digital Ocean +188.226.179.0/24 Digital Ocean +188.226.180.0/24 Digital Ocean +188.226.181.0/24 Digital Ocean +188.226.182.0/24 Digital Ocean +188.226.183.0/24 Digital Ocean +188.226.184.0/24 Digital Ocean +188.226.185.0/24 Digital Ocean +188.226.186.0/24 Digital Ocean +188.226.187.0/24 Digital Ocean +188.226.188.0/24 Digital Ocean +188.226.189.0/24 Digital Ocean +188.226.190.0/24 Digital Ocean +188.226.191.0/24 Digital Ocean +188.226.192.0/20 Digital Ocean +188.226.208.0/20 Digital Ocean +188.226.224.0/20 Digital Ocean +188.226.240.0/20 Digital Ocean +192.34.56.0/24 Digital Ocean +192.34.57.0/24 Digital Ocean +192.34.58.0/24 Digital Ocean +192.34.59.0/24 Digital Ocean +192.34.60.0/24 Digital Ocean +192.34.61.0/24 Digital Ocean +192.34.62.0/24 Digital Ocean +192.34.63.0/24 Digital Ocean +192.81.208.0/24 Digital Ocean +192.81.209.0/24 Digital Ocean +192.81.210.0/24 Digital Ocean +192.81.211.0/24 Digital Ocean +192.81.212.0/24 Digital Ocean +192.81.213.0/24 Digital Ocean +192.81.214.0/24 Digital Ocean +192.81.215.0/24 Digital Ocean +192.81.216.0/24 Digital Ocean +192.81.217.0/24 Digital Ocean +192.81.218.0/24 Digital Ocean +192.81.219.0/24 Digital Ocean +192.81.220.0/24 Digital Ocean +192.81.221.0/24 Digital Ocean +192.81.222.0/24 Digital Ocean +192.81.223.0/24 Digital Ocean +192.241.128.0/24 Digital Ocean +192.241.129.0/24 Digital Ocean +192.241.130.0/24 Digital Ocean +192.241.131.0/24 Digital Ocean +192.241.132.0/24 Digital Ocean +192.241.133.0/24 Digital Ocean +192.241.134.0/24 Digital Ocean +192.241.135.0/24 Digital Ocean +192.241.136.0/24 Digital Ocean +192.241.137.0/24 Digital Ocean +192.241.138.0/24 Digital Ocean +192.241.139.0/24 Digital Ocean +192.241.140.0/24 Digital Ocean +192.241.141.0/24 Digital Ocean +192.241.142.0/24 Digital Ocean +192.241.143.0/24 Digital Ocean +192.241.144.0/24 Digital Ocean +192.241.145.0/24 Digital Ocean +192.241.146.0/24 Digital Ocean +192.241.147.0/24 Digital Ocean +192.241.148.0/24 Digital Ocean +192.241.149.0/24 Digital Ocean +192.241.150.0/24 Digital Ocean +192.241.151.0/24 Digital Ocean +192.241.152.0/24 Digital Ocean +192.241.153.0/24 Digital Ocean +192.241.154.0/24 Digital Ocean +192.241.155.0/24 Digital Ocean +192.241.156.0/24 Digital Ocean +192.241.157.0/24 Digital Ocean +192.241.158.0/24 Digital Ocean +192.241.159.0/24 Digital Ocean +192.241.160.0/24 Digital Ocean +192.241.161.0/24 Digital Ocean +192.241.162.0/24 Digital Ocean +192.241.163.0/24 Digital Ocean +192.241.165.0/24 Digital Ocean +192.241.166.0/24 Digital Ocean +192.241.167.0/24 Digital Ocean +192.241.168.0/24 Digital Ocean +192.241.169.0/24 Digital Ocean +192.241.170.0/24 Digital Ocean +192.241.171.0/24 Digital Ocean +192.241.172.0/24 Digital Ocean +192.241.173.0/24 Digital Ocean +192.241.174.0/24 Digital Ocean +192.241.175.0/24 Digital Ocean +192.241.176.0/24 Digital Ocean +192.241.177.0/24 Digital Ocean +192.241.178.0/24 Digital Ocean +192.241.179.0/24 Digital Ocean +192.241.180.0/24 Digital Ocean +192.241.181.0/24 Digital Ocean +192.241.182.0/24 Digital Ocean +192.241.183.0/24 Digital Ocean +192.241.184.0/24 Digital Ocean +192.241.185.0/24 Digital Ocean +192.241.186.0/24 Digital Ocean +192.241.187.0/24 Digital Ocean +192.241.188.0/24 Digital Ocean +192.241.189.0/24 Digital Ocean +192.241.190.0/24 Digital Ocean +192.241.191.0/24 Digital Ocean +192.241.192.0/24 Digital Ocean +192.241.193.0/24 Digital Ocean +192.241.194.0/24 Digital Ocean +192.241.195.0/24 Digital Ocean +192.241.196.0/24 Digital Ocean +192.241.197.0/24 Digital Ocean +192.241.198.0/24 Digital Ocean +192.241.199.0/24 Digital Ocean +192.241.200.0/24 Digital Ocean +192.241.201.0/24 Digital Ocean +192.241.202.0/24 Digital Ocean +192.241.203.0/24 Digital Ocean +192.241.204.0/24 Digital Ocean +192.241.205.0/24 Digital Ocean +192.241.206.0/24 Digital Ocean +192.241.207.0/24 Digital Ocean +192.241.208.0/24 Digital Ocean +192.241.209.0/24 Digital Ocean +192.241.210.0/24 Digital Ocean +192.241.211.0/24 Digital Ocean +192.241.212.0/24 Digital Ocean +192.241.213.0/24 Digital Ocean +192.241.214.0/24 Digital Ocean +192.241.215.0/24 Digital Ocean +192.241.216.0/24 Digital Ocean +192.241.217.0/24 Digital Ocean +192.241.218.0/24 Digital Ocean +192.241.219.0/24 Digital Ocean +192.241.220.0/24 Digital Ocean +192.241.221.0/24 Digital Ocean +192.241.222.0/24 Digital Ocean +192.241.223.0/24 Digital Ocean +192.241.224.0/24 Digital Ocean +192.241.225.0/24 Digital Ocean +192.241.226.0/24 Digital Ocean +192.241.227.0/24 Digital Ocean +192.241.228.0/24 Digital Ocean +192.241.229.0/24 Digital Ocean +192.241.230.0/24 Digital Ocean +192.241.231.0/24 Digital Ocean +192.241.232.0/24 Digital Ocean +192.241.233.0/24 Digital Ocean +192.241.234.0/24 Digital Ocean +192.241.235.0/24 Digital Ocean +192.241.236.0/24 Digital Ocean +192.241.237.0/24 Digital Ocean +192.241.238.0/24 Digital Ocean +192.241.239.0/24 Digital Ocean +192.241.240.0/24 Digital Ocean +192.241.241.0/24 Digital Ocean +192.241.242.0/24 Digital Ocean +192.241.243.0/24 Digital Ocean +192.241.244.0/24 Digital Ocean +192.241.245.0/24 Digital Ocean +192.241.246.0/24 Digital Ocean +192.241.247.0/24 Digital Ocean +192.241.248.0/24 Digital Ocean +192.241.249.0/24 Digital Ocean +192.241.250.0/24 Digital Ocean +192.241.251.0/24 Digital Ocean +192.241.252.0/24 Digital Ocean +192.241.253.0/24 Digital Ocean +192.241.254.0/24 Digital Ocean +192.241.255.0/24 Digital Ocean +198.199.64.0/24 Digital Ocean +198.199.65.0/24 Digital Ocean +198.199.66.0/24 Digital Ocean +198.199.67.0/24 Digital Ocean +198.199.68.0/24 Digital Ocean +198.199.69.0/24 Digital Ocean +198.199.70.0/24 Digital Ocean +198.199.71.0/24 Digital Ocean +198.199.72.0/24 Digital Ocean +198.199.73.0/24 Digital Ocean +198.199.74.0/24 Digital Ocean +198.199.75.0/24 Digital Ocean +198.199.76.0/24 Digital Ocean +198.199.77.0/24 Digital Ocean +198.199.78.0/24 Digital Ocean +198.199.79.0/24 Digital Ocean +198.199.80.0/24 Digital Ocean +198.199.81.0/24 Digital Ocean +198.199.82.0/24 Digital Ocean +198.199.83.0/24 Digital Ocean +198.199.84.0/24 Digital Ocean +198.199.85.0/24 Digital Ocean +198.199.86.0/24 Digital Ocean +198.199.87.0/24 Digital Ocean +198.199.88.0/24 Digital Ocean +198.199.89.0/24 Digital Ocean +198.199.90.0/24 Digital Ocean +198.199.91.0/24 Digital Ocean +198.199.92.0/24 Digital Ocean +198.199.93.0/24 Digital Ocean +198.199.94.0/24 Digital Ocean +198.199.95.0/24 Digital Ocean +198.199.96.0/24 Digital Ocean +198.199.97.0/24 Digital Ocean +198.199.98.0/24 Digital Ocean +198.199.100.0/24 Digital Ocean +198.199.101.0/24 Digital Ocean +198.199.102.0/24 Digital Ocean +198.199.103.0/24 Digital Ocean +198.199.104.0/24 Digital Ocean +198.199.105.0/24 Digital Ocean +198.199.106.0/24 Digital Ocean +198.199.107.0/24 Digital Ocean +198.199.108.0/24 Digital Ocean +198.199.109.0/24 Digital Ocean +198.199.110.0/24 Digital Ocean +198.199.111.0/24 Digital Ocean +198.199.112.0/24 Digital Ocean +198.199.113.0/24 Digital Ocean +198.199.114.0/24 Digital Ocean +198.199.115.0/24 Digital Ocean +198.199.116.0/24 Digital Ocean +198.199.117.0/24 Digital Ocean +198.199.118.0/24 Digital Ocean +198.199.119.0/24 Digital Ocean +198.199.120.0/24 Digital Ocean +198.199.121.0/24 Digital Ocean +198.199.122.0/24 Digital Ocean +198.199.123.0/24 Digital Ocean +198.199.124.0/24 Digital Ocean +198.199.125.0/24 Digital Ocean +198.199.126.0/24 Digital Ocean +198.199.127.0/24 Digital Ocean +198.211.96.0/24 Digital Ocean +198.211.97.0/24 Digital Ocean +198.211.98.0/24 Digital Ocean +198.211.99.0/24 Digital Ocean +198.211.100.0/24 Digital Ocean +198.211.101.0/24 Digital Ocean +198.211.102.0/24 Digital Ocean +198.211.103.0/24 Digital Ocean +198.211.104.0/24 Digital Ocean +198.211.105.0/24 Digital Ocean +198.211.106.0/24 Digital Ocean +198.211.107.0/24 Digital Ocean +198.211.108.0/24 Digital Ocean +198.211.109.0/24 Digital Ocean +198.211.110.0/24 Digital Ocean +198.211.112.0/24 Digital Ocean +198.211.113.0/24 Digital Ocean +198.211.114.0/24 Digital Ocean +198.211.115.0/24 Digital Ocean +198.211.116.0/24 Digital Ocean +198.211.117.0/24 Digital Ocean +198.211.118.0/24 Digital Ocean +198.211.119.0/24 Digital Ocean +198.211.120.0/24 Digital Ocean +198.211.121.0/24 Digital Ocean +198.211.122.0/24 Digital Ocean +198.211.123.0/24 Digital Ocean +198.211.124.0/24 Digital Ocean +198.211.125.0/24 Digital Ocean +198.211.126.0/24 Digital Ocean +198.211.127.0/24 Digital Ocean +204.48.16.0/20 Digital Ocean +206.81.0.0/20 Digital Ocean +206.81.16.0/20 Digital Ocean +206.189.0.0/20 Digital Ocean +206.189.16.0/20 Digital Ocean +206.189.32.0/20 Digital Ocean +206.189.48.0/20 Digital Ocean +206.189.64.0/20 Digital Ocean +206.189.80.0/20 Digital Ocean +206.189.96.0/20 Digital Ocean +206.189.112.0/20 Digital Ocean +206.189.128.0/20 Digital Ocean +206.189.144.0/20 Digital Ocean +206.189.160.0/20 Digital Ocean +206.189.176.0/20 Digital Ocean +206.189.192.0/20 Digital Ocean +206.189.208.0/20 Digital Ocean +206.189.224.0/20 Digital Ocean +206.189.240.0/22 Digital Ocean +206.189.244.0/22 Digital Ocean +206.189.248.0/22 Digital Ocean +206.189.252.0/22 Digital Ocean +207.154.192.0/20 Digital Ocean +207.154.208.0/20 Digital Ocean +207.154.224.0/20 Digital Ocean +207.154.240.0/20 Digital Ocean +208.68.36.0/24 Digital Ocean +208.68.37.0/24 Digital Ocean +208.68.38.0/24 Digital Ocean +208.68.39.0/24 Digital Ocean +209.97.128.0/20 Digital Ocean +209.97.144.0/20 Digital Ocean +209.97.160.0/20 Digital Ocean +209.97.176.0/20 Digital Ocean
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fnettrace/tail.c ^
@@ -0,0 +1,63 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +/ +#include "fnettrace.h" + +void tail(const char logfile) { + assert(logfile); + + // wait for no more than 5 seconds for the logfile to appear in the filesystem + int cnt = 5; + while (access(logfile, R_OK) && cnt > 0) + cnt--; + if (cnt == 0) + exit(1); + + off_t last_size = 0; + + while (1) { + int fd = open(logfile, O_RDONLY); + if (fd == -1) + return; + + off_t size = lseek(fd, 0, SEEK_END); + if (size < 0) { + close(fd); + return; + } + + char content = NULL; + int mmapped = 0; + if (size && size != last_size) { + content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); + close(fd); + if (content != MAP_FAILED) + mmapped = 1; + } + + if (mmapped) { + printf("%.s", (int) (size - last_size), content + last_size); + fflush(0); + munmap(content, size); + last_size = size; + } + + sleep(1); + } +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fsec-optimize +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h +MOD_OBJS = ../lib/common.o ../lib/errno.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/fsec_optimize.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-optimize/optimizer.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fsec-print +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h +MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/fsec_print.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fsec-print/print.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fseccomp +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/syscall.h +MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/fseccomp.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -61,6 +61,10 @@ void memory_deny_write_execute(const char fname); void memory_deny_write_execute_32(const char fname); +// namespaces.c +void deny_ns(const char fname, const char list); +void deny_ns_32(const char fname, const char list); + // seccomp_print void filter_print(const char *fname);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -48,6 +48,8 @@ printf("\tfseccomp keep32 file1 file2 list\n"); printf("\tfseccomp memory-deny-write-execute file\n"); printf("\tfseccomp memory-deny-write-execute.32 file\n"); + printf("\tfseccomp restrict-namespaces file list\n"); + printf("\tfseccomp restrict-namespaces.32 file list\n"); } int main(int argc, char **argv) { @@ -135,6 +137,10 @@ memory_deny_write_execute(argv[2]); else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute.32") == 0) memory_deny_write_execute_32(argv[2]); + else if (argc == 4 && strcmp(argv[1], "restrict-namespaces") == 0) + deny_ns(argv[2], argv[3]); + else if (argc == 4 && strcmp(argv[1], "restrict-namespaces.32") == 0) + deny_ns_32(argv[2], argv[3]); else { fprintf(stderr, "Error fseccomp: invalid arguments\n"); return 1;
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/namespaces.c ^
@@ -0,0 +1,212 @@ +/* + * Copyright (C) 2014-2022 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + / +#define _GNU_SOURCE +#include "fseccomp.h" +#include "../include/seccomp.h" +#include <sys/syscall.h> + +#include <sched.h> +#ifndef CLONE_NEWCGROUP +#define CLONE_NEWCGROUP 0x02000000 +#endif +#ifndef CLONE_NEWTIME +#define CLONE_NEWTIME 0x00000080 +#endif + +// 64-bit architectures +#if INTPTR_MAX == INT64_MAX +#if defined __x86_64__ +// i386 syscalls +#define clone_32 120 +#define clone3_32 435 +#define unshare_32 310 +#define setns_32 346 +#else +#warning 32 bit namespaces filter not implemented yet for your architecture +#endif +#endif + + +static int build_ns_mask(const char list) { + int mask = 0; + + char dup = strdup(list); + if (!dup) + errExit("strdup"); + + char token = strtok(dup, ","); + while (token) { + if (strcmp(token, "cgroup") == 0) + mask \|= CLONE_NEWCGROUP; + else if (strcmp(token, "ipc") == 0) + mask \|= CLONE_NEWIPC; + else if (strcmp(token, "net") == 0) + mask \|= CLONE_NEWNET; + else if (strcmp(token, "mnt") == 0) + mask \|= CLONE_NEWNS; + else if (strcmp(token, "pid") == 0) + mask \|= CLONE_NEWPID; + else if (strcmp(token, "time") == 0) + mask \|= CLONE_NEWTIME; + else if (strcmp(token, "user") == 0) + mask \|= CLONE_NEWUSER; + else if (strcmp(token, "uts") == 0) + mask \|= CLONE_NEWUTS; + else { + fprintf(stderr, "Error fseccomp: %s is not a valid namespace\n", token); + exit(1); + } + + token = strtok(NULL, ","); + } + + free(dup); + return mask; +} + +void deny_ns(const char fname, const char list) { + int mask = build_ns_mask(list); + // CLONE_NEWTIME means something different for clone + // create a second mask without it + int clone_mask = mask & ~CLONE_NEWTIME; + + // open file + int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); + if (fd < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + filter_init(fd, true); + + // build filter + struct sock_filter filter[] = { +#ifdef SYS_clone + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_clone, 0, 4), + // s390 has first and second argument flipped +#if defined __s390__ + EXAMINE_ARGUMENT(1), +#else + EXAMINE_ARGUMENT(0), +#endif + BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, clone_mask, 0, 1), + KILL_OR_RETURN_ERRNO, + RETURN_ALLOW, +#endif +#ifdef SYS_clone3 + // cannot inspect clone3 argument because + // seccomp does not dereference pointers + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_clone3, 0, 1), + RETURN_ERRNO(ENOSYS), // hint to use clone instead +#endif +#ifdef SYS_unshare + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_unshare, 0, 4), + EXAMINE_ARGUMENT(0), + BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1), + KILL_OR_RETURN_ERRNO, + RETURN_ALLOW, +#endif +#ifdef SYS_setns + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_setns, 0, 4), + EXAMINE_ARGUMENT(1), + // always fail if argument is zero + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 1, 0), + BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1), + KILL_OR_RETURN_ERRNO, + RETURN_ALLOW +#endif + }; + if (sizeof(filter)) + write_to_file(fd, filter, sizeof(filter)); + + filter_end_blacklist(fd); + + // close file + close(fd); +} + +void deny_ns_32(const char fname, const char list) { + int mask = build_ns_mask(list); + // CLONE_NEWTIME means something different for clone + // create a second mask without it + int clone_mask = mask & ~CLONE_NEWTIME; + + // open file + int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH); + if (fd < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + filter_init(fd, false); + + // build filter + struct sock_filter filter[] = { +#ifdef clone_32 + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, clone_32, 0, 4), + EXAMINE_ARGUMENT(0), + BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, clone_mask, 0, 1), + KILL_OR_RETURN_ERRNO, + RETURN_ALLOW, +#endif +#ifdef clone3_32 + // cannot inspect clone3 argument because + // seccomp does not dereference pointers + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, clone3_32, 0, 1), + RETURN_ERRNO(ENOSYS), // hint to use clone instead +#endif +#ifdef unshare_32 + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, unshare_32, 0, 4), + EXAMINE_ARGUMENT(0), + BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1), + KILL_OR_RETURN_ERRNO, + RETURN_ALLOW, +#endif +#ifdef setns_32 + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, setns_32, 0, 4), + EXAMINE_ARGUMENT(1), + // always fail if argument is zero + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 1, 0), + BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, mask, 0, 1), + KILL_OR_RETURN_ERRNO, + RETURN_ALLOW +#endif + }; + + // For Debian 10 and older, the size of the filter[] array will be 0. + // The following filter will end up being generated: + // + // FILE: /run/firejail/mnt/seccomp/seccomp.namespaces.32 + // line OP JT JF K + // ================================= + // 0000: 20 00 00 00000004 ld data.architecture + // 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) + // 0002: 06 00 00 7fff0000 ret ALLOW + // 0003: 20 00 00 00000000 ld data.syscall-number + // 0004: 06 00 00 7fff0000 ret ALLOW + // + if (sizeof(filter)) + write_to_file(fd, filter, sizeof(filter)); + + filter_end_blacklist(fd); + + // close file + close(fd); +}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/protocol.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -132,15 +132,18 @@ EXAMINE_SYSCALL, // 1 // checking SYS_socket only: filtering SYS_socketcall not possible with seccomp ONLY(359), // 1 + 2 - BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1 + BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 3 + 2), 0, 0), // 1 + 2 + 1 #else #warning 32 bit protocol filter not implemented yet for your architecture #endif VALIDATE_ARCHITECTURE, // 3 EXAMINE_SYSCALL, // 3 + 1 - ONLY(SYS_socket), // 3 + 1 + 2 +#if defined __x86_64__ + HANDLE_X32, // 3 + 1 + 3 +#endif + ONLY(SYS_socket), // 3 + 1 (+ 3) + 2 - EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1 + EXAMINE_ARGUMENT(0) // 3 + 1 (+ 3) + 2 + 1 }; memcpy(ptr, &filter_start[0], sizeof(filter_start)); ptr += sizeof(filter_start);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/seccomp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/seccomp_file.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fseccomp/seccomp_secondary.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fshaper/fshaper.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 TCFILE=""
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/ftee/Makefile ^
@@ -0,0 +1,7 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = ftee +TARGET = $(PROG) + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/ftee/ftee.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/ftee/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fzenity/Makefile ^
@@ -0,0 +1,9 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = fzenity +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h + +include $(ROOT)/src/prog.mk
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/fzenity/main.c ^
@@ -0,0 +1,176 @@ +#include "../include/common.h" +#include <sys/ioctl.h> + +static char arg_title = NULL; +static char arg_text = NULL; +static int arg_info = 0; +static int arg_question = 0; + +static inline void ansi_topleft(void) { + char str[] = {0x1b, '[', '1', ';', '1', 'H', '\0'}; + printf("%s", str); + fflush(0); +} + +static inline void ansi_clrscr(void) { + ansi_topleft(); + char str[] = {0x1b, '[', '0', 'J', '\0'}; + printf("%s", str); + fflush(0); +} + +char remove_markup(char in) { + char out = malloc(strlen(in) + 1); + if (!out) + errExit("malloc"); + memset(out, 0, strlen(in) + 1); + + char ptr = in; + char outptr = out; + while (ptr != '\0') { + // skip <> markup + if (ptr == '<') { + while (ptr != '\0' && ptr != '>') + ptr++; + if (ptr == '\0') { + fprintf(stderr, "Error: invalid markup\n"); + exit(0); + } + ptr++; + } + // replace literal \n with char '\n' + else if (ptr == '\\' && (ptr + 1) == 'n') { + ptr += 2; + outptr++ = '\n'; + continue; + } + // replace '/n' with ' ' + else if (ptr == '\n') { + if ((ptr + 1) == '\n') { + outptr++ = '\n'; + outptr++ = '\n'; + ptr += 2; + } + else { + outptr++ = ' '; + ptr++; + } + } + else + outptr++ = ptr++; + } + + return out; +} + +char print_line(char in, int col) { + char ptr = in; + int i = 0; + while (ptr != '\n' && ptr != '\0' && i < col) { + ptr++; + i++; + } + + if (ptr == '\n') { + ptr++ = '\0'; + printf("%s\n", in); + return ptr; + } + else if (i == col) { + while (ptr != ' ' && ptr != in) + ptr--; + ptr++ = '\0'; + printf("%s\n", in); + return ptr; + } + assert(0); + return NULL; +} + +void paginate(char in) { + struct winsize w; + unsigned col = 80; + if (ioctl(0, TIOCGWINSZ, &w) == 0) + col = w.ws_col; + + char ptr = in; + while (ptr != '\0') { + if (strlen(ptr) < col) { + printf("%s", ptr); + return; + } + ptr =print_line(ptr, col); + } + + return; +} + +static void info(void) { + ansi_clrscr(); + if (arg_text == NULL) { + fprintf(stderr, "Error: --text argument required\n"); + exit(1); + } + + if (arg_title) + printf("%s\n\n", arg_title); + + char ptr = strstr(arg_text, "Press OK to continue"); + if (ptr) + ptr = '\0'; + char out = remove_markup(arg_text); + paginate(out); + free(out); + + printf("\nContinue? (Y/N): "); + + int c = getchar(); + if (c == 'y' \|\| c == 'Y') + exit(0); + exit(1); +} + +static void question(void) { + ansi_clrscr(); + if (arg_text == NULL) { + fprintf(stderr, "Error: --text argument required\n"); + exit(1); + } + + if (arg_title) + printf("%s\n\n", arg_title); + + char ptr = strstr(arg_text, "Press OK to continue"); + if (ptr) + ptr = '\0'; + char out = remove_markup(arg_text); + paginate(out); + free(out); + + printf("\n\n(Y/N): "); + + int c = getchar(); + if (c == 'y' \|\| c == 'Y') + exit(0); + exit(1); +} + +int main(int argc, char **argv) { + int i; + for (i = 1; i < argc; i++) { +//printf("argv %d: #%s#\n", i, argv[i]); + if (strcmp(argv[i], "--info") == 0) + arg_info = 1; + else if (strcmp(argv[i], "--question") == 0) + arg_question = 1; + else if (strncmp(argv[i], "--text=", 7) == 0) + arg_text = argv[i] + 7; + } + + if (arg_question) + question(); + else if (arg_info) + info(); + + return 0; +}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/common.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -73,6 +73,25 @@ return 0; } +// read an IPv4 address in CIDR format, for example 192.168.1.0/24 +static inline int atocidr(const char str, uint32_t ip, uint32_t mask) { + unsigned a, b, c, d, e; + + // extract ip + int rv = sscanf(str, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &e); + if (rv != 5 \|\| a > 255 \|\| b > 255 \|\| c > 255 \|\| d > 255 \|\| e > 32) + return 1; + ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d; + + // extract mask + uint32_t tmp; + unsigned i; + for (i = 0, mask = 0, tmp = 0x80000000; i < e; i++, tmp >>= 1) { + mask \|= tmp; + } + return 0; +} + // verify an ip address is in the network range given by ifip and mask static inline char in_netrange(uint32_t ip, uint32_t ifip, uint32_t ifmask) { if ((ip & ifmask) != (ifip & ifmask)) @@ -115,12 +134,19 @@ void timetrace_start(void); float timetrace_end(void); -int join_namespace(pid_t pid, char type); +int join_namespace_by_fd(int dirfd, char typestr); +int join_namespace(pid_t pid, char typestr); int name2pid(const char name, pid_t pid); char pid_proc_comm(const pid_t pid); char pid_proc_cmdline(const pid_t pid); int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); int pid_hidepid(void); +char do_replace_cntrl_chars(char str, char c); +char replace_cntrl_chars(const char str, char c); +int has_cntrl_chars(const char str); +void reject_cntrl_chars(const char fname); +void reject_meta_chars(const char fname, int globbing); void warn_dumpable(void); const char gnu_basename(const char path); +int str_to_int_array(const char str, size_t sz); #endif
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/euid_common.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/firejail_user.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/gcov_wrapper.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2021 Firejail Authors + * Copyright (C) 2022 Firejail Authors * * This file is part of firejail project * @@ -21,7 +21,7 @@ #ifndef GCOV_WRAPPER_H #define GCOV_WRAPPER_H -#ifdef HAS_GCOV +#ifdef HAVE_GCOV #include <gcov.h> /* @@ -41,6 +41,6 @@ #define __gcov_dump() ((void)0) #define __gcov_reset() ((void)0) #define __gcov_flush() ((void)0) -#endif /* HAS_GCOV / +#endif / HAVE_GCOV / #endif / GCOV_WRAPPER_H */
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/ldd_utils.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/pid.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -31,14 +31,23 @@ unsigned char zombie; pid_t parent; uid_t uid; - char user; - char cmd; - unsigned utime; - unsigned stime; - unsigned long long rx; // network rx, bytes - unsigned long long tx; // networking tx, bytes - unsigned rx_delta; - unsigned tx_delta; + + union { + struct event_t { + char user; + char cmd; + } event; + + struct top_t { + unsigned utime; + unsigned stime; + } top; + + struct netstats_t { + unsigned long long rx; // network rx, bytes + unsigned long long tx; // networking tx, bytes + } netstats; + } option; } Process; //extern Process pids[max_pids]; extern Process pids; @@ -52,7 +61,6 @@ // print functions void pid_print_tree(unsigned index, unsigned parent, int nowrap); void pid_print_list(unsigned index, int nowrap); -void pid_store_cpu(unsigned index, unsigned parent, unsigned utime, unsigned *stime); void pid_read(pid_t mon_pid); #endif
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/rundefs.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -23,6 +23,7 @@ // filesystem #define RUN_FIREJAIL_BASEDIR "/run" #define RUN_FIREJAIL_DIR RUN_FIREJAIL_BASEDIR "/firejail" +#define RUN_FIREJAIL_SANDBOX_DIR RUN_FIREJAIL_DIR "/sandbox" #define RUN_FIREJAIL_APPIMAGE_DIR RUN_FIREJAIL_DIR "/appimage" #define RUN_FIREJAIL_NAME_DIR RUN_FIREJAIL_DIR "/name" // also used in src/lib/pid.c - todo: move it in a common place #define RUN_FIREJAIL_LIB_DIR RUN_FIREJAIL_DIR "/lib" @@ -36,7 +37,6 @@ #define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir" #define RUN_RO_FILE RUN_FIREJAIL_DIR "/firejail.ro.file" #define RUN_MNT_DIR RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created -#define RUN_CGROUP_CFG RUN_MNT_DIR "/cgroup" #define RUN_CPU_CFG RUN_MNT_DIR "/cpu" #define RUN_GROUPS_CFG RUN_MNT_DIR "/groups" #define RUN_PROTOCOL_CFG RUN_MNT_DIR "/protocol" @@ -68,6 +68,8 @@ #define RUN_SECCOMP_32 RUN_SECCOMP_DIR "/seccomp.32" // 32bit arch filter installed on 64bit architectures #define RUN_SECCOMP_MDWX RUN_SECCOMP_DIR "/seccomp.mdwx" // filter for memory-deny-write-execute #define RUN_SECCOMP_MDWX_32 RUN_SECCOMP_DIR "/seccomp.mdwx.32" +#define RUN_SECCOMP_NS RUN_SECCOMP_DIR "/seccomp.namespaces" +#define RUN_SECCOMP_NS_32 RUN_SECCOMP_DIR "/seccomp.namespaces.32" #define RUN_SECCOMP_BLOCK_SECONDARY RUN_SECCOMP_DIR "/seccomp.block_secondary" // secondary arch blocking filter #define RUN_SECCOMP_POSTEXEC RUN_SECCOMP_DIR "/seccomp.postexec" // filter for post-exec library #define RUN_SECCOMP_POSTEXEC_32 RUN_SECCOMP_DIR "/seccomp.postexec32" // filter for post-exec library
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/seccomp.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -250,6 +250,9 @@ #define RETURN_ALLOW \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) +#define RETURN_KILL \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) + #define RETURN_ERRNO(nr) \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO \| nr)
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall_armeabi.h ^
@@ -1,355 +1,401 @@ -{ "accept", 285 }, -{ "accept4", 366 }, -{ "access", 33 }, -{ "acct", 51 }, -{ "add_key", 309 }, -{ "adjtimex", 124 }, -{ "alarm", 27 }, -{ "arm_fadvise64_64", 270 }, -{ "arm_sync_file_range", 341 }, -{ "bdflush", 134 }, -{ "bind", 282 }, -{ "bpf", 386 }, -{ "brk", 45 }, -{ "capget", 184 }, -{ "capset", 185 }, +{ "exit", 1 }, +{ "fork", 2 }, +{ "read", 3 }, +{ "write", 4 }, +{ "open", 5 }, +{ "close", 6 }, +{ "creat", 8 }, +{ "link", 9 }, +{ "unlink", 10 }, +{ "execve", 11 }, { "chdir", 12 }, +{ "mknod", 14 }, { "chmod", 15 }, -{ "chown", 182 }, -{ "chown32", 212 }, +{ "lchown", 16 }, +{ "lseek", 19 }, +{ "getpid", 20 }, +{ "mount", 21 }, +{ "setuid", 23 }, +{ "getuid", 24 }, +{ "ptrace", 26 }, +{ "pause", 29 }, +{ "access", 33 }, +{ "nice", 34 }, +{ "sync", 36 }, +{ "kill", 37 }, +{ "rename", 38 }, +{ "mkdir", 39 }, +{ "rmdir", 40 }, +{ "dup", 41 }, +{ "pipe", 42 }, +{ "times", 43 }, +{ "brk", 45 }, +{ "setgid", 46 }, +{ "getgid", 47 }, +{ "geteuid", 49 }, +{ "getegid", 50 }, +{ "acct", 51 }, +{ "umount2", 52 }, +{ "ioctl", 54 }, +{ "fcntl", 55 }, +{ "setpgid", 57 }, +{ "umask", 60 }, { "chroot", 61 }, -{ "clock_adjtime", 372 }, -{ "clock_getres", 264 }, -{ "clock_gettime", 263 }, -{ "clock_nanosleep", 265 }, -{ "clock_settime", 262 }, -{ "clone", 120 }, -{ "close", 6 }, -{ "connect", 283 }, -{ "creat", 8 }, -{ "delete_module", 129 }, +{ "ustat", 62 }, { "dup2", 63 }, -{ "dup3", 358 }, -{ "dup", 41 }, -{ "epoll_create1", 357 }, -{ "epoll_create", 250 }, -{ "epoll_ctl", 251 }, -{ "epoll_pwait", 346 }, -{ "epoll_wait", 252 }, -{ "eventfd2", 356 }, -{ "eventfd", 351 }, -{ "execve", 11 }, -{ "exit", 1 }, -{ "exit_group", 248 }, -{ "faccessat", 334 }, -{ "faccessat2", 439 }, -{ "fallocate", 352 }, -{ "fanotify_init", 367 }, -{ "fanotify_mark", 368 }, -{ "fchdir", 133 }, +{ "getppid", 64 }, +{ "getpgrp", 65 }, +{ "setsid", 66 }, +{ "sigaction", 67 }, +{ "setreuid", 70 }, +{ "setregid", 71 }, +{ "sigsuspend", 72 }, +{ "sigpending", 73 }, +{ "sethostname", 74 }, +{ "setrlimit", 75 }, +{ "getrusage", 77 }, +{ "gettimeofday", 78 }, +{ "settimeofday", 79 }, +{ "getgroups", 80 }, +{ "setgroups", 81 }, +{ "symlink", 83 }, +{ "readlink", 85 }, +{ "uselib", 86 }, +{ "swapon", 87 }, +{ "reboot", 88 }, +{ "munmap", 91 }, +{ "truncate", 92 }, +{ "ftruncate", 93 }, { "fchmod", 94 }, -{ "fchmodat", 333 }, -{ "fchown32", 207 }, { "fchown", 95 }, -{ "fchownat", 325 }, -{ "fcntl", 55 }, -{ "fcntl64", 221 }, -{ "fdatasync", 148 }, -{ "fgetxattr", 231 }, -{ "finit_module", 379 }, -{ "flistxattr", 234 }, -{ "flock", 143 }, -{ "fork", 2 }, -{ "fremovexattr", 237 }, -{ "fsetxattr", 228 }, -{ "fstat", 108 }, -{ "fstat64", 197 }, -{ "fstatat64", 327 }, +{ "getpriority", 96 }, +{ "setpriority", 97 }, +{ "statfs", 99 }, { "fstatfs", 100 }, -{ "fstatfs64", 267 }, -{ "fsync", 118 }, -{ "ftruncate64", 194 }, -{ "ftruncate", 93 }, -{ "futex", 240 }, -{ "futimesat", 326 }, -{ "getcpu", 345 }, -{ "getcwd", 183 }, -{ "getdents", 141 }, -{ "getdents64", 217 }, -{ "getegid32", 202 }, -{ "getegid", 50 }, -{ "geteuid32", 201 }, -{ "geteuid", 49 }, -{ "getgid32", 200 }, -{ "getgid", 47 }, -{ "getgroups32", 205 }, -{ "getgroups", 80 }, +{ "syslog", 103 }, +{ "setitimer", 104 }, { "getitimer", 105 }, -{ "get_mempolicy", 320 }, -{ "getpeername", 287 }, -{ "getpgid", 132 }, -{ "getpgrp", 65 }, -{ "getpid", 20 }, -{ "getppid", 64 }, -{ "getpriority", 96 }, -{ "getrandom", 384 }, -{ "getresgid", 171 }, -{ "getresgid32", 211 }, -{ "getresuid", 165 }, -{ "getresuid32", 209 }, -{ "getrlimit", 76 }, -{ "get_robust_list", 339 }, -{ "getrusage", 77 }, -{ "getsid", 147 }, -{ "getsockname", 286 }, -{ "getsockopt", 295 }, -{ "gettid", 224 }, -{ "gettimeofday", 78 }, -{ "getuid", 24 }, -{ "getuid32", 199 }, -{ "getxattr", 229 }, -{ "init_module", 128 }, -{ "inotify_add_watch", 317 }, -{ "inotify_init1", 360 }, -{ "inotify_init", 316 }, -{ "inotify_rm_watch", 318 }, -{ "io_cancel", 247 }, -{ "ioctl", 54 }, -{ "io_destroy", 244 }, -{ "io_getevents", 245 }, -{ "ioprio_get", 315 }, -{ "ioprio_set", 314 }, -{ "io_setup", 243 }, -{ "io_submit", 246 }, -{ "ipc", 117 }, -{ "kcmp", 378 }, -{ "kexec_load", 347 }, -{ "keyctl", 311 }, -{ "kill", 37 }, -{ "lchown", 16 }, -{ "lchown32", 198 }, -{ "lgetxattr", 230 }, -{ "link", 9 }, -{ "linkat", 330 }, -{ "listen", 284 }, -{ "listxattr", 232 }, -{ "llistxattr", 233 }, -{ "_llseek", 140 }, -{ "lookup_dcookie", 249 }, -{ "lremovexattr", 236 }, -{ "lseek", 19 }, -{ "lsetxattr", 227 }, +{ "stat", 106 }, { "lstat", 107 }, -{ "lstat64", 196 }, -{ "madvise", 220 }, -{ "mbind", 319 }, -{ "memfd_create", 385 }, -{ "mincore", 219 }, -{ "mkdir", 39 }, -{ "mkdirat", 323 }, -{ "mknod", 14 }, -{ "mknodat", 324 }, -{ "mlock", 150 }, -{ "mlockall", 152 }, -{ "mmap2", 192 }, -{ "mmap", 90 }, -{ "mount", 21 }, -{ "move_pages", 344 }, +{ "fstat", 108 }, +{ "vhangup", 111 }, +{ "wait4", 114 }, +{ "swapoff", 115 }, +{ "sysinfo", 116 }, +{ "fsync", 118 }, +{ "sigreturn", 119 }, +{ "clone", 120 }, +{ "setdomainname", 121 }, +{ "uname", 122 }, +{ "adjtimex", 124 }, { "mprotect", 125 }, -{ "mq_getsetattr", 279 }, -{ "mq_notify", 278 }, -{ "mq_open", 274 }, -{ "mq_timedreceive", 277 }, -{ "mq_timedsend", 276 }, -{ "mq_unlink", 275 }, -{ "mremap", 163 }, -{ "msgctl", 304 }, -{ "msgget", 303 }, -{ "msgrcv", 302 }, -{ "msgsnd", 301 }, +{ "sigprocmask", 126 }, +{ "init_module", 128 }, +{ "delete_module", 129 }, +{ "quotactl", 131 }, +{ "getpgid", 132 }, +{ "fchdir", 133 }, +{ "bdflush", 134 }, +{ "sysfs", 135 }, +{ "personality", 136 }, +{ "setfsuid", 138 }, +{ "setfsgid", 139 }, +{ "_llseek", 140 }, +{ "getdents", 141 }, +{ "_newselect", 142 }, +{ "flock", 143 }, { "msync", 144 }, +{ "readv", 145 }, +{ "writev", 146 }, +{ "getsid", 147 }, +{ "fdatasync", 148 }, +{ "_sysctl", 149 }, +{ "mlock", 150 }, { "munlock", 151 }, +{ "mlockall", 152 }, { "munlockall", 153 }, -{ "munmap", 91 }, -{ "name_to_handle_at", 370 }, +{ "sched_setparam", 154 }, +{ "sched_getparam", 155 }, +{ "sched_setscheduler", 156 }, +{ "sched_getscheduler", 157 }, +{ "sched_yield", 158 }, +{ "sched_get_priority_max", 159 }, +{ "sched_get_priority_min", 160 }, +{ "sched_rr_get_interval", 161 }, { "nanosleep", 162 }, -{ "_newselect", 142 }, -{ "nfsservctl", 169 }, -{ "nice", 34 }, -{ "open", 5 }, -{ "openat", 322 }, -{ "open_by_handle_at", 371 }, -{ "pause", 29 }, -{ "pciconfig_iobase", 271 }, -{ "pciconfig_read", 272 }, -{ "pciconfig_write", 273 }, -{ "perf_event_open", 364 }, -{ "personality", 136 }, -{ "pipe2", 359 }, -{ "pipe", 42 }, -{ "pivot_root", 218 }, +{ "mremap", 163 }, +{ "setresuid", 164 }, +{ "getresuid", 165 }, { "poll", 168 }, -{ "ppoll", 336 }, +{ "nfsservctl", 169 }, +{ "setresgid", 170 }, +{ "getresgid", 171 }, { "prctl", 172 }, -{ "pread64", 180 }, -{ "preadv", 361 }, -{ "prlimit64", 369 }, -{ "process_vm_readv", 376 }, -{ "process_vm_writev", 377 }, -{ "pselect6", 335 }, -{ "ptrace", 26 }, -{ "pwrite64", 181 }, -{ "pwritev", 362 }, -{ "quotactl", 131 }, -{ "read", 3 }, -{ "readahead", 225 }, -{ "readdir", 89 }, -{ "readlink", 85 }, -{ "readlinkat", 332 }, -{ "readv", 145 }, -{ "reboot", 88 }, -{ "recv", 291 }, -{ "recvfrom", 292 }, -{ "recvmmsg", 365 }, -{ "recvmsg", 297 }, -{ "remap_file_pages", 253 }, -{ "removexattr", 235 }, -{ "rename", 38 }, -{ "renameat2", 382 }, -{ "renameat", 329 }, -{ "request_key", 310 }, -{ "rmdir", 40 }, +{ "rt_sigreturn", 173 }, { "rt_sigaction", 174 }, -{ "rt_sigpending", 176 }, { "rt_sigprocmask", 175 }, +{ "rt_sigpending", 176 }, +{ "rt_sigtimedwait", 177 }, { "rt_sigqueueinfo", 178 }, -{ "rt_sigreturn", 173 }, { "rt_sigsuspend", 179 }, -{ "rt_sigtimedwait", 177 }, -{ "rt_tgsigqueueinfo", 363 }, -{ "sched_getaffinity", 242 }, -{ "sched_getattr", 381 }, -{ "sched_getparam", 155 }, -{ "sched_get_priority_max", 159 }, -{ "sched_get_priority_min", 160 }, -{ "sched_getscheduler", 157 }, -{ "sched_rr_get_interval", 161 }, -{ "sched_setaffinity", 241 }, -{ "sched_setattr", 380 }, -{ "sched_setparam", 154 }, -{ "sched_setscheduler", 156 }, -{ "sched_yield", 158 }, -{ "seccomp", 383 }, -{ "select", 82 }, -{ "semctl", 300 }, -{ "semget", 299 }, -{ "semop", 298 }, -{ "semtimedop", 312 }, -{ "send", 289 }, +{ "pread64", 180 }, +{ "pwrite64", 181 }, +{ "chown", 182 }, +{ "getcwd", 183 }, +{ "capget", 184 }, +{ "capset", 185 }, +{ "sigaltstack", 186 }, { "sendfile", 187 }, -{ "sendfile64", 239 }, -{ "sendmmsg", 374 }, -{ "sendmsg", 296 }, -{ "sendto", 290 }, -{ "setdomainname", 121 }, -{ "setfsgid", 139 }, -{ "setfsgid32", 216 }, -{ "setfsuid", 138 }, -{ "setfsuid32", 215 }, -{ "setgid32", 214 }, -{ "setgid", 46 }, -{ "setgroups32", 206 }, -{ "setgroups", 81 }, -{ "sethostname", 74 }, -{ "setitimer", 104 }, -{ "set_mempolicy", 321 }, -{ "setns", 375 }, -{ "setpgid", 57 }, -{ "setpriority", 97 }, +{ "vfork", 190 }, +{ "ugetrlimit", 191 }, +{ "mmap2", 192 }, +{ "truncate64", 193 }, +{ "ftruncate64", 194 }, +{ "stat64", 195 }, +{ "lstat64", 196 }, +{ "fstat64", 197 }, +{ "lchown32", 198 }, +{ "getuid32", 199 }, +{ "getgid32", 200 }, +{ "geteuid32", 201 }, +{ "getegid32", 202 }, +{ "setreuid32", 203 }, { "setregid32", 204 }, -{ "setregid", 71 }, -{ "setresgid", 170 }, -{ "setresgid32", 210 }, -{ "setresuid", 164 }, +{ "getgroups32", 205 }, +{ "setgroups32", 206 }, +{ "fchown32", 207 }, { "setresuid32", 208 }, -{ "setreuid32", 203 }, -{ "setreuid", 70 }, -{ "setrlimit", 75 }, -{ "set_robust_list", 338 }, -{ "setsid", 66 }, -{ "setsockopt", 294 }, -{ "set_tid_address", 256 }, -{ "settimeofday", 79 }, -{ "setuid", 23 }, +{ "getresuid32", 209 }, +{ "setresgid32", 210 }, +{ "getresgid32", 211 }, +{ "chown32", 212 }, { "setuid32", 213 }, +{ "setgid32", 214 }, +{ "setfsuid32", 215 }, +{ "setfsgid32", 216 }, +{ "getdents64", 217 }, +{ "pivot_root", 218 }, +{ "mincore", 219 }, +{ "madvise", 220 }, +{ "fcntl64", 221 }, +{ "gettid", 224 }, +{ "readahead", 225 }, { "setxattr", 226 }, +{ "lsetxattr", 227 }, +{ "fsetxattr", 228 }, +{ "getxattr", 229 }, +{ "lgetxattr", 230 }, +{ "fgetxattr", 231 }, +{ "listxattr", 232 }, +{ "llistxattr", 233 }, +{ "flistxattr", 234 }, +{ "removexattr", 235 }, +{ "lremovexattr", 236 }, +{ "fremovexattr", 237 }, +{ "tkill", 238 }, +{ "sendfile64", 239 }, +{ "futex", 240 }, +{ "sched_setaffinity", 241 }, +{ "sched_getaffinity", 242 }, +{ "io_setup", 243 }, +{ "io_destroy", 244 }, +{ "io_getevents", 245 }, +{ "io_submit", 246 }, +{ "io_cancel", 247 }, +{ "exit_group", 248 }, +{ "lookup_dcookie", 249 }, +{ "epoll_create", 250 }, +{ "epoll_ctl", 251 }, +{ "epoll_wait", 252 }, +{ "remap_file_pages", 253 }, +{ "set_tid_address", 256 }, +{ "timer_create", 257 }, +{ "timer_settime", 258 }, +{ "timer_gettime", 259 }, +{ "timer_getoverrun", 260 }, +{ "timer_delete", 261 }, +{ "clock_settime", 262 }, +{ "clock_gettime", 263 }, +{ "clock_getres", 264 }, +{ "clock_nanosleep", 265 }, +{ "statfs64", 266 }, +{ "fstatfs64", 267 }, +{ "tgkill", 268 }, +{ "utimes", 269 }, +{ "arm_fadvise64_64", 270 }, +{ "pciconfig_iobase", 271 }, +{ "pciconfig_read", 272 }, +{ "pciconfig_write", 273 }, +{ "mq_open", 274 }, +{ "mq_unlink", 275 }, +{ "mq_timedsend", 276 }, +{ "mq_timedreceive", 277 }, +{ "mq_notify", 278 }, +{ "mq_getsetattr", 279 }, +{ "waitid", 280 }, +{ "socket", 281 }, +{ "bind", 282 }, +{ "connect", 283 }, +{ "listen", 284 }, +{ "accept", 285 }, +{ "getsockname", 286 }, +{ "getpeername", 287 }, +{ "socketpair", 288 }, +{ "send", 289 }, +{ "sendto", 290 }, +{ "recv", 291 }, +{ "recvfrom", 292 }, +{ "shutdown", 293 }, +{ "setsockopt", 294 }, +{ "getsockopt", 295 }, +{ "sendmsg", 296 }, +{ "recvmsg", 297 }, +{ "semop", 298 }, +{ "semget", 299 }, +{ "semctl", 300 }, +{ "msgsnd", 301 }, +{ "msgrcv", 302 }, +{ "msgget", 303 }, +{ "msgctl", 304 }, { "shmat", 305 }, -{ "shmctl", 308 }, { "shmdt", 306 }, { "shmget", 307 }, -{ "shutdown", 293 }, -{ "sigaction", 67 }, -{ "sigaltstack", 186 }, -{ "signalfd", 349 }, -{ "signalfd4", 355 }, -{ "sigpending", 73 }, -{ "sigprocmask", 126 }, -{ "sigreturn", 119 }, -{ "sigsuspend", 72 }, -{ "socket", 281 }, -{ "socketcall", 102 }, -{ "socketpair", 288 }, -{ "splice", 340 }, -{ "stat", 106 }, -{ "stat64", 195 }, -{ "statfs64", 266 }, -{ "statfs", 99 }, -{ "stime", 25 }, -{ "swapoff", 115 }, -{ "swapon", 87 }, -{ "symlink", 83 }, +{ "shmctl", 308 }, +{ "add_key", 309 }, +{ "request_key", 310 }, +{ "keyctl", 311 }, +{ "semtimedop", 312 }, +{ "vserver", 313 }, +{ "ioprio_set", 314 }, +{ "ioprio_get", 315 }, +{ "inotify_init", 316 }, +{ "inotify_add_watch", 317 }, +{ "inotify_rm_watch", 318 }, +{ "mbind", 319 }, +{ "get_mempolicy", 320 }, +{ "set_mempolicy", 321 }, +{ "openat", 322 }, +{ "mkdirat", 323 }, +{ "mknodat", 324 }, +{ "fchownat", 325 }, +{ "futimesat", 326 }, +{ "fstatat64", 327 }, +{ "unlinkat", 328 }, +{ "renameat", 329 }, +{ "linkat", 330 }, { "symlinkat", 331 }, -{ "sync", 36 }, -{ "sync_file_range2", 341 }, -{ "syncfs", 373 }, -{ "syscall", 113 }, -{ "_sysctl", 149 }, -{ "sysfs", 135 }, -{ "sysinfo", 116 }, -{ "syslog", 103 }, +{ "readlinkat", 332 }, +{ "fchmodat", 333 }, +{ "faccessat", 334 }, +{ "pselect6", 335 }, +{ "ppoll", 336 }, +{ "unshare", 337 }, +{ "set_robust_list", 338 }, +{ "get_robust_list", 339 }, +{ "splice", 340 }, +{ "arm_sync_file_range", 341 }, { "tee", 342 }, -{ "tgkill", 268 }, -{ "time", 13 }, -{ "timer_create", 257 }, -{ "timer_delete", 261 }, +{ "vmsplice", 343 }, +{ "move_pages", 344 }, +{ "getcpu", 345 }, +{ "epoll_pwait", 346 }, +{ "kexec_load", 347 }, +{ "utimensat", 348 }, +{ "signalfd", 349 }, { "timerfd_create", 350 }, -{ "timerfd_gettime", 354 }, +{ "eventfd", 351 }, +{ "fallocate", 352 }, { "timerfd_settime", 353 }, -{ "timer_getoverrun", 260 }, -{ "timer_gettime", 259 }, -{ "timer_settime", 258 }, -{ "times", 43 }, -{ "tkill", 238 }, -{ "truncate64", 193 }, -{ "truncate", 92 }, -{ "ugetrlimit", 191 }, -{ "umask", 60 }, -{ "umount", 22 }, -{ "umount2", 52 }, -{ "uname", 122 }, -{ "unlink", 10 }, -{ "unlinkat", 328 }, -{ "unshare", 337 }, -{ "uselib", 86 }, -{ "ustat", 62 }, -{ "utime", 30 }, -{ "utimensat", 348 }, -{ "utimes", 269 }, -{ "vfork", 190 }, -{ "vhangup", 111 }, -{ "vmsplice", 343 }, -{ "vserver", 313 }, -{ "wait4", 114 }, -{ "waitid", 280 }, -{ "write", 4 }, -{ "writev", 146 }, +{ "timerfd_gettime", 354 }, +{ "signalfd4", 355 }, +{ "eventfd2", 356 }, +{ "epoll_create1", 357 }, +{ "dup3", 358 }, +{ "pipe2", 359 }, +{ "inotify_init1", 360 }, +{ "preadv", 361 }, +{ "pwritev", 362 }, +{ "rt_tgsigqueueinfo", 363 }, +{ "perf_event_open", 364 }, +{ "recvmmsg", 365 }, +{ "accept4", 366 }, +{ "fanotify_init", 367 }, +{ "fanotify_mark", 368 }, +{ "prlimit64", 369 }, +{ "name_to_handle_at", 370 }, +{ "open_by_handle_at", 371 }, +{ "clock_adjtime", 372 }, +{ "syncfs", 373 }, +{ "sendmmsg", 374 }, +{ "setns", 375 }, +{ "process_vm_readv", 376 }, +{ "process_vm_writev", 377 }, +{ "kcmp", 378 }, +{ "finit_module", 379 }, +{ "sched_setattr", 380 }, +{ "sched_getattr", 381 }, +{ "renameat2", 382 }, +{ "seccomp", 383 }, +{ "getrandom", 384 }, +{ "memfd_create", 385 }, +{ "bpf", 386 }, +{ "execveat", 387 }, +{ "userfaultfd", 388 }, +{ "membarrier", 389 }, +{ "mlock2", 390 }, +{ "copy_file_range", 391 }, +{ "preadv2", 392 }, +{ "pwritev2", 393 }, +{ "pkey_mprotect", 394 }, +{ "pkey_alloc", 395 }, +{ "pkey_free", 396 }, +{ "statx", 397 }, +{ "rseq", 398 }, +{ "io_pgetevents", 399 }, +{ "migrate_pages", 400 }, +{ "kexec_file_load", 401 }, +{ "clock_gettime64", 403 }, +{ "clock_settime64", 404 }, +{ "clock_adjtime64", 405 }, +{ "clock_getres_time64", 406 }, +{ "clock_nanosleep_time64", 407 }, +{ "timer_gettime64", 408 }, +{ "timer_settime64", 409 }, +{ "timerfd_gettime64", 410 }, +{ "timerfd_settime64", 411 }, +{ "utimensat_time64", 412 }, +{ "pselect6_time64", 413 }, +{ "ppoll_time64", 414 }, +{ "io_pgetevents_time64", 416 }, +{ "recvmmsg_time64", 417 }, +{ "mq_timedsend_time64", 418 }, +{ "mq_timedreceive_time64", 419 }, +{ "semtimedop_time64", 420 }, +{ "rt_sigtimedwait_time64", 421 }, +{ "futex_time64", 422 }, +{ "sched_rr_get_interval_time64", 423 }, +{ "pidfd_send_signal", 424 }, +{ "io_uring_setup", 425 }, +{ "io_uring_enter", 426 }, +{ "io_uring_register", 427 }, +{ "open_tree", 428 }, +{ "move_mount", 429 }, +{ "fsopen", 430 }, +{ "fsconfig", 431 }, +{ "fsmount", 432 }, +{ "fspick", 433 }, +{ "pidfd_open", 434 }, +{ "clone3", 435 }, +{ "close_range", 436 }, +{ "openat2", 437 }, +{ "pidfd_getfd", 438 }, +{ "faccessat2", 439 }, +{ "process_madvise", 440 }, +{ "epoll_pwait2", 441 }, +{ "mount_setattr", 442 }, +{ "quotactl_fd", 443 }, +{ "landlock_create_ruleset", 444 }, +{ "landlock_add_rule", 445 }, +{ "landlock_restrict_self", 446 }, +{ "process_mrelease", 448 }, +{ "futex_waitv", 449 },
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall_i386.h ^
@@ -1,426 +1,429 @@ -{ "_llseek", 140 }, -{ "_newselect", 142 }, -{ "_sysctl", 149 }, -{ "accept4", 364 }, -{ "access", 33 }, -{ "acct", 51 }, -{ "add_key", 286 }, -{ "adjtimex", 124 }, -{ "afs_syscall", 137 }, -{ "alarm", 27 }, -{ "arch_prctl", 384 }, -{ "bdflush", 134 }, -{ "bind", 361 }, -{ "bpf", 357 }, -{ "break", 17 }, -{ "brk", 45 }, -{ "capget", 184 }, -{ "capset", 185 }, -{ "chdir", 12 }, -{ "chmod", 15 }, -{ "chown", 182 }, -{ "chown32", 212 }, -{ "chroot", 61 }, -{ "clock_adjtime", 343 }, -{ "clock_adjtime64", 405 }, -{ "clock_getres", 266 }, -{ "clock_getres_time64", 406 }, -{ "clock_gettime", 265 }, -{ "clock_gettime64", 403 }, -{ "clock_nanosleep", 267 }, -{ "clock_nanosleep_time64", 407 }, -{ "clock_settime", 264 }, -{ "clock_settime64", 404 }, -{ "clone", 120 }, -{ "clone3", 435 }, +{ "exit", 1 }, +{ "fork", 2 }, +{ "read", 3 }, +{ "write", 4 }, +{ "open", 5 }, { "close", 6 }, -{ "connect", 362 }, -{ "copy_file_range", 377 }, +{ "waitpid", 7 }, { "creat", 8 }, -{ "create_module", 127 }, -{ "delete_module", 129 }, +{ "link", 9 }, +{ "unlink", 10 }, +{ "execve", 11 }, +{ "chdir", 12 }, +{ "time", 13 }, +{ "mknod", 14 }, +{ "chmod", 15 }, +{ "lchown", 16 }, +{ "break", 17 }, +{ "oldstat", 18 }, +{ "lseek", 19 }, +{ "getpid", 20 }, +{ "mount", 21 }, +{ "umount", 22 }, +{ "setuid", 23 }, +{ "getuid", 24 }, +{ "stime", 25 }, +{ "ptrace", 26 }, +{ "alarm", 27 }, +{ "oldfstat", 28 }, +{ "pause", 29 }, +{ "utime", 30 }, +{ "stty", 31 }, +{ "gtty", 32 }, +{ "access", 33 }, +{ "nice", 34 }, +{ "ftime", 35 }, +{ "sync", 36 }, +{ "kill", 37 }, +{ "rename", 38 }, +{ "mkdir", 39 }, +{ "rmdir", 40 }, { "dup", 41 }, +{ "pipe", 42 }, +{ "times", 43 }, +{ "prof", 44 }, +{ "brk", 45 }, +{ "setgid", 46 }, +{ "getgid", 47 }, +{ "signal", 48 }, +{ "geteuid", 49 }, +{ "getegid", 50 }, +{ "acct", 51 }, +{ "umount2", 52 }, +{ "lock", 53 }, +{ "ioctl", 54 }, +{ "fcntl", 55 }, +{ "mpx", 56 }, +{ "setpgid", 57 }, +{ "ulimit", 58 }, +{ "oldolduname", 59 }, +{ "umask", 60 }, +{ "chroot", 61 }, +{ "ustat", 62 }, { "dup2", 63 }, -{ "dup3", 330 }, -{ "epoll_create", 254 }, -{ "epoll_create1", 329 }, -{ "epoll_ctl", 255 }, -{ "epoll_pwait", 319 }, -{ "epoll_wait", 256 }, -{ "eventfd", 323 }, -{ "eventfd2", 328 }, -{ "execve", 11 }, -{ "execveat", 358 }, -{ "exit", 1 }, -{ "exit_group", 252 }, -{ "faccessat", 307 }, -{ "faccessat2", 439 }, -{ "fadvise64", 250 }, -{ "fadvise64_64", 272 }, -{ "fallocate", 324 }, -{ "fanotify_init", 338 }, -{ "fanotify_mark", 339 }, -{ "fchdir", 133 }, +{ "getppid", 64 }, +{ "getpgrp", 65 }, +{ "setsid", 66 }, +{ "sigaction", 67 }, +{ "sgetmask", 68 }, +{ "ssetmask", 69 }, +{ "setreuid", 70 }, +{ "setregid", 71 }, +{ "sigsuspend", 72 }, +{ "sigpending", 73 }, +{ "sethostname", 74 }, +{ "setrlimit", 75 }, +{ "getrlimit", 76 }, +{ "getrusage", 77 }, +{ "gettimeofday", 78 }, +{ "settimeofday", 79 }, +{ "getgroups", 80 }, +{ "setgroups", 81 }, +{ "select", 82 }, +{ "symlink", 83 }, +{ "oldlstat", 84 }, +{ "readlink", 85 }, +{ "uselib", 86 }, +{ "swapon", 87 }, +{ "reboot", 88 }, +{ "readdir", 89 }, +{ "mmap", 90 }, +{ "munmap", 91 }, +{ "truncate", 92 }, +{ "ftruncate", 93 }, { "fchmod", 94 }, -{ "fchmodat", 306 }, { "fchown", 95 }, -{ "fchown32", 207 }, -{ "fchownat", 298 }, -{ "fcntl", 55 }, -{ "fcntl64", 221 }, -{ "fdatasync", 148 }, -{ "fgetxattr", 231 }, -{ "finit_module", 350 }, -{ "flistxattr", 234 }, -{ "flock", 143 }, -{ "fork", 2 }, -{ "fremovexattr", 237 }, -{ "fsconfig", 431 }, -{ "fsetxattr", 228 }, -{ "fsmount", 432 }, -{ "fsopen", 430 }, -{ "fspick", 433 }, -{ "fstat", 108 }, -{ "fstat64", 197 }, -{ "fstatat64", 300 }, +{ "getpriority", 96 }, +{ "setpriority", 97 }, +{ "profil", 98 }, +{ "statfs", 99 }, { "fstatfs", 100 }, -{ "fstatfs64", 269 }, +{ "ioperm", 101 }, +{ "socketcall", 102 }, +{ "syslog", 103 }, +{ "setitimer", 104 }, +{ "getitimer", 105 }, +{ "stat", 106 }, +{ "lstat", 107 }, +{ "fstat", 108 }, +{ "olduname", 109 }, +{ "iopl", 110 }, +{ "vhangup", 111 }, +{ "idle", 112 }, +{ "vm86old", 113 }, +{ "wait4", 114 }, +{ "swapoff", 115 }, +{ "sysinfo", 116 }, +{ "ipc", 117 }, { "fsync", 118 }, -{ "ftime", 35 }, -{ "ftruncate", 93 }, -{ "ftruncate64", 194 }, -{ "futex", 240 }, -{ "futex_time64", 422 }, -{ "futimesat", 299 }, +{ "sigreturn", 119 }, +{ "clone", 120 }, +{ "setdomainname", 121 }, +{ "uname", 122 }, +{ "modify_ldt", 123 }, +{ "adjtimex", 124 }, +{ "mprotect", 125 }, +{ "sigprocmask", 126 }, +{ "create_module", 127 }, +{ "init_module", 128 }, +{ "delete_module", 129 }, { "get_kernel_syms", 130 }, -{ "get_mempolicy", 275 }, -{ "get_robust_list", 312 }, -{ "get_thread_area", 244 }, -{ "getcpu", 318 }, -{ "getcwd", 183 }, +{ "quotactl", 131 }, +{ "getpgid", 132 }, +{ "fchdir", 133 }, +{ "bdflush", 134 }, +{ "sysfs", 135 }, +{ "personality", 136 }, +{ "afs_syscall", 137 }, +{ "setfsuid", 138 }, +{ "setfsgid", 139 }, +{ "_llseek", 140 }, { "getdents", 141 }, -{ "getdents64", 220 }, -{ "getegid", 50 }, -{ "getegid32", 202 }, -{ "geteuid", 49 }, -{ "geteuid32", 201 }, -{ "getgid", 47 }, +{ "_newselect", 142 }, +{ "flock", 143 }, +{ "msync", 144 }, +{ "readv", 145 }, +{ "writev", 146 }, +{ "getsid", 147 }, +{ "fdatasync", 148 }, +{ "_sysctl", 149 }, +{ "mlock", 150 }, +{ "munlock", 151 }, +{ "mlockall", 152 }, +{ "munlockall", 153 }, +{ "sched_setparam", 154 }, +{ "sched_getparam", 155 }, +{ "sched_setscheduler", 156 }, +{ "sched_getscheduler", 157 }, +{ "sched_yield", 158 }, +{ "sched_get_priority_max", 159 }, +{ "sched_get_priority_min", 160 }, +{ "sched_rr_get_interval", 161 }, +{ "nanosleep", 162 }, +{ "mremap", 163 }, +{ "setresuid", 164 }, +{ "getresuid", 165 }, +{ "vm86", 166 }, +{ "query_module", 167 }, +{ "poll", 168 }, +{ "nfsservctl", 169 }, +{ "setresgid", 170 }, +{ "getresgid", 171 }, +{ "prctl", 172 }, +{ "rt_sigreturn", 173 }, +{ "rt_sigaction", 174 }, +{ "rt_sigprocmask", 175 }, +{ "rt_sigpending", 176 }, +{ "rt_sigtimedwait", 177 }, +{ "rt_sigqueueinfo", 178 }, +{ "rt_sigsuspend", 179 }, +{ "pread64", 180 }, +{ "pwrite64", 181 }, +{ "chown", 182 }, +{ "getcwd", 183 }, +{ "capget", 184 }, +{ "capset", 185 }, +{ "sigaltstack", 186 }, +{ "sendfile", 187 }, +{ "getpmsg", 188 }, +{ "putpmsg", 189 }, +{ "vfork", 190 }, +{ "ugetrlimit", 191 }, +{ "mmap2", 192 }, +{ "truncate64", 193 }, +{ "ftruncate64", 194 }, +{ "stat64", 195 }, +{ "lstat64", 196 }, +{ "fstat64", 197 }, +{ "lchown32", 198 }, +{ "getuid32", 199 }, { "getgid32", 200 }, -{ "getgroups", 80 }, +{ "geteuid32", 201 }, +{ "getegid32", 202 }, +{ "setreuid32", 203 }, +{ "setregid32", 204 }, { "getgroups32", 205 }, -{ "getitimer", 105 }, -{ "getpeername", 368 }, -{ "getpgid", 132 }, -{ "getpgrp", 65 }, -{ "getpid", 20 }, -{ "getpmsg", 188 }, -{ "getppid", 64 }, -{ "getpriority", 96 }, -{ "getrandom", 355 }, -{ "getresgid", 171 }, -{ "getresgid32", 211 }, -{ "getresuid", 165 }, +{ "setgroups32", 206 }, +{ "fchown32", 207 }, +{ "setresuid32", 208 }, { "getresuid32", 209 }, -{ "getrlimit", 76 }, -{ "getrusage", 77 }, -{ "getsid", 147 }, -{ "getsockname", 367 }, -{ "getsockopt", 365 }, +{ "setresgid32", 210 }, +{ "getresgid32", 211 }, +{ "chown32", 212 }, +{ "setuid32", 213 }, +{ "setgid32", 214 }, +{ "setfsuid32", 215 }, +{ "setfsgid32", 216 }, +{ "pivot_root", 217 }, +{ "mincore", 218 }, +{ "madvise", 219 }, +{ "getdents64", 220 }, +{ "fcntl64", 221 }, { "gettid", 224 }, -{ "gettimeofday", 78 }, -{ "getuid", 24 }, -{ "getuid32", 199 }, +{ "readahead", 225 }, +{ "setxattr", 226 }, +{ "lsetxattr", 227 }, +{ "fsetxattr", 228 }, { "getxattr", 229 }, -{ "gtty", 32 }, -{ "idle", 112 }, -{ "init_module", 128 }, -{ "inotify_add_watch", 292 }, -{ "inotify_init", 291 }, -{ "inotify_init1", 332 }, -{ "inotify_rm_watch", 293 }, -{ "io_cancel", 249 }, -{ "io_destroy", 246 }, -{ "io_getevents", 247 }, -{ "io_pgetevents", 385 }, -{ "io_pgetevents_time64", 416 }, -{ "io_setup", 245 }, -{ "io_submit", 248 }, -{ "io_uring_enter", 426 }, -{ "io_uring_register", 427 }, -{ "io_uring_setup", 425 }, -{ "ioctl", 54 }, -{ "ioperm", 101 }, -{ "iopl", 110 }, -{ "ioprio_get", 290 }, -{ "ioprio_set", 289 }, -{ "ipc", 117 }, -{ "kcmp", 349 }, -{ "kexec_load", 283 }, -{ "keyctl", 288 }, -{ "kill", 37 }, -{ "lchown", 16 }, -{ "lchown32", 198 }, { "lgetxattr", 230 }, -{ "link", 9 }, -{ "linkat", 303 }, -{ "listen", 363 }, +{ "fgetxattr", 231 }, { "listxattr", 232 }, { "llistxattr", 233 }, -{ "lock", 53 }, -{ "lookup_dcookie", 253 }, +{ "flistxattr", 234 }, +{ "removexattr", 235 }, { "lremovexattr", 236 }, -{ "lseek", 19 }, -{ "lsetxattr", 227 }, -{ "lstat", 107 }, -{ "lstat64", 196 }, -{ "madvise", 219 }, +{ "fremovexattr", 237 }, +{ "tkill", 238 }, +{ "sendfile64", 239 }, +{ "futex", 240 }, +{ "sched_setaffinity", 241 }, +{ "sched_getaffinity", 242 }, +{ "set_thread_area", 243 }, +{ "get_thread_area", 244 }, +{ "io_setup", 245 }, +{ "io_destroy", 246 }, +{ "io_getevents", 247 }, +{ "io_submit", 248 }, +{ "io_cancel", 249 }, +{ "fadvise64", 250 }, +{ "exit_group", 252 }, +{ "lookup_dcookie", 253 }, +{ "epoll_create", 254 }, +{ "epoll_ctl", 255 }, +{ "epoll_wait", 256 }, +{ "remap_file_pages", 257 }, +{ "set_tid_address", 258 }, +{ "timer_create", 259 }, +{ "timer_settime", 260 }, +{ "timer_gettime", 261 }, +{ "timer_getoverrun", 262 }, +{ "timer_delete", 263 }, +{ "clock_settime", 264 }, +{ "clock_gettime", 265 }, +{ "clock_getres", 266 }, +{ "clock_nanosleep", 267 }, +{ "statfs64", 268 }, +{ "fstatfs64", 269 }, +{ "tgkill", 270 }, +{ "utimes", 271 }, +{ "fadvise64_64", 272 }, +{ "vserver", 273 }, { "mbind", 274 }, -{ "membarrier", 375 }, -{ "memfd_create", 356 }, +{ "get_mempolicy", 275 }, +{ "set_mempolicy", 276 }, +{ "mq_open", 277 }, +{ "mq_unlink", 278 }, +{ "mq_timedsend", 279 }, +{ "mq_timedreceive", 280 }, +{ "mq_notify", 281 }, +{ "mq_getsetattr", 282 }, +{ "kexec_load", 283 }, +{ "waitid", 284 }, +{ "add_key", 286 }, +{ "request_key", 287 }, +{ "keyctl", 288 }, +{ "ioprio_set", 289 }, +{ "ioprio_get", 290 }, +{ "inotify_init", 291 }, +{ "inotify_add_watch", 292 }, +{ "inotify_rm_watch", 293 }, { "migrate_pages", 294 }, -{ "mincore", 218 }, -{ "mkdir", 39 }, +{ "openat", 295 }, { "mkdirat", 296 }, -{ "mknod", 14 }, { "mknodat", 297 }, -{ "mlock", 150 }, -{ "mlock2", 376 }, -{ "mlockall", 152 }, -{ "mmap", 90 }, -{ "mmap2", 192 }, -{ "modify_ldt", 123 }, -{ "mount", 21 }, -{ "move_mount", 429 }, +{ "fchownat", 298 }, +{ "futimesat", 299 }, +{ "fstatat64", 300 }, +{ "unlinkat", 301 }, +{ "renameat", 302 }, +{ "linkat", 303 }, +{ "symlinkat", 304 }, +{ "readlinkat", 305 }, +{ "fchmodat", 306 }, +{ "faccessat", 307 }, +{ "pselect6", 308 }, +{ "ppoll", 309 }, +{ "unshare", 310 }, +{ "set_robust_list", 311 }, +{ "get_robust_list", 312 }, +{ "splice", 313 }, +{ "sync_file_range", 314 }, +{ "tee", 315 }, +{ "vmsplice", 316 }, { "move_pages", 317 }, -{ "mprotect", 125 }, -{ "mpx", 56 }, -{ "mq_getsetattr", 282 }, -{ "mq_notify", 281 }, -{ "mq_open", 277 }, -{ "mq_timedreceive", 280 }, -{ "mq_timedreceive_time64", 419 }, -{ "mq_timedsend", 279 }, -{ "mq_timedsend_time64", 418 }, -{ "mq_unlink", 278 }, -{ "mremap", 163 }, -{ "msgctl", 402 }, -{ "msgget", 399 }, -{ "msgrcv", 401 }, -{ "msgsnd", 400 }, -{ "msync", 144 }, -{ "munlock", 151 }, -{ "munlockall", 153 }, -{ "munmap", 91 }, -{ "name_to_handle_at", 341 }, -{ "nanosleep", 162 }, -{ "nfsservctl", 169 }, -{ "nice", 34 }, -{ "oldfstat", 28 }, -{ "oldlstat", 84 }, -{ "oldolduname", 59 }, -{ "oldstat", 18 }, -{ "olduname", 109 }, -{ "open", 5 }, -{ "open_by_handle_at", 342 }, -{ "open_tree", 428 }, -{ "openat", 295 }, -{ "pause", 29 }, -{ "perf_event_open", 336 }, -{ "personality", 136 }, -{ "pidfd_open", 434 }, -{ "pidfd_send_signal", 424 }, -{ "pipe", 42 }, +{ "getcpu", 318 }, +{ "epoll_pwait", 319 }, +{ "utimensat", 320 }, +{ "signalfd", 321 }, +{ "timerfd_create", 322 }, +{ "eventfd", 323 }, +{ "fallocate", 324 }, +{ "timerfd_settime", 325 }, +{ "timerfd_gettime", 326 }, +{ "signalfd4", 327 }, +{ "eventfd2", 328 }, +{ "epoll_create1", 329 }, +{ "dup3", 330 }, { "pipe2", 331 }, -{ "pivot_root", 217 }, -{ "pkey_alloc", 381 }, -{ "pkey_free", 382 }, -{ "pkey_mprotect", 380 }, -{ "poll", 168 }, -{ "ppoll", 309 }, -{ "ppoll_time64", 414 }, -{ "prctl", 172 }, -{ "pread64", 180 }, +{ "inotify_init1", 332 }, { "preadv", 333 }, -{ "preadv2", 378 }, +{ "pwritev", 334 }, +{ "rt_tgsigqueueinfo", 335 }, +{ "perf_event_open", 336 }, +{ "recvmmsg", 337 }, +{ "fanotify_init", 338 }, +{ "fanotify_mark", 339 }, { "prlimit64", 340 }, +{ "name_to_handle_at", 341 }, +{ "open_by_handle_at", 342 }, +{ "clock_adjtime", 343 }, +{ "syncfs", 344 }, +{ "sendmmsg", 345 }, +{ "setns", 346 }, { "process_vm_readv", 347 }, { "process_vm_writev", 348 }, -{ "prof", 44 }, -{ "profil", 98 }, -{ "pselect6", 308 }, -{ "pselect6_time64", 413 }, -{ "ptrace", 26 }, -{ "putpmsg", 189 }, -{ "pwrite64", 181 }, -{ "pwritev", 334 }, -{ "pwritev2", 379 }, -{ "query_module", 167 }, -{ "quotactl", 131 }, -{ "read", 3 }, -{ "readahead", 225 }, -{ "readdir", 89 }, -{ "readlink", 85 }, -{ "readlinkat", 305 }, -{ "readv", 145 }, -{ "reboot", 88 }, +{ "kcmp", 349 }, +{ "finit_module", 350 }, +{ "sched_setattr", 351 }, +{ "sched_getattr", 352 }, +{ "renameat2", 353 }, +{ "seccomp", 354 }, +{ "getrandom", 355 }, +{ "memfd_create", 356 }, +{ "bpf", 357 }, +{ "execveat", 358 }, +{ "socket", 359 }, +{ "socketpair", 360 }, +{ "bind", 361 }, +{ "connect", 362 }, +{ "listen", 363 }, +{ "accept4", 364 }, +{ "getsockopt", 365 }, +{ "setsockopt", 366 }, +{ "getsockname", 367 }, +{ "getpeername", 368 }, +{ "sendto", 369 }, +{ "sendmsg", 370 }, { "recvfrom", 371 }, -{ "recvmmsg", 337 }, -{ "recvmmsg_time64", 417 }, { "recvmsg", 372 }, -{ "remap_file_pages", 257 }, -{ "removexattr", 235 }, -{ "rename", 38 }, -{ "renameat", 302 }, -{ "renameat2", 353 }, -{ "request_key", 287 }, -{ "restart_syscall", 0 }, -{ "rmdir", 40 }, +{ "shutdown", 373 }, +{ "userfaultfd", 374 }, +{ "membarrier", 375 }, +{ "mlock2", 376 }, +{ "copy_file_range", 377 }, +{ "preadv2", 378 }, +{ "pwritev2", 379 }, +{ "pkey_mprotect", 380 }, +{ "pkey_alloc", 381 }, +{ "pkey_free", 382 }, +{ "statx", 383 }, +{ "arch_prctl", 384 }, +{ "io_pgetevents", 385 }, { "rseq", 386 }, -{ "rt_sigaction", 174 }, -{ "rt_sigpending", 176 }, -{ "rt_sigprocmask", 175 }, -{ "rt_sigqueueinfo", 178 }, -{ "rt_sigreturn", 173 }, -{ "rt_sigsuspend", 179 }, -{ "rt_sigtimedwait", 177 }, -{ "rt_sigtimedwait_time64", 421 }, -{ "rt_tgsigqueueinfo", 335 }, -{ "sched_get_priority_max", 159 }, -{ "sched_get_priority_min", 160 }, -{ "sched_getaffinity", 242 }, -{ "sched_getattr", 352 }, -{ "sched_getparam", 155 }, -{ "sched_getscheduler", 157 }, -{ "sched_rr_get_interval", 161 }, -{ "sched_rr_get_interval_time64", 423 }, -{ "sched_setaffinity", 241 }, -{ "sched_setattr", 351 }, -{ "sched_setparam", 154 }, -{ "sched_setscheduler", 156 }, -{ "sched_yield", 158 }, -{ "seccomp", 354 }, -{ "select", 82 }, -{ "semctl", 394 }, { "semget", 393 }, -{ "semtimedop_time64", 420 }, -{ "sendfile", 187 }, -{ "sendfile64", 239 }, -{ "sendmmsg", 345 }, -{ "sendmsg", 370 }, -{ "sendto", 369 }, -{ "set_mempolicy", 276 }, -{ "set_robust_list", 311 }, -{ "set_thread_area", 243 }, -{ "set_tid_address", 258 }, -{ "setdomainname", 121 }, -{ "setfsgid", 139 }, -{ "setfsgid32", 216 }, -{ "setfsuid", 138 }, -{ "setfsuid32", 215 }, -{ "setgid", 46 }, -{ "setgid32", 214 }, -{ "setgroups", 81 }, -{ "setgroups32", 206 }, -{ "sethostname", 74 }, -{ "setitimer", 104 }, -{ "setns", 346 }, -{ "setpgid", 57 }, -{ "setpriority", 97 }, -{ "setregid", 71 }, -{ "setregid32", 204 }, -{ "setresgid", 170 }, -{ "setresgid32", 210 }, -{ "setresuid", 164 }, -{ "setresuid32", 208 }, -{ "setreuid", 70 }, -{ "setreuid32", 203 }, -{ "setrlimit", 75 }, -{ "setsid", 66 }, -{ "setsockopt", 366 }, -{ "settimeofday", 79 }, -{ "setuid", 23 }, -{ "setuid32", 213 }, -{ "setxattr", 226 }, -{ "sgetmask", 68 }, -{ "shmat", 397 }, +{ "semctl", 394 }, +{ "shmget", 395 }, { "shmctl", 396 }, +{ "shmat", 397 }, { "shmdt", 398 }, -{ "shmget", 395 }, -{ "shutdown", 373 }, -{ "sigaction", 67 }, -{ "sigaltstack", 186 }, -{ "signal", 48 }, -{ "signalfd", 321 }, -{ "signalfd4", 327 }, -{ "sigpending", 73 }, -{ "sigprocmask", 126 }, -{ "sigreturn", 119 }, -{ "sigsuspend", 72 }, -{ "socket", 359 }, -{ "socketcall", 102 }, -{ "socketpair", 360 }, -{ "splice", 313 }, -{ "ssetmask", 69 }, -{ "stat", 106 }, -{ "stat64", 195 }, -{ "statfs", 99 }, -{ "statfs64", 268 }, -{ "statx", 383 }, -{ "stime", 25 }, -{ "stty", 31 }, -{ "swapoff", 115 }, -{ "swapon", 87 }, -{ "symlink", 83 }, -{ "symlinkat", 304 }, -{ "sync", 36 }, -{ "sync_file_range", 314 }, -{ "syncfs", 344 }, -{ "sysfs", 135 }, -{ "sysinfo", 116 }, -{ "syslog", 103 }, -{ "tee", 315 }, -{ "tgkill", 270 }, -{ "time", 13 }, -{ "timer_create", 259 }, -{ "timer_delete", 263 }, -{ "timer_getoverrun", 262 }, -{ "timer_gettime", 261 }, +{ "msgget", 399 }, +{ "msgsnd", 400 }, +{ "msgrcv", 401 }, +{ "msgctl", 402 }, +{ "clock_gettime64", 403 }, +{ "clock_settime64", 404 }, +{ "clock_adjtime64", 405 }, +{ "clock_getres_time64", 406 }, +{ "clock_nanosleep_time64", 407 }, { "timer_gettime64", 408 }, -{ "timer_settime", 260 }, { "timer_settime64", 409 }, -{ "timerfd_create", 322 }, -{ "timerfd_gettime", 326 }, { "timerfd_gettime64", 410 }, -{ "timerfd_settime", 325 }, { "timerfd_settime64", 411 }, -{ "times", 43 }, -{ "tkill", 238 }, -{ "truncate", 92 }, -{ "truncate64", 193 }, -{ "ugetrlimit", 191 }, -{ "ulimit", 58 }, -{ "umask", 60 }, -{ "umount", 22 }, -{ "umount2", 52 }, -{ "uname", 122 }, -{ "unlink", 10 }, -{ "unlinkat", 301 }, -{ "unshare", 310 }, -{ "uselib", 86 }, -{ "userfaultfd", 374 }, -{ "ustat", 62 }, -{ "utime", 30 }, -{ "utimensat", 320 }, { "utimensat_time64", 412 }, -{ "utimes", 271 }, -{ "vfork", 190 }, -{ "vhangup", 111 }, -{ "vm86", 166 }, -{ "vm86old", 113 }, -{ "vmsplice", 316 }, -{ "vserver", 273 }, -{ "wait4", 114 }, -{ "waitid", 284 }, -{ "waitpid", 7 }, -{ "write", 4 }, -{ "writev", 146 }, +{ "pselect6_time64", 413 }, +{ "ppoll_time64", 414 }, +{ "io_pgetevents_time64", 416 }, +{ "recvmmsg_time64", 417 }, +{ "mq_timedsend_time64", 418 }, +{ "mq_timedreceive_time64", 419 }, +{ "semtimedop_time64", 420 }, +{ "rt_sigtimedwait_time64", 421 }, +{ "futex_time64", 422 }, +{ "sched_rr_get_interval_time64", 423 }, +{ "pidfd_send_signal", 424 }, +{ "io_uring_setup", 425 }, +{ "io_uring_enter", 426 }, +{ "io_uring_register", 427 }, +{ "open_tree", 428 }, +{ "move_mount", 429 }, +{ "fsopen", 430 }, +{ "fsconfig", 431 }, +{ "fsmount", 432 }, +{ "fspick", 433 }, +{ "pidfd_open", 434 }, +{ "clone3", 435 }, +{ "close_range", 436 }, +{ "openat2", 437 }, +{ "pidfd_getfd", 438 }, +{ "faccessat2", 439 }, +{ "process_madvise", 440 },
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/include/syscall_x86_64.h ^
@@ -1,348 +1,352 @@ -{ "_sysctl", 156 }, -{ "accept", 43 }, -{ "accept4", 288 }, +{ "read", 0 }, +{ "write", 1 }, +{ "open", 2 }, +{ "close", 3 }, +{ "stat", 4 }, +{ "fstat", 5 }, +{ "lstat", 6 }, +{ "poll", 7 }, +{ "lseek", 8 }, +{ "mmap", 9 }, +{ "mprotect", 10 }, +{ "munmap", 11 }, +{ "brk", 12 }, +{ "rt_sigaction", 13 }, +{ "rt_sigprocmask", 14 }, +{ "rt_sigreturn", 15 }, +{ "ioctl", 16 }, +{ "pread64", 17 }, +{ "pwrite64", 18 }, +{ "readv", 19 }, +{ "writev", 20 }, { "access", 21 }, -{ "acct", 163 }, -{ "add_key", 248 }, -{ "adjtimex", 159 }, -{ "afs_syscall", 183 }, +{ "pipe", 22 }, +{ "select", 23 }, +{ "sched_yield", 24 }, +{ "mremap", 25 }, +{ "msync", 26 }, +{ "mincore", 27 }, +{ "madvise", 28 }, +{ "shmget", 29 }, +{ "shmat", 30 }, +{ "shmctl", 31 }, +{ "dup", 32 }, +{ "dup2", 33 }, +{ "pause", 34 }, +{ "nanosleep", 35 }, +{ "getitimer", 36 }, { "alarm", 37 }, -{ "arch_prctl", 158 }, +{ "setitimer", 38 }, +{ "getpid", 39 }, +{ "sendfile", 40 }, +{ "socket", 41 }, +{ "connect", 42 }, +{ "accept", 43 }, +{ "sendto", 44 }, +{ "recvfrom", 45 }, +{ "sendmsg", 46 }, +{ "recvmsg", 47 }, +{ "shutdown", 48 }, { "bind", 49 }, -{ "bpf", 321 }, -{ "brk", 12 }, -{ "capget", 125 }, -{ "capset", 126 }, -{ "chdir", 80 }, -{ "chmod", 90 }, -{ "chown", 92 }, -{ "chroot", 161 }, -{ "clock_adjtime", 305 }, -{ "clock_getres", 229 }, -{ "clock_gettime", 228 }, -{ "clock_nanosleep", 230 }, -{ "clock_settime", 227 }, +{ "listen", 50 }, +{ "getsockname", 51 }, +{ "getpeername", 52 }, +{ "socketpair", 53 }, +{ "setsockopt", 54 }, +{ "getsockopt", 55 }, { "clone", 56 }, -{ "clone3", 435 }, -{ "close", 3 }, -{ "connect", 42 }, -{ "copy_file_range", 326 }, -{ "creat", 85 }, -{ "create_module", 174 }, -{ "delete_module", 176 }, -{ "dup", 32 }, -{ "dup2", 33 }, -{ "dup3", 292 }, -{ "epoll_create", 213 }, -{ "epoll_create1", 291 }, -{ "epoll_ctl", 233 }, -{ "epoll_ctl_old", 214 }, -{ "epoll_pwait", 281 }, -{ "epoll_wait", 232 }, -{ "epoll_wait_old", 215 }, -{ "eventfd", 284 }, -{ "eventfd2", 290 }, +{ "fork", 57 }, +{ "vfork", 58 }, { "execve", 59 }, -{ "execveat", 322 }, { "exit", 60 }, -{ "exit_group", 231 }, -{ "faccessat", 269 }, -{ "faccessat2", 439 }, -{ "fadvise64", 221 }, -{ "fallocate", 285 }, -{ "fanotify_init", 300 }, -{ "fanotify_mark", 301 }, -{ "fchdir", 81 }, -{ "fchmod", 91 }, -{ "fchmodat", 268 }, -{ "fchown", 93 }, -{ "fchownat", 260 }, +{ "wait4", 61 }, +{ "kill", 62 }, +{ "uname", 63 }, +{ "semget", 64 }, +{ "semop", 65 }, +{ "semctl", 66 }, +{ "shmdt", 67 }, +{ "msgget", 68 }, +{ "msgsnd", 69 }, +{ "msgrcv", 70 }, +{ "msgctl", 71 }, { "fcntl", 72 }, -{ "fdatasync", 75 }, -{ "fgetxattr", 193 }, -{ "finit_module", 313 }, -{ "flistxattr", 196 }, { "flock", 73 }, -{ "fork", 57 }, -{ "fremovexattr", 199 }, -{ "fsconfig", 431 }, -{ "fsetxattr", 190 }, -{ "fsmount", 432 }, -{ "fsopen", 430 }, -{ "fspick", 433 }, -{ "fstat", 5 }, -{ "fstatfs", 138 }, { "fsync", 74 }, +{ "fdatasync", 75 }, +{ "truncate", 76 }, { "ftruncate", 77 }, -{ "futex", 202 }, -{ "futimesat", 261 }, -{ "get_kernel_syms", 177 }, -{ "get_mempolicy", 239 }, -{ "get_robust_list", 274 }, -{ "get_thread_area", 211 }, -{ "getcpu", 309 }, -{ "getcwd", 79 }, { "getdents", 78 }, -{ "getdents64", 217 }, -{ "getegid", 108 }, -{ "geteuid", 107 }, +{ "getcwd", 79 }, +{ "chdir", 80 }, +{ "fchdir", 81 }, +{ "rename", 82 }, +{ "mkdir", 83 }, +{ "rmdir", 84 }, +{ "creat", 85 }, +{ "link", 86 }, +{ "unlink", 87 }, +{ "symlink", 88 }, +{ "readlink", 89 }, +{ "chmod", 90 }, +{ "fchmod", 91 }, +{ "chown", 92 }, +{ "fchown", 93 }, +{ "lchown", 94 }, +{ "umask", 95 }, +{ "gettimeofday", 96 }, +{ "getrlimit", 97 }, +{ "getrusage", 98 }, +{ "sysinfo", 99 }, +{ "times", 100 }, +{ "ptrace", 101 }, +{ "getuid", 102 }, +{ "syslog", 103 }, { "getgid", 104 }, -{ "getgroups", 115 }, -{ "getitimer", 36 }, -{ "getpeername", 52 }, -{ "getpgid", 121 }, -{ "getpgrp", 111 }, -{ "getpid", 39 }, -{ "getpmsg", 181 }, +{ "setuid", 105 }, +{ "setgid", 106 }, +{ "geteuid", 107 }, +{ "getegid", 108 }, +{ "setpgid", 109 }, { "getppid", 110 }, -{ "getpriority", 140 }, -{ "getrandom", 318 }, -{ "getresgid", 120 }, +{ "getpgrp", 111 }, +{ "setsid", 112 }, +{ "setreuid", 113 }, +{ "setregid", 114 }, +{ "getgroups", 115 }, +{ "setgroups", 116 }, +{ "setresuid", 117 }, { "getresuid", 118 }, -{ "getrlimit", 97 }, -{ "getrusage", 98 }, +{ "setresgid", 119 }, +{ "getresgid", 120 }, +{ "getpgid", 121 }, +{ "setfsuid", 122 }, +{ "setfsgid", 123 }, { "getsid", 124 }, -{ "getsockname", 51 }, -{ "getsockopt", 55 }, -{ "gettid", 186 }, -{ "gettimeofday", 96 }, -{ "getuid", 102 }, -{ "getxattr", 191 }, -{ "init_module", 175 }, -{ "inotify_add_watch", 254 }, -{ "inotify_init", 253 }, -{ "inotify_init1", 294 }, -{ "inotify_rm_watch", 255 }, -{ "io_cancel", 210 }, -{ "io_destroy", 207 }, -{ "io_getevents", 208 }, -{ "io_pgetevents", 333 }, -{ "io_setup", 206 }, -{ "io_submit", 209 }, -{ "io_uring_enter", 426 }, -{ "io_uring_register", 427 }, -{ "io_uring_setup", 425 }, -{ "ioctl", 16 }, -{ "ioperm", 173 }, -{ "iopl", 172 }, -{ "ioprio_get", 252 }, -{ "ioprio_set", 251 }, -{ "kcmp", 312 }, -{ "kexec_file_load", 320 }, -{ "kexec_load", 246 }, -{ "keyctl", 250 }, -{ "kill", 62 }, -{ "lchown", 94 }, -{ "lgetxattr", 192 }, -{ "link", 86 }, -{ "linkat", 265 }, -{ "listen", 50 }, -{ "listxattr", 194 }, -{ "llistxattr", 195 }, -{ "lookup_dcookie", 212 }, -{ "lremovexattr", 198 }, -{ "lseek", 8 }, -{ "lsetxattr", 189 }, -{ "lstat", 6 }, -{ "madvise", 28 }, -{ "mbind", 237 }, -{ "membarrier", 324 }, -{ "memfd_create", 319 }, -{ "migrate_pages", 256 }, -{ "mincore", 27 }, -{ "mkdir", 83 }, -{ "mkdirat", 258 }, +{ "capget", 125 }, +{ "capset", 126 }, +{ "rt_sigpending", 127 }, +{ "rt_sigtimedwait", 128 }, +{ "rt_sigqueueinfo", 129 }, +{ "rt_sigsuspend", 130 }, +{ "sigaltstack", 131 }, +{ "utime", 132 }, { "mknod", 133 }, -{ "mknodat", 259 }, +{ "uselib", 134 }, +{ "personality", 135 }, +{ "ustat", 136 }, +{ "statfs", 137 }, +{ "fstatfs", 138 }, +{ "sysfs", 139 }, +{ "getpriority", 140 }, +{ "setpriority", 141 }, +{ "sched_setparam", 142 }, +{ "sched_getparam", 143 }, +{ "sched_setscheduler", 144 }, +{ "sched_getscheduler", 145 }, +{ "sched_get_priority_max", 146 }, +{ "sched_get_priority_min", 147 }, +{ "sched_rr_get_interval", 148 }, { "mlock", 149 }, -{ "mlock2", 325 }, -{ "mlockall", 151 }, -{ "mmap", 9 }, -{ "modify_ldt", 154 }, -{ "mount", 165 }, -{ "move_mount", 429 }, -{ "move_pages", 279 }, -{ "mprotect", 10 }, -{ "mq_getsetattr", 245 }, -{ "mq_notify", 244 }, -{ "mq_open", 240 }, -{ "mq_timedreceive", 243 }, -{ "mq_timedsend", 242 }, -{ "mq_unlink", 241 }, -{ "mremap", 25 }, -{ "msgctl", 71 }, -{ "msgget", 68 }, -{ "msgrcv", 70 }, -{ "msgsnd", 69 }, -{ "msync", 26 }, { "munlock", 150 }, +{ "mlockall", 151 }, { "munlockall", 152 }, -{ "munmap", 11 }, -{ "name_to_handle_at", 303 }, -{ "nanosleep", 35 }, -{ "newfstatat", 262 }, -{ "nfsservctl", 180 }, -{ "open", 2 }, -{ "open_by_handle_at", 304 }, -{ "open_tree", 428 }, -{ "openat", 257 }, -{ "pause", 34 }, -{ "perf_event_open", 298 }, -{ "personality", 135 }, -{ "pidfd_open", 434 }, -{ "pidfd_send_signal", 424 }, -{ "pipe", 22 }, -{ "pipe2", 293 }, +{ "vhangup", 153 }, +{ "modify_ldt", 154 }, { "pivot_root", 155 }, -{ "pkey_alloc", 330 }, -{ "pkey_free", 331 }, -{ "pkey_mprotect", 329 }, -{ "poll", 7 }, -{ "ppoll", 271 }, +{ "_sysctl", 156 }, { "prctl", 157 }, -{ "pread64", 17 }, -{ "preadv", 295 }, -{ "preadv2", 327 }, -{ "prlimit64", 302 }, -{ "process_vm_readv", 310 }, -{ "process_vm_writev", 311 }, -{ "pselect6", 270 }, -{ "ptrace", 101 }, -{ "putpmsg", 182 }, -{ "pwrite64", 18 }, -{ "pwritev", 296 }, -{ "pwritev2", 328 }, +{ "arch_prctl", 158 }, +{ "adjtimex", 159 }, +{ "setrlimit", 160 }, +{ "chroot", 161 }, +{ "sync", 162 }, +{ "acct", 163 }, +{ "settimeofday", 164 }, +{ "mount", 165 }, +{ "umount2", 166 }, +{ "swapon", 167 }, +{ "swapoff", 168 }, +{ "reboot", 169 }, +{ "sethostname", 170 }, +{ "setdomainname", 171 }, +{ "iopl", 172 }, +{ "ioperm", 173 }, +{ "create_module", 174 }, +{ "init_module", 175 }, +{ "delete_module", 176 }, +{ "get_kernel_syms", 177 }, { "query_module", 178 }, { "quotactl", 179 }, -{ "read", 0 }, +{ "nfsservctl", 180 }, +{ "getpmsg", 181 }, +{ "putpmsg", 182 }, +{ "afs_syscall", 183 }, +{ "tuxcall", 184 }, +{ "security", 185 }, +{ "gettid", 186 }, { "readahead", 187 }, -{ "readlink", 89 }, -{ "readlinkat", 267 }, -{ "readv", 19 }, -{ "reboot", 169 }, -{ "recvfrom", 45 }, -{ "recvmmsg", 299 }, -{ "recvmsg", 47 }, -{ "remap_file_pages", 216 }, +{ "setxattr", 188 }, +{ "lsetxattr", 189 }, +{ "fsetxattr", 190 }, +{ "getxattr", 191 }, +{ "lgetxattr", 192 }, +{ "fgetxattr", 193 }, +{ "listxattr", 194 }, +{ "llistxattr", 195 }, +{ "flistxattr", 196 }, { "removexattr", 197 }, -{ "rename", 82 }, -{ "renameat", 264 }, -{ "renameat2", 316 }, -{ "request_key", 249 }, -{ "restart_syscall", 219 }, -{ "rmdir", 84 }, -{ "rseq", 334 }, -{ "rt_sigaction", 13 }, -{ "rt_sigpending", 127 }, -{ "rt_sigprocmask", 14 }, -{ "rt_sigqueueinfo", 129 }, -{ "rt_sigreturn", 15 }, -{ "rt_sigsuspend", 130 }, -{ "rt_sigtimedwait", 128 }, -{ "rt_tgsigqueueinfo", 297 }, -{ "sched_get_priority_max", 