diff -Nru firejail-0.9.60/configure firejail-0.9.62/configure
--- firejail-0.9.60/configure 2019-05-26 12:14:53.000000000 +0000
+++ firejail-0.9.62/configure 2019-12-14 13:49:05.000000000 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.60.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.62.
 #
 # Report bugs to .
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.60'
-PACKAGE_STRING='firejail 0.9.60'
+PACKAGE_VERSION='0.9.62'
+PACKAGE_STRING='firejail 0.9.62'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='https://firejail.wordpress.com'
@@ -625,6 +625,9 @@
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 HAVE_SECCOMP_H
+EGREP
+GREP
+CPP
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -639,13 +642,16 @@
 HAVE_CHROOT
 HAVE_SECCOMP
 HAVE_PRIVATE_HOME
+HAVE_FIRETUNNEL
 HAVE_OVERLAYFS
 EXTRA_LDFLAGS
-EGREP
-GREP
-CPP
-HAVE_APPARMOR
 EXTRA_CFLAGS
+HAVE_APPARMOR
+AA_LIBS
+AA_CFLAGS
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
+PKG_CONFIG
 RANLIB
 INSTALL_DATA
 INSTALL_SCRIPT
@@ -676,7 +682,6 @@
 docdir
 oldincludedir
 includedir
-runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -701,6 +706,7 @@
 enable_option_checking
 enable_apparmor
 enable_overlayfs
+enable_firetunnel
 enable_private_home
 enable_seccomp
 enable_chroot
@@ -724,6 +730,11 @@
 LDFLAGS
 LIBS
 CPPFLAGS
+PKG_CONFIG
+PKG_CONFIG_PATH
+PKG_CONFIG_LIBDIR
+AA_CFLAGS
+AA_LIBS
 CPP'
@@ -763,7 +774,6 @@
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1016,15 +1026,6 @@
 | -silent | --silent | --silen | --sile | --sil)
 silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
 -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
 ac_prev=sbindir ;;
 -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1162,7 +1163,7 @@
 for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
 datadir sysconfdir sharedstatedir localstatedir includedir \
 oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
 do
 eval ac_val=\$$ac_var
 # Remove trailing slashes.
@@ -1275,7 +1276,7 @@
 # Omit some internal or obsolete options to make the list less imposing.
 # This message is too long to be a string in the A/UX 3.1 sh.
 cat <<_ACEOF
-\`configure' configures firejail 0.9.60 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.62 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1315,7 +1316,6 @@
 --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
 --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
 --localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
 --libdir=DIR object code libraries [EPREFIX/lib]
 --includedir=DIR C header files [PREFIX/include]
 --oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -1337,7 +1337,7 @@
 if test -n "$ac_init_help"; then
 case $ac_init_help in
- short | recursive ) echo "Configuration of firejail 0.9.60:";;
+ short | recursive ) echo "Configuration of firejail 0.9.62:";;
 esac
 cat <<\_ACEOF
@@ -1347,6 +1347,7 @@
 --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
 --enable-apparmor enable apparmor
 --disable-overlayfs disable overlayfs
+ --disable-firetunnel disable firetunnel
 --disable-private-home disable private home feature
 --disable-seccomp disable seccomp
 --disable-chroot disable chroot
@@ -1373,6 +1374,13 @@
 LIBS libraries to pass to the linker, e.g. -l
 CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory
+ PKG_CONFIG path to pkg-config utility
+ PKG_CONFIG_PATH
+ directories to add to pkg-config's search path
+ PKG_CONFIG_LIBDIR
+ path overriding pkg-config's built-in search path
+ AA_CFLAGS C compiler flags for AA, overriding pkg-config
+ AA_LIBS linker flags for AA, overriding pkg-config
 CPP C preprocessor
 Use these variables to override the choices made by `configure' or to help
@@ -1442,7 +1450,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
 cat <<\_ACEOF
-firejail configure 0.9.60
+firejail configure 0.9.62
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1494,6 +1502,52 @@ } # ac_fn_c_try_compile +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. 
@@ -1694,57 +1748,11 @@ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile - -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.60, which was +It was created by firejail $as_me 0.9.62, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -2093,7 +2101,8 @@
-#AC_CONFIG_HEADERS([config.h])
+
+
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -2884,7 +2893,6 @@
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
-#AC_PROG_CXX
 ac_aux_dir=
 for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
 if test -f "$ac_dir/install-sh"; then
@@ -3101,43 +3109,149 @@ HAVE_SPECTRE="no" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Spectre mitigation support in gcc or clang compiler" >&5 -$as_echo_n "checking for Spectre mitigation support in gcc or clang compiler... " >&6; } -if test "$CC" = "gcc"; then : - HAVE_SPECTRE="yes" - $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no" - rm -f dummy.o - if test "$HAVE_SPECTRE" = "yes"; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mindirect-branch=thunk" >&5 +$as_echo_n "checking whether C compiler accepts -mindirect-branch=thunk... " >&6; } +if ${ax_cv_check_cflags___mindirect_branch_thunk+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -mindirect-branch=thunk" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ - EXTRA_CFLAGS+=" -mindirect-branch=thunk " +int +main () +{ + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___mindirect_branch_thunk=yes +else + ax_cv_check_cflags___mindirect_branch_thunk=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5 +$as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; } +if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then : + HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk" +else + : fi -if test "$CC" = "clang"; then : - HAVE_SPECTRE="yes" - $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no" - rm -f dummy.o - if test "$HAVE_SPECTRE" = "yes"; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5 +$as_echo_n "checking whether C compiler accepts -mretpoline... 
" >&6; } +if ${ax_cv_check_cflags___mretpoline+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -mretpoline" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ - EXTRA_CFLAGS+=" -mretpoline " +int +main () +{ + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___mretpoline=yes +else + ax_cv_check_cflags___mretpoline=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5 +$as_echo "$ax_cv_check_cflags___mretpoline" >&6; } +if test "x$ax_cv_check_cflags___mretpoline" = xyes; then : + HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline" +else + : fi -if test "$HAVE_SPECTRE" = "yes"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5 +$as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; } +if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fstack-clash-protection" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fstack_clash_protection=yes +else + ax_cv_check_cflags___fstack_clash_protection=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5 +$as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; } +if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then : + HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection" +else + : fi -if test "$HAVE_SPECTRE" = "no"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: ... not available" >&5 -$as_echo "... not available" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 +$as_echo_n "checking whether C compiler accepts -fstack-protector-strong... " >&6; } +if ${ax_cv_check_cflags___fstack_protector_strong+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fstack-protector-strong" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fstack_protector_strong=yes +else + ax_cv_check_cflags___fstack_protector_strong=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 +$as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; } +if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then : + HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong" +else + : fi 
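Review bot: The success actions of the two stack-hardening probes set `HAVE_SPECTRE="yes"` (`HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection"` and the matching `-fstack-protector-strong` branch), so a compiler that rejects both -mindirect-branch=thunk and -mretpoline but accepts the stack flags still makes the summary line `echo " Spectre compiler patch: $HAVE_SPECTRE"` in the later hunk print yes. Stack clash protection and stack protectors are not Spectre mitigations, and that summary line is what a packager reads to confirm the retpoline flags were applied, so the new text gives a false positive for the one check that is named after a specific threat. Since configure is generated, the fix belongs in configure.ac's AX_CHECK_COMPILE_FLAG actions: keep `HAVE_SPECTRE="yes"` in the two retpoline actions only, and make the stack probes' actions plain `EXTRA_CFLAGS+=" -fstack-clash-protection"` / `EXTRA_CFLAGS+=" -fstack-protector-strong"`. If their result should remain visible, a separate summary variable for the stack-hardening flags would report it without conflating the two.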
@@ -3147,71 +3261,539 @@ enableval=$enable_apparmor; fi -if test "x$enable_apparmor" = "xyes"; then : - HAVE_APPARMOR="-DHAVE_APPARMOR" -fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 -$as_echo_n "checking how to run the C preprocessor... " >&6; } -# On Suns, sometimes $CPP names a directory. -if test -n "$CPP" && test -d "$CPP"; then - CPP= -fi -if test -z "$CPP"; then - if ${ac_cv_prog_CPP+:} false; then : + + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PKG_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else - # Double quotes because CPP needs to be expanded - for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" - do - ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes + case $PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS -else - # Broken: fails on valid input. -continue + ;; +esac fi -rm -f conftest.err conftest.i conftest.$ac_ext - - # OK, works on sane cases. Now check whether nonexistent headers - # can be detected and how. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - # Broken: success on invalid input. -continue +PKG_CONFIG=$ac_cv_path_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } else - # Passes both tests. -ac_preproc_ok=: -break + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_PKG_CONFIG"; then + ac_pt_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG +if test -n "$ac_pt_PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 +$as_echo "$ac_pt_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_pt_PKG_CONFIG + fi +else + PKG_CONFIG="$ac_cv_path_PKG_CONFIG" +fi + +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=0.9.0 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + PKG_CONFIG="" + fi +fi +if test "x$enable_apparmor" = "xyes"; then : + + HAVE_APPARMOR="-DHAVE_APPARMOR" + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5 +$as_echo_n "checking for AA... 
" >&6; } + +if test -n "$AA_CFLAGS"; then + pkg_cv_AA_CFLAGS="$AA_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libapparmor\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libapparmor") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_AA_CFLAGS=`$PKG_CONFIG --cflags "libapparmor" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$AA_LIBS"; then + pkg_cv_AA_LIBS="$AA_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libapparmor\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libapparmor") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_AA_LIBS=`$PKG_CONFIG --libs "libapparmor" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + AA_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libapparmor" 2>&1` + else + AA_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libapparmor" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$AA_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (libapparmor) were not met: + +$AA_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. 
+ +Alternatively, you may set the environment variables AA_CFLAGS +and AA_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables AA_CFLAGS +and AA_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + AA_CFLAGS=$pkg_cv_AA_CFLAGS + AA_LIBS=$pkg_cv_AA_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS" +fi + + +fi + + + + + +HAVE_OVERLAYFS="" +# Check whether --enable-overlayfs was given. +if test "${enable_overlayfs+set}" = set; then : + enableval=$enable_overlayfs; +fi + +if test "x$enable_overlayfs" != "xno"; then : + + HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" + + +fi + +HAVE_FIRETUNNEL="" +# Check whether --enable-firetunnel was given. +if test "${enable_firetunnel+set}" = set; then : + enableval=$enable_firetunnel; +fi + +if test "x$enable_firetunnel" != "xno"; then : + + HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" + + +fi + +HAVE_PRIVATEHOME="" +# Check whether --enable-private-home was given. +if test "${enable_private_home+set}" = set; then : + enableval=$enable_private_home; +fi + +if test "x$enable_private_home" != "xno"; then : + + HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" + + +fi + +HAVE_SECCOMP="" +# Check whether --enable-seccomp was given. 
+if test "${enable_seccomp+set}" = set; then : + enableval=$enable_seccomp; +fi + +if test "x$enable_seccomp" != "xno"; then : + + HAVE_SECCOMP="-DHAVE_SECCOMP" + + +fi + +HAVE_CHROOT="" +# Check whether --enable-chroot was given. +if test "${enable_chroot+set}" = set; then : + enableval=$enable_chroot; +fi + +if test "x$enable_chroot" != "xno"; then : + + HAVE_CHROOT="-DHAVE_CHROOT" + + +fi + +HAVE_GLOBALCFG="" +# Check whether --enable-globalcfg was given. +if test "${enable_globalcfg+set}" = set; then : + enableval=$enable_globalcfg; +fi + +if test "x$enable_globalcfg" != "xno"; then : + + HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" + + +fi + +HAVE_NETWORK="" +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + +if test "x$enable_network" != "xno"; then : + + HAVE_NETWORK="-DHAVE_NETWORK" + + +fi + +HAVE_USERNS="" +# Check whether --enable-userns was given. +if test "${enable_userns+set}" = set; then : + enableval=$enable_userns; +fi + +if test "x$enable_userns" != "xno"; then : + + HAVE_USERNS="-DHAVE_USERNS" + + +fi + +HAVE_X11="" +# Check whether --enable-x11 was given. +if test "${enable_x11+set}" = set; then : + enableval=$enable_x11; +fi + +if test "x$enable_x11" != "xno"; then : + + HAVE_X11="-DHAVE_X11" + + +fi + +HAVE_FILE_TRANSFER="" +# Check whether --enable-file-transfer was given. +if test "${enable_file_transfer+set}" = set; then : + enableval=$enable_file_transfer; +fi + +if test "x$enable_file_transfer" != "xno"; then : + + HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" + + +fi + +HAVE_WHITELIST="" +# Check whether --enable-whitelist was given. +if test "${enable_whitelist+set}" = set; then : + enableval=$enable_whitelist; +fi + +if test "x$enable_whitelist" != "xno"; then : + + HAVE_WHITELIST="-DHAVE_WHITELIST" + + +fi + +HAVE_SUID="" +# Check whether --enable-suid was given. 
+if test "${enable_suid+set}" = set; then : + enableval=$enable_suid; +fi + +if test "x$enable_suid" = "xno"; then : + HAVE_SUID="no" +else + HAVE_SUID="yes" + +fi + + +HAVE_FATAL_WARNINGS="" +# Check whether --enable-fatal_warnings was given. +if test "${enable_fatal_warnings+set}" = set; then : + enableval=$enable_fatal_warnings; +fi + +if test "x$enable_fatal_warnings" = "xyes"; then : + + HAVE_FATAL_WARNINGS="-W -Wall -Werror" + + +fi + +BUSYBOX_WORKAROUND="no" +# Check whether --enable-busybox-workaround was given. +if test "${enable_busybox_workaround+set}" = set; then : + enableval=$enable_busybox_workaround; +fi + +if test "x$enable_busybox_workaround" = "xyes"; then : + + BUSYBOX_WORKAROUND="yes" + + +fi + + +HAVE_GCOV="" +# Check whether --enable-gcov was given. +if test "${enable_gcov+set}" = set; then : + enableval=$enable_gcov; +fi + +if test "x$enable_gcov" = "xyes"; then : + + HAVE_GCOV="--coverage -DHAVE_GCOV " + EXTRA_LDFLAGS+=" -lgcov --coverage " + + +fi + +HAVE_CONTRIB_INSTALL="yes" +# Check whether --enable-contrib-install was given. +if test "${enable_contrib_install+set}" = set; then : + enableval=$enable_contrib_install; +fi + +if test "x$enable_contrib_install" = "xno"; then : + HAVE_CONTRIB_INSTALL="no" +else + HAVE_CONTRIB_INSTALL="yes" + +fi + + +# checking pthread library +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 +$as_echo_n "checking for main in -lpthread... " >&6; } +if ${ac_cv_lib_pthread_main+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + + +int +main () +{ +return main (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pthread_main=yes +else + ac_cv_lib_pthread_main=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 +$as_echo "$ac_cv_lib_pthread_main" >&6; } +if test "x$ac_cv_lib_pthread_main" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... " >&6; } +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then + if ${ac_cv_prog_CPP+:} false; then : + $as_echo_n "(cached) " >&6 +else + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. 
+continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break fi rm -f conftest.err conftest.i conftest.$ac_ext 
@@ -3552,266 +4134,6 @@ done -if test "x$enable_apparmor" = "xyes"; then : - - ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default" -if test "x$ac_cv_header_sys_apparmor_h" = xyes; then : - -else - as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5 -fi - - - -fi -if test "x$enable_apparmor" = "xyes"; then : - - EXTRA_LDFLAGS+=" -lapparmor " - -fi - - -HAVE_OVERLAYFS="" -# Check whether --enable-overlayfs was given. -if test "${enable_overlayfs+set}" = set; then : - enableval=$enable_overlayfs; -fi - -if test "x$enable_overlayfs" != "xno"; then : - - HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" - - -fi - -HAVE_PRIVATEHOME="" -# Check whether --enable-private-home was given. -if test "${enable_private_home+set}" = set; then : - enableval=$enable_private_home; -fi - -if test "x$enable_private_home" != "xno"; then : - - HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" - - -fi - -HAVE_SECCOMP="" -# Check whether --enable-seccomp was given. -if test "${enable_seccomp+set}" = set; then : - enableval=$enable_seccomp; -fi - -if test "x$enable_seccomp" != "xno"; then : - - HAVE_SECCOMP="-DHAVE_SECCOMP" - - -fi - -HAVE_CHROOT="" -# Check whether --enable-chroot was given. -if test "${enable_chroot+set}" = set; then : - enableval=$enable_chroot; -fi - -if test "x$enable_chroot" != "xno"; then : - - HAVE_CHROOT="-DHAVE_CHROOT" - - -fi - -HAVE_GLOBALCFG="" -# Check whether --enable-globalcfg was given. -if test "${enable_globalcfg+set}" = set; then : - enableval=$enable_globalcfg; -fi - -if test "x$enable_globalcfg" != "xno"; then : - - HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" - - -fi - -HAVE_NETWORK="" -# Check whether --enable-network was given. -if test "${enable_network+set}" = set; then : - enableval=$enable_network; -fi - -if test "x$enable_network" != "xno"; then : - - HAVE_NETWORK="-DHAVE_NETWORK" - - -fi - -HAVE_USERNS="" -# Check whether --enable-userns was given. 
-if test "${enable_userns+set}" = set; then : - enableval=$enable_userns; -fi - -if test "x$enable_userns" != "xno"; then : - - HAVE_USERNS="-DHAVE_USERNS" - - -fi - -HAVE_X11="" -# Check whether --enable-x11 was given. -if test "${enable_x11+set}" = set; then : - enableval=$enable_x11; -fi - -if test "x$enable_x11" != "xno"; then : - - HAVE_X11="-DHAVE_X11" - - -fi - -HAVE_FILE_TRANSFER="" -# Check whether --enable-file-transfer was given. -if test "${enable_file_transfer+set}" = set; then : - enableval=$enable_file_transfer; -fi - -if test "x$enable_file_transfer" != "xno"; then : - - HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" - - -fi - -HAVE_WHITELIST="" -# Check whether --enable-whitelist was given. -if test "${enable_whitelist+set}" = set; then : - enableval=$enable_whitelist; -fi - -if test "x$enable_whitelist" != "xno"; then : - - HAVE_WHITELIST="-DHAVE_WHITELIST" - - -fi - -HAVE_SUID="" -# Check whether --enable-suid was given. -if test "${enable_suid+set}" = set; then : - enableval=$enable_suid; -fi - -if test "x$enable_suid" = "xno"; then : - HAVE_SUID="no" -else - HAVE_SUID="yes" - -fi - - -HAVE_FATAL_WARNINGS="" -# Check whether --enable-fatal_warnings was given. -if test "${enable_fatal_warnings+set}" = set; then : - enableval=$enable_fatal_warnings; -fi - -if test "x$enable_fatal_warnings" = "xyes"; then : - - HAVE_FATAL_WARNINGS="-W -Wall -Werror" - - -fi - -BUSYBOX_WORKAROUND="no" -# Check whether --enable-busybox-workaround was given. -if test "${enable_busybox_workaround+set}" = set; then : - enableval=$enable_busybox_workaround; -fi - -if test "x$enable_busybox_workaround" = "xyes"; then : - - BUSYBOX_WORKAROUND="yes" - - -fi - - -HAVE_GCOV="" -# Check whether --enable-gcov was given. 
-if test "${enable_gcov+set}" = set; then : - enableval=$enable_gcov; -fi - -if test "x$enable_gcov" = "xyes"; then : - - HAVE_GCOV="--coverage -DHAVE_GCOV " - EXTRA_LDFLAGS+=" -lgcov --coverage " - - -fi - -HAVE_CONTRIB_INSTALL="yes" -# Check whether --enable-contrib-install was given. -if test "${enable_contrib_install+set}" = set; then : - enableval=$enable_contrib_install; -fi - -if test "x$enable_contrib_install" = "xno"; then : - HAVE_CONTRIB_INSTALL="no" -else - HAVE_CONTRIB_INSTALL="yes" - -fi - - -# checking pthread library -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 -$as_echo_n "checking for main in -lpthread... " >&6; } -if ${ac_cv_lib_pthread_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpthread $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_pthread_main=yes -else - ac_cv_lib_pthread_main=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 -$as_echo "$ac_cv_lib_pthread_main" >&6; } -if test "x$ac_cv_lib_pthread_main" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPTHREAD 1 -_ACEOF - - LIBS="-lpthread $LIBS" - -else - as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 -fi - ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" if test "x$ac_cv_header_pthread_h" = xyes; then : 
@@ -4379,7 +4701,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.60, which was +This file was extended by firejail $as_me 0.9.62, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4433,7 +4755,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.60 +firejail config.status 0.9.62 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -5034,6 +5356,7 @@ echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" +echo " firetunnel support: $HAVE_FIRETUNNEL" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " Spectre compiler patch: $HAVE_SPECTRE" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" diff -Nru firejail-0.9.60/configure.ac firejail-0.9.62/configure.ac --- firejail-0.9.60/configure.ac 2019-05-26 12:14:37.000000000 +0000 +++ firejail-0.9.62/configure.ac 2019-12-14 13:49:05.000000000 +0000 
@@ -1,56 +1,57 @@ +# +# Note: +# +# If for any reason autoconf fails, run "autoreconf -i --install " and try again. +# This is how the error looks like on Arch Linux: +# ./configure: line 3064: syntax error near unexpected token `newline' +# ./configure: line 3064: `AX_CHECK_COMPILE_FLAG(' +# +# We rely solely on autoconf, without automake. Apparently, in this case +# the macros from m4 directory are not picked up by default by automake. +# "autoreconf -i --install" seems to fix the problem. +# + AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.60, netblue30@yahoo.com, , https://firejail.wordpress.com) +AC_INIT(firejail, 0.9.62, netblue30@yahoo.com, , https://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) -#AC_CONFIG_HEADERS([config.h]) + +AC_CONFIG_MACRO_DIR([m4]) AC_PROG_CC -#AC_PROG_CXX AC_PROG_INSTALL AC_PROG_RANLIB HAVE_SPECTRE="no" -AC_MSG_CHECKING(for Spectre mitigation support in gcc or clang compiler) -AS_IF([test "$CC" = "gcc"], [ - HAVE_SPECTRE="yes" - $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no" - rm -f dummy.o - AS_IF([test "$HAVE_SPECTRE" = "yes"], [ - EXTRA_CFLAGS+=" -mindirect-branch=thunk " - ]) -]) -AS_IF([test "$CC" = "clang"], [ - HAVE_SPECTRE="yes" - $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no" - rm -f dummy.o - AS_IF([test "$HAVE_SPECTRE" = "yes"], [ - EXTRA_CFLAGS+=" -mretpoline " - ]) -]) -AS_IF([test "$HAVE_SPECTRE" = "yes"], [ - AC_MSG_RESULT(yes) -]) -AS_IF([test "$HAVE_SPECTRE" = "no"], [ - AC_MSG_RESULT(... 
not available) -]) -AC_SUBST([EXTRA_CFLAGS]) +AX_CHECK_COMPILE_FLAG( + [-mindirect-branch=thunk], + [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk"] +) +AX_CHECK_COMPILE_FLAG( + [-mretpoline], + [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline"] +) +AX_CHECK_COMPILE_FLAG( + [-fstack-clash-protection], + [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection"] +) +AX_CHECK_COMPILE_FLAG( + [-fstack-protector-strong], + [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"] +) HAVE_APPARMOR="" AC_ARG_ENABLE([apparmor], AS_HELP_STRING([--enable-apparmor], [enable apparmor])) AS_IF([test "x$enable_apparmor" = "xyes"], [ HAVE_APPARMOR="-DHAVE_APPARMOR" + PKG_CHECK_MODULES([AA], libapparmor, [EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS"]) AC_SUBST(HAVE_APPARMOR) ]) -AS_IF([test "x$enable_apparmor" = "xyes"], [ - AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( - [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) -]) -AS_IF([test "x$enable_apparmor" = "xyes"], [ - EXTRA_LDFLAGS+=" -lapparmor " -]) +AC_SUBST([EXTRA_CFLAGS]) AC_SUBST([EXTRA_LDFLAGS]) + HAVE_OVERLAYFS="" AC_ARG_ENABLE([overlayfs], AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) @@ -59,6 +60,14 @@ AC_SUBST(HAVE_OVERLAYFS) ]) +HAVE_FIRETUNNEL="" +AC_ARG_ENABLE([firetunnel], + AS_HELP_STRING([--disable-firetunnel], [disable firetunnel])) +AS_IF([test "x$enable_firetunnel" != "xno"], [ + HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" + AC_SUBST(HAVE_FIRETUNNEL) +]) + HAVE_PRIVATEHOME="" AC_ARG_ENABLE([private-home], AS_HELP_STRING([--disable-private-home], [disable private home feature])) 
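Review bot: All four AX_CHECK_COMPILE_FLAG actions set HAVE_SPECTRE="yes", so the summary line `Spectre compiler patch: $HAVE_SPECTRE` reports yes on a compiler that accepts only -fstack-clash-protection or -fstack-protector-strong and neither retpoline flag; those two are stack-hardening options, not Spectre mitigations. Only the -mindirect-branch=thunk and -mretpoline checks should touch HAVE_SPECTRE, e.g. the third action becomes `[EXTRA_CFLAGS+=" -fstack-clash-protection"]` and the fourth `[EXTRA_CFLAGS+=" -fstack-protector-strong"]`, or the stack flags get their own variable printed in the summary. AX_CHECK_COMPILE_FLAG only proves the flag is accepted when compiling an empty program, which matches what the removed dummy.c check did, so a comment saying the summary reflects compiler acceptance rather than a verified mitigation would set expectations. The `+=` in the actions is inherited from the old code and presumably relies on configure running under a shell that supports it.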
@@ -206,6 +215,7 @@ echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" +echo " firetunnel support: $HAVE_FIRETUNNEL" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " Spectre compiler patch: $HAVE_SPECTRE" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" diff -Nru firejail-0.9.60/contrib/fix_private-bin.py firejail-0.9.62/contrib/fix_private-bin.py --- firejail-0.9.60/contrib/fix_private-bin.py 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/contrib/fix_private-bin.py 2019-12-14 13:30:32.000000000 +0000 @@ -61,7 +61,6 @@ if shouldUpdate: with open(filename, "w") as file: file.writelines(lines) - pass def createSetOfBinaries(files): @@ -70,7 +69,6 @@ """ s = set() for filename in files: - lines = None with open(filename, "r") as file: for line in file: if privRx.search(line): diff -Nru firejail-0.9.60/contrib/fjclip.py firejail-0.9.62/contrib/fjclip.py --- firejail-0.9.60/contrib/fjclip.py 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/contrib/fjclip.py 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 -import re import sys import subprocess import fjdisplay diff -Nru firejail-0.9.60/contrib/fjdisplay.py firejail-0.9.62/contrib/fjdisplay.py --- firejail-0.9.60/contrib/fjdisplay.py 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/contrib/fjdisplay.py 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import re import sys diff -Nru firejail-0.9.60/contrib/fjresize.py firejail-0.9.62/contrib/fjresize.py --- firejail-0.9.60/contrib/fjresize.py 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/contrib/fjresize.py 2019-12-14 13:30:32.000000000 +0000 
@@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import sys import fjdisplay diff -Nru firejail-0.9.60/contrib/gdb-firejail.sh firejail-0.9.62/contrib/gdb-firejail.sh --- firejail-0.9.60/contrib/gdb-firejail.sh 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/contrib/gdb-firejail.sh 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,21 @@ +#!/bin/bash +set -x + +# gdb setuid helper script. +# This script forks a background process as the current user which will +# immediately send itself a `STOP` signal. Then gdb running as root will +# attach to that process, which will send it the `CONT` signal to continue +# execution. Then the backgrounded process will exec the program with the +# given arguments. This will allow the root gdb to trace the unprivileged +# setuid firejail process from the absolute beginning. + +if [ -z "${1##*/firejail}" ]; then + FIREJAIL=$1 +else + # First argument is not named firejail, then add default unless environment + # variable already set. + set -- ${FIREJAIL:=$(which firejail)} "$@" +fi + +bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & +sudo gdb -e "$FIREJAIL" -p "$!" \ No newline at end of file diff -Nru firejail-0.9.60/contrib/sort.py firejail-0.9.62/contrib/sort.py --- firejail-0.9.60/contrib/sort.py 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/contrib/sort.py 2019-12-14 13:30:32.000000000 +0000 
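Review bot: With no arguments, `[ -z "${1##*/firejail}" ]` is true for the empty $1, so FIREJAIL stays empty and `sudo gdb -e "$FIREJAIL" -p "$!"` is started with an empty executable path; the same test also sends a bare `firejail` argument (no slash) down the else branch, where it is prepended with the located binary and then passed to it as an argument. In that else branch `set -- ${FIREJAIL:=$(which firejail)} "$@"` is unquoted and word-splits a path containing spaces. A count guard and a quoted assignment cover both: `if [ $# -gt 0 ] && [ -z "${1##*/firejail}" ]; then`, and for the else branch `FIREJAIL=${FIREJAIL:-$(command -v firejail)}` followed by `set -- "$FIREJAIL" "$@"`. `set -x` on line 2 traces every command and argument to stderr; a comment stating that this is intended for a debugging helper would make it clear it is not an oversight.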
@@ -0,0 +1,122 @@ +#!/usr/bin/env python3 +""" +Sort the items of multi-item options in profiles, the following options are supported: + private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol + +Usage: + $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ] +Keep in mind that this will overwrite your profile(s). + +Examples: + $ ./sort.py MyAwesomeProfile.profile + $ ./sort.py new_profile.profile second_new_profile.profile + $ ./sort.py ~/.config/firejail/*.{profile,inc,local} + $ sudo ./sort.py /etc/firejail/*.{profile,inc,local} + +Exit-Codes: + 0: No Error; No Profile Fixed. + 1: Error, one or more profiles were not processed correctly. + 101: No Error; One or more profile were fixed. +""" + +# Requirements: +# python >= 3.6 +from sys import argv + + +def sort_alphabetical(raw_items): + items = raw_items.split(",") + items.sort(key=lambda s: s.casefold()) + return ",".join(items) + + +def sort_protocol(protocols): + """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet""" + # shortcut for common protocol lines + if protocols in ("unix", "unix,inet,inet6"): + return protocols + fixed_protocols = "" + present_protocols = { + "unix": False, + "inet": False, + "inet6": False, + "netlink": False, + "packet": False, + } + for protocol in protocols.split(","): + if protocol == "unix": + present_protocols["unix"] = True + elif protocol == "inet": + present_protocols["inet"] = True + elif protocol == "inet6": + present_protocols["inet6"] = True + elif protocol == "netlink": + present_protocols["netlink"] = True + elif protocol == "packet": + present_protocols["packet"] = True + if present_protocols["unix"]: + fixed_protocols += "unix," + if present_protocols["inet"]: + fixed_protocols += "inet," + if present_protocols["inet6"]: + fixed_protocols += "inet6," + if present_protocols["netlink"]: + fixed_protocols += "netlink," + if present_protocols["packet"]: + fixed_protocols += "packet," 
+ return fixed_protocols[:-1] + + +def fix_profile(filename): + with open(filename, "r+") as profile: + lines = profile.read().split("\n") + was_fixed = False + fixed_profile = [] + for line in lines: + if line[:12] in ("private-bin ", "private-etc ", "private-lib "): + fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" + elif line[:13] in ("seccomp.drop ", "seccomp.keep "): + fixed_line = f"{line[:13]}{sort_alphabetical(line[13:])}" + elif line[:10] in ("caps.drop ", "caps.keep "): + fixed_line = f"{line[:10]}{sort_alphabetical(line[10:])}" + elif line[:8] == "protocol": + fixed_line = f"protocol {sort_protocol(line[9:])}" + elif line[:8] == "seccomp ": + fixed_line = f"{line[:8]}{sort_alphabetical(line[8:])}" + else: + fixed_line = line + if fixed_line != line: + was_fixed = True + fixed_profile.append(fixed_line) + if was_fixed: + profile.seek(0) + profile.truncate() + profile.write("\n".join(fixed_profile)) + profile.flush() + print(f"[ Fixed ] (unknown)") + return 101 + return 0 + + +def main(args): + exit_code = 0 + for filename in args: + try: + if exit_code not in (1, 101): + exit_code = fix_profile(filename) + else: + fix_profile(filename) + except FileNotFoundError: + print(f"[ Error ] Can't find `(unknown)'") + exit_code = 1 + except PermissionError: + print(f"[ Error ] Can't read/write `(unknown)'") + exit_code = 1 + except: + print(f"[ Error ] An error occurred while processing `(unknown)'") + exit_code = 1 + return exit_code + + +if __name__ == "__main__": + exit(main(argv[1:])) diff -Nru firejail-0.9.60/contrib/syscalls.sh firejail-0.9.62/contrib/syscalls.sh --- firejail-0.9.60/contrib/syscalls.sh 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/contrib/syscalls.sh 2019-12-14 13:30:32.000000000 +0000 
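Review bot: sort_protocol silently drops every token outside the five names it knows, so a `protocol` line carrying any other value (or a typo) is rewritten to the recognised subset and fix_profile then writes that narrower restriction back in place without any message. The rewrite below keeps unrecognised tokens after the ordered known ones, which also removes the five-way if/elif chain and the flag dictionary. Separately, the bare `except:` in main also swallows KeyboardInterrupt and SystemExit; `except Exception:` keeps the error reporting without that. The module docstring lists `seccomp.drop` twice where the second entry is presumably `seccomp.keep`, matching the prefixes fix_profile handles.
```python
def sort_protocol(protocols):
    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet"""
    # shortcut for common protocol lines
    if protocols in ("unix", "unix,inet,inet6"):
        return protocols
    order = ("unix", "inet", "inet6", "netlink", "packet")
    tokens = protocols.split(",")
    known = [p for p in order if p in tokens]
    # keep anything we do not recognise instead of silently dropping it
    unknown = [p for p in tokens if p not in order]
    return ",".join(known + unknown)
```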
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt"
+SYSCALLS_OUTPUT_FILE="$(pwd)/syscalls.txt"
+
+if [ $# -eq 0 ]
+then
+echo
+echo " *** No program specified!!! ***"
+echo
+echo -e "Make this file executable and execute it as:\\n"
+echo -e "\\e[96m syscalls.sh /full/path/to/program\\n"
+echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n"
+echo -e "\\e[96m ./syscalls.sh /full/path/to/program\\n"
+echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls."
+echo
+exit 0
+
+else
+
+strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE"
+echo
+echo -e "\e[39mThese are the sorted syscalls:\n\e[93m"
+cat "$SYSCALLS_OUTPUT_FILE"
+echo
+echo -e "\e[39mThe sorted syscalls were saved to:\n\n\e[96m$SYSCALLS_OUTPUT_FILE"
+echo
+exit 0
+
+fi
diff -Nru firejail-0.9.60/debian/changelog firejail-0.9.62/debian/changelog
--- firejail-0.9.60/debian/changelog 2019-05-30 08:01:23.000000000 +0000
+++ firejail-0.9.62/debian/changelog 2019-12-30 19:23:06.000000000 +0000
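Review bot: The `&&` chain on the strace line drops the exit status: when strace or the traced program fails, the script still runs `cat "$SYSCALLS_OUTPUT_FILE"`, prints whatever syscalls.txt a previous run left in the working directory, and exits 0. Guarding the trace, e.g. `strace -cfo "$STRACE_OUTPUT_FILE" "$@" || exit 1` on its own line before the awk/sed pipeline, avoids presenting a stale list as this program's syscalls. A header comment would also help readers: the list covers only the syscalls reached during this particular run, so a seccomp filter derived from it has to be widened for code paths that were not exercised (the usage text on line 15 hints at this but does not say it). The `\|` alternation in the first sed expression is a GNU extension, acceptable for a bash-only helper but worth a note.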
@@ -1,8 +1,32 @@ -firejail (0.9.60-1~0ubuntu19.04.0) disco; urgency=medium +firejail (0.9.62-1~0ubuntu19.04.0) disco; urgency=medium - * Upload to Ubuntu PPA: + * Upload to Ubuntu PPA. - -- Reiner Herrmann Thu, 30 May 2019 10:01:23 +0200 + -- Reiner Herrmann Mon, 30 Dec 2019 20:23:06 +0100 + +firejail (0.9.62-1) unstable; urgency=medium + + * New upstream release. + - fixes ffplay profile (Closes: #941241) + - allows nc in ssh profile for usage in ProxyCommand (Closes: #941730) + * Refresh patches. + * Drop removed skype profile. + * Build-depend on pkg-config. + * Install profile templates to doc dir. + * Update copyrights. + * Bump Standards-Version to 4.4.1. + * Declare that d/rules does not require root. + * Cherry-pick m4 macro that was not included in orig tarball. + * Rename ADTTMP to AUTOPKGTEST_TMP in autopkgtests. + + -- Reiner Herrmann Mon, 30 Dec 2019 18:11:17 +0100 + +firejail (0.9.60-2) unstable; urgency=medium + + * Upload to unstable. + * Revert "Point to experimental branch in Vcs-Git". + + -- Reiner Herrmann Sun, 07 Jul 2019 15:19:13 +0200 firejail (0.9.60-1) experimental; urgency=medium diff -Nru firejail-0.9.60/debian/compat firejail-0.9.62/debian/compat --- firejail-0.9.60/debian/compat 2019-05-29 19:52:24.000000000 +0000 +++ firejail-0.9.62/debian/compat 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -11 diff -Nru firejail-0.9.60/debian/control firejail-0.9.62/debian/control --- firejail-0.9.60/debian/control 2019-05-29 20:05:05.000000000 +0000 +++ firejail-0.9.62/debian/control 2019-12-30 17:03:50.000000000 +0000 
@@ -2,10 +2,11 @@ Section: utils Priority: optional Maintainer: Reiner Herrmann -Build-Depends: debhelper (>= 11), dh-apparmor, libapparmor-dev -Standards-Version: 4.3.0 +Build-Depends: debhelper-compat (= 12), dh-apparmor, libapparmor-dev, pkg-config +Standards-Version: 4.4.1 +Rules-Requires-Root: no Homepage: https://firejail.wordpress.com -Vcs-Git: https://salsa.debian.org/deki-guest/firejail.git -b experimental +Vcs-Git: https://salsa.debian.org/deki-guest/firejail.git Vcs-Browser: https://salsa.debian.org/deki-guest/firejail Package: firejail diff -Nru firejail-0.9.60/debian/copyright firejail-0.9.62/debian/copyright --- firejail-0.9.60/debian/copyright 2019-05-29 19:52:24.000000000 +0000 +++ firejail-0.9.62/debian/copyright 2019-12-30 17:03:50.000000000 +0000 @@ -24,6 +24,11 @@ Copyright: 2015-2019 Reiner Herrmann License: GPL-2+ +Files: debian/patches/m4_check_compile_flag.patch +Copyright: 2008 Guido U. Draheim + 2011 Maarten Bosmans +License: GPL-3+ with autoconf exception + License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -41,6 +46,36 @@ On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". +License: GPL-3+ with autoconf exception + This program is free software: you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation, either version 3 of the License, or (at your + option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program. If not, see . + . + As a special exception, the respective Autoconf Macro's copyright owner + gives unlimited permission to copy, distribute and modify the configure + scripts that are the output of Autoconf when processing the Macro. You + need not follow the terms of the GNU General Public License when using + or distributing such scripts, even though portions of the text of the + Macro appear in them. The GNU General Public License (GPL) does govern + all other use of the material that constitutes the Autoconf Macro. + . + This special exception to the GPL applies to versions of the Autoconf + Macro released by the Autoconf Archive. When you make and distribute a + modified version of the Autoconf Macro, you may extend this special + exception to the GPL to apply to your modified version as well. + . + On Debian systems, the complete text of the GNU General + Public License version 3 can be found in "/usr/share/common-licenses/GPL-3". + License: Unlicense This is free and unencumbered software released into the public domain. . 
diff -Nru firejail-0.9.60/debian/firejail.docs firejail-0.9.62/debian/firejail.docs --- firejail-0.9.60/debian/firejail.docs 2019-05-29 19:52:24.000000000 +0000 +++ firejail-0.9.62/debian/firejail.docs 2019-12-30 17:03:50.000000000 +0000 @@ -1,2 +1,3 @@ README contrib +etc/templates diff -Nru firejail-0.9.60/debian/firejail-profiles.maintscript firejail-0.9.62/debian/firejail-profiles.maintscript --- firejail-0.9.60/debian/firejail-profiles.maintscript 2019-05-29 19:52:39.000000000 +0000 +++ firejail-0.9.62/debian/firejail-profiles.maintscript 2019-12-30 17:03:50.000000000 +0000 @@ -4,3 +4,4 @@ mv_conffile /etc/firejail/wire.profile /etc/firejail/wire-desktop.profile 0.9.56-2~ mv_conffile /etc/firejail/desktop.profile /etc/firejail/github-desktop.profile 0.9.58-1~ rm_conffile /etc/firejail/snap.profile 0.9.60-1~ +rm_conffile /etc/firejail/skype.profile 0.9.62-1~ diff -Nru firejail-0.9.60/debian/patches/apparmor-include.patch firejail-0.9.62/debian/patches/apparmor-include.patch --- firejail-0.9.60/debian/patches/apparmor-include.patch 2019-05-29 19:52:39.000000000 +0000 +++ firejail-0.9.62/debian/patches/apparmor-include.patch 2019-12-30 17:03:50.000000000 +0000 @@ -6,7 +6,7 @@ --- a/Makefile.in +++ b/Makefile.in -@@ -134,8 +134,6 @@ +@@ -137,8 +137,6 @@ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" @@ -17,8 +17,8 @@ install -m 0755 -d $(DESTDIR)/$(mandir)/man1 --- a/etc/firejail-default +++ b/etc/firejail-default -@@ -160,5 +160,5 @@ - pivot_root, +@@ -152,5 +152,5 @@ + #capability mac_admin, # Site-specific additions and overrides. See local/README for details. -#include @@ -26,7 +26,7 @@ } --- a/src/man/firejail.txt 
+++ b/src/man/firejail.txt -@@ -2484,7 +2484,7 @@ +@@ -2489,7 +2489,7 @@ .br $ ./configure --prefix=/usr --enable-apparmor .TP diff -Nru firejail-0.9.60/debian/patches/config-hardening.patch firejail-0.9.62/debian/patches/config-hardening.patch --- firejail-0.9.60/debian/patches/config-hardening.patch 2019-05-29 19:52:39.000000000 +0000 +++ firejail-0.9.62/debian/patches/config-hardening.patch 2019-12-30 17:03:50.000000000 +0000 @@ -17,7 +17,7 @@ # Enable or disable chroot support, default enabled. # chroot yes -@@ -85,7 +85,7 @@ +@@ -90,7 +90,7 @@ # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and # --netfilter only to root user. Regular users are only allowed --net=none. diff -Nru firejail-0.9.60/debian/patches/disable-internet-tests.patch firejail-0.9.62/debian/patches/disable-internet-tests.patch --- firejail-0.9.60/debian/patches/disable-internet-tests.patch 2019-05-29 19:52:24.000000000 +0000 +++ firejail-0.9.62/debian/patches/disable-internet-tests.patch 2019-12-30 17:03:50.000000000 +0000 @@ -4,21 +4,21 @@ --- a/test/environment/dns.exp +++ b/test/environment/dns.exp -@@ -61,24 +61,4 @@ +@@ -107,24 +107,4 @@ send -- "exit\r" sleep 1 -send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" -expect { -- timeout {puts "TESTING ERROR 1.2\n";exit} +- timeout {puts "TESTING ERROR 6.1\n";exit} - "connect" -} -expect { -- timeout {puts "TESTING ERROR 1.2\n";exit} +- timeout {puts "TESTING ERROR 6.2\n";exit} - "208.67.222.222" -} -expect { -- timeout {puts "TESTING ERROR 1.2\n";exit} +- timeout {puts "TESTING ERROR 6.3\n";exit} - "53" -} -after 100 @@ -83,7 +83,7 @@ timeout {puts "TESTING ERROR 11\n";exit} --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh -@@ -81,8 +81,7 @@ +@@ -82,8 +82,7 @@ which ping 2>/dev/null if [ "$?" -eq 0 ]; then @@ -95,7 +95,7 @@ fi --- a/test/utils/utils.sh 
+++ b/test/utils/utils.sh -@@ -69,8 +69,7 @@ +@@ -71,8 +71,7 @@ echo "TESTING: fs.print (test/utils/fs-print.exp)" ./fs-print.exp diff -Nru firejail-0.9.60/debian/patches/m4_check_compile_flag.patch firejail-0.9.62/debian/patches/m4_check_compile_flag.patch --- firejail-0.9.60/debian/patches/m4_check_compile_flag.patch 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/debian/patches/m4_check_compile_flag.patch 2019-12-30 17:03:50.000000000 +0000 
@@ -0,0 +1,81 @@ +Origin: upstream, https://github.com/netblue30/firejail/commit/75b4b95 +From: Reiner Herrmann +Subject: [PATCH] import ax_check_compile_flag macro from autoconf-archive + +--- /dev/null ++++ b/m4/ax_check_compile_flag.m4 +@@ -0,0 +1,74 @@ ++# =========================================================================== ++# https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html ++# =========================================================================== ++# ++# SYNOPSIS ++# ++# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) ++# ++# DESCRIPTION ++# ++# Check whether the given FLAG works with the current language's compiler ++# or gives an error. (Warnings, however, are ignored) ++# ++# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on ++# success/failure. ++# ++# If EXTRA-FLAGS is defined, it is added to the current language's default ++# flags (e.g. CFLAGS) when the check is done. The check is thus made with ++# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to ++# force the compiler to issue an error when a bad flag is given. ++# ++# INPUT gives an alternative input source to AC_COMPILE_IFELSE. ++# ++# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this ++# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. ++# ++# LICENSE ++# ++# Copyright (c) 2008 Guido U. Draheim ++# Copyright (c) 2011 Maarten Bosmans ++# ++# This program is free software: you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation, either version 3 of the License, or (at your ++# option) any later version. ++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General ++# Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License along ++# with this program. If not, see . ++# ++# As a special exception, the respective Autoconf Macro's copyright owner ++# gives unlimited permission to copy, distribute and modify the configure ++# scripts that are the output of Autoconf when processing the Macro. You ++# need not follow the terms of the GNU General Public License when using ++# or distributing such scripts, even though portions of the text of the ++# Macro appear in them. The GNU General Public License (GPL) does govern ++# all other use of the material that constitutes the Autoconf Macro. ++# ++# This special exception to the GPL applies to versions of the Autoconf ++# Macro released by the Autoconf Archive. When you make and distribute a ++# modified version of the Autoconf Macro, you may extend this special ++# exception to the GPL to apply to your modified version as well. ++ ++#serial 5 ++ ++AC_DEFUN([AX_CHECK_COMPILE_FLAG], ++[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF ++AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl ++AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ ++ ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS ++ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" ++ AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], ++ [AS_VAR_SET(CACHEVAR,[yes])], ++ [AS_VAR_SET(CACHEVAR,[no])]) ++ _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) ++AS_VAR_IF(CACHEVAR,yes, ++ [m4_default([$2], :)], ++ [m4_default([$3], :)]) ++AS_VAR_POPDEF([CACHEVAR])dnl ++])dnl AX_CHECK_COMPILE_FLAGS diff -Nru firejail-0.9.60/debian/patches/series firejail-0.9.62/debian/patches/series --- firejail-0.9.60/debian/patches/series 2019-05-29 19:52:39.000000000 +0000 +++ firejail-0.9.62/debian/patches/series 2019-12-30 17:03:50.000000000 +0000 
@@ -1,3 +1,4 @@ disable-internet-tests.patch config-hardening.patch apparmor-include.patch +m4_check_compile_flag.patch diff -Nru firejail-0.9.60/debian/tests/application-tests firejail-0.9.62/debian/tests/application-tests --- firejail-0.9.60/debian/tests/application-tests 2019-05-29 19:52:24.000000000 +0000 +++ firejail-0.9.62/debian/tests/application-tests 2019-12-30 17:03:50.000000000 +0000 @@ -1,10 +1,10 @@ #!/bin/bash -LOGFILE="$ADTTMP/test.log" +LOGFILE="$AUTOPKGTEST_TMP/test.log" # copy tests to temporary directory, as current one might be read-only -cp -a test "$ADTTMP" -cd "$ADTTMP/test" +cp -a test "$AUTOPKGTEST_TMP" +cd "$AUTOPKGTEST_TMP/test" # start Xvfb for X11 tests Xvfb :42 & diff -Nru firejail-0.9.60/debian/tests/network-test firejail-0.9.62/debian/tests/network-test --- firejail-0.9.60/debian/tests/network-test 2019-05-29 19:52:24.000000000 +0000 +++ firejail-0.9.62/debian/tests/network-test 2019-12-30 17:03:50.000000000 +0000 @@ -1,10 +1,10 @@ #!/bin/bash -LOGFILE="$ADTTMP/test-network.log" +LOGFILE="$AUTOPKGTEST_TMP/test-network.log" # copy tests to temporary directory, as current one might be read-only -cp -a test "$ADTTMP" -cd "$ADTTMP/test" +cp -a test "$AUTOPKGTEST_TMP" +cd "$AUTOPKGTEST_TMP/test" pushd network bash -x ./configure diff -Nru firejail-0.9.60/debian/tests/simple-tests firejail-0.9.62/debian/tests/simple-tests --- firejail-0.9.60/debian/tests/simple-tests 2019-05-29 19:52:24.000000000 +0000 +++ firejail-0.9.62/debian/tests/simple-tests 2019-12-30 17:03:50.000000000 +0000 
@@ -1,10 +1,10 @@ #!/bin/bash -LOGFILE="$ADTTMP/test.log" +LOGFILE="$AUTOPKGTEST_TMP/test.log" # copy tests to temporary directory, as current one might be read-only -cp -a test "$ADTTMP" -cd "$ADTTMP/test" +cp -a test "$AUTOPKGTEST_TMP" +cd "$AUTOPKGTEST_TMP/test" # run tests for dir in arguments environment fcopy filters fs profiles sysutils utils; diff -Nru firejail-0.9.60/etc/0ad.profile firejail-0.9.62/etc/0ad.profile --- firejail-0.9.60/etc/0ad.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/0ad.profile 2019-12-14 13:30:32.000000000 +0000 @@ -23,7 +23,10 @@ whitelist ${HOME}/.cache/0ad whitelist ${HOME}/.config/0ad whitelist ${HOME}/.local/share/0ad +whitelist /usr/share/0ad include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all netfilter diff -Nru firejail-0.9.60/etc/7za.profile firejail-0.9.62/etc/7za.profile --- firejail-0.9.60/etc/7za.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/7za.profile 2019-12-28 13:14:56.000000000 +0000 @@ -1,5 +1,7 @@ # Firejail profile for 7za +# Description: File archiver with high compression ratio # This file is overwritten after every install/update +quiet # Persistent local customizations include 7za.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/7z.profile firejail-0.9.62/etc/7z.profile --- firejail-0.9.60/etc/7z.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/7z.profile 2019-12-28 13:14:56.000000000 +0000 
@@ -1,26 +1,43 @@ # Firejail profile for 7z +# Description: File archiver with high compression ratio # This file is overwritten after every install/update quiet # Persistent local customizations include 7z.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -blacklist /tmp/.X11-unix +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc -ignore noroot +apparmor +caps.drop all +hostname 7z +ipc-namespace +machine-id net none no3d nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none +#private-bin 7z,7z*,p7zip +private-cache private-dev -include default.profile +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/7zr.profile firejail-0.9.62/etc/7zr.profile --- firejail-0.9.60/etc/7zr.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/7zr.profile 2019-12-28 13:14:56.000000000 +0000 @@ -1,5 +1,7 @@ # Firejail profile for 7zr +# Description: File archiver with high compression ratio # This file is overwritten after every install/update +quiet # Persistent local customizations include 7zr.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/abrowser.profile firejail-0.9.62/etc/abrowser.profile --- firejail-0.9.60/etc/abrowser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/abrowser.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,5 @@ # private-etc must first be enabled in firefox-common.profile #private-etc abrowser - # Redirect include firefox-common.profile diff -Nru firejail-0.9.60/etc/acat.profile firejail-0.9.62/etc/acat.profile --- firejail-0.9.60/etc/acat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/acat.profile 2019-12-14 13:30:32.000000000 +0000 
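Review bot: The rewritten profile leaves `#nogroups`, `#noroot` and `#private-bin 7z,7z*,p7zip` commented out without saying why; the removed `ignore noroot` line suggests the first two are deliberate, but the new file no longer records that. A comment next to those lines, such as `# nogroups/noroot intentionally disabled (was: ignore noroot) — TODO state the reason`, and one saying whether `private-bin` is pending or unwanted, would keep the next maintainer from re-enabling them by accident. The remaining additions (apparmor, caps.drop all, net none, protocol unix, seccomp, memory-deny-write-execute) tighten the profile relative to the old `include default.profile` and read fine.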
@@ -1,5 +1,6 @@ # Firejail profile for acat # This file is overwritten after every install/update +quiet # Persistent local customizations include acat.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/adiff.profile firejail-0.9.62/etc/adiff.profile --- firejail-0.9.60/etc/adiff.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/adiff.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,6 @@ # Firejail profile for adiff # This file is overwritten after every install/update +quiet # Persistent local customizations include adiff.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/akonadi_control.profile firejail-0.9.62/etc/akonadi_control.profile --- firejail-0.9.60/etc/akonadi_control.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/akonadi_control.profile 2019-12-14 13:30:32.000000000 +0000 @@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/contacts noblacklist ${HOME}/.local/share/local-mail noblacklist ${HOME}/.local/share/notes +noblacklist /sbin noblacklist /tmp/akonadi-* noblacklist /usr/sbin @@ -45,8 +46,8 @@ notv nou2f novideo -# protocol unix,inet,inet6 -# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +# protocol unix,inet,inet6,netlink +# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set tracelog private-dev diff -Nru firejail-0.9.60/etc/akregator.profile firejail-0.9.62/etc/akregator.profile --- firejail-0.9.60/etc/akregator.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/akregator.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -36,11 +36,11 @@ novideo protocol unix,inet,inet6,netlink # chroot syscalls are needed for setting up the built-in sandbox -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none disable-mnt -private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper +private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5 private-dev private-tmp diff -Nru firejail-0.9.60/etc/allow-common-devel.inc firejail-0.9.62/etc/allow-common-devel.inc --- firejail-0.9.60/etc/allow-common-devel.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/allow-common-devel.inc 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,17 @@ +# Rust +noblacklist ${HOME}/.cargo/config +noblacklist ${HOME}/.cargo/registry + +# Git +noblacklist ${HOME}/.config/git +noblacklist ${HOME}/.gitconfig +noblacklist ${HOME}/.git-credentials + +# Python +noblacklist ${HOME}/.python-history +noblacklist ${HOME}/.python_history +noblacklist ${HOME}/.pythonhist + +# Java +noblacklist ${HOME}/.gradle +noblacklist ${HOME}/.java diff -Nru firejail-0.9.60/etc/allow-java.inc firejail-0.9.62/etc/allow-java.inc --- firejail-0.9.60/etc/allow-java.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/allow-java.inc 2019-12-14 13:30:32.000000000 +0000 
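Review bot: The new allow-common-devel.inc lifts the blacklist on `${HOME}/.git-credentials` and `${HOME}/.cargo/config`, both of which may hold plaintext tokens, for every profile that includes it, yet the file has no header saying so. The three includers in this diff (android-studio, aosp, atom) already had the git entries inline, so nothing new is exposed today, but a generic .inc invites reuse by profiles that never needed credential access. Suggest a leading comment such as `# NOTE: re-exposes credential stores (~/.git-credentials, ~/.cargo/config) - include only for IDE/devel profiles`, plus the usual `# This file is overwritten after every install/update` header the profiles carry.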
@@ -0,0 +1,6 @@
+noblacklist ${HOME}/.java
+
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
diff -Nru firejail-0.9.60/etc/allow-lua.inc firejail-0.9.62/etc/allow-lua.inc
--- firejail-0.9.60/etc/allow-lua.inc 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/allow-lua.inc 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/lua*
+noblacklist /usr/include/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/share/lua
diff -Nru firejail-0.9.60/etc/allow-perl.inc firejail-0.9.62/etc/allow-perl.inc
--- firejail-0.9.60/etc/allow-perl.inc 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/allow-perl.inc 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,7 @@
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist ${PATH}/site_perl
+noblacklist ${PATH}/vendor_perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
diff -Nru firejail-0.9.60/etc/allow-python2.inc firejail-0.9.62/etc/allow-python2.inc
--- firejail-0.9.60/etc/allow-python2.inc 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/allow-python2.inc 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
diff -Nru firejail-0.9.60/etc/allow-python3.inc firejail-0.9.62/etc/allow-python3.inc
--- firejail-0.9.60/etc/allow-python3.inc 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/allow-python3.inc 2019-12-14 13:30:32.000000000 +0000
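Review bot: allow-python2.inc (and allow-python3.inc on the next line) adds `/usr/include/python2*` and `/usr/share/python2*`, which the inline lists being replaced in anki, arm, bleachbit and blender did not contain, so the "pure refactor" to `include allow-python*.inc` quietly widens those profiles to the extent the disable-*.inc files blacklist those paths. That may well be intended, but it deserves a one-line mention in the changelog or a comment in the .inc, e.g. `# also unblocks headers and /usr/share data, not just the interpreter and libraries`. The new allow-*.inc files also lack the `# This file is overwritten after every install/update` header every profile in this tree carries, and allow-java.inc's `noblacklist ${HOME}/.java` duplicates the entry in allow-common-devel.inc; a comment saying which file owns it would prevent drift.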
@@ -0,0 +1,5 @@ +noblacklist ${PATH}/python3* +noblacklist /usr/include/python3* +noblacklist /usr/lib/python3* +noblacklist /usr/local/lib/python3* +noblacklist /usr/share/python3* diff -Nru firejail-0.9.60/etc/als.profile firejail-0.9.62/etc/als.profile --- firejail-0.9.60/etc/als.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/als.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,6 @@ # Firejail profile for als # This file is overwritten after every install/update +quiet # Persistent local customizations include als.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/amarok.profile firejail-0.9.62/etc/amarok.profile --- firejail-0.9.60/etc/amarok.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/amarok.profile 2019-12-14 13:30:32.000000000 +0000 @@ -31,5 +31,5 @@ # private-bin amarok private-dev -# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl private-tmp diff -Nru firejail-0.9.60/etc/amuled.profile firejail-0.9.62/etc/amuled.profile --- firejail-0.9.60/etc/amuled.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/amuled.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for amuled +# Description: Daemon for amule +# This file is overwritten after every install/update +# Persistent local customizations +include amule.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin amuled + +# Redirect +include amule.profile diff -Nru firejail-0.9.60/etc/amule.profile firejail-0.9.62/etc/amule.profile --- firejail-0.9.60/etc/amule.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/amule.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,7 +6,6 @@ # Persistent global definitions include globals.local - noblacklist ${HOME}/.aMule include disable-common.inc 
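Review bot: The new amuled.profile reads `include amule.local` where every other alias profile in this diff includes its own name (7zr.local, atom-beta.local, autokey-gtk.local), so a user cannot customise amuled separately from amule, and since the file then redirects to amule.profile, amule.local is presumably processed twice (not verifiable from this hunk). Suggest `include amuled.local` on that line unless sharing the local file is deliberate, in which case a comment saying so would help.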
@@ -16,6 +15,7 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.aMule whitelist ${DOWNLOADS} whitelist ${HOME}/.aMule include whitelist-common.inc diff -Nru firejail-0.9.60/etc/android-studio.profile firejail-0.9.62/etc/android-studio.profile --- firejail-0.9.60/etc/android-studio.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/android-studio.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,17 +7,15 @@ noblacklist ${HOME}/.AndroidStudio* noblacklist ${HOME}/.android -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.gradle noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings -noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/JetBrains noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allows files commonly used by IDEs +include allow-common-devel.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc diff -Nru firejail-0.9.60/etc/anki.profile firejail-0.9.62/etc/anki.profile --- firejail-0.9.60/etc/anki.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/anki.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/Anki2 # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -25,6 +21,7 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.local/share/Anki2 whitelist ${DOCUMENTS} whitelist ${HOME}/.local/share/Anki2 include whitelist-common.inc 
@@ -53,5 +50,5 @@ private-bin anki,python* private-cache private-dev -private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,Trolltech.conf,ssl +private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf private-tmp diff -Nru firejail-0.9.60/etc/aosp.profile firejail-0.9.62/etc/aosp.profile --- firejail-0.9.60/etc/aosp.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/aosp.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,21 +5,18 @@ # Persistent global definitions include globals.local - noblacklist ${HOME}/.android noblacklist ${HOME}/.bash_history -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.gradle noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings -noblacklist ${HOME}/.java noblacklist ${HOME}/.repo_.gitconfig.json noblacklist ${HOME}/.repoconfig noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allows files commonly used by IDEs +include allow-common-devel.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc diff -Nru firejail-0.9.60/etc/apack.profile firejail-0.9.62/etc/apack.profile --- firejail-0.9.60/etc/apack.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/apack.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,6 @@ # Firejail profile for apack # This file is overwritten after every install/update +quiet # Persistent local customizations include apack.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/apktool.profile firejail-0.9.62/etc/apktool.profile --- firejail-0.9.60/etc/apktool.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/apktool.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -31,6 +31,6 @@ seccomp shell none -private-bin apktool,bash,java,dirname,basename,expr,sh +private-bin apktool,basename,bash,dirname,expr,java,sh private-cache private-dev diff -Nru firejail-0.9.60/etc/arch-audit.profile firejail-0.9.62/etc/arch-audit.profile --- firejail-0.9.60/etc/arch-audit.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/arch-audit.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,7 +7,6 @@ # Persistent global definitions include globals.local - noblacklist /var/lib/pacman include disable-common.inc @@ -18,6 +17,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/arch-audit +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace diff -Nru firejail-0.9.60/etc/archaudit-report.profile firejail-0.9.62/etc/archaudit-report.profile --- firejail-0.9.60/etc/archaudit-report.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/archaudit-report.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,7 +6,6 @@ # Persistent global definitions include globals.local - noblacklist /var/lib/pacman include disable-common.inc @@ -17,8 +16,6 @@ include disable-programs.inc include disable-xdg.inc -include whitelist-common.inc - caps.drop all ipc-namespace netfilter @@ -36,7 +33,7 @@ disable-mnt private -private-bin archaudit-report,arch-audit,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds +private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds #private-dev private-tmp diff -Nru firejail-0.9.60/etc/ardour4.profile firejail-0.9.62/etc/ardour4.profile --- firejail-0.9.60/etc/ardour4.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ardour4.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,5 @@ # Firejail profile alias for ardour5 # This file is overwritten after every install/update - # Redirect include ardour5.profile diff -Nru firejail-0.9.60/etc/ardour5.profile firejail-0.9.62/etc/ardour5.profile --- firejail-0.9.60/etc/ardour5.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ardour5.profile 2019-12-14 13:30:32.000000000 +0000 @@ -34,9 +34,9 @@ seccomp shell none -#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm +#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh private-cache private-dev -#private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf +#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11 private-tmp diff -Nru firejail-0.9.60/etc/arduino.profile firejail-0.9.62/etc/arduino.profile --- firejail-0.9.60/etc/arduino.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/arduino.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,15 +7,11 @@ include globals.local noblacklist ${HOME}/.arduino15 -noblacklist ${HOME}/.java noblacklist ${HOME}/Arduino noblacklist ${DOCUMENTS} -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/arepack.profile firejail-0.9.62/etc/arepack.profile --- firejail-0.9.60/etc/arepack.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/arepack.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,5 +1,6 @@ # Firejail profile for arepack # This file is overwritten after every install/update +quiet # Persistent local customizations include arepack.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/aria2c.profile firejail-0.9.62/etc/aria2c.profile --- firejail-0.9.60/etc/aria2c.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/aria2c.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,7 +14,8 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -# include disable-xdg.inc + +include whitelist-usr-share-common.inc caps.drop all ipc-namespace @@ -35,9 +36,10 @@ # disable-mnt private-bin aria2c,gzip -private-cache +# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) +#private-cache private-dev -private-etc alternatives,ca-certificates,ssl,resolv.conf +private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl private-lib libreadline.so.* private-tmp diff -Nru firejail-0.9.60/etc/ark.profile firejail-0.9.62/etc/ark.profile --- firejail-0.9.60/etc/ark.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ark.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,6 +15,8 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/ark +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
@@ -34,8 +36,8 @@ seccomp shell none -private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh -#private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg +private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo +#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg private-dev private-tmp diff -Nru firejail-0.9.60/etc/arm.profile firejail-0.9.62/etc/arm.profile --- firejail-0.9.60/etc/arm.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/arm.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${HOME}/.arm # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -45,8 +41,8 @@ tracelog disable-mnt -private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig +private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor private-dev -private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor private-tmp diff -Nru firejail-0.9.60/etc/ar.profile firejail-0.9.62/etc/ar.profile --- firejail-0.9.60/etc/ar.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/ar.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,43 @@ +# Firejail profile for ar +# Description: Create, modify, and extract from archives +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ar.local +# Persistent global definitions +include globals.local + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +apparmor +caps.drop all +hostname ar +ipc-namespace +machine-id +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +#noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +private-bin ar +private-cache +private-dev + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/artha.profile firejail-0.9.62/etc/artha.profile --- firejail-0.9.60/etc/artha.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/artha.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,16 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/artha.conf +mkdir ${HOME}/.config/enchant +whitelist ${HOME}/.config/artha.conf +whitelist ${HOME}/.config/enchant +whitelist /usr/share/artha +whitelist /usr/share/wordnet +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + apparmor caps.drop all ipc-namespace @@ -38,7 +48,7 @@ private-bin artha,enchant,notify-send private-cache private-dev -private-etc alternatives,machine-id,fonts +private-etc alternatives,fonts,machine-id private-lib libnotify.so.* private-tmp diff -Nru firejail-0.9.60/etc/assogiate.profile firejail-0.9.62/etc/assogiate.profile --- firejail-0.9.60/etc/assogiate.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/assogiate.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,7 +7,6 @@ include globals.local noblacklist ${PICTURES} -whitelist ${PICTURES} include disable-common.inc include disable-devel.inc 
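Review bot: `mkdir ${HOME}/.config/artha.conf` in the artha hunk creates a directory at a path whose name strongly suggests a regular file; if artha.conf does not exist yet, the sandbox would leave a directory where the application expects to write its config, and the following `whitelist ${HOME}/.config/artha.conf` would then whitelist an empty directory. If it is a file, the line should be `mkfile ${HOME}/.config/artha.conf`; if it really is a directory, a short comment to that effect would stop the next reviewer from asking the same question.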
@@ -16,7 +15,10 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc + +whitelist ${PICTURES} include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -42,7 +44,7 @@ private-bin assogiate,gtk-update-icon-cache,update-mime-database private-cache private-dev -private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* +private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.* private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/asunder.profile firejail-0.9.62/etc/asunder.profile --- firejail-0.9.60/etc/asunder.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/asunder.profile 2019-12-14 13:30:32.000000000 +0000 @@ -30,11 +30,11 @@ nonewprivs noroot nou2f +novideo protocol unix,inet,inet6 seccomp shell none -#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc private-dev private-tmp diff -Nru firejail-0.9.60/etc/atom-beta.profile firejail-0.9.62/etc/atom-beta.profile --- firejail-0.9.60/etc/atom-beta.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/atom-beta.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,5 +2,9 @@ # This file is overwritten after every install/update # Persistent local customizations include atom-beta.local -# Profile redirect +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect include atom.profile diff -Nru firejail-0.9.60/etc/atom.profile firejail-0.9.62/etc/atom.profile --- firejail-0.9.60/etc/atom.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/atom.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -8,12 +8,9 @@ noblacklist ${HOME}/.atom noblacklist ${HOME}/.config/Atom -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.cargo/config -noblacklist ${HOME}/.cargo/registry -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.pythonrc.py + +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc include disable-exec.inc diff -Nru firejail-0.9.60/etc/atool.profile firejail-0.9.62/etc/atool.profile --- firejail-0.9.60/etc/atool.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/atool.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,20 +1,14 @@ # Firejail profile for atool # Description: Tool for managing file archives of various types -quiet # This file is overwritten after every install/update +quiet # Persistent local customizations include atool.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - # Allow perl (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/cpan* -noblacklist ${PATH}/core_perl -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +include allow-perl.inc include disable-common.inc # include disable-devel.inc @@ -44,12 +38,13 @@ seccomp shell none tracelog +x11 none # private-bin atool,perl private-cache private-dev # without login.defs atool complains and uses UID/GID 1000 by default -private-etc alternatives,passwd,group,login.defs +private-etc alternatives,group,login.defs,passwd private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/atril-previewer.profile firejail-0.9.62/etc/atril-previewer.profile --- firejail-0.9.60/etc/atril-previewer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/atril-previewer.profile 2019-12-14 13:30:32.000000000 +0000 
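Review bot: The atom hunk drops `noblacklist ${HOME}/.pythonrc.py`, but allow-common-devel.inc only covers `.python-history`, `.python_history` and `.pythonhist`, so this is not an equivalent replacement and atom loses access to that file wherever a disable-*.inc blacklists it (not verifiable from this hunk). Either keep `noblacklist ${HOME}/.pythonrc.py` in atom.profile or add it to the shared .inc, and say which in the commit message.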
@@ -3,8 +3,8 @@ # Persistent local customizations include atril-previewer.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include atril.profile diff -Nru firejail-0.9.60/etc/atril.profile firejail-0.9.62/etc/atril.profile --- firejail-0.9.60/etc/atril.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/atril.profile 2019-12-14 13:30:32.000000000 +0000 @@ -40,7 +40,7 @@ shell none tracelog -private-bin atril, atril-previewer, atril-thumbnailer +private-bin atril,atril-previewer,atril-thumbnailer private-dev private-etc alternatives,fonts,ld.so.cache # atril uses webkit gtk to display epub files diff -Nru firejail-0.9.60/etc/atril-thumbnailer.profile firejail-0.9.62/etc/atril-thumbnailer.profile --- firejail-0.9.60/etc/atril-thumbnailer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/atril-thumbnailer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include atril-thumbnailer.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include atril.profile diff -Nru firejail-0.9.60/etc/audio-recorder.profile firejail-0.9.62/etc/audio-recorder.profile --- firejail-0.9.60/etc/audio-recorder.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/audio-recorder.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,51 @@ +# Firejail profile for audio-recorder +# Description: Audio Recorder Application +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include audio-recorder.local +# Persistent global definitions +include globals.local + +noblacklist ${MUSIC} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist ${MUSIC} +whitelist ${DOWNLOADS} +whitelist /usr/share/audio-recorder +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +no3d +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +# private-bin audio-recorder +private-cache +private-etc alternatives,fonts +private-tmp + +# memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.60/etc/aunpack.profile firejail-0.9.62/etc/aunpack.profile --- firejail-0.9.60/etc/aunpack.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/aunpack.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,6 @@ # Firejail profile for aunpack # This file is overwritten after every install/update +quiet # Persistent local customizations include aunpack.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/authenticator.profile firejail-0.9.62/etc/authenticator.profile --- firejail-0.9.60/etc/authenticator.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/authenticator.profile 2019-12-14 13:30:32.000000000 +0000 
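Review bot: The new audio-recorder profile ends with `# memory-deny-write-execute - breaks on Arch` while the same diff normalises that line elsewhere to `#memory-deny-write-execute - breaks on Arch (see issue #1803)` (authenticator, autokey-common, bitwarden); a new file should use the normalised form. `# private-bin audio-recorder` is likewise commented with no reason, so a reader cannot tell whether it is untested or known to break; suggest `# private-bin audio-recorder - <reason or 'untested'>`.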
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/Authenticator # Allow python (blacklisted by disable-interpreters.inc) -#noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -#noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -#noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +#include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -47,4 +43,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl private-tmp -# memory-deny-write-execute - breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/autokey-common.profile firejail-0.9.62/etc/autokey-common.profile --- firejail-0.9.60/etc/autokey-common.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/autokey-common.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,20 +4,15 @@ # Persistent local customizations include autokey-common.local # Persistent global definitions -include globals.local +# added by caller profile +#include globals.local noblacklist ${HOME}/.config/autokey noblacklist ${HOME}/.local/share/autokey # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* -noblacklist /usr/share/python2* -noblacklist /usr/share/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -44,4 +39,4 @@ private-dev private-tmp -# memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/autokey-gtk.profile firejail-0.9.62/etc/autokey-gtk.profile --- firejail-0.9.60/etc/autokey-gtk.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/autokey-gtk.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,8 +4,7 @@ # Persistent local customizations include autokey-gtk.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -#Redirect +# Redirect include autokey-common.profile diff -Nru firejail-0.9.60/etc/autokey-qt.profile firejail-0.9.62/etc/autokey-qt.profile --- firejail-0.9.60/etc/autokey-qt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/autokey-qt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,8 +4,7 @@ # Persistent local customizations include autokey-qt.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -#Redirect +# Redirect include autokey-common.profile diff -Nru firejail-0.9.60/etc/autokey-run.profile firejail-0.9.62/etc/autokey-run.profile --- firejail-0.9.60/etc/autokey-run.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/autokey-run.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,8 +4,7 @@ # Persistent local customizations include autokey-run.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -#Redirect +# Redirect include autokey-common.profile diff -Nru firejail-0.9.60/etc/autokey-shell.profile firejail-0.9.62/etc/autokey-shell.profile --- firejail-0.9.60/etc/autokey-shell.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/autokey-shell.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -4,8 +4,7 @@ # Persistent local customizations include autokey-shell.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -#Redirect +# Redirect include autokey-common.profile diff -Nru firejail-0.9.60/etc/baloo_filemetadata_temp_extractor.profile firejail-0.9.62/etc/baloo_filemetadata_temp_extractor.profile --- firejail-0.9.60/etc/baloo_filemetadata_temp_extractor.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/baloo_filemetadata_temp_extractor.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,7 +4,8 @@ # Persistent local customizations include baloo_filemetadata_temp_extractor.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local ignore read-write read-only ${HOME} diff -Nru firejail-0.9.60/etc/baloo_file.profile firejail-0.9.62/etc/baloo_file.profile --- firejail-0.9.60/etc/baloo_file.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/baloo_file.profile 2019-12-14 13:30:32.000000000 +0000 @@ -26,7 +26,10 @@ include whitelist-var-common.inc +apparmor caps.drop all +machine-id +# net none netfilter no3d nodvd @@ -39,7 +42,7 @@ novideo protocol unix # blacklisting of ioprio_set system calls breaks baloo_file -seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +seccomp !ioprio_set shell none # x11 xorg diff -Nru firejail-0.9.60/etc/baobab.profile firejail-0.9.62/etc/baobab.profile --- firejail-0.9.60/etc/baobab.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/baobab.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -32,5 +32,3 @@ private-bin baobab private-dev private-tmp - -#memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.60/etc/basilisk.profile firejail-0.9.62/etc/basilisk.profile --- firejail-0.9.60/etc/basilisk.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/basilisk.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,13 +10,12 @@ mkdir ${HOME}/.cache/moonchild productions/basilisk mkdir ${HOME}/.moonchild productions -whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/moonchild productions/basilisk whitelist ${HOME}/.moonchild productions # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) -ignore seccomp.drop seccomp +ignore seccomp #private-bin basilisk # private-etc must first be enabled in firefox-common.profile diff -Nru firejail-0.9.60/etc/beaker.profile firejail-0.9.62/etc/beaker.profile --- firejail-0.9.60/etc/beaker.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/beaker.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include beaker.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.config/Beaker Browser diff -Nru firejail-0.9.60/etc/bibletime.profile firejail-0.9.62/etc/bibletime.profile --- firejail-0.9.60/etc/bibletime.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bibletime.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,12 +6,12 @@ # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc - noblacklist ${HOME}/.bibletime noblacklist ${HOME}/.sword noblacklist ${HOME}/.local/share/bibletime +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc 
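Review bot: In the basilisk hunk, replacing `ignore seccomp.drop` plus a standalone `seccomp` with only `ignore seccomp` makes the outcome depend on how `ignore` matches the seccomp line that firefox-common.profile now provides: if it matches by prefix, every seccomp directive is dropped and basilisk ends up with no filter at all, which contradicts the comment "Basilisk can use the full firejail seccomp filter" directly above. I cannot confirm the matching rule or firefox-common's current line from this hunk; if the intent is the full default filter, keep an explicit `seccomp` after the ignore, or state in the comment that firefox-common now supplies a plain `seccomp`.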
@@ -25,7 +25,10 @@ whitelist ${HOME}/.bibletime whitelist ${HOME}/.sword whitelist ${HOME}/.local/share/bibletime +whitelist /usr/share/bibletime +whitelist /usr/share/sword include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -42,7 +45,7 @@ nou2f novideo protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none disable-mnt diff -Nru firejail-0.9.60/etc/bitcoin-qt.profile firejail-0.9.62/etc/bitcoin-qt.profile --- firejail-0.9.60/etc/bitcoin-qt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bitcoin-qt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -43,7 +43,7 @@ private-bin bitcoin-qt private-dev # Causes problem with loading of libGL.so -#private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies +#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/bitlbee.profile firejail-0.9.62/etc/bitlbee.profile --- firejail-0.9.60/etc/bitlbee.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bitlbee.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,12 +6,15 @@ # Persistent global definitions include globals.local +ignore noexec ${HOME} + noblacklist /sbin noblacklist /usr/sbin # noblacklist /var/log include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
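Review bot: The bitlbee hunk adds `ignore noexec ${HOME}` immediately before `include disable-exec.inc` with no comment saying why bitlbee must execute from the home directory, so the exemption reads like an accident rather than a requirement. A one-line reason above it, e.g. `# bitlbee executes <what> from ${HOME}; keep noexec on /tmp only`, would document the trade-off and make it clear the remaining hunk's removal of `noexec /tmp` relies on disable-exec.inc for that path.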
@@ -33,6 +36,5 @@ private-cache private-dev private-tmp -read-write /var/lib/bitlbee -noexec /tmp +read-write /var/lib/bitlbee diff -Nru firejail-0.9.60/etc/bitwarden.profile firejail-0.9.62/etc/bitwarden.profile --- firejail-0.9.60/etc/bitwarden.profile 2019-05-06 13:13:29.000000000 +0000 +++ firejail-0.9.62/etc/bitwarden.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,9 +6,10 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.config/Bitwarden ignore noexec /tmp +noblacklist ${HOME}/.config/Bitwarden + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -17,11 +18,11 @@ include disable-programs.inc include disable-xdg.inc -include whitelist-common.inc -include whitelist-var-common.inc - +mkdir ${HOME}/.config/Bitwarden whitelist ${HOME}/.config/Bitwarden whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-var-common.inc apparmor caps.drop all @@ -46,8 +47,8 @@ private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -private-etc alternatives,ca-certificates,crypto-policies,hosts,nsswitch.conf,fonts,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl private-opt Bitwarden private-tmp -#memory-deny-write-execute - breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/bleachbit.profile firejail-0.9.62/etc/bleachbit.profile --- firejail-0.9.60/etc/bleachbit.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bleachbit.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,12 +7,8 @@ include globals.local # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/blender-2.8.profile firejail-0.9.62/etc/blender-2.8.profile --- firejail-0.9.60/etc/blender-2.8.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/blender-2.8.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for blender # This file is overwritten after every install/update - # Redirect include blender.profile diff -Nru firejail-0.9.60/etc/blender.profile firejail-0.9.62/etc/blender.profile --- firejail-0.9.60/etc/blender.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/blender.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/blender # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/bless.profile firejail-0.9.62/etc/bless.profile --- firejail-0.9.60/etc/bless.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bless.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -33,7 +33,7 @@ seccomp shell none -# private-bin bless,sh,bash,mono +# private-bin bash,bless,mono,sh private-cache private-dev private-etc alternatives,fonts,mono diff -Nru firejail-0.9.60/etc/brackets.profile firejail-0.9.62/etc/brackets.profile --- firejail-0.9.60/etc/brackets.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/brackets.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,15 +6,11 @@ include globals.local noblacklist ${HOME}/.config/Brackets -#noblacklist /opt/brackets/ -#noblacklist /opt/google/ -# Uncomment the the next two lines if you are developing rust. -# or put it in your brackets.local -#noblacklist ${HOME}/.cargo/config -#noblacklist ${HOME}/.cargo/registry -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials +#noblacklist /opt/brackets +#noblacklist /opt/google + +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc include disable-passwdmgr.inc @@ -31,7 +27,7 @@ nou2f novideo protocol unix,inet,inet6,netlink -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot,!ioperm shell none private-cache diff -Nru firejail-0.9.60/etc/brasero.profile firejail-0.9.62/etc/brasero.profile --- firejail-0.9.60/etc/brasero.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/brasero.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -31,7 +31,4 @@ # private-bin brasero private-cache # private-dev -# private-etc alternatives,fonts # private-tmp - -memory-deny-write-execute diff -Nru firejail-0.9.60/etc/brave-browser-beta.profile firejail-0.9.62/etc/brave-browser-beta.profile --- firejail-0.9.60/etc/brave-browser-beta.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/brave-browser-beta.profile 2019-12-28 13:14:56.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for brave (beta channel) +# This file is overwritten after every install/update + +# Redirect +include brave.profile diff -Nru firejail-0.9.60/etc/brave-browser-dev.profile firejail-0.9.62/etc/brave-browser-dev.profile --- firejail-0.9.60/etc/brave-browser-dev.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/brave-browser-dev.profile 2019-12-28 13:14:56.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for brave (development channel) +# This file is overwritten after every install/update + +# Redirect +include brave.profile diff -Nru firejail-0.9.60/etc/brave-browser-nightly.profile firejail-0.9.62/etc/brave-browser-nightly.profile --- firejail-0.9.60/etc/brave-browser-nightly.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/brave-browser-nightly.profile 2019-12-28 13:14:56.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for brave (nightly channel) +# This file is overwritten after every install/update + +# Redirect +include brave.profile diff -Nru firejail-0.9.60/etc/brave-browser.profile firejail-0.9.62/etc/brave-browser.profile --- firejail-0.9.60/etc/brave-browser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/brave-browser.profile 2019-12-14 13:30:32.000000000 +0000 
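Review bot: `memory-deny-write-execute` is deleted outright from brasero.profile with no comment, silently removing an active hardening directive. Elsewhere on this page the directive is kept as a commented line with its reason (`#memory-deny-write-execute - breaks on Arch (see issue #1803)`), which preserves the intent and tells the next maintainer whether re-enabling is safe. Suggest the same form here, `#memory-deny-write-execute - <reason it was dropped>`, rather than a bare deletion.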
@@ -1,6 +1,5 @@ # Firejail profile alias for brave # This file is overwritten after every install/update - # Redirect include brave.profile diff -Nru firejail-0.9.60/etc/brave-browser-stable.profile firejail-0.9.62/etc/brave-browser-stable.profile --- firejail-0.9.60/etc/brave-browser-stable.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/brave-browser-stable.profile 2019-12-28 13:14:56.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for brave (release channel) +# This file is overwritten after every install/update + +# Redirect +include brave.profile diff -Nru firejail-0.9.60/etc/brave.profile firejail-0.9.62/etc/brave.profile --- firejail-0.9.60/etc/brave.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/brave.profile 2019-12-28 13:14:56.000000000 +0000 
@@ -1,24 +1,32 @@ # Firejail profile for brave -# This file is overwritten after every install/update # Description: Web browser that blocks ads and trackers by default. +# This file is overwritten after every install/update # Persistent local customizations include brave.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.config/brave +# noexec /tmp is included in chromium-common.profile and breaks Brave +ignore noexec /tmp + +noblacklist ${HOME}/.cache/BraveSoftware noblacklist ${HOME}/.config/BraveSoftware +noblacklist ${HOME}/.config/brave +noblacklist ${HOME}/.config/brave-flags.conf # brave uses gpg for built-in password manager noblacklist ${HOME}/.gnupg -mkdir ${HOME}/.config/brave +mkdir ${HOME}/.cache/BraveSoftware mkdir ${HOME}/.config/BraveSoftware -whitelist ${HOME}/.config/brave +mkdir ${HOME}/.config/brave +whitelist ${HOME}/.cache/BraveSoftware whitelist ${HOME}/.config/BraveSoftware +whitelist ${HOME}/.config/brave +whitelist ${HOME}/.config/brave-flags.conf whitelist ${HOME}/.gnupg -# noexec /tmp is included in chromium-common.profile and breaks Brave -ignore noexec /tmp +# Brave sandbox needs read access to /proc/config.gz +noblacklist /proc/config.gz # Redirect include chromium-common.profile diff -Nru firejail-0.9.60/etc/bsdcat.profile firejail-0.9.62/etc/bsdcat.profile --- firejail-0.9.60/etc/bsdcat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bsdcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for bsdtar # This file is overwritten after every install/update - # Redirect include bsdtar.profile diff -Nru firejail-0.9.60/etc/bsdcpio.profile firejail-0.9.62/etc/bsdcpio.profile --- firejail-0.9.60/etc/bsdcpio.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bsdcpio.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,5 @@ # Firejail profile alias for bsdtar # This file is overwritten after every install/update - # Redirect include bsdtar.profile diff -Nru firejail-0.9.60/etc/bsdtar.profile firejail-0.9.62/etc/bsdtar.profile --- firejail-0.9.60/etc/bsdtar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bsdtar.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - include disable-common.inc # include disable-devel.inc include disable-exec.inc @@ -20,10 +18,10 @@ hostname bsdtar ipc-namespace machine-id -netfilter +net none no3d -nodvd nodbus +nodvd nogroups nonewprivs # noroot @@ -35,11 +33,12 @@ seccomp shell none tracelog +x11 none # support compressed archives -private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive +private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz private-cache private-dev -private-etc alternatives,passwd,group,localtime +private-etc alternatives,group,localtime,passwd memory-deny-write-execute diff -Nru firejail-0.9.60/etc/Builder.profile firejail-0.9.62/etc/Builder.profile --- firejail-0.9.60/etc/Builder.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Builder.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,7 +1,6 @@ # Firejail profile for gnome-builder # This file is overwritten after every install/update - # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-builder.profile diff -Nru firejail-0.9.60/etc/bunzip2.profile firejail-0.9.62/etc/bunzip2.profile --- firejail-0.9.60/etc/bunzip2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bunzip2.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,7 @@ # Firejail profile for bunzip2 # Description: A high-quality data compression program # This file is overwritten after every install/update +quiet # Persistent local customizations include bunzip2.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/bzcat.profile firejail-0.9.62/etc/bzcat.profile --- firejail-0.9.60/etc/bzcat.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/bzcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,15 @@ +# Firejail profile for bzcat +# Description: A high-quality data compression program +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include bzcat.local +# Persistent global definitions +# added by included profile +#include globals.local + +ignore read-write +read-only ${HOME} + +# Redirect +include gzip.profile diff -Nru firejail-0.9.60/etc/bzflag.profile firejail-0.9.62/etc/bzflag.profile --- firejail-0.9.60/etc/bzflag.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bzflag.profile 2019-12-14 13:30:32.000000000 +0000 @@ -38,7 +38,7 @@ tracelog disable-mnt -private-bin bzflag,bzflag-wrapper,bzfs,bzadmin +private-bin bzadmin,bzflag,bzflag-wrapper,bzfs private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/bzip2.profile firejail-0.9.62/etc/bzip2.profile --- firejail-0.9.60/etc/bzip2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/bzip2.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for bzip2 # Description: A high-quality data compression program # This file is overwritten after every install/update +quiet # Persistent local customizations include bzip2.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/caja.profile firejail-0.9.62/etc/caja.profile --- firejail-0.9.60/etc/caja.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/caja.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -14,12 +14,8 @@ # noblacklist ${HOME}/.local/share/caja-python # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -27,6 +23,7 @@ include disable-passwdmgr.inc # include disable-programs.inc +allusers caps.drop all netfilter nodvd @@ -43,5 +40,4 @@ # caja needs to be able to start arbitrary applications so we cannot blacklist their files # private-bin caja # private-dev -# private-etc alternatives,fonts # private-tmp diff -Nru firejail-0.9.60/etc/calibre.profile firejail-0.9.62/etc/calibre.profile --- firejail-0.9.60/etc/calibre.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calibre.profile 2019-12-14 13:30:32.000000000 +0000 @@ -21,7 +21,6 @@ caps.drop all netfilter -no3d nodvd nogroups nonewprivs @@ -30,10 +29,9 @@ notv nou2f novideo -protocol unix,inet,inet6 -seccomp +protocol unix,inet,inet6,netlink +seccomp !chroot shell none -tracelog private-dev private-tmp diff -Nru firejail-0.9.60/etc/calligraauthor.profile firejail-0.9.62/etc/calligraauthor.profile --- firejail-0.9.60/etc/calligraauthor.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligraauthor.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/calligraconverter.profile firejail-0.9.62/etc/calligraconverter.profile --- firejail-0.9.60/etc/calligraconverter.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligraconverter.profile 2019-12-14 13:30:32.000000000 +0000 
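Review bot: `allusers` is added to caja.profile without a comment, and it is a deliberate relaxation of home-directory isolation (the sandbox gains visibility of other users' homes), so the reason belongs next to it. Presumably a file manager needs to browse /home, but that should be stated, e.g. `# allusers - file manager must be able to browse other users' home directories`. Since `# include disable-programs.inc` is already off in the same context, a note near the top of the profile saying how little isolation it intentionally provides would also help.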
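Review bot: `tracelog` is removed from calibre.profile together with `no3d`, `protocol` gains `netlink` and `seccomp` becomes `seccomp !chroot`, and none of these relaxations carries a comment. As I understand it `tracelog` only reports blacklist violations to syslog, so dropping it loses detection signal without gaining functionality; if it was removed because the log was noisy, say so, otherwise keep it. A short comment on the `protocol unix,inet,inet6,netlink` and `seccomp !chroot` lines stating what in calibre needs netlink and chroot would make the exceptions auditable.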
@@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/calligraflow.profile firejail-0.9.62/etc/calligraflow.profile --- firejail-0.9.60/etc/calligraflow.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligraflow.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/calligraplan.profile firejail-0.9.62/etc/calligraplan.profile --- firejail-0.9.60/etc/calligraplan.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligraplan.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/calligraplanwork.profile firejail-0.9.62/etc/calligraplanwork.profile --- firejail-0.9.60/etc/calligraplanwork.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligraplanwork.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/calligrasheets.profile firejail-0.9.62/etc/calligrasheets.profile --- firejail-0.9.60/etc/calligrasheets.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligrasheets.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/calligrastage.profile firejail-0.9.62/etc/calligrastage.profile --- firejail-0.9.60/etc/calligrastage.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligrastage.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/calligrawords.profile firejail-0.9.62/etc/calligrawords.profile --- firejail-0.9.60/etc/calligrawords.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/calligrawords.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Redirect include calligra.profile diff -Nru firejail-0.9.60/etc/cameramonitor.profile firejail-0.9.62/etc/cameramonitor.profile --- firejail-0.9.60/etc/cameramonitor.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/cameramonitor.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,53 @@ +# Firejail profile for cameramonitor +# Description: A little monitor to check your webcam status +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include cameramonitor.local +# Persistent global definitions +include globals.local + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist /usr/share/cameramonitor +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +#nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin cameramonitor,python* +private-cache +private-etc alternatives,fonts +private-tmp + +# memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.60/etc/cantata.profile firejail-0.9.62/etc/cantata.profile --- firejail-0.9.60/etc/cantata.profile 2019-05-17 12:37:47.000000000 +0000 +++ firejail-0.9.62/etc/cantata.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,9 +11,8 @@ noblacklist ${HOME}/.local/share/cantata noblacklist ${MUSIC} -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc include disable-common.inc include disable-devel.inc 
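Review bot: `#nodbus` in the new cameramonitor.profile is the only sandbox directive left commented out, with no reason given, while the neighbouring `net none`, `nosound` and `novideo` are enabled. Other profiles on this page record why a directive is off (`# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector` in chromium-common.profile); suggest `#nodbus - <what breaks>` here, or enable it if nothing does. `novideo` in a webcam-status monitor also deserves a one-line comment — it may be correct if the tool only reads device state, but that is not obvious from the profile.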
@@ -35,6 +34,6 @@ seccomp shell none -# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl +# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg private-bin cantata,mpd,perl private-dev diff -Nru firejail-0.9.60/etc/catfish.profile firejail-0.9.62/etc/catfish.profile --- firejail-0.9.60/etc/catfish.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/catfish.profile 2019-12-14 13:30:32.000000000 +0000 @@ -12,18 +12,14 @@ noblacklist ${HOME}/.config/catfish # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc -include disable-common.inc +# include disable-common.inc # include disable-devel.inc include disable-interpreters.inc include disable-passwdmgr.inc -include disable-programs.inc +# include disable-programs.inc whitelist /var/lib/mlocate include whitelist-var-common.inc diff -Nru firejail-0.9.60/etc/celluloid.profile firejail-0.9.62/etc/celluloid.profile --- firejail-0.9.60/etc/celluloid.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/celluloid.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,18 +6,15 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.config/gnome-mpv noblacklist ${HOME}/.config/celluloid +noblacklist ${HOME}/.config/gnome-mpv +noblacklist ${HOME}/.config/youtube-dl noblacklist ${MUSIC} noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
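Review bot: Commenting out `include disable-common.inc` and `include disable-programs.inc` in catfish.profile removes most of the profile's blacklist of sensitive user files (those includes typically cover ssh keys, password stores and other programs' configs), and the hunk gives no reason. If this is because a file search tool must see those paths, say so above the lines, e.g. `# catfish must search the whole home directory, so the common blacklists are not applied`; without it the change reads as an accidental weakening. If only specific paths are needed, per-path `noblacklist` entries would be the tighter alternative.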
@@ -42,9 +39,9 @@ shell none tracelog -private-bin celluloid,gnome-mpv,youtube-dl,python*,env +private-bin celluloid,env,gnome-mpv,python*,youtube-dl private-cache -private-etc alternatives,ca-certificates,ssl,pki,pkcs11,hosts,machine-id,localtime,libva.conf,drirc,fonts,gtk-3.0,dconf,crypto-policies,xdg,selinux,resolv.conf +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg private-dev private-tmp diff -Nru firejail-0.9.60/etc/checkbashisms.profile firejail-0.9.62/etc/checkbashisms.profile --- firejail-0.9.60/etc/checkbashisms.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/checkbashisms.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,11 +10,7 @@ noblacklist ${DOCUMENTS} # Allow perl (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/cpan* -noblacklist ${PATH}/core_perl -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +include allow-perl.inc include disable-common.inc include disable-devel.inc @@ -24,6 +20,8 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/perl5 +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -44,10 +42,11 @@ protocol unix seccomp shell none +x11 none private-cache private-dev -private-lib perl* +private-lib libfreebl3.so,perl* private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/cheese.profile firejail-0.9.62/etc/cheese.profile --- firejail-0.9.60/etc/cheese.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cheese.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,7 @@ include globals.local noblacklist ${VIDEOS} +noblacklist ${PICTURES} include disable-common.inc include disable-devel.inc @@ -17,6 +18,7 @@ include disable-xdg.inc whitelist ${VIDEOS} +whitelist ${PICTURES} include whitelist-common.inc include whitelist-var-common.inc 
@@ -39,5 +41,5 @@ disable-mnt private-bin cheese private-cache -private-etc alternatives,fonts,drirc,clutter-1.0,gtk-3.0,dconf +private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 private-tmp diff -Nru firejail-0.9.60/etc/Cheese.profile firejail-0.9.62/etc/Cheese.profile --- firejail-0.9.60/etc/Cheese.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Cheese.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,7 +1,6 @@ # Firejail profile for cheese # This file is overwritten after every install/update - # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include cheese.profile diff -Nru firejail-0.9.60/etc/cherrytree.profile firejail-0.9.62/etc/cherrytree.profile --- firejail-0.9.60/etc/cherrytree.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cherrytree.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/chromium-browser.profile firejail-0.9.62/etc/chromium-browser.profile --- firejail-0.9.60/etc/chromium-browser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/chromium-browser.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for chromium # This file is overwritten after every install/update - # Redirect include chromium.profile diff -Nru firejail-0.9.60/etc/chromium-common.profile firejail-0.9.62/etc/chromium-common.profile --- firejail-0.9.60/etc/chromium-common.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/chromium-common.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -3,7 +3,7 @@ # Persistent local customizations include chromium-common.local # Persistent global definitions -# already included by caller profile +# added by caller profile #include globals.local # noexec ${HOME} breaks DRM binaries. @@ -27,10 +27,9 @@ include whitelist-var-common.inc apparmor -caps.keep sys_chroot,sys_admin +caps.keep sys_admin,sys_chroot netfilter -# Breaks Gnome connector - disable if you use that -nodbus +# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector nodvd nogroups notv @@ -42,4 +41,4 @@ # private-tmp - problems with multiple browser sessions # the file dialog needs to work without d-bus -env NO_CHROME_KDE_FILE_DIALOG=1 +?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 diff -Nru firejail-0.9.60/etc/cinelerra.profile firejail-0.9.62/etc/cinelerra.profile --- firejail-0.9.60/etc/cinelerra.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cinelerra.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for cin # This file is overwritten after every install/update - # Redirect include cin.profile diff -Nru firejail-0.9.60/etc/clamdscan.profile firejail-0.9.62/etc/clamdscan.profile --- firejail-0.9.60/etc/clamdscan.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/clamdscan.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update - # Redirect include clamav.profile diff -Nru firejail-0.9.60/etc/clamdtop.profile firejail-0.9.62/etc/clamdtop.profile --- firejail-0.9.60/etc/clamdtop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/clamdtop.profile 2019-12-14 13:30:32.000000000 +0000 
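Review bot: Dropping `nodbus` from chromium-common.profile widens D-Bus exposure for every Chromium-based profile that includes it, and the replacement comment explains only what nodbus breaks, not how a user who does not rely on GNOME Keyring or KWallet gets the restriction back. Suggest extending it: `# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector; add nodbus to chromium-common.local if you do not need them`. The later `?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1` line is the right companion, since it ties the env override to the directive actually being set.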
@@ -1,6 +1,5 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update - # Redirect include clamav.profile diff -Nru firejail-0.9.60/etc/clamscan.profile firejail-0.9.62/etc/clamscan.profile --- firejail-0.9.60/etc/clamscan.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/clamscan.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update - # Redirect include clamav.profile diff -Nru firejail-0.9.60/etc/clawsker.profile firejail-0.9.62/etc/clawsker.profile --- firejail-0.9.60/etc/clawsker.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/clawsker.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,11 +9,7 @@ noblacklist ${HOME}/.claws-mail # Allow perl (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/cpan* -noblacklist ${PATH}/core_perl -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +include allow-perl.inc include disable-common.inc include disable-devel.inc @@ -24,7 +20,9 @@ mkdir ${HOME}/.claws-mail whitelist ${HOME}/.claws-mail +whitelist /usr/share/perl5 include whitelist-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all @@ -51,4 +49,4 @@ private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* private-tmp -# memory-deny-write-execute - breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/claws-mail.profile firejail-0.9.62/etc/claws-mail.profile --- firejail-0.9.60/etc/claws-mail.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/claws-mail.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/doc +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +include whitelist-usr-share-common.inc + caps.drop all netfilter no3d diff -Nru firejail-0.9.60/etc/clementine.profile firejail-0.9.62/etc/clementine.profile --- firejail-0.9.60/etc/clementine.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/clementine.profile 2019-12-14 13:30:32.000000000 +0000 @@ -27,7 +27,7 @@ novideo protocol unix,inet,inet6 # blacklisting of ioprio_set system calls breaks clementine -seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +seccomp !ioprio_set private-dev private-tmp diff -Nru firejail-0.9.60/etc/clipit.profile firejail-0.9.62/etc/clipit.profile --- firejail-0.9.60/etc/clipit.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/clipit.profile 2019-12-14 13:30:32.000000000 +0000 @@ -17,6 +17,14 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.config/clipit +mkdir ${HOME}/.local/share/clipit +whitelist ${HOME}/.config/clipit +whitelist ${HOME}/.local/share/clipit +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + apparmor caps.drop all ipc-namespace diff -Nru firejail-0.9.60/etc/clocks.profile firejail-0.9.62/etc/clocks.profile --- firejail-0.9.60/etc/clocks.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/clocks.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,7 +1,6 @@ # Firejail profile for gnome-clocks # This file is overwritten after every install/update - # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-clocks.profile diff -Nru firejail-0.9.60/etc/cmus.profile firejail-0.9.62/etc/cmus.profile --- firejail-0.9.60/etc/cmus.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cmus.profile 2019-12-14 13:30:32.000000000 +0000 @@ -27,4 +27,4 @@ shell none private-bin cmus -private-etc alternatives,group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl diff -Nru firejail-0.9.60/etc/code.profile firejail-0.9.62/etc/code.profile --- firejail-0.9.60/etc/code.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/code.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,23 +5,19 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.cargo/config -noblacklist ${HOME}/.cargo/registry noblacklist ${HOME}/.config/Code noblacklist ${HOME}/.config/Code - OSS -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.pythonrc.py noblacklist ${HOME}/.vscode noblacklist ${HOME}/.vscode-oss +# Allows files commonly used by IDEs +include allow-common-devel.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc caps.drop all -net none netfilter nodvd nogroups diff -Nru firejail-0.9.60/etc/conkeror.profile firejail-0.9.62/etc/conkeror.profile --- firejail-0.9.60/etc/conkeror.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/conkeror.profile 2019-12-14 13:30:32.000000000 +0000 
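Review bot: `net none` is removed from code.profile without a comment, so VS Code goes from no network to netfilter-filtered network with no recorded reason (extension marketplace access is the likely one, but it should be stated on the line). The `noblacklist` entries for `.gitconfig`, `.git-credentials` and `.cargo/*` are folded into `allow-common-devel.inc`, which brackets.profile on this page now also includes; `.git-credentials` holds plaintext tokens, so every profile pulling in that include exposes it, and a comment at the include site such as `# allow-common-devel.inc also exposes ${HOME}/.git-credentials` — or keeping that entry out of the shared include and opting in per profile — would make the exposure explicit. I cannot see allow-common-devel.inc here, so confirm its contents before relying on this.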
@@ -10,9 +10,10 @@ include disable-common.inc include disable-programs.inc +mkdir ${HOME}/.conkeror.mozdev.org +mkfile ${HOME}/.conkerorrc whitelist ${HOME}/.conkeror.mozdev.org whitelist ${HOME}/.conkerorrc -whitelist ${HOME}/.gtkrc-2.0 whitelist ${HOME}/.lastpass whitelist ${HOME}/.pentadactyl whitelist ${HOME}/.pentadactylrc diff -Nru firejail-0.9.60/etc/conky.profile firejail-0.9.62/etc/conky.profile --- firejail-0.9.60/etc/conky.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/conky.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,8 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc + caps.drop all ipc-namespace netfilter diff -Nru firejail-0.9.60/etc/conplay.profile firejail-0.9.62/etc/conplay.profile --- firejail-0.9.60/etc/conplay.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/conplay.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,18 @@ +# Firejail profile for conplay +# Description: MPEG audio player/decoder +# This file is overwritten after every install/update +# Persistent local customizations +include conplay.local +# Persistent global definitions +# added by included profile +#include globals.local + +## system-wide profile +#+ overrides +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +whitelist /usr/share/perl5 + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/cower.profile firejail-0.9.62/etc/cower.profile --- firejail-0.9.60/etc/cower.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cower.profile 2019-12-14 13:30:32.000000000 +0000 
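Review bot: `whitelist /usr/share/perl5` in the new conplay.profile is the only whitelist in the file, and its effect depends on mpg123.profile, which the redirect pulls in but which is not part of the diff. In firejail a whitelist under a top-level directory turns that whole directory into a whitelist-only mount, so if mpg123.profile does not itself whitelist /usr/share (for instance via whitelist-usr-share-common.inc), conplay ends up seeing nothing under /usr/share except perl5; if it does, the line is exactly what is needed. A comment such as `# mpg123.profile whitelists /usr/share; perl5 is added here for the conplay wrapper` (or the opposite, whichever holds) would pin that assumption.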
@@ -1,20 +1,13 @@ # Firejail profile for cower +# Description: a simple AUR agent with a pretentious name # This file is overwritten after every install/update - -# This profile could be significantly strengthened by adding the following to cower.local -# whitelist ${HOME}/ -# whitelist ${HOME}/.config/cower/ - quiet - # Persistent local customizations include cower.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.config/cower/config -read-only ${HOME}/.config/cower/config - +noblacklist ${HOME}/.config/cower noblacklist /var/lib/pacman include disable-common.inc @@ -23,6 +16,11 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc + +# This profile could be significantly strengthened by adding the following to cower.local +# whitelist ${HOME}/ +# whitelist ${HOME}/.config/cower caps.drop all ipc-namespace @@ -42,7 +40,10 @@ disable-mnt private-bin cower +private-cache private-dev private-tmp memory-deny-write-execute + +read-only ${HOME}/.config/cower/config diff -Nru firejail-0.9.60/etc/cpio.profile firejail-0.9.62/etc/cpio.profile --- firejail-0.9.60/etc/cpio.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cpio.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,8 +7,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /sbin noblacklist /usr/sbin @@ -36,6 +34,7 @@ seccomp shell none tracelog +x11 none private-cache private-dev diff -Nru firejail-0.9.60/etc/crow.profile firejail-0.9.62/etc/crow.profile --- firejail-0.9.60/etc/crow.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/crow.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -38,7 +38,7 @@ disable-mnt private-bin crow private-dev -private-etc alternatives,ca-certificates,ssl,machine-id,dconf,nsswitch.conf,resolv.conf,fonts,asound.conf,pulse,pki,crypto-policies +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt none private-tmp private-srv none diff -Nru firejail-0.9.60/etc/cryptocat.profile firejail-0.9.62/etc/cryptocat.profile --- firejail-0.9.60/etc/cryptocat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cryptocat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for Cryptocat # This file is overwritten after every install/update - # Redirect include Cryptocat.profile diff -Nru firejail-0.9.60/etc/curl.profile firejail-0.9.62/etc/curl.profile --- firejail-0.9.60/etc/curl.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/curl.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,8 +7,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.curlrc include disable-common.inc @@ -16,9 +14,14 @@ include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc + caps.drop all +ipc-namespace +machine-id netfilter no3d +nodbus nodvd nogroups nonewprivs @@ -27,12 +30,12 @@ notv nou2f novideo -protocol unix,inet,inet6 +protocol inet,inet6 seccomp shell none # private-bin curl private-cache private-dev -# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/cvlc.profile firejail-0.9.62/etc/cvlc.profile --- firejail-0.9.60/etc/cvlc.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cvlc.profile 2019-12-14 13:30:32.000000000 +0000 
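Review bot: Changing `protocol unix,inet,inet6` to `protocol inet,inet6` in curl.profile blocks AF_UNIX sockets entirely, which is a functional change the hunk does not explain. curl's own `--unix-socket` and `--abstract-unix-socket` options stop working under this profile, and name resolution that goes through a local daemon over a unix socket (nscd or sssd NSS modules, for example) may fail as well; the newly added `nodbus` and `machine-id` lines are consistent with that tightening, so it looks deliberate. A short comment above the line, e.g. `# unix dropped on purpose: no --unix-socket, no local resolver daemons`, would stop the next contributor from putting it back.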
@@ -3,7 +3,8 @@ # Persistent local customizations include cvlc.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local # cvlc doesn't like private-bin ignore private-bin diff -Nru firejail-0.9.60/etc/cyberfox.profile firejail-0.9.62/etc/cyberfox.profile --- firejail-0.9.60/etc/cyberfox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/cyberfox.profile 2019-12-14 13:30:32.000000000 +0000 @@ -13,7 +13,7 @@ whitelist ${HOME}/.8pecxstudios whitelist ${HOME}/.cache/8pecxstudios -# private-bin cyberfox,which,sh,dbus-launch,dbus-send,env +# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which # private-etc must first be enabled in firefox-common.profile #private-etc cyberfox diff -Nru firejail-0.9.60/etc/Cyberfox.profile firejail-0.9.62/etc/Cyberfox.profile --- firejail-0.9.60/etc/Cyberfox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Cyberfox.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for cyberfox # This file is overwritten after every install/update - # Redirect include cyberfox.profile diff -Nru firejail-0.9.60/etc/dconf-editor.profile firejail-0.9.62/etc/dconf-editor.profile --- firejail-0.9.60/etc/dconf-editor.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/dconf-editor.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -whitelist ${HOME}/.local/share/glib-2.0 - include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -16,7 +14,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist ${HOME}/.local/share/glib-2.0 include whitelist-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all 
@@ -39,8 +39,6 @@ private-bin dconf-editor private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,dconf,fonts,gtk-3.0,machine-id private-lib private-tmp - -# memory-deny-write-execute diff -Nru firejail-0.9.60/etc/dconf.profile firejail-0.9.62/etc/dconf.profile --- firejail-0.9.60/etc/dconf.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/dconf.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -whitelist ${HOME}/.local/share/glib-2.0 - include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -16,8 +14,10 @@ include disable-programs.inc include disable-xdg.inc +whitelist ${HOME}/.local/share/glib-2.0 # dconf paths are whitelisted by the following include whitelist-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all @@ -37,6 +37,7 @@ seccomp shell none tracelog +x11 none disable-mnt private-bin dconf,gsettings diff -Nru firejail-0.9.60/etc/ddgtk.profile firejail-0.9.62/etc/ddgtk.profile --- firejail-0.9.60/etc/ddgtk.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/ddgtk.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,54 @@ +# Firejail profile for ddgtk +# Description: A frontend GUI to dd for making bootable USB disks +# This file is overwritten after every install/update +# Persistent local customizations +include ddgtk.local +# Persistent global definitions +include globals.local + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +whitelist /usr/share/ddgtk +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr +private-cache +private-etc alternatives,fonts +private-tmp + +# memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.60/etc/deluge.profile firejail-0.9.62/etc/deluge.profile --- firejail-0.9.60/etc/deluge.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/deluge.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/deluge # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc # include disable-devel.inc 
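Review bot: The new ddgtk.profile combines `caps.drop all`, `noroot`, `nonewprivs`, `nodbus` and a `private-bin` list without sudo or pkexec, yet the tool's purpose per its Description line is writing images to USB disks with dd. Under that combination the sandboxed process cannot escalate, so raw device writes can only succeed if the invoking user already has write permission on the device node, and the profile does not say that this is the intended model. Please add a line near the top such as `# ddgtk must be run by a user with direct write access to the USB device; escalation is blocked by noroot/nonewprivs` (adjusted to what was actually tested) so the restriction is not mistaken for an oversight. The absence of `private-dev`, which several sibling profiles in this patch set, supports that reading, but it is an inference.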
@@ -43,6 +39,6 @@ shell none # deluge is using python on Debian -private-bin deluge,deluge-console,deluged,deluge-gtk,deluge-web,sh,python*,uname +private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname private-dev private-tmp diff -Nru firejail-0.9.60/etc/devhelp.profile firejail-0.9.62/etc/devhelp.profile --- firejail-0.9.60/etc/devhelp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/devhelp.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,7 +15,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/devhelp include whitelist-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all @@ -41,6 +43,6 @@ private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl private-tmp -# memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) read-only ${HOME} diff -Nru firejail-0.9.60/etc/devilspie2.profile firejail-0.9.62/etc/devilspie2.profile --- firejail-0.9.60/etc/devilspie2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/devilspie2.profile 2019-12-14 13:30:32.000000000 +0000 @@ -8,6 +8,9 @@ noblacklist ${HOME}/.config/devilspie2 +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -16,6 +19,12 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.config/devilspie2 +whitelist ${HOME}/.config/devilspie2 +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + apparmor caps.drop all ipc-namespace diff -Nru firejail-0.9.60/etc/devilspie.profile firejail-0.9.62/etc/devilspie.profile --- firejail-0.9.60/etc/devilspie.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/devilspie.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -16,6 +16,12 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.devilspie +whitelist ${HOME}/.devilspie +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + apparmor caps.drop all ipc-namespace diff -Nru firejail-0.9.60/etc/dex2jar.profile firejail-0.9.62/etc/dex2jar.profile --- firejail-0.9.60/etc/dex2jar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/dex2jar.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,11 +6,8 @@ # Persistent global definitions include globals.local -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc @@ -38,7 +35,7 @@ seccomp shell none -private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep +private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname private-cache private-dev diff -Nru firejail-0.9.60/etc/d-feet.profile firejail-0.9.62/etc/d-feet.profile --- firejail-0.9.60/etc/d-feet.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/d-feet.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/d-feet # Allow python (disabled by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -26,7 +22,9 @@ mkdir ${HOME}/.config/d-feet whitelist ${HOME}/.config/d-feet +whitelist /usr/share/d-feet include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
@@ -53,4 +51,4 @@ private-etc alternatives,dbus-1,fonts,machine-id private-tmp -# memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/dia.profile firejail-0.9.62/etc/dia.profile --- firejail-0.9.60/etc/dia.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/dia.profile 2019-12-14 13:30:32.000000000 +0000 @@ -12,6 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc +include allow-python2.inc +include allow-python3.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc diff -Nru firejail-0.9.60/etc/digikam.profile firejail-0.9.62/etc/digikam.profile --- firejail-0.9.60/etc/digikam.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/digikam.profile 2019-12-14 13:30:32.000000000 +0000 
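Review bot: In dia.profile the two `include allow-python*.inc` lines are dropped between `include disable-exec.inc` and `include disable-interpreters.inc`, which differs from the ddgtk, deluge and d-feet hunks in this same patch, where the allow-* includes sit above the whole disable-* block under a `# Allow python (blacklisted by disable-interpreters.inc)` comment. Since a `noblacklist` only cancels blacklists that come after it, the current position still works for disable-interpreters.inc, but it reads like an accidental interleave and lacks the explanatory comment. Moving the two lines above `include disable-common.inc` with that comment would keep the profiles consistent and make the intent obvious.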
@@ -33,11 +33,8 @@ notv protocol unix,inet,inet6,netlink seccomp -# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group shell none -# private-bin program # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device -# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl private-tmp - diff -Nru firejail-0.9.60/etc/dig.profile firejail-0.9.62/etc/dig.profile --- firejail-0.9.60/etc/dig.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/dig.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,7 +1,7 @@ # Firejail profile for dig # Description: DNS lookup utility -quiet # This file is overwritten after every install/update +quiet # Persistent local customizations include dig.local # Persistent global definitions 
@@ -17,9 +17,10 @@ include disable-programs.inc include disable-xdg.inc -mkfile ${HOME}/.digrc +#mkfile ${HOME}/.digrc -- see #903 whitelist ${HOME}/.digrc include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -42,11 +43,11 @@ disable-mnt private -private-bin sh,bash,dig +private-bin bash,dig,sh private-cache private-dev -# private-etc alternatives,resolv.conf -private-lib +# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) +#private-lib private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/dino.profile firejail-0.9.62/etc/dino.profile --- firejail-0.9.60/etc/dino.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/dino.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,5 @@ # Firejail profile for dino +# Description: Modern XMPP Chat Client using GTK+/Vala # This file is overwritten after every install/update # Persistent local customizations include dino.local @@ -37,6 +38,6 @@ disable-mnt private-bin dino private-dev -# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection +# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection private-tmp diff -Nru firejail-0.9.60/etc/disable-common.inc firejail-0.9.62/etc/disable-common.inc --- firejail-0.9.60/etc/disable-common.inc 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/disable-common.inc 2019-12-28 13:14:56.000000000 +0000 @@ -19,7 +19,10 @@ blacklist-nolog ${HOME}/.local/share/klipper blacklist-nolog ${HOME}/.macromedia blacklist-nolog ${HOME}/.python-history +blacklist-nolog ${HOME}/.python_history blacklist-nolog ${HOME}/.pythonhist +blacklist-nolog ${HOME}/.lesshst +blacklist-nolog ${HOME}/.viminfo blacklist-nolog /tmp/clipmenu* # X11 session autostart 
@@ -59,11 +62,16 @@ blacklist /etc/xdg/autostart read-only ${HOME}/.Xauthority +# Session manager +?HAS_X11: blacklist ${HOME}/.ICEauthority +?HAS_X11: blacklist /tmp/.ICE-unix + # KDE config blacklist ${HOME}/.config/khotkeysrc blacklist ${HOME}/.config/krunnerrc blacklist ${HOME}/.config/kscreenlockerrc blacklist ${HOME}/.config/ksslcertificatemanager +blacklist ${HOME}/.config/kwalletrc blacklist ${HOME}/.config/kwinrc blacklist ${HOME}/.config/kwinrulesrc blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc @@ -76,6 +84,7 @@ blacklist ${HOME}/.kde/share/config/krunnerrc blacklist ${HOME}/.kde/share/config/kscreensaverrc blacklist ${HOME}/.kde/share/config/ksslcertificatemanager +blacklist ${HOME}/.kde/share/config/kwalletrc blacklist ${HOME}/.kde/share/config/kwinrc blacklist ${HOME}/.kde/share/config/kwinrulesrc blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc @@ -86,6 +95,7 @@ blacklist ${HOME}/.kde4/share/config/krunnerrc blacklist ${HOME}/.kde4/share/config/kscreensaverrc blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager +blacklist ${HOME}/.kde4/share/config/kwalletrc blacklist ${HOME}/.kde4/share/config/kwinrc blacklist ${HOME}/.kde4/share/config/kwinrulesrc blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc @@ -131,6 +141,8 @@ # gnome # contains extensions, last used times of applications, and notifications blacklist ${HOME}/.local/share/gnome-shell +# no direct modification of dconf database +read-only ${HOME}/.config/dconf # systemd blacklist ${HOME}/.config/systemd @@ -144,6 +156,10 @@ blacklist ${HOME}/.config/VirtualBox blacklist ${HOME}/VirtualBox VMs +# GNOME Boxes +blacklist ${HOME}/.config/gnome-boxes +blacklist ${HOME}/.local/share/gnome-boxes + # VeraCrypt blacklist ${HOME}/.VeraCrypt blacklist ${PATH}/veracrypt 
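Review bot: The two new `?HAS_X11: blacklist` lines for `${HOME}/.ICEauthority` and `/tmp/.ICE-unix` are conditional while the neighbouring `read-only ${HOME}/.Xauthority` and the other session-related entries in this section are unconditional, and nothing in the hunk says why the ICE entries need the gate. Presumably an application that shares the host X display still has to reach the session manager over ICE and only an X11-sandboxed one can lose it safely, but that is a guess a reader should not have to make. Please expand `# Session manager` to something like `# Session manager: ICE sockets are cut off only when the X11 sandbox is active, because clients on the host display still need session management` (wording adjusted to the real reason).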
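Review bot: The comment `# no direct modification of dconf database` over the new `read-only ${HOME}/.config/dconf` is accurate but easy to over-read: dconf clients normally write through the dconf-service daemon over the session bus, so a sandbox that still has D-Bus access can change settings regardless of this line, and the file-level read-only only stops a process from editing or replacing the database file itself. Stating that explicitly, e.g. `# no direct modification of the dconf database file; writes via dconf-service are only stopped by nodbus`, would keep profile authors from counting on this line as a settings lock.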
@@ -242,6 +258,7 @@ # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc +read-only ${HOME}/.cargo/env read-only ${HOME}/.dotfiles read-only ${HOME}/.emacs read-only ${HOME}/.emacs.d @@ -249,6 +266,7 @@ read-only ${HOME}/.gvimrc read-only ${HOME}/.homesick read-only ${HOME}/.iscreenrc +read-only ${HOME}/.local/share/cool-retro-term read-only ${HOME}/.mailcap read-only ${HOME}/.msmtprc read-only ${HOME}/.mutt/muttrc @@ -276,11 +294,10 @@ read-only ${HOME}/.local/bin read-only ${HOME}/.cargo/bin read-only ${HOME}/.cargo/env -blacklist ${HOME}/.cargo/registry -blacklist ${HOME}/.cargo/config # Write-protection for desktop entries read-only ${HOME}/.config/menus +read-only ${HOME}/.gnome/apps read-only ${HOME}/.local/share/applications # Write-protection for thumbnailer dir @@ -292,12 +309,18 @@ blacklist ${HOME}/*.key blacklist ${HOME}/.Private blacklist ${HOME}/.caff +blacklist ${HOME}/.cargo/credentials blacklist ${HOME}/.cert blacklist ${HOME}/.config/keybase +blacklist ${HOME}/.davfs2/secrets blacklist ${HOME}/.ecryptfs blacklist ${HOME}/.fetchmailrc +blacklist ${HOME}/.fscrypt +blacklist ${HOME}/.git-credential-cache +blacklist ${HOME}/.git-credentials blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/.gnupg +blacklist ${HOME}/.config/hub blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.kde4/share/apps/kwallet blacklist ${HOME}/.local/share/keyrings @@ -313,6 +336,8 @@ blacklist ${HOME}/.smbcredentials blacklist ${HOME}/.ssh blacklist ${HOME}/.vaults +blacklist /.fscrypt +blacklist /etc/davfs2/secrets blacklist /etc/group+ blacklist /etc/group- blacklist /etc/gshadow @@ -325,6 +350,7 @@ blacklist /etc/shadow- blacklist /etc/ssh blacklist /home/.ecryptfs +blacklist /home/.fscrypt blacklist /var/backup # cloud provider configuration 
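Review bot: The `read-only ${HOME}/.cargo/env` added to the 'Initialization files' list in the first hunk duplicates an existing `read-only ${HOME}/.cargo/env` that appears as context in the `@@ -276,11 +294,10 @@` hunk a few lines later, next to `read-only ${HOME}/.cargo/bin`. Firejail tolerates the duplicate, but one of the two should go so the file has a single entry for that path. In the secrets hunk, `blacklist ${HOME}/.config/hub` is inserted after `.gnupg` and breaks the alphabetical order the rest of that list follows; it belongs next to `blacklist ${HOME}/.config/keybase`.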
@@ -350,7 +376,10 @@ blacklist ${PATH}/evtest blacklist ${PATH}/expiry blacklist ${PATH}/fusermount +blacklist ${PATH}/gksu +blacklist ${PATH}/gksudo blacklist ${PATH}/gpasswd +blacklist ${PATH}/kdesudo blacklist ${PATH}/ksu blacklist ${PATH}/mount blacklist ${PATH}/mount.ecryptfs_private @@ -414,3 +443,15 @@ blacklist /var/lib/flatpak # most of the time bwrap is SUID binary blacklist ${PATH}/bwrap + +# mail directories used by mutt +blacklist ${HOME}/.Mail +blacklist ${HOME}/.mail +blacklist ${HOME}/.signature +blacklist ${HOME}/Mail +blacklist ${HOME}/mail +blacklist ${HOME}/postponed +blacklist ${HOME}/sent + +# kernel configuration +blacklist /proc/config.gz diff -Nru firejail-0.9.60/etc/disable-interpreters.inc firejail-0.9.62/etc/disable-interpreters.inc --- firejail-0.9.60/etc/disable-interpreters.inc 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/disable-interpreters.inc 2019-12-14 13:30:32.000000000 +0000 @@ -19,6 +19,8 @@ blacklist ${PATH}/cpan* blacklist ${PATH}/core_perl blacklist ${PATH}/perl +blacklist ${PATH}/site_perl +blacklist ${PATH}/vendor_perl blacklist /usr/lib/perl* blacklist /usr/share/perl* diff -Nru firejail-0.9.60/etc/disable-programs.inc firejail-0.9.62/etc/disable-programs.inc --- firejail-0.9.60/etc/disable-programs.inc 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/disable-programs.inc 2019-12-28 13:14:56.000000000 +0000 @@ -3,10 +3,12 @@ include disable-programs.local blacklist ${HOME}/Arduino +blacklist ${HOME}/i2p blacklist ${HOME}/Monero/wallets blacklist ${HOME}/Nextcloud/Notes blacklist ${HOME}/SoftMaker blacklist ${HOME}/Standard Notes Backups +blacklist ${HOME}/mps blacklist ${HOME}/wallet.dat blacklist ${HOME}/.*coin blacklist ${HOME}/.8pecxstudios 
@@ -22,14 +24,13 @@ blacklist ${HOME}/.PlayOnLinux blacklist ${HOME}/.PyCharm* blacklist ${HOME}/.Sayonara -blacklist ${HOME}/.Skype blacklist ${HOME}/.Steam blacklist ${HOME}/.Steampath blacklist ${HOME}/.Steampid blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.VSCodium blacklist ${HOME}/.ViberPC blacklist ${HOME}/.VirtualBox -blacklist ${HOME}/.VSCodium blacklist ${HOME}/.WebStorm* blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.ZAP @@ -50,6 +51,8 @@ blacklist ${HOME}/.bitcoin blacklist ${HOME}/.bogofilter blacklist ${HOME}/.bzf +blacklist ${HOME}/.cargo/registry +blacklist ${HOME}/.cargo/config blacklist ${HOME}/.claws-mail blacklist ${HOME}/.cliqz blacklist ${HOME}/.clonk @@ -93,8 +96,9 @@ blacklist ${HOME}/.config/Nathan Osman blacklist ${HOME}/.config/Nylas Mail blacklist ${HOME}/.config/PBE -blacklist ${HOME}/.config/Qlipper +blacklist ${HOME}/.config/QGIS blacklist ${HOME}/.config/QMediathekView +blacklist ${HOME}/.config/Qlipper blacklist ${HOME}/.config/QuiteRss blacklist ${HOME}/.config/QuiteRssrc blacklist ${HOME}/.config/Rambox @@ -108,6 +112,7 @@ blacklist ${HOME}/.config/Thunar blacklist ${HOME}/.config/VirtualBox blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/Zeal blacklist ${HOME}/.config/akonadi* blacklist ${HOME}/.config/akregatorrc blacklist ${HOME}/.config/ardour4 @@ -117,6 +122,7 @@ blacklist ${HOME}/.config/asunder blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/audacious +blacklist ${HOME}/.config/autokey blacklist ${HOME}/.config/aweather blacklist ${HOME}/.config/baloofilerc blacklist ${HOME}/.config/baloorc @@ -126,6 +132,7 @@ blacklist ${HOME}/.config/borg blacklist ${HOME}/.config/brasero blacklist ${HOME}/.config/brave +blacklist ${HOME}/.config/brave-flags.conf blacklist ${HOME}/.config/caja blacklist ${HOME}/.config/calibre blacklist ${HOME}/.config/cantata 
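Review bot: `blacklist ${HOME}/.cargo/registry` and `blacklist ${HOME}/.cargo/config` arrive here from disable-common.inc, where this same patch deletes them, so the two paths are now hidden only from profiles that include disable-programs.inc rather than from every profile that includes disable-common.inc. For `.cargo/config` that is a step down in coverage: it can name a `linker` or `runner` command that cargo executes, which is exactly the class of file disable-common.inc keeps under 'Initialization files that allow arbitrary command execution', where `.cargo/bin` and `.cargo/env` already sit. Consider keeping a `read-only ${HOME}/.cargo/config` in that disable-common.inc section alongside the move, and swap the two new lines so `config` precedes `registry` like the rest of this sorted list.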
@@ -139,6 +146,7 @@ blacklist ${HOME}/.config/cliqz blacklist ${HOME}/.config/cmus blacklist ${HOME}/.config/corebird +blacklist ${HOME}/.config/cower blacklist ${HOME}/.config/darktable blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/deluge @@ -147,10 +155,13 @@ blacklist ${HOME}/.config/digikamrc blacklist ${HOME}/.config/discord blacklist ${HOME}/.config/discordcanary +blacklist ${HOME}/.config/dkl blacklist ${HOME}/.config/dnox blacklist ${HOME}/.config/dolphinrc blacklist ${HOME}/.config/dragonplayerrc +blacklist ${HOME}/.config/draw.io blacklist ${HOME}/.config/d-feet +blacklist ${HOME}/.config/electron-mail blacklist ${HOME}/.config/emaildefaults blacklist ${HOME}/.config/emailidentities blacklist ${HOME}/.config/enchant @@ -173,9 +184,13 @@ blacklist ${HOME}/.config/ghostwriter blacklist ${HOME}/.config/git blacklist ${HOME}/.config/globaltime +blacklist ${HOME}/.config/gmpc +blacklist ${HOME}/.config/gnome-builder +blacklist ${HOME}/.config/gnome-latex blacklist ${HOME}/.config/gnome-mplayer blacklist ${HOME}/.config/gnome-mpv blacklist ${HOME}/.config/gnome-pie +blacklist ${HOME}/.config/godot blacklist ${HOME}/.config/google-chrome blacklist ${HOME}/.config/google-chrome-beta blacklist ${HOME}/.config/google-chrome-unstable @@ -183,6 +198,7 @@ blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/gwenviewrc blacklist ${HOME}/.config/hexchat +blacklist ${HOME}/.config/i2p blacklist ${HOME}/.config/inkscape blacklist ${HOME}/.config/inox blacklist ${HOME}/.config/iridium 
@@ -190,26 +206,28 @@ blacklist ${HOME}/.config/jd-gui.cfg blacklist ${HOME}/.config/k3brc blacklist ${HOME}/.config/kaffeinerc +blacklist ${HOME}/.config/kalgebrarc blacklist ${HOME}/.config/katemetainfos blacklist ${HOME}/.config/katepartrc blacklist ${HOME}/.config/katerc blacklist ${HOME}/.config/kateschemarc blacklist ${HOME}/.config/katesyntaxhighlightingrc blacklist ${HOME}/.config/katevirc +blacklist ${HOME}/.config/kdeconnect blacklist ${HOME}/.config/kdenliverc +blacklist ${HOME}/.config/kfindrc blacklist ${HOME}/.config/kgetrc blacklist ${HOME}/.config/kid3rc blacklist ${HOME}/.config/klavaro blacklist ${HOME}/.config/klipperrc blacklist ${HOME}/.config/kmail2rc blacklist ${HOME}/.config/kmailsearchindexingrc -blacklist ${HOME}/.config/kritarc -blacklist ${HOME}/.config/kwriterc -blacklist ${HOME}/.config/kdeconnect blacklist ${HOME}/.config/knotesrc blacklist ${HOME}/.config/konversationrc +blacklist ${HOME}/.config/kritarc blacklist ${HOME}/.config/ktorrentrc blacklist ${HOME}/.config/ktouch2rc +blacklist ${HOME}/.config/kwriterc blacklist ${HOME}/.config/leafpad blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/liferea @@ -220,12 +238,13 @@ blacklist ${HOME}/.config/mate-calc blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/mate/mate-dictionary +blacklist ${HOME}/.config/meld blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/mfusion blacklist ${HOME}/.config/midori blacklist ${HOME}/.config/mono -blacklist ${HOME}/.config/mpd blacklist ${HOME}/.config/mpDris2 +blacklist ${HOME}/.config/mpd blacklist ${HOME}/.config/mps-youtube blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/mupen64plus @@ -234,6 +253,7 @@ blacklist ${HOME}/.config/nautilus blacklist ${HOME}/.config/nemo blacklist ${HOME}/.config/netsurf +blacklist ${HOME}/.config/newsbeuter blacklist ${HOME}/.config/nheko blacklist ${HOME}/.config/NitroShare blacklist ${HOME}/.config/nomacs 
@@ -245,6 +265,7 @@ blacklist ${HOME}/.config/opera-beta blacklist ${HOME}/.config/orage blacklist ${HOME}/.config/org.kde.gwenviewrc +blacklist ${HOME}/.config/pavucontrol-qt blacklist ${HOME}/.config/pavucontrol.ini blacklist ${HOME}/.config/pcmanfm blacklist ${HOME}/.config/pdfmod @@ -254,6 +275,7 @@ blacklist ${HOME}/.config/pluma blacklist ${HOME}/.config/ppsspp blacklist ${HOME}/.config/pragha +blacklist ${HOME}/.config/profanity blacklist ${HOME}/.config/psi+ blacklist ${HOME}/.config/qBittorrent blacklist ${HOME}/.config/qBittorrentrc @@ -266,6 +288,7 @@ blacklist ${HOME}/.config/remmina blacklist ${HOME}/.config/ristretto blacklist ${HOME}/.config/scribus +blacklist ${HOME}/.config/scribusrc blacklist ${HOME}/.config/sinew.in blacklist ${HOME}/.config/skypeforlinux blacklist ${HOME}/.config/slimjet @@ -274,17 +297,17 @@ blacklist ${HOME}/.config/snox blacklist ${HOME}/.config/specialmailcollectionsrc blacklist ${HOME}/.config/spotify -blacklist ${HOME}/.config/supertuxkart blacklist ${HOME}/.config/sqlitebrowser blacklist ${HOME}/.config/stellarium +blacklist ${HOME}/.config/supertuxkart blacklist ${HOME}/.config/synfig blacklist ${HOME}/.config/telepathy-account-widgets blacklist ${HOME}/.config/torbrowser blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/tox blacklist ${HOME}/.config/transgui -blacklist ${HOME}/.config/truecraft blacklist ${HOME}/.config/transmission +blacklist ${HOME}/.config/truecraft blacklist ${HOME}/.config/uGet blacklist ${HOME}/.config/uzbl blacklist ${HOME}/.config/viewnior @@ -292,6 +315,7 @@ blacklist ${HOME}/.config/vivaldi-snapshot blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/wesnoth +blacklist ${HOME}/.config/Whalebird blacklist ${HOME}/.config/wireshark blacklist ${HOME}/.config/xchat blacklist ${HOME}/.config/xed 
@@ -309,8 +333,10 @@ blacklist ${HOME}/.config/yandex-browser blacklist ${HOME}/.config/yandex-browser-beta blacklist ${HOME}/.config/yelp +blacklist ${HOME}/.config/youtube-dl blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/zoomus.conf +blacklist ${HOME}/.config/Zulip blacklist ${HOME}/.conkeror.mozdev.org blacklist ${HOME}/.crawl blacklist ${HOME}/.curlrc @@ -327,7 +353,6 @@ blacklist ${HOME}/.electrum* blacklist ${HOME}/.elinks blacklist ${HOME}/.emacs -blacklist ${HOME}/.emacs blacklist ${HOME}/.emacs.d blacklist ${HOME}/.ethereum blacklist ${HOME}/.etr @@ -340,12 +365,11 @@ blacklist ${HOME}/.freemind blacklist ${HOME}/.frozen-bubble blacklist ${HOME}/.gimp* -blacklist ${HOME}/.git-credentials -blacklist ${HOME}/.git-credential-cache +blacklist ${HOME}/.gist blacklist ${HOME}/.gitconfig blacklist ${HOME}/.gnome/gnome-schedule -blacklist ${HOME}/.googleearth/Cache/ -blacklist ${HOME}/.googleearth/Temp/ +blacklist ${HOME}/.googleearth/Cache +blacklist ${HOME}/.googleearth/Temp blacklist ${HOME}/.googleearth/myplaces.backup.kml blacklist ${HOME}/.googleearth/myplaces.kml blacklist ${HOME}/.gradle @@ -354,9 +378,11 @@ blacklist ${HOME}/.hashcat blacklist ${HOME}/.hedgewars blacklist ${HOME}/.hugin +blacklist ${HOME}/.i2p blacklist ${HOME}/.icedove blacklist ${HOME}/.imagej blacklist ${HOME}/.inkscape +blacklist ${HOME}/.itch blacklist ${HOME}/.jack-server blacklist ${HOME}/.jack-settings blacklist ${HOME}/.jak @@ -369,10 +395,10 @@ blacklist ${HOME}/.kde/share/apps/kcookiejar blacklist ${HOME}/.kde/share/apps/kget blacklist ${HOME}/.kde/share/apps/khtml +blacklist ${HOME}/.kde/share/apps/klatexformula blacklist ${HOME}/.kde/share/apps/konqsidebartng blacklist ${HOME}/.kde/share/apps/konqueror blacklist ${HOME}/.kde/share/apps/kopete -blacklist ${HOME}/.kde/share/apps/khtml blacklist ${HOME}/.kde/share/apps/ktorrent blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/baloofilerc 
@@ -382,6 +408,7 @@
 blacklist ${HOME}/.kde/share/config/k3brc
 blacklist ${HOME}/.kde/share/config/kaffeinerc
 blacklist ${HOME}/.kde/share/config/kcookiejarrc
+blacklist ${HOME}/.kde/share/config/kfindrc
 blacklist ${HOME}/.kde/share/config/kgetrc
 blacklist ${HOME}/.kde/share/config/khtmlrc
 blacklist ${HOME}/.kde/share/config/klipperrc
@@ -399,18 +426,19 @@
 blacklist ${HOME}/.kde4/share/apps/kcookiejar
 blacklist ${HOME}/.kde4/share/apps/kget
 blacklist ${HOME}/.kde4/share/apps/khtml
-blacklist ${HOME}/.kde4/share/apps/konqueror
 blacklist ${HOME}/.kde4/share/apps/konqsidebartng
+blacklist ${HOME}/.kde4/share/apps/konqueror
 blacklist ${HOME}/.kde4/share/apps/kopete
 blacklist ${HOME}/.kde4/share/apps/ktorrent
 blacklist ${HOME}/.kde4/share/apps/okular
-blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/baloofilerc
+blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/digikam
 blacklist ${HOME}/.kde4/share/config/gwenviewrc
 blacklist ${HOME}/.kde4/share/config/k3brc
 blacklist ${HOME}/.kde4/share/config/kaffeinerc
 blacklist ${HOME}/.kde4/share/config/kcookiejarrc
+blacklist ${HOME}/.kde4/share/config/kfindrc
 blacklist ${HOME}/.kde4/share/config/kgetrc
 blacklist ${HOME}/.kde4/share/config/khtmlrc
 blacklist ${HOME}/.kde4/share/config/klipperrc
@@ -425,8 +453,10 @@
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
+blacklist ${HOME}/.links
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
@@ -440,6 +470,7 @@
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -448,10 +479,12 @@
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/Zeal
 blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
+blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
@@ -476,26 +509,34 @@
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/geary
 blacklist ${HOME}/.local/share/geeqie
+blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-latex
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/kaffeine
+blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kiwix
+blacklist ${HOME}/.local/share/kiwix-desktop
 blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
@@ -520,14 +561,16 @@
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
@@ -564,9 +607,11 @@
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
+blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
+blacklist ${HOME}/.openarena
 blacklist ${HOME}/.opencity
 blacklist ${HOME}/.openinvaders
 blacklist ${HOME}/.openshot
@@ -579,6 +624,7 @@
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
@@ -600,13 +646,14 @@
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
+blacklist ${HOME}/.config/teams-for-linux
+blacklist ${HOME}/.tb
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
-blacklist ${HOME}/.tor-browser-*
-blacklist ${HOME}/.tor-browser_*
+blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs
 blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
@@ -614,6 +661,8 @@
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
+blacklist ${HOME}/.vim
+blacklist ${HOME}/.vimrc
 blacklist ${HOME}/.vscode
 blacklist ${HOME}/.vscode-oss
 blacklist ${HOME}/.vst
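Review bot: `+blacklist ${HOME}/.config/teams-for-linux` in the `@@ -600,13 +646,14 @@` hunk is placed among the `${HOME}/.t*` entries, while every other `${HOME}/.config/*` path sits in the alphabetical `.config` section earlier in the file (this same commit reorders supertuxkart, truecraft and wireshark to restore sort order). Moving the line between `blacklist ${HOME}/.config/synfig` and `blacklist ${HOME}/.config/telepathy-account-widgets` keeps the file sorted, which is what makes duplicate and missing entries visible in review. The entry works wherever it is placed, so this is ordering only.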
@@ -626,8 +675,8 @@
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
-blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
@@ -637,11 +686,17 @@
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
+blacklist /var/games/nethack
+blacklist /var/games/slashem
+blacklist /var/games/vulturesclaw
+blacklist /var/games/vultureseye
+blacklist /var/lib/games/Maelstrom-Scores
 # ${HOME}/.cache directory
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
 blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
@@ -649,9 +704,12 @@
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
@@ -672,10 +730,14 @@
 blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-recipes
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/gradio
@@ -684,7 +746,9 @@
 blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kcmshell5
 blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/kfind
 blacklist ${HOME}/.cache/kinfocenter
 blacklist ${HOME}/.cache/kmail2
 blacklist ${HOME}/.cache/krunner
@@ -697,6 +761,7 @@
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/Mendeley Ltd.
 blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
 blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
@@ -715,6 +780,7 @@
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/plasmashell
@@ -722,6 +788,7 @@
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rhythmbox
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/snox
@@ -742,9 +809,4 @@
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
-
-blacklist /var/games/nethack
-blacklist /var/games/slashem
-blacklist /var/games/vulturesclaw
-blacklist /var/games/vultureseye
-blacklist /var/lib/games/Maelstrom-Scores
+blacklist ${HOME}/.cache/youtube-dl
diff -Nru firejail-0.9.60/etc/discord-canary.profile firejail-0.9.62/etc/discord-canary.profile
--- firejail-0.9.60/etc/discord-canary.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/discord-canary.profile 2019-12-14 13:30:32.000000000 +0000
@@ -5,7 +5,6 @@
 # Persistent global definitions
 include globals.local
-
 noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
@@ -14,5 +13,5 @@
 private-bin discord-canary
 private-opt discord-canary
-#Redirect
+# Redirect
 include discord-common.profile
diff -Nru firejail-0.9.60/etc/DiscordCanary.profile firejail-0.9.62/etc/DiscordCanary.profile
--- firejail-0.9.60/etc/DiscordCanary.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/DiscordCanary.profile 2019-12-14 13:30:32.000000000 +0000
@@ -5,7 +5,6 @@
 # Persistent global definitions
 include globals.local
-
 noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
@@ -14,5 +13,5 @@
 private-bin DiscordCanary
 private-opt DiscordCanary
-#Redirect
+# Redirect
 include discord-common.profile
diff -Nru firejail-0.9.60/etc/discord-common.profile firejail-0.9.62/etc/discord-common.profile
--- firejail-0.9.60/etc/discord-common.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/discord-common.profile 2019-12-14 13:30:32.000000000 +0000
@@ -3,7 +3,7 @@
 # Persistent local customizations
 include discord-common.local
 # Persistent global definitions
-# already included by caller profile
+# added by caller profile
 #include globals.local
 include disable-common.inc
@@ -27,9 +27,9 @@
 protocol unix,inet,inet6,netlink
 seccomp
-private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,ld.so.cache,localtime,login.defs,password,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
 noexec /tmp
diff -Nru firejail-0.9.60/etc/discord.profile firejail-0.9.62/etc/discord.profile
--- firejail-0.9.60/etc/discord.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/discord.profile 2019-12-14 13:30:32.000000000 +0000
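Review bot: Both the old and the new `private-etc` line in the `@@ -27,9 +27,9 @@` hunk of discord-common.profile list `password`, which is presumably a typo for `passwd` — the file that user and group lookups need, and the spelling the evince.profile hunk later in this diff uses (`private-etc alternatives,fonts,group,machine-id,passwd`). The reorder carried the typo over, so the sandbox's private /etc still has no passwd file and the neighbouring `group` entry only does half the job. Suggested: `private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,passwd,pki,resolv.conf,ssl`.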
@@ -5,7 +5,6 @@
 # Persistent global definitions
 include globals.local
-
 noblacklist ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
@@ -14,5 +13,5 @@
 private-bin discord
 private-opt discord
-#Redirect
+# Redirect
 include discord-common.profile
diff -Nru firejail-0.9.60/etc/Discord.profile firejail-0.9.62/etc/Discord.profile
--- firejail-0.9.60/etc/Discord.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/Discord.profile 2019-12-14 13:30:32.000000000 +0000
@@ -5,7 +5,6 @@
 # Persistent global definitions
 include globals.local
-
 noblacklist ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
@@ -14,5 +13,5 @@
 private-bin Discord
 private-opt Discord
-#Redirect
+# Redirect
 include discord-common.profile
diff -Nru firejail-0.9.60/etc/display.profile firejail-0.9.62/etc/display.profile
--- firejail-0.9.60/etc/display.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/display.profile 2019-12-14 13:30:32.000000000 +0000
@@ -8,12 +8,8 @@
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -23,6 +19,7 @@
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff -Nru firejail-0.9.60/etc/dnscrypt-proxy.profile firejail-0.9.62/etc/dnscrypt-proxy.profile
--- firejail-0.9.60/etc/dnscrypt-proxy.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/dnscrypt-proxy.profile 2019-12-14 13:30:32.000000000 +0000
@@ -1,32 +1,39 @@
 # Firejail profile for dnscrypt-proxy
 # Description: Tool for securing communications between a client and a DNS resolver
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/dnscrypt-proxy
+include whitelist-usr-share-common.inc
+
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+ipc-namespace
+machine-id
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 disable-mnt
 private
diff -Nru firejail-0.9.60/etc/dnsmasq.profile firejail-0.9.62/etc/dnsmasq.profile
--- firejail-0.9.60/etc/dnsmasq.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/dnsmasq.profile 2019-12-14 13:30:32.000000000 +0000
@@ -1,16 +1,17 @@
 # Firejail profile for dnsmasq
 # Description: Small caching DNS proxy and DHCP/TFTP server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnsmasq.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff -Nru firejail-0.9.60/etc/Documents.profile firejail-0.9.62/etc/Documents.profile
--- firejail-0.9.60/etc/Documents.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/Documents.profile 2019-12-14 13:30:32.000000000 +0000
@@ -1,7 +1,6 @@
 # Firejail profile for gnome-documents
 # This file is overwritten after every install/update
-
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-documents.profile
diff -Nru firejail-0.9.60/etc/dolphin.profile firejail-0.9.62/etc/dolphin.profile
--- firejail-0.9.60/etc/dolphin.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/dolphin.profile 2019-12-14 13:30:32.000000000 +0000
@@ -18,12 +18,14 @@
 # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
 # include disable-programs.inc
+allusers
 caps.drop all
 # net none
 netfilter
 nodvd
 nogroups
 nonewprivs
+# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
 noroot
 notv
 novideo
diff -Nru firejail-0.9.60/etc/dooble.profile firejail-0.9.62/etc/dooble.profile
--- firejail-0.9.60/etc/dooble.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/dooble.profile 2019-12-14 13:30:32.000000000 +0000
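Review bot: `blacklist /tmp/.X11-unix` is deleted outright in the dnscrypt-proxy.profile hunk, whereas the parallel dnsmasq.profile and elinks.profile hunks in this same diff only move that line below their `noblacklist` entries; if the intent here was the same reordering, the re-added `blacklist /tmp/.X11-unix` is missing and the X11 socket stays reachable from a resolver that has no business talking to the display (unless lines outside this hunk cover it with `x11 none` or `private-tmp`). Separately, the sorted `seccomp.drop` list still names `perf_event_open` twice, inherited from the old line; dropping the duplicate is harmless and keeps the list clean. The added `ipc-namespace`, `nodbus`, `machine-id` and `protocol inet,inet6` are sound tightening.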
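Review bot: `+allusers` in the dolphin.profile hunk makes every directory under /home visible inside the sandbox, the opposite direction from the hardening lines around it, yet unlike the `noroot` line just below it carries no explanation of why. A why-comment in the style this hunk already uses would make the trade-off deliberate, e.g. `# allusers - a file manager needs to reach other users' directories; put 'ignore allusers' in your dolphin.local if you do not need that`. The motivation is inferred from the application's role, so reword if it was different.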
@@ -1,11 +1,12 @@
 # Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
+include dooble.local
+# Backward compatibility
 include dooble-qt4.local
 # Persistent global definitions
 include globals.local
-
 noblacklist ${HOME}/.dooble
 include disable-common.inc
diff -Nru firejail-0.9.60/etc/dooble-qt4.profile firejail-0.9.62/etc/dooble-qt4.profile
--- firejail-0.9.60/etc/dooble-qt4.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/dooble-qt4.profile 2019-12-14 13:30:32.000000000 +0000
@@ -1,6 +1,5 @@
 # Firejail profile alias for dooble
 # This file is overwritten after every install/update
-
 # Redirect
 include dooble.profile
diff -Nru firejail-0.9.60/etc/dragon.profile firejail-0.9.62/etc/dragon.profile
--- firejail-0.9.60/etc/dragon.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/dragon.profile 2019-12-14 13:30:32.000000000 +0000
@@ -18,6 +18,8 @@
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/dragonplayer
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff -Nru firejail-0.9.60/etc/drawio.profile firejail-0.9.62/etc/drawio.profile
--- firejail-0.9.60/etc/drawio.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/drawio.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,51 @@
+# Firejail profile for drawio
+# Description: Diagram drawing application built on web technology - desktop version
+# This file is overwritten after every install/update
+# Persistent local customizations
+include drawio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/draw.io
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin drawio
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
diff -Nru firejail-0.9.60/etc/easystroke.profile firejail-0.9.62/etc/easystroke.profile
--- firejail-0.9.60/etc/easystroke.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/easystroke.profile 2019-12-14 13:30:32.000000000 +0000
@@ -16,6 +16,8 @@
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-usr-share-common.inc
+
 apparmor
 caps.drop all
 machine-id
diff -Nru firejail-0.9.60/etc/ebook-viewer.profile firejail-0.9.62/etc/ebook-viewer.profile
--- firejail-0.9.60/etc/ebook-viewer.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/ebook-viewer.profile 2019-12-14 13:30:32.000000000 +0000
@@ -1,5 +1,7 @@
 # Firejail profile alias for calibre
 # This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-viewer.local
 net none
 nodbus
diff -Nru firejail-0.9.60/etc/electron-mail.profile firejail-0.9.62/etc/electron-mail.profile
--- firejail-0.9.60/etc/electron-mail.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/electron-mail.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,52 @@
+# Firejail profile for electron-mail
+# Description: Unofficial desktop app for several E2E encrypted email providers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-mail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/electron-mail
+
+whitelist ${DOWNLOADS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/electron-mail
+whitelist ${HOME}/.config/electron-mail
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+# nodbus - breaks tray functionality
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin electron-mail
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt ElectronMail
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
diff -Nru firejail-0.9.60/etc/electrum.profile firejail-0.9.62/etc/electrum.profile
--- firejail-0.9.60/etc/electrum.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/electrum.profile 2019-12-29 15:05:17.000000000 +0000
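Review bot: The new electron-mail.profile allows networking (`netfilter`, `protocol unix,inet,inet6,netlink`) but restricts /etc to `private-etc alternatives,fonts`, so inside the sandbox there is no resolv.conf, ca-certificates, ssl, pki or crypto-policies; the discord-common.profile hunk earlier in this diff lists all of those for a comparable networked Electron app. Unless the application resolves names and validates TLS through some path not visible here, logins to the mail providers would fail inside the sandbox. Worth verifying with a TLS login under the profile and, if it fails, widening to `private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl`.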
@@ -9,12 +9,8 @@
 noblacklist ${HOME}/.electrum
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -49,7 +45,8 @@
 disable-mnt
 private-bin electrum,python*
 private-cache
+?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id,resolv.conf
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff -Nru firejail-0.9.60/etc/elinks.profile firejail-0.9.62/etc/elinks.profile
--- firejail-0.9.60/etc/elinks.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/elinks.profile 2019-12-14 13:30:32.000000000 +0000
@@ -6,10 +6,10 @@
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.elinks
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -36,5 +36,5 @@
 # private-bin elinks
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff -Nru firejail-0.9.60/etc/emacs.profile firejail-0.9.62/etc/emacs.profile
--- firejail-0.9.60/etc/emacs.profile 2019-04-27 15:28:10.000000000 +0000
+++ firejail-0.9.62/etc/emacs.profile 2019-12-14 13:30:32.000000000 +0000
@@ -11,7 +11,9 @@
 # if you need gpg uncomment the following line
 # or put it into your emacs.local
 #noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.python-history
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -24,5 +26,6 @@
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
diff -Nru firejail-0.9.60/etc/enchant.profile firejail-0.9.62/etc/enchant.profile
--- firejail-0.9.60/etc/enchant.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/enchant.profile 2019-12-14 13:30:32.000000000 +0000
@@ -16,6 +16,8 @@
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-usr-share-common.inc
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -35,6 +37,7 @@
 seccomp
 shell none
 tracelog
+x11 none
 private-bin enchant,enchant-*
 private-cache
diff -Nru firejail-0.9.60/etc/engrampa.profile firejail-0.9.62/etc/engrampa.profile
--- firejail-0.9.60/etc/engrampa.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/engrampa.profile 2019-12-14 13:30:32.000000000 +0000
@@ -35,7 +35,6 @@
 # private-bin engrampa
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 memory-deny-write-execute
diff -Nru firejail-0.9.60/etc/enpass.profile firejail-0.9.62/etc/enpass.profile
--- firejail-0.9.60/etc/enpass.profile 2019-05-06 13:13:29.000000000 +0000
+++ firejail-0.9.62/etc/enpass.profile 2019-12-14 13:30:32.000000000 +0000
@@ -20,12 +20,16 @@
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
 whitelist ${HOME}/.cache/Enpass
 whitelist ${HOME}/.config/sinew.in
 whitelist ${HOME}/.config/Sinew Software Systems
 whitelist ${HOME}/.local/share/Enpass
 whitelist ${DOCUMENTS}
-
+include whitelist-common.inc
 include whitelist-var-common.inc
 # machine-id and nosound break audio notification functionality
@@ -49,10 +53,10 @@
 shell none
 tracelog
-private-bin dirname,Enpass,importer_enpass,sh,readlink
+private-bin dirname,Enpass,importer_enpass,readlink,sh
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
 private-opt Enpass
 private-tmp
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff -Nru firejail-0.9.60/etc/eo-common.profile firejail-0.9.62/etc/eo-common.profile
--- firejail-0.9.60/etc/eo-common.profile 2019-05-21 12:17:54.000000000 +0000
+++ firejail-0.9.62/etc/eo-common.profile 2019-12-14 13:30:32.000000000 +0000
@@ -4,7 +4,7 @@
 # Persistent local customizations
 include eo-common.local
 # Persistent global definitions
-# already included by caller profile
+# added by caller profile
 #include globals.local
 noblacklist ${HOME}/.local/share/Trash
@@ -18,6 +18,7 @@
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -43,5 +44,3 @@
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
-
-#memory-deny-write-execute - breaks on Arch
diff -Nru firejail-0.9.60/etc/eog.profile firejail-0.9.62/etc/eog.profile
--- firejail-0.9.60/etc/eog.profile 2019-05-21 12:17:54.000000000 +0000
+++ firejail-0.9.62/etc/eog.profile 2019-12-14 13:30:32.000000000 +0000
@@ -8,6 +8,8 @@
 noblacklist ${HOME}/.config/eog
+whitelist /usr/share/eog
+
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
 # comment those if you need that functionality
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
diff -Nru firejail-0.9.60/etc/eom.profile firejail-0.9.62/etc/eom.profile
--- firejail-0.9.60/etc/eom.profile 2019-05-21 12:17:54.000000000 +0000
+++ firejail-0.9.62/etc/eom.profile 2019-12-14 13:30:32.000000000 +0000
@@ -8,6 +8,8 @@
 noblacklist ${HOME}/.config/mate/eom
+whitelist /usr/share/eom
+
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
 # comment those if you need that functionality
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local
diff -Nru firejail-0.9.60/etc/ephemeral.profile firejail-0.9.62/etc/ephemeral.profile
--- firejail-0.9.60/etc/ephemeral.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/ephemeral.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,61 @@
+# Firejail profile for ephemeral
+# Description: The always-incognito web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ephemeral.local
+# Persistent global definitions
+include globals.local
+
+# enforce private-cache
+#noblacklist ${HOME}/.cache/ephemeral
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# enforce private-cache
+#mkdir ${HOME}/.cache/ephemeral
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+# enforce private-cache
+#whitelist ${HOME}/.cache/ephemeral
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+# nodbus breaks preferences
+#nodbus
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
diff -Nru firejail-0.9.60/etc/epiphany.profile firejail-0.9.62/etc/epiphany.profile
--- firejail-0.9.60/etc/epiphany.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/epiphany.profile 2019-12-14 13:30:32.000000000 +0000
@@ -1,11 +1,14 @@
 # Firejail profile for epiphany
-# Description: Clone of Boulder Dash game
+# Description: The GNOME Web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include epiphany.local
 # Persistent global definitions
 include globals.local
+# Note: Epiphany use bwrap since 3.34 and can not be firejailed any more.
+# See https://github.com/netblue30/firejail/issues/2995
+
 noblacklist ${HOME}/.cache/epiphany
 noblacklist ${HOME}/.config/epiphany
 noblacklist ${HOME}/.local/share/epiphany
diff -Nru firejail-0.9.60/etc/etr.profile firejail-0.9.62/etc/etr.profile
--- firejail-0.9.60/etc/etr.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/etr.profile 2019-12-14 13:30:32.000000000 +0000
@@ -1,4 +1,5 @@
 # Firejail profile for etr
+# Description: High speed arctic racing game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include etr.local
@@ -29,6 +30,7 @@
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff -Nru firejail-0.9.60/etc/evince-previewer.profile firejail-0.9.62/etc/evince-previewer.profile
--- firejail-0.9.60/etc/evince-previewer.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/evince-previewer.profile 2019-12-14 13:30:32.000000000 +0000
@@ -6,6 +6,5 @@
 # added by included profile
 #include globals.local
-
 # Redirect
 include evince.profile
diff -Nru firejail-0.9.60/etc/evince.profile firejail-0.9.62/etc/evince.profile
--- firejail-0.9.60/etc/evince.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/evince.profile 2019-12-14 13:30:32.000000000 +0000
@@ -17,6 +17,10 @@
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/evince
+whitelist /usr/share/poppler
+whitelist /usr/share/tracker
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -43,7 +47,6 @@
 private-cache
 private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv
+# private-lib might break two-page-view on some systems
+private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
-
-# memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
diff -Nru firejail-0.9.60/etc/evince-thumbnailer.profile firejail-0.9.62/etc/evince-thumbnailer.profile
--- firejail-0.9.60/etc/evince-thumbnailer.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/evince-thumbnailer.profile 2019-12-14 13:30:32.000000000 +0000
@@ -6,6 +6,5 @@
 # added by included profile
 #include globals.local
-
 # Redirect
 include evince.profile
diff -Nru firejail-0.9.60/etc/exfalso.profile firejail-0.9.62/etc/exfalso.profile
--- firejail-0.9.60/etc/exfalso.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/exfalso.profile 2019-12-14 13:30:32.000000000 +0000
@@ -10,12 +10,11 @@ noblacklist ${MUSIC} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc + +whitelist ${DOWNLOADS} +whitelist ${MUSIC} include disable-common.inc include disable-devel.inc @@ -25,6 +24,12 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.quodlibet +whitelist ${HOME}/.quodlibet +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + caps.drop all machine-id netfilter @@ -49,4 +54,4 @@ private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3* private-tmp -# memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/exiftool.profile firejail-0.9.62/etc/exiftool.profile --- firejail-0.9.60/etc/exiftool.profile 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/exiftool.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,12 +6,8 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - -# Allow access to perl -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc include disable-common.inc include disable-devel.inc @@ -20,6 +16,9 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/perl5 +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace 
@@ -39,6 +38,7 @@ seccomp shell none tracelog +x11 none # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. diff -Nru firejail-0.9.60/etc/falkon.profile firejail-0.9.62/etc/falkon.profile --- firejail-0.9.60/etc/falkon.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/falkon.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,8 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.cache/falkon +mkdir ${HOME}/.config/falkon whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/falkon whitelist ${HOME}/.config/falkon @@ -32,9 +34,10 @@ nou2f protocol unix,inet,inet6,netlink # blacklisting of chroot system calls breaks falkon -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot # tracelog private-dev +# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies # private-tmp - interferes with the opening of downloaded files diff -Nru firejail-0.9.60/etc/feedreader.profile firejail-0.9.62/etc/feedreader.profile --- firejail-0.9.60/etc/feedreader.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/feedreader.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -15,12 +15,15 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.cache/feedreader mkdir ${HOME}/.local/share/feedreader whitelist ${HOME}/.cache/feedreader whitelist ${HOME}/.local/share/feedreader +whitelist /usr/share/feedreader include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all diff -Nru firejail-0.9.60/etc/feh-network.inc firejail-0.9.62/etc/feh-network.inc --- firejail-0.9.60/etc/feh-network.inc 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/feh-network.inc 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,4 @@ ignore net none netfilter protocol unix,inet,inet6 -private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies +private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl diff -Nru firejail-0.9.60/etc/fetchmail.profile firejail-0.9.62/etc/fetchmail.profile --- firejail-0.9.60/etc/fetchmail.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/fetchmail.profile 2019-12-14 13:30:32.000000000 +0000 @@ -30,5 +30,5 @@ seccomp shell none -#private-bin fetchmail,procmail,bash,chmod +#private-bin bash,chmod,fetchmail,procmail private-dev diff -Nru firejail-0.9.60/etc/ffmpeg.profile firejail-0.9.62/etc/ffmpeg.profile --- firejail-0.9.60/etc/ffmpeg.profile 2019-04-27 15:28:10.000000000 +0000 +++ firejail-0.9.62/etc/ffmpeg.profile 2019-12-14 13:30:32.000000000 +0000 @@ -18,6 +18,10 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/devedeng +whitelist /usr/share/ffmpeg +whitelist /usr/share/qtchooser +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
@@ -35,15 +39,15 @@ nou2f novideo protocol inet,inet6 -seccomp -# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom +# allow set_mempolicy, which is required to encode using libx265 +seccomp !set_mempolicy shell none tracelog private-bin ffmpeg private-cache private-dev -private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf +private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl private-tmp # memory-deny-write-execute - it breaks old versions of ffmpeg diff -Nru firejail-0.9.60/etc/ffmpegthumbnailer.profile firejail-0.9.62/etc/ffmpegthumbnailer.profile --- firejail-0.9.60/etc/ffmpegthumbnailer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ffmpegthumbnailer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for ffmpegthumbnailer # Description: FFmpeg-based video thumbnailer # This file is overwritten after every install/update +quiet # Persistent local customizations include ffmpegthumbnailer.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/ffplay.profile firejail-0.9.62/etc/ffplay.profile --- firejail-0.9.60/etc/ffplay.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ffplay.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,14 +1,20 @@ # Firejail profile for ffplay # Description: FFmpeg-based media player # This file is overwritten after every install/update +quiet # Persistent local customizations include ffplay.local # Persistent global definitions # added by included profile #include globals.local -private-bin ffplay +protocol unix,inet,inet6 +ignore ipc-namespace +ignore nogroups +ignore nosound +private-bin ffplay +private-etc alsa,asound.conf,group # Redirect include ffmpeg.profile diff -Nru firejail-0.9.60/etc/ffprobe.profile firejail-0.9.62/etc/ffprobe.profile --- firejail-0.9.60/etc/ffprobe.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ffprobe.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,14 +1,14 @@ # Firejail profile for ffprobe # Description: FFmpeg-based media prober # This file is overwritten after every install/update +quiet # Persistent local customizations include ffprobe.local # Persistent global definitions # added by included profile #include globals.local -private-bin ffprobe - +ignore private-bin # Redirect include ffmpeg.profile diff -Nru firejail-0.9.60/etc/file.profile firejail-0.9.62/etc/file.profile --- firejail-0.9.60/etc/file.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/file.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,8 +7,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc 
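Review bot: `ignore private-bin` widens ffprobe's sandbox from a private /bin that held only the listed binaries to the full system bin directories, and the hunk gives no reason for it; the old `private-bin ffprobe` sat next to ffmpeg.profile's `private-bin ffmpeg` and, if firejail merges private-bin lists across includes, yielded a two-binary view. If private-bin broke ffprobe somewhere, record it on the line, e.g. `# ignore private-bin - ffprobe fails with private-bin on <distro>`, and if the intent was only to drop the ffmpeg binary from the list, say that instead. A relaxation without a comment is easily read as an accident in a later cleanup.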
@@ -35,10 +33,11 @@ tracelog x11 none -#private-bin file +#private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd private-cache private-dev -private-etc alternatives,magic.mgc,magic,localtime -private-lib libarchive.so.*,libfakeroot,libmagic.so.* +private-etc alternatives,localtime,magic,magic.mgc +private-lib file,libarchive.so.*,libfakeroot,libmagic.so.* memory-deny-write-execute +read-only ${HOME} diff -Nru firejail-0.9.60/etc/file-roller.profile firejail-0.9.62/etc/file-roller.profile --- firejail-0.9.60/etc/file-roller.profile 2019-04-27 15:28:10.000000000 +0000 +++ firejail-0.9.62/etc/file-roller.profile 2019-12-14 13:30:32.000000000 +0000 @@ -13,6 +13,8 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/file-roller +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -21,9 +23,6 @@ machine-id # net none - breaks on older Ubuntu versions no3d -# nodbus - makes settings immutable - comment if you need settings support -# or put 'ignore nodbus' in your file-roller.local -nodbus nodvd nogroups nonewprivs @@ -39,7 +38,4 @@ # private-bin file-roller private-dev -# private-etc alternatives,fonts # private-tmp - -# memory-deny-write-execute diff -Nru firejail-0.9.60/etc/filezilla.profile firejail-0.9.62/etc/filezilla.profile --- firejail-0.9.60/etc/filezilla.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/filezilla.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${HOME}/.filezilla # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
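Review bot: Dropping `nodbus` also drops the comment that explained the trade-off, so the profile no longer tells a user that file-roller's settings become immutable under nodbus or that hardening is a one-line `nodbus` in file-roller.local. An archive handler that opens untrusted files now gets unrestricted session-bus access by default, which is a deliberate choice worth leaving visible, e.g. `# nodbus is not set because it makes settings immutable; add 'nodbus' to file-roller.local if you can live with that`. Keeping the hint makes the relaxation reviewable and reversible per user.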
@@ -37,6 +33,6 @@ shell none # private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin -private-bin filezilla,uname,sh,bash,zsh,python*,lsb_release,fzputtygen,fzsftp +private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh private-dev private-tmp diff -Nru firejail-0.9.60/etc/firefox-beta.profile firejail-0.9.62/etc/firefox-beta.profile --- firejail-0.9.60/etc/firefox-beta.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firefox-beta.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include firefox-beta.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include firefox.profile diff -Nru firejail-0.9.60/etc/firefox-common-addons.inc firejail-0.9.62/etc/firefox-common-addons.inc --- firejail-0.9.60/etc/firefox-common-addons.inc 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firefox-common-addons.inc 2019-12-14 13:30:32.000000000 +0000 @@ -43,8 +43,10 @@ whitelist ${HOME}/.local/share/kget whitelist ${HOME}/.local/share/okular whitelist ${HOME}/.local/share/qpdfview +whitelist ${HOME}/.local/share/tridactyl whitelist ${HOME}/.pentadactyl whitelist ${HOME}/.pentadactylrc +whitelist ${HOME}/.tridactylrc whitelist ${HOME}/.vimperator whitelist ${HOME}/.vimperatorrc whitelist ${HOME}/.wine-pipelight 
@@ -56,8 +58,10 @@ noblacklist ${HOME}/.local/share/gnome-shell whitelist ${HOME}/.local/share/gnome-shell ignore nodbus -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python3* +include allow-python3.inc + +# KeePassXC Browser Integration +#private-bin keepassxc-proxy # Flash plugin # private-etc must first be enabled in firefox-common.profile and in profiles including it. diff -Nru firejail-0.9.60/etc/firefox-common.profile firejail-0.9.62/etc/firefox-common.profile --- firejail-0.9.60/etc/firefox-common.profile 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/firefox-common.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,7 @@ # Persistent local customizations include firefox-common.local # Persistent global definitions -# already included by caller profile +# added by caller profile #include globals.local # noexec ${HOME} breaks DRM binaries. @@ -34,11 +34,8 @@ # machine-id breaks pulse audio; it should work fine in setups where sound is not required. #machine-id netfilter -# Breaks Gnome connector and KDE Connect. -# Also seems to break Ubuntu titlebar menu. -# Also breaks enigmail apparently? -# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on. -# Therefore disable if you use that. +# nodbus breaks various desktop integration features +# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma nodbus nodvd nogroups 
@@ -49,7 +46,7 @@ ?BROWSER_DISABLE_U2F: nou2f protocol unix,inet,inet6,netlink # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. #tracelog @@ -57,5 +54,5 @@ disable-mnt private-dev # private-etc below works fine on most distributions. There are some problems on CentOS. -#private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache +#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp diff -Nru firejail-0.9.60/etc/firefox-developer-edition.profile firejail-0.9.62/etc/firefox-developer-edition.profile --- firejail-0.9.60/etc/firefox-developer-edition.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firefox-developer-edition.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -4,8 +4,8 @@ # Persistent local customizations include firefox-developer-edition.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include firefox.profile diff -Nru firejail-0.9.60/etc/firefox-esr.profile firejail-0.9.62/etc/firefox-esr.profile --- firejail-0.9.60/etc/firefox-esr.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firefox-esr.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include firefox-esr.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include firefox.profile diff -Nru firejail-0.9.60/etc/firefox-nightly.profile firejail-0.9.62/etc/firefox-nightly.profile --- firejail-0.9.60/etc/firefox-nightly.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firefox-nightly.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include firefox-nightly.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include firefox.profile diff -Nru firejail-0.9.60/etc/firefox.profile firejail-0.9.62/etc/firefox.profile --- firejail-0.9.60/etc/firefox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firefox.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -14,8 +14,13 @@ whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla +whitelist /usr/share/mozilla +include whitelist-usr-share-common.inc + # firefox requires a shell to launch on Arch. -#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash +#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which +# Fedora use shell scripts to launch firefox, at least this is required +#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname # private-etc must first be enabled in firefox-common.profile #private-etc firefox diff -Nru firejail-0.9.60/etc/firefox-wayland.profile firejail-0.9.62/etc/firefox-wayland.profile --- firejail-0.9.60/etc/firefox-wayland.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firefox-wayland.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,10 +1,10 @@ -# Firejail profile for firefox-wayland +# Firejail profile alias for firefox-wayland # This file is overwritten after every install/update # Persistent local customizations include firefox-wayland.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include firefox.profile diff -Nru firejail-0.9.60/etc/firejail.config firejail-0.9.62/etc/firejail.config --- firejail-0.9.60/etc/firejail.config 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/firejail.config 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,4 @@ -# This is Firejail system-wide configuration file. The file contains +# This is Firejail system-wide configuration file. The file contains # keyword-argument pairs, one per line. Most features are enabled by default. # Use 'yes' or 'no' as configuration values. 
@@ -35,6 +35,11 @@ # cannot be overridden by --noblacklist or --ignore. # disable-mnt no +# Set the limit for file copy in several --private-* options. The size is set +# in megabytes. By default we allow up to 500MB. +# Note: the files are copied in RAM. +# file-copy-limit 500 + # Enable or disable file transfer support, default enabled. # file-transfer yes diff -Nru firejail-0.9.60/etc/firejail-default firejail-0.9.62/etc/firejail-default --- firejail-0.9.60/etc/firejail-default 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/firejail-default 2019-12-14 13:30:32.000000000 +0000 @@ -22,12 +22,11 @@ ########## # With ptrace it is possible to inspect and hijack running programs. -# Some browsers are also using ptrace for their sandboxing. ########## # Uncomment this line to allow all ptrace access #ptrace, # Allow obtaining some process information, but not ptrace(2) -ptrace (read,readby) peer=firejail-default, +ptrace (read,readby) peer=@{profile_name}, ########## # Allow read access to whole filesystem and control it from firejail. @@ -44,10 +43,8 @@ ########## # Whitelist writable paths under /run, /proc and /sys. ########## +owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, -owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w, -owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w, - owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, # Allow writing to removable media 
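Review bot: The new `file-copy-limit` comment says the copies land in RAM but not what happens when a `--private-*` copy crosses the limit (sandbox refuses to start, copy stops with a warning, or silently truncated tree), which is exactly what an administrator tuning it against memory exhaustion needs to know; the behaviour cannot be told from this hunk. Add a sentence stating it, e.g. `# When the limit is exceeded the copy stops with a warning and the sandbox continues with a partial directory` if that is what the code does, and list the affected options (`--private-bin`, `--private-etc`, `--private-lib`, ...) instead of "several". If the limit applies per sandbox rather than system-wide, that is worth a word too.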
@@ -57,23 +54,23 @@ /{,var/}run/systemd/journal/socket w, /{,var/}run/systemd/journal/dev-log w, -# Needed for wine -/{,var/}run/firejail/profile/@{PID} w, - # Allow access to cups printing socket. /{,var/}run/cups/cups.sock w, +# Allow access to pcscd socket (smartcards) +/{,var/}run/pcscd/pcscd.comm w, + # Needed for firefox sandbox -/proc/[0-9]*/{uid_map,gid_map,setgroups} w, +/proc/@{PID}/{uid_map,gid_map,setgroups} w, + +# Needed for electron apps +/proc/@{PID}/comm w, # Silence noise deny /proc/@{PID}/oom_adj w, deny /proc/@{PID}/oom_score_adj w, # Uncomment to silence all denied write warnings -#deny /proc/** w, - -# Uncomment to silence all denied write warnings #deny /sys/** w, ########## @@ -93,8 +90,10 @@ ########## # Blacklist specific sensitive paths. ########## -# Common backup directory -deny /**/.snapshots/ rwx, +deny /**/.fscrypt/ rw, +deny /**/.fscrypt/** rwklmx, +deny /**/.snapshots/ rw, +deny /**/.snapshots/** rwklmx, ########## # Allow all networking functionality, and control it from Firejail. @@ -110,7 +109,8 @@ ########## # There is no equivalent in Firejail for filtering signals. ########## -signal, +signal (send) peer=@{profile_name}, +signal (receive), ########## # We let Firejail deal with capabilities, but ensure that @@ -151,14 +151,6 @@ #capability mac_override, #capability mac_admin, -########## -# We let Firejail deal with mount/umount functionality. -########## -mount, -remount, -umount, -pivot_root, - # Site-specific additions and overrides. See local/README for details. #include } diff -Nru firejail-0.9.60/etc/flameshot.profile firejail-0.9.62/etc/flameshot.profile --- firejail-0.9.60/etc/flameshot.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/flameshot.profile 2019-12-14 13:30:32.000000000 +0000 
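Review bot: `signal (send) peer=@{profile_name}` still permits signalling every process confined by this profile, not just the current sandbox, because firejail-default is the one profile shared by all sandboxes that use `apparmor` (the old `peer=firejail-default` line in the ptrace hunk shows the same name); whatever separation exists between two sandboxes therefore presumably still comes from firejail's PID namespace, not from this rule. A reader who sees the peer restriction may over-read it, so annotate it, e.g. `# @{profile_name} matches every firejail-default confined process, not only this sandbox; cross-sandbox isolation relies on the pid namespace`. `signal (receive)` with no peer is fine, since unconfined processes must still be able to stop the sandbox.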
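Review bot: The `mount`, `remount`, `umount` and `pivot_root` rules are removed together with the block comment that explained them, so the profile now denies mount-family operations silently; that is a real hardening for the confined application, and it only works because firejail presumably has finished its own mount setup before the process enters this profile, which the surrounding "control it from Firejail" comments imply but never state. Leave a marker in place of the removed block so nobody re-adds the rules when a sandboxed app logs a mount denial, e.g. `# mount/umount/pivot_root are intentionally denied: Firejail completes its mount namespace setup before this profile is entered`. The end of the profile (`}`) is visible, so this is the last hunk of the file.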
@@ -37,7 +37,7 @@ disable-mnt private-bin flameshot private-cache -private-etc alternatives,fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl private-dev private-tmp diff -Nru firejail-0.9.60/etc/flowblade.profile firejail-0.9.62/etc/flowblade.profile --- firejail-0.9.60/etc/flowblade.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/flowblade.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${HOME}/.flowblade # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/fontforge.profile firejail-0.9.62/etc/fontforge.profile --- firejail-0.9.60/etc/fontforge.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/fontforge.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/font-manager.profile firejail-0.9.62/etc/font-manager.profile --- firejail-0.9.60/etc/font-manager.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/font-manager.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/font-manager # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -29,7 +25,9 @@ mkdir ${HOME}/.config/font-manager whitelist ${HOME}/.cache/font-manager whitelist ${HOME}/.config/font-manager +whitelist /usr/share/font-manager include whitelist-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all @@ -54,4 +52,4 @@ private-dev private-tmp -#memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/fossamail.profile firejail-0.9.62/etc/fossamail.profile --- firejail-0.9.60/etc/fossamail.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/fossamail.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include fossamail.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/fossamail noblacklist ${HOME}/.fossamail diff -Nru firejail-0.9.60/etc/FossaMail.profile firejail-0.9.62/etc/FossaMail.profile --- firejail-0.9.60/etc/FossaMail.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/FossaMail.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for fossamail # This file is overwritten after every install/update - # Redirect include fossamail.profile diff -Nru firejail-0.9.60/etc/franz.profile firejail-0.9.62/etc/franz.profile --- firejail-0.9.60/etc/franz.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/franz.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -5,6 +5,8 @@ # Persistent global definitions include globals.local +ignore noexec /tmp + noblacklist ${HOME}/.cache/Franz noblacklist ${HOME}/.config/Franz noblacklist ${HOME}/.pki @@ -12,6 +14,7 @@ include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc @@ -35,11 +38,9 @@ notv nou2f protocol unix,inet,inet6,netlink -seccomp +seccomp !chroot shell none disable-mnt private-dev private-tmp - -noexec ${HOME} diff -Nru firejail-0.9.60/etc/freecadcmd.profile firejail-0.9.62/etc/freecadcmd.profile --- firejail-0.9.60/etc/freecadcmd.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/freecadcmd.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for freecad # This file is overwritten after every install/update - # Redirect include freecad.profile diff -Nru firejail-0.9.60/etc/freeciv.profile firejail-0.9.62/etc/freeciv.profile --- firejail-0.9.60/etc/freeciv.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/freeciv.profile 2019-12-14 13:30:32.000000000 +0000 @@ -38,7 +38,7 @@ tracelog disable-mnt -private-bin freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual +private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/freecol.profile firejail-0.9.62/etc/freecol.profile --- firejail-0.9.60/etc/freecol.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/freecol.profile 2019-12-14 13:30:32.000000000 +0000 
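Review bot: `ignore noexec /tmp` cancels the /tmp part of the `disable-exec.inc` hardening that the next hunk pulls in, and nothing in the profile says why Franz needs an executable /tmp; `private-tmp` (still present in the last hunk) keeps the directory private to the sandbox, but an Electron process that writes and runs helpers there is also exactly what a code-execution bug would abuse. Put the reason on the line, e.g. `# ignore noexec /tmp - Franz executes helpers it unpacks under /tmp` (or whatever the actual breakage was), so the ignore is not dropped as a cleanup and users can decide whether to override it in franz.local.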
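Review bot: `seccomp !chroot` leaves the chroot syscall available to Franz without a comment, whereas the falkon and firefox-common hunks in this same diff annotate the identical exception (`# blacklisting of chroot system calls breaks falkon`, plus an issue pointer in firefox-common). Presumably the Chromium/Electron sandbox needs chroot here as well; add the same kind of note, e.g. `# blacklisting of chroot system calls breaks the Electron sandbox`, so the relaxation is not mistaken for the plain `seccomp` it replaced. Removing `noexec ${HOME}` in this hunk is only neutral if disable-exec.inc, included by the second hunk, restores it; that file is outside this diff.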
@@ -7,16 +7,12 @@ include globals.local noblacklist ${HOME}/.freecol -noblacklist ${HOME}/.java noblacklist ${HOME}/.cache/freecol noblacklist ${HOME}/.config/freecol noblacklist ${HOME}/.local/share/freecol -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/freemind.profile firejail-0.9.62/etc/freemind.profile --- firejail-0.9.60/etc/freemind.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/freemind.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,12 +7,11 @@ include globals.local noblacklist ${DOCUMENTS} -noblacklist ${PATH}/java -noblacklist /etc/java -noblacklist /usr/lib/java -noblacklist /usr/share/java noblacklist ${HOME}/.freemind +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -43,7 +42,7 @@ tracelog disable-mnt -private-bin freemind,java,bash,sed,sh,grep,mkdir,echo,cp,uname,which,lsb_release,rpm,dpkg,dirname,readlink +private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which private-cache private-dev #private-etc alternatives,fonts,java diff -Nru firejail-0.9.60/etc/frozen-bubble.profile firejail-0.9.62/etc/frozen-bubble.profile --- firejail-0.9.60/etc/frozen-bubble.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/frozen-bubble.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,11 +9,7 @@ noblacklist ${HOME}/.frozen-bubble # Allow perl (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/cpan* -noblacklist ${PATH}/core_perl -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +include allow-perl.inc include disable-common.inc include disable-devel.inc 
@@ -35,6 +31,7 @@ noroot notv nou2f +novideo protocol unix,netlink seccomp shell none @@ -42,5 +39,4 @@ disable-mnt # private-bin frozen-bubble private-dev -# private-etc alternatives private-tmp diff -Nru firejail-0.9.60/etc/gajim.profile firejail-0.9.62/etc/gajim.profile --- firejail-0.9.60/etc/gajim.profile 2019-05-06 13:13:29.000000000 +0000 +++ firejail-0.9.62/etc/gajim.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,12 +11,8 @@ noblacklist ${HOME}/.local/share/gajim # Allow python (blacklisted by disable-interpreters.inc) -#noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -#noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -#noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +#include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -24,6 +20,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +# Comment the following line if you need to whitelist other folders than ~/Downloads include disable-xdg.inc mkdir ${HOME}/.cache/gajim @@ -50,7 +47,7 @@ tracelog disable-mnt -private-bin python,python3,sh,gpg,gpg2,gajim,bash,zsh,paplay,gajim-history-manager +private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/galculator.profile firejail-0.9.62/etc/galculator.profile --- firejail-0.9.60/etc/galculator.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/galculator.profile 2019-12-14 13:30:32.000000000 +0000 @@ -24,7 +24,7 @@ apparmor caps.drop all #hostname galculator - breaks Arch Linux -ipc-namespace +#ipc-namespace net none nodbus nodvd 
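Review bot: `#ipc-namespace` is commented out without a reason, while the neighbouring `#hostname galculator - breaks Arch Linux` line and the memory-deny-write-execute line later in this file both record theirs. Leaving a calculator in the host IPC namespace exposes other processes' SysV IPC and shared-memory segments to it for no obvious need, so note the breakage, e.g. `#ipc-namespace - breaks on <distro/toolkit>`, or point at the issue. Without that the next hardening pass cannot tell whether it is safe to re-enable.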
@@ -47,4 +47,4 @@ private-lib private-tmp -memory-deny-write-execute +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/gcloud.profile firejail-0.9.62/etc/gcloud.profile --- firejail-0.9.60/etc/gcloud.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gcloud.profile 2019-12-14 13:30:32.000000000 +0000 @@ -36,5 +36,5 @@ disable-mnt private-dev -private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/gconf-editor.profile firejail-0.9.62/etc/gconf-editor.profile --- firejail-0.9.60/etc/gconf-editor.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gconf-editor.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,10 @@ # added by included profile #include globals.local +blacklist /tmp/.X11-unix + +ignore net none +ignore x11 none # Redirect include gconf.profile diff -Nru firejail-0.9.60/etc/gconf-merge-schema.profile firejail-0.9.62/etc/gconf-merge-schema.profile --- firejail-0.9.60/etc/gconf-merge-schema.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gconf-merge-schema.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include gconf.profile diff -Nru firejail-0.9.60/etc/gconf-merge-tree.profile firejail-0.9.62/etc/gconf-merge-tree.profile --- firejail-0.9.60/etc/gconf-merge-tree.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gconf-merge-tree.profile 2019-12-14 13:30:32.000000000 +0000 
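Review bot: The new gconf-editor lines read as contradictory: `ignore x11 none` switches the display back on for the GUI, but `blacklist /tmp/.X11-unix` then hides the X socket directory, so the editor can only reach the server via the abstract socket namespace (where the server offers one) or not at all, and a reader cannot tell which outcome is intended. If the goal is to undo the `x11 none` that gconf.profile now sets while keeping the socket directory hidden, say so, e.g. `# keep DISPLAY/XAUTHORITY but hide /tmp/.X11-unix; X11 is reached over the abstract socket`; if the blacklist is a leftover from the old pattern, drop it. `ignore net none` is similarly unexplained, and no `net none` is visible in the gconf.profile hunks shown in this diff.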
@@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include gconf.profile diff -Nru firejail-0.9.60/etc/gconfpkg.profile firejail-0.9.62/etc/gconfpkg.profile --- firejail-0.9.60/etc/gconfpkg.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gconfpkg.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include gconf.profile diff -Nru firejail-0.9.60/etc/gconf.profile firejail-0.9.62/etc/gconf.profile --- firejail-0.9.60/etc/gconf.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gconf.profile 2019-12-28 13:14:56.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/gconf # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -#noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -#noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -#noblacklist /usr/local/lib/python3* +include allow-python2.inc +#include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -26,7 +22,10 @@ mkdir ${HOME}/.config/gconf whitelist ${HOME}/.config/gconf +whitelist /usr/share/GConf +whitelist /usr/share/gconf include whitelist-common.inc +include whitelist-usr-share-common.inc apparmor caps.drop all @@ -46,13 +45,14 @@ seccomp shell none tracelog +x11 none disable-mnt private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* private-cache private-dev private-etc alternatives,fonts,gconf -private-lib libpython*,python2* +private-lib GConf,libpython*,python2* private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/gconftool-2.profile firejail-0.9.62/etc/gconftool-2.profile --- firejail-0.9.60/etc/gconftool-2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gconftool-2.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include gconf.profile diff -Nru firejail-0.9.60/etc/geany.profile firejail-0.9.62/etc/geany.profile --- firejail-0.9.60/etc/geany.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/geany.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,11 +7,9 @@ include globals.local noblacklist ${HOME}/.config/geany -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.python-history -noblacklist ${HOME}/.pythonrc.py + +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc include disable-passwdmgr.inc diff -Nru firejail-0.9.60/etc/geary.profile firejail-0.9.62/etc/geary.profile --- firejail-0.9.60/etc/geary.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/geary.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,29 +4,29 @@ # Persistent local customizations include geary.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local # Users have Geary set to open a browser by clicking a link in an email # We are not allowed to blacklist browser-specific directories +ignore nodbus +ignore private-tmp + noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.local/share/geary mkdir ${HOME}/.gnupg mkdir ${HOME}/.config/geary mkdir ${HOME}/.local/share/geary - whitelist ${HOME}/.gnupg whitelist ${HOME}/.config/geary whitelist ${HOME}/.local/share/geary -include whitelist-common.inc - -ignore nodbus -ignore private-tmp - read-only ${HOME}/.config/mimeapps.list -# allow browsers +whitelist /usr/share/geary + +# allow Mozilla browsers # Redirect include firefox.profile diff -Nru firejail-0.9.60/etc/gedit.profile firejail-0.9.62/etc/gedit.profile --- firejail-0.9.60/etc/gedit.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/gedit.profile 2019-12-14 13:30:32.000000000 +0000 
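Review bot: In the geany hunk, swapping the explicit `noblacklist` lines for `include allow-common-devel.inc` moves a credential exposure out of sight: the removed lines re-exposed `${HOME}/.git-credentials` (plain-text tokens) and `${HOME}/.gitconfig`, and the include presumably does the same, but a reader of geany.profile can no longer tell. Suggest widening the new comment to `# Allows files commonly used by IDEs (incl. ~/.gitconfig and ~/.git-credentials; see allow-common-devel.inc)`. The identical hunks in gedit.profile and gnome-builder.profile have the same issue, and gnome-builder additionally drops its `.cargo/config` and `.cargo/registry` entries without saying whether the include covers them.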
@@ -8,11 +8,9 @@ noblacklist ${HOME}/.config/enchant noblacklist ${HOME}/.config/gedit -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.python-history -noblacklist ${HOME}/.pythonrc.py + +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc # include disable-devel.inc @@ -44,7 +42,6 @@ # private-bin gedit private-dev -# private-etc alternatives,fonts -private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell +private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.* private-tmp diff -Nru firejail-0.9.60/etc/geekbench.profile firejail-0.9.62/etc/geekbench.profile --- firejail-0.9.60/etc/geekbench.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/geekbench.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,6 +14,7 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -41,11 +42,11 @@ private-bin bash,geekbenc*,sh private-cache private-dev -private-etc alternatives,group,passwd,lsb-release +private-etc alternatives,group,lsb-release,passwd private-lib libstdc++.so.* private-opt none private-tmp -# memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) read-only ${HOME} diff -Nru firejail-0.9.60/etc/geeqie.profile firejail-0.9.62/etc/geeqie.profile --- firejail-0.9.60/etc/geeqie.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/geeqie.profile 2019-12-14 13:30:32.000000000 +0000 @@ -31,4 +31,3 @@ # private-bin geeqie private-dev -# private-etc alternatives,X11 diff -Nru firejail-0.9.60/etc/ghb.profile firejail-0.9.62/etc/ghb.profile --- firejail-0.9.60/etc/ghb.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ghb.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,5 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update - # Redirect include handbrake.profile diff -Nru firejail-0.9.60/etc/ghostwriter.profile firejail-0.9.62/etc/ghostwriter.profile --- firejail-0.9.60/etc/ghostwriter.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ghostwriter.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,7 @@ include globals.local noblacklist ${HOME}/.config/ghostwriter +noblacklist ${HOME}/.local/share/ghostwriter noblacklist ${DOCUMENTS} noblacklist ${PICTURES} @@ -18,20 +19,16 @@ include disable-programs.inc include disable-xdg.inc -#mkdir ${HOME}/.config/ghostwriter -#whitelist ${HOME}/.config/ghostwriter -#whitelist ${DESKTOP} -#whitelist ${DOCUMENTS} -#whitelist ${DOWNLOADS} -#whitelist ${PICTURES} -#include whitelist-common.inc +#whitelist /usr/share/ghostwriter +#whitelist /usr/share/mozilla-dicts +#whitelist /usr/share/texlive +#whitelist /usr/share/pandoc* +#include whitelist-usr-share-common.inc apparmor caps.drop all machine-id netfilter -#no3d -#nodbus nodvd nogroups nonewprivs 
@@ -40,17 +37,14 @@ notv nou2f novideo -protocol unix,inet,netlink -seccomp +protocol unix,inet,inet6,netlink +seccomp !chroot shell none -tracelog +#tracelog -- breaks -# Breaks Translation -#private-bin ghostwriter,pandoc +private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf private-cache private-dev -private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dconf,machine-id -# Breaks Translation -#private-lib +# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed +private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg private-tmp - diff -Nru firejail-0.9.60/etc/gimp-2.10.profile firejail-0.9.62/etc/gimp-2.10.profile --- firejail-0.9.60/etc/gimp-2.10.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gimp-2.10.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update - # Redirect include gimp.profile diff -Nru firejail-0.9.60/etc/gimp-2.8.profile firejail-0.9.62/etc/gimp-2.8.profile --- firejail-0.9.60/etc/gimp-2.8.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gimp-2.8.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update - # Redirect include gimp.profile diff -Nru firejail-0.9.60/etc/gimp.profile firejail-0.9.62/etc/gimp.profile --- firejail-0.9.60/etc/gimp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gimp.profile 2019-12-14 13:30:32.000000000 +0000 
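Review bot: `seccomp !chroot` in the ghostwriter hunk re-enables the chroot syscall for the whole sandbox without naming the binary that needs it, and `#tracelog -- breaks` does not say what breaks; both weaken the profile and should carry a reason. Suggest a comment line above the first, `# chroot is needed by <tool>; see issue #<NNN>`, and `#tracelog -- breaks <what>` for the second. The greatly enlarged `private-bin` list (latex, pandoc, wkhtmltopdf, weasyprint, prince, ...) is likely the source of the new requirement, but that is inference and the comment should name the actual culprit. The profile continues outside the hunk.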
@@ -7,9 +7,13 @@ include globals.local # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory -# if you are not using external plugins, you can disable ignore noexec statement below +# if you are not using external plugins, you can comment 'ignore noexec' statement below +# or put 'noexec ${HOME}' in your gimp.local ignore noexec ${HOME} +noblacklist ${HOME}/.cache/babl +noblacklist ${HOME}/.cache/gegl-0.4 +noblacklist ${HOME}/.cache/gimp noblacklist ${HOME}/.config/GIMP noblacklist ${HOME}/.gimp* noblacklist ${DOCUMENTS} @@ -21,6 +25,11 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/gegl-0.4 +whitelist /usr/share/gimp +whitelist /usr/share/mypaint-data +whitelist /usr/share/lensfun +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -37,6 +46,7 @@ protocol unix seccomp shell none +tracelog private-dev private-tmp diff -Nru firejail-0.9.60/etc/gist-paste.profile firejail-0.9.62/etc/gist-paste.profile --- firejail-0.9.60/etc/gist-paste.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gist-paste.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,12 @@ +# Firejail profile for gist-paste +# Description: Potentially the best command line gister +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gist-paste.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include gist.profile diff -Nru firejail-0.9.60/etc/gist.profile firejail-0.9.62/etc/gist.profile --- firejail-0.9.60/etc/gist.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gist.profile 2019-12-14 13:30:32.000000000 +0000 
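Review bot: In the second gimp hunk the new `whitelist /usr/share/lensfun` line breaks the alphabetical order this commit applies to every other list it touches (it follows `mypaint-data`); it belongs between `whitelist /usr/share/gimp` and `whitelist /usr/share/mypaint-data`. In the first hunk the reworded comment still reads awkwardly; suggest `# if you are not using external plugins, you can comment out the 'ignore noexec' line below`. The profile continues past the last hunk.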
@@ -0,0 +1,58 @@ +# Firejail profile for gist +# Description: Potentially the best command line gister +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gist.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix + +noblacklist ${HOME}/.gist + +# Allow ruby (blacklisted by disable-interpreters.inc) +include allow-ruby.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.gist +whitelist ${HOME}/.gist +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-etc alternatives +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/gitg.profile firejail-0.9.62/etc/gitg.profile --- firejail-0.9.60/etc/gitg.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/gitg.profile 2019-12-14 13:30:32.000000000 +0000 @@ -19,9 +19,12 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/gitg +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all +netfilter no3d nodvd nogroups 
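Review bot: In the new gist.profile, `private-etc alternatives` leaves a sandbox that opens the network (`netfilter`, `protocol unix,inet,inet6`) without the files an HTTPS client needs: no `ca-certificates`, `ssl`, `pki` or `crypto-policies` for TLS trust and no `resolv.conf`, `hosts` or `nsswitch.conf` for name resolution. gist uploads to GitHub over HTTPS, so inside this sandbox it will most likely fail certificate verification or DNS. This commit's other network-using profiles (gcloud.profile, gitter.profile) use `private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl`; the same list fits here.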
@@ -34,11 +37,9 @@ protocol unix,inet,inet6 seccomp shell none +tracelog -private-bin gitg,git,ssh +private-bin git,gitg,ssh private-cache private-dev private-tmp - -# mdwe breaks diff in older versions -#memory-deny-write-execute diff -Nru firejail-0.9.60/etc/github-desktop.profile firejail-0.9.62/etc/github-desktop.profile --- firejail-0.9.60/etc/github-desktop.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/github-desktop.profile 2019-12-14 13:30:32.000000000 +0000 @@ -42,7 +42,6 @@ private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -# private-etc alternatives # private-lib private-tmp diff -Nru firejail-0.9.60/etc/git.profile firejail-0.9.62/etc/git.profile --- firejail-0.9.60/etc/git.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/git.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,8 +7,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.config/git noblacklist ${HOME}/.config/nano noblacklist ${HOME}/.emacs @@ -17,16 +15,24 @@ noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.nanorc -noblacklist ${HOME}/.oh-my-zsh noblacklist ${HOME}/.ssh noblacklist ${HOME}/.vim noblacklist ${HOME}/.viminfo +blacklist /tmp/.X11-unix + include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/git +whitelist /usr/share/git-core +whitelist /usr/share/gitgui +whitelist /usr/share/gitweb +whitelist /usr/share/nano +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace diff -Nru firejail-0.9.60/etc/gitter.profile firejail-0.9.62/etc/gitter.profile --- firejail-0.9.60/etc/gitter.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gitter.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -37,7 +37,7 @@ disable-mnt private-bin bash,env,gitter -private-etc alternatives,fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl private-opt Gitter private-dev private-tmp diff -Nru firejail-0.9.60/etc/Gitter.profile firejail-0.9.62/etc/Gitter.profile --- firejail-0.9.60/etc/Gitter.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Gitter.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for Gitter # This file is overwritten after every install/update - # Redirect include gitter.profile diff -Nru firejail-0.9.60/etc/gjs.profile firejail-0.9.62/etc/gjs.profile --- firejail-0.9.60/etc/gjs.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gjs.profile 2019-12-14 13:30:32.000000000 +0000 @@ -19,6 +19,8 @@ include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc + caps.drop all netfilter nodvd @@ -32,7 +34,7 @@ shell none tracelog -# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather +# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather private-dev -# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl private-tmp diff -Nru firejail-0.9.60/etc/gmpc.profile firejail-0.9.62/etc/gmpc.profile --- firejail-0.9.60/etc/gmpc.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gmpc.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,53 @@ +# Firejail profile for gmpc +# Description: MPD client +# This file is overwritten after every install/update +# Persistent local customizations +include gmpc.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/gmpc +noblacklist ${MUSIC} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/gmpc +whitelist ${HOME}/.config/gmpc +whitelist ${MUSIC} +whitelist /usr/share/gmpc +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +no3d +#nodbus +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +#private-bin gmpc +private-cache +private-etc alternatives,fonts +private-tmp +writable-run-user + +# memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.60/etc/gnome-books.profile firejail-0.9.62/etc/gnome-books.profile --- firejail-0.9.60/etc/gnome-books.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-books.profile 2019-12-14 13:30:32.000000000 +0000 @@ -36,8 +36,7 @@ shell none tracelog -# private-bin gjs gnome-books +# private-bin gjs,gnome-books private-dev -# private-etc alternatives,fonts private-tmp diff -Nru firejail-0.9.60/etc/gnome-builder.profile firejail-0.9.62/etc/gnome-builder.profile --- firejail-0.9.60/etc/gnome-builder.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/gnome-builder.profile 2019-12-14 13:30:32.000000000 +0000 
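Review bot: The new gmpc.profile has no `private-dev`, although every other new profile in this commit (gist, gnome-characters, gnome-latex, godot) sets it; an MPD client talks to mpd over a socket and should not need the devices `private-dev` hides, and if one is required the profile should say which. Suggest adding `private-dev` after `private-cache`. The closing `# memory-deny-write-execute - breaks on Arch` also deviates from the form this commit standardises in galculator.profile and geekbench.profile, `#memory-deny-write-execute - breaks on Arch (see issue #1803)`.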
@@ -6,13 +6,12 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.cargo/config -noblacklist ${HOME}/.cargo/registry -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.python-history -noblacklist ${HOME}/.pythonrc.py +noblacklist ${HOME}/.cache/gnome-builder +noblacklist ${HOME}/.config/gnome-builder +noblacklist ${HOME}/.local/share/gnome-builder + +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc include disable-passwdmgr.inc diff -Nru firejail-0.9.60/etc/gnome-calculator.profile firejail-0.9.62/etc/gnome-calculator.profile --- firejail-0.9.60/etc/gnome-calculator.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-calculator.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,7 @@ include disable-xdg.inc include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/gnome-character-map.profile firejail-0.9.62/etc/gnome-character-map.profile --- firejail-0.9.60/etc/gnome-character-map.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gnome-character-map.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,10 @@ +# Firejail profile for gnome-character-map +# This file is overwritten after every install/update +# Persistent local customizations +include gnome-character-map.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include gucharmap.profile diff -Nru firejail-0.9.60/etc/gnome-characters.profile firejail-0.9.62/etc/gnome-characters.profile --- firejail-0.9.60/etc/gnome-characters.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gnome-characters.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,52 @@ +# Firejail profile for gnome-characters +# Description: Character map application for GNOME +# This file is overwritten after every install/update +# Persistent local customizations +include gnome-characters.local +# Persistent global definitions +include globals.local + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist /usr/share/org.gnome.Characters +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +machine-id +net none +no3d +# Uncomment the next line (or add it to your gnome-characters.local) +# if you don't need recently used chars +#nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +# Uncomment the next line (or add it to your gnome-characters.local) +# if you don't need recently used chars +#private +private-bin gjs,gnome-characters +private-cache +private-dev +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg +private-tmp + +read-only ${HOME} diff -Nru firejail-0.9.60/etc/gnome-chess.profile firejail-0.9.62/etc/gnome-chess.profile --- firejail-0.9.60/etc/gnome-chess.profile 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/gnome-chess.profile 2019-12-14 13:30:32.000000000 +0000 
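Review bot: In the new gnome-characters.profile the comment above `#private` is a verbatim copy of the one above `#nodbus`, but `private` mounts an empty temporary home, which hides far more than the recently-used characters; a user following the comment would silently lose all of the application's state. Suggest `# Uncomment the next line (or add it to your gnome-characters.local) for an empty, temporary home directory (this also drops recently used chars)`. Since `read-only ${HOME}` at the end already blocks writes to the real home, the comment should make clear what `private` adds on top.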
@@ -37,7 +37,7 @@ tracelog disable-mnt -private-bin fairymax,gnome-chess,hoichess,gnuchess +private-bin fairymax,gnome-chess,gnuchess,hoichess private-cache private-dev private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 diff -Nru firejail-0.9.60/etc/gnome-clocks.profile firejail-0.9.62/etc/gnome-clocks.profile --- firejail-0.9.60/etc/gnome-clocks.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-clocks.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,7 +14,10 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/gnome-clocks +whitelist /usr/share/libgweather include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -37,6 +40,6 @@ private-bin gnome-clocks,gsound-play private-cache private-dev -private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl private-tmp diff -Nru firejail-0.9.60/etc/gnome-keyring.profile firejail-0.9.62/etc/gnome-keyring.profile --- firejail-0.9.60/etc/gnome-keyring.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-keyring.profile 2019-12-14 13:30:32.000000000 +0000 @@ -17,7 +17,10 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 #include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/gnome-latex.profile firejail-0.9.62/etc/gnome-latex.profile --- firejail-0.9.60/etc/gnome-latex.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gnome-latex.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,50 @@ +# Firejail profile for gnome-latex +# Description: LaTeX editor for the GNOME desktop +# This file is overwritten after every install/update +# Persistent local customizations +include gnome-latex.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/gnome-latex +noblacklist ${HOME}/.local/share/gnome-latex + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +whitelist /usr/share/gnome-latex +whitelist /usr/share/perl5 +whitelist /usr/share/texlive +include whitelist-usr-share-common.inc +# May cause issues. +#include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-cache +private-dev +# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed +private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive diff -Nru firejail-0.9.60/etc/gnome-logs.profile firejail-0.9.62/etc/gnome-logs.profile --- firejail-0.9.60/etc/gnome-logs.profile 2019-05-06 13:13:29.000000000 +0000 +++ firejail-0.9.62/etc/gnome-logs.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,6 +15,7 @@ include disable-xdg.inc whitelist /var/log/journal +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -37,6 +38,7 @@ protocol unix seccomp shell none +tracelog disable-mnt private-bin gnome-logs diff -Nru firejail-0.9.60/etc/gnome-maps.profile firejail-0.9.62/etc/gnome-maps.profile --- firejail-0.9.60/etc/gnome-maps.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-maps.profile 2019-12-14 13:30:32.000000000 +0000 
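Review bot: In the new gnome-latex.profile the comment `# passwd,login.defs,firejail are a temporary workaround for #2877` names three entries, but the `private-etc` list beneath it contains only `login.defs,passwd`; the same comment in ghostwriter.profile in this commit is matched by a list that does include `firejail`. Either add `firejail` to the list or trim the comment to the entries that are actually there, so the workaround can be removed cleanly later. Separately, `# May cause issues.` above `#include whitelist-var-common.inc` is too vague to act on; say what breaks, in the form gnome-nettool.profile uses (`-- see #903`).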
@@ -9,7 +9,9 @@ # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them noblacklist ${HOME}/.cache/champlain +noblacklist ${HOME}/.cache/org.gnome.Maps noblacklist ${HOME}/.local/share/flatpak +noblacklist ${HOME}/.local/share/maps-places.json include disable-common.inc include disable-devel.inc @@ -19,6 +21,15 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.cache/champlain +mkfile ${HOME}/.local/share/maps-places.json +whitelist ${HOME}/.cache/champlain +whitelist ${HOME}/.local/share/maps-places.json +whitelist ${DOWNLOADS} +whitelist ${PICTURES} +whitelist /usr/share/gnome-maps +include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -39,8 +50,9 @@ tracelog disable-mnt -# private-bin gjs gnome-maps +private-bin gjs,gnome-maps +# private-cache -- gnome-maps cache all maps/satelite-images private-dev -# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg private-tmp diff -Nru firejail-0.9.60/etc/gnome-music.profile firejail-0.9.62/etc/gnome-music.profile --- firejail-0.9.60/etc/gnome-music.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-music.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${MUSIC} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
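Review bot: The reason comment added in the last gnome-maps hunk, `# private-cache -- gnome-maps cache all maps/satelite-images`, has a typo and reads like a list item rather than a reason; suggest `# private-cache -- gnome-maps caches all maps and satellite images under ~/.cache`, which also ties it to the `noblacklist ${HOME}/.cache/champlain` and `.cache/org.gnome.Maps` lines in the first hunk. The profile continues past the last hunk.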
@@ -41,8 +37,8 @@ shell none tracelog -private-bin gnome-music,python*,env,gio-launch-desktop,yelp +private-bin env,gio-launch-desktop,gnome-music,python*,yelp private-dev -private-etc alternatives,fonts,machine-id,pulse,asound.conf +private-etc alternatives,asound.conf,fonts,machine-id,pulse private-tmp diff -Nru firejail-0.9.60/etc/gnome-nettool.profile firejail-0.9.62/etc/gnome-nettool.profile --- firejail-0.9.60/etc/gnome-nettool.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/gnome-nettool.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,7 +14,9 @@ include disable-programs.inc include disable-xdg.inc -include whitelist-common.inc +whitelist /usr/share/gnome-nettool +#include whitelist-common.inc -- see #903 +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.keep net_raw @@ -39,6 +41,6 @@ private private-cache private-dev -private-lib libgtk-3.so.*,libgtop*,libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* +private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* private-tmp diff -Nru firejail-0.9.60/etc/gnome-photos.profile firejail-0.9.62/etc/gnome-photos.profile --- firejail-0.9.60/etc/gnome-photos.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-photos.profile 2019-12-14 13:30:32.000000000 +0000 @@ -28,13 +28,13 @@ nosound notv nou2f +novideo protocol unix seccomp shell none tracelog -# private-bin gjs gnome-photos +# private-bin gjs,gnome-photos private-dev -# private-etc alternatives,fonts private-tmp diff -Nru firejail-0.9.60/etc/gnome-recipes.profile firejail-0.9.62/etc/gnome-recipes.profile --- firejail-0.9.60/etc/gnome-recipes.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-recipes.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -21,7 +21,9 @@ mkdir ${HOME}/.local/share/gnome-recipes whitelist ${HOME}/.cache/gnome-recipes whitelist ${HOME}/.local/share/gnome-recipes +whitelist /usr/share/gnome-recipes include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -43,7 +45,7 @@ disable-mnt private-bin gnome-recipes,tar private-dev -private-etc alternatives,ca-certificates,fonts,ssl,crypto-policies,pki +private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* private-tmp diff -Nru firejail-0.9.60/etc/gnome-schedule.profile firejail-0.9.62/etc/gnome-schedule.profile --- firejail-0.9.60/etc/gnome-schedule.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-schedule.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -18,30 +18,12 @@ noblacklist /etc/shadow noblacklist /var/spool/cron -# Needs a terminal for cron job test execution -noblacklist ${PATH}/lxterminal -noblacklist ${PATH}/gnome-terminal -noblacklist ${PATH}/gnome-terminal.wrapper -noblacklist ${PATH}/lilyterm -noblacklist ${PATH}/mate-terminal -noblacklist ${PATH}/mate-terminal.wrapper -noblacklist ${PATH}/pantheon-terminal -noblacklist ${PATH}/roxterm -noblacklist ${PATH}/roxterm-config -noblacklist ${PATH}/terminix -noblacklist ${PATH}/tilix -noblacklist ${PATH}/urxvtc -noblacklist ${PATH}/urxvtcd -noblacklist ${PATH}/xfce4-terminal -noblacklist ${PATH}/xfce4-terminal.wrapper +# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc) +# add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -53,7 +35,12 @@ mkfile ${HOME}/.gnome/gnome-schedule whitelist ${HOME}/.gnome/gnome-schedule +whitelist /usr/share/gnome-schedule +whitelist /var/spool/atd +whitelist /var/spool/cron include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc apparmor caps.keep chown,dac_override,setgid,setuid @@ -73,6 +60,5 @@ disable-mnt private-cache private-dev -# private-etc alternatives writable-var diff -Nru firejail-0.9.60/etc/gnome-sound-recorder.profile firejail-0.9.62/etc/gnome-sound-recorder.profile --- firejail-0.9.60/etc/gnome-sound-recorder.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gnome-sound-recorder.profile 2019-12-14 13:30:32.000000000 +0000 
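Review bot: The replacement comment in the first gnome-schedule hunk, `# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)`, reads as if the testing itself causes the escape; what the removed `noblacklist ${PATH}/...` lines did was re-expose terminal emulators that disable-common.inc presumably blacklists because launching one lets the user leave the sandbox. Suggest `# Testing a cron job opens a terminal; terminals are blacklisted in disable-common.inc because they allow leaving the sandbox.` followed by the existing `# add 'noblacklist ...'` line. The profile continues past the last hunk.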
@@ -0,0 +1,41 @@ +# Firejail profile for gnome-sound-recorder +# Description: simple sound recordings for GNOME +# This file is overwritten after every install/update +# Persistent local customizations +include gnome-sound-recorder.local +# Persistent global definitions +include globals.local + +noblacklist ${MUSIC} +noblacklist ${HOME}/.local/share/flatpak +noblacklist ${HOME}/.local/share/Trash + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-var-common.inc + +caps.drop all +net none +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg +private-tmp diff -Nru firejail-0.9.60/etc/gnome-system-log.profile firejail-0.9.62/etc/gnome-system-log.profile --- firejail-0.9.60/etc/gnome-system-log.profile 2019-05-06 13:13:29.000000000 +0000 +++ firejail-0.9.62/etc/gnome-system-log.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -noblacklist /var/log - include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -18,6 +16,7 @@ whitelist /var/log include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/gnome-weather.profile firejail-0.9.62/etc/gnome-weather.profile --- firejail-0.9.60/etc/gnome-weather.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gnome-weather.profile 2019-12-14 13:30:32.000000000 +0000 
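Review bot: In the new gnome-sound-recorder.profile, `noblacklist ${HOME}/.local/share/flatpak` and `noblacklist ${HOME}/.local/share/Trash` come with no explanation, and nothing below whitelists the home, so the net effect is to expose the whole flatpak tree and the trash to a recorder whose own data lives in `${MUSIC}`. If these are needed for a GNOME-shell/flatpak launch path, record it the way gnome-maps.profile does with its `# when gjs apps are started via gnome-shell ...` comment; if not, drop them.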
@@ -37,8 +37,8 @@ tracelog disable-mnt -# private-bin gjs gnome-weather +# private-bin gjs,gnome-weather private-dev -# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl private-tmp diff -Nru firejail-0.9.60/etc/godot.profile firejail-0.9.62/etc/godot.profile --- firejail-0.9.60/etc/godot.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/godot.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,43 @@ +# Firejail profile for godot +# Description: multi-platform 2D and 3D game engine with a feature-rich editor +# This file is overwritten after every install/update +# Persistent local customizations +include godot.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/godot +noblacklist ${HOME}/.config/godot +noblacklist ${HOME}/.local/share/godot + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-var-common.inc + +caps.drop all +netfilter +nodbus +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + + +# private-bin godot +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl +private-tmp diff -Nru firejail-0.9.60/etc/goobox.profile firejail-0.9.62/etc/goobox.profile --- firejail-0.9.60/etc/goobox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/goobox.profile 2019-12-14 13:30:32.000000000 +0000 
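Review bot: The new godot profile has two consecutive blank lines before `# private-bin godot`, while every other profile in this diff separates sections with a single blank line. It also sets `nodbus` and `netfilter` but carries no `apparmor` line, unlike the kalgebra profile added in the same release; if that was left out deliberately (the editor presumably runs and exports project binaries, which may clash with the AppArmor profile — inferred), a commented `# apparmor - <reason>` in the style used by keepassxc in this diff would make the intent visible.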
@@ -31,5 +31,5 @@ # private-bin goobox private-dev -# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl # private-tmp diff -Nru firejail-0.9.60/etc/google-chrome-stable.profile firejail-0.9.62/etc/google-chrome-stable.profile --- firejail-0.9.60/etc/google-chrome-stable.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/google-chrome-stable.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for google-chrome # This file is overwritten after every install/update - # Redirect include google-chrome.profile diff -Nru firejail-0.9.60/etc/google-earth.profile firejail-0.9.62/etc/google-earth.profile --- firejail-0.9.60/etc/google-earth.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/google-earth.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,8 @@ include globals.local noblacklist ${HOME}/.config/Google -noblacklist ${HOME}/.googleearth/Cache/ -noblacklist ${HOME}/.googleearth/Temp/ +noblacklist ${HOME}/.googleearth/Cache +noblacklist ${HOME}/.googleearth/Temp noblacklist ${HOME}/.googleearth/myplaces.backup.kml noblacklist ${HOME}/.googleearth/myplaces.kml @@ -19,13 +19,13 @@ include disable-programs.inc mkdir ${HOME}/.config/Google -mkdir ${HOME}/.googleearth/Cache/ -mkdir ${HOME}/.googleearth/Temp/ +mkdir ${HOME}/.googleearth/Cache +mkdir ${HOME}/.googleearth/Temp mkfile ${HOME}/.googleearth/myplaces.backup.kml mkfile ${HOME}/.googleearth/myplaces.kml whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth/Cache/ -whitelist ${HOME}/.googleearth/Temp/ +whitelist ${HOME}/.googleearth/Cache +whitelist ${HOME}/.googleearth/Temp whitelist ${HOME}/.googleearth/myplaces.backup.kml whitelist ${HOME}/.googleearth/myplaces.kml include whitelist-common.inc 
@@ -45,7 +45,7 @@ shell none disable-mnt -private-bin google-earth,sh,bash,grep,sed,ls,dirname +private-bin bash,dirname,google-earth,grep,ls,sed,sh private-dev private-opt google diff -Nru firejail-0.9.60/etc/google-earth-pro.profile firejail-0.9.62/etc/google-earth-pro.profile --- firejail-0.9.60/etc/google-earth-pro.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/google-earth-pro.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,7 @@ -# Redirect -include google-earth.profile +# Firejail profile alias for google-earth +# This file is overwritten after every install/update private-bin google-earth-pro + +# Redirect +include google-earth.profile diff -Nru firejail-0.9.60/etc/google-play-music-desktop-player.profile firejail-0.9.62/etc/google-play-music-desktop-player.profile --- firejail-0.9.60/etc/google-play-music-desktop-player.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/google-play-music-desktop-player.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,14 +5,19 @@ # Persistent global definitions include globals.local +# noexec /tmp breaks mpris support +ignore noexec /tmp + noblacklist ${HOME}/.config/Google Play Music Desktop Player include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/Google Play Music Desktop Player # whitelist ${HOME}/.config/pulse # whitelist ${HOME}/.pulse whitelist ${HOME}/.config/Google Play Music Desktop Player @@ -35,7 +40,3 @@ disable-mnt private-dev private-tmp - -noexec ${HOME} -# noexec /tmp breaks mpris support -#noexec /tmp diff -Nru firejail-0.9.60/etc/gpg2.profile firejail-0.9.62/etc/gpg2.profile --- firejail-0.9.60/etc/gpg2.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gpg2.profile 2019-12-14 13:30:32.000000000 +0000 
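Review bot: In google-play-music-desktop-player.profile the explicit `noexec ${HOME}` at the end is removed, so that protection now comes solely from the newly included disable-exec.inc, and the comment above `ignore noexec /tmp` does not say so; suggest `# noexec ${HOME} comes from disable-exec.inc; noexec /tmp breaks mpris support` so a later cleanup does not drop the include. The `ignore` is placed before the include, which matters because, as far as I recall, an ignore only affects profile lines read after it — worth one word in the same comment. Since `private-tmp` stays in the profile (context at the end of the hunk), the now-executable /tmp is a private tmpfs, which bounds what this ignore exposes; that is also worth stating.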
@@ -0,0 +1,13 @@ +# Firejail profile for gpg2 +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gpg2.local +# Persistent global definitions +# added by included profile +#include globals.local + +# private-bin gpg2 + +# Redirect +include gpg.profile diff -Nru firejail-0.9.60/etc/gpg-agent.profile firejail-0.9.62/etc/gpg-agent.profile --- firejail-0.9.60/etc/gpg-agent.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gpg-agent.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,21 +1,26 @@ # Firejail profile for gpg-agent # Description: GNU privacy guard - cryptographic agent # This file is overwritten after every install/update +quiet # Persistent local customizations include gpg-agent.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.gnupg +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +include whitelist-usr-share-common.inc + caps.drop all netfilter no3d diff -Nru firejail-0.9.60/etc/gpg.profile firejail-0.9.62/etc/gpg.profile --- firejail-0.9.60/etc/gpg.profile 2019-05-21 12:17:54.000000000 +0000 +++ firejail-0.9.62/etc/gpg.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,21 +1,27 @@ # Firejail profile for gpg # Description: GNU Privacy Guard -- minimalist public key operations # This file is overwritten after every install/update +quiet # Persistent local customizations include gpg.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.gnupg +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /usr/share/pacman/keyrings +include whitelist-usr-share-common.inc + caps.drop all netfilter no3d diff -Nru firejail-0.9.60/etc/gpicview.profile firejail-0.9.62/etc/gpicview.profile --- firejail-0.9.60/etc/gpicview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gpicview.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,6 +15,8 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/gpicview +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/gpredict.profile firejail-0.9.62/etc/gpredict.profile --- firejail-0.9.60/etc/gpredict.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gpredict.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,6 +15,7 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/Gpredict whitelist ${HOME}/.config/Gpredict include whitelist-common.inc @@ -34,6 +35,6 @@ private-bin gpredict private-dev -private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/gradio.profile firejail-0.9.62/etc/gradio.profile --- firejail-0.9.60/etc/gradio.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gradio.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -35,6 +35,6 @@ seccomp shell none -private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp diff -Nru firejail-0.9.60/etc/gramps.profile firejail-0.9.62/etc/gramps.profile --- firejail-0.9.60/etc/gramps.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gramps.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${HOME}/.gramps # Allow python (blacklisted by disable-interpreters.inc) -#noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -#noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -#noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +#include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/gsettings-data-convert.profile firejail-0.9.62/etc/gsettings-data-convert.profile --- firejail-0.9.60/etc/gsettings-data-convert.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gsettings-data-convert.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include gconf.profile diff -Nru firejail-0.9.60/etc/gsettings-schema-convert.profile firejail-0.9.62/etc/gsettings-schema-convert.profile --- firejail-0.9.60/etc/gsettings-schema-convert.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gsettings-schema-convert.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include gconf.profile diff -Nru firejail-0.9.60/etc/gtar.profile firejail-0.9.62/etc/gtar.profile --- firejail-0.9.60/etc/gtar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gtar.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for tar # This file is overwritten after every install/update - # Redirect include tar.profile diff -Nru firejail-0.9.60/etc/gucharmap.profile firejail-0.9.62/etc/gucharmap.profile --- firejail-0.9.60/etc/gucharmap.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gucharmap.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,7 +6,6 @@ # Persistent global definitions include globals.local - include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -16,6 +15,7 @@ include disable-xdg.inc include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -23,6 +23,7 @@ machine-id #net none - breaks dbus no3d +#nodbus - breaks state saveing nodvd nogroups nonewprivs @@ -34,15 +35,14 @@ protocol unix seccomp shell none +tracelog disable-mnt -private-bin gucharmap +private-bin gnome-character-map,gucharmap private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,X11,xdg private-lib private-tmp -memory-deny-write-execute - read-only ${HOME} diff -Nru firejail-0.9.60/etc/gunzip.profile firejail-0.9.62/etc/gunzip.profile --- firejail-0.9.60/etc/gunzip.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gunzip.profile 2019-12-14 13:30:32.000000000 +0000 
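Review bot: In gucharmap.profile `memory-deny-write-execute` is dropped outright, whereas the other relaxation in the same hunk keeps the directive as a commented line with a reason (`#nodbus - breaks state saveing`); suggest the same form, `#memory-deny-write-execute - <reason placeholder>`, so the hardening is not silently lost and can be re-enabled once the reason goes away. The nodbus comment has a typo: `saveing` should be `saving`. The new `private-etc` list is a single very long line; it is consistent with `private-lib` needing the ld.so.* loader configuration, but a short comment naming why dbus-1, gconf and X11 are included would help the next maintainer prune it.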
@@ -1,5 +1,6 @@ # Firejail profile for gunzip # This file is overwritten after every install/update +quiet # Persistent local customizations include gunzip.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/gwenview.profile firejail-0.9.62/etc/gwenview.profile --- firejail-0.9.60/etc/gwenview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gwenview.profile 2019-12-14 13:30:32.000000000 +0000 @@ -43,8 +43,8 @@ shell none # tracelog -private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4 +private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 private-dev -private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg +private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg # memory-deny-write-execute diff -Nru firejail-0.9.60/etc/gzexe.profile firejail-0.9.62/etc/gzexe.profile --- firejail-0.9.60/etc/gzexe.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/gzexe.profile 2019-12-28 13:14:56.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile for gzexe +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gzexe.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include gzip.profile diff -Nru firejail-0.9.60/etc/gzip.profile firejail-0.9.62/etc/gzip.profile --- firejail-0.9.60/etc/gzip.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/gzip.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,14 +7,18 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix +# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. +noblacklist /var/lib/pacman +include disable-common.inc +include disable-devel.inc include disable-exec.inc include disable-interpreters.inc - -ignore noroot +include disable-passwdmgr.inc +include disable-programs.inc apparmor +caps.drop all hostname gzip ipc-namespace machine-id @@ -23,16 +27,19 @@ nodbus nodvd nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none private-cache private-dev memory-deny-write-execute - -include default.profile diff -Nru firejail-0.9.60/etc/handbrake-gtk.profile firejail-0.9.62/etc/handbrake-gtk.profile --- firejail-0.9.60/etc/handbrake-gtk.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/handbrake-gtk.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update - # Redirect include handbrake.profile diff -Nru firejail-0.9.60/etc/hashcat.profile firejail-0.9.62/etc/hashcat.profile --- firejail-0.9.60/etc/hashcat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/hashcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -33,6 +33,7 @@ protocol unix seccomp shell none +x11 none disable-mnt private-bin hashcat diff -Nru firejail-0.9.60/etc/hedgewars.profile firejail-0.9.62/etc/hedgewars.profile --- firejail-0.9.60/etc/hedgewars.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/hedgewars.profile 2019-12-14 13:30:32.000000000 +0000 
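Review bot: In gzip.profile `#noroot` is added commented out with no reason, although the removed `ignore noroot` shows the constraint was known (presumably gzip is also run as root from package or cron scripts — inferred); suggest `#noroot - breaks usage as root` or the actual reason, in the form the other commented directives in this diff use. The comment on `noblacklist /var/lib/pacman` says the directory is "automatically read-only" because of `caps.drop all`; that only holds for an unprivileged user, so `read-only for unprivileged users` would be more accurate. The hunk also drops `include default.profile`, so hardening later added to default.profile no longer reaches gzip; presumably intended, but one sentence in the header would document that choice.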
@@ -26,6 +26,7 @@ noroot notv nou2f +novideo seccomp tracelog diff -Nru firejail-0.9.60/etc/hexchat.profile firejail-0.9.62/etc/hexchat.profile --- firejail-0.9.60/etc/hexchat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/hexchat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist /usr/share/perl* # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/highlight.profile firejail-0.9.62/etc/highlight.profile --- firejail-0.9.60/etc/highlight.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/highlight.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - include disable-common.inc include disable-devel.inc include disable-interpreters.inc @@ -30,9 +28,9 @@ seccomp shell none tracelog +x11 none private-bin highlight private-cache private-dev -# private-etc alternatives private-tmp diff -Nru firejail-0.9.60/etc/hugin.profile firejail-0.9.62/etc/hugin.profile --- firejail-0.9.60/etc/hugin.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/hugin.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -33,7 +33,7 @@ seccomp shell none -private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend +private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/i2prouter.profile firejail-0.9.62/etc/i2prouter.profile --- firejail-0.9.60/etc/i2prouter.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/i2prouter.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,71 @@ +# Firejail profile for I2P +# Description: A distributed anonymous network +# This file is overwritten after every install/update +# Persistent local customizations +include i2prouter.local +# Persistent global definitions +include globals.local + +# Notice: default browser will not be able to automatically open, due to sandbox. +# Auto-opening default browser can be disabled in the I2P router console. +# This profile will not currently work with any Arch User Repository i2p packages, +# use the distro-independent official java installer instead + +# Only needed if i2prouter binary is in home directory, java installer does this +ignore noexec ${HOME} + +noblacklist ${HOME}/.config/i2p +noblacklist ${HOME}/.i2p +noblacklist ${HOME}/.local/share/i2p +noblacklist ${HOME}/i2p +# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this +noblacklist /usr/sbin + +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/i2p +mkdir ${HOME}/.i2p +mkdir ${HOME}/.local/share/i2p +mkdir ${HOME}/i2p +whitelist ${HOME}/.config/i2p +whitelist ${HOME}/.i2p +whitelist ${HOME}/.local/share/i2p +whitelist ${HOME}/i2p +# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this +whitelist /usr/sbin/wrapper* + +include whitelist-common.inc + +# May break I2P if wrapper is placed in the home directory +# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/ +#apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +nonewprivs +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private-cache +private-dev +private-etc 
alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl +private-tmp diff -Nru firejail-0.9.60/etc/icedove.profile firejail-0.9.62/etc/icedove.profile --- firejail-0.9.60/etc/icedove.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/icedove.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include icedove.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local # Users have icedove set to open a browser by clicking a link in an email # We are not allowed to blacklist browser-specific directories diff -Nru firejail-0.9.60/etc/iceweasel.profile firejail-0.9.62/etc/iceweasel.profile --- firejail-0.9.60/etc/iceweasel.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/iceweasel.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include iceweasel.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local # private-etc must first be enabled in firefox-common.profile #private-etc iceweasel diff -Nru firejail-0.9.60/etc/ideaIC.profile firejail-0.9.62/etc/ideaIC.profile --- firejail-0.9.60/etc/ideaIC.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ideaIC.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include ideaIC.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include idea.sh.profile diff -Nru firejail-0.9.60/etc/idea.profile firejail-0.9.62/etc/idea.profile --- firejail-0.9.60/etc/idea.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/idea.profile 2019-12-14 13:30:32.000000000 +0000 
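Review bot: `ignore noexec ${HOME}` in the new i2prouter.profile is unconditional although the comment above it says it is only needed when the router binary lives in the home directory, so every installation loses the noexec home protection from disable-exec.inc. Suggest shipping it commented, with the hint this profile already uses for other optional lines: `# Only needed if i2prouter is installed in ${HOME}; uncomment or add to i2prouter.local` followed by `#ignore noexec ${HOME}`. The same applies to `noblacklist /usr/sbin` and `whitelist /usr/sbin/wrapper*`, which are guarded only by a comment. `private-etc` also names `java-8-openjdk`, which is distribution-specific; as far as I recall private-etc tolerates missing entries, but a comment saying which distribution needs it would help.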
@@ -3,8 +3,8 @@ # Persistent local customizations include idea.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include idea.sh.profile diff -Nru firejail-0.9.60/etc/idea.sh.profile firejail-0.9.62/etc/idea.sh.profile --- firejail-0.9.60/etc/idea.sh.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/idea.sh.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,17 +7,15 @@ noblacklist ${HOME}/.IdeaIC* noblacklist ${HOME}/.android -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.gradle noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings -noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/JetBrains noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allows files commonly used by IDEs +include allow-common-devel.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc diff -Nru firejail-0.9.60/etc/imagej.profile firejail-0.9.62/etc/imagej.profile --- firejail-0.9.60/etc/imagej.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/imagej.profile 2019-12-14 13:30:32.000000000 +0000 @@ -8,11 +8,8 @@ noblacklist ${HOME}/.imagej -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc 
@@ -37,7 +34,7 @@ seccomp shell none -private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln +private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop private-dev private-tmp diff -Nru firejail-0.9.60/etc/img2txt.profile firejail-0.9.62/etc/img2txt.profile --- firejail-0.9.60/etc/img2txt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/img2txt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/imlib2 +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace @@ -34,11 +37,11 @@ seccomp shell none tracelog +x11 none # private-bin img2txt private-cache private-dev -# private-etc alternatives private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/inkscape.profile firejail-0.9.62/etc/inkscape.profile --- firejail-0.9.60/etc/inkscape.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/inkscape.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,14 +11,14 @@ noblacklist ${HOME}/.inkscape noblacklist ${DOCUMENTS} noblacklist ${PICTURES} +# Allow exporting .xcf files +noblacklist ${HOME}/.config/GIMP +noblacklist ${HOME}/.gimp* + # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -28,6 +28,8 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/inkscape +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
@@ -47,8 +49,10 @@ protocol unix seccomp shell none +tracelog # private-bin inkscape,potrace,python* - problems on Debian stretch +private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/inkview.profile firejail-0.9.62/etc/inkview.profile --- firejail-0.9.60/etc/inkview.profile 2019-05-21 12:17:54.000000000 +0000 +++ firejail-0.9.62/etc/inkview.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,6 +3,9 @@ # This file is overwritten after every install/update # Persistent local customizations include inkview.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include inkscape.profile diff -Nru firejail-0.9.60/etc/iridium-browser.profile firejail-0.9.62/etc/iridium-browser.profile --- firejail-0.9.60/etc/iridium-browser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/iridium-browser.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for iridium # This file is overwritten after every install/update - # Redirect include iridium.profile diff -Nru firejail-0.9.60/etc/itch.profile firejail-0.9.62/etc/itch.profile --- firejail-0.9.60/etc/itch.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/itch.profile 2019-12-14 13:30:32.000000000 +0000 @@ -8,6 +8,7 @@ # itch.io has native firejail/sandboxing support bundled in # See https://itch.io/docs/itch/using/sandbox/linux.html +noblacklist ${HOME}/.itch noblacklist ${HOME}/.config/itch include disable-common.inc @@ -16,7 +17,9 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.itch mkdir ${HOME}/.config/itch +whitelist ${HOME}/.itch whitelist ${HOME}/.config/itch include whitelist-common.inc diff -Nru firejail-0.9.60/etc/jd-gui.profile firejail-0.9.62/etc/jd-gui.profile --- firejail-0.9.60/etc/jd-gui.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/jd-gui.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -6,13 +6,9 @@ include globals.local noblacklist ${HOME}/.config/jd-gui.cfg -noblacklist ${HOME}/.java -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc @@ -40,7 +36,7 @@ seccomp shell none -private-bin jd-gui,sh,bash +private-bin bash,jd-gui,sh private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/jdownloader.profile firejail-0.9.62/etc/jdownloader.profile --- firejail-0.9.60/etc/jdownloader.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/jdownloader.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include jdownloader.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include JDownloader.profile diff -Nru firejail-0.9.60/etc/JDownloader.profile firejail-0.9.62/etc/JDownloader.profile --- firejail-0.9.60/etc/JDownloader.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/JDownloader.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,14 +5,10 @@ # Persistent global definitions include globals.local - noblacklist ${HOME}/.jd -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/jerry.profile firejail-0.9.62/etc/jerry.profile --- firejail-0.9.60/etc/jerry.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/jerry.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,41 @@ +# Firejail profile for jerry +# Description: Chess GUI +# This file is overwritten after every install/update +# Persistent local customizations +include jerry.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/dkl + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +caps.drop all +machine-id +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +novideo +protocol unix +seccomp +shell none +tracelog + +private-bin bash,jerry,sh,stockfish +private-dev +private-etc fonts,gtk-2.0,gtk-3.0 +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/jitsi.profile firejail-0.9.62/etc/jitsi.profile --- firejail-0.9.60/etc/jitsi.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/jitsi.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,11 +7,8 @@ noblacklist ${HOME}/.jitsi -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/k3b.profile firejail-0.9.62/etc/k3b.profile --- firejail-0.9.60/etc/k3b.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/k3b.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -20,17 +20,18 @@ include whitelist-var-common.inc -caps.drop all +caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource +# net none netfilter no3d -nonewprivs -noroot +# nonewprivs - breaks privileged helpers +# noroot - breaks privileged helpers nosound notv novideo -protocol unix -seccomp +# protocol unix - breaks privileged helpers +# seccomp - breaks privileged helpers shell none -tracelog +private-dev # private-tmp diff -Nru firejail-0.9.60/etc/kalgebramobile.profile firejail-0.9.62/etc/kalgebramobile.profile --- firejail-0.9.60/etc/kalgebramobile.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/kalgebramobile.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile for kalgebramobile +# This file is overwritten after every install/update + +# Redirect +include kalgebra.profile diff -Nru firejail-0.9.60/etc/kalgebra.profile firejail-0.9.62/etc/kalgebra.profile --- firejail-0.9.60/etc/kalgebra.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/kalgebra.profile 2019-12-14 13:30:32.000000000 +0000 
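Review bot: The k3b hunk replaces `caps.drop all` with `caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource` and comments out `nonewprivs`, `noroot`, `protocol unix` and `seccomp`; `sys_rawio` alone permits raw block-device and port access, and with seccomp and nonewprivs gone the remaining containment is essentially the filesystem view plus the new `private-dev`. That may be unavoidable for the setuid burning helpers (presumably cdrecord/wodim — inferred), but the profile header should state it, e.g. `# k3b relies on privileged helpers: this profile keeps sys_rawio and disables seccomp/nonewprivs, so it is a weak sandbox`. `# net none` is added as a commented line without a reason, unlike the four other commented directives which carry `- breaks privileged helpers`; either give it one or drop it.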
@@ -0,0 +1,47 @@
+# Firejail profile for kalgebra
+# Description: 2D and 3D Graph Calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kalgebra.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kalgebrarc
+noblacklist ${HOME}/.local/share/kalgebra
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kalgebramobile
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp !chroot
+shell none
+# tracelog
+
+disable-mnt
+private-bin kalgebra,kalgebramobile
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
diff -Nru firejail-0.9.60/etc/karbon.profile firejail-0.9.62/etc/karbon.profile
--- firejail-0.9.60/etc/karbon.profile	2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/karbon.profile	2019-12-14 13:30:32.000000000 +0000
@@ -1,6 +1,5 @@
 # Firejail profile alias for krita
 # This file is overwritten after every install/update
 
-
 # Redirect
 include krita.profile
diff -Nru firejail-0.9.60/etc/kdeinit4.profile firejail-0.9.62/etc/kdeinit4.profile
--- firejail-0.9.60/etc/kdeinit4.profile	2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/kdeinit4.profile	2019-12-14 13:30:32.000000000 +0000
@@ -30,7 +30,7 @@
 seccomp
 shell none
 
-private-bin kdeinit4,kbuildsycoca4,kded4,knotify4
+private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
 private-dev
 private-tmp
 
diff -Nru firejail-0.9.60/etc/kdenlive.profile firejail-0.9.62/etc/kdenlive.profile
--- firejail-0.9.60/etc/kdenlive.profile	2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/kdenlive.profile	2019-12-14 13:30:32.000000000 +0000
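Review bot: `seccomp !chroot` and `# tracelog` in the new kalgebra profile carry no explanation, while other profiles in this release document such exceptions inline (`#nodbus - breaks ...`). Suggest a comment after `seccomp !chroot`, presumably `# chroot is needed by the QtWebEngine sandbox — confirm`, and `# tracelog - <reason placeholder>` so a later reviewer does not restore the full filter blindly. The whitelist is `/usr/share/kalgebramobile` while `private-bin` lists both `kalgebra` and `kalgebramobile`; if the desktop build ships data under /usr/share/kalgebra it needs its own whitelist line (cannot tell from the diff).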
@@ -33,6 +33,6 @@ seccomp shell none -private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt +private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine private-dev -# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11 +# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg diff -Nru firejail-0.9.60/etc/keepass2.profile firejail-0.9.62/etc/keepass2.profile --- firejail-0.9.60/etc/keepass2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/keepass2.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for keepass # This file is overwritten after every install/update - # Redirect include keepass.profile diff -Nru firejail-0.9.60/etc/keepassxc-cli.profile firejail-0.9.62/etc/keepassxc-cli.profile --- firejail-0.9.60/etc/keepassxc-cli.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/keepassxc-cli.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile for keepassxc-cli +# Description: command line interface for KeePassXC +# This file is overwritten after every install/update +# Persistent local customizations +include keepassxc-cli.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include keepassxc.profile diff -Nru firejail-0.9.60/etc/keepassxc.profile firejail-0.9.62/etc/keepassxc.profile --- firejail-0.9.60/etc/keepassxc.profile 2019-05-17 12:37:47.000000000 +0000 +++ firejail-0.9.62/etc/keepassxc.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -22,6 +22,8 @@
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/keepassxc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -29,7 +31,10 @@
 net none
 no3d
 nodvd
-nodbus
+# Breaks 'Lock database when session is locked or lid is closed' (#2899).
+# Also breaks (Plasma) tray icon,
+# you can safely uncomment it or add to keepassxc.local if you don't need these features.
+#nodbus
 nogroups
 nonewprivs
 noroot
@@ -37,17 +42,15 @@
 notv
 nou2f
 novideo
-protocol netlink,unix
+protocol unix,netlink
 seccomp
 shell none
+tracelog
-private-bin keepassxc,keepassxc-proxy
+private-bin keepassxc,keepassxc-cli,keepassxc-proxy
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
-# 2.2.4 crashes on database open
-# memory-deny-write-execute
-
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
diff -Nru firejail-0.9.60/etc/keepassxc-proxy.profile firejail-0.9.62/etc/keepassxc-proxy.profile
--- firejail-0.9.60/etc/keepassxc-proxy.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/keepassxc-proxy.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,10 @@
+# Firejail profile for keepassxc-cli
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-proxy.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include keepassxc.profile
diff -Nru firejail-0.9.60/etc/kfind.profile firejail-0.9.62/etc/kfind.profile
--- firejail-0.9.60/etc/kfind.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/kfind.profile 2019-12-14 13:30:32.000000000 +0000
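Review bot: the removed `# 2.2.4 crashes on database open` / `# memory-deny-write-execute` lines were the only record of why memory-deny-write-execute is absent from keepassxc.profile, and the new side of the third hunk does not replace them. A reader of the resulting file cannot tell whether that hardening was left out deliberately or never re-tested. If the crash is known to be fixed I would enable `memory-deny-write-execute`; otherwise keep a one-line reminder such as `# memory-deny-write-execute - crashed on database open in 2.2.4, re-test with current versions`.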
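Review bot: the first line of the new keepassxc-proxy.profile reads `# Firejail profile for keepassxc-cli`, which looks copied from keepassxc-cli.profile; the rest of the file consistently refers to keepassxc-proxy (`include keepassxc-proxy.local`). It should read `# Firejail profile for keepassxc-proxy`. A `# Description:` line, as keepassxc-cli.profile and the other new profiles in this diff carry, would also keep the header consistent.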
@@ -0,0 +1,45 @@
+# Firejail profile for kfind
+# Description: File search utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kfind.local
+# Persistent global definitions
+include globals.local
+
+# searching in blacklisted or masked paths fails silently
+# adjust filesystem restrictions as necessary
+
+# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/kfindrc
+# noblacklist ${HOME}/.kde/share/config/kfindrc
+# noblacklist ${HOME}/.kde4/share/config/kfindrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin kbuildsycoca4,kdeinit4,kfind
+private-dev
+private-tmp
diff -Nru firejail-0.9.60/etc/kid3.profile firejail-0.9.62/etc/kid3.profile
--- firejail-0.9.60/etc/kid3.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/kid3.profile 2019-12-14 13:30:32.000000000 +0000
@@ -37,7 +37,7 @@
 private-cache
 private-dev
-private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff -Nru firejail-0.9.60/etc/kiwix-desktop.profile firejail-0.9.62/etc/kiwix-desktop.profile
--- firejail-0.9.60/etc/kiwix-desktop.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/kiwix-desktop.profile 2019-12-14 13:30:32.000000000 +0000
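Review bot: the new kfind.profile keeps networking enabled (`# net none` is commented out and only `netfilter` applies) while its header comment explains only the relaxed filesystem restrictions. For a local file-search utility that is a surprising default, and a reader cannot tell whether network access was observed to be needed or the line was carried over from a template. I would either enable `net none` if kfind works without it, or add a reason next to the commented line, e.g. `# net none - <feature that needs network>` (placeholder); the unexplained `# nodbus` deserves the same treatment.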
@@ -0,0 +1,49 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
diff -Nru firejail-0.9.60/etc/klatexformula_cmdl.profile firejail-0.9.62/etc/klatexformula_cmdl.profile
--- firejail-0.9.60/etc/klatexformula_cmdl.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/klatexformula_cmdl.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+
+# Redirect
+include klatexformula.profile
diff -Nru firejail-0.9.60/etc/klatexformula.profile firejail-0.9.62/etc/klatexformula.profile
--- firejail-0.9.60/etc/klatexformula.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/klatexformula.profile 2019-12-14 13:30:32.000000000 +0000
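Review bot: `# no3d` and `# nosound` in the new kiwix-desktop.profile are commented out with no reason, unlike the `# ... - breaks ...` style used on other disabled lines in this diff. Since the profile otherwise applies the usual restriction set, a maintainer cannot tell whether re-enabling them is safe or which feature they broke. I would annotate them, e.g. `# no3d - <feature that needs GPU access>` and `# nosound - <feature that needs audio>` (placeholders), or drop the lines if they were never needed.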
@@ -0,0 +1,43 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff -Nru firejail-0.9.60/etc/kmail.profile firejail-0.9.62/etc/kmail.profile
--- firejail-0.9.60/etc/kmail.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/kmail.profile 2019-12-14 13:30:32.000000000 +0000
@@ -51,11 +51,10 @@ novideo protocol unix,inet,inet6,netlink # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set # tracelog -# writable-run-user is needed for signing and encrypting emails -writable-run-user private-dev # private-tmp - interrupts connection to akonadi, breaks opening of email attachments - +# writable-run-user is needed for signing and encrypting emails +writable-run-user diff -Nru firejail-0.9.60/etc/knotes.profile firejail-0.9.62/etc/knotes.profile --- firejail-0.9.60/etc/knotes.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/knotes.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,7 +4,8 @@ # Persistent local customizations include knotes.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local # knotes has problems launching akonadi in debian and ubuntu. # one solution is to have akonadi already running when knotes is started @@ -12,6 +13,5 @@ noblacklist ${HOME}/.config/knotesrc noblacklist ${HOME}/.local/share/knotes - # Redirect include kmail.profile diff -Nru firejail-0.9.60/etc/kodi.profile firejail-0.9.62/etc/kodi.profile --- firejail-0.9.60/etc/kodi.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/kodi.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -15,12 +15,8 @@ noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/konversation.profile firejail-0.9.62/etc/konversation.profile --- firejail-0.9.60/etc/konversation.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/konversation.profile 2019-12-14 13:30:32.000000000 +0000 @@ -34,7 +34,7 @@ shell none tracelog -private-bin konversation,kbuildsycoca4 +private-bin kbuildsycoca4,konversation private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/kopete.profile firejail-0.9.62/etc/kopete.profile --- firejail-0.9.60/etc/kopete.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/kopete.profile 2019-12-14 13:30:32.000000000 +0000 @@ -31,8 +31,8 @@ nou2f protocol unix,inet,inet6,netlink seccomp -writable-var private-dev private-tmp +writable-var diff -Nru firejail-0.9.60/etc/krita.profile firejail-0.9.62/etc/krita.profile --- firejail-0.9.60/etc/krita.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/krita.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -15,12 +15,8 @@ noblacklist ${PICTURES} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/ktorrent.profile firejail-0.9.62/etc/ktorrent.profile --- firejail-0.9.60/etc/ktorrent.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ktorrent.profile 2019-12-14 13:30:32.000000000 +0000 @@ -52,7 +52,7 @@ seccomp shell none -private-bin ktorrent,kbuildsycoca4,kdeinit4 +private-bin kbuildsycoca4,kdeinit4,ktorrent private-dev # private-lib - problems on Arch private-tmp diff -Nru firejail-0.9.60/etc/kwin_x11.profile firejail-0.9.62/etc/kwin_x11.profile --- firejail-0.9.60/etc/kwin_x11.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/kwin_x11.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,9 @@ # Persistent global definitions include globals.local +# fix automatical kwin_x11 sandboxing: +# echo KDEWM=kwin_x11 >> ~/.pam_environment + noblacklist ${HOME}/.cache/kwin noblacklist ${HOME}/.config/kwinrc noblacklist ${HOME}/.config/kwinrulesrc diff -Nru firejail-0.9.60/etc/kwrite.profile firejail-0.9.62/etc/kwrite.profile --- firejail-0.9.60/etc/kwrite.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/kwrite.profile 2019-12-14 13:30:32.000000000 +0000 
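Review bot: the comment added to kwin_x11.profile reads `# fix automatical kwin_x11 sandboxing:`; `# fix automatic kwin_x11 sandboxing:` is the intended wording. It would also help to say what "automatic sandboxing" refers to (presumably having the session start kwin_x11 through firejail via the KDEWM variable, but that is inferred), since the `# echo KDEWM=kwin_x11 >> ~/.pam_environment` line on its own does not explain why a user would want it.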
@@ -43,7 +43,7 @@ shell none tracelog -private-bin kwrite,kbuildsycoca4,kdeinit4 +private-bin kbuildsycoca4,kdeinit4,kwrite private-dev private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg private-tmp diff -Nru firejail-0.9.60/etc/lbunzip2.profile firejail-0.9.62/etc/lbunzip2.profile --- firejail-0.9.60/etc/lbunzip2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lbunzip2.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: GNU compression utilities # This file is overwritten after every install/update - # Redirect include gzip.profile diff -Nru firejail-0.9.60/etc/lbzcat.profile firejail-0.9.62/etc/lbzcat.profile --- firejail-0.9.60/etc/lbzcat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lbzcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: GNU compression utilities # This file is overwritten after every install/update - # Redirect include gzip.profile diff -Nru firejail-0.9.60/etc/lbzip2.profile firejail-0.9.62/etc/lbzip2.profile --- firejail-0.9.60/etc/lbzip2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lbzip2.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: GNU compression utilities # This file is overwritten after every install/update - # Redirect include gzip.profile diff -Nru firejail-0.9.60/etc/less.profile firejail-0.9.62/etc/less.profile --- firejail-0.9.60/etc/less.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/less.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -5,27 +5,34 @@
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
-blacklist /tmp/.X11-unix
+noblacklist ${HOME}/.lesshst
+
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
-writable-var-log
+x11 none
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
@@ -33,7 +40,8 @@
 # private-lib
 private-cache
 private-dev
+writable-var-log
 memory-deny-write-execute
-
-include default.profile
+read-only ${HOME}
+read-write ${HOME}/.lesshst
diff -Nru firejail-0.9.60/etc/libreoffice.profile firejail-0.9.62/etc/libreoffice.profile
--- firejail-0.9.60/etc/libreoffice.profile 2019-05-26 11:13:23.000000000 +0000
+++ firejail-0.9.62/etc/libreoffice.profile 2019-12-14 13:30:32.000000000 +0000
@@ -6,16 +6,13 @@
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
-# libreoffice uses java; if you don't care about java functionality,
-# comment the next four lines
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 include disable-common.inc
 include disable-devel.inc
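Review bot: `#noroot` in the rewritten less.profile is commented out without a reason, and the `ignore noroot` it replaces was equally silent, so the standalone profile still does not record why less must keep root visible. The rewrite also leaves out `include disable-common.inc` and `include disable-programs.inc` while adding the other disable-*.inc files; that may be deliberate for a pager that has to read arbitrary files, but it departs from every other profile in this diff and deserves a comment. I would add `#noroot - <reason>` (placeholder) and, above the include block, `# disable-common.inc and disable-programs.inc intentionally omitted so arbitrary files stay readable` (confirm the intent before wording it as fact).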
@@ -37,6 +34,7 @@ noroot notv nou2f +novideo # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile protocol unix,inet,inet6 # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile diff -Nru firejail-0.9.60/etc/liferea.profile firejail-0.9.62/etc/liferea.profile --- firejail-0.9.60/etc/liferea.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/liferea.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,12 +11,8 @@ noblacklist ${HOME}/.local/share/liferea # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -31,7 +27,9 @@ whitelist ${HOME}/.cache/liferea whitelist ${HOME}/.config/liferea whitelist ${HOME}/.local/share/liferea +whitelist /usr/share/liferea include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all diff -Nru firejail-0.9.60/etc/links.profile firejail-0.9.62/etc/links.profile --- firejail-0.9.60/etc/links.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/links.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links
+
+blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+memory-deny-write-execute
diff -Nru firejail-0.9.60/etc/lobase.profile firejail-0.9.62/etc/lobase.profile
--- firejail-0.9.60/etc/lobase.profile 2019-04-21
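Review bot: the new links.profile cuts off X11 with `blacklist /tmp/.X11-unix`, while less.profile in this same diff replaces exactly that line with `x11 none`, so the two profiles now handle the same concern differently. `x11 none` is the directive firejail provides for this and, as far as I recall, also clears the display environment rather than only hiding the socket, which makes it the more complete form. If links is meant to run only in text mode, `x11 none` would be the consistent choice; if the graphical mode (`links -g`) is meant to stay available, a comment next to the blacklist line should say so.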
11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lobase.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/localc.profile firejail-0.9.62/etc/localc.profile --- firejail-0.9.60/etc/localc.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/localc.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/lodraw.profile firejail-0.9.62/etc/lodraw.profile --- firejail-0.9.60/etc/lodraw.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lodraw.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/loffice.profile firejail-0.9.62/etc/loffice.profile --- firejail-0.9.60/etc/loffice.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/loffice.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/lofromtemplate.profile firejail-0.9.62/etc/lofromtemplate.profile --- firejail-0.9.60/etc/lofromtemplate.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lofromtemplate.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/Logs.profile firejail-0.9.62/etc/Logs.profile --- firejail-0.9.60/etc/Logs.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Logs.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,7 +1,6 @@ # Firejail profile for gnome-logs # This file is overwritten after every install/update - # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-logs.profile diff -Nru firejail-0.9.60/etc/loimpress.profile firejail-0.9.62/etc/loimpress.profile --- firejail-0.9.60/etc/loimpress.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/loimpress.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/lollypop.profile firejail-0.9.62/etc/lollypop.profile --- firejail-0.9.60/etc/lollypop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lollypop.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${MUSIC} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -41,6 +37,6 @@ shell none private-dev -private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp diff -Nru firejail-0.9.60/etc/lomath.profile firejail-0.9.62/etc/lomath.profile --- firejail-0.9.60/etc/lomath.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lomath.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/loweb.profile firejail-0.9.62/etc/loweb.profile --- firejail-0.9.60/etc/loweb.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/loweb.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/lowriter.profile firejail-0.9.62/etc/lowriter.profile --- firejail-0.9.60/etc/lowriter.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lowriter.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/lrunzip.profile firejail-0.9.62/etc/lrunzip.profile --- firejail-0.9.60/etc/lrunzip.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lrunzip.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,12 +1,12 @@ # Firejail profile for lrunzip # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq # This file is overwritten after every install/update +quiet # Persistent local customizations include lrunzip.local # Persistent global definitions # added by included profile #include globals.local - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lrzcat.profile firejail-0.9.62/etc/lrzcat.profile --- firejail-0.9.60/etc/lrzcat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lrzcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,12 +1,12 @@ # Firejail profile for lrzcat # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq # This file is overwritten after every install/update +quiet # Persistent local customizations include lrzcat.local # Persistent global definitions # added by included profile #include globals.local - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lrzip.profile firejail-0.9.62/etc/lrzip.profile --- firejail-0.9.60/etc/lrzip.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lrzip.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,12 +1,12 @@ # Firejail profile for lrzip # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq # This file is overwritten after every install/update +quiet # Persistent local customizations include lrzip.local # Persistent global definitions # added by included profile #include globals.local - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lrz.profile firejail-0.9.62/etc/lrz.profile --- firejail-0.9.60/etc/lrz.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lrz.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,12 +1,12 @@ # Firejail profile for lrz # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq # This file is overwritten after every install/update +quiet # Persistent local customizations include lrz.local # Persistent global definitions # added by included profile #include globals.local - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lrztar.profile firejail-0.9.62/etc/lrztar.profile --- firejail-0.9.60/etc/lrztar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lrztar.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,12 +1,12 @@ # Firejail profile for lrztar # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq # This file is overwritten after every install/update +quiet # Persistent local customizations include lrztar.local # Persistent global definitions # added by included profile #include globals.local - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lrzuntar.profile firejail-0.9.62/etc/lrzuntar.profile --- firejail-0.9.60/etc/lrzuntar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lrzuntar.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,12 +1,12 @@ # Firejail profile for lrzuntar # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq # This file is overwritten after every install/update +quiet # Persistent local customizations include lrzuntar.local # Persistent global definitions # added by included profile #include globals.local - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lynx.profile firejail-0.9.62/etc/lynx.profile --- firejail-0.9.60/etc/lynx.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lynx.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -34,5 +34,5 @@ # private-bin lynx private-cache private-dev -# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl private-tmp diff -Nru firejail-0.9.60/etc/lzcat.profile firejail-0.9.62/etc/lzcat.profile --- firejail-0.9.60/etc/lzcat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzcmp.profile firejail-0.9.62/etc/lzcmp.profile --- firejail-0.9.60/etc/lzcmp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzcmp.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzdiff.profile firejail-0.9.62/etc/lzdiff.profile --- firejail-0.9.60/etc/lzdiff.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzdiff.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzegrep.profile firejail-0.9.62/etc/lzegrep.profile --- firejail-0.9.60/etc/lzegrep.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzegrep.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzfgrep.profile firejail-0.9.62/etc/lzfgrep.profile --- firejail-0.9.60/etc/lzfgrep.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzfgrep.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzgrep.profile firejail-0.9.62/etc/lzgrep.profile --- firejail-0.9.60/etc/lzgrep.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzgrep.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzip.profile firejail-0.9.62/etc/lzip.profile --- firejail-0.9.60/etc/lzip.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzip.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzless.profile firejail-0.9.62/etc/lzless.profile --- firejail-0.9.60/etc/lzless.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzless.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzmadec.profile firejail-0.9.62/etc/lzmadec.profile --- firejail-0.9.60/etc/lzmadec.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzmadec.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include xzdec.profile diff -Nru firejail-0.9.60/etc/lzmainfo.profile firejail-0.9.62/etc/lzmainfo.profile --- firejail-0.9.60/etc/lzmainfo.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzmainfo.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzma.profile firejail-0.9.62/etc/lzma.profile --- firejail-0.9.60/etc/lzma.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzma.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/lzmore.profile firejail-0.9.62/etc/lzmore.profile --- firejail-0.9.60/etc/lzmore.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/lzmore.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/macrofusion.profile firejail-0.9.62/etc/macrofusion.profile --- firejail-0.9.60/etc/macrofusion.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/macrofusion.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${PICTURES} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -40,7 +36,7 @@ seccomp shell none -private-bin python*,macrofusion,env,enfuse,exiftool,align_image_stack +private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python* private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/makepkg.profile firejail-0.9.62/etc/makepkg.profile --- firejail-0.9.60/etc/makepkg.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/makepkg.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,10 @@ # Firejail profile for makepkg # This file is overwritten after every install/update +quiet +# Persistent local customizations +include makepkg.local +# Persistent global definitions +include globals.local # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138 # for potential issues and their solutions when Firejailing makepkg @@ -8,13 +13,6 @@ # whitelist ${HOME}/ # whitelist ${HOME}/.gnupg -quiet -# Persistent local customizations -include makepkg.local -# Persistent global definitions -include globals.local - - # Enable severely restricted access to ${HOME}/.gnupg noblacklist ${HOME}/.gnupg read-only ${HOME}/.gnupg/gpg.conf 
@@ -26,8 +24,7 @@ blacklist ${HOME}/.gnupg/crls.d blacklist ${HOME}/.gnupg/openpgp-revocs.d - -# Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only} +# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. noblacklist /var/lib/pacman include disable-common.inc diff -Nru firejail-0.9.60/etc/Maps.profile firejail-0.9.62/etc/Maps.profile --- firejail-0.9.60/etc/Maps.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Maps.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,7 +1,6 @@ # Firejail profile for gnome-maps # This file is overwritten after every install/update - # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-maps.profile diff -Nru firejail-0.9.60/etc/masterpdfeditor4.profile firejail-0.9.62/etc/masterpdfeditor4.profile --- firejail-0.9.60/etc/masterpdfeditor4.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/masterpdfeditor4.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include masterpdfeditor.profile diff -Nru firejail-0.9.60/etc/masterpdfeditor5.profile firejail-0.9.62/etc/masterpdfeditor5.profile --- firejail-0.9.60/etc/masterpdfeditor5.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/masterpdfeditor5.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,6 +7,5 @@ # added by included profile #include globals.local - # Redirect include masterpdfeditor.profile diff -Nru firejail-0.9.60/etc/masterpdfeditor.profile firejail-0.9.62/etc/masterpdfeditor.profile --- firejail-0.9.60/etc/masterpdfeditor.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/masterpdfeditor.profile 2019-12-14 13:30:32.000000000 +0000 @@ -20,9 +20,7 @@ apparmor caps.drop all -ipc-namespace machine-id -no3d nodvd nogroups nonewprivs 
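Review bot: The new comment on `noblacklist /var/lib/pacman` says that dropping all capabilities makes the directory "automatically read-only", but `caps.drop all` only removes CAP_DAC_OVERRIDE; the read-only outcome depends on the directory being root-owned and the sandboxed user being unprivileged, neither of which the profile enforces. Adding an explicit `read-only /var/lib/pacman` right after the noblacklist line would make the intent enforceable rather than incidental, and the directive is already used in this profile for `${HOME}/.gnupg/gpg.conf`. The comment could then read `# Arch Linux (based distributions) need read access to /var/lib/pacman; enforced read-only below.`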
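Review bot: The masterpdfeditor.profile hunk drops `ipc-namespace` and `no3d`, and the following hunk (`@@ -36,7 +34,6 @@`) drops `private-bin masterpdfedito*`, with no comment explaining what broke; each removal widens what the sandboxed PDF editor can reach (shared IPC, the GPU, all of /usr/bin). Other relaxations in this same diff are annotated inline, e.g. `#memory-deny-write-execute - breaks on Arch (see issue #1803)` in mumble.profile. A line such as `# ipc-namespace, no3d and private-bin removed: <what broke>, see issue <id>` at the top of the profile, or keeping the three directives as commented-out lines with that note, would record the trade-off so it is not silently re-tightened or further loosened later.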
@@ -36,7 +34,6 @@ shell none tracelog -private-bin masterpdfedito* private-cache private-dev private-etc alternatives,fonts diff -Nru firejail-0.9.60/etc/mate-calc.profile firejail-0.9.62/etc/mate-calc.profile --- firejail-0.9.60/etc/mate-calc.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mate-calc.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,12 +15,13 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.cache/mate-calc +mkdir ${HOME}/.config/caja +mkdir ${HOME}/.config/mate-menu whitelist ${HOME}/.cache/mate-calc whitelist ${HOME}/.config/caja -whitelist ${HOME}/.config/gtk-3.0 -whitelist ${HOME}/.config/dconf whitelist ${HOME}/.config/mate-menu -whitelist ${HOME}/.themes +include whitelist-common.inc caps.drop all net none @@ -40,7 +41,7 @@ disable-mnt private-bin mate-calc,mate-calculator -private-etc alternatives,fonts +private-etc alternatives,dconf,fonts,gtk-3.0 private-dev private-opt none private-tmp diff -Nru firejail-0.9.60/etc/mate-calculator.profile firejail-0.9.62/etc/mate-calculator.profile --- firejail-0.9.60/etc/mate-calculator.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mate-calculator.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for mate-calc # This file is overwritten after every install/update - # Redirect include mate-calc.profile diff -Nru firejail-0.9.60/etc/mate-color-select.profile firejail-0.9.62/etc/mate-color-select.profile --- firejail-0.9.60/etc/mate-color-select.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mate-color-select.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,7 +5,6 @@ # Persistent global definitions include globals.local - include disable-common.inc include disable-devel.inc include disable-exec.inc 
@@ -13,10 +12,7 @@ include disable-passwdmgr.inc include disable-programs.inc -whitelist ${HOME}/.config/gtk-3.0 -whitelist ${HOME}/.fonts -whitelist ${HOME}/.icons -whitelist ${HOME}/.themes +include whitelist-common.inc caps.drop all netfilter diff -Nru firejail-0.9.60/etc/mate-dictionary.profile firejail-0.9.62/etc/mate-dictionary.profile --- firejail-0.9.60/etc/mate-dictionary.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mate-dictionary.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,11 +14,9 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/mate/mate-dictionary whitelist ${HOME}/.config/mate/mate-dictionary -whitelist ${HOME}/.config/gtk-3.0 -whitelist ${HOME}/.fonts -whitelist ${HOME}/.icons -whitelist ${HOME}/.themes +include whitelist-common.inc caps.drop all netfilter @@ -37,7 +35,7 @@ disable-mnt private-bin mate-dictionary -private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl private-opt mate-dictionary private-dev private-tmp diff -Nru firejail-0.9.60/etc/mathematica.profile firejail-0.9.62/etc/mathematica.profile --- firejail-0.9.60/etc/mathematica.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mathematica.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for Mathematica # This file is overwritten after every install/update - # Redirect include Mathematica.profile diff -Nru firejail-0.9.60/etc/Mathematica.profile firejail-0.9.62/etc/Mathematica.profile --- firejail-0.9.60/etc/Mathematica.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Mathematica.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -16,6 +16,7 @@ mkdir ${HOME}/.Mathematica mkdir ${HOME}/.Wolfram Research +mkdir ${HOME}/Documents/Wolfram Mathematica whitelist ${HOME}/.Mathematica whitelist ${HOME}/.Wolfram Research whitelist ${HOME}/Documents/Wolfram Mathematica diff -Nru firejail-0.9.60/etc/mcabber.profile firejail-0.9.62/etc/mcabber.profile --- firejail-0.9.60/etc/mcabber.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mcabber.profile 2019-12-14 13:30:32.000000000 +0000 @@ -30,4 +30,4 @@ private-bin mcabber private-dev -private-etc alternatives,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,pki,ssl diff -Nru firejail-0.9.60/etc/mediainfo.profile firejail-0.9.62/etc/mediainfo.profile --- firejail-0.9.60/etc/mediainfo.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mediainfo.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -15,6 +13,8 @@ include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace @@ -34,6 +34,7 @@ seccomp shell none tracelog +x11 none private-bin mediainfo private-cache diff -Nru firejail-0.9.60/etc/mediathekview.profile firejail-0.9.62/etc/mediathekview.profile --- firejail-0.9.60/etc/mediathekview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mediathekview.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -11,18 +11,14 @@ noblacklist ${HOME}/.config/totem noblacklist ${HOME}/.config/vlc noblacklist ${HOME}/.config/xplayer -noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/totem noblacklist ${HOME}/.local/share/xplayer noblacklist ${HOME}/.mediathek3 noblacklist ${HOME}/.mplayer noblacklist ${VIDEOS} -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/meld.profile firejail-0.9.62/etc/meld.profile --- firejail-0.9.60/etc/meld.profile 2019-04-27 15:28:10.000000000 +0000 +++ firejail-0.9.62/etc/meld.profile 2019-12-14 13:30:32.000000000 +0000 
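Review bot: `noblacklist ${HOME}/.java` is removed from mediathekview.profile along with the four system java paths, but only the latter are obviously covered by the new `include allow-java.inc`; whether that include also handles the per-user `${HOME}/.java` directory cannot be seen from this hunk. If it does not, the application loses access to its user-level Java preferences after this change. The same pattern appears in the multimc5.profile hunk (`@@ -5,16 +5,12 @@`), so either confirm allow-java.inc covers `${HOME}/.java` or keep `noblacklist ${HOME}/.java` in both profiles.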
@@ -6,22 +6,25 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.local/share/meld - -# Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need +# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path +# Removing the symlink: +# sudo rm /usr/local/bin/meld +# Calling by its absolute path (example for git-mergetool): +# git config --global mergetool.meld.cmd /usr/bin/meld +noblacklist ${HOME}/.config/meld noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials +noblacklist ${HOME}/.local/share/meld noblacklist ${HOME}/.ssh noblacklist ${HOME}/.subversion +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. #include disable-common.inc include disable-devel.inc @@ -31,7 +34,12 @@ # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. #include disable-programs.inc -include whitelist-var-common.inc +# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share. +#whitelist /usr/share/meld +#include whitelist-usr-share-common.inc + +# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var. +#include whitelist-var-common.inc apparmor caps.drop all 
@@ -59,3 +67,4 @@ #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion private-tmp +read-only ${HOME}/.ssh diff -Nru firejail-0.9.60/etc/mencoder.profile firejail-0.9.62/etc/mencoder.profile --- firejail-0.9.60/etc/mencoder.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mencoder.profile 2019-12-14 13:30:32.000000000 +0000 @@ -25,4 +25,5 @@ private-bin mencoder +# Redirect include mplayer.profile diff -Nru firejail-0.9.60/etc/mendeleydesktop.profile firejail-0.9.62/etc/mendeleydesktop.profile --- firejail-0.9.60/etc/mendeleydesktop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mendeleydesktop.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/pki # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -47,7 +43,7 @@ tracelog disable-mnt -private-bin mendeleydesktop,python*,env,gconftool-2,which,sh,ln,cat,update-desktop-database +private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-database,which private-dev private-tmp diff -Nru firejail-0.9.60/etc/meteo-qt.profile firejail-0.9.62/etc/meteo-qt.profile --- firejail-0.9.60/etc/meteo-qt.profile 2019-05-21 12:17:54.000000000 +0000 +++ firejail-0.9.62/etc/meteo-qt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,9 +10,7 @@ noblacklist ${HOME}/.config/meteo-qt # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python3* +include allow-python3.inc include disable-common.inc include disable-devel.inc 
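Review bot: `read-only ${HOME}/.ssh`, added at the end of meld.profile, protects the SSH key material, but `${HOME}/.git-credentials`, which this profile noblacklists earlier in the same file and which stores credentials in plaintext, stays writable inside the sandbox. A matching `read-only ${HOME}/.git-credentials` next to the new line would give the credential store the same protection at no cost for a diff/merge tool that only reads it. `${HOME}/.gitconfig` could be treated the same way if meld's VCS integration is confirmed to only read it; that is not inferable from the hunk.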
@@ -22,8 +20,8 @@ include disable-programs.inc include disable-xdg.inc -whitelist ${HOME}/.config/autostart mkdir ${HOME}/.config/meteo-qt +whitelist ${HOME}/.config/autostart whitelist ${HOME}/.config/meteo-qt include whitelist-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.60/etc/midori.profile firejail-0.9.62/etc/midori.profile --- firejail-0.9.60/etc/midori.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/midori.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,6 +6,9 @@ # Persistent global definitions include globals.local +# noexec ${HOME} breaks DRM binaries. +?BROWSER_ALLOW_DRM: ignore noexec ${HOME} + noblacklist ${HOME}/.config/midori noblacklist ${HOME}/.local/share/midori # noblacklist ${HOME}/.local/share/webkit @@ -13,9 +16,6 @@ noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki -# noexec ${HOME} breaks DRM binaries. -?BROWSER_ALLOW_DRM: ignore noexec ${HOME} - include disable-common.inc include disable-devel.inc include disable-exec.inc diff -Nru firejail-0.9.60/etc/minetest.profile firejail-0.9.62/etc/minetest.profile --- firejail-0.9.60/etc/minetest.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/minetest.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/minetest noblacklist ${HOME}/.minetest include disable-common.inc @@ -16,7 +17,9 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.cache/minetest mkdir ${HOME}/.minetest +whitelist ${HOME}/.cache/minetest whitelist ${HOME}/.minetest include whitelist-common.inc include whitelist-var-common.inc 
@@ -42,5 +45,5 @@ private-cache private-dev # private-etc needs to be updated, see #1702 -#private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id +#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/mousepad.profile firejail-0.9.62/etc/mousepad.profile --- firejail-0.9.60/etc/mousepad.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mousepad.profile 2019-12-14 13:30:32.000000000 +0000 @@ -26,6 +26,7 @@ nosound notv nou2f +novideo protocol unix seccomp shell none diff -Nru firejail-0.9.60/etc/mp3splt-gtk.profile firejail-0.9.62/etc/mp3splt-gtk.profile --- firejail-0.9.60/etc/mp3splt-gtk.profile 2019-05-21 12:17:54.000000000 +0000 +++ firejail-0.9.62/etc/mp3splt-gtk.profile 2019-12-14 13:30:32.000000000 +0000 @@ -37,5 +37,5 @@ private-bin mp3splt-gtk private-cache private-dev -private-etc alsa,alternatives,asound.conf,fonts,gtk-3.0,dconf,machine-id,openal,pulse +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse private-tmp diff -Nru firejail-0.9.60/etc/mp3splt.profile firejail-0.9.62/etc/mp3splt.profile --- firejail-0.9.60/etc/mp3splt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mp3splt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -37,6 +37,7 @@ seccomp shell none tracelog +x11 none disable-mnt private-bin flacsplt,mp3splt,mp3wrap,oggsplt diff -Nru firejail-0.9.60/etc/mp3wrap.profile firejail-0.9.62/etc/mp3wrap.profile --- firejail-0.9.60/etc/mp3wrap.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mp3wrap.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile for mp3wrap # This file is overwritten after every install/update include mp3wrap.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include mp3splt.profile diff -Nru firejail-0.9.60/etc/mpd.profile firejail-0.9.62/etc/mpd.profile --- firejail-0.9.60/etc/mpd.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mpd.profile 2019-12-14 13:30:32.000000000 +0000 @@ -19,6 +19,8 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc + caps.drop all netfilter no3d @@ -31,10 +33,10 @@ protocol unix,inet,inet6 # blacklisting of ioprio_set system calls breaks auto-updating of # MPD's database when files in music_directory are changed -seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice +seccomp !ioprio_set shell none -#private-bin mpd,bash +#private-bin bash,mpd private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/mpDris2.profile firejail-0.9.62/etc/mpDris2.profile --- firejail-0.9.60/etc/mpDris2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mpDris2.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,10 @@ noblacklist ${HOME}/.config/mpDris2 # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc + +noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc 
@@ -24,6 +22,13 @@ include disable-programs.inc include disable-xdg.inc +whitelist ${MUSIC} + +mkdir ${HOME}/.config/mpDris2 +whitelist ${HOME}/.config/mpDris2 +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + caps.drop all machine-id netfilter @@ -47,6 +52,6 @@ private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* private-tmp -# memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) read-only ${HOME} diff -Nru firejail-0.9.60/etc/mpg123-alsa.profile firejail-0.9.62/etc/mpg123-alsa.profile --- firejail-0.9.60/etc/mpg123-alsa.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-alsa.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for mpg123-alsa +# Persistent local customizations +include mpg123-alsa.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123.bin.profile firejail-0.9.62/etc/mpg123.bin.profile --- firejail-0.9.60/etc/mpg123.bin.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123.bin.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for mpg123.bin +# Persistent local customizations +include mpg123.bin.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123-id3dump.profile firejail-0.9.62/etc/mpg123-id3dump.profile --- firejail-0.9.60/etc/mpg123-id3dump.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-id3dump.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,12 @@ +# Firejail profile for mpg123-id3dump +# Persistent local customizations +include mpg123-id3dump.local +# Persistent global definitions +# added by included profile +#include globals.local + +machine-id +nosound + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123-jack.profile firejail-0.9.62/etc/mpg123-jack.profile --- firejail-0.9.60/etc/mpg123-jack.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-jack.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for mpg123-jack +# Persistent local customizations +include mpg123-jack.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123-nas.profile firejail-0.9.62/etc/mpg123-nas.profile --- firejail-0.9.60/etc/mpg123-nas.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-nas.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for mpg123-nas +# Persistent local customizations +include mpg123-nas.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123-openal.profile firejail-0.9.62/etc/mpg123-openal.profile --- firejail-0.9.60/etc/mpg123-openal.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-openal.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for mpg123-openal +# Persistent local customizations +include mpg123-openal.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123-oss.profile firejail-0.9.62/etc/mpg123-oss.profile --- firejail-0.9.60/etc/mpg123-oss.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-oss.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,9 @@ +# Firejail profile for mpg123-oss +# Persistent local customizations +include mpg123-oss.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123-portaudio.profile firejail-0.9.62/etc/mpg123-portaudio.profile --- firejail-0.9.60/etc/mpg123-portaudio.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-portaudio.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for mpg123-portaudio +# Persistent local customizations +include mpg123-portaudio.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123.profile firejail-0.9.62/etc/mpg123.profile --- firejail-0.9.60/etc/mpg123.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,39 @@ +# Firejail profile for mpg123 +# Description: MPEG audio player/decoder +# This file is overwritten after every install/update +# Persistent local customizations +include mpg123.local +# Persistent global definitions +include globals.local + +noblacklist ${MUSIC} +noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodbus +nogroups +nonewprivs +noroot +nou2f +protocol unix,inet,inet6,netlink +seccomp +shell none + +#private-bin mpg123* +private-dev +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/mpg123-pulse.profile firejail-0.9.62/etc/mpg123-pulse.profile --- firejail-0.9.60/etc/mpg123-pulse.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-pulse.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for mpg123-pulse +# Persistent local customizations +include mpg123-pulse.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mpg123-strip.profile firejail-0.9.62/etc/mpg123-strip.profile --- firejail-0.9.60/etc/mpg123-strip.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/mpg123-strip.profile 2019-12-14 13:30:32.000000000 +0000 
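Review bot: The new mpg123.profile, for a command-line audio player with no GUI or video output, does not restrict the device classes that comparable profiles in this same diff lock down: mp3splt.profile gains `x11 none`, mousepad.profile gains `novideo`, and mpsyt.profile gains `nodvd`, `notv` and `novideo`, while this profile only sets `nou2f`. Adding `no3d`, `nodvd`, `notv` and `novideo` next to `nou2f` would bring it in line; `x11 none` likely applies as well, but the mpg123-* redirect profiles added in this diff should be checked for any front-end that needs a display before adding it. Separately, `#private-bin mpg123*` is commented out with no reason given, unlike the annotated `#private-cache` in mpv.profile; a short `# private-bin disabled: <reason>` would keep that decision from being reverted by accident.
```shell
# … unchanged: header, noblacklist, include, apparmor, caps.drop all, netfilter …
no3d
nodbus
nodvd
# … unchanged: nogroups, nonewprivs, noroot …
notv
nou2f
novideo
# … unchanged: protocol, seccomp, shell none, private-*, memory-deny-write-execute …
```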
@@ -0,0 +1,9 @@ +# Firejail profile for mpg123-strip +# Persistent local customizations +include mpg123-strip.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/mplayer.profile firejail-0.9.62/etc/mplayer.profile --- firejail-0.9.60/etc/mplayer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mplayer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -18,6 +18,7 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all diff -Nru firejail-0.9.60/etc/mpsyt.profile firejail-0.9.62/etc/mpsyt.profile --- firejail-0.9.60/etc/mpsyt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mpsyt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,19 +6,17 @@ # Persistent global definitions include globals.local -# Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* - +noblacklist ${HOME}/.config/mps-youtube noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.mplayer -noblacklist ${HOME}/.config/mps-youtube noblacklist ${HOME}/.netrc noblacklist ${HOME}/mps + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + noblacklist ${MUSIC} noblacklist ${VIDEOS} 
@@ -31,30 +29,41 @@ include disable-xdg.inc mkdir ${HOME}/.config/mps-youtube +mkdir ${HOME}/.config/mpv +mkdir ${HOME}/.config/youtube-dl +mkdir ${HOME}/.mplayer +mkdir ${HOME}/mps +whitelist ${HOME}/.config/mps-youtube whitelist ${HOME}/.config/mpv +whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.mplayer -whitelist ${HOME}/.config/mps-youtube whitelist ${HOME}/.netrc whitelist ${HOME}/mps +whitelist ${DOWNLOADS} whitelist ${MUSIC} whitelist ${VIDEOS} -whitelist ${DOWNLOADS} include whitelist-common.inc include whitelist-var-common.inc apparmor caps.drop all netfilter +nodbus +nodvd # Seems to cause issues with Nvidia drivers sometimes nogroups nonewprivs noroot +notv +nou2f +novideo protocol unix,inet,inet6 seccomp shell none tracelog -private-bin mpsyt,mplayer,mpv,youtube-dl,python*,env,ffmpeg +private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl +#private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/mpv.profile firejail-0.9.62/etc/mpv.profile --- firejail-0.9.60/etc/mpv.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mpv.profile 2019-12-14 13:30:32.000000000 +0000 @@ -8,17 +8,16 @@ include globals.local noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.netrc -noblacklist ${MUSIC} -noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc + +noblacklist ${MUSIC} +noblacklist ${PICTURES} +noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc @@ -28,6 +27,7 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
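Review bot: `#private-cache` is commented out in mpsyt.profile without recording why, whereas the same change in mpv.profile in this diff carries `# Causes slow OSD, see #2838`; a matching `#private-cache - <reason>, see issue <id>` line keeps the two profiles consistent and stops a later cleanup from re-enabling it blindly. Separately, `whitelist ${HOME}/.netrc` keeps a plaintext credential file writable inside the sandbox; if mpsyt and youtube-dl only read it, `read-only ${HOME}/.netrc` would be a cheap addition, matching the `read-only ${HOME}/.ssh` line that meld.profile gains in this diff.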
@@ -39,11 +39,12 @@ nonewprivs noroot nou2f -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp shell none tracelog -private-bin mpv,youtube-dl,python*,env -private-cache +private-bin env,mpv,python*,youtube-dl +# Causes slow OSD, see #2838 +#private-cache private-dev diff -Nru firejail-0.9.60/etc/ms-excel.profile firejail-0.9.62/etc/ms-excel.profile --- firejail-0.9.60/etc/ms-excel.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ms-excel.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include ms-excel.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/ms-excel-online private-bin ms-excel diff -Nru firejail-0.9.60/etc/ms-office.profile firejail-0.9.62/etc/ms-office.profile --- firejail-0.9.60/etc/ms-office.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ms-office.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,8 @@ noblacklist ${HOME}/.jak # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -39,8 +35,8 @@ tracelog disable-mnt -private-bin bash,fonts,env,jak,ms-office,python*,sh -private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies +private-bin bash,env,fonts,jak,ms-office,python*,sh +private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl private-dev private-tmp diff -Nru firejail-0.9.60/etc/ms-onenote.profile firejail-0.9.62/etc/ms-onenote.profile --- firejail-0.9.60/etc/ms-onenote.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ms-onenote.profile 2019-12-14 13:30:32.000000000 +0000 
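Review bot: `protocol unix,inet,inet6,netlink` widens the socket families allowed to mpv without a comment saying which feature needs netlink, while the `#private-cache` change two lines below is annotated with its issue number. A one-line note such as `# netlink: needed by <feature>, see issue <id>` above the protocol line would document the relaxation; if the need is only libc's interface enumeration this is harmless, but that cannot be inferred from the hunk. mpg123.profile, new in this diff, sets the same four families and would benefit from the same note.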
@@ -3,7 +3,8 @@ # Persistent local customizations include ms-onenote.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/ms-onenote-online private-bin ms-onenote diff -Nru firejail-0.9.60/etc/ms-outlook.profile firejail-0.9.62/etc/ms-outlook.profile --- firejail-0.9.60/etc/ms-outlook.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ms-outlook.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include ms-outlook.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/ms-outlook-online private-bin ms-outlook diff -Nru firejail-0.9.60/etc/ms-powerpoint.profile firejail-0.9.62/etc/ms-powerpoint.profile --- firejail-0.9.60/etc/ms-powerpoint.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ms-powerpoint.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include ms-powerpoint.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/ms-powerpoint-online private-bin ms-powerpoint diff -Nru firejail-0.9.60/etc/ms-skype.profile firejail-0.9.62/etc/ms-skype.profile --- firejail-0.9.60/etc/ms-skype.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ms-skype.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -3,10 +3,13 @@ # Persistent local customizations include ms-skype.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -noblacklist ${HOME}/.cache/ms-skype-online ignore novideo + +noblacklist ${HOME}/.cache/ms-skype-online + private-bin ms-skype # Redirect diff -Nru firejail-0.9.60/etc/ms-word.profile firejail-0.9.62/etc/ms-word.profile --- firejail-0.9.60/etc/ms-word.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ms-word.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include ms-word.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/ms-word-online private-bin ms-word diff -Nru firejail-0.9.60/etc/multimc5.profile firejail-0.9.62/etc/multimc5.profile --- firejail-0.9.60/etc/multimc5.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/multimc5.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,16 +5,12 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/multimc noblacklist ${HOME}/.local/share/multimc5 noblacklist ${HOME}/.multimc5 -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc @@ -24,6 +20,8 @@ include disable-programs.inc mkdir ${HOME}/.local/share/multimc +mkdir ${HOME}/.local/share/multimc5 +mkdir ${HOME}/.multimc5 whitelist ${HOME}/.local/share/multimc whitelist ${HOME}/.local/share/multimc5 whitelist ${HOME}/.multimc5 
@@ -44,7 +42,7 @@ disable-mnt # private-bin works, but causes weirdness -# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname +# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper private-dev private-tmp diff -Nru firejail-0.9.60/etc/mumble.profile firejail-0.9.62/etc/mumble.profile --- firejail-0.9.60/etc/mumble.profile 2019-05-06 13:13:29.000000000 +0000 +++ firejail-0.9.62/etc/mumble.profile 2019-12-14 13:30:32.000000000 +0000 @@ -43,4 +43,4 @@ private-bin mumble private-tmp -memory-deny-write-execute +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/mupdf.profile firejail-0.9.62/etc/mupdf.profile --- firejail-0.9.60/etc/mupdf.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mupdf.profile 2019-12-14 13:30:32.000000000 +0000 @@ -36,7 +36,7 @@ shell none tracelog -# private-bin mupdf,sh,tempfile,rm +# private-bin mupdf,rm,sh,tempfile private-dev private-etc alternatives,fonts private-tmp diff -Nru firejail-0.9.60/etc/mupen64plus.profile firejail-0.9.62/etc/mupen64plus.profile --- firejail-0.9.60/etc/mupen64plus.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mupen64plus.profile 2019-12-14 13:30:32.000000000 +0000 @@ -18,8 +18,8 @@ # you'll need to manually whitelist ROM files mkdir ${HOME}/.config/mupen64plus mkdir ${HOME}/.local/share/mupen64plus -whitelist ${HOME}/.config/mupen64plus/ -whitelist ${HOME}/.local/share/mupen64plus/ +whitelist ${HOME}/.config/mupen64plus +whitelist ${HOME}/.local/share/mupen64plus include whitelist-common.inc caps.drop all diff -Nru firejail-0.9.60/etc/musixmatch.profile firejail-0.9.62/etc/musixmatch.profile --- firejail-0.9.60/etc/musixmatch.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/musixmatch.profile 2019-12-14 13:30:32.000000000 +0000 
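Review bot: In the mumble hunk, commenting out `memory-deny-write-execute` drops a W^X mitigation for every distribution to work around an Arch-specific breakage (#1803). Since these profiles presumably carry the usual `include mumble.local` hook, the alternative that keeps the hardening for everyone else is to leave `memory-deny-write-execute` active and let affected users add `ignore memory-deny-write-execute` to mumble.local. If the project prefers disabling it upstream, the comment should at least say it can be re-enabled locally, e.g. `#memory-deny-write-execute - breaks on Arch (see issue #1803); enable in mumble.local if it works for you`. The same change is made to ocenaudio.profile and pavucontrol.profile in this diff.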
@@ -32,5 +32,5 @@ disable-mnt private-dev -private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl diff -Nru firejail-0.9.60/etc/mutt.profile firejail-0.9.62/etc/mutt.profile --- firejail-0.9.60/etc/mutt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mutt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,8 +6,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /var/mail noblacklist /var/spool/mail noblacklist ${HOME}/.Mail @@ -19,7 +17,6 @@ noblacklist ${HOME}/.emacs.d noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.mail -noblacklist ${HOME}/.mailcap noblacklist ${HOME}/.msmtprc noblacklist ${HOME}/.mutt noblacklist ${HOME}/.muttrc @@ -34,6 +31,8 @@ noblacklist ${HOME}/postponed noblacklist ${HOME}/sent +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc @@ -54,6 +53,6 @@ protocol unix,inet,inet6 seccomp shell none -writable-run-user private-dev +writable-run-user diff -Nru firejail-0.9.60/etc/mypaint.profile firejail-0.9.62/etc/mypaint.profile --- firejail-0.9.60/etc/mypaint.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/mypaint.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,10 +9,12 @@ noblacklist ${HOME}/.cache/mypaint noblacklist ${HOME}/.config/mypaint noblacklist ${HOME}/.local/share/mypaint -noblacklist ${PATH}/python2* -noblacklist /usr/lib/python2* noblacklist ${PICTURES} +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc 
@@ -42,6 +44,6 @@ private-cache private-dev -private-etc alternatives,fonts,gtk-3.0,dconf +private-etc alternatives,dconf,fonts,gtk-3.0 private-tmp diff -Nru firejail-0.9.60/etc/nano.profile firejail-0.9.62/etc/nano.profile --- firejail-0.9.60/etc/nano.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nano.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for nano # Description: nano is an easy text editor for the terminal # This file is overwritten after every install/update +quiet # Persistent local customizations include nano.local # Persistent global definitions @@ -16,6 +17,9 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/nano +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace @@ -35,6 +39,7 @@ seccomp shell none tracelog +x11 none # disable-mnt private-bin nano,rnano diff -Nru firejail-0.9.60/etc/natron.profile firejail-0.9.62/etc/natron.profile --- firejail-0.9.60/etc/natron.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/natron.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,18 +5,13 @@ # Persistent global definitions include globals.local -# Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* - noblacklist ${HOME}/.Natron noblacklist ${HOME}/.cache/INRIA/Natron noblacklist ${HOME}/.config/INRIA -noblacklist /opt/natron + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -33,9 +28,9 @@ nonewprivs noroot notv -protocol unix,inet,inet6 +nou2f +protocol unix seccomp shell none private-bin natron,Natron,NatronRenderer - diff -Nru firejail-0.9.60/etc/Natron.profile firejail-0.9.62/etc/Natron.profile --- firejail-0.9.60/etc/Natron.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Natron.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for natron # This file is overwritten after every install/update - # Redirect include natron.profile diff -Nru firejail-0.9.60/etc/nautilus.profile firejail-0.9.62/etc/nautilus.profile --- firejail-0.9.60/etc/nautilus.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nautilus.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/nautilus-python # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -28,6 +24,7 @@ include disable-passwdmgr.inc # include disable-programs.inc +allusers caps.drop all netfilter nodvd @@ -44,5 +41,4 @@ # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files # private-bin nautilus # private-dev -# private-etc alternatives,fonts # private-tmp diff -Nru firejail-0.9.60/etc/ncdu.profile firejail-0.9.62/etc/ncdu.profile --- firejail-0.9.60/etc/ncdu.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ncdu.profile 2019-12-14 13:30:32.000000000 +0000 
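Review bot: `protocol unix` now blocks inet/inet6 sockets through seccomp, but nothing in the natron hunk takes the network away, so the sandbox still has its network namespace and only the protocol list stands between the process and the wire. If Natron genuinely needs no network, which is what dropping inet/inet6 implies, `net none` next to the protocol line is the stronger and clearer control; otherwise a comment should say why the protocol list was narrowed while the network was kept. The added `nou2f` is fine. The rest of natron.profile, including any existing `net` line, is outside this hunk.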
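Review bot: `allusers` is added to nautilus.profile with no comment, and it is a real widening: it exposes every user's home directory inside the sandbox instead of only the invoking user's. A short rationale such as `# allusers - file manager must be able to browse other users' home directories` (if that is the reason) keeps it from being removed later as an oversight and tells users they can narrow it again with `ignore allusers` in nautilus.local. The same directive is added to nemo.profile and pcmanfm.profile in this release and the same note applies there.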
@@ -24,6 +24,7 @@ protocol unix seccomp shell none +x11 none private-dev # private-tmp diff -Nru firejail-0.9.60/etc/nemo.profile firejail-0.9.62/etc/nemo.profile --- firejail-0.9.60/etc/nemo.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nemo.profile 2019-12-14 13:30:32.000000000 +0000 @@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/nemo-python # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -25,6 +21,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc +allusers caps.drop all netfilter no3d diff -Nru firejail-0.9.60/etc/netactview.profile firejail-0.9.62/etc/netactview.profile --- firejail-0.9.60/etc/netactview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/netactview.profile 2019-12-14 13:30:32.000000000 +0000 @@ -18,7 +18,9 @@ mkfile ${HOME}/.netactview whitelist ${HOME}/.netactview +whitelist /usr/share/netactview include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/nethack.profile firejail-0.9.62/etc/nethack.profile --- firejail-0.9.60/etc/nethack.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nethack.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,7 +6,6 @@ # Persistent global definitions include globals.local - noblacklist /var/games/nethack include disable-common.inc diff -Nru firejail-0.9.60/etc/nethack-vultures.profile firejail-0.9.62/etc/nethack-vultures.profile --- firejail-0.9.60/etc/nethack-vultures.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nethack-vultures.profile 2019-12-14 13:30:32.000000000 +0000 
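Review bot: The bare `allusers` line in the nemo hunk makes all home directories visible in the sandbox, not just the current user's, and the hunk gives no reason. Please add a one-line comment with the motivation above it, in the form the tree already uses for other relaxations (e.g. `# net none - see issue #1467, computer:/// location broken` in pcmanfm.profile), so the change is clearly intentional and users know they can override it with `ignore allusers` in nemo.local.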
@@ -6,9 +6,7 @@ # Persistent global definitions include globals.local - noblacklist ${HOME}/.vultures -noblacklist /var/log include disable-common.inc include disable-devel.inc @@ -43,4 +41,3 @@ private-dev private-tmp writable-var - diff -Nru firejail-0.9.60/etc/neverputt.profile firejail-0.9.62/etc/neverputt.profile --- firejail-0.9.60/etc/neverputt.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/neverputt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for neverputt +# This file is overwritten after every install/update +# Persistent local customizations +include neverputt.local +# added by included profile +#include globals.local + +# Redirect +include neverball.profile diff -Nru firejail-0.9.60/etc/newsbeuter.profile firejail-0.9.62/etc/newsbeuter.profile --- firejail-0.9.60/etc/newsbeuter.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/newsbeuter.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,21 @@ +# Firejail profile for Newsboat +# Description: Text based Atom/RSS feed reader +# This file is overwritten after every install/update +# Persistent local customizations +include newsbeuter.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.config/newsbeuter +noblacklist ${HOME}/.newsbeuter + +mkdir ${HOME}/.config/newsbeuter +mkdir ${HOME}/.newsbeuter +whitelist ${HOME}/.config/newsbeuter +whitelist ${HOME}/.newsbeuter + +private-bin newsbeuter + +# Redirect +include newsboat.profile diff -Nru firejail-0.9.60/etc/nheko.profile firejail-0.9.62/etc/nheko.profile --- firejail-0.9.60/etc/nheko.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nheko.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -18,11 +18,9 @@ mkdir ${HOME}/.config/nheko mkdir ${HOME}/.cache/nheko/nheko - whitelist ${HOME}/.config/nheko whitelist ${HOME}/.cache/nheko/nheko whitelist ${DOWNLOADS} - include whitelist-common.inc caps.drop all diff -Nru firejail-0.9.60/etc/nitroshare-cli.profile firejail-0.9.62/etc/nitroshare-cli.profile --- firejail-0.9.60/etc/nitroshare-cli.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nitroshare-cli.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update - # Redirect include nitroshare.profile diff -Nru firejail-0.9.60/etc/nitroshare-nmh.profile firejail-0.9.62/etc/nitroshare-nmh.profile --- firejail-0.9.60/etc/nitroshare-nmh.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nitroshare-nmh.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update - # Redirect include nitroshare.profile diff -Nru firejail-0.9.60/etc/nitroshare.profile firejail-0.9.62/etc/nitroshare.profile --- firejail-0.9.60/etc/nitroshare.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nitroshare.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/NitroShare # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -24,6 +20,8 @@ include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc + caps.drop all netfilter no3d diff -Nru firejail-0.9.60/etc/nitroshare-send.profile firejail-0.9.62/etc/nitroshare-send.profile --- firejail-0.9.60/etc/nitroshare-send.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nitroshare-send.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update - # Redirect include nitroshare.profile diff -Nru firejail-0.9.60/etc/nitroshare-ui.profile firejail-0.9.62/etc/nitroshare-ui.profile --- firejail-0.9.60/etc/nitroshare-ui.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nitroshare-ui.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update - # Redirect include nitroshare.profile diff -Nru firejail-0.9.60/etc/nomacs.profile firejail-0.9.62/etc/nomacs.profile --- firejail-0.9.60/etc/nomacs.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nomacs.profile 2019-12-14 13:30:32.000000000 +0000 @@ -41,7 +41,7 @@ #private-bin nomacs private-cache private-dev -private-etc alternatives,hosts,ca-certificates,ssl,pki,crypto-policies,resolv.conf,drirc,fonts,gtk-3.0,dconf,machine-id,login.defs +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/nylas.profile firejail-0.9.62/etc/nylas.profile --- firejail-0.9.60/etc/nylas.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nylas.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -14,6 +14,8 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/Nylas Mail +mkdir ${HOME}/.nylas-mail whitelist ${DOWNLOADS} whitelist ${HOME}/.config/Nylas Mail whitelist ${HOME}/.nylas-mail diff -Nru firejail-0.9.60/etc/nyx.profile firejail-0.9.62/etc/nyx.profile --- firejail-0.9.60/etc/nyx.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/nyx.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,14 +6,11 @@ # Persistent global definitions include globals.local -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc noblacklist ${HOME}/.nyx -mkdir ${HOME}/.nyx -whitelist ${HOME}/.nyx include disable-common.inc include disable-devel.inc @@ -23,6 +20,11 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.nyx +whitelist ${HOME}/.nyx +include whitelist-common.inc +include whitelist-var-common.inc + caps.drop all netfilter no3d @@ -43,7 +45,7 @@ private-bin nyx,python* private-cache private-dev -private-etc alternatives,passwd,tor,fonts +private-etc alternatives,fonts,passwd,tor private-opt none private-srv none private-tmp diff -Nru firejail-0.9.60/etc/obs.profile firejail-0.9.62/etc/obs.profile --- firejail-0.9.60/etc/obs.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/obs.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,12 +11,8 @@ noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -40,7 +36,7 @@ shell none tracelog -private-bin obs,python* +private-bin bash,obs,obs-ffmpeg-mux,python*,sh private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/ocenaudio.profile firejail-0.9.62/etc/ocenaudio.profile --- firejail-0.9.60/etc/ocenaudio.profile 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/ocenaudio.profile 2019-12-14 13:30:32.000000000 +0000 @@ -18,10 +18,14 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace -# net none breaks AppArmor on Ubuntu systems +# net none - breaks update functionality and AppArmor on Ubuntu systems +# uncomment (or put 'net none' in your ocenaudio.local) when needed +#net none netfilter no3d # nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed @@ -38,11 +42,10 @@ shell none tracelog -# disable-mnt private-bin ocenaudio private-cache private-dev private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse private-tmp -# memory-deny-write-execute - breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/odt2txt.profile firejail-0.9.62/etc/odt2txt.profile --- firejail-0.9.60/etc/odt2txt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/odt2txt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -8,8 +8,6 @@ noblacklist ${DOCUMENTS} -blacklist /tmp/.X11-unix - include disable-common.inc include disable-devel.inc include disable-interpreters.inc @@ -33,6 +31,7 @@ seccomp shell none tracelog +x11 none private-bin odt2txt private-cache diff -Nru firejail-0.9.60/etc/oggsplt.profile firejail-0.9.62/etc/oggsplt.profile --- firejail-0.9.60/etc/oggsplt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/oggsplt.profile 2019-12-14 13:30:32.000000000 +0000 
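Review bot: The obs hunk adds `bash` and `sh` to `private-bin`, which puts a general-purpose shell into a sandbox whose bin directory previously held only `obs` and `python*`, yet it gives no reason. If `obs-ffmpeg-mux` is launched through a shell wrapper, that is worth a comment above the line, e.g. `# bash/sh needed to launch obs-ffmpeg-mux`, so the shells are not carried forward once the wrapper is gone; if they are needed for something else, say what. The private-bin change is independent of the python include refactor earlier in the file.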
@@ -1,6 +1,9 @@ # Firejail profile for oggsplt # This file is overwritten after every install/update include oggsplt.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include mp3splt.profile diff -Nru firejail-0.9.60/etc/okular.profile firejail-0.9.62/etc/okular.profile --- firejail-0.9.60/etc/okular.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/okular.profile 2019-12-14 13:30:32.000000000 +0000 @@ -26,6 +26,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/poppler +whitelist /usr/share/okular +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -47,9 +50,9 @@ shell none tracelog -private-bin okular,kbuildsycoca4,kdeinit4,lpr +private-bin kbuildsycoca4,kdeinit4,lpr,okular private-dev -private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg +private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients # memory-deny-write-execute diff -Nru firejail-0.9.60/etc/onionshare-gui.profile firejail-0.9.62/etc/onionshare-gui.profile --- firejail-0.9.60/etc/onionshare-gui.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/onionshare-gui.profile 2019-12-14 13:30:32.000000000 +0000 @@ -8,9 +8,7 @@ noblacklist ${HOME}/.config/onionshare # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python3* +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/ooffice.profile firejail-0.9.62/etc/ooffice.profile --- firejail-0.9.60/etc/ooffice.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/ooffice.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff -Nru firejail-0.9.60/etc/ooviewdoc.profile firejail-0.9.62/etc/ooviewdoc.profile
--- firejail-0.9.60/etc/ooviewdoc.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/ooviewdoc.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff -Nru firejail-0.9.60/etc/openarena.profile firejail-0.9.62/etc/openarena.profile
--- firejail-0.9.60/etc/openarena.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/openarena.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,43 @@
+# Firejail profile for OpenArena
+# Description: deathmatch FPS game based on GPL idTech3 technology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openarena.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openarena
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# ipc-namespace
+# netfilter
+# nodbus
+# nodvd
+# nogroups
+nonewprivs
+noroot
+notv
+# nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# tracelog
+
+# disable-mnt
+# private-bin openarena
+private-cache
+private-dev
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-tmp
diff -Nru firejail-0.9.60/etc/openclonk.profile firejail-0.9.62/etc/openclonk.profile
--- firejail-0.9.60/etc/openclonk.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/openclonk.profile 2019-12-14 13:30:32.000000000 +0000
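Review bot: The new openarena.profile comments out `ipc-namespace`, `netfilter`, `nodbus`, `nogroups`, `nou2f`, `tracelog`, `private-bin` and `private-etc` without saying why, whereas the rest of this tree annotates disabled hardening (`#memory-deny-write-execute - breaks on Arch (see issue #1803)`). Each disabled line should either carry a reason in that form (`# nodbus - breaks <feature>`) or be enabled if it was simply untested; `nou2f` and `tracelog` in particular are unlikely to break a game. `protocol unix,inet,inet6,netlink` is plausible for an online FPS, but a note on what needs netlink would help here too. The commented `# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg` reads like a tested candidate list and, if it is, deserves a comment saying what still breaks with it on.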
@@ -38,7 +38,7 @@ tracelog disable-mnt -private-bin openclonk,c4group +private-bin c4group,openclonk private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/open-invaders.profile firejail-0.9.62/etc/open-invaders.profile --- firejail-0.9.60/etc/open-invaders.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/open-invaders.profile 2019-12-14 13:30:32.000000000 +0000 @@ -27,11 +27,11 @@ noroot notv nou2f +novideo protocol unix,netlink seccomp shell none # private-bin open-invaders private-dev -# private-etc alternatives private-tmp diff -Nru firejail-0.9.60/etc/openoffice.org.profile firejail-0.9.62/etc/openoffice.org.profile --- firejail-0.9.60/etc/openoffice.org.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/openoffice.org.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update + +# Redirect +include libreoffice.profile diff -Nru firejail-0.9.60/etc/openshot.profile firejail-0.9.62/etc/openshot.profile --- firejail-0.9.60/etc/openshot.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/openshot.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${HOME}/.openshot_qt # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/openshot-qt.profile firejail-0.9.62/etc/openshot-qt.profile --- firejail-0.9.60/etc/openshot-qt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/openshot-qt.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,6 +1,5 @@ # Firejail profile alias for openshot # This file is overwritten after every install/update - # Redirect include openshot.profile diff -Nru firejail-0.9.60/etc/out123.profile firejail-0.9.62/etc/out123.profile --- firejail-0.9.60/etc/out123.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/out123.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for out123 +# Persistent local customizations +include out123.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include mpg123.profile diff -Nru firejail-0.9.60/etc/p7zip.profile firejail-0.9.62/etc/p7zip.profile --- firejail-0.9.60/etc/p7zip.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/p7zip.profile 2019-12-28 13:14:56.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for p7zip -# Description: 7zr file archiver with high compression ratio +# Description: File archiver with high compression ratio # This file is overwritten after every install/update +quiet # Persistent local customizations include p7zip.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/palemoon.profile firejail-0.9.62/etc/palemoon.profile --- firejail-0.9.60/etc/palemoon.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/palemoon.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,8 +14,8 @@ whitelist ${HOME}/.moonchild productions # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) -ignore seccomp.drop seccomp +ignore seccomp #private-bin palemoon # private-etc must first be enabled in firefox-common.profile diff -Nru firejail-0.9.60/etc/pandoc.profile firejail-0.9.62/etc/pandoc.profile --- firejail-0.9.60/etc/pandoc.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/pandoc.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,51 @@ +# Firejail profile for pandoc +# Description: general markup converter +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include pandoc.local +# Persistent global definitions +include globals.local + +noblacklist ${DOCUMENTS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +# breaks pdf output +#include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf +private-cache +private-dev +private-etc alternatives,texlive +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/parole.profile firejail-0.9.62/etc/parole.profile --- firejail-0.9.60/etc/parole.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/parole.profile 2019-12-14 13:30:32.000000000 +0000 @@ -25,6 +25,6 @@ seccomp shell none -private-bin parole,dbus-launch +private-bin dbus-launch,parole private-cache -private-etc alternatives,passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl diff -Nru firejail-0.9.60/etc/patch.profile firejail-0.9.62/etc/patch.profile --- firejail-0.9.60/etc/patch.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/patch.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,7 @@ include disable-passwdmgr.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all 
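Review bot: `private-bin` in the new pandoc.profile lists `weasyprint`, which on common distributions is a Python entry-point script, but the profile includes `disable-interpreters.inc` and no `allow-python3.inc`, so that backend most likely cannot start under the sandbox (the same may apply to `context`/`mktexfmt` depending on packaging). Either drop the entries that cannot run or add `# Allow python (blacklisted by disable-interpreters.inc)` followed by `include allow-python3.inc`, as the other profiles in this diff do. `net none` is a good choice here, since `wkhtmltopdf`, `prince` and `weasyprint` are full HTML renderers that would otherwise fetch remote resources referenced by converted documents. Given the Arch breakage this diff records for `memory-deny-write-execute` in three other profiles, confirm it was tested with each listed backend before shipping it enabled.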
@@ -34,6 +35,8 @@ protocol unix seccomp shell none +tracelog +x11 none private-bin patch,red private-dev diff -Nru firejail-0.9.60/etc/pavucontrol.profile firejail-0.9.62/etc/pavucontrol.profile --- firejail-0.9.60/etc/pavucontrol.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pavucontrol.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,5 @@ # Firejail profile for pavucontrol -# Description: PulseAudio Volume Control +# Description: PulseAudio Volume Control [GTK] # This file is overwritten after every install/update # Persistent local customizations include pavucontrol.local @@ -16,12 +16,17 @@ include disable-programs.inc include disable-xdg.inc +mkfile ${HOME}/.config/pavucontrol.ini +whitelist ${HOME}/.config/pavucontrol.ini +whitelist /usr/share/pavucontrol +whitelist /usr/share/pavucontrol-qt +include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all -#ipc-namespace -net none +netfilter no3d nodbus nodvd @@ -31,7 +36,7 @@ notv nou2f novideo -protocol unix +protocol unix,inet,inet6 seccomp shell none @@ -39,8 +44,8 @@ private-bin pavucontrol private-cache private-dev -private-etc alternatives,asound.conf,fonts,machine-id,pulse +private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse private-lib private-tmp -memory-deny-write-execute +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/pavucontrol-qt.profile firejail-0.9.62/etc/pavucontrol-qt.profile --- firejail-0.9.60/etc/pavucontrol-qt.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/pavucontrol-qt.profile 2019-12-14 13:30:32.000000000 +0000 
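Review bot: The pavucontrol hunk replaces `net none` with `netfilter`, widens `protocol` to `unix,inet,inet6` and adds `avahi` to `private-etc`, turning a formerly network-less volume control into a networked one, with no comment on why. If the motivation is remote PulseAudio servers discovered via Avahi, record it above the `netfilter` line, e.g. `# network needed for remote PulseAudio servers (avahi); put 'net none' in pavucontrol.local if unused`, so users with local-only audio can opt back into the stricter setting. The `#memory-deny-write-execute - breaks on Arch (see issue #1803)` line follows the pattern used elsewhere in this diff.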
@@ -0,0 +1,19 @@ +# Firejail profile for pavucontrol-qt +# Description: PulseAudio Volume Control [Qt] +# This file is overwritten after every install/update +# Persistent local customizations +include pavucontrol-qt.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.config/pavucontrol-qt + +mkdir ${HOME}/.config/pavucontrol-qt +whitelist ${HOME}/.config/pavucontrol-qt + +private-bin pavucontrol-qt +ignore private-lib + +# Redirect +include pavucontrol.profile diff -Nru firejail-0.9.60/etc/pcmanfm.profile firejail-0.9.62/etc/pcmanfm.profile --- firejail-0.9.60/etc/pcmanfm.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pcmanfm.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,7 @@ include disable-passwdmgr.inc # include disable-programs.inc +allusers caps.drop all # net none - see issue #1467, computer:/// location broken no3d diff -Nru firejail-0.9.60/etc/pdfsam.profile firejail-0.9.62/etc/pdfsam.profile --- firejail-0.9.60/etc/pdfsam.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pdfsam.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,14 +6,10 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.java noblacklist ${DOCUMENTS} -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc 
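Review bot: `allusers` is dropped into pcmanfm.profile without a rationale comment, and it makes every user's home directory visible inside the sandbox rather than only the current user's. The adjacent `# net none - see issue #1467, computer:/// location broken` shows the expected form; a similar `# allusers - <feature that needs other users' homes>` line would keep the relaxation deliberate and point users to `ignore allusers` in pcmanfm.local.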
@@ -40,7 +36,7 @@ seccomp shell none -private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config +private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/pdftotext.profile firejail-0.9.62/etc/pdftotext.profile --- firejail-0.9.60/etc/pdftotext.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pdftotext.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,5 @@ # Firejail profile for pdftotext +# Description: Portable Document Format (PDF) to text converter # This file is overwritten after every install/update # Persistent local customizations include pdftotext.local @@ -7,8 +8,6 @@ noblacklist ${DOCUMENTS} -blacklist /tmp/.X11-unix - include disable-common.inc include disable-devel.inc include disable-interpreters.inc @@ -16,6 +15,10 @@ include disable-programs.inc include disable-xdg.inc +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist /usr/share/poppler +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -35,6 +38,7 @@ seccomp shell none tracelog +x11 none private-bin pdftotext private-dev diff -Nru firejail-0.9.60/etc/peek.profile firejail-0.9.62/etc/peek.profile --- firejail-0.9.60/etc/peek.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/peek.profile 2019-12-14 13:30:32.000000000 +0000 @@ -34,7 +34,7 @@ shell none # private-bin breaks gif mode, mp4 and webm mode work fine however -# private-bin peek,convert,ffmpeg +# private-bin convert,ffmpeg,peek private-dev private-tmp diff -Nru firejail-0.9.60/etc/picard.profile firejail-0.9.62/etc/picard.profile --- firejail-0.9.60/etc/picard.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/picard.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -11,12 +11,8 @@ noblacklist ${MUSIC} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/pidgin.profile firejail-0.9.62/etc/pidgin.profile --- firejail-0.9.60/etc/pidgin.profile 2019-05-17 12:37:47.000000000 +0000 +++ firejail-0.9.62/etc/pidgin.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,11 +6,11 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.purple - ignore noexec ${RUNUSER} ignore noexec /dev/shm +noblacklist ${HOME}/.purple + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -22,6 +22,7 @@ mkdir ${HOME}/.purple whitelist ${HOME}/.purple include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/ping.profile firejail-0.9.62/etc/ping.profile --- firejail-0.9.60/etc/ping.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ping.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,5 @@ # Firejail profile for ping +# Description: send ICMP ECHO_REQUEST to network hosts # This file is overwritten after every install/update quiet # Persistent local customizations @@ -13,6 +14,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc + +include whitelist-usr-share-common.inc include whitelist-common.inc caps.keep net_raw @@ -30,10 +33,8 @@ notv nou2f novideo - # protocol command is built using seccomp; nonewprivs will kill it #protocol unix,inet,inet6,netlink,packet - # killed by no-new-privs #seccomp 
@@ -42,7 +43,7 @@ #private-bin has mammoth problems with execvp: "No such file or directory" private-dev # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! -#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies +#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl private-tmp # memory-deny-write-execute is built using seccomp; nonewprivs will kill it diff -Nru firejail-0.9.60/etc/pingus.profile firejail-0.9.62/etc/pingus.profile --- firejail-0.9.60/etc/pingus.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pingus.profile 2019-12-14 13:30:32.000000000 +0000 @@ -27,11 +27,11 @@ noroot notv nou2f +novideo protocol unix,netlink seccomp shell none # private-bin pingus private-dev -# private-etc alternatives private-tmp diff -Nru firejail-0.9.60/etc/pioneer.profile firejail-0.9.62/etc/pioneer.profile --- firejail-0.9.60/etc/pioneer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pioneer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -38,7 +38,7 @@ tracelog disable-mnt -private-bin pioneer,modelcompiler,savegamedump +private-bin modelcompiler,pioneer,savegamedump private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/pithos.profile firejail-0.9.62/etc/pithos.profile --- firejail-0.9.60/etc/pithos.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pithos.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,12 +7,8 @@ include globals.local # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -40,7 +36,7 @@ shell none disable-mnt -private-bin pithos,env,python* +private-bin env,pithos,python* private-dev private-tmp diff -Nru firejail-0.9.60/etc/pitivi.profile firejail-0.9.62/etc/pitivi.profile --- firejail-0.9.60/etc/pitivi.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pitivi.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/pitivi # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/playonlinux.profile firejail-0.9.62/etc/playonlinux.profile --- firejail-0.9.60/etc/playonlinux.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/playonlinux.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,19 +16,11 @@ noblacklist ${PATH}/nc # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc # Allow perl (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/cpan* -noblacklist ${PATH}/core_perl -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +include allow-perl.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/pluma.profile firejail-0.9.62/etc/pluma.profile --- firejail-0.9.60/etc/pluma.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pluma.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -6,8 +6,11 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/enchant noblacklist ${HOME}/.config/pluma -noblacklist ${HOME}/.pythonrc.py + +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc include disable-devel.inc @@ -39,8 +42,7 @@ private-bin pluma private-dev -# private-etc alternatives,fonts -private-lib pluma +private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/pngquant.profile firejail-0.9.62/etc/pngquant.profile --- firejail-0.9.60/etc/pngquant.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/pngquant.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,47 @@ +# Firejail profile for pngquant +# Description: PNG converter and lossy image compressor +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include pngquant.local +# Persistent global definitions +include globals.local + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +# protocol can be empty, but this is not yet supported see #639 +protocol inet +seccomp +shell none +tracelog +x11 none + +private-bin pngquant +private-cache +private-dev +private-etc alternatives +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/ppsspp.profile firejail-0.9.62/etc/ppsspp.profile --- firejail-0.9.60/etc/ppsspp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ppsspp.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -8,8 +8,6 @@ noblacklist ${HOME}/.config/ppsspp noblacklist ${DOCUMENTS} -# with >=llvm-4 mesa drivers need llvm stuff -noblacklist /usr/lib/llvm* include disable-common.inc include disable-devel.inc @@ -38,7 +36,7 @@ # private-dev is disabled to allow controller support #private-dev -private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-opt ppsspp private-tmp diff -Nru firejail-0.9.60/etc/PPSSPPQt.profile firejail-0.9.62/etc/PPSSPPQt.profile --- firejail-0.9.60/etc/PPSSPPQt.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/PPSSPPQt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for PPSSPPQt +# This file is overwritten after every install/update +# Persistent local customizations +include PPSSPPQt.local +# added by included profile +#include globals.local + +# Redirect +include ppsspp.profile diff -Nru firejail-0.9.60/etc/pragha.profile firejail-0.9.62/etc/pragha.profile --- firejail-0.9.60/etc/pragha.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pragha.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -33,6 +33,6 @@ shell none private-dev -private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp diff -Nru firejail-0.9.60/etc/profanity.profile firejail-0.9.62/etc/profanity.profile --- firejail-0.9.60/etc/profanity.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/profanity.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,50 @@ +# Firejail profile for profanity +# Description: profanity is an XMPP chat client for the terminal +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include profanity.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/profanity +noblacklist ${HOME}/.local/share/profanity + +# Allow Python +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none + +private-bin profanity +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/pybitmessage.profile firejail-0.9.62/etc/pybitmessage.profile --- firejail-0.9.60/etc/pybitmessage.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pybitmessage.profile 2019-12-14 13:30:32.000000000 +0000 
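Review bot: In the new profanity.profile the comment `# Allow Python` above the `include allow-python2.inc` / `include allow-python3.inc` pair omits the suffix every other hunk in this diff uses, `# Allow python (blacklisted by disable-interpreters.inc)`, which is what tells a reader why the allow includes must precede `include disable-interpreters.inc`. Matching the shared wording keeps the profiles greppable and makes the ordering constraint explicit. This is style only; the directives themselves look consistent with the other python-enabled profiles.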
@@ -10,12 +10,8 @@ noblacklist /usr/sbin # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -43,8 +39,8 @@ shell none disable-mnt -private-bin pybitmessage,python*,sh,ldconfig,env,bash,stat +private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat private-dev -private-etc alternatives,PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg private-tmp diff -Nru firejail-0.9.60/etc/pycharm-community.profile firejail-0.9.62/etc/pycharm-community.profile --- firejail-0.9.60/etc/pycharm-community.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/pycharm-community.profile 2019-12-14 13:30:32.000000000 +0000 
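Review bot: The rewritten `+private-etc` line in pybitmessage.profile lists `pki,pki` twice; the old line already had the duplicate (`...pki,...,ssl,pki,...`) and the alphabetical reorder merely moved the copies next to each other. Harmless at runtime as far as I can tell, but the reorder was the moment to drop it: `private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg`. The ricochet.profile hunk further down has the same pattern with `alternatives,alternatives` in its commented-out private-etc line.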
@@ -6,15 +6,12 @@ include globals.local noblacklist ${HOME}/.PyCharmCE* -noblacklist ${HOME}/.python-history -noblacklist ${HOME}/.pythonrc.py -noblacklist ${HOME}/.java -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc + +# Allows files commonly used by IDEs +include allow-common-devel.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/pzstd.profile firejail-0.9.62/etc/pzstd.profile --- firejail-0.9.60/etc/pzstd.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/pzstd.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for zstd +# This file is overwritten after every install/update + +# Redirect +include zstd.profile diff -Nru firejail-0.9.60/etc/qbittorrent.profile firejail-0.9.62/etc/qbittorrent.profile --- firejail-0.9.60/etc/qbittorrent.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qbittorrent.profile 2019-12-14 13:30:32.000000000 +0000 @@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/data/qBittorrent # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -55,10 +51,9 @@ seccomp shell none -private-bin qbittorrent,python* +private-bin python*,qbittorrent private-dev -# private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies -# private-lib - problems on Arch +# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg private-tmp -# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo +# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo diff -Nru firejail-0.9.60/etc/qemu-system-x86_64.profile firejail-0.9.62/etc/qemu-system-x86_64.profile --- firejail-0.9.60/etc/qemu-system-x86_64.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qemu-system-x86_64.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,5 @@ # Firejail profile for qemu-system-x86_64 +# Description: QEMU system emulator for x86_64 # This file is overwritten after every install/update # Persistent local customizations include qemu-system-x86_64.local diff -Nru firejail-0.9.60/etc/qgis.profile firejail-0.9.62/etc/qgis.profile --- firejail-0.9.60/etc/qgis.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/qgis.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,57 @@ +# Firejail profile for qgis +# Description: GIS application +# This file is overwritten after every install/update +# Persistent local customizations +include qgis.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/QGIS +noblacklist ${HOME}/.local/share/QGIS +noblacklist ${HOME}/.qgis2 +noblacklist ${DOCUMENTS} + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/QGIS +mkdir ${HOME}/.qgis2 +mkdir ${HOME}/.config/QGIS +whitelist ${HOME}/.local/share/QGIS +whitelist ${HOME}/.qgis2 +whitelist ${HOME}/.config/QGIS +whitelist ${DOCUMENTS} +include whitelist-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +machine-id +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +# blacklisting of mbind system calls breaks old version +seccomp !mbind +protocol unix,inet,inet6,netlink +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf +private-tmp diff -Nru firejail-0.9.60/etc/QMediathekView.profile firejail-0.9.62/etc/QMediathekView.profile --- firejail-0.9.60/etc/QMediathekView.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/QMediathekView.profile 2019-12-14 13:30:32.000000000 +0000 @@ -27,6 +27,8 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/qtchooser +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all 
@@ -39,17 +41,16 @@ noroot notv nou2f +novideo protocol unix,inet,inet6,netlink seccomp shell none tracelog disable-mnt -private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer +private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer private-cache private-dev -# private-etc alternatives -# private-lib private-tmp -# memory-deny-write-execute - breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/qmmp.profile firejail-0.9.62/etc/qmmp.profile --- firejail-0.9.60/etc/qmmp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qmmp.profile 2019-12-14 13:30:32.000000000 +0000 @@ -31,7 +31,7 @@ shell none tracelog -private-bin qmmp,tar,unzip,bzip2,gzip +private-bin bzip2,gzip,qmmp,tar,unzip private-dev private-tmp diff -Nru firejail-0.9.60/etc/QOwnNotes.profile firejail-0.9.62/etc/QOwnNotes.profile --- firejail-0.9.60/etc/QOwnNotes.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/QOwnNotes.profile 2019-12-14 13:30:32.000000000 +0000 @@ -20,7 +20,7 @@ include disable-xdg.inc mkdir ${HOME}/Nextcloud/Notes -mkdir ${HOME}.config/PBE +mkdir ${HOME}/.config/PBE mkdir ${HOME}/.local/share/PBE whitelist ${DOCUMENTS} whitelist ${HOME}/Nextcloud/Notes @@ -47,8 +47,8 @@ tracelog disable-mnt -private-bin QOwnNotes,gio +private-bin gio,QOwnNotes private-dev -private-etc alternatives,fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/qpdfview.profile firejail-0.9.62/etc/qpdfview.profile --- firejail-0.9.60/etc/qpdfview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qpdfview.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -22,6 +22,8 @@ caps.drop all machine-id +# needs D-Bus when started from a file manager +#nodbus nodvd nogroups nonewprivs @@ -38,5 +40,3 @@ private-bin qpdfview private-dev private-tmp - -memory-deny-write-execute diff -Nru firejail-0.9.60/etc/qt-faststart.profile firejail-0.9.62/etc/qt-faststart.profile --- firejail-0.9.60/etc/qt-faststart.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qt-faststart.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for qt-faststart # Description: FFmpeg-based media utility # This file is overwritten after every install/update +quiet # Persistent local customizations include qt-faststart.local # Persistent global definitions @@ -9,6 +10,5 @@ private-bin qt-faststart - # Redirect include ffmpeg.profile diff -Nru firejail-0.9.60/etc/qtox.profile firejail-0.9.62/etc/qtox.profile --- firejail-0.9.60/etc/qtox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qtox.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/Tox noblacklist ${HOME}/.config/tox include disable-common.inc @@ -42,7 +43,7 @@ private-bin qtox private-cache private-dev -private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl private-tmp -memory-deny-write-execute +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/quiterss.profile firejail-0.9.62/etc/quiterss.profile --- firejail-0.9.60/etc/quiterss.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/quiterss.profile 2019-12-14 13:30:32.000000000 +0000 
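Review bot: The qpdfview.profile hunk deletes `memory-deny-write-execute` outright with no explanation, while the qtox hunk on the same line and the QMediathekView hunk above keep the directive as `#memory-deny-write-execute - breaks on Arch (see issue #1803)`. Silently removing a hardening directive loses the record of why it was dropped and makes it unlikely to be re-enabled once the underlying breakage is fixed. If the reason is the same Arch issue, the consistent form is the commented line with that reference; if it is a different breakage, a comment naming it would serve the same purpose. The `#nodbus` change in the first hunk already follows this pattern with `# needs D-Bus when started from a file manager`.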
@@ -22,8 +22,10 @@ mkdir ${HOME}/.config/QuiteRss mkdir ${HOME}/.local/share/data mkdir ${HOME}/.local/share/data/QuiteRss +mkdir ${HOME}/.local/share/QuiteRss +mkfile ${HOME}/quiterssfeeds.opml whitelist ${HOME}/.cache/QuiteRss -whitelist ${HOME}/.config/QuiteRss/ +whitelist ${HOME}/.config/QuiteRss whitelist ${HOME}/.config/QuiteRssrc whitelist ${HOME}/.local/share/data/QuiteRss whitelist ${HOME}/.local/share/QuiteRss @@ -48,5 +50,5 @@ disable-mnt private-bin quiterss private-dev -# private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 diff -Nru firejail-0.9.60/etc/qupzilla.profile firejail-0.9.62/etc/qupzilla.profile --- firejail-0.9.60/etc/qupzilla.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qupzilla.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,8 @@ # Persistent local customizations include qupzilla.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/qupzilla noblacklist ${HOME}/.config/qupzilla 
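Review bot: The quiterss.profile hunk adds `+mkfile ${HOME}/quiterssfeeds.opml` but no matching `whitelist ${HOME}/quiterssfeeds.opml` appears among the whitelist lines that follow; since this profile whitelists its home paths, a file that is created but not whitelisted would be hidden from the application once the whitelist is applied. If the whitelist is not added elsewhere in the file (the lines between the two hunks are outside this view), the intended fix is the one-liner `whitelist ${HOME}/quiterssfeeds.opml` next to the other whitelist entries. Worth confirming rather than assuming, as a missing whitelist here degrades silently.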
@@ -15,26 +16,10 @@ include disable-passwdmgr.inc include disable-programs.inc -whitelist ${DOWNLOADS} +mkdir ${HOME}/.cache/qupzilla +mkdir ${HOME}/.config/qupzilla whitelist ${HOME}/.cache/qupzilla whitelist ${HOME}/.config/qupzilla -include whitelist-common.inc -include whitelist-var-common.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -protocol unix,inet,inet6,netlink -# blacklisting of chroot system calls breaks qupzilla -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice -# tracelog - -private-dev -# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies -# private-tmp - interferes with the opening of downloaded files +# Redirect +include falkon.profile diff -Nru firejail-0.9.60/etc/qutebrowser.profile firejail-0.9.62/etc/qutebrowser.profile --- firejail-0.9.60/etc/qutebrowser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/qutebrowser.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,15 +11,8 @@ noblacklist ${HOME}/.local/share/qutebrowser # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* - -# with >=llvm-4 mesa drivers need llvm stuff -noblacklist /usr/lib/llvm* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc 
@@ -43,5 +36,5 @@ notv protocol unix,inet,inet6,netlink # blacklisting of chroot system calls breaks qt webengine -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot # tracelog diff -Nru firejail-0.9.60/etc/ranger.profile firejail-0.9.62/etc/ranger.profile --- firejail-0.9.60/etc/ranger.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ranger.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,18 +11,11 @@ noblacklist ${HOME}/.nanorc # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc # Allow perl -# noblacklist ${PATH}/cpan* -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +include allow-perl.inc include disable-common.inc include disable-devel.inc @@ -30,6 +23,7 @@ include disable-passwdmgr.inc include disable-programs.inc +allusers caps.drop all net none nodbus @@ -43,5 +37,6 @@ novideo protocol unix seccomp +#x11 none private-dev diff -Nru firejail-0.9.60/etc/redshift.profile firejail-0.9.62/etc/redshift.profile --- firejail-0.9.60/etc/redshift.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/redshift.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -18,6 +18,9 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.config/redshift +whitelist ${HOME}/.config/redshift +whitelist ${HOME}/.config/redshift.conf include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/regextester.profile firejail-0.9.62/etc/regextester.profile --- firejail-0.9.60/etc/regextester.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/regextester.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,6 +14,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/com.github.artemanufrij.regextester +include whitelist-usr-share-common.inc + include whitelist-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.60/etc/remmina.profile firejail-0.9.62/etc/remmina.profile --- firejail-0.9.60/etc/remmina.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/remmina.profile 2019-12-14 13:30:32.000000000 +0000 
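Review bot: The redshift.profile hunk introduces home whitelisting (`+whitelist ${HOME}/.config/redshift`, `+whitelist ${HOME}/.config/redshift.conf`) but the only shared whitelist include visible is `include whitelist-var-common.inc`; the other profiles in this diff that whitelist home paths also carry `include whitelist-common.inc`, which supplies the common files a graphical application needs once the rest of $HOME is hidden. If that include is not present elsewhere in the file, the first whitelist directive will hide everything in $HOME that is not listed, which is the classic way a profile breaks an X application. Suggest `include whitelist-common.inc` alongside the existing include, or a comment stating why it is deliberately omitted.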
@@ -31,7 +31,6 @@ novideo protocol unix,inet,inet6 seccomp -# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev shell none private-cache diff -Nru firejail-0.9.60/etc/rhythmbox-client.profile firejail-0.9.62/etc/rhythmbox-client.profile --- firejail-0.9.60/etc/rhythmbox-client.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/rhythmbox-client.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile for rhythmbox-client +# Description: controls a running instance of rhythmbox +# This file is overwritten after every install/update +# Persistent local customizations +include rhythmbox-client.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include rhythmbox.profile diff -Nru firejail-0.9.60/etc/rhythmbox.profile firejail-0.9.62/etc/rhythmbox.profile --- firejail-0.9.60/etc/rhythmbox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/rhythmbox.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,23 +7,30 @@ include globals.local noblacklist ${MUSIC} +noblacklist ${HOME}/.cache/rhythmbox noblacklist ${HOME}/.local/share/rhythmbox +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + include disable-common.inc include disable-devel.inc -# rhythmbox is using Python include disable-exec.inc -#include disable-interpreters.inc +include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/rhythmbox +whitelist /usr/share/lua +whitelist /usr/share/libquvi-scripts +include whitelist-usr-share-common.inc include whitelist-var-common.inc # apparmor - makes settings immutable caps.drop all netfilter -# no3d # nodbus - makes settings immutable nogroups nonewprivs @@ -36,7 +43,6 @@ shell none tracelog -private-bin rhythmbox +private-bin rhythmbox,rhythmbox-client private-dev private-tmp - diff -Nru firejail-0.9.60/etc/ricochet.profile firejail-0.9.62/etc/ricochet.profile --- firejail-0.9.60/etc/ricochet.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ricochet.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,7 +5,6 @@ # Persistent global definitions include globals.local - noblacklist ${HOME}/.local/share/Ricochet include disable-common.inc @@ -15,6 +14,7 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.local/share/Ricochet whitelist ${DOWNLOADS} whitelist ${HOME}/.local/share/Ricochet include whitelist-common.inc 
@@ -37,5 +37,5 @@ disable-mnt private-bin ricochet,tor private-dev -#private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies +#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11 diff -Nru firejail-0.9.60/etc/riot-desktop.profile firejail-0.9.62/etc/riot-desktop.profile --- firejail-0.9.60/etc/riot-desktop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/riot-desktop.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,7 +4,10 @@ # Persistent local customizations include riot-desktop.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local + +seccomp !chroot # Redirect include riot-web.profile diff -Nru firejail-0.9.60/etc/riot-web.profile firejail-0.9.62/etc/riot-web.profile --- firejail-0.9.60/etc/riot-web.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/riot-web.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,7 +4,8 @@ # Persistent local customizations include riot-web.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.config/Riot diff -Nru firejail-0.9.60/etc/rnano.profile firejail-0.9.62/etc/rnano.profile --- firejail-0.9.60/etc/rnano.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/rnano.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,11 +1,12 @@ # Firejail profile for rnano # Description: A restricted nano # This file is overwritten after every install/update +quiet # Persistent local customizations include rnano.local # Persistent global definitions +# added by included profile #include globals.local - # Redirect include nano.profile diff -Nru firejail-0.9.60/etc/rocketchat.profile firejail-0.9.62/etc/rocketchat.profile --- firejail-0.9.60/etc/rocketchat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/rocketchat.profile 2019-12-14 13:30:32.000000000 +0000 
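Review bot: The riot-desktop.profile hunk adds `+seccomp !chroot` before the `include riot-web.profile` redirect without saying why chroot must stay allowed, whereas the qutebrowser hunk in this same diff precedes its `seccomp !chroot` with `# blacklisting of chroot system calls breaks qt webengine`. Re-allowing a syscall that the default filter blocks is exactly the kind of exception that should carry its rationale, so the next maintainer can re-tighten it when the need goes away. A one-line comment naming the component that needs chroot (presumably the bundled browser engine, but the hunk does not say) would be enough.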
@@ -3,10 +3,12 @@ # Persistent local customizations include rocketchat.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.config/Rocket.Chat +mkdir ${HOME}/.config/Rocket.Chat whitelist ${HOME}/.config/Rocket.Chat include whitelist-common.inc diff -Nru firejail-0.9.60/etc/rsync-download_only.profile firejail-0.9.62/etc/rsync-download_only.profile --- firejail-0.9.60/etc/rsync-download_only.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/rsync-download_only.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,55 @@ +# Firejail profile for rsync +# Description: a fast, versatile, remote (and local) file-copying tool +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include rsync.local +# Persistent global definitions +include globals.local + +# Warning: This profile is writte to use rsync as an client for downloading, +# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups. + +# Usage: firejail --profile=rsync-download_only rsync + +blacklist /tmp/.X11-unix + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +# Uncomment or add to rsync.local to enable extra hardening +#whitelist ${DOWNLOADS} +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin rsync +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/runenpass.sh.profile firejail-0.9.62/etc/runenpass.sh.profile --- firejail-0.9.60/etc/runenpass.sh.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/runenpass.sh.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail alias profile for enpass # This file is overwritten after every install/update - # Redirect include enpass.profile diff -Nru firejail-0.9.60/etc/rview.profile firejail-0.9.62/etc/rview.profile --- firejail-0.9.60/etc/rview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/rview.profile 2019-12-14 13:30:32.000000000 +0000 
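Review bot: The warning comment in the new rsync-download_only.profile has several typos; `# Warning: This profile is written to use rsync as a client for downloading,` and `# it is not written to use rsync as a daemon (rsync --daemon) or to create backups.` is the intended wording. Functionally, `private-bin rsync` contains no ssh binary, so as far as I can tell remote transfers over rsync's default ssh transport (`user@host:path`) cannot work under this profile, only rsync:// daemon transport and local copies; either state that limitation in the `# Usage:` comment or mention that `private-bin ssh` can be appended in rsync.local. That comment should also mention that the profile reads rsync.local rather than a rsync-download_only.local, which is not obvious from the file name.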
@@ -3,8 +3,8 @@ # Persistent local customizations include rview.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include vim.profile diff -Nru firejail-0.9.60/etc/rvim.profile firejail-0.9.62/etc/rvim.profile --- firejail-0.9.60/etc/rvim.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/rvim.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include rvim.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include vim.profile diff -Nru firejail-0.9.60/etc/scallion.profile firejail-0.9.62/etc/scallion.profile --- firejail-0.9.60/etc/scallion.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/scallion.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,7 +7,6 @@ include globals.local noblacklist ${PATH}/llvm* -noblacklist /usr/lib/llvm* noblacklist ${PATH}/openssl noblacklist ${PATH}/openssl-1.0 noblacklist ${DOCUMENTS} diff -Nru firejail-0.9.60/etc/scp.profile firejail-0.9.62/etc/scp.profile --- firejail-0.9.60/etc/scp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/scp.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for scp # Description: Secure shell copy # This file is overwritten after every install/update +quiet # Persistent local customizations include scp.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/scribus.profile firejail-0.9.62/etc/scribus.profile --- firejail-0.9.60/etc/scribus.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/scribus.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -27,12 +27,8 @@ noblacklist ${PICTURES} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -60,7 +56,7 @@ shell none tracelog -# private-bin scribus,gs,gimp* +# private-bin gimp*,gs,scribus private-dev private-tmp diff -Nru firejail-0.9.60/etc/sdat2img.profile firejail-0.9.62/etc/sdat2img.profile --- firejail-0.9.60/etc/sdat2img.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/sdat2img.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,12 +7,8 @@ include globals.local # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -40,7 +36,7 @@ seccomp shell none -private-bin sdat2img,env,python* +private-bin env,python*,sdat2img private-cache private-dev diff -Nru firejail-0.9.60/etc/seahorse-daemon.profile firejail-0.9.62/etc/seahorse-daemon.profile --- firejail-0.9.60/etc/seahorse-daemon.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/seahorse-daemon.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,14 +1,13 @@ # Firejail profile for seahorse-daemon # Description: PGP encryption and signing # This file is overwritten after every install/update +quiet # Persistent local customizations include seahorse-daemon.local # Persistent global definitions # added by included profile #include globals.local -blacklist /tmp/.X11-unix - memory-deny-write-execute # Redirect diff -Nru firejail-0.9.60/etc/seahorse.profile firejail-0.9.62/etc/seahorse.profile --- firejail-0.9.60/etc/seahorse.profile 2019-05-21 12:17:54.000000000 +0000 +++ firejail-0.9.62/etc/seahorse.profile 2019-12-28 13:14:56.000000000 +0000 @@ -6,24 +6,11 @@ # Persistent global definitions include globals.local -# dconf -noblacklist ${HOME}/.config/dconf -whitelist ${HOME}/.config/dconf +blacklist /tmp/.X11-unix -# gpg -mkdir ${HOME}/.gnupg noblacklist ${HOME}/.gnupg -whitelist ${HOME}/.gnupg - -# ssh -whitelist /etc/ld.so.preload -noblacklist /etc/ssh -whitelist /etc/ssh -noblacklist /tmp/ssh-* -whitelist /tmp/ssh-* -mkdir ${HOME}/.ssh noblacklist ${HOME}/.ssh -whitelist ${HOME}/.ssh +noblacklist /tmp/ssh-* include disable-common.inc include disable-devel.inc @@ -32,7 +19,20 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -include whitelist-common.inc + +# whitelisting in ${HOME} breaks file encryption feature of nautilus. +# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile +#mkdir ${HOME}/.gnupg +#mkdir ${HOME}/.ssh +#whitelist ${HOME}/.gnupg +#whitelist ${HOME}/.ssh +whitelist /tmp/ssh-* +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /usr/share/seahorse +whitelist /usr/share/seahorse-nautilus +#include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
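Review bot: `blacklist /tmp/.X11-unix` is moved out of seahorse-daemon.profile into seahorse.profile, which is the profile of the GUI itself and, judging by the `# Redirect` stanzas, is what seahorse-daemon.profile and seahorse-tool.profile include, yet nothing records the intent. On Linux, X clients normally reach the server through the abstract socket, so hiding the filesystem path neither breaks the GUI nor isolates it from X11; if it is meant as defence-in-depth, a comment such as `# hides the X11 filesystem socket only; x11 none would be needed for real isolation` makes that explicit, and if it was meant for the daemon only it belongs back in seahorse-daemon.profile. Commenting out `include whitelist-common.inc` exposes all of ${HOME} to seahorse; the comment above it already records the reason (#2882), which is good.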
@@ -56,5 +56,5 @@ disable-mnt private-cache private-dev - +private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 writable-run-user diff -Nru firejail-0.9.60/etc/seahorse-tool.profile firejail-0.9.62/etc/seahorse-tool.profile --- firejail-0.9.60/etc/seahorse-tool.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/seahorse-tool.profile 2019-12-28 13:14:56.000000000 +0000 @@ -7,11 +7,9 @@ # added by included profile #include globals.local -noblacklist ${DOWNLOADS} - +# private-etc workaround for: #2877 +private-etc firejail,login.defs,passwd private-tmp -memory-deny-write-execute - # Redirect include seahorse.profile diff -Nru firejail-0.9.60/etc/seamonkey-bin.profile firejail-0.9.62/etc/seamonkey-bin.profile --- firejail-0.9.60/etc/seamonkey-bin.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/seamonkey-bin.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for seamonkey # This file is overwritten after every install/update - # Redirect include seamonkey.profile diff -Nru firejail-0.9.60/etc/seamonkey.profile firejail-0.9.62/etc/seamonkey.profile --- firejail-0.9.60/etc/seamonkey.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/seamonkey.profile 2019-12-14 13:30:32.000000000 +0000 @@ -18,6 +18,8 @@ mkdir ${HOME}/.cache/mozilla mkdir ${HOME}/.mozilla +mkdir ${HOME}/.pki +mkdir ${HOME}/.local/share/pki whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/gnome-mplayer/plugin whitelist ${HOME}/.cache/mozilla 
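Review bot: seahorse-tool.profile now sets `private-etc firejail,login.defs,passwd` and then includes seahorse.profile, which in this same diff gains its own long `private-etc` list; the hunk does not say whether firejail merges the two lists or whether one of them wins, and the three-entry list would be far too small for the GTK tool if it replaced the other one. Please extend the workaround comment to state the expected result, e.g. `# private-etc workaround for: #2877 (entries are merged with the list in seahorse.profile — confirm)`.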
@@ -50,4 +52,4 @@ tracelog disable-mnt -# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies +# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl diff -Nru firejail-0.9.60/etc/server.profile firejail-0.9.62/etc/server.profile --- firejail-0.9.60/etc/server.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/server.profile 2019-12-14 13:30:32.000000000 +0000 @@ -9,12 +9,12 @@ # it allows /sbin and /usr/sbin directories - this is where servers are installed # depending on your usage, you can enable some of the commands below: -blacklist /tmp/.X11-unix - noblacklist /sbin noblacklist /usr/sbin # noblacklist /var/opt +blacklist /tmp/.X11-unix + include disable-common.inc # include disable-devel.inc # include disable-exec.inc diff -Nru firejail-0.9.60/etc/sftp.profile firejail-0.9.62/etc/sftp.profile --- firejail-0.9.60/etc/sftp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/sftp.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for sftp # Description: Secure file transport protocol # This file is overwritten after every install/update +quiet # Persistent local customizations include sftp.local # Persistent global definitions diff -Nru firejail-0.9.60/etc/shellcheck.profile firejail-0.9.62/etc/shellcheck.profile --- firejail-0.9.60/etc/shellcheck.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/shellcheck.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -17,10 +17,13 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/shellcheck +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all ipc-namespace +machine-id net none no3d nodbus @@ -35,7 +38,10 @@ protocol unix seccomp shell none +tracelog +x11 none +private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/shotcut.profile firejail-0.9.62/etc/shotcut.profile --- firejail-0.9.60/etc/shotcut.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/shotcut.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,14 +1,18 @@ # Firejail profile for shotcut +# Description: A free, open source, cross-platform video editor # This file is overwritten after every install/update # Persistent local customizations include shotcut.local # Persistent global definitions include globals.local +ignore noexec ${HOME} + noblacklist ${HOME}/.config/Meltytech include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -26,9 +30,6 @@ seccomp shell none -#private-bin shotcut,melt,qmelt,nice +#private-bin melt,nice,qmelt,shotcut private-cache private-dev - -#noexec ${HOME} -noexec /tmp diff -Nru firejail-0.9.60/etc/signal-cli.profile firejail-0.9.62/etc/signal-cli.profile --- firejail-0.9.60/etc/signal-cli.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/signal-cli.profile 2019-12-14 13:30:32.000000000 +0000 
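Review bot: `ignore noexec ${HOME}` is added to shotcut.profile just before the new `include disable-exec.inc` with no reason given; the line it replaces (`#noexec ${HOME}`) was already commented out, so presumably disable-exec.inc would otherwise mount ${HOME} noexec and something in shotcut needs to run files from there. Allowing execution from the home directory is the main thing disable-exec.inc guards against, so record the reason, e.g. `# shotcut needs to run files from ${HOME} — TODO: link the issue`. The same applies to the uncommented `ignore noexec /tmp` in signal-desktop.profile further down; skypeforlinux.profile at least says `# breaks Skype`.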
@@ -0,0 +1,50 @@ +# Firejail profile for signal-cli +# Description: signal-cli provides a commandline and dbus interface for signalapp/libsignal-service-java +# This file is overwritten after every install/update +# Persistent local customizations +include signal-cli.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix + +noblacklist ${HOME}/.local/share/signal-cli + +include allow-java.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/signal-cli +whitelist ${HOME}/.local/share/signal-cli +include whitelist-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin java,sh,signal-cli +private-cache +private-dev +# Does not work with all Java configurations. You will notice immediately, so you might want to give it a try +#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl +private-tmp diff -Nru firejail-0.9.60/etc/signal-desktop.profile firejail-0.9.62/etc/signal-desktop.profile --- firejail-0.9.60/etc/signal-desktop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/signal-desktop.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,10 +5,13 @@ # Persistent global definitions include globals.local +ignore noexec /tmp + noblacklist ${HOME}/.config/Signal include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc include disable-passwdmgr.inc 
@@ -19,20 +22,14 @@ include whitelist-common.inc include whitelist-var-common.inc -caps.drop all +caps.keep sys_admin,sys_chroot netfilter nodvd nogroups -nonewprivs -noroot notv nou2f -protocol unix,inet,inet6,netlink -seccomp shell none disable-mnt private-dev private-tmp - -noexec ${HOME} diff -Nru firejail-0.9.60/etc/silentarmy.profile firejail-0.9.62/etc/silentarmy.profile --- firejail-0.9.60/etc/silentarmy.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/silentarmy.profile 2019-12-14 13:30:32.000000000 +0000 @@ -32,7 +32,7 @@ disable-mnt private -private-bin silentarmy,sa-solver,python* +private-bin python*,sa-solver,silentarmy private-dev private-opt none private-tmp diff -Nru firejail-0.9.60/etc/simple-scan.profile firejail-0.9.62/etc/simple-scan.profile --- firejail-0.9.60/etc/simple-scan.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/simple-scan.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/simple-scan +include whitelist-usr-share-common.inc + caps.drop all netfilter nodvd 
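Review bot: Replacing `caps.drop all` with `caps.keep sys_admin,sys_chroot` while also removing `nonewprivs`, `noroot`, `protocol` and `seccomp` leaves signal-desktop with far weaker containment than before, and nothing in the hunk records why; skypeforlinux.profile further down in this diff makes the identical change. CAP_SYS_ADMIN is close to full root inside the sandbox and nonewprivs is what blocks setuid escalation, so at minimum add a comment above `caps.keep` naming the reason (presumably the Electron/Chromium sandbox needs it — confirm) and the tracking issue. This same diff uses `seccomp !chroot` with `caps.drop all` kept for other Electron apps (riot-desktop, standardnotes-desktop), so it is worth documenting why that narrower relaxation was not sufficient here, or trying it if it was not.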
@@ -27,11 +30,11 @@ # novideo protocol unix,inet,inet6,netlink # blacklisting of ioperm system calls breaks simple-scan -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !ioperm shell none tracelog # private-bin simple-scan # private-dev -# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl # private-tmp diff -Nru firejail-0.9.60/etc/simplescreenrecorder.profile firejail-0.9.62/etc/simplescreenrecorder.profile --- firejail-0.9.60/etc/simplescreenrecorder.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/simplescreenrecorder.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/simplescreenrecorder +include whitelist-usr-share-common.inc + apparmor caps.drop all nodvd @@ -31,7 +34,6 @@ private-cache private-dev -# private-etc alternatives private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/simutrans.profile firejail-0.9.62/etc/simutrans.profile --- firejail-0.9.60/etc/simutrans.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/simutrans.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -27,11 +27,11 @@ noroot notv nou2f +novideo protocol unix seccomp shell none # private-bin simutrans private-dev -# private-etc alternatives private-tmp diff -Nru firejail-0.9.60/etc/skanlite.profile firejail-0.9.62/etc/skanlite.profile --- firejail-0.9.60/etc/skanlite.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/skanlite.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,7 +16,6 @@ include disable-xdg.inc caps.drop all -# net none netfilter # nodbus nodvd @@ -28,9 +27,9 @@ # novideo protocol unix,inet,inet6,netlink # blacklisting of ioperm system calls breaks skanlite -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !ioperm shell none -# private-bin skanlite,kbuildsycoca4,kdeinit4 +# private-bin kbuildsycoca4,kdeinit4,skanlite # private-dev # private-tmp diff -Nru firejail-0.9.60/etc/skypeforlinux.profile firejail-0.9.62/etc/skypeforlinux.profile --- firejail-0.9.60/etc/skypeforlinux.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/skypeforlinux.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -5,29 +5,27 @@ # Persistent global definitions include globals.local +# breaks Skype +ignore noexec /tmp + noblacklist ${HOME}/.config/skypeforlinux include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc -caps.drop all +caps.keep sys_admin,sys_chroot netfilter nodvd nogroups -nonewprivs -noroot notv -protocol unix,inet,inet6,netlink -seccomp shell none disable-mnt private-cache # private-dev - needs /dev/disk private-tmp - -noexec ${HOME} -# noexec /tmp - breaks Skype diff -Nru firejail-0.9.60/etc/skype.profile firejail-0.9.62/etc/skype.profile --- firejail-0.9.60/etc/skype.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/skype.profile 1970-01-01 00:00:00.000000000 +0000 @@ -1,35 +0,0 @@ -# Firejail profile for skype -# This file is overwritten after every install/update -# Persistent local customizations -include skype.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/.Skype - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-devel.inc -include disable-exec.inc -include disable-programs.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -protocol unix,inet,inet6 -seccomp -shell none - -disable-mnt -#private-bin skype,bash -private-cache -private-dev -private-tmp - diff -Nru firejail-0.9.60/etc/slack.profile firejail-0.9.62/etc/slack.profile --- firejail-0.9.60/etc/slack.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/slack.profile 2019-12-14 13:30:32.000000000 +0000 @@ -13,7 +13,6 @@ include disable-passwdmgr.inc include disable-programs.inc -mkdir ${HOME}/.config mkdir ${HOME}/.config/Slack whitelist ${HOME}/.config/Slack whitelist ${DOWNLOADS} 
@@ -21,7 +20,6 @@ include whitelist-var-common.inc caps.drop all -name slack netfilter nodvd nogroups @@ -34,7 +32,8 @@ shell none disable-mnt -private-bin slack,locale +private-bin locale,slack +private-cache private-dev -private-etc alternatives,asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe private-tmp diff -Nru firejail-0.9.60/etc/slashem.profile firejail-0.9.62/etc/slashem.profile --- firejail-0.9.60/etc/slashem.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/slashem.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,7 +6,6 @@ # Persistent global definitions include globals.local - noblacklist /var/games/slashem include disable-common.inc diff -Nru firejail-0.9.60/etc/smplayer.profile firejail-0.9.62/etc/smplayer.profile --- firejail-0.9.60/etc/smplayer.profile 2019-04-23 11:39:18.000000000 +0000 +++ firejail-0.9.62/etc/smplayer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,17 +7,15 @@ include globals.local noblacklist ${HOME}/.config/smplayer +noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.mplayer -noblacklist ${MUSIC} -noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc + +noblacklist ${MUSIC} +noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc 
@@ -27,6 +25,8 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/smplayer +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -41,7 +41,7 @@ seccomp shell none -private-bin smplayer,smtube,mplayer,mpv,youtube-dl,python*,env +private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl private-dev private-tmp diff -Nru firejail-0.9.60/etc/smtube.profile firejail-0.9.62/etc/smtube.profile --- firejail-0.9.60/etc/smtube.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/smtube.profile 2019-12-14 13:30:32.000000000 +0000 @@ -23,6 +23,9 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/smplayer +whitelist /usr/share/smtube +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all diff -Nru firejail-0.9.60/etc/soffice.profile firejail-0.9.62/etc/soffice.profile --- firejail-0.9.60/etc/soffice.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/soffice.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Redirect include libreoffice.profile diff -Nru firejail-0.9.60/etc/soundconverter.profile firejail-0.9.62/etc/soundconverter.profile --- firejail-0.9.60/etc/soundconverter.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/soundconverter.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,15 +6,11 @@ # Persistent global definitions include globals.local -noblacklist ${MUSIC} - # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc + +noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc 
@@ -24,6 +20,11 @@ include disable-programs.inc include disable-xdg.inc +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +whitelist /usr/share/soundconverter +include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/spectre-meltdown-checker.profile firejail-0.9.62/etc/spectre-meltdown-checker.profile --- firejail-0.9.60/etc/spectre-meltdown-checker.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/spectre-meltdown-checker.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,17 +6,11 @@ # Persistent global definitions include globals.local -# sudo firejail --allow-debuggers spectre-meltdown-checker - noblacklist ${PATH}/mount noblacklist ${PATH}/umount -# Allow access to perl -noblacklist ${PATH}/cpan* -noblacklist ${PATH}/core_perl -noblacklist ${PATH}/perl -noblacklist /usr/lib/perl* -noblacklist /usr/share/perl* +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc include disable-common.inc include disable-devel.inc @@ -26,8 +20,11 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/perl5 +include whitelist-usr-share-common.inc include whitelist-var-common.inc +allow-debuggers caps.keep sys_rawio ipc-namespace net none @@ -42,6 +39,7 @@ protocol unix seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap shell none +x11 none disable-mnt private diff -Nru firejail-0.9.60/etc/spotify.profile firejail-0.9.62/etc/spotify.profile --- firejail-0.9.60/etc/spotify.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/spotify.profile 2019-12-14 13:30:32.000000000 +0000 
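Review bot: `allow-debuggers` is now hard-wired into spectre-meltdown-checker.profile, whereas the removed comment `# sudo firejail --allow-debuggers spectre-meltdown-checker` left it as an opt-in on the command line; allow-debuggers whitelists ptrace and process_vm_readv in the seccomp filter, a real widening for a profile that already keeps sys_rawio. A one-line comment above it saying what the checker needs it for (e.g. `# allow-debuggers: needed to inspect kernel/process state — confirm`) would justify the change for the next reader. The `seccomp.drop` list below still contains `@debug`, which I believe includes ptrace; the old comment suggests the combination already worked from the command line, but stating that explicitly would save the next maintainer from re-deriving it.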
@@ -5,15 +5,12 @@ # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc -blacklist /lost+found -blacklist /sbin -blacklist /srv - noblacklist ${HOME}/.cache/spotify noblacklist ${HOME}/.config/spotify noblacklist ${HOME}/.local/share/spotify +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -45,9 +42,11 @@ tracelog disable-mnt -private-bin spotify,bash,sh,zenity +private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity private-dev -private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies +# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt spotify +private-srv none private-tmp diff -Nru firejail-0.9.60/etc/sqlitebrowser.profile firejail-0.9.62/etc/sqlitebrowser.profile --- firejail-0.9.60/etc/sqlitebrowser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/sqlitebrowser.profile 2019-12-14 13:30:32.000000000 +0000 @@ -17,6 +17,7 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -42,4 +43,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl private-tmp -memory-deny-write-execute +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/ssh-agent.profile firejail-0.9.62/etc/ssh-agent.profile --- firejail-0.9.60/etc/ssh-agent.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ssh-agent.profile 2019-12-14 13:30:32.000000000 +0000 
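Review bot: The new comment above `private-etc` in spotify.profile reads `... in your spotify.local if want to see the albums covers ...`; `# Comment out the next line, or put 'ignore private-etc' in your spotify.local, if you want to see album covers or use the radio` is the grammatical form. The hunk also drops `blacklist /sbin`, `blacklist /srv` and `blacklist /lost+found` while adding `private-srv none`; /srv is covered by that, but nothing in the hunk replaces the /sbin and /lost+found entries, so either disable-common.inc already covers them (not visible here) or a short comment should say why they are no longer needed.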
@@ -6,25 +6,30 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /etc/ssh noblacklist /tmp/ssh-* noblacklist ${HOME}/.ssh +blacklist /tmp/.X11-unix + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc + caps.drop all netfilter no3d +nodbus nodvd nonewprivs noroot notv +novideo protocol unix,inet,inet6 seccomp shell none +tracelog writable-run-user diff -Nru firejail-0.9.60/etc/ssh.profile firejail-0.9.62/etc/ssh.profile --