146 }, -{ "sched_get_priority_min", 147 }, -{ "sched_getaffinity", 204 }, -{ "sched_getattr", 315 }, -{ "sched_getparam", 143 }, -{ "sched_getscheduler", 145 }, -{ "sched_rr_get_interval", 148 }, +{ "lremovexattr", 198 }, +{ "fremovexattr", 199 }, +{ "tkill", 200 }, +{ "time", 201 }, +{ "futex", 202 }, { "sched_setaffinity", 203 }, -{ "sched_setattr", 314 }, -{ "sched_setparam", 142 }, -{ "sched_setscheduler", 144 }, -{ "sched_yield", 24 }, -{ "seccomp", 317 }, -{ "security", 185 }, -{ "select", 23 }, -{ "semctl", 66 }, -{ "semget", 64 }, -{ "semop", 65 }, +{ "sched_getaffinity", 204 }, +{ "set_thread_area", 205 }, +{ "io_setup", 206 }, +{ "io_destroy", 207 }, +{ "io_getevents", 208 }, +{ "io_submit", 209 }, +{ "io_cancel", 210 }, +{ "get_thread_area", 211 }, +{ "lookup_dcookie", 212 }, +{ "epoll_create", 213 }, +{ "epoll_ctl_old", 214 }, +{ "epoll_wait_old", 215 }, +{ "remap_file_pages", 216 }, +{ "getdents64", 217 }, +{ "set_tid_address", 218 }, +{ "restart_syscall", 219 }, { "semtimedop", 220 }, -{ "sendfile", 40 }, -{ "sendmmsg", 307 }, -{ "sendmsg", 46 }, -{ "sendto", 44 }, +{ "fadvise64", 221 }, +{ "timer_create", 222 }, +{ "timer_settime", 223 }, +{ "timer_gettime", 224 }, +{ "timer_getoverrun", 225 }, +{ "timer_delete", 226 }, +{ "clock_settime", 227 }, +{ "clock_gettime", 228 }, +{ "clock_getres", 229 }, +{ "clock_nanosleep", 230 }, +{ "exit_group", 231 }, +{ "epoll_wait", 232 }, +{ "epoll_ctl", 233 }, +{ "tgkill", 234 }, +{ "utimes", 235 }, +{ "vserver", 236 }, +{ "mbind", 237 }, { "set_mempolicy", 238 }, +{ "get_mempolicy", 239 }, +{ "mq_open", 240 }, +{ "mq_unlink", 241 }, +{ "mq_timedsend", 242 }, +{ "mq_timedreceive", 243 }, +{ "mq_notify", 244 }, +{ "mq_getsetattr", 245 }, +{ "kexec_load", 246 }, +{ "waitid", 247 }, +{ "add_key", 248 }, +{ "request_key", 249 }, +{ "keyctl", 250 }, +{ "ioprio_set", 251 }, +{ "ioprio_get", 252 }, +{ "inotify_init", 253 }, +{ "inotify_add_watch", 254 }, +{ "inotify_rm_watch", 255 }, +{ "migrate_pages", 256 }, +{ "openat", 257 }, +{ "mkdirat", 258 }, +{ "mknodat", 259 }, +{ "fchownat", 260 }, +{ "futimesat", 261 }, +{ "newfstatat", 262 }, +{ "unlinkat", 263 }, +{ "renameat", 264 }, +{ "linkat", 265 }, +{ "symlinkat", 266 }, +{ "readlinkat", 267 }, +{ "fchmodat", 268 }, +{ "faccessat", 269 }, +{ "pselect6", 270 }, +{ "ppoll", 271 }, +{ "unshare", 272 }, { "set_robust_list", 273 }, -{ "set_thread_area", 205 }, -{ "set_tid_address", 218 }, -{ "setdomainname", 171 }, -{ "setfsgid", 123 }, -{ "setfsuid", 122 }, -{ "setgid", 106 }, -{ "setgroups", 116 }, -{ "sethostname", 170 }, -{ "setitimer", 38 }, -{ "setns", 308 }, -{ "setpgid", 109 }, -{ "setpriority", 141 }, -{ "setregid", 114 }, -{ "setresgid", 119 }, -{ "setresuid", 117 }, -{ "setreuid", 113 }, -{ "setrlimit", 160 }, -{ "setsid", 112 }, -{ "setsockopt", 54 }, -{ "settimeofday", 164 }, -{ "setuid", 105 }, -{ "setxattr", 188 }, -{ "shmat", 30 }, -{ "shmctl", 31 }, -{ "shmdt", 67 }, -{ "shmget", 29 }, -{ "shutdown", 48 }, -{ "sigaltstack", 131 }, -{ "signalfd", 282 }, -{ "signalfd4", 289 }, -{ "socket", 41 }, -{ "socketpair", 53 }, +{ "get_robust_list", 274 }, { "splice", 275 }, -{ "stat", 4 }, -{ "statfs", 137 }, -{ "statx", 332 }, -{ "swapoff", 168 }, -{ "swapon", 167 }, -{ "symlink", 88 }, -{ "symlinkat", 266 }, -{ "sync", 162 }, -{ "sync_file_range", 277 }, -{ "syncfs", 306 }, -{ "sysfs", 139 }, -{ "sysinfo", 99 }, -{ "syslog", 103 }, { "tee", 276 }, -{ "tgkill", 234 }, -{ "time", 201 }, -{ "timer_create", 222 }, -{ "timer_delete", 226 }, -{ "timer_getoverrun", 225 }, -{ "timer_gettime", 224 }, -{ "timer_settime", 223 }, +{ "sync_file_range", 277 }, +{ "vmsplice", 278 }, +{ "move_pages", 279 }, +{ "utimensat", 280 }, +{ "epoll_pwait", 281 }, +{ "signalfd", 282 }, { "timerfd_create", 283 }, -{ "timerfd_gettime", 287 }, +{ "eventfd", 284 }, +{ "fallocate", 285 }, { "timerfd_settime", 286 }, -{ "times", 100 }, -{ "tkill", 200 }, -{ "truncate", 76 }, -{ "tuxcall", 184 }, -{ "umask", 95 }, -{ "umount2", 166 }, -{ "uname", 63 }, -{ "unlink", 87 }, -{ "unlinkat", 263 }, -{ "unshare", 272 }, -{ "uselib", 134 }, +{ "timerfd_gettime", 287 }, +{ "accept4", 288 }, +{ "signalfd4", 289 }, +{ "eventfd2", 290 }, +{ "epoll_create1", 291 }, +{ "dup3", 292 }, +{ "pipe2", 293 }, +{ "inotify_init1", 294 }, +{ "preadv", 295 }, +{ "pwritev", 296 }, +{ "rt_tgsigqueueinfo", 297 }, +{ "perf_event_open", 298 }, +{ "recvmmsg", 299 }, +{ "fanotify_init", 300 }, +{ "fanotify_mark", 301 }, +{ "prlimit64", 302 }, +{ "name_to_handle_at", 303 }, +{ "open_by_handle_at", 304 }, +{ "clock_adjtime", 305 }, +{ "syncfs", 306 }, +{ "sendmmsg", 307 }, +{ "setns", 308 }, +{ "getcpu", 309 }, +{ "process_vm_readv", 310 }, +{ "process_vm_writev", 311 }, +{ "kcmp", 312 }, +{ "finit_module", 313 }, +{ "sched_setattr", 314 }, +{ "sched_getattr", 315 }, +{ "renameat2", 316 }, +{ "seccomp", 317 }, +{ "getrandom", 318 }, +{ "memfd_create", 319 }, +{ "kexec_file_load", 320 }, +{ "bpf", 321 }, +{ "execveat", 322 }, { "userfaultfd", 323 }, -{ "ustat", 136 }, -{ "utime", 132 }, -{ "utimensat", 280 }, -{ "utimes", 235 }, -{ "vfork", 58 }, -{ "vhangup", 153 }, -{ "vmsplice", 278 }, -{ "vserver", 236 }, -{ "wait4", 61 }, -{ "waitid", 247 }, -{ "write", 1 }, -{ "writev", 20 }, +{ "membarrier", 324 }, +{ "mlock2", 325 }, +{ "copy_file_range", 326 }, +{ "preadv2", 327 }, +{ "pwritev2", 328 }, +{ "pkey_mprotect", 329 }, +{ "pkey_alloc", 330 }, +{ "pkey_free", 331 }, +{ "statx", 332 }, +{ "io_pgetevents", 333 }, +{ "rseq", 334 }, +{ "pidfd_send_signal", 424 }, +{ "io_uring_setup", 425 }, +{ "io_uring_enter", 426 }, +{ "io_uring_register", 427 }, +{ "open_tree", 428 }, +{ "move_mount", 429 }, +{ "fsopen", 430 }, +{ "fsconfig", 431 }, +{ "fsmount", 432 }, +{ "fspick", 433 }, +{ "pidfd_open", 434 }, +{ "clone3", 435 }, +{ "close_range", 436 }, +{ "openat2", 437 }, +{ "pidfd_getfd", 438 }, +{ "faccessat2", 439 }, +{ "process_madvise", 440 },
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/Makefile ^
@@ -0,0 +1,10 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = jailcheck +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h ../include/pid.h +MOD_OBJS = ../lib/common.o ../lib/pid.o + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/access.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/apparmor.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/jailcheck.h ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -61,4 +61,4 @@ int find_child(pid_t pid); pid_t switch_to_child(pid_t pid); -#endif \ No newline at end of file +#endif
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/network.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -40,6 +40,7 @@ for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { if (strcmp(ifa->ifa_name, "lo") == 0) continue; + found = 1; break; }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/noexec.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -110,4 +110,4 @@ wait(&status); int rv = unlink(fname); (void) rv; -} \ No newline at end of file +}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/seccomp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/sysfiles.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/utils.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/jailcheck/virtual.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/Makefile ^
@@ -0,0 +1,9 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +TARGET = lib + +include $(ROOT)/src/prog.mk + +.PHONY: lib +lib: $(OBJS)
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/common.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -22,7 +22,6 @@ #include <sys/types.h> #include <sys/stat.h> #include <sys/wait.h> -#include <fcntl.h> #include <sys/syscall.h> #include <errno.h> #include <unistd.h> @@ -31,32 +30,95 @@ #include <dirent.h> #include <string.h> #include <time.h> +#include <limits.h> +#include <sched.h> #include "../include/common.h" + +#include <fcntl.h> +#ifndef O_PATH +#define O_PATH 010000000 +#endif + +#include <sys/ioctl.h> +#ifndef NSIO +#define NSIO 0xb7 +#endif +#ifndef NS_GET_USERNS +#define NS_GET_USERNS _IO(NSIO, 0x1) +#endif + #define BUFLEN 4096 -int join_namespace(pid_t pid, char type) { + +int join_namespace_by_fd(int dirfd, char typestr) { + int type; + if (strcmp(typestr, "net") == 0) + type = CLONE_NEWNET; + else if (strcmp(typestr, "mnt") == 0) + type = CLONE_NEWNS; + else if (strcmp(typestr, "ipc") == 0) + type = CLONE_NEWIPC; + else if (strcmp(typestr, "pid") == 0) + type = CLONE_NEWPID; + else if (strcmp(typestr, "uts") == 0) + type = CLONE_NEWUTS; + else if (strcmp(typestr, "user") == 0) + type = CLONE_NEWUSER; + else + assert(0); + char path; - if (asprintf(&path, "/proc/%u/ns/%s", pid, type) == -1) + if (asprintf(&path, "ns/%s", typestr) == -1) errExit("asprintf"); - int fd = open(path, O_RDONLY); + int fd = openat(dirfd, path, O_RDONLY\|O_CLOEXEC); + free(path); if (fd < 0) goto errout; - if (syscall(__NR_setns, fd, 0) < 0) { + // require that target namespace is owned by + // the current user namespace (Linux >= 4.9) + struct stat self_userns; + if (stat("/proc/self/ns/user", &self_userns) == 0) { + int usernsfd = ioctl(fd, NS_GET_USERNS); + if (usernsfd != -1) { + struct stat dest_userns; + if (fstat(usernsfd, &dest_userns) < 0) + errExit("fstat"); + close(usernsfd); + if (dest_userns.st_ino != self_userns.st_ino \|\| + dest_userns.st_dev != self_userns.st_dev) { + close(fd); + goto errout; + } + } + } + + if (syscall(__NR_setns, fd, type) < 0) { close(fd); goto errout; } close(fd); - free(path); return 0; errout: - free(path); - fprintf(stderr, "Error: cannot join namespace %s\n", type); + fprintf(stderr, "Error: cannot join namespace %s\n", typestr); return -1; +} + +int join_namespace(pid_t pid, char typestr) { + char path[64]; + snprintf(path, sizeof(path), "/proc/%d", pid); + int fd = open(path, O_PATH\|O_CLOEXEC); + if (fd < 0) { + fprintf(stderr, "Error: cannot open %s: %s\n", path, strerror(errno)); + exit(1); + } + int rv = join_namespace_by_fd(fd, typestr); + close(fd); + return rv; } // return 1 if error @@ -320,6 +382,115 @@ return last_slash+1; } +char do_replace_cntrl_chars(char str, char c) { + if (str) { + size_t i; + for (i = 0; str[i]; i++) { + if (iscntrl((unsigned char) str[i])) + str[i] = c; + } + } + return str; +} + +char replace_cntrl_chars(const char str, char c) { + assert(str); + + char rv = strdup(str); + if (!rv) + errExit("strdup"); + + do_replace_cntrl_chars(rv, c); + return rv; +} + +int has_cntrl_chars(const char str) { + assert(str); + + size_t i; + for (i = 0; str[i]; i++) { + if (iscntrl((unsigned char) str[i])) + return 1; + } + return 0; +} + +void reject_cntrl_chars(const char fname) { + assert(fname); + + if (has_cntrl_chars(fname)) { + char fname_print = replace_cntrl_chars(fname, '?'); + + fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters are allowed\n", fname_print); + exit(1); + } +} + +void reject_meta_chars(const char fname, int globbing) { + assert(fname); + + reject_cntrl_chars(fname); + + const char reject = "\\&!?\"<>%^{};,[]"; + if (globbing) + reject = "\\&!\"<>%^{};,"; // file globbing ('?[]') is allowed + + const char c = strpbrk(fname, reject); + if (c) { + fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, c); + exit(1); + } +} + +// takes string with comma separated int values, returns int array +int str_to_int_array(const char str, size_t sz) { + assert(str && sz); + + size_t curr_sz = 0; + size_t arr_sz = 16; + int rv = malloc(arr_sz * sizeof(int)); + if (!rv) + errExit("malloc"); + + char dup = strdup(str); + if (!dup) + errExit("strdup"); + char tok = strtok(dup, ","); + if (!tok) { + free(dup); + free(rv); + goto errout; + } + + while (tok) { + char end; + long val = strtol(tok, &end, 10); + if (end == tok \|\| end != '\0' \|\| val < INT_MIN \|\| val > INT_MAX) { + free(dup); + free(rv); + goto errout; + } + + if (curr_sz == arr_sz) { + arr_sz = 2; + rv = realloc(rv, arr_sz sizeof(int)); + if (!rv) + errExit("realloc"); + } + rv[curr_sz++] = val; + + tok = strtok(NULL, ","); + } + free(dup); + + sz = curr_sz; + return rv; + +errout: + sz = 0; + return NULL; +} + //************************ // time trace based on getticks function //************************
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/errno.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -31,7 +31,7 @@ static ErrnoEntry errnolist[] = { // -// code generated using tools/extract-errnos +// code generated using ../tools/extract_errnos.sh // {"EPERM", EPERM}, {"ENOENT", ENOENT},
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/firejail_user.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/ldd_utils.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -47,7 +47,7 @@ if (fd < 0) return 0; - unsigned char buf[EI_NIDENT]; + unsigned char buf[EI_NIDENT] = {0}; ssize_t len = 0; while (len < EI_NIDENT) { ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/pid.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -30,7 +30,7 @@ #define PIDS_BUFLEN 4096 //Process pids[max_pids]; Process pids = NULL; -int max_pids=32769; +int max_pids=32769; // recalculated for every read_pid() call // get the memory associated with this pid void pid_getmem(unsigned pid, unsigned rss, unsigned shared) { @@ -74,8 +74,14 @@ if (fgets(line, PIDS_BUFLEN - 1, fp)) { char ptr = line; // jump 13 fields + + // end of comm string + ptr = strchr(ptr, ')'); + if (ptr == NULL) + goto myexit; + int i; - for (i = 0; i < 13; i++) { + for (i = 0; i < 11; i++) { while (ptr != ' ' && ptr != '\t' && ptr != '\0') ptr++; if (ptr == '\0') @@ -273,51 +279,27 @@ print_elem(index, nowrap); } -// recursivity!!! -void pid_store_cpu(unsigned index, unsigned parent, unsigned utime, unsigned stime) { - if (pids[index].level == 1) { - utime = 0; - stime = 0; - } - - // Remove unused parameter warning - (void)parent; - - unsigned utmp = 0; - unsigned stmp = 0; - pid_get_cpu_time(index, &utmp, &stmp); - utime += utmp; - stime += stmp; - - unsigned i; - for (i = index + 1; i < (unsigned)max_pids; i++) { - if (pids[i].parent == (pid_t)index) - pid_store_cpu(i, index, utime, stime); - } - - if (pids[index].level == 1) { - pids[index].utime = utime; - pids[index].stime = stime; - } -} - // mon_pid: pid of sandbox to be monitored, 0 if all sandboxes are included void pid_read(pid_t mon_pid) { - if (pids == NULL) { - FILE fp = fopen("/proc/sys/kernel/pid_max", "r"); - if (fp) { - int val; - if (fscanf(fp, "%d", &val) == 1) { - if (val >= max_pids) - max_pids = val + 1; - } - fclose(fp); + unsigned old_max_pids = max_pids; + FILE fp = fopen("/proc/sys/kernel/pid_max", "r"); + if (fp) { + int val; + if (fscanf(fp, "%d", &val) == 1) { + if (val >= max_pids) + max_pids = val + 1; } + fclose(fp); + } + + if (pids == NULL) { + old_max_pids = max_pids; pids = malloc(sizeof(Process) * max_pids); if (pids == NULL) errExit("malloc"); } - memset(pids, 0, sizeof(Process) * max_pids); + + memset(pids, 0, sizeof(Process) * old_max_pids); pid_t mypid = getpid(); DIR dir; @@ -332,9 +314,12 @@ struct dirent entry; char end; + pid_t new_max_pids = 0; while ((entry = readdir(dir))) { pid_t pid = strtol(entry->d_name, &end, 10); pid %= max_pids; + if (pid > new_max_pids) + new_max_pids = pid; if (end == entry->d_name \|\| end) continue; if (pid == mypid) @@ -418,6 +403,9 @@ } closedir(dir); + // update max_pid + max_pids = new_max_pids + 1; + pid_t pid; for (pid = 0; pid < max_pids; pid++) { int parent = pids[pid].parent;
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/lib/syscall.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -92,7 +92,16 @@ "io_setup," #endif #ifdef SYS_io_submit - "io_submit" + "io_submit," +#endif +#ifdef SYS_io_uring_enter + "io_uring_enter," +#endif +#ifdef SYS_io_uring_register + "io_uring_register," +#endif +#ifdef SYS_io_uring_setup + "io_uring_setup" #endif }, { .name = "@basic-io", .list = @@ -102,6 +111,9 @@ #ifdef SYS_close "close," #endif +#ifdef SYS_close_range + "close_range," +#endif #ifdef SYS_dup "dup," #endif @@ -212,6 +224,9 @@ #ifdef SYS_perf_event_open "perf_event_open," #endif +#ifdef SYS_pidfd_getfd + "pidfd_getfd," +#endif #ifdef SYS_process_vm_writev "process_vm_writev," #endif @@ -290,7 +305,7 @@ "remap_file_pages," #endif #ifdef SYS_set_mempolicy - "set_mempolicy" + "set_mempolicy," #endif #ifdef SYS_vmsplice "vmsplice," @@ -350,6 +365,9 @@ #ifdef SYS_close "close," #endif +#ifdef SYS_close_range + "close_range," +#endif #ifdef SYS_creat "creat," #endif @@ -503,6 +521,9 @@ #ifdef SYS_openat "openat," #endif +#ifdef SYS_openat2 + "openat2," +#endif #ifdef SYS_readlink "readlink," #endif @@ -657,6 +678,9 @@ #ifdef SYS_pipe2 "pipe2," #endif +#ifdef SYS_process_madvise + "process_madvise," +#endif #ifdef SYS_process_vm_readv "process_vm_readv," #endif @@ -731,9 +755,27 @@ #ifdef SYS_chroot "chroot," #endif +#ifdef SYS_fsconfig + "fsconfig," +#endif +#ifdef SYS_fsmount + "fsmount," +#endif +#ifdef SYS_fsopen + "fsopen," +#endif +#ifdef SYS_fspick + "fspick," +#endif #ifdef SYS_mount "mount," #endif +#ifdef SYS_move_mount + "move_mount," +#endif +#ifdef SYS_open_tree + "open_tree," +#endif #ifdef SYS_pivot_root "pivot_root," #endif @@ -985,6 +1027,9 @@ #ifdef SYS_clone "clone," #endif +#ifdef SYS_clone3 + "clone3," +#endif #ifdef SYS_execveat "execveat," #endif @@ -997,6 +1042,9 @@ #ifdef SYS_kill "kill," #endif +#ifdef SYS_pidfd_open + "pidfd_open," +#endif #ifdef SYS_pidfd_send_signal "pidfd_send_signal," #endif @@ -1678,14 +1726,14 @@ sl.postlist = NULL; syscall_check_list(list, syscall_in_list, 0, 0, &sl, native); if (!arg_quiet) { - printf("Seccomp list in: %s,", list); + fprintf(stderr, "Seccomp list in: %s,", list); if (sl.slist) - printf(" check list: %s,", sl.slist); + fprintf(stderr, " check list: %s,", sl.slist); if (sl.prelist) - printf(" prelist: %s,", sl.prelist); + fprintf(stderr, " prelist: %s,", sl.prelist); if (sl.postlist) - printf(" postlist: %s", sl.postlist); - printf("\n"); + fprintf(stderr, " postlist: %s", sl.postlist); + fprintf(stderr, "\n"); } prelist = sl.prelist; postlist = sl.postlist;
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libpostexecseccomp/Makefile ^
@@ -0,0 +1,9 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +SO = libpostexecseccomp.so +TARGET = $(SO) + +MOD_HDRS = ../include/seccomp.h ../include/rundefs.h + +include $(ROOT)/src/so.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libpostexecseccomp/libpostexecseccomp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -55,6 +55,10 @@ }; prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); +#ifdef SECCOMP_FILTER_FLAG_LOG + syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog); +#else prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); +#endif munmap(filter, size); }
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtrace/Makefile ^
@@ -0,0 +1,7 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +SO = libtrace.so +TARGET = $(SO) + +include $(ROOT)/src/so.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtrace/libtrace.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -18,12 +18,12 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. / #define _GNU_SOURCE +#include <errno.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <dlfcn.h> #include <sys/types.h> -#include <limits.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> @@ -44,8 +44,6 @@ // break recursivity on fopen call typedef FILE (orig_fopen_t)(const char pathname, const char mode); static orig_fopen_t orig_fopen = NULL; -typedef FILE (orig_fopen64_t)(const char pathname, const char mode); -static orig_fopen64_t orig_fopen64 = NULL; typedef int (orig_access_t)(const char pathname, int mode); static orig_access_t orig_access = NULL; @@ -341,7 +339,9 @@ return rv; } -#ifdef __GLIBC__ +#ifndef fopen64 +typedef FILE (orig_fopen64_t)(const char pathname, const char mode); +static orig_fopen64_t orig_fopen64 = NULL; FILE fopen64(const char pathname, const char mode) { if (!orig_fopen64) orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); @@ -350,7 +350,7 @@ tprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv); return rv; } -#endif /* __GLIBC__ / +#endif // freopen @@ -365,7 +365,7 @@ return rv; } -#ifdef __GLIBC__ +#ifndef freopen64 typedef FILE (orig_freopen64_t)(const char pathname, const char mode, FILE stream); static orig_freopen64_t orig_freopen64 = NULL; FILE freopen64(const char pathname, const char mode, FILE stream) { @@ -376,7 +376,7 @@ tprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv); return rv; } -#endif /* __GLIBC__ / +#endif // unlink typedef int (orig_unlink_t)(const char pathname); @@ -447,7 +447,7 @@ return rv; } -#ifdef __GLIBC__ +#ifndef stat64 typedef int (orig_stat64_t)(const char pathname, struct stat64 statbuf); static orig_stat64_t orig_stat64 = NULL; int stat64(const char pathname, struct stat64 statbuf) { @@ -458,7 +458,7 @@ tprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv); return rv; } -#endif /* __GLIBC__ / +#endif // lstat typedef int (orig_lstat_t)(const char pathname, struct stat statbuf); @@ -472,7 +472,7 @@ return rv; } -#ifdef __GLIBC__ +#ifndef lstat64 typedef int (orig_lstat64_t)(const char pathname, struct stat64 statbuf); static orig_lstat64_t orig_lstat64 = NULL; int lstat64(const char pathname, struct stat64 statbuf) { @@ -483,7 +483,7 @@ tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); return rv; } -#endif / __GLIBC__ / +#endif // opendir typedef DIR (orig_opendir_t)(const char pathname); @@ -706,10 +706,14 @@ static void log_exec(int argc, char** argv) { (void) argc; (void) argv; - static char buf[PATH_MAX + 1]; - int rv = readlink("/proc/self/exe", buf, PATH_MAX); - if (rv != -1) { - buf[rv] = '\0'; // readlink does not add a '\0' at the end + char *buf = realpath("/proc/self/exe", NULL); + if (buf == NULL) { + if (errno == ENOMEM) { + tprintf(ftty, "realpath: %s\n", strerror(errno)); + exit(1); + } + } else { tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); + free(buf); } }
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtracelog/Makefile ^
@@ -0,0 +1,9 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +SO = libtracelog.so +TARGET = $(SO) + +MOD_HDRS = ../include/rundefs.h + +include $(ROOT)/src/so.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/libtracelog/libtracelog.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -39,8 +39,6 @@ // break recursivity on fopen call typedef FILE (orig_fopen_t)(const char pathname, const char mode); static orig_fopen_t orig_fopen = NULL; -typedef FILE (orig_fopen64_t)(const char pathname, const char mode); -static orig_fopen64_t orig_fopen64 = NULL; // // blacklist storage @@ -405,7 +403,9 @@ return rv; } -#ifdef __GLIBC__ +#ifndef fopen64 +typedef FILE (orig_fopen64_t)(const char pathname, const char mode); +static orig_fopen64_t orig_fopen64 = NULL; FILE fopen64(const char pathname, const char mode) { #ifdef DEBUG printf("%s %s\n", __FUNCTION__, pathname); @@ -420,7 +420,7 @@ FILE rv = orig_fopen64(pathname, mode); return rv; } -#endif /* __GLIBC__ / +#endif // freopen @@ -441,7 +441,7 @@ return rv; } -#ifdef __GLIBC__ +#ifndef freopen64 typedef FILE (orig_freopen64_t)(const char pathname, const char mode, FILE stream); static orig_freopen64_t orig_freopen64 = NULL; FILE freopen64(const char pathname, const char mode, FILE stream) { @@ -458,7 +458,7 @@ FILE rv = orig_freopen64(pathname, mode, stream); return rv; } -#endif / __GLIBC__ / +#endif // unlink typedef int (orig_unlink_t)(const char pathname); @@ -565,7 +565,7 @@ return rv; } -#ifdef __GLIBC__ +#ifndef stat64 typedef int (orig_stat64_t)(const char pathname, struct stat64 buf); static orig_stat64_t orig_stat64 = NULL; int stat64(const char pathname, struct stat64 buf) { @@ -582,7 +582,7 @@ int rv = orig_stat64(pathname, buf); return rv; } -#endif /* __GLIBC__ / +#endif typedef int (orig_lstat_t)(const char pathname, struct stat buf); static orig_lstat_t orig_lstat = NULL; @@ -601,7 +601,7 @@ return rv; } -#ifdef __GLIBC__ +#ifndef lstat64 typedef int (orig_lstat64_t)(const char pathname, struct stat64 buf); static orig_lstat64_t orig_lstat64 = NULL; int lstat64(const char pathname, struct stat64 buf) { @@ -618,7 +618,7 @@ int rv = orig_lstat64(pathname, buf); return rv; } -#endif / __GLIBC__ / +#endif // access typedef int (orig_access_t)(const char *pathname, int mode);
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/Makefile ^
@@ -0,0 +1,14 @@ +.PHONY: all +all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man + +ROOT = ../.. +-include $(ROOT)/config.mk + +%.man: %.txt $(ROOT)/config.mk + gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@ + +.PHONY: clean +clean:; rm -fr *.man + +.PHONY: distclean +distclean: clean
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firecfg.txt ^
@@ -27,7 +27,7 @@ To set it up, run "sudo firecfg" after installing Firejail software. The same command should also be run after installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin -will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config". +will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config". For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. .SH DEFAULT ACTIONS @@ -82,6 +82,16 @@ reportedly fixed in PulseAudio version 9. If you have sound problems on your system, run "firecfg --fix-sound" command in a terminal, followed by logout/login in order to apply the changes. .TP +\fB\-\-guide +Guided configuration for new users. +.br + +.br +Example: +.br +$ sudo firecfg --guide +.br +.TP \fB\-\-debug Print debug messages. .TP @@ -136,3 +146,4 @@ .BR firejail-login (5), .BR firejail-users (5), .BR jailcheck (1) +.\" vim: set filetype=groff :
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail-login.txt ^
@@ -40,3 +40,4 @@ .BR firejail-profile (5), .BR firejail-users (5), .BR jailcheck (1) +.\" vim: set filetype=groff :
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail-profile.txt ^
@@ -14,7 +14,7 @@ .br Example: .br -$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage +$ firejail --appimage --profile=/etc/firejail/kdenlive.profile kdenlive.appimage .br .br @@ -25,7 +25,7 @@ .br Example: .br -$ firejail --profile=kdenlive --appimage kdenlive.appimage +$ firejail --appimage --profile=kdenlive kdenlive.appimage .br .br @@ -78,7 +78,7 @@ Several command line options can be passed to the program using profile files. Firejail chooses the profile file as follows: -\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. +\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. Example: .PP .RS @@ -174,11 +174,16 @@ This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM +Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled or disabled globally in Firejail's configuration file. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. +Note: When using one or more conditionals and \fB--profile\fR, it is +recommended that the relevant option(s) (such as \fB--appimage\fR) be specified +before \fB--profile\fR, so that their respective conditional(s) (such as +\fB?HAS_APPIMAGE\fR) inside of the profile evaluate to true. + .TP \fBinclude other.profile Include other.profile file. @@ -324,16 +329,16 @@ #ifdef HAVE_OVERLAYFS .TP \fBoverlay -Mount a filesystem overlay on top of the current filesystem. -The overlay is stored in $HOME/.firejail/<PID> directory. +Mount a filesystem overlay on top of the current filesystem. +The overlay is stored in $HOME/.firejail/<PID> directory. .TP \fBoverlay-named name -Mount a filesystem overlay on top of the current filesystem. -The overlay is stored in $HOME/.firejail/name directory. +Mount a filesystem overlay on top of the current filesystem. +The overlay is stored in $HOME/.firejail/name directory. .TP \fBoverlay-tmpfs -Mount a filesystem overlay on top of the current filesystem. -All filesystem modifications are discarded when the sandbox is closed. +Mount a filesystem overlay on top of the current filesystem. +All filesystem modifications are discarded when the sandbox is closed. #endif .TP \fBprivate @@ -343,12 +348,25 @@ .TP \fBprivate directory Use directory as user home. +--private and --private=directory cannot be used together. +.br + +.br +Bug: Even with this enabled, some commands (such as mkdir, mkfile and +private-cache) will still operate on the original home directory. +Workaround: Disable the incompatible commands, such as by using "ignore mkdir" +and "ignore mkfile". +For details, see +.UR https://github.com/netblue30/firejail/issues/903 +#903 +.UE .TP \fBprivate-bin file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. The files in the list must be expressed as relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. +Multiple private-bin commands are allowed and they accumulate. .TP \fBprivate-cache Mount an empty temporary filesystem on top of the .cache directory in user home. All @@ -358,7 +376,7 @@ Set working directory inside jail to the home directory, and failing that, the root directory. .TP \fBprivate-cwd directory -Set working directory inside the jail. +Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed. .TP \fBprivate-dev Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, @@ -374,6 +392,7 @@ (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed. +Multiple private-etc commands are allowed and they accumulate. #ifdef HAVE_PRIVATE_HOME .TP \fBprivate-home file,directory @@ -436,6 +455,11 @@ .br Symbolic link handling: with the exception of user home, both the link and the real file should be in the same top directory. For user home, both the link and the real file should be owned by the user. + +.TP +\fBwhitelist-ro file_or_directory +Equivalent to "whitelist file_or_directory" followed by "read-only file_or_directory" + .TP \fBwritable-etc Mount /etc directory read-write. @@ -459,11 +483,16 @@ #ifdef HAVE_APPARMOR .TP \fBapparmor -Enable AppArmor confinement. +Enable AppArmor confinement with the "firejail-default" AppArmor profile. +.TP +\fBapparmor profile_name +Enable AppArmor confinement with a custom AppArmor profile. +Note that the profile in question must already be loaded into the kernel. #endif .TP \fBcaps Enable default Linux capabilities filter. +See capabilities(7) for details. .TP \fBcaps.drop capability,capability,capability Blacklist given Linux capabilities. @@ -484,17 +513,27 @@ cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) does not result in an increase of privilege. +.TP +\fBnoprinters +Disable printers. #ifdef HAVE_USERNS .TP \fBnoroot -Use this command to enable an user namespace. The namespace has only one user, the current user. +Use this command to enable an user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace. #endif .TP \fBprotocol protocol1,protocol2,protocol3 -Enable protocol filter. The filter is based on seccomp and checks the +Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. Recognized values: \fBunix\fR, -\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. +\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR. +Multiple protocol commands are allowed and they accumulate. +.TP +\fBrestrict-namespaces +Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces. +.TP +\fBrestrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts +Install a seccomp filter that blocks attempts to create any of the specified namespaces. .TP \fBseccomp Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. @@ -606,7 +645,7 @@ Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. .TP \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications -Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. +Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. .TP \fBdbus-user filter Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. @@ -659,18 +698,14 @@ .br [...] #endif -.SH Resource limits, CPU affinity, Control Groups +.SH Resource limits, CPU affinity These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command -configures the CPU cores available, and \fBcgroup\fR command -place the sandbox in an existing control group. +configures the CPU cores available. Examples: .TP -\fBcgroup /sys/fs/cgroup/g1/tasks -The sandbox is placed in g1 control group. -.TP \fBcpu 0,1,2 Use only CPU cores 0, 1 and 2. .TP @@ -716,6 +751,11 @@ .TP \fBipc-namespace Enable IPC namespace. + +.TP +\fBkeep-fd +Inherit open file descriptors to sandbox. + .TP \fBname sandboxname Set sandbox name. Example: @@ -752,6 +792,9 @@ \fBnovideo Disable video capture devices. .TP +\fBmachine-id +Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. +.TP \fBshell none Run the program directly, without a shell. @@ -870,8 +913,8 @@ .TP \fBiprange address,address -Assign an IP address in the provided range to the last network -interface defined by a net command. A default gateway is assigned by default. +Assign an IP address in the provided range to the last network +interface defined by a net command. A default gateway is assigned by default. .br .br @@ -889,10 +932,6 @@ Assign MAC addresses to the last network interface defined by a net command. .TP -\fBmachine-id -Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. - -.TP \fBmtu number Assign a MTU value to the last network interface defined by a net command. @@ -938,6 +977,10 @@ \fBnetfilter filename If a new network namespace is created, enabled the network filter in filename. +.TP +\fBnetlock +Generate a custom network filter and enable it. + .TP \fBnetmask address @@ -955,12 +998,17 @@ Use this name for the interface connected to the bridge for --net=bridge_interface commands, instead of the default one. #endif + .SH Other .TP \fBdeterministic-exit-code Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. .TP +\fBdeterministic-shutdown +Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. + +.TP \fBjoin-or-start sandboxname Join the sandbox identified by name or start a new one. Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". @@ -996,3 +1044,4 @@ .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles .UE +.\" vim: set filetype=groff :
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail-users.txt ^
@@ -60,3 +60,4 @@ .BR firejail-profile (5), .BR firejail-login (5), .BR jailcheck (1) +.\" vim: set filetype=groff :
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firejail.txt ^
@@ -11,7 +11,7 @@ Start an AppImage program: .PP .RS -firejail [OPTIONS] --appimage [appimage-file and arguments] +firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and arguments] .RE .PP #ifdef HAVE_FILE_TRANSFER @@ -45,7 +45,7 @@ #ifdef HAVE_LTS This is Firejail long-term support (LTS), an enterprise focused version of the software, LTS is usually supported for two or three years. -During this time only bugs and the occasional documentation problems are fixed. +During this time only bugs and the occasional documentation problems are fixed. The attack surface of the SUID executable was greatly reduced by removing some of the features. .br @@ -67,6 +67,17 @@ Each profile defines a set of permissions for a specific application or group of applications. The software includes security profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. +.\" TODO: Explain the security/usability tradeoffs from #4601. +.PP +Firejail is currently implemented as an SUID binary, which means that if a +malicious or compromised user account manages to exploit a bug in Firejail, +that could ultimately lead to a privilege escalation to root. +To mitigate this, it is recommended to only allow trusted users to run firejail +(see firejail-users(5) for details on how to achieve that). +For more details on the security/usability tradeoffs of Firejail, see: +.UR https://github.com/netblue30/firejail/discussions/4601 +#4601 +.UE .PP Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) are not supported. Snap and flatpak packages have their own native management tools and will @@ -109,7 +120,7 @@ .br Example: .br -$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox +$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP \fB\-\-allusers All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. @@ -122,7 +133,13 @@ #ifdef HAVE_APPARMOR .TP \fB\-\-apparmor -Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. +Enable AppArmor confinement with the "firejail-default" AppArmor profile. +For more information, please see \fBAPPARMOR\fR section below. +.TP +\fB\-\-apparmor=profile_name +Enable AppArmor confinement with a custom AppArmor profile. +Note that profile in question must already be loaded into the kernel. +For more information, please see \fBAPPARMOR\fR section below. .TP \fB\-\-apparmor.print=name\|pid Print the AppArmor confinement status for the sandbox identified by name or by PID. @@ -149,13 +166,20 @@ .br $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage .br -$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage +$ firejail --quiet --appimage --private --profile=krita krita-3.0-x86_64.appimage .br #ifdef HAVE_X11 $ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage #endif -.TP +.br + +.br +Note: When using both \fB--appimage\fR and \fB--profile\fR, it is recommended +to always specify the former before the latter, so that any \fB?HAS_APPIMAGE\fR +conditionals inside of the profile evaluate to true (see \fB?CONDITIONAL\fR in +firejail-profile(5)). #ifdef HAVE_NETWORK +.TP \fB\-\-bandwidth=name\|pid Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. #endif @@ -174,6 +198,13 @@ .br .br +Symbolic link handling: Blacklisting a path that is a symbolic link will also +blacklist the path that it points to. +For example, if ~/foo is blacklisted and it points to /bar, then /bar will also +be blacklisted. +.br + +.br Example: .br $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin @@ -185,28 +216,27 @@ $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines .TP \fB\-\-build -The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also -builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, -with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported -in order to allow strace to run. Chromium and Chromium-based browsers will not work. +The command builds a whitelisted profile. The profile is printed on the screen. The program is run in a very relaxed sandbox, with only \-\-caps.drop=all and \-\-seccomp=!chroot. Programs that raise user privileges are not supported. .br .br Example: .br -$ firejail --build vlc ~/Videos/test.mp4 +$ firejail \-\-build vlc ~/Videos/test.mp4 +.br +$ firejail \-\-build \-\-appimage ~/Downloads/Subsurface.AppImage .TP \fB\-\-build=profile-file -The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also -builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, -with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported -in order to allow strace to run. Chromium and Chromium-based browsers will not work. +The command builds a whitelisted profile, and saves it in profile-file. The program is run in a very relaxed sandbox, +with only \-\-caps.drop=all and \-\-seccomp=!chroot. Programs that raise user privileges are not supported. .br .br Example: .br -$ firejail --build=vlc.profile vlc ~/Videos/test.mp4 +$ firejail \-\-build=vlc.profile vlc ~/Videos/test.mp4 +.br +$ firejail \-\-build=Subsurface.profile \-\-appimage ~/Downloads/Subsurface.AppImage .TP \fB\-c Login shell compatibility option. This option is use by some login programs when executing @@ -217,6 +247,7 @@ Linux capabilities is a kernel feature designed to split up the root privilege into a set of distinct privileges. These privileges can be enabled or disabled independently, thus restricting what a process running as root can do in the system. +See capabilities(7) for details. By default root programs run with all capabilities enabled. \-\-caps option disables the following capabilities: CAP_SYS_MODULE, CAP_SYS_RAWIO, @@ -289,15 +320,6 @@ \fB\-\-cat=name\|pid filename Print content of file from sandbox container, see FILE TRANSFER section for more details. #endif -.TP -\fB\-\-cgroup=tasks-file -Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. -.br - -.br -Example: -.br -# firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks #ifdef HAVE_CHROOT .TP \fB\-\-chroot=dirname @@ -310,6 +332,16 @@ Example: .br $ firejail \-\-chroot=/media/ubuntu warzone2100 +.br + +.br +For automatic mounting of X11 and PulseAudio sockets set environment variables +FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE. +.br + +.br +Note: Support for this command is controlled in firejail.config with the +\fBchroot\fR option. #endif .TP \fB\-\-cpu=cpu-number,cpu-number,cpu-number @@ -390,7 +422,7 @@ .TP \fB\-\-dbus-system.broadcast=name=[member][@path] -Allows the application to receive broadcast signals from theindicated interface +Allows the application to receive broadcast signals from the indicated interface member at the indicated object path exposed by the indicated bus name on the system DBus. The name may have a .* suffix to match all names underneath it, including @@ -517,7 +549,7 @@ .TP \fB\-\-dbus-user.broadcast=name=[member][@path] -Allows the application to receive broadcast signals from theindicated interface +Allows the application to receive broadcast signals from the indicated interface member at the indicated object path exposed by the indicated bus name on the session DBus. The name may have a .* suffix to match all names underneath it, including @@ -697,10 +729,17 @@ .br $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox #endif + .TP \fB\-\-deterministic-exit-code Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. .br + +.TP +\fB\-\-deterministic-shutdown +Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. +.br + .TP \fB\-\-disable-mnt Blacklist /mnt, /media, /run/mount and /run/media access. @@ -747,6 +786,48 @@ .br $ firejail \-\-dns.print=3272 +#ifdef HAVE_NETWORK +.TP +\fB\-\-dnstrace[=name\|pid] +Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes +created with \-\-net are supported. This option is only available when running the sandbox as root. +.br + +.br +Without a name/pid, Firejail will monitor the main system network namespace. +.br + +.br +Example: +.br +$ sudo firejail --dnstrace +.br +11:31:43 9.9.9.9 linux.com (type 1) +.br +11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN +.br +11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN +.br +11:31:45 9.9.9.9 www.linux.com (type 1) +.br +11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN +.br +11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN +.br +11:32:05 9.9.9.9 secure.gravatar.com (type 1) +.br +11:32:06 9.9.9.9 secure.gravatar.com (type 1) +.br +11:32:08 9.9.9.9 taikai.network (type 1) +.br +11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1) +.br +11:32:08 9.9.9.9 taikai.azureedge.net (type 1) +.br +11:32:08 9.9.9.9 www.youtube.com (type 1) +.br +#endif + .TP \fB\-\-env=name=value Set environment variable in the new sandbox. @@ -809,6 +890,28 @@ .br $ firejail \-\-hosts-file=~/myhosts firefox +#ifdef HAVE_IDS +.TP +\fB\-\-ids-check +Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. +.br + +.br +Example: +.br +$ firejail \-\-ids-check + +.TP +\fB\-\-ids-init +Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details. +.br + +.br +Example: +.br +$ firejail \-\-ids-init +#endif + .TP \fB\-\-ignore=command Ignore command in profile file. @@ -817,12 +920,40 @@ .br Example: .br -$ firejail \-\-ignore=shell --ignore=seccomp firefox +$ firejail --ignore=seccomp --ignore=caps firefox #ifdef HAVE_NETWORK .br $ firejail \-\-ignore="net eth0" firefox #endif +#ifdef HAVE_NETWORK +.TP +\fB\-\-icmptrace[=name\|pid] +Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes +created with \-\-net are supported. This option is only available when running the sandbox as root. +.br + +.br +Without a name/pid, Firejail will monitor the main system network namespace. +.br + +.br +Example +.br +$ sudo firejail --icmptrace +.br +20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 +.br +20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 +.br +20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 +.br +20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 +.br +20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable +.br +#endif + .TP \fB\-\-\include=file.profile Include a profile file before the regular profiles are used. @@ -947,7 +1078,7 @@ .TP \fB\-\-ipc-namespace -Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default +Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default for sandboxes started as root. .br @@ -961,7 +1092,7 @@ Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user, all security filters are configured for the new process the same they are configured in the sandbox. -If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied +If \-\-join command is issued as root, the security filters and cpus configurations are not applied to the process joining the sandbox. .br @@ -986,13 +1117,13 @@ \fB\-\-join-filesystem=name\|pid Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to root user. -Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. +Security filters and cpus configurations are not applied to the process joining the sandbox. #ifdef HAVE_NETWORK .TP \fB\-\-join-network=name\|pid Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to root user. -Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example: +Security filters and cpus configurations are not applied to the process joining the sandbox. Example: .br .br @@ -1014,7 +1145,7 @@ .br .br -# verify IP addresses +# verify IP addresses .br $ sudo firejail --join-network=browser ip addr .br @@ -1073,6 +1204,26 @@ $ firejail --keep-dev-shm --private-dev .TP +\fB\-\-keep-fd=all +Inherit all open file descriptors to the sandbox. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed. +.br + +.br +Example: +.br +$ firejail --keep-fd=all + +.TP +\fB\-\-keep-fd=file_descriptor +Don't close specified open file descriptors. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed. +.br + +.br +Example: +.br +$ firejail --keep-fd=3,4,5 + +.TP \fB\-\-keep-var-tmp /var/tmp directory is untouched. .br @@ -1225,7 +1376,7 @@ .TP \fB\-\-net=ethernet_interface\|wireless_interface Enable a new network namespace and connect it -to this ethernet interface using the standard Linux macvlan\|ipvaln +to this ethernet interface using the standard Linux macvlan\|ipvlan driver. Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned automatically to the sandbox. The IP address is verified using ARP before @@ -1412,6 +1563,30 @@ $ firejail --netfilter6.print=browser .TP +\fB\-\-netlock +Several type of programs (email clients, multiplayer games etc.) talk to a very small +number of IP addresses. But the best example is tor browser. It only talks to a guard node, +and there are two or three more on standby in case the main one fails. +During startup, the browser contacts all of them, after that it keeps talking to the main +one... for weeks! + +Use the network locking feature to build and deploy a custom network firewall in your sandbox. +The firewall allows only the traffic to the IP addresses detected during the program +startup. Traffic to any other address is quietly dropped. By default the network monitoring +time is one minute. + +A network namespace (\-\-net=eth0) is required for this feature to work. Example: +.br + +.br +$ firejail --net=eth0 --netlock \\ +.br +--private=~/tor-browser_en-US ./start-tor-browser.desktop +.br + +.br + +.TP \fB\-\-netmask=address Use this option when you want to assign an IP address in a new namespace and the parent interface specified by --net is not configured. An IP address and @@ -1448,6 +1623,40 @@ 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox .br 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission +.TP +\fB\-\-nettrace[=name\|pid] +Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes +created with \-\-net are supported. This option is only available when running the sandbox as root. +.br + +.br +Without a name/pid, Firejail will monitor the main system network namespace. +.br + +.br +Example: +.br +$ sudo firejail --nettrace +.br + 95 KB/s geoip 457, IP database 4436 +.br + 52 KB/s ********* 64.222.84.207:443 United States +.br + 33 KB/s ***** 89.147.74.105:63930 Hungary +.br + 0 B/s 45.90.28.0:443 NextDNS +.br + 0 B/s 94.70.122.176:52309(UDP) Greece +.br + 339 B/s 104.26.7.35:443 Cloudflare +.br + +.br +If /usr/bin/geoiplookup is installed (geoip-bin package in Debian), +the country the traffic originates from is added to the trace. +We also use the static IP map in /usr/lib/firejail/static-ip-map +to print the domain names for some of the more common websites and cloud platforms. +No external services are contacted for reverse IP lookup. #endif .TP \fB\-\-nice=value @@ -1580,6 +1789,10 @@ is enabled by default if seccomp filter is activated. .TP +\fB\-\-noprinters +Disable printers. + +.TP \fB\-\-noprofile Do not use a security profile. .br @@ -1670,6 +1883,17 @@ \fB\-\-nowhitelist=dirname_or_filename Disable whitelist for this directory or file. +.TP +\fB\-\-oom=value +Configure kernel's OutOfMemory-killer score for this sandbox. The acceptable score values are between 0 and 1000 +for regular users, and -1000 to 1000 for root. For more information on OOM kernel feature see \fBman choom\fR. +.br + +.br +Example: +.br +$ firejail \-\-oom=300 firefox + #ifdef HAVE_OUTPUT .TP \fB\-\-output=logfile @@ -1793,6 +2017,17 @@ Example: .br $ firejail \-\-private=/home/netblue/firefox-home firefox +.br + +.br +Bug: Even with this enabled, some commands (such as mkdir, mkfile and +private-cache) will still operate on the original home directory. +Workaround: Disable the incompatible commands, such as by using "ignore mkdir" +and "ignore mkfile". +For details, see +.UR https://github.com/netblue30/firejail/issues/903 +#903 +.UE .TP \fB\-\-private-bin=file,file @@ -1801,8 +2036,9 @@ /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories. If no listed files are found, /bin directory will be empty. The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. -All modifications are discarded when the sandbox is closed. File globbing is supported, -see \fBFILE GLOBBING\fR section for more details. +All modifications are discarded when the sandbox is closed. +Multiple private-bin commands are allowed and they accumulate. +File globbing is supported, see \fBFILE GLOBBING\fR section for more details. .br .br @@ -1832,7 +2068,6 @@ .TP \fB\-\-private-cwd Set working directory inside jail to the home directory, and failing that, the root directory. -.br Does not impact working directory of profile include paths. .br @@ -1853,7 +2088,7 @@ .TP \fB\-\-private-cwd=directory Set working directory inside the jail. -.br +Full directory path is required. Symbolic links are not allowed. Does not impact working directory of profile include paths. .br @@ -1899,6 +2134,7 @@ the /etc directory (e.g., /etc/foo must be expressed as foo). If no listed file is found, /etc directory will be empty. All modifications are discarded when the sandbox is closed. +Multiple private-etc commands are allowed and they accumulate. .br .br @@ -1976,6 +2212,9 @@ $ .br +.br +Note: Support for this command is controlled in firejail.config with the +\fBprivate-lib\fR option. .TP \fB\-\-private-opt=file,directory Build a new /opt in a temporary @@ -2057,7 +2296,8 @@ .TP \fB\-\-protocol=protocol,protocol,protocol Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. -Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture. +Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture. +Multiple protocol commands are allowed and they accumulate. .br .br @@ -2127,6 +2367,29 @@ .TP +\fB\-\-restrict-namespaces +Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces. +.br + +.br +Example: +.br +$ firejail \-\-restrict-namespaces + +.TP +\fB\-\-restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts +Install a seccomp filter that blocks attempts to create any of the specified namespaces. The filter examines +the arguments of clone, unshare and setns system calls and returns error EPERM to the process +(or kills it or logs the attempt, see \-\-seccomp-error-action below) if necessary. Note that the filter is not +able to examine the arguments of clone3 system calls, and always responds to these calls with error ENOSYS. +.br + +.br +Example: +.br +$ firejail \-\-restrict-namespaces=user,net + +.TP \fB\-\-rlimit-as=number Set the maximum size of the process's virtual memory (address space) in bytes. Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). @@ -2134,7 +2397,7 @@ .TP \fB\-\-rlimit-cpu=number Set the maximum limit, in seconds, for the amount of CPU time each -sandboxed process can consume. When the limit is reached, the processes are killed. +sandboxed process can consume. When the limit is reached, the processes are killed. The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps @@ -2178,7 +2441,7 @@ .TP \fB\-\-seccomp Enable seccomp filter and blacklist the syscalls in the default list, -which is @default-nodebuggers unless \-\-allow-debuggers is specified, +which is @default-nodebuggers unless \-\-allow-debuggers is specified, then it is @default. .br @@ -2192,6 +2455,11 @@ .br .br +The default list can be customized, see \-\-seccomp= for a description. +It can be customized also globally in /etc/firejail/firejail.config file. +.br + +.br System architecture is strictly imposed only if flag \-\-seccomp.block-secondary is used. The filter is applied at run time only if the correct architecture was detected. For the case of I386 @@ -2206,11 +2474,7 @@ Example: .br $ firejail \-\-seccomp -.br -.br -The default list can be customized, see \-\-seccomp= for a description. It can be customized -also globally in /etc/firejail/firejail.config file. .TP \fB\-\-seccomp=syscall,@group,!syscall2 @@ -2274,7 +2538,7 @@ .br Example: .br -$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh +$ firejail \-\-noprofile \-\-seccomp=execve sh .br Parent pid 32751, child pid 32752 .br @@ -2351,7 +2615,7 @@ .br Example: .br -$ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk +$ firejail \-\-seccomp.keep=poll,select,[...] transmission-gtk .TP \fB\-\-seccomp.print=name\|pid @@ -2533,45 +2797,78 @@ .br .TP -\fB\-\-shell=none -Run the program directly, without a user shell. +\fB\-\-shutdown=name\|pid +Shutdown the sandbox identified by name or PID. .br .br Example: .br -$ firejail \-\-shell=none script.sh -.TP -\fB\-\-shell=program -Set default user shell. Use this shell to run the application using \-c shell option. -For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". -By default the user's preferred shell is used. +$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & +.br +$ firejail \-\-shutdown=mygame .br .br Example: -$firejail \-\-shell=/bin/dash script.sh +.br +$ firejail \-\-list +.br +3272:netblue::firejail \-\-private firefox +.br +$ firejail \-\-shutdown=3272 + +#ifdef HAVE_NETWORK .TP -\fB\-\-shutdown=name\|pid -Shutdown the sandbox identified by name or PID. +\fB\-\-snitrace[=name\|pid] +Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes +created with \-\-net are supported. This option is only available when running the sandbox as root. +.br + +.br +Without a name/pid, Firejail will monitor the main system network namespace. .br .br Example: .br -$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & +$ sudo firejail --snitrace .br -$ firejail \-\-shutdown=mygame +07:49:51 23.185.0.3 linux.com .br - +07:49:51 23.185.0.3 www.linux.com .br -Example: +07:50:05 192.0.73.2 secure.gravatar.com .br -$ firejail \-\-list +07:52:35 172.67.68.93 www.howtoforge.com .br -3272:netblue::firejail \-\-private firefox +07:52:37 13.225.103.59 sf.ezoiccdn.com .br -$ firejail \-\-shutdown=3272 +07:52:42 142.250.176.3 www.gstatic.com +.br +07:53:03 173.236.250.32 www.linuxlinks.com +.br +07:53:05 192.0.77.37 c0.wp.com +.br +07:53:08 192.0.78.32 jetpack.wordpress.com +.br +07:53:09 192.0.77.32 s0.wp.com +.br +07:53:09 192.0.77.2 i0.wp.com +.br +07:53:10 192.0.77.2 i0.wp.com +.br +07:53:11 192.0.73.2 1.gravatar.com +.br +#endif + +.TP +\fB\-\-tab +Enable shell tab completion in sandboxes using private or whitelisted home directories. +.br + +.br +$ firejail \-\-private --tab .TP \fB\-\-timeout=hh:mm:ss Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format. @@ -2651,6 +2948,11 @@ Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot .br [...] +.br + +.br +Note: Support for this command is controlled in firejail.config with the +\fBtracelog\fR option. .TP \fB\-\-tree Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. @@ -2743,8 +3045,14 @@ .br .br -Symbolic link handling: with the exception of user home, both the link and the real file should be in -the same top directory. For user home, both the link and the real file should be owned by the user. +Symbolic link handling: Whitelisting a path that is a symbolic link will also +whitelist the path that it points to. +For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will +also be whitelisted. +Restrictions: With the exception of the user home directory, both the link and +the real file should be in the same top directory. +For symbolic links in the user home directory, both the link and the real file +should be owned by the user. .br .br @@ -2756,7 +3064,7 @@ .br $ firejail \-\-noprofile \-\-whitelist=~/.mozilla .br -$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null +$ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null .br $ firejail "\-\-whitelist=/home/username/My Virtual Machines" .br @@ -2865,7 +3173,7 @@ connection model. Untrusted clients are restricted in certain ways to prevent them from reading window contents of other clients, stealing input events, etc. -The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients +The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. Firefox and transmission-gtk seem to be working fine. A network namespace is not required for this option. @@ -3196,6 +3504,67 @@ $ firejail \-\-cat=mybrowser ~/.bashrc .br #endif + +#ifdef HAVE_IDS +.SH INTRUSION DETECTION SYSTEM (IDS) +The host-based intrusion detection system tracks down and audits user and system file modifications. +The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, +where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing. + +As a regular user, initialize the database: +.br + +.br +$ firejail --ids-init +.br +Opening config file /etc/firejail/ids.config +.br +Loading config file /etc/firejail/ids.config +.br +Opening config file /etc/firejail/ids.config.local +.br +500 1000 1500 2000 +.br +2466 files scanned +.br +IDS database initialized +.br + +.br +The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory +such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed. +.br + +.br +Run --ids-check to audit the system: +.br + +.br +$ firejail --ids-check +.br +Opening config file /etc/firejail/ids.config +.br +Loading config file /etc/firejail/ids.config +.br +Opening config file /etc/firejail/ids.config.local +.br +500 1000 1500 +.br +Warning: modified /home/netblue/.bashrc +.br +2000 +.br +2466 files scanned: modified 1, permissions 0, new 0, removed 0 +.br + +.br +The program will print the files that have been modified since the database was created, or the files with different access permissions. +New files and deleted files are also flagged. + +Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. +The program can also be run as root (sudo firejail --ids-init/--ids-check). +#endif + .SH MONITORING Option \-\-list prints a list of all sandboxes. The format for each process entry is as follows: @@ -3256,7 +3625,7 @@ .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in /etc/passwd file for each user that needs to be restricted. Alternatively, -you can specify /usr/bin/firejail in adduser command: +you can specify /usr/bin/firejail in adduser command: adduser \-\-shell /usr/bin/firejail username @@ -3266,7 +3635,7 @@ Several command line options can be passed to the program using profile files. Firejail chooses the profile file as follows: -1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. +1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. Example: .PP .RS @@ -3388,3 +3757,4 @@ .UE , .UR https://github.com/netblue30/firejail .UE +.\" vim: set filetype=groff :
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/firemon.txt ^
@@ -21,9 +21,6 @@ \fB\-\-caps Print capabilities configuration for each sandbox. .TP -\fB\-\-cgroup -Print control group information for each sandbox. -.TP \fB\-\-cpu Print CPU affinity for each sandbox. .TP @@ -56,7 +53,7 @@ Print seccomp configuration for each sandbox. .TP \fB\-\-top -Monitor the most CPU-intensive sandboxes. This command is similar to +Monitor the most CPU-intensive sandboxes. This command is similar to the regular UNIX top command, however it applies only to sandboxes. .TP \fB\-\-tree @@ -121,3 +118,4 @@ .BR firejail-login (5), .BR firejail-users (5), .BR jailcheck (1) +.\" vim: set filetype=groff :
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/jailcheck.txt ^
@@ -115,3 +115,4 @@ .BR firejail-profile (5), .BR firejail-login (5), .BR firejail-users (5), +.\" vim: set filetype=groff :
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/man/preproc.awk ^
@@ -1,6 +1,6 @@ #!/usr/bin/gawk -E -# Copyright (c) 2019-2021 rusty-snake +# Copyright (c) 2019-2022 rusty-snake # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/profstats/Makefile ^
@@ -0,0 +1,9 @@ +ROOT = ../.. +-include $(ROOT)/config.mk + +PROG = profstats +TARGET = $(PROG) + +MOD_HDRS = ../include/common.h + +include $(ROOT)/src/prog.mk
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/profstats/main.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project * @@ -17,16 +17,15 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. / -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <assert.h> + +#include "../include/common.h" #define MAXBUF 2048 // stats static int cnt_profiles = 0; static int cnt_apparmor = 0; static int cnt_seccomp = 0; +static int cnt_restrict_namespaces = 0; static int cnt_caps = 0; static int cnt_dbus_system_none = 0; static int cnt_dbus_user_none = 0; @@ -40,6 +39,7 @@ static int cnt_privatedev = 0; static int cnt_privatetmp = 0; static int cnt_privateetc = 0; +static int cnt_privatelib = 0; static int cnt_whitelistvar = 0; // include whitelist-var-common.inc static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc @@ -58,6 +58,7 @@ static int arg_privatedev = 0; static int arg_privatetmp = 0; static int arg_privateetc = 0; +static int arg_privatelib = 0; static int arg_whitelistvar = 0; static int arg_whitelistrunuser = 0; static int arg_whitelistusrshare = 0; @@ -67,19 +68,20 @@ static int arg_dbus_user_none = 0; static int arg_whitelisthome = 0; static int arg_noroot = 0; - +static int arg_print_blacklist = 0; +static int arg_print_whitelist = 0; +static int arg_restrict_namespaces = 0; static char profile = NULL; - static void usage(void) { - printf("proftool - print profile statistics\n"); - printf("Usage: proftool [options] file[s]\n"); + printf("profstats - print profile statistics\n"); + printf("Usage: profstats [options] file[s]\n"); printf("Options:\n"); printf(" --apparmor - print profiles without apparmor\n"); printf(" --caps - print profiles without caps\n"); - printf(" --dbus-system-none - profiles without \"dbus-system none\"\n"); - printf(" --dbus-user-none - profiles without \"dbus-user none\"\n"); + printf(" --dbus-system-none - print profiles without \"dbus-system none\"\n"); + printf(" --dbus-user-none - print profiles without \"dbus-user none\"\n"); printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); printf(" --noroot - print profiles without \"noroot\"\n"); @@ -87,8 +89,11 @@ printf(" --private-dev - print profiles without private-dev\n"); printf(" --private-etc - print profiles without private-etc\n"); printf(" --private-tmp - print profiles without private-tmp\n"); + printf(" --print-blacklist - print all --blacklist for a profile\n"); + printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); printf(" --seccomp - print profiles without seccomp\n"); - printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n"); + printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); + printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"); printf(" --whitelist-home - print profiles whitelisting home directory\n"); printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); @@ -97,8 +102,9 @@ printf("\n"); } -void process_file(const char fname) { +static void process_file(char fname) { assert(fname); + char tmpfname = NULL; if (arg_debug) printf("processing #%s#\n", fname); @@ -107,9 +113,19 @@ FILE fp = fopen(fname, "r"); if (!fp) { - fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile); - level--; - return; + // the file was not found in the current directory + // look for it in /etc/firejail directory + if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1) + errExit("asprintf"); + + fp = fopen(tmpfname, "r"); + if (!fp) { + fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile); + free(tmpfname); + level--; + return; + } + fname = tmpfname; } int have_include_local = 0; @@ -125,8 +141,22 @@ if (ptr == '\n' \|\| ptr == '#') continue; + if (arg_print_blacklist) { + if (strncmp(ptr, "blacklist", 9) == 0 \|\| + strncmp(ptr, "noblacklist", 11) == 0) + printf("%s: %s\n", fname, ptr); + } + else if (arg_print_whitelist) { + if (strncmp(ptr, "whitelist", 9) == 0 \|\| + strncmp(ptr, "nowhitelist", 11) == 0 \|\| + strncmp(ptr, "private", 7) == 0) + printf("%s: %s\n", fname, ptr); + } + if (strncmp(ptr, "seccomp", 7) == 0) cnt_seccomp++; + if (strncmp(ptr, "restrict-namespaces", 19) == 0) + cnt_restrict_namespaces++; else if (strncmp(ptr, "caps", 4) == 0) cnt_caps++; else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) @@ -158,6 +188,8 @@ cnt_privatetmp++; else if (strncmp(ptr, "private-etc", 11) == 0) cnt_privateetc++; + else if (strncmp(ptr, "private-lib", 11) == 0) + cnt_privatelib++; else if (strncmp(ptr, "dbus-system none", 16) == 0) cnt_dbus_system_none++; else if (strncmp(ptr, "dbus-system", 11) == 0) @@ -190,6 +222,8 @@ if (!have_include_local) printf("No include .local found in %s\n", fname); level--; + if (tmpfname) + free(tmpfname); } int main(int argc, char **argv) { @@ -213,6 +247,8 @@ arg_caps = 1; else if (strcmp(argv[i], "--seccomp") == 0) arg_seccomp = 1; + else if (strcmp(argv[i], "--restrict-namespaces") == 0) + arg_restrict_namespaces = 1; else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) arg_mdwx = 1; else if (strcmp(argv[i], "--noexec") == 0) @@ -227,6 +263,10 @@ arg_privatetmp = 1; else if (strcmp(argv[i], "--private-etc") == 0) arg_privateetc = 1; + else if (strcmp(argv[i], "--print-blacklist") == 0) + arg_print_blacklist = 1; + else if (strcmp(argv[i], "--print-whitelist") == 0) + arg_print_whitelist = 1; else if (strcmp(argv[i], "--whitelist-home") == 0) arg_whitelisthome = 1; else if (strcmp(argv[i], "--whitelist-var") == 0) @@ -258,7 +298,7 @@ for (i = start; i < argc; i++) { cnt_profiles++; - // watch seccomp + int restrict_namespaces = cnt_restrict_namespaces; int seccomp = cnt_seccomp; int caps = cnt_caps; int apparmor = cnt_apparmor; @@ -268,6 +308,7 @@ int privatetmp = cnt_privatetmp; int privatedev = cnt_privatedev; int privateetc = cnt_privateetc; + int privatelib = cnt_privatelib; int dotlocal = cnt_dotlocal; int globalsdotlocal = cnt_globalsdotlocal; int whitelisthome = cnt_whitelisthome; @@ -300,6 +341,8 @@ cnt_whitelistrunuser = whitelistrunuser + 1; if (cnt_seccomp > (seccomp + 1)) cnt_seccomp = seccomp + 1; + if (cnt_restrict_namespaces > (restrict_namespaces + 1)) + cnt_seccomp = restrict_namespaces + 1; if (cnt_dbus_user_none > (dbususernone + 1)) cnt_dbus_user_none = dbususernone + 1; if (cnt_dbus_user_filter > (dbususerfilter + 1)) @@ -319,6 +362,8 @@ printf("No caps found in %s\n", argv[i]); if (arg_seccomp && seccomp == cnt_seccomp) printf("No seccomp found in %s\n", argv[i]); + if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces) + printf("No restrict-namespaces found in %s\n", argv[i]); if (arg_noexec && noexec == cnt_noexec) printf("No include disable-exec.inc found in %s\n", argv[i]); if (arg_noroot && noroot == cnt_noroot) @@ -331,6 +376,8 @@ printf("No private-tmp found in %s\n", argv[i]); if (arg_privateetc && privateetc == cnt_privateetc) printf("No private-etc found in %s\n", argv[i]); + if (arg_privatelib && privatelib == cnt_privatelib) + printf("No private-lib found in %s\n", argv[i]); if (arg_whitelisthome && whitelisthome == cnt_whitelisthome) printf("Home directory not whitelisted in %s\n", argv[i]); if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) @@ -347,6 +394,9 @@ assert(level == 0); } + if (arg_print_blacklist \|\| arg_print_whitelist) + return 0; + printf("\n"); printf("Stats:\n"); printf(" profiles\t\t\t%d\n", cnt_profiles); @@ -358,10 +408,12 @@ printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); printf(" noroot\t\t\t%d\n", cnt_noroot); printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); + printf(" restrict-namespaces\t\t%d\n", cnt_restrict_namespaces); printf(" apparmor\t\t\t%d\n", cnt_apparmor); printf(" private-bin\t\t\t%d\n", cnt_privatebin); printf(" private-dev\t\t\t%d\n", cnt_privatedev); printf(" private-etc\t\t\t%d\n", cnt_privateetc); + printf(" private-lib\t\t\t%d\n", cnt_privatelib); printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); printf(" whitelist home directory\t%d\n", cnt_whitelisthome); printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/prog.mk ^
@@ -0,0 +1,37 @@ +# Common definitions for building C programs and non-shared objects. +# +# Note: $(ROOT)/config.mk must be included before this file. +# +# The includer should probably define PROG and TARGET and may also want to +# define MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN. + +HDRS := $(sort $(wildcard .h)) $(MOD_HDRS) +SRCS := $(sort $(wildcard .c)) $(MOD_SRCS) +OBJS := $(SRCS:.c=.o) $(MOD_OBJS) + +PROG_CFLAGS = \ + -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \ + -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \ + -fPIE \ + -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' \ + -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \ + -DVARDIR='"/var/lib/firejail"' \ + $(HAVE_GCOV) $(MANFLAGS) \ + $(EXTRA_CFLAGS) + +PROG_LDFLAGS = -pie -fPIE -Wl,-z,relro -Wl,-z,now $(EXTRA_LDFLAGS) + +.PHONY: all +all: $(TARGET) + +%.o : %.c $(HDRS) $(ROOT)/config.mk + $(CC) $(PROG_CFLAGS) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +$(PROG): $(OBJS) $(ROOT)/config.mk + $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) + +.PHONY: clean +clean:; rm -fr .o $(PROG) .gcov .gcda .gcno *.plist $(TOCLEAN) + +.PHONY: distclean +distclean: clean; rm -fr $(TODISTCLEAN)
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/so.mk ^
@@ -0,0 +1,32 @@ +# Common definitions for making shared objects. +# +# Note: $(ROOT)/config.mk must be included before this file. +# +# The includer should probably define SO and TARGET and may also want to define +# MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN. + +HDRS := $(sort $(wildcard .h)) $(MOD_HDRS) +SRCS := $(sort $(wildcard .c)) $(MOD_SRCS) +OBJS := $(SRCS:.c=.o) $(MOD_OBJS) + +SO_CFLAGS = \ + -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \ + -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \ + -fPIC + +SO_LDFLAGS = -pie -fPIE -Wl,-z,relro -Wl,-z,now + +.PHONY: all +all: $(TARGET) + +%.o : %.c $(HDRS) $(ROOT)/config.mk + $(CC) $(SO_CFLAGS) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +$(SO): $(OBJS) $(ROOT)/config.mk + $(CC) $(SO_LDFLAGS) -shared -fPIC -z relro $(LDFLAGS) -o $@ $(OBJS) -ldl + +.PHONY: clean +clean:; rm -fr $(OBJS) $(SO) *.plist $(TOCLEAN) + +.PHONY: distclean +distclean: clean; rm -fr $(TODISTCLEAN)
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/check-caps.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 if [ $# -eq 0 ]
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/extract_caps.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/extract_errnos.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 echo -e "#include <errno.h>\n#include <attr/xattr.h>" \| \
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/extract_seccomp.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/extract_syscalls.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/mkcoverit.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # unpack firejail archive
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/testuid.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/ttytest.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/tools/unixsocket.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/zsh_completion/Makefile ^
@@ -0,0 +1,17 @@ +.PHONY: all +all: _firejail + +ROOT = ../.. +-include $(ROOT)/config.mk + +_firejail: _firejail.in $(ROOT)/config.mk + gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp + sed "s\|_SYSCONFDIR_\|$(sysconfdir)\|" < $@.tmp > $@ + rm $@.tmp + +.PHONY: clean +clean: + rm -fr _firejail + +.PHONY: distclean +distclean: clean
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/src/zsh_completion/_firejail.in ^
@@ -62,6 +62,9 @@ '--tree[print a tree of all sandboxed processes]' '--version[print program version and exit]' + '--ids-check[verify file system]' + '--ids-init[initialize IDS database]' + '--debug[print sandbox debug messages]' '--debug-blacklists[debug blacklisting]' '--debug-caps[print all recognized capabilities]' @@ -88,9 +91,9 @@ '--caps.drop=all[drop all capabilities]' '--caps.drop=-[drop capabilities: all\|cap1,cap2,...]: :_caps' '--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' - '--cgroup=-[place the sandbox in the specified control group]: :' '--cpu=-[set cpu affinity]: :->cpus' "--deterministic-exit-code[always exit with first child's status code]" + '--deterministic-shutdown[terminate orphan processes]' '--dns=-[set DNS server]: :' '--env=-[set environment variable]: :' '--hostname=-[set sandbox hostname]: :' @@ -100,8 +103,9 @@ '--join-or-start=-[join the sandbox or start a new one name\|pid]: :_all_firejails' '--keep-config-pulse[disable automatic ~/.config/pulse init]' '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' + '--keep-fd[inherit open file descriptors to sandbox]: :' '--keep-var-tmp[/var/tmp directory is untouched]' - '--machine-id[preserve /etc/machine-id]' + '--machine-id[spoof /etc/machine-id with a random id]' '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' '--mkdir=-[create a directory]:' '--mkfile=-[create a file]:' @@ -119,6 +123,7 @@ '--nogroups[disable supplementary groups]' '--noinput[disable input devices]' '--nonewprivs[sets the NO_NEW_PRIVS prctl]' + '--noprinters[disable printers]' '--nosound[disable sound system]' '--nou2f[disable U2F devices]' '--novideo[disable video devices]' @@ -136,6 +141,8 @@ "--quiet[turn off Firejail's output.]" '--read-only=-[set directory or file read-only]: :_files' '--read-write=-[set directory or file read-write]: :_files' + '--restrict-namespaces[seccomp filter that blocks attempts to create new namespaces]' + '--restrict-namespaces=-[seccomp filter that blocks attempts to create specified namespaces]: :' "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :" '--rlimit-cpu=-[set the maximum CPU time in seconds]: :' '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :' @@ -164,7 +171,8 @@ '--writable-var-log[use the real /var/log directory, not a clone]' #ifdef HAVE_APPARMOR - '--apparmor[enable AppArmor confinement]' + '--apparmor[enable AppArmor confinement with the default profile]' + '--apparmor=-[enable AppArmor confinement with a custom profile]: :' '--apparmor.print=-[print apparmor status name\|pid]:firejail:_all_firejails' #endif @@ -215,7 +223,7 @@ '--netfilter.print=-[print the firewall name\|pid]: :_all_firejails' '--netfilter6=-[enable IPv6 firewall]: :' '--netfilter6.print=-[print the IPv6 firewall name\|pid]: :_all_firejails' - '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' + '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :' '--netns=-[Run the program in a named, persistent network namespace]: :' '--netstats[monitor network statistics]' '--interface=-[move interface in sandbox]: :' @@ -251,10 +259,8 @@ '--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' #endif -#ifdef HAVE_WHITELIST '--nowhitelist=-[disable whitelist for file or directory]: :_files' '*--whitelist=-[whitelist directory or file]: :_files' -#endif #ifdef HAVE_X11 '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/Makefile ^
@@ -0,0 +1,13 @@ +TESTS=$(patsubst %/,%,$(wildcard */)) + +.PHONY: $(TESTS) +$(TESTS): + cd $@ && ./$@.sh 2>&1 \| tee $@.log + cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log + +.PHONY: clean +clean: + for test in $(TESTS); do rm -f "$$test/$$test.log"; done + +.PHONY: distclean +distclean: clean
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-args.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -23,7 +23,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -51,7 +51,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-trace.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 2\n";exit} @@ -38,7 +38,7 @@ send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 11\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 12\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-v1.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -39,7 +39,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage-v2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=appimage-test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -39,7 +39,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/appimage.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -13,7 +13,7 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" ./appimage-v2.exp -echo "TESTING: AppImage file name (test/appimage/filename.exp)"; +echo "TESTING: AppImage file name (test/appimage/filename.exp)" ./filename.exp echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/appimage/filename.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/apps-x11-xorg.sh ^
@@ -1,14 +1,13 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -which firefox 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v firefox then echo "TESTING: firefox x11 xorg" ./firefox.exp @@ -16,8 +15,7 @@ echo "TESTING SKIP: firefox not found" fi -which transmission-gtk 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v transmission-gtk then echo "TESTING: transmission-gtk x11 xorg" ./transmission-gtk.exp @@ -25,8 +23,7 @@ echo "TESTING SKIP: transmission-gtk not found" fi -which transmission-qt 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v transmission-qt then echo "TESTING: transmission-qt x11 xorg" ./transmission-qt.exp @@ -34,8 +31,7 @@ echo "TESTING SKIP: transmission-qt not found" fi -which thunderbird 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v thunderbird then echo "TESTING: thunderbird x11 xorg" ./thunderbird.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/firefox.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -36,7 +36,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/thunderbird.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/transmission-gtk.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11-xorg/transmission-qt.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/apps-x11.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -10,49 +10,42 @@ echo "TESTING: no x11 (test/apps-x11/x11-none.exp)" ./x11-none.exp - -which xterm 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v xterm then echo "TESTING: xterm x11 xorg" ./xterm-xorg.exp - which xpra 2>/dev/null - if [ "$?" -eq 0 ]; + if command -v xpra then - echo "TESTING: xterm x11 xpra" - ./xterm-xpra.exp + echo "TESTING: xterm x11 xpra" + ./xterm-xpra.exp fi - which Xephyr 2>/dev/null - if [ "$?" -eq 0 ]; + if command -v Xephyr then - echo "TESTING: xterm x11 xephyr" - ./xterm-xephyr.exp + echo "TESTING: xterm x11 xephyr" + ./xterm-xephyr.exp fi else echo "TESTING SKIP: xterm not found" fi # check xpra/xephyr -which xpra 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v xpra then - echo "xpra found" + echo "xpra found" else - echo "xpra not found" - which Xephyr 2>/dev/null - if [ "$?" -eq 0 ]; + echo "xpra not found" + if command -v Xephyr then - echo "Xephyr found" + echo "Xephyr found" else - echo "TESTING SKIP: xpra and/or Xephyr not found" + echo "TESTING SKIP: xpra and/or Xephyr not found" exit fi fi -which firefox 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v firefox then echo "TESTING: firefox x11" ./firefox.exp @@ -60,8 +53,7 @@ echo "TESTING SKIP: firefox not found" fi -which chromium 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v chromium then echo "TESTING: chromium x11" ./chromium.exp @@ -69,8 +61,7 @@ echo "TESTING SKIP: chromium not found" fi -which transmission-gtk 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v transmission-gtk then echo "TESTING: transmission-gtk x11" ./transmission-gtk.exp @@ -78,8 +69,7 @@ echo "TESTING SKIP: transmission-gtk not found" fi -which thunderbird 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v thunderbird then echo "TESTING: thunderbird x11" ./thunderbird.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/chromium.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -32,7 +32,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/firefox.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -36,7 +36,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/thunderbird.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/transmission-gtk.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/x11-none.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -17,7 +17,7 @@ send -- "firejail --name=test --net=none --x11=none\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/x11-xephyr.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test --x11=xephyr xterm\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } exit @@ -28,7 +28,7 @@ send -- "firejail --name=test --net=none --x11=none\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/xterm-xephyr.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/xterm-xorg.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps-x11/xterm-xpra.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -33,7 +33,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/apps.sh ^
@@ -1,18 +1,16 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird " -LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat" +apps=(firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat) -for app in $LIST; do - which $app 2>/dev/null - if [ "$?" -eq 0 ]; +for app in "${apps[@]}"; do + if command -v "$app" then echo "TESTING: $app" ./$app.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/chromium.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 10 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/deluge.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 10 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/fbreader.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/filezilla.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/firefox.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 10 @@ -47,7 +47,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/gnome-mplayer.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 5 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/gthumb.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/hexchat.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/kcalc.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/ktorrent.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/midori.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 5 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/opera.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 10 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/qbittorrent.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/thunderbird.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 5 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/transmission-qt.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/uget-gtk.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/vlc.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/wine.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 2\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/apps/xchat.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/chroot.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -17,6 +17,4 @@ echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)" sudo ./unchroot-as-root.exp - - rm -f unchroot
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/configure ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # build a very small chroot
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/fs_chroot.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit} - "Child process initialized" {puts "chroot available\n"}; + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"}; } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/unchroot-as-root.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit} - "Child process initialized" {puts "chroot available\n"}; + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"}; } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/chroot/unchroot.c ^
@@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2021 Firejail Authors +// Copyright (C) 2014-2022 Firejail Authors // License GPL v2 // simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/compile/compile.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # not currently covered @@ -31,6 +31,7 @@ arr[16]="TEST 16: compile disable manpages" arr[17]="TEST 17: disable tmpfs as regular user" arr[18]="TEST 18: disable private home" +arr[19]="TEST 19: enable ids" # remove previous reports and output file cleanup() { @@ -46,23 +47,23 @@ echo echo echo "************************************************" - echo $1 + echo "$1" echo "**********************************************" } DIST="$1" -while [ $# -gt 0 ]; do # Until you run out of parameters . . . - case "$1" in - --clean) - cleanup - exit - ;; - --help) - echo "./compile.sh [--clean\|--help]" - exit - ;; - esac - shift # Check next set of parameters. +while [[ $# -gt 0 ]]; do # Until you run out of parameters . . . + case "$1" in + --clean) + cleanup + exit + ;; + --help) + echo "./compile.sh [--clean\|--help]" + exit + ;; + esac + shift # Check next set of parameters. done cleanup @@ -75,8 +76,8 @@ #************************************************************* print_title "${arr[1]}" echo "$DIST" -tar -xJvf ../../$DIST.tar.xz -mv $DIST firejail +tar -xJvf ../../"$DIST.tar.xz" +mv "$DIST" firejail cd firejail ./configure --prefix=/usr --enable-fatal-warnings 2>&1 \| tee ../output-configure @@ -88,7 +89,6 @@ cp output-make om1 rm output-configure output-make - #************************************************************* # TEST 2 #************************************************************* @@ -97,7 +97,7 @@ print_title "${arr[2]}" cd firejail make distclean -./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test2 @@ -114,7 +114,7 @@ print_title "${arr[3]}" cd firejail make distclean -./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test3 @@ -131,7 +131,7 @@ print_title "${arr[4]}" cd firejail make distclean -./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test4 @@ -148,7 +148,7 @@ print_title "${arr[5]}" cd firejail make distclean -./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test5 @@ -166,7 +166,7 @@ print_title "${arr[6]}" cd firejail make distclean -./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test6 @@ -183,7 +183,7 @@ print_title "${arr[7]}" cd firejail make distclean -./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test7 @@ -217,7 +217,7 @@ print_title "${arr[9]}" cd firejail make distclean -./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test9 @@ -234,7 +234,7 @@ print_title "${arr[10]}" cd firejail make distclean -./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test10 @@ -251,7 +251,7 @@ print_title "${arr[11]}" cd firejail make distclean -./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test11 @@ -268,7 +268,7 @@ print_title "${arr[12]}" cd firejail make distclean -./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test12 @@ -353,7 +353,7 @@ print_title "${arr[17]}" cd firejail make distclean -./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 \| tee ../output-configure +./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 \| tee ../output-configure make -j4 2>&1 \| tee ../output-make cd .. grep Warning output-configure output-make > ./report-test17 @@ -380,6 +380,23 @@ rm output-configure output-make #************************************************************* +# TEST 19 +#************************************************************* +# - enable ids +#************************************************************* +print_title "${arr[19]}" +cd firejail +make distclean +./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 \| tee ../output-configure +make -j4 2>&1 \| tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test19 +grep Error output-configure output-make >> ./report-test19 +cp output-configure oc19 +cp output-make om19 +rm output-configure output-make + +#************************************************************* # PRINT REPORTS #*************************************************************** echo @@ -392,22 +409,23 @@ wc -l report-test* echo -echo "Legend:" -echo ${arr[1]} -echo ${arr[2]} -echo ${arr[3]} -echo ${arr[4]} -echo ${arr[5]} -echo ${arr[6]} -echo ${arr[7]} -echo ${arr[8]} -echo ${arr[9]} -echo ${arr[10]} -echo ${arr[11]} -echo ${arr[12]} -echo ${arr[13]} -echo ${arr[14]} -echo ${arr[15]} -echo ${arr[16]} -echo ${arr[17]} -echo ${arr[18]} +echo "Legend:" +echo "${arr[1]}" +echo "${arr[2]}" +echo "${arr[3]}" +echo "${arr[4]}" +echo "${arr[5]}" +echo "${arr[6]}" +echo "${arr[7]}" +echo "${arr[8]}" +echo "${arr[9]}" +echo "${arr[10]}" +echo "${arr[11]}" +echo "${arr[12]}" +echo "${arr[13]}" +echo "${arr[14]}" +echo "${arr[15]}" +echo "${arr[16]}" +echo "${arr[17]}" +echo "${arr[18]}" +echo "${arr[19]}"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/allow-debuggers.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --allow-debuggers\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" { puts "\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" { puts "\n"} "is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit } } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/deterministic-exit-code.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 4 @@ -10,7 +10,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -32,7 +32,7 @@ send -- "firejail --deterministic-exit-code\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/deterministic-shutdown.exp ^
@@ -0,0 +1,17 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --deterministic-shutdown bash -c \"sleep 100 & exec sleep 1\"\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Parent is shutting down, bye..." +} +after 100 + +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/dns.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -30,7 +30,7 @@ } expect { timeout {puts "TESTING ERROR 1.5\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 1.6\n";exit} @@ -47,7 +47,7 @@ "DNS server 8.8.8.8" {puts "TESTING ERROR 2.3\n";exit} "DNS server 4.2.2.1" {puts "TESTING ERROR 2.4\n";exit} "DNS server ::2" {puts "TESTING ERROR 2.5\n";exit} - "Child process initialized" {puts "TESTING ERROR 2.6\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "TESTING ERROR 2.6\n";exit} "Parent is shutting down, bye..." {puts "TESTING ERROR 2.7\n";exit} "root" } @@ -56,7 +56,7 @@ send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -85,7 +85,7 @@ send -- "firejail --profile=dns.profile\r" expect { timeout {puts "TESTING ERROR 5.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -110,23 +110,23 @@ send -- "exit\r" sleep 1 -send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "connect" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "208.67.222.222" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "53" -} -after 100 +# test disabled, as Github CI uses systemd-resolved, which does not work +# properly with --dns=, so curl does not use the specified nameserver +#send -- "firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org\r" +#expect { +# timeout {puts "TESTING ERROR 6.1\n";exit} +# "connect" +#} +#expect { +# timeout {puts "TESTING ERROR 6.2\n";exit} +# "208.67.222.222" +#} +#expect { +# timeout {puts "TESTING ERROR 6.3\n";exit} +# "53" +#} +#after 100 -send -- "rm index.html\r" -after 100 send -- "exit\r" sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/doubledash.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail -- ls -- -testdir\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 2\n";exit} @@ -26,7 +26,7 @@ send -- "firejail --name=testing -- -testdir/bash\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/env.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -37,7 +37,7 @@ send -- "firejail --profile=env.profile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "env \| grep LD_LIBRARY_PATH\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/environment.sh ^
@@ -1,13 +1,12 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C - echo "TESTING: timeout (test/environment/timeout.exp)" ./timeout.exp @@ -36,46 +35,15 @@ echo "TESTING: environment variables (test/environment/env.exp)" ./env.exp -echo "TESTING: shell none(test/environment/shell-none.exp)" -./shell-none.exp - -which dash 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: dash (test/environment/dash.exp)" - ./dash.exp -else - echo "TESTING SKIP: dash not found" -fi - -which csh 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: csh (test/environment/csh.exp)" - ./csh.exp -else - echo "TESTING SKIP: csh not found" -fi - -which zsh 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: zsh (test/environment/zsh.exp)" - ./zsh.exp -else - echo "TESTING SKIP: zsh not found" -fi - echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)" ./firejail-in-firejail.exp -which aplay 2>/dev/null -if [ "$?" -eq 0 ] && [ "$(aplay -l \| grep -c "List of PLAYBACK")" -gt 0 ]; +if command -v aplay && [[ $(aplay -l \| grep -c "List of PLAYBACK") -gt 0 ]] then - echo "TESTING: sound (test/environment/sound.exp)" - ./sound.exp + echo "TESTING: sound (test/environment/sound.exp)" + ./sound.exp else - echo "TESTING SKIP: no aplay or sound card found" + echo "TESTING SKIP: no aplay or sound card found" fi echo "TESTING: nice (test/environment/nice.exp)" @@ -84,26 +52,24 @@ echo "TESTING: quiet (test/environment/quiet.exp)" ./quiet.exp -which strace 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v strace then - echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)" - ./allow-debuggers.exp + echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)" + ./allow-debuggers.exp else - echo "TESTING SKIP: strace not found" + echo "TESTING SKIP: strace not found" fi # to install ibus: # $ sudo apt-get install ibus-table-array30 # $ ibus-setup -find ~/.config/ibus/bus \| grep unix-0 -if [ "$?" -eq 0 ]; +if find ~/.config/ibus/bus \| grep unix-0 then echo "TESTING: ibus (test/environment/ibus.exp)" ./ibus.exp else - echo "TESTING SKIP: ibus not configured" + echo "TESTING SKIP: ibus not configured" fi echo "TESTING: rlimit (test/environment/rlimit.exp)" @@ -112,14 +78,26 @@ echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" ./rlimit-profile.exp +echo "TESTING: rlimit join (test/environment/rlimit-join.exp)" +./rlimit-join.exp + echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)" ./rlimit-bad.exp echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" ./rlimit-bad-profile.exp -echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp" +echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)" ./deterministic-exit-code.exp -echo "TESTING: retain umask (test/environment/umask.exp" +echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)" +./deterministic-shutdown.exp + +echo "TESTING: keep fd (test/environment/keep-fd.exp)" +./keep-fd.exp + +echo "TESTING: keep fd errors (test/environment/keep-fd-bad.exp)" +./keep-fd-bad.exp + +echo "TESTING: retain umask (test/environment/umask.exp)" (umask 123 && ./umask.exp)
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/extract_command.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 2\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/firejail-in-firejail.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/hostfile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 @@ -15,7 +15,7 @@ } expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/ibus.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/keep-fd-bad.exp ^
@@ -0,0 +1,40 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +send -- "firejail --noprofile --keep-fd=\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Error: invalid keep-fd option" +} +after 100 + +send -- "firejail --noprofile --keep-fd=,,,\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Error: invalid keep-fd option" +} +after 100 + +send -- "firejail --noprofile --keep-fd=dall\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Error: invalid keep-fd option" +} +after 100 + +send -- "firejail --noprofile --keep-fd=6,7,8,10b,11\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Error: invalid keep-fd option" +} +after 100 + + +puts "\nall done\n"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/keep-fd.exp ^
@@ -0,0 +1,223 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +# +# obtain some open file descriptors +# +send -- "exec {WRITE_FD}> blabla\r" +after 100 + +send -- "readlink -v /proc/self/fd/\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "/blabla" +} +after 100 + +send -- "exec {READ_FD}< blabla\r" +after 100 + +send -- "readlink -v /proc/self/fd/\$READ_FD\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "/blabla" +} +after 100 + + +# +# inherit environment variables +# +send -- "export READ_FD\r" +send -- "export WRITE_FD\r" +after 100 + + +# +# close all file descriptors +# 0, 1, 2 stay open +# +send -- "firejail --noprofile\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re {Child process initialized in [0-9]+.[0-9]+ ms} +} +after 100 + +# off by one because of ls +send -- "ls /proc/self/fd \| wc -w\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "4" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$READ_FD\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "No such file or directory" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "No such file or directory" +} +after 100 + +send -- "exit\r" +after 500 + + +# +# keep one file descriptor +# +send -- "firejail --noprofile --keep-fd=\$READ_FD\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + -re {Child process initialized in [0-9]+.[0-9]+ ms} +} +after 100 + +# off by one because of ls +send -- "ls /proc/self/fd \| wc -w\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "5" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$READ_FD\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "/blabla" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "No such file or directory" +} +after 100 + +send -- "exit\r" +after 500 + + +# +# keep other file descriptor +# +send -- "firejail --noprofile --keep-fd=\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + -re {Child process initialized in [0-9]+.[0-9]+ ms} +} +after 100 + +# off by one because of ls +send -- "ls /proc/self/fd \| wc -w\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "5" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$READ_FD\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "No such file or directory" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "/blabla" +} +after 100 + +send -- "exit\r" +after 500 + + +# +# keep both file descriptors +# +send -- "firejail --noprofile --keep-fd=\$READ_FD,\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 14\n";exit} + -re {Child process initialized in [0-9]+.[0-9]+ ms} +} +after 100 + +# off by one because of ls +send -- "ls /proc/self/fd \| wc -w\r" +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "6" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$READ_FD\r" +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "/blabla" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 17\n";exit} + "/blabla" +} +after 100 + +send -- "exit\r" +after 500 + + +# +# keep all file descriptors +# +send -- "firejail --noprofile --keep-fd=all\r" +expect { + timeout {puts "TESTING ERROR 18\n";exit} + -re {Child process initialized in [0-9]+.[0-9]+ ms} +} +after 100 + +send -- "readlink -v /proc/self/fd/\$READ_FD\r" +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "/blabla" +} +after 100 + +send -- "readlink -v /proc/self/fd/\$WRITE_FD\r" +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "/blabla" +} +after 100 + +send -- "exit\r" +after 500 + + +# +# cleanup +# +send -- "rm -f blabla\r" +after 100 + + +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/machineid.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 @@ -15,7 +15,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/nice.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --nice=15\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -39,7 +39,7 @@ send -- "firejail --profile=nice.profile\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -70,7 +70,7 @@ send -- "firejail --nice=-5\r" expect { timeout {puts "TESTING ERROR 17\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/output.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/output.sh ^
@@ -1,12 +1,12 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 i="0" -while [ $i -lt 150000 ] +while [[ $i -lt 150000 ]] do - echo message number $i - i=$[$i+1] + echo "message number $i" + i=$((i+1)) done
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/quiet.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 4
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-bad-profile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-bad.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-join.exp ^
@@ -0,0 +1,40 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --name=\"rlimit testing\"\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +sleep 1 + +send -- "cat /proc/self/limits\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Max open files 1234 1234" +} +after 100 + +send -- "exit\r" +after 100 + +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit-profile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --profile=rlimit.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/rlimit.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=1234567890\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/sound.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 @@ -11,7 +11,7 @@ send -- "firejail --nosound speaker-test\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 2\n";exit} @@ -22,7 +22,7 @@ send -- "firejail --nosound aplay -l\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 4\n";exit} @@ -39,7 +39,7 @@ send -- "firejail --profile=sound.profile speaker-test\r" expect { timeout {puts "TESTING ERROR 11\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 12\n";exit} @@ -50,7 +50,7 @@ send -- "firejail --profile=sound.profile aplay -l\r" expect { timeout {puts "TESTING ERROR 13\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 14\n";exit} @@ -67,7 +67,7 @@ send -- "firejail aplay -l\r" expect { timeout {puts "TESTING ERROR 23\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 24\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/timeout.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "time firejail --timeout=00:00:05\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/environment/umask.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/cmdline.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -32,14 +32,22 @@ send -- "fcopy f%oo1 foo2\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "invalid source file name" + "Error:" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "is an invalid filename" } after 100 send -- "fcopy foo1 f,oo2\r" expect { - timeout {puts "TESTING ERROR 5\n";exit} - "invalid dest file name" + timeout {puts "TESTING ERROR 6\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "is an invalid filename" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/dircopy.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # @@ -12,9 +12,21 @@ send -- "rm -fr dest/\r" after 100 +send -- "cd src\r" +after 100 +send -- "ln -s ../dircopy.exp dircopy.exp\r" +after 100 +send -- "cd ..\r" +after 100 send -- "fcopy src dest\r" after 100 +send -- "cd src\r" +after 100 +send -- "ln -s ../dircopy.exp dircopy.exp\r" +after 100 +send -- "cd ..\r" +after 100 send -- "find dest\r" expect { @@ -135,5 +147,7 @@ send -- "rm -fr dest/\r" after 100 +send -- "rm -f src/dircopy.exp\r" +after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/fcopy.sh ^
@@ -1,13 +1,13 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -if [ -f /etc/debian_version ]; then +if [[ -f /etc/debian_version ]]; then libdir=$(dirname "$(dpkg -L firejail \| grep fcopy)") export PATH="$PATH:$libdir" fi @@ -19,13 +19,14 @@ echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)" ./cmdline.exp -echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)" -./dircopy.exp - echo "TESTING: fcopy file (test/fcopy/filecopy.exp)" ./filecopy.exp echo "TESTING: fcopy link (test/fcopy/linkcopy.exp)" ./linkcopy.exp +echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)" +./dircopy.exp + rm -fr dest/* +rm -f src/dircopy.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/filecopy.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 #
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fcopy/linkcopy.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # @@ -12,6 +12,12 @@ send -- "rm -fr dest/\r" after 100 +send -- "cd src\r" +after 100 +send -- "ln -s ../dircopy.exp dircopy.exp\r" +after 100 +send -- "cd ..\r" +after 100 send -- "fcopy src/dircopy.exp dest\r" after 100 @@ -19,7 +25,7 @@ send -- "find dest\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "dest/" + "dest" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -27,11 +33,11 @@ } after 100 - send -- "ls -al dest\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "lrwxrwxrwx" + "rwxr-xr-x" { puts "umask 0022\n" } + "rwxrwxr-x" { puts "umask 0002\n" } } after 100 send -- "stty -echo\r" @@ -52,5 +58,7 @@ send -- "rm -fr dest/\r" after 100 +send -- "rm -f src/dircopy.exp\r" +after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.1.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # disable /boot @@ -18,7 +18,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -40,7 +40,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -61,7 +61,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.10.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # disable /selinux @@ -18,7 +18,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -41,7 +41,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -63,7 +63,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # new /proc @@ -18,7 +18,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -64,7 +64,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -105,7 +105,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.4.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # mask other users @@ -18,7 +18,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -53,7 +53,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -86,7 +86,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.5.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # PID namespace @@ -18,7 +18,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -40,7 +40,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -61,7 +61,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.6.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # new /var/log @@ -18,7 +18,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -40,7 +40,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -61,7 +61,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.7.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # new /var/tmp @@ -20,7 +20,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -42,7 +42,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -63,7 +63,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/1.8.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # disable /etc/firejail and ~/.config/firejail @@ -19,7 +19,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -71,7 +71,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 send -- "ls ~/.config/firejail\r" @@ -122,7 +122,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "ls ~/.config/firejail\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.1.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # hostname @@ -18,7 +18,7 @@ send -- "firejail --noprofile --hostname=bingo\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -56,7 +56,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -93,7 +93,7 @@ send -- "firejail --noprofile --hostname=bingo --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # DNS @@ -18,7 +18,7 @@ send -- "firejail --noprofile --dns=4.2.2.1\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -48,7 +48,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -77,7 +77,7 @@ send -- "firejail --noprofile --dns=4.2.2.1 --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.3.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # mac-vlan @@ -18,7 +18,7 @@ send -- "firejail --noprofile --net=eth0 --dns=8.8.8.8 --dns=8.8.4.4\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -62,7 +62,7 @@ send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --dns=8.8.8.8 --dns=8.8.4.4\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -111,7 +111,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -155,7 +155,7 @@ send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --overlay --dns=8.8.8.8 --dns=8.8.4.4\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -205,7 +205,7 @@ send -- "firejail --noprofile --net=eth0 --chroot=/tmp/chroot --dns=8.8.8.8 --dns=8.8.4.4\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -249,7 +249,7 @@ send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --chroot=/tmp/chroot --dns=8.8.8.8 --dns=8.8.4.4\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.4.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # bridge @@ -19,7 +19,7 @@ send -- "firejail --noprofile --net=br0\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -56,7 +56,7 @@ send -- "firejail --noprofile --net=br0 --ip=10.10.20.4\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -99,7 +99,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -136,7 +136,7 @@ send -- "firejail --noprofile --net=br0 --ip=10.10.20.4 --overlay\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -179,7 +179,7 @@ send -- "firejail --noprofile --net=br0 --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -208,7 +208,7 @@ send -- "firejail --noprofile --net=br0 --ip=10.10.20.4 --chroot=/tmp/chroot\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.5.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # interface @@ -18,7 +18,7 @@ send -- "firejail --noprofile --interface=eth0.5\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -51,7 +51,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -84,7 +84,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --interface=eth0.7\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/2.6.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # default gateway @@ -18,7 +18,7 @@ send -- "firejail --noprofile --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -39,7 +39,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -60,7 +60,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.1.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # private @@ -18,7 +18,7 @@ send -- "firejail --noprofile --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -70,7 +70,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -120,7 +120,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --private\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.10.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # whitelist tmp @@ -22,7 +22,7 @@ send -- "firejail --noprofile --whitelist=/tmp/test1dir\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -78,7 +78,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -136,7 +136,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/tmp/test1dir\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.11.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # mkdir @@ -21,7 +21,7 @@ send -- "firejail --profile=3.11.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -73,7 +73,7 @@ expect { timeout {puts "TESTING ERROR 10\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -127,7 +127,7 @@ send -- "firejail --profile=3.11.profile\r" expect { timeout {puts "TESTING ERROR 20\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # read-only @@ -20,7 +20,7 @@ send -- "firejail --noprofile --read-only=/home/netblue/.config\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -41,7 +41,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -64,7 +64,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --read-only=/home/netblue/.config\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.3.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # blacklist @@ -18,7 +18,7 @@ send -- "firejail --noprofile --blacklist=/home/netblue/.config\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -40,7 +40,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -61,7 +61,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --blacklist=/home/netblue/.config\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.4.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # whitelist home @@ -18,7 +18,7 @@ send -- "firejail --noprofile --whitelist=/home/netblue/.config\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -83,7 +83,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -147,7 +147,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/home/netblue/.config\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.5.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # private-dev @@ -18,7 +18,7 @@ send -- "firejail --noprofile --private-dev\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -41,7 +41,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -64,7 +64,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --private-dev\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.6.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # private-etc @@ -18,7 +18,7 @@ send -- "firejail --noprofile --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -40,7 +40,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -68,7 +68,7 @@ expect { timeout {puts "TESTING ERROR 5\n";exit} "chroot option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.7.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # private-tmp @@ -22,7 +22,7 @@ send -- "firejail --noprofile --private-tmp\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -49,7 +49,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -76,7 +76,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --private-tmp\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.8.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # private-bin @@ -18,7 +18,7 @@ send -- "firejail --noprofile --private-bin=bash,cat,cp,ls,wc\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -41,7 +41,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -68,7 +68,7 @@ } expect { timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/3.9.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # whitelist dev @@ -18,7 +18,7 @@ send -- "firejail --noprofile --whitelist=/dev/tty --whitelist=/dev/null\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -42,7 +42,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "overlay option is not available" {puts "grsecurity\n"; exit} - "Child process initialized" {puts "normal system\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"} } sleep 1 @@ -65,7 +65,7 @@ send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/dev/tty --whitelist=/dev/null\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/features/test.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export LC_ALL=C @@ -8,28 +8,25 @@ CHROOT="chroot" NETWORK="network" -while [ $# -gt 0 ]; do # Until you run out of parameters . . . - case "$1" in - --nooverlay) - OVERLAY="none" - ;; - --nochroot) - CHROOT="none" - ;; - --nonetwork) - NETWORK="none" - ;; - --help) - echo "./test.sh [--nooverlay\|--nochroot\|--nonetwork\|--help] \| grep TESTING" - exit - ;; - esac - shift # Check next set of parameters. +while [[ $# -gt 0 ]]; do # Until you run out of parameters . . . + case "$1" in + --nooverlay) + OVERLAY="none" + ;; + --nochroot) + CHROOT="none" + ;; + --nonetwork) + NETWORK="none" + ;; + --help) + echo "./test.sh [--nooverlay\|--nochroot\|--nonetwork\|--help] \| grep TESTING" + exit + ;; + esac + shift # Check next set of parameters. done - - - # # Feature testing # @@ -38,85 +35,85 @@ # Default features #################### echo "TESTING: 1.1 disable /boot" -./1.1.exp $OVERLAY $CHROOT +./1.1.exp "$OVERLAY" "$CHROOT" echo "TESTING: 1.2 new /proc" -./1.2.exp $OVERLAY $CHROOT +./1.2.exp "$OVERLAY" "$CHROOT" echo "TESTING: 1.4 mask other users" -./1.4.exp $OVERLAY $CHROOT +./1.4.exp "$OVERLAY" "$CHROOT" echo "TESTING: 1.5 PID namespace" -./1.5.exp $OVERLAY $CHROOT +./1.5.exp "$OVERLAY" "$CHROOT" echo "TESTING: 1.6 new /var/log" -./1.6.exp $OVERLAY $CHROOT +./1.6.exp "$OVERLAY" "$CHROOT" echo "TESTING: 1.7 new /var/tmp" -./1.7.exp $OVERLAY $CHROOT +./1.7.exp "$OVERLAY" "$CHROOT" echo "TESTING: 1.8 disable firejail config and run time information" -./1.8.exp $OVERLAY $CHROOT +./1.8.exp "$OVERLAY" "$CHROOT" echo "TESTING: 1.10 disable /selinux" -./1.10.exp $OVERLAY $CHROOT +./1.10.exp "$OVERLAY" "$CHROOT" #################### # networking features #################### -if [ $NETWORK == "network" ] +if [[ $NETWORK == "network" ]] then echo "TESTING: 2.1 hostname" - ./2.1.exp $OVERLAY $CHROOT + ./2.1.exp "$OVERLAY" "$CHROOT" echo "TESTING: 2.2 DNS" - ./2.2.exp $OVERLAY $CHROOT + ./2.2.exp "$OVERLAY" "$CHROOT" echo "TESTING: 2.3 mac-vlan" - ./2.3.exp $OVERLAY $CHROOT + ./2.3.exp "$OVERLAY" "$CHROOT" echo "TESTING: 2.4 bridge" - ./2.4.exp $OVERLAY $CHROOT + ./2.4.exp "$OVERLAY" "$CHROOT" echo "TESTING: 2.5 interface" - ./2.5.exp $OVERLAY $CHROOT + ./2.5.exp "$OVERLAY" "$CHROOT" echo "TESTING: 2.6 Default gateway" - ./2.6.exp $OVERLAY $CHROOT + ./2.6.exp "$OVERLAY" "$CHROOT" fi #################### # filesystem features #################### echo "TESTING: 3.1 private (fails on OpenSUSE)" -./3.1.exp $OVERLAY $CHROOT +./3.1.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.2 read-only" -./3.2.exp $OVERLAY $CHROOT +./3.2.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.3 blacklist" -./3.3.exp $OVERLAY $CHROOT +./3.3.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.4 whitelist home (fails on OpenSUSE)" -./3.4.exp $OVERLAY $CHROOT +./3.4.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.5 private-dev" -./3.5.exp $OVERLAY $CHROOT +./3.5.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.6 private-etc" -./3.6.exp notworking $CHROOT +./3.6.exp notworking "$CHROOT" echo "TESTING: 3.7 private-tmp" -./3.7.exp $OVERLAY $CHROOT +./3.7.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.8 private-bin" ./3.8.exp notworking notworking echo "TESTING: 3.9 whitelist dev" -./3.9.exp $OVERLAY $CHROOT +./3.9.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.10 whitelist tmp" -./3.10.exp $OVERLAY $CHROOT +./3.10.exp "$OVERLAY" "$CHROOT" echo "TESTING: 3.11 mkdir" -./3.11.exp $OVERLAY $CHROOT +./3.11.exp "$OVERLAY" "$CHROOT"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/apparmor.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test1 --apparmor\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --name=test2 --apparmor\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -30,7 +30,7 @@ } expect { timeout {puts "TESTING ERROR 3\n";exit} - "AppArmor: firejail-default enforce" + "AppArmor: firejail-default//&unconfined enforce" } expect { timeout {puts "TESTING ERROR 4\n";exit} @@ -38,21 +38,21 @@ } expect { timeout {puts "TESTING ERROR 5\n";exit} - "AppArmor: firejail-default enforce" + "AppArmor: firejail-default//&unconfined enforce" } after 100 send -- "firejail --apparmor.print=test1\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - "AppArmor: firejail-default enforce" + "AppArmor: firejail-default//&unconfined enforce" } after 100 send -- "firejail --apparmor.print=test2\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "AppArmor: firejail-default enforce" + "AppArmor: firejail-default//&unconfined enforce" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/caps-join.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -20,7 +20,7 @@ send -- "firejail --name=jointesting\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -44,7 +44,7 @@ send -- "firejail --name=jointesting --noprofile\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -76,7 +76,7 @@ send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r" expect { timeout {puts "TESTING ERROR20\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/caps-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -42,7 +42,7 @@ } expect { timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/caps.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --caps.keep=chown,fowner --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -29,7 +29,7 @@ send -- "firejail --caps.drop=all --noprofile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -48,7 +48,7 @@ send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -81,7 +81,7 @@ expect { timeout {puts "TESTING ERROR 13\n";exit} "Drop CAP_" {puts "TESTING ERROR 14\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r" @@ -93,7 +93,7 @@ #send -- "firejail --profile=caps2.profile\r" #expect { # timeout {puts "TESTING ERROR 15\n";exit} -# "Child process initialized" +# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" #} #after 100 # @@ -113,7 +113,7 @@ send -- "firejail --profile=caps3.profile\r" expect { timeout {puts "TESTING ERROR 18\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/debug.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/filters.sh ^
@@ -1,40 +1,54 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -if [ -f /etc/debian_version ]; then +if [[ -f /etc/debian_version ]]; then libdir=$(dirname "$(dpkg -L firejail \| grep fseccomp)") export PATH="$PATH:$libdir" fi export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" -if [ -f /sys/kernel/security/apparmor/profiles ]; then +if [[ -f /sys/kernel/security/apparmor/profiles ]]; then echo "TESTING: apparmor (test/filters/apparmor.exp)" ./apparmor.exp else echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)" fi -if [ "$(uname -m)" = "x86_64" ]; then - echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" - ./memwrexe.exp -elif [ "$(uname -m)" = "i686" ]; then - echo "TESTING: memory-deny-write-execute (test/filters/memwrexe-32.exp)" - ./memwrexe-32.exp +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" + ./memwrexe.exp +elif [[ $(uname -m) == "i686" ]]; then + echo "TESTING: memory-deny-write-execute (test/filters/memwrexe-32.exp)" + ./memwrexe-32.exp +else + echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." +fi + +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)" + ./namespaces.exp +elif [[ $(uname -m) == "i686" ]]; then + echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)" + ./namespaces-32.exp else - echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." + echo "TESTING SKIP: namespaces binary only running on x86_64 and i686." fi echo "TESTING: debug options (test/filters/debug.exp)" ./debug.exp -echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)" -./seccomp-run-files.exp +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)" + ./seccomp-run-files.exp +else + echo "TESTING SKIP: seccomp-run-files test implemented only for x86_64." +fi echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)" ./seccomp-postexec.exp @@ -57,33 +71,33 @@ ./caps-join.exp rm -f seccomp-test-file -if [ "$(uname -m)" = "x86_64" ]; then - echo "TESTING: fseccomp (test/filters/fseccomp.exp)" - ./fseccomp.exp +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: fseccomp (test/filters/fseccomp.exp)" + ./fseccomp.exp else - echo "TESTING SKIP: fseccomp test implemented only for x86_64" + echo "TESTING SKIP: fseccomp test implemented only for x86_64" fi rm -f seccomp-test-file -if [ "$(uname -m)" = "x86_64" ]; then - echo "TESTING: protocol (test/filters/protocol.exp)" - ./protocol.exp +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: protocol (test/filters/protocol.exp)" + ./protocol.exp else - echo "TESTING SKIP: protocol, running only on x86_64" + echo "TESTING SKIP: protocol, running only on x86_64" fi echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" ./seccomp-bad-empty.exp -if [ "$(uname -m)" = "x86_64" ]; then - echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)" +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)" ./seccomp-debug.exp -elif [ "$(uname -m)" = "i686" ]; then - echo "TESTING: seccomp debug (test/filters/seccomp-debug-32.exp)" +elif [[ $(uname -m) == "i686" ]]; then + echo "TESTING: seccomp debug (test/filters/seccomp-debug-32.exp)" ./seccomp-debug-32.exp else - echo "TESTING SKIP: protocol, running only on x86_64 and i686" + echo "TESTING SKIP: protocol, running only on x86_64 and i686" fi echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" @@ -92,12 +106,11 @@ echo "TESTING: seccomp su (test/filters/seccomp-su.exp)" ./seccomp-su.exp -which strace 2>/dev/null -if [ $? -eq 0 ]; then - echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)" - ./seccomp-ptrace.exp +if command -v strace; then + echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)" + ./seccomp-ptrace.exp else - echo "TESTING SKIP: ptrace, strace not found" + echo "TESTING SKIP: ptrace, strace not found" fi echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" @@ -111,19 +124,16 @@ echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" ./seccomp-empty.exp -echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" -./seccomp-numeric.exp - -if [ "$(uname -m)" = "x86_64" ]; then - echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" - ./seccomp-dualfilter.exp +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" + ./seccomp-numeric.exp else - echo "TESTING SKIP: seccomp dual, not running on x86_64" + echo "TESTING SKIP: seccomp numeric test implemented only for x86_64" fi -if [ "$(uname -m)" = "x86_64" ]; then - echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" - ./seccomp-join.exp +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" + ./seccomp-join.exp else - echo "TESTING SKIP: seccomp join test implemented only for x86_64" + echo "TESTING SKIP: seccomp join test implemented only for x86_64" fi
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/fseccomp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -111,7 +111,7 @@ } expect { timeout {puts "TESTING ERROR 9.3\n";exit} - "ret KILL" + "ret ERRNO" }
	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe ^
	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe-32 ^
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe-32.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --memory-deny-write-execute ./memwrexe-32 mmap\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -22,7 +22,7 @@ send -- "firejail --memory-deny-write-execute ./memwrexe-32 mprotect\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 11\n";exit} @@ -34,7 +34,7 @@ send -- "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r" expect { timeout {puts "TESTING ERROR 20\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 21\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe.c ^
@@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2021 Firejail Authors +// Copyright (C) 2014-2022 Firejail Authors // License GPL v2 #include <stdio.h> @@ -42,6 +42,11 @@ } void *p = mmap (0, size, PROT_WRITE\|PROT_READ\|PROT_EXEC, MAP_SHARED, fd, 0); + if (p == MAP_FAILED) { + printf("mmap failed\n"); + return 0; + } + printf("mmap successful\n"); // wait for expect to timeout @@ -70,7 +75,12 @@ return 1; } - mprotect(p, size, PROT_READ\|PROT_WRITE\|PROT_EXEC); + int rv = mprotect(p, size, PROT_READ\|PROT_WRITE\|PROT_EXEC); + if (rv) { + printf("mprotect failed\n"); + return 1; + } + printf("mprotect successful\n"); // wait for expect to timeout @@ -82,7 +92,7 @@ else if (strcmp(argv[1], "memfd_create") == 0) { int fd = syscall(SYS_memfd_create, "memfd_create", 0); if (fd == -1) { - fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n"); + printf("memfd_create failed\n"); return 1; } printf("memfd_create successful\n");
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/memwrexe.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --memory-deny-write-execute ./memwrexe mmap\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -22,7 +22,7 @@ send -- "firejail --memory-deny-write-execute ./memwrexe mprotect\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 11\n";exit} @@ -34,7 +34,7 @@ send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r" expect { timeout {puts "TESTING ERROR 20\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 21\n";exit}
	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces ^
	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces-32 ^
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces-32.exp ^
@@ -0,0 +1,173 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# +# clone +# + +send -- "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "clone successful" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "clone successful" +} +after 100 + +# +# unshare +# + +send -- "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 14\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "unshare successful" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r" +expect { + timeout {puts "TESTING ERROR 16\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 17\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r" +expect { + timeout {puts "TESTING ERROR 18\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 20\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r" +expect { + timeout {puts "TESTING ERROR 22\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r" +expect { + timeout {puts "TESTING ERROR 24\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 25\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r" +expect { + timeout {puts "TESTING ERROR 26\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 27\n";exit} + "unshare successful" +} + + +after 100 +puts "\nall done\n"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces.c ^
@@ -0,0 +1,96 @@ +#define _GNU_SOURCE +#include <errno.h> +#include <sched.h> +#include <signal.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/mman.h> +#include <unistd.h> + +#ifndef CLONE_NEWTIME +#define CLONE_NEWTIME 0x00000080 +#endif + +#define STACK_SIZE 1024 * 1024 + +static int usage() { + fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); + exit(1); +} + +static void die(const char msg) { + fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno)); + exit(1); +} + +static int ns_flags(const char list) { + int flags = 0; + + char dup = strdup(list); + if (!dup) + die("cannot allocate memory"); + + char token = strtok(dup, ","); + while (token) { + if (strcmp(token, "cgroup") == 0) + flags \|= CLONE_NEWCGROUP; + else if (strcmp(token, "ipc") == 0) + flags \|= CLONE_NEWIPC; + else if (strcmp(token, "net") == 0) + flags \|= CLONE_NEWNET; + else if (strcmp(token, "mnt") == 0) + flags \|= CLONE_NEWNS; + else if (strcmp(token, "pid") == 0) + flags \|= CLONE_NEWPID; + else if (strcmp(token, "time") == 0) + flags \|= CLONE_NEWTIME; + else if (strcmp(token, "user") == 0) + flags \|= CLONE_NEWUSER; + else if (strcmp(token, "uts") == 0) + flags \|= CLONE_NEWUTS; + else + usage(); + + token = strtok(NULL, ","); + } + + free(dup); + return flags; +} + +static int child(void arg) { + (void) arg; + + fprintf(stderr, "clone successful\n"); + return 0; +} + +int main (int argc, char argv) { + if (argc != 3) + usage(); + + int flags = ns_flags(argv[2]); + if (getuid() != 0) + flags \|= CLONE_NEWUSER; + + if (strcmp(argv[1], "clone") == 0) { + void stack = mmap(NULL, STACK_SIZE, PROT_READ \| PROT_WRITE, + MAP_PRIVATE \| MAP_ANONYMOUS, -1, 0); + if (stack == MAP_FAILED) + die("mmap"); + + if (clone(child, stack + STACK_SIZE, flags \| SIGCHLD, NULL) < 0) + die("clone"); + } + else if (strcmp(argv[1], "unshare") == 0) { + if (unshare(flags)) + die("unshare"); + + fprintf(stderr, "unshare successful\n"); + } + else + usage(); + + return 0; +}
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/namespaces.exp ^
@@ -0,0 +1,173 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# +# clone +# + +send -- "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "clone successful" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "Error: clone: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "clone successful" +} +after 100 + +# +# unshare +# + +send -- "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 14\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "unshare successful" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" +expect { + timeout {puts "TESTING ERROR 16\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 17\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" +expect { + timeout {puts "TESTING ERROR 18\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 20\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r" +expect { + timeout {puts "TESTING ERROR 22\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r" +expect { + timeout {puts "TESTING ERROR 24\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 25\n";exit} + "Error: unshare: Operation not permitted" +} +after 100 + +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r" +expect { + timeout {puts "TESTING ERROR 26\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 27\n";exit} + "unshare successful" +} + + +after 100 +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/noroot.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test --noroot --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -72,7 +72,7 @@ send -- "cat /proc/self/gid_map \| wc -l\r" expect { timeout {puts "TESTING ERROR 12\n";exit} - "5" + "9" } @@ -81,11 +81,11 @@ send -- "firejail --debug --join=test\r" expect { timeout {puts "TESTING ERROR 13\n";exit} - "User namespace detected" + "Joining user namespace" } expect { timeout {puts "TESTING ERROR 14\n";exit} - "Joining user namespace" + "Child process initialized" } sleep 1 @@ -104,7 +104,7 @@ send -- "cat /proc/self/gid_map \| wc -l\r" expect { timeout {puts "TESTING ERROR 17\n";exit} - "5" + "9" } # check seccomp disabled and all caps enabled
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/protocol.exp ^
@@ -1,185 +1,97 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" +send -- "firejail --noprofile --protocol=unix --debug\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} - "Child process initialized" + "0009: 20 00 00 00000000" } expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 1.6\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.7\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 1.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 1.9\n";exit} - "Operation not supported" -} -sleep 1 - -send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r" -expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 2.4\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 2.5\n";exit} - "Operation not supported" + "000f: 20 00 00 00000010" } expect { - timeout {puts "TESTING ERROR 2.6\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 2.7\n";exit} - "Operation not supported" + timeout {puts "TESTING ERROR 3\n";exit} + "0010: 15 00 01 00000001" } expect { - timeout {puts "TESTING ERROR 2.8\n";exit} - "socket AF_PACKETX" + timeout {puts "TESTING ERROR 4\n";exit} + "0011: 06 00 00 7fff0000" } expect { - timeout {puts "TESTING ERROR 2.9\n";exit} - "after socket" + timeout {puts "TESTING ERROR 5\n";exit} + "0012: 06 00 00 0005005f" } + +after 100 +send -- "exit\r" sleep 1 -# profile testing -send -- "firejail --profile=protocol1.profile ./syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 3.3\n";exit} - "socket AF_INET6" -} +send -- "firejail --noprofile --protocol=bluetooth --debug\r" expect { - timeout {puts "TESTING ERROR 3.4\n";exit} - "Operation not supported" + timeout {puts "TESTING ERROR 11\n";exit} + "0009: 20 00 00 00000000" } expect { - timeout {puts "TESTING ERROR 3.5\n";exit} - "socket AF_NETLINK" + timeout {puts "TESTING ERROR 12\n";exit} + "000f: 20 00 00 00000010" } expect { - timeout {puts "TESTING ERROR 3.6\n";exit} - "Operation not supported" + timeout {puts "TESTING ERROR 13\n";exit} + "0010: 15 00 01 0000001f" } expect { - timeout {puts "TESTING ERROR 3.7\n";exit} - "socket AF_UNIX" + timeout {puts "TESTING ERROR 14\n";exit} + "0011: 06 00 00 7fff0000" } expect { - timeout {puts "TESTING ERROR 3.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 3.9\n";exit} - "Operation not supported" + timeout {puts "TESTING ERROR1 5\n";exit} + "0012: 06 00 00 0005005f" } + +after 100 +send -- "exit\r" sleep 1 -send -- "firejail --profile=protocol2.profile ./syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} +send -- "firejail --noprofile --protocol=inet,inet6 --debug\r" expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "socket AF_INET" + timeout {puts "TESTING ERROR 31\n";exit} + "0009: 20 00 00 00000000" } expect { - timeout {puts "TESTING ERROR 4.2\n";exit} - "Operation not supported" + timeout {puts "TESTING ERROR 32\n";exit} + "000f: 20 00 00 00000010" } expect { - timeout {puts "TESTING ERROR 4.3\n";exit} - "socket AF_INET6" + timeout {puts "TESTING ERROR 33\n";exit} + "0010: 15 00 01 00000002" } expect { - timeout {puts "TESTING ERROR 4.4\n";exit} - "socket AF_NETLINK" + timeout {puts "TESTING ERROR 34\n";exit} + "0011: 06 00 00 7fff0000" } expect { - timeout {puts "TESTING ERROR 4.5\n";exit} - "Operation not supported" + timeout {puts "TESTING ERROR1 35\n";exit} + "0012: 15 00 01 0000000a" } expect { - timeout {puts "TESTING ERROR 4.6\n";exit} - "socket AF_UNIX" + timeout {puts "TESTING ERROR 36\n";exit} + "0013: 06 00 00 7fff0000" } expect { - timeout {puts "TESTING ERROR 4.7\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 4.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 4.9\n";exit} - "after socket" + timeout {puts "TESTING ERROR 37\n";exit} + "0014: 06 00 00 0005005f" } + after 100 +send -- "exit\r" + +after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-bad-empty.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-chmod-profile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --profile=seccomp.profile --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-chmod.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-chown.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-debug-32.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -13,19 +13,15 @@ send -- "firejail --debug sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "SECCOMP Filter" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "BLACKLIST" + "seccomp entries in /run/firejail/mnt/seccomp/seccomp" } expect { timeout {puts "TESTING ERROR 2\n";exit} - "open_by_handle_at" + "jeq open_by_handle_at" } expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 4\n";exit} @@ -34,58 +30,30 @@ after 100 -# i686 architecture -send -- "firejail --debug sleep 1; echo done\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Installing /run/firejail/mnt/seccomp seccomp filter" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "done" -} -after 100 - -# i686 architecture - ignore seccomp +# 64 bit architecture - ignore seccomp send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit} - "Child process initialized" + "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} + "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { - timeout {puts "TESTING ERROR 13\n";exit} - "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit} + timeout {puts "TESTING ERROR 16\n";exit} "done" } after 100 -# i686 architecture - ignore protocol +# 64 bit architecture - ignore protocol send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 17\n";exit} - "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 19\n";exit} - "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit} - "Installing /run/firejail/mnt/seccomp seccomp filter" -} -expect { - timeout {puts "TESTING ERROR 21\n";exit} - "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" + "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit} + "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" } expect { timeout {puts "TESTING ERROR 23\n";exit} @@ -97,11 +65,11 @@ send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 24\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 25\n";exit} - "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" + "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter" } expect { timeout {puts "TESTING ERROR 26\n";exit} @@ -109,17 +77,22 @@ } -# i686 architecture - seccomp.block-secondary +# 64 bit architecture - seccomp.block-secondary send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 27\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit} - "Child process initialized" + "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 29\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit} - "Installing /run/firejail/mnt/seccomp seccomp filter" + "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} + "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" +} +expect { + timeout {puts "TESTING ERROR 31\n";exit} + "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} + "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" } expect { timeout {puts "TESTING ERROR 33\n";exit} @@ -127,17 +100,17 @@ } after 100 -# i686 architecture - seccomp.block-secondary, profile +# 64 bit architecture - seccomp.block-secondary, profile send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 33\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit} - "Child process initialized" + "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 35\n";exit} - "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit} - "Installing /run/firejail/mnt/seccomp seccomp filter" + "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} + "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" } expect { timeout {puts "TESTING ERROR 37\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-debug.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -21,7 +21,7 @@ } expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 4\n";exit} @@ -34,7 +34,7 @@ send -- "firejail --debug sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -60,7 +60,7 @@ timeout {puts "TESTING ERROR 10\n";exit} "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 13\n";exit} @@ -79,7 +79,7 @@ expect { timeout {puts "TESTING ERROR 17\n";exit} "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 19\n";exit} @@ -101,7 +101,7 @@ send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r" expect { timeout {puts "TESTING ERROR 24\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 25\n";exit} @@ -118,7 +118,7 @@ expect { timeout {puts "TESTING ERROR 27\n";exit} "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 29\n";exit} @@ -141,7 +141,7 @@ expect { timeout {puts "TESTING ERROR 33\n";exit} "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 35\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-empty.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -42,7 +42,7 @@ } expect { timeout {puts "TESTING ERROR 0.7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 send -- "exit\r" @@ -78,7 +78,7 @@ } expect { timeout {puts "TESTING ERROR 1.7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 send -- "exit\r" @@ -120,7 +120,7 @@ } expect { timeout {puts "TESTING ERROR 2.7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 send -- "exit\r" @@ -156,7 +156,7 @@ } expect { timeout {puts "TESTING ERROR 3.7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-errno.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -31,7 +31,7 @@ send -- "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "rm seccomp-test-file\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-join.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-numeric.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-postexec.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,20 +14,17 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "data.architecture" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} "monitoring pid" } +sleep 1 + +send -- "ls\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Sandbox monitor: waitpid" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Parent is shutting down" + timeout {puts "TESTING ERROR 2\n";exit} + "not permitted" } -sleep 1 + +send -- "exit\r" +after 100 puts "all done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-ptrace.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,15 +10,14 @@ send -- "firejail --noprofile --seccomp\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 send -- "strace ls\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Bad system call" {puts "version 1\n";} - " unexpected signal 31" {puts "version 2\n"} + "not permitted" } send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-run-files.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -24,7 +24,7 @@ send -- "ls -l /run/firejail/mnt/seccomp \| grep -c seccomp\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "6" + "8" } send -- "exit\r" sleep 1 @@ -90,7 +90,7 @@ send -- "ls -l /run/firejail/mnt/seccomp \| grep -c seccomp\r" expect { timeout {puts "TESTING ERROR 18\n";exit} - "8" + "10" } send -- "exit\r" sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/filters/seccomp-su.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --noprofile --seccomp\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/cmdline.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/copy.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/default.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -31,9 +31,14 @@ send -- "fnetfilter test1.net,33\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "cannot open test1.net,33" + "Error:" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "is an invalid filename" } after 100 + send -- "rm outfile\r" after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/fnetfilter.sh ^
@@ -1,13 +1,13 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -if [ -f /etc/debian_version ]; then +if [[ -f /etc/debian_version ]]; then libdir=$(dirname "$(dpkg -L firejail \| grep fcopy)") export PATH="$PATH:$libdir" fi
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fnetfilter/template.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -66,13 +66,17 @@ send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r" expect { timeout {puts "TESTING ERROR 12\n";exit} - "cannot open test2.net," + "Error:" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "is an invalid filename" } after 100 send -- "fnetfilter test3.net,44 outfile\r" expect { - timeout {puts "TESTING ERROR 13\n";exit} + timeout {puts "TESTING ERROR 14\n";exit} "invalid template argument on line 1" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -10,25 +10,31 @@ # These directories are required by some tests: mkdir -p ~/Desktop ~/Documents ~/Downloads ~/Music ~/Pictures ~/Videos +echo "TESTING: tab completion (test/fs/tab.exp)" +./tab.exp + rm -fr ~/_firejail_test_* echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)" ./mkdir_mkfile.exp rm -fr ~/_firejail_test_* -mkdir ~/_firejail_test_dir -touch ~/_firejail_test_dir/a -mkdir ~/_firejail_test_dir/test1 -touch ~/_firejail_test_dir/test1/b +echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" +./mkdir.exp +rm -fr ~/_firejail_test_* +rm -fr /tmp/_firejail_test_* + echo "TESTING: read/write (test/fs/read-write.exp)" ./read-write.exp +rm -fr ~/_firejail_test_dir + echo "TESTING: whitelist readonly (test/fs/whitelist-readonly.exp)" ./whitelist-readonly.exp -rm -fr ~/_firejail_test_* +rm -f ~/_firejail_test_dir echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" ./sys_fs.exp -if [ -c /dev/kmsg ]; then +if [[ -c /dev/kmsg ]]; then echo "TESTING: kmsg access (test/fs/kmsg.exp)" ./kmsg.exp else @@ -37,18 +43,18 @@ echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)" ./fs_var_tmp.exp - -echo "TESTING: private-lib (test/fs/private-lib.exp)" -./private-lib.exp +rm -f /var/tmp/_firejail_test_file echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)" ./fs_var_lock.exp +rm -f /var/lock/_firejail_test_file -if [ -w /dev/shm ]; then - echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)" - ./fs_dev_shm.exp +if [[ -w /dev/shm ]]; then + echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)" + ./fs_dev_shm.exp + rm -f /dev/shm/_firejail_test_file else - echo "TESTING SKIP: /dev/shm not writable" + echo "TESTING SKIP: /dev/shm not writable" fi echo "TESTING: private (test/fs/private.exp)" @@ -56,12 +62,23 @@ echo "TESTING: private home (test/fs/private-home.exp)" ./private-home.exp +rm -f ~/_firejail_test_file1 +rm -f ~/_firejail_test_file2 +rm -fr ~/_firejail_test_dir1 +rm -f ~/_firejail_test_link1 +rm -f ~/_firejail_test_link2 echo "TESTING: private home dir (test/fs/private-home-dir.exp)" ./private-home-dir.exp +rm -fr ~/_firejail_test_dir1 echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)" ./private-homedir.exp +rm -f ~/_firejail_test_file1 +rm -f ~/_firejail_test_file2 +rm -fr ~/_firejail_test_dir1 +rm -f ~/_firejail_test_link1 +rm -f ~/_firejail_test_link2 echo "TESTING: private-etc (test/fs/private-etc.exp)" ./private-etc.exp @@ -74,6 +91,7 @@ echo "TESTING: private-cache (test/fs/private-cache.exp)" ./private-cache.exp +rm -f ~/.cache/abcdefg echo "TESTING: private-cwd (test/fs/private-cwd.exp)" ./private-cwd.exp @@ -83,6 +101,12 @@ echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)" ./whitelist-empty.exp +rm -f ~/Videos/_firejail_test_fil +rm -f ~/Pictures/_firejail_test_file +rm -f ~/Music/_firejail_test_file +rm -f ~/Downloads/_firejail_test_file +rm -f ~/Documents/_firejail_test_file +rm -f ~/Desktop/_firejail_test_file echo "TESTING: private whitelist (test/fs/private-whitelist.exp)" ./private-whitelist.exp @@ -95,9 +119,11 @@ echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)" ./option_blacklist_file.exp +rm -fr ~/_firejail_test_dir echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" ./option_blacklist_glob.exp +rm -fr ~/_firejail_test_dir echo "TESTING: noblacklist blacklist noexec (test/fs/noblacklist-blacklist-noexec.exp)" ./noblacklist-blacklist-noexec.exp @@ -108,17 +134,17 @@ echo "TESTING: bind as user (test/fs/option_bind_user.exp)" ./option_bind_user.exp -echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" -./mkdir.exp - echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" ./whitelist-double.exp +rm -f /tmp/_firejail_test_file echo "TESTING: whitelist (test/fs/whitelist.exp)" ./whitelist.exp +rm -fr ~/_firejail_test_* -echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" -./whitelist-dev.exp +# TODO: whitelist /dev broken in 0.9.72 +#echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" +#./whitelist-dev.exp echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)" ./whitelist-noexec.exp @@ -131,6 +157,8 @@ echo "TESTING: fscheck --tmpfs non root (test/fs/fscheck-tmpfs.exp)" ./fscheck-tmpfs.exp +rm -fr ~/_firejail_test_dir +rm -fr /tmp/_firejail_test_dir echo "TESTING: fscheck --private= (test/fs/fscheck-private.exp)" ./fscheck-private.exp @@ -139,10 +167,4 @@ ./fscheck-readonly.exp #cleanup -rm -fr ~/fjtest-dir -rm -fr ~/fjtest-dir-lnk -rm -f ~/fjtest-file -rm -f ~/fjtest-file-lnk -rm -f /tmp/fjtest-file -rm -fr /tmp/fjtest-dir -rm -fr ~/_firejail_test_* +rm -fr ~/_firejail_test*
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs_dev_shm.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,18 +11,18 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "stty -echo\r" -send -- "echo mytest > /dev/shm/ttt;echo done\r" +send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "mytest" @@ -32,13 +32,13 @@ "done" } -send -- "rm /dev/shm/ttt;echo done\r" +send -- "rm /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "mytest" {puts "TESTING ERROR 6\n";exit} @@ -52,18 +52,18 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "stty -echo\r" -send -- "echo mytest > /dev/shm/ttt;echo done\r" +send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 8\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 9\n";exit} "mytest" @@ -73,13 +73,13 @@ "done" } -send -- "rm /dev/shm/ttt;echo done\r" +send -- "rm /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 11\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "mytest" {puts "TESTING ERROR 13\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs_var_lock.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "stty -echo\r" @@ -53,7 +53,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "stty -echo\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fs_var_tmp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,18 +11,18 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "stty -echo\r" -send -- "echo mytest > /var/tmp/ttt;echo done\r" +send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "mytest" @@ -32,13 +32,13 @@ "done" } -send -- "rm /var/tmp/ttt;echo done\r" +send -- "rm /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "mytest" {puts "TESTING ERROR 6\n";exit} @@ -53,18 +53,18 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "stty -echo\r" -send -- "echo mytest > /var/tmp/ttt;echo done\r" +send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 8\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 9\n";exit} "mytest" @@ -74,13 +74,13 @@ "done" } -send -- "rm /var/tmp/ttt;echo done\r" +send -- "rm /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 11\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "mytest" {puts "TESTING ERROR 13\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-bindnoroot.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-private.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-readonly.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/fscheck-tmpfs.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -24,7 +24,7 @@ send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 500
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/invalid_filename.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -18,28 +18,6 @@ } after 100 -send -- "firejail --noprofile --cgroup=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --noprofile --chroot=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 3.3\n";exit} - "is an invalid filename" -} -after 100 - send -- "firejail --noprofile --netfilter=\"bla&&bla\"\r" expect { timeout {puts "TESTING ERROR 4.2\n";exit} @@ -124,18 +102,6 @@ } after 100 -send -- "firejail --shell=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 12.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 12.3\n";exit} - "is an invalid filename" -} -after 100 - - send -- "firejail --whitelist=\"bla&&bla\"\r" expect { timeout {puts "TESTING ERROR 14.2\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/kmsg.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/macro.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --profile=macro-whitelist.profile ls ~\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -42,7 +42,7 @@ send -- "firejail --profile=macro-blacklist.profile ls ~/Desktop\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 8\n";exit} @@ -53,7 +53,7 @@ send -- "firejail --profile=macro-blacklist.profile ls ~/Documents\r" expect { timeout {puts "TESTING ERROR 9n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 10\n";exit} @@ -64,7 +64,7 @@ send -- "firejail --profile=macro-blacklist.profile ls ~/Downloads\r" expect { timeout {puts "TESTING ERROR 11n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 12n";exit} @@ -75,7 +75,7 @@ send -- "firejail --profile=macro-blacklist.profile ls ~/Music\r" expect { timeout {puts "TESTING ERROR 13\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 14\n";exit} @@ -86,7 +86,7 @@ send -- "firejail --profile=macro-blacklist.profile ls ~/Pictures\r" expect { timeout {puts "TESTING ERROR 15\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 16\n";exit} @@ -97,7 +97,7 @@ send -- "firejail --profile=macro-blacklist.profile ls ~/Videos\r" expect { timeout {puts "TESTING ERROR 17\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 18\n";exit} @@ -108,7 +108,7 @@ send -- "firejail --profile=macro-readonly.profile touch ~/Desktop/blablabla\r" expect { timeout {puts "TESTING ERROR 19\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 20\n";exit} @@ -119,7 +119,7 @@ send -- "firejail --profile=macro-readonly.profile touch ~/Documents/blablabla\r" expect { timeout {puts "TESTING ERROR 21\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 22\n";exit} @@ -130,7 +130,7 @@ send -- "firejail --profile=macro-readonly.profile touch ~/Downloads/blablabla\r" expect { timeout {puts "TESTING ERROR 23\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 24\n";exit} @@ -141,7 +141,7 @@ send -- "firejail --profile=macro-readonly.profile touch ~/Music/blablabla\r" expect { timeout {puts "TESTING ERROR 25\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 26\n";exit} @@ -152,7 +152,7 @@ send -- "firejail --profile=macro-readonly.profile touch ~/Pictures/blablabla\r" expect { timeout {puts "TESTING ERROR 27\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 28\n";exit} @@ -163,7 +163,7 @@ send -- "firejail --profile=macro-readonly.profile touch ~/Videos/blablabla\r" expect { timeout {puts "TESTING ERROR 29\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 30\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/mkdir.exp ^
@@ -1,40 +1,40 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 3 spawn $env(SHELL) match_max 100000 -send -- "rm -fr ~/.firejail_test\r" +send -- "rm -fr ~/_firejail_test_dir\r" after 100 -send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r" +send -- "firejail --profile=mkdir.profile find ~/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} - ".firejail_test/a/b/c/d.txt" + "_firejail_test_dir/_firejail_test_file" } -send -- "rm -rf ~/.firejail_test\r" +send -- "rm -rf ~/_firejail_test_dir\r" after 100 -send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r" +send -- "firejail --profile=mkdir.profile find /tmp/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 2.1\n";exit} - "/tmp/.firejail_test/a/b/c/d.txt" + "_firejail_test_dir/_firejail_test_file" } -send -- "rm -rf /tmp/.firejail_test\r" +send -- "rm -rf /tmp/_firejail_test_dir\r" after 100 set UID [exec id -u] set fexist [file exist /run/user/$UID] if { $fexist } { - send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r" + send -- "firejail --profile=mkdir.profile find /run/user/$UID/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 3.1\n";exit} - "/run/user/$UID/.firejail_test/a/b/c/d.txt" + "_firejail_test_dir/_firejail_test_file" } - send -- "rm -rf /run/user/$UID/.firejail_test\r" + send -- "rm -rf /run/user/$UID/_firejail_test_dir\r" after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/mkdir.profile ^
@@ -1,6 +1,6 @@ -mkdir ~/.firejail_test/a/b/c -mkfile ~/.firejail_test/a/b/c/d.txt -mkdir /tmp/.firejail_test/a/b/c -mkfile /tmp/.firejail_test/a/b/c/d.txt -mkdir ${RUNUSER}/.firejail_test/a/b/c -mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt +mkdir ~/_firejail_test_dir +mkfile ~/_firejail_test_dir/_firejail_test_file +mkdir /tmp/_firejail_test_dir +mkfile /tmp/_firejail_test_dir/_firejail_test_file +mkdir ${RUNUSER}/_firejail_test_dir +mkfile ${RUNUSER}/_firejail_test_dir/_firejail_test_file
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/mkdir_mkfile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ send -- "firejail --private --profile=mkdir_mkfile.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/noblacklist-blacklist-noexec.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ send -- "firejail --noprofile --noblacklist=$PWD --blacklist=$PWD --noexec=$PWD\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/noblacklist-blacklist-readonly.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --noprofile --noblacklist=~ --blacklist=~ --read-only=~\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_bind_user.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_blacklist.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --blacklist=/var\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "stty -echo\r" @@ -35,4 +35,4 @@ } after 100 -puts "\n" +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_blacklist_file.exp ^
@@ -1,16 +1,21 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --blacklist=/etc/passwd\r" +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 + +send -- "firejail --blacklist=/etc/passwd --blacklist=~/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -24,5 +29,21 @@ "done" } after 100 +send -- "cat ~/_firejail_test_dir/a;echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Permission denied" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "done" +} +after 100 + +send -- "exit\r" +sleep 1 + +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 -puts "\n" +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/option_blacklist_glob.exp ^
@@ -1,32 +1,47 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --blacklist=testdir1/\r" +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 +send -- "mkdir ~/_firejail_test_dir/test1\r" +after 100 +send -- "touch ~/_firejail_test_dir/test1/b\r" +after 100 + +send -- "firejail --blacklist=~/_firejail_test_dir/\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 -send -- "cd testdir1\r" +send -- "cd ~/_firejail_test_dir\r" sleep 1 -send -- "cat .file\r" +send -- "cat a\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Permission denied" } -send -- "ls .directory\r" +send -- "ls test1\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "Permission denied" } after 100 -puts "\n" +send -- "exit\r" +sleep 1 + +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 + +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-bin.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --private-bin=bash,ls,sh\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -40,7 +40,7 @@ send -- "firejail --profile=private-bin.profile\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-cache.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -21,7 +21,7 @@ send -- "firejail --noprofile --private-cache\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-cwd.exp ^
@@ -1,52 +1,54 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "cd /tmp\r" -after 100 - -# testing profile and private -send -- "firejail --private-cwd\r" +send -- "firejail --private-cwd pwd\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + timeout {puts "TESTING ERROR 1\n";exit} + "$env(HOME)" } sleep 1 -send -- "pwd\r" +send -- "firejail --private-cwd=/etc pwd\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} - "$env(HOME)" + timeout {puts "TESTING ERROR 2\n";exit} + "/etc" } -after 100 - -send -- "exit\r" sleep 1 -send -- "cd /\r" -after 100 - -# testing profile and private -send -- "firejail --private-cwd=/tmp\r" +send -- "firejail --private --private-cwd=. pwd\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + "invalid private working directory" } sleep 1 -send -- "pwd\r" +after 100 +send -- "firejail --private-cwd='\${HOME}' pwd\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "/tmp" + "$env(HOME)" } -after 100 +sleep 1 -send -- "exit\r" +after 100 +send -- "firejail --private-cwd=\"\${HOME}\" pwd\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "$env(HOME)" +} sleep 1 +send -- "firejail --profile=private-cwd.profile pwd\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "$env(HOME)" +} +after 100 + puts "all done\n"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-cwd.profile ^
@@ -0,0 +1 @@ +private-cwd ${HOME}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-etc-empty.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --private-etc=blablabla\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -26,7 +26,7 @@ send -- "firejail --profile=private-etc-empty.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-etc.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -64,9 +64,6 @@ } after 100 - - - - +send -- "exit\r" after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-home-dir.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -21,16 +21,16 @@ send -- "touch ~/.Xauthority\r" } after 100 -send -- "rm -fr ~/_firejail_test_dir_\r" +send -- "rm -fr ~/_firejail_test_dir1_\r" after 100 -send -- "mkdir ~/_firejail_test_dir_\r" +send -- "mkdir ~/_firejail_test_dir1_\r" sleep 1 # testing profile and private -send -- "firejail --private=~/_firejail_test_dir_\r" +send -- "firejail --private=~/_firejail_test_dir1_\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -67,12 +67,12 @@ "private directory is not owned by the current user" } sleep 1 -send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r" +send -- "mkdir ~/_firejail_test_dir1_/test_dir_2\r" after 100 -send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r" +send -- "touch ~/_firejail_test_dir1_/test_dir_2/testfile\r" sleep 1 -send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" +send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir1_\r" expect { timeout {puts "TESTING ERROR 10\n";exit} "Disable" @@ -83,7 +83,7 @@ } expect { timeout {puts "TESTING ERROR 12\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -98,7 +98,8 @@ send "exit\r" sleep 1 -send -- "rm -fr ~/_firejail_test_dir_\r" +send -- "rm -fr ~/_firejail_test_dir1\r" after 100 + puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-home.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -26,7 +26,7 @@ send -- "firejail --private-home=_firejail_test_file1,_firejail_test_file2,_firejail_test_dir1\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -86,7 +86,7 @@ send -- "firejail --private-home=_firejail_test_link2\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "file ~/_firejail_test_link2\r" @@ -95,8 +95,19 @@ "broken symbolic link" } send -- "exit\r" +sleep 1 -send -- "rm -f ~/_firejail_test*\r" +send -- "echo cleanup\r" +after 100 +send -- "rm -f ~/_firejail_test_file1\r" +after 100 +send -- "rm -f ~/_firejail_test_file2\r" +after 100 +send -- "rm -fr ~/_firejail_test_dir1\r" +after 100 +send -- "rm -f ~/_firejail_test_link1\r" +after 100 +send -- "rm -f ~/_firejail_test_link2\r" after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-homedir.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --private=~\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private-whitelist.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --private --whitelist=/tmp/.X11-unix\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/private.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -26,7 +26,7 @@ send -- "firejail --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/read-write.exp ^
@@ -1,17 +1,25 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 +send -- "mkdir ~/_firejail_test_dir/test1\r" +after 100 +send -- "touch ~/_firejail_test_dir/test1/b\r" +after 100 send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -32,4 +40,9 @@ } after 100 +send -- "exit\r" +sleep 1 + +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/sys_fs.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -27,7 +27,7 @@ send -- "firejail --noblacklist=/sys/fs\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/tab.exp ^
@@ -0,0 +1,46 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +send -- "firejail --private ls -al\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + ".inputrc" +} +sleep 1 + +send -- "firejail --private --tab ls -al\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ".inputrc" {puts "TESTING ERROR 4\n";exit} + "Parent is shutting down" +} +sleep 1 + +send -- "firejail --private --profile=tab.profile ls -al\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ".inputrc" {puts "TESTING ERROR 7\n";exit} + "Parent is shutting down" +} +sleep 1 + +puts "\nall done\n"
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/tab.profile ^
@@ -0,0 +1 @@ +tab
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-dev.exp ^
@@ -1,16 +1,16 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --whitelist=/dev/null --debug\r" +send -- "firejail --whitelist=/dev/null\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -26,7 +26,7 @@ send -- "firejail --whitelist=/dev/null --whitelist=/dev/random\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -42,7 +42,7 @@ send -- "firejail --private-dev --debug\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -61,6 +61,9 @@ "19" {puts "OK\n"} "20" {puts "OK\n"} "21" {puts "OK\n"} + "22" {puts "OK\n"} + "23" {puts "OK\n"} + "24" {puts "OK\n"} } after 100 @@ -94,7 +97,7 @@ send -- "firejail --private-dev --nosound ls /dev\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 8\n";exit} @@ -111,7 +114,7 @@ send -- "firejail --private-dev --nodvd ls /dev\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 11\n";exit} @@ -132,7 +135,7 @@ send -- "firejail --private-dev --no3d ls /dev\r" expect { timeout {puts "TESTING ERROR 17\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 18\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-double.exp ^
@@ -1,23 +1,23 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "echo 123 > /tmp/firejal-deleteme\r" +send -- "echo 123 > /tmp/_firejail_test_file\r" sleep 1 -send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r" +send -- "firejail --whitelist=/tmp/_firejail_test_file --whitelist=/tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 -send -- "cat /tmp/firejal-deleteme\r" +send -- "cat /tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "123" @@ -26,13 +26,13 @@ send -- "exit\r" sleep 1 -send -- "cat /tmp/firejal-deleteme\r" +send -- "cat /tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "123" } -send -- "rm -v /tmp/firejal-deleteme\r" +send -- "rm -v /tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "removed"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-empty.exp ^
@@ -1,16 +1,16 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 30 spawn $env(SHELL) match_max 100000 -send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r" +send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/opt/blablabla\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-noexec.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ send -- "firejail --noprofile --whitelist=$PWD --noexec=$PWD\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-readonly.exp ^
@@ -1,17 +1,25 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 +send -- "mkdir ~/_firejail_test_dir/test1\r" +after 100 +send -- "touch ~/_firejail_test_dir/test1/b\r" +after 100 send -- "firejail --noprofile --whitelist=~/_firejail_test_dir --read-only=~\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -25,4 +33,6 @@ send -- "exit\r" sleep 1 +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist-whitespace.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -13,7 +13,7 @@ send -- "firejail --noprofile --whitelist=~/filewith\\\ \\\ many\\\ whitespaces\\\ \r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/fs/whitelist.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -36,7 +36,7 @@ send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -73,7 +73,7 @@ send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -98,7 +98,7 @@ send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" expect { timeout {puts "TESTING ERROR 20\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/4bridges_arp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -27,7 +27,7 @@ } expect { timeout {puts "TESTING ERROR 0.4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -53,7 +53,7 @@ } expect { timeout {puts "TESTING ERROR 1.4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -80,7 +80,7 @@ } expect { timeout {puts "TESTING ERROR 2.4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -108,7 +108,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -137,7 +137,7 @@ } expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/4bridges_ip.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -27,7 +27,7 @@ } expect { timeout {puts "TESTING ERROR 0.4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -53,7 +53,7 @@ } expect { timeout {puts "TESTING ERROR 1.4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -80,7 +80,7 @@ } expect { timeout {puts "TESTING ERROR 2.4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -108,7 +108,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -137,7 +137,7 @@ } expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } # check default gateway
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/bandwidth.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test --net=br0\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/configure ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 brctl addbr br0
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/dns-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/firemon-arp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -17,7 +17,7 @@ send -- "firejail --name=test1\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -25,7 +25,7 @@ send -- "firejail --name=test2\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/firemon-interfaces.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --net=eth0 --name=test1\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --net=eth0 --name=test2\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/firemon-route.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test1\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --name=test2\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/hostname.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --hostname=bingo --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "stty -echo\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/interface.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # # interface @@ -20,7 +20,7 @@ send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/ip6.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -23,7 +23,7 @@ } expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -64,7 +64,7 @@ } expect { timeout {puts "TESTING ERROR 13\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -90,7 +90,7 @@ expect { timeout {puts "TESTING ERROR 11\n";exit} "Installing IPv6 firewall" {puts "TESTING ERROR 12\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/iprange.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -27,7 +27,7 @@ } expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r" @@ -53,7 +53,7 @@ } expect { timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_arp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,27 +10,27 @@ send -- "firejail --net=br0 sleep 20 &\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "firejail --net=br0 sleep 20 &\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "firejail --net=br0 sleep 20 &\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "firejail --net=br0 sleep 20 &\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "firejail --net=br0 sleep 20 &\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } # will fail
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_badip.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_defaultgw.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -27,7 +27,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_defaultgw2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -15,7 +15,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_defaultgw3.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_ip.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -27,7 +27,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -53,7 +53,7 @@ } expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_local.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -15,7 +15,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -25,7 +25,7 @@ send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_mac.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -31,7 +31,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "exit\r" after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_macvlan2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -30,7 +30,7 @@ } expect { timeout {puts "TESTING ERROR 0.6\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_mtu.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --net=br0 --mtu=1000 --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_netfilter.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -27,7 +27,7 @@ } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -41,7 +41,7 @@ "Chain INPUT (policy DROP" {puts "TESTING ERROR 5.1\n";exit} "ACCEPT all -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit} "ACCEPT icmp -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -55,7 +55,7 @@ } expect { timeout {puts "TESTING ERROR 6.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "ping -c 1 -w 3 10.10.20.1\r" @@ -75,7 +75,7 @@ } expect { timeout {puts "TESTING ERROR 7.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 send -- "ping -c 1 -w 3 10.10.20.1\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_noip.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "bash\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_noip2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "bash\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_none.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" {puts "TESTING ERROR 0.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -47,7 +47,7 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "eth0" {puts "TESTING ERROR 3.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_profile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -31,7 +31,7 @@ } expect { timeout {puts "TESTING ERROR 0.4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_scan.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -23,7 +23,7 @@ } expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -43,7 +43,7 @@ } expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -63,7 +63,7 @@ } expect { timeout {puts "TESTING ERROR 11\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_unconfigured.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "bash\r" @@ -53,7 +53,7 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "eth0" {puts "TESTING ERROR 8\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "bash\r" @@ -93,7 +93,7 @@ expect { timeout {puts "TESTING ERROR 14\n";exit} "eth0" {puts "TESTING ERROR 15\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "bash\r" @@ -133,7 +133,7 @@ expect { timeout {puts "TESTING ERROR 21\n";exit} "eth0" {puts "TESTING ERROR 22\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "bash\r" @@ -180,7 +180,7 @@ } expect { timeout {puts "TESTING ERROR 30\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "bash\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/net_veth.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -42,7 +42,7 @@ } expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r" @@ -119,7 +119,7 @@ } expect { timeout {puts "TESTING ERROR 27\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/netfilter-template.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -18,7 +18,7 @@ send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5555 ./tcpserver 5555\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/netns.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --netns=red --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/netstats.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --net=eth0 --name=test1\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --net=eth0 --name=test2\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/network.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/tcpserver.c ^
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2021 Firejail Authors + * Copyright (C) 2014-2022 Firejail Authors * * This file is part of firejail project *
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/network/veth-name.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -23,7 +23,7 @@ } expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -55,7 +55,7 @@ } expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/firefox-x11-xorg.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -36,7 +36,7 @@ send -- "firejail --overlay --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/firefox-x11.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -36,7 +36,7 @@ send -- "firejail --name=blablabla --overlay\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/firefox.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 10 @@ -47,7 +47,7 @@ send -- "firejail --name=blablabla --overlay\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/fs-named.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ timeout {puts "TESTING ERROR 2\n";exit} "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} - "Child process initialized" {puts "found\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"} } sleep 1 send -- "stty -echo\r" @@ -52,7 +52,7 @@ timeout {puts "TESTING ERROR 2\n";exit} "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} - "Child process initialized" {puts "found\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"} } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/fs-tmpfs.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -21,7 +21,7 @@ timeout {puts "TESTING ERROR 1\n";exit} "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} - "Child process initialized" {puts "found\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"} } sleep 1 send -- "stty -echo\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/fs.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ timeout {puts "TESTING ERROR 2\n";exit} "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} - "Child process initialized" {puts "found\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"} } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/overlay/overlay.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -22,8 +22,7 @@ ./fs-tmpfs.exp rm -fr ~/_firejail_test_* -which firefox 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v firefox then echo "TESTING: overlay firefox" ./firefox.exp @@ -31,8 +30,7 @@ echo "TESTING SKIP: firefox not found" fi -which firefox 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v firefox then echo "TESTING: overlay firefox x11 xorg" ./firefox.exp @@ -40,26 +38,22 @@ echo "TESTING SKIP: firefox not found" fi - # check xpra/xephyr -which xpra 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v xpra then - echo "xpra found" + echo "xpra found" else - echo "xpra not found" - which Xephyr 2>/dev/null - if [ "$?" -eq 0 ]; + echo "xpra not found" + if command -v Xephyr then - echo "Xephyr found" + echo "Xephyr found" else - echo "TESTING SKIP: xpra and/or Xephyr not found" + echo "TESTING SKIP: xpra and/or Xephyr not found" exit fi fi -which firefox 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v firefox then echo "TESTING: overlay firefox x11" ./firefox-x11.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/atril.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/dig.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/eog.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/eom.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/evince.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/galculator.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gedit.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-calculator.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -16,7 +16,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -43,7 +43,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-logs.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-nettool.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gnome-system-log.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/gpicview.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/leafpad.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/mousepad.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/pavucontrol.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/pluma.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/private-lib.exp ^
@@ -0,0 +1,48 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +after 100 +send -- "stty -echo\r" +after 100 + +send -- "cd /bin; find .\; echo done\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} +# "grep" {puts "TESTING ERROR 3\n";exit} + "rm" {puts "TESTING ERROR 3\n";exit} + "cp" {puts "TESTING ERROR 4\n";exit} + "done" +} +after 100 + +send -- "cd /lib; find .\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "./modules" {puts "TESTING ERROR 6\n";exit} + "./firmware" {puts "TESTING ERROR 7\n";exit} + "libc.so" +} +after 100 + +send -- "cd /usr/lib; find .\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "grub" {puts "TESTING ERROR 9\n";exit} + "mozilla" {puts "TESTING ERROR 10\n";exit} + "libdl.so" +} +after 100 + +puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/private-lib.sh ^
@@ -1,18 +1,16 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3g export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog" +apps=(gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog) - -for app in $LIST; do - which $app 2>/dev/null - if [ "$?" -eq 0 ]; +for app in "${apps[@]}"; do + if command -v "$app" then echo "TESTING: private-lib $app" ./$app.exp @@ -20,3 +18,15 @@ echo "TESTING SKIP: $app not found" fi done + +if [[ $(uname -m) == "x86_64" ]]; then + fjconfig=/etc/firejail/firejail.config + printf 'private-lib yes\n' \| sudo tee -a "$fjconfig" >/dev/null + echo "TESTING: private-lib (test/fs/private-lib.exp)" + ./private-lib.exp + printf '%s\n' "$(sed '/^private-lib yes$/d' "$fjconfig")" \| + sudo tee "$fjconfig" >/dev/null +else + echo "TESTING SKIP: private-lib test implemented only for x86_64." +fi +
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/transmission-gtk.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/whois.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/private-lib/xcalc.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 3 @@ -41,7 +41,7 @@ send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Added	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/all-profiles.sh ^
@@ -0,0 +1,47 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2022 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C + +echo "TESTING: profile comments (test/profiles/profilecomment.exp)" +./profile_comment.exp + +echo "TESTING: profile conditional (test/profiles/conditional.exp)" +./conditional.exp + +echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)" +./profile_recursivity.exp + +echo "TESTING: profile application name (test/profiles/profile_appname.exp)" +./profile_appname.exp + +echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)" +./profile_syntax.exp + +echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" +./profile_syntax2.exp + +echo "TESTING: ignore command (test/profiles/ignore.exp)" +./ignore.exp + +echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)" +./profile_readonly.exp + +echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" +./profile_followlnk.exp + +echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" +./profile_noperm.exp + +profiles=( /etc/firejail/*.profile ) +echo "TESTING: default profiles installed in /etc" + +for profile in "${profiles[@]}" +do + echo "TESTING: $profile" + ./test-profile.exp "$profile" +done
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/conditional.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ } expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r" @@ -24,7 +24,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "conditional HAS_NODBUS, private" {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/ignore.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -17,7 +17,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} BLACKLIST {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 send -- "exit\r" @@ -26,7 +26,7 @@ send -- "firejail --ignore=seccomp --ignore=shell --profile=ignore.profile \r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -42,7 +42,7 @@ send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} BLACKLIST {puts "TESTING ERROR 8\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -69,7 +69,7 @@ send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_appname.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -16,10 +16,6 @@ timeout {puts "TESTING ERROR 1\n";exit} "Reading profile /etc/firejail/firefox-common.profile" } -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "shell=none configured, but no program specified" -} after 100 puts "\nall done\n"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_comment.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -15,7 +15,7 @@ send -- "firejail --profile=comment.profile /usr/bin/true\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -36,7 +36,7 @@ send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 4\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_followlnk.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -16,7 +16,7 @@ send -- "firejail --profile=readonly-lnk.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "ls > /tmp/firejailtestdirlnk/ttt\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_noperm.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_readonly.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ send -- "firejail --profile=readonly.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_recursivity.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_syntax.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --profile=test.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -22,7 +22,7 @@ } sleep 1 -send -- "ls -l /etc/shadow\r" +send -- "ls -l /dev/console\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "root root"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profile_syntax2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/profiles.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -37,18 +37,11 @@ echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" ./profile_noperm.exp -# GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles. -UID=`id -u` -if [ -d "/run/user/$UID" ]; then - PROFILES=`ls /etc/firejail/.profile` - echo "TESTING: default profiles installed in /etc" -else - PROFILES=`ls /etc/firejail/transmission.profile /etc/firejail/fi.profile /etc/firejail/fl.profile /etc/firejail/free.profile` - echo "TESTING: small number of default profiles installed in /etc" -fi +profiles=( /etc/firejail/transmission.profile /etc/firejail/fi.profile /etc/firejail/fl.profile /etc/firejail/free*.profile ) +echo "TESTING: small number of default profiles installed in /etc" -for PROFILE in $PROFILES +for profile in "${profiles[@]}" do - echo "TESTING: $PROFILE" - ./test-profile.exp $PROFILE + echo "TESTING: $profile" + ./test-profile.exp "$profile" done
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/test-profile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/profiles/test.profile ^
@@ -1,5 +1,5 @@ blacklist /sbin/iptables -blacklist /etc/shadow +blacklist /dev/console blacklist /bin/rmdir blacklist ${PATH}/umount blacklist ${PATH}/mount
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/apache2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 5 @@ -10,7 +10,7 @@ send -- "firejail --name=apache /etc/init.d/apache2 start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/checkcfg.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/firecfg.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/firemon-events.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -18,7 +18,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } # get messages on firemon
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/isc-dhcp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 5 @@ -10,7 +10,7 @@ send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/join.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=jointesting --cpu=0 --nice=2\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -21,14 +21,18 @@ timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} sleep 1 send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "/bin/bash" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "/bin/bash" } @@ -36,15 +40,15 @@ sleep 1 send -- "firejail --join-network=jointesting\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + timeout {puts "TESTING ERROR 5\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "exit\r" sleep 1 send -- "firejail --join-filesystem=jointesting\r" expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + timeout {puts "TESTING ERROR 6\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/login_nobody.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "su - nobody -s /usr/bin/firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/nginx.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 5 @@ -10,7 +10,7 @@ send -- "firejail --name=nginx /etc/init.d/nginx start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/option_bind_directory.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --bind=/tmp/chroot,mntpoint\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/option_bind_file.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --bind=tmpfile,/etc/passwd\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/option_tmpfs.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --tmpfs=/var\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/private.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -42,7 +42,7 @@ send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -57,7 +57,7 @@ send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 3.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -80,7 +80,7 @@ send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -95,7 +95,7 @@ send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 5.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/profile_tmpfs.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --profile=tmpfs.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/root.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 # set a new firejail config file @@ -11,8 +11,7 @@ #****************************** # firecfg #**************************** -which less 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v less then echo "TESTING: firecfg (test/root/firecfg.exp)" mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store @@ -25,24 +24,24 @@ #**************************** # servers #**************************** -if [ -f /etc/init.d/snmpd ] +if [[ -f /etc/init.d/snmpd ]] then echo "TESTING: snmpd (test/root/snmpd.exp)" ./snmpd.exp else - echo "TESTING SKIP: snmpd not found" + echo "TESTING SKIP: snmpd not found" fi -if [ -f /etc/init.d/apache2 ] +if [[ -f /etc/init.d/apache2 ]] then echo "TESTING: apache2 (test/root/apache2.exp)" ./apache2.exp else - echo "TESTING SKIP: apache2 not found" + echo "TESTING SKIP: apache2 not found" fi -if [ -f /etc/init.d/isc-dhcp-server ] +if [[ -f /etc/init.d/isc-dhcp-server ]] then echo "TESTING: isc dhcp server (test/root/isc-dhscp.exp)" ./isc-dhcp.exp @@ -50,20 +49,20 @@ echo "TESTING SKIP: isc dhcp server not found" fi -if [ -f /etc/init.d/unbound ] +if [[ -f /etc/init.d/unbound ]] then echo "TESTING: unbound (test/root/unbound.exp)" ./unbound.exp else - echo "TESTING SKIP: unbound not found" + echo "TESTING SKIP: unbound not found" fi -if [ -f /etc/init.d/nginx ] +if [[ -f /etc/init.d/nginx ]] then echo "TESTING: nginx (test/root/nginx.exp)" ./nginx.exp else - echo "TESTING SKIP: nginx not found" + echo "TESTING SKIP: nginx not found" fi #****************************** @@ -103,9 +102,6 @@ ./checkcfg.exp cp ../../etc/firejail.config /etc/firejail/. -echo "TESTING: cgroup (test/root/cgroup.exp)" -./cgroup.exp - echo "TESTING: tmpfs (test/root/option_tmpfs.exp)" ./option_tmpfs.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/seccomp-chmod.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/seccomp-chown.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/seccomp-umount.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --seccomp --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/snmpd.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 5 @@ -10,7 +10,7 @@ send -- "firejail --name=snmpd /etc/init.d/snmpd start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/unbound.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 5 @@ -10,7 +10,7 @@ send -- "firejail --name=unbound unbound\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/root/whitelist.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -16,7 +16,7 @@ send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -39,7 +39,7 @@ send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -61,7 +61,7 @@ send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -78,7 +78,7 @@ send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -100,7 +100,7 @@ send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r" expect { timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/login.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "ssh firejail-test@0\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" {puts "OK\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"} "an existing sandbox was detected" {puts "OK\n"} } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/scp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "ssh firejail-test@0\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" {puts "OK\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"} "an existing sandbox was detected" {puts "OK\n"} } sleep 1 @@ -33,7 +33,7 @@ send -- "ssh firejail-test@0\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" {puts "OK\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"} "an existing sandbox was detected" {puts "OK\n"} } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/sftp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "ssh firejail-test@0\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" {puts "OK\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"} "an existing sandbox was detected" {puts "OK\n"} } sleep 1 @@ -45,7 +45,7 @@ send -- "ssh firejail-test@0\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" {puts "OK\n"} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"} "an existing sandbox was detected" {puts "OK\n"} } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/ssh/ssh.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/blacklist.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ send -- "firejail --profile=blacklist.profile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } while { $i <= $MAXi } { @@ -36,7 +36,7 @@ send -- "firejail --profile=noblacklist.profile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } while { $i <= $MAXi } {
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/env.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --profile=env.profile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } send -- "env \| grep FJSTRESS77\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/net_macvlan.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -15,7 +15,7 @@ send -- "firejail --net=eth0 --ip=192.168.1.$i\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } incr i after 100 @@ -30,7 +30,7 @@ send -- "firejail --net=eth0 --iprange=192.168.1.201,192.168.1.220\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } puts "********** $i ****************\n" incr i
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/stress/stress.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -14,7 +14,7 @@ rm blacklist.profile rm noblacklist.profile rm env.profile -for i in `seq 1 100`; +for i in {1..100} do echo "hello" > ~/fj-stress-test/testfile$i echo "blacklist ~/fj-stress-test/testfile$i" >> blacklist.profile
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/cpio.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/file.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/gzip.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/less.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,6 +11,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} + "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit} "MALLOC_CHECK" } expect {
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/ping.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/strings.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/sysutils.sh ^
@@ -1,14 +1,13 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -which cpio 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v cpio then echo "TESTING: cpio" ./cpio.exp @@ -16,8 +15,7 @@ echo "TESTING SKIP: cpio not found" fi -#which strings -#if [ "$?" -eq 0 ]; +#if command -v strings #then # echo "TESTING: strings" # ./strings.exp @@ -25,8 +23,7 @@ # echo "TESTING SKIP: strings not found" #fi -which gzip 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v gzip then echo "TESTING: gzip" ./gzip.exp @@ -34,8 +31,7 @@ echo "TESTING SKIP: gzip not found" fi -which xzdec 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v xzdec then echo "TESTING: xzdec" ./xzdec.exp @@ -43,8 +39,7 @@ echo "TESTING SKIP: xzdec not found" fi -which xz 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v xz then echo "TESTING: xz" ./xz.exp @@ -52,8 +47,7 @@ echo "TESTING SKIP: xz not found" fi -which less 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v less then echo "TESTING: less" ./less.exp @@ -61,8 +55,7 @@ echo "TESTING SKIP: less not found" fi -which file 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v file then echo "TESTING: file" ./file.exp @@ -70,8 +63,7 @@ echo "TESTING SKIP: file not found" fi -which tar 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v tar then echo "TESTING: tar" ./tar.exp @@ -79,8 +71,7 @@ echo "TESTING SKIP: tar not found" fi -which ping 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v ping then echo "TESTING: ping" ./ping.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/tar.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/xz.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 60
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/sysutils/xzdec.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/build.exp ^
@@ -1,19 +1,19 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "echo testing > ~/firejail-test-file-7699\r" +send -- "echo testing > ~/_firejail-test-file\r" after 100 -send -- "firejail --build cat ~/firejail-test-file-7699\r" +send -- "firejail --build cat ~/_firejail-test-file\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "whitelist $\{HOME\}/firejail-test-file-7699" + "whitelist $\{HOME\}/_firejail-test-file" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -77,7 +77,8 @@ } after 100 - +send -- "rm -f ~/_firejail-test-file\r" +after 100 send -- "firejail --build cat /etc/passwd\r" expect {
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/caps-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/catchsignal-master.sh ^
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 ./catchsignal.sh &
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/catchsignal.sh ^
@@ -1,23 +1,23 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 _term() { - echo "Caught Signal" - echo 1 - sleep 1 - echo 2 - sleep 1 - echo 3 - sleep 1 - echo 4 - sleep 1 - echo 5 - sleep 1 + echo "Caught Signal" + echo 1 + sleep 1 + echo 2 + sleep 1 + echo 3 + sleep 1 + echo 4 + sleep 1 + echo 5 + sleep 1 - kill $pid - exit + kill $pid + exit } trap _term SIGTERM
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/catchsignal2.sh ^
@@ -1,45 +1,45 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 _term() { - echo "Caught Signal" - echo 1 - sleep 1 - echo 2 - sleep 1 - echo 3 - sleep 1 - echo 4 - sleep 1 - echo 5 - sleep 1 + echo "Caught Signal" + echo 1 + sleep 1 + echo 2 + sleep 1 + echo 3 + sleep 1 + echo 4 + sleep 1 + echo 5 + sleep 1 - echo 10 - sleep 1 - echo 20 - sleep 1 - echo 30 - sleep 1 - echo 40 - sleep 1 - echo 50 - sleep 1 + echo 10 + sleep 1 + echo 20 + sleep 1 + echo 30 + sleep 1 + echo 40 + sleep 1 + echo 50 + sleep 1 - echo 100 - sleep 1 - echo 200 - sleep 1 - echo 300 - sleep 1 - echo 400 - sleep 1 - echo 500 - sleep 1 + echo 100 + sleep 1 + echo 200 + sleep 1 + echo 300 + sleep 1 + echo 400 + sleep 1 + echo 500 + sleep 1 - kill $pid - exit + kill $pid + exit } trap _term SIGTERM
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/command.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/cpu-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test --cpu=0\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "cat /proc/self/status \| grep Cpus\r" @@ -30,7 +30,7 @@ send -- "firejail --name=test --cpu=1\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/dns-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test --dns=1.2.3.4 --dns=::2\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-caps.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=bingo1 --noprofile --caps\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --name=bingo2 --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -26,7 +26,7 @@ send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -34,7 +34,7 @@ send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -42,7 +42,7 @@ send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -50,7 +50,7 @@ send -- "firejail --name=bingo6 --profile=caps1.profile\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -58,7 +58,7 @@ send -- "firejail --name=bingo7 --profile=caps2.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-cpu.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test1\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --name=test2\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-interface.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-name.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-seccomp.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --noprofile --name=bingo1 --seccomp\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --noprofile --name=bingo2\r" expect { timeout {puts "TESTING ERROR 0.1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/firemon-version.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/fs-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/help.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join-profile.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --profile=name.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -21,14 +21,18 @@ timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} sleep 1 send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "/bin/bash" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "/bin/bash" }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,32 +11,28 @@ send -- "firejail --name=jointesting --cpu=0 --nice=2\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 spawn $env(SHELL) -send -- "firejail --shell=none --join=jointesting\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "shell=none set, but no command specified" -} -after 100 - - send -- "firejail --join=jointesting\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 2\n";exit} "Switching to pid" } +expect { + timeout {puts "TESTING ERROR 3\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} sleep 1 send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "/bin/bash" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "/bin/bash" } @@ -44,13 +40,13 @@ sleep 1 send -- "firejail --join-network=jointesting\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} + timeout {puts "TESTING ERROR 6\n";exit} "is only available to root user" } after 100 send -- "firejail --join-filesystem=jointesting\r" expect { - timeout {puts "TESTING ERROR 5\n";exit} + timeout {puts "TESTING ERROR 7\n";exit} "is only available to root user" }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=\"join testing\"\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -21,14 +21,18 @@ timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} sleep 1 send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "/bin/bash" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "/bin/bash" }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join3.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=join\\ testing\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -21,14 +21,18 @@ timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} sleep 1 send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "/bin/bash" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "/bin/bash" }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join4.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=123test\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -21,14 +21,18 @@ timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} sleep 1 send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "/bin/bash" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "/bin/bash" }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/join5.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -9,8 +9,8 @@ send -- "firejail --name=test123 --profile=join5.profile\r" expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + timeout {puts "TESTING ERROR 0\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 spawn $env(SHELL) @@ -19,14 +19,18 @@ timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } +expect { + timeout {puts "TESTING ERROR 2\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} sleep 1 send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "/bin/bash" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "/bin/bash" } @@ -35,11 +39,11 @@ send -- "firejail --protocol.print=test123\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "Switching to pid" } expect { - timeout {puts "TESTING ERROR 5\n";exit} + timeout {puts "TESTING ERROR 6\n";exit} "unix" }
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/list.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -18,7 +18,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -26,7 +26,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/ls.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -14,7 +14,7 @@ send -- "firejail --private --name=test\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 send -- "echo my_testing > ~/lstesting\r"
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/man.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,6 +11,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} + "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit} "Linux namespaces sandbox program" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/name.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -19,7 +19,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -27,7 +27,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -35,7 +35,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -43,7 +43,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -51,7 +51,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -59,7 +59,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -67,7 +67,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -75,7 +75,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -83,7 +83,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -91,7 +91,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -99,7 +99,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 11\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/profile_print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --name=ftest\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/protocol-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/seccomp-print.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 15 @@ -11,7 +11,7 @@ send -- "firejail --name=shutdowntesting\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2 @@ -44,7 +44,7 @@ send -- "firejail --shutdown=1\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "this is not a firejail sandbox" + "Error: no valid sandbox" } after 100
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown2.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ send -- "firejail --name=shutdowntesting ./catchsignal.sh\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown3.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ send -- "firejail --name=shutdowntesting ./catchsignal-master.sh\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/shutdown4.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -12,7 +12,7 @@ send -- "firejail --name=shutdowntesting ./catchsignal2.sh\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 2
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/top.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --name=test1\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1 @@ -18,7 +18,7 @@ send -- "firejail --name=test2\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/trace.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 30 @@ -10,7 +10,7 @@ send -- "firejail --trace mkdir ttt\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -21,7 +21,7 @@ send -- "firejail --trace rmdir ttt\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 3\n";exit} @@ -32,7 +32,7 @@ send -- "firejail --trace touch ttt\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 5\n";exit} @@ -44,7 +44,7 @@ send -- "firejail --trace rm ttt\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 7\n";exit} @@ -55,7 +55,7 @@ send -- "firejail --trace wget -q debian.org\r" #expect { # timeout {puts "TESTING ERROR 8.1\n";exit} -# "Child process initialized" +# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" #} #expect { # timeout {puts "TESTING ERROR 8.2\n";exit} @@ -68,10 +68,6 @@ "wget:fopen /etc/wgetrc" {puts "OK\n";} } expect { - timeout {puts "TESTING ERROR 8.4\n";exit} - "wget:fopen /etc/hosts" -} -expect { timeout {puts "TESTING ERROR 8.5\n";exit} "wget:connect" } @@ -86,7 +82,7 @@ send -- "firejail --trace rm index.html\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 10\n";exit} @@ -98,7 +94,7 @@ send -- "firejail --trace\r" expect { timeout {puts "TESTING ERROR 11\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 12\n";exit}
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/tree.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -18,7 +18,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } after 100 @@ -26,7 +26,7 @@ send -- "firejail\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } sleep 1
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/utils.sh ^
@@ -1,13 +1,13 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -if [ -f /etc/debian_version ]; then +if [[ -f /etc/debian_version ]]; then libdir=$(dirname "$(dpkg -L firejail \| grep fcopy)") export PATH="$PATH:$libdir" fi @@ -15,8 +15,8 @@ echo "TESTING: build (test/utils/build.exp)" ./build.exp -rm -f ~/firejail-test-file-7699 -rm -f firejail-test-file-4388 +rm -f ~/_firejail-test-file +rm -f _firejail-test-file echo "TESTING: name (test/utils/name.exp)" ./name.exp @@ -33,13 +33,12 @@ echo "TESTING: help (test/utils/help.exp)" ./help.exp -which man 2>/dev/null -if [ "$?" -eq 0 ]; +if command -v man then - echo "TESTING: man (test/utils/man.exp)" - ./man.exp + echo "TESTING: man (test/utils/man.exp)" + ./man.exp else - echo "TESTING SKIP: man not found" + echo "TESTING SKIP: man not found" fi echo "TESTING: list (test/utils/list.exp)" @@ -48,12 +47,12 @@ echo "TESTING: tree (test/utils/tree.exp)" ./tree.exp -if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ]; +if [[ $(grep -c ^processor /proc/cpuinfo) -gt 1 ]] then - echo "TESTING: cpu.print (test/utils/cpu-print.exp)" - ./cpu-print.exp + echo "TESTING: cpu.print (test/utils/cpu-print.exp)" + ./cpu-print.exp else - echo "TESTING SKIP: cpu.print, not enough CPUs" + echo "TESTING SKIP: cpu.print, not enough CPUs" fi echo "TESTING: fs.print (test/utils/fs-print.exp)" @@ -129,9 +128,6 @@ echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" ./firemon-cpu.exp -echo "TESTING: firemon cgroup (test/utils/firemon-cgroup.exp)" -./firemon-cgroup.exp - echo "TESTING: firemon version (test/utils/firemon-version.exp)" ./firemon-version.exp
[-] [+]	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2/upstream/test/utils/version.exp ^
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2021 Firejail Authors +# Copyright (C) 2014-2022 Firejail Authors # License GPL v2 set timeout 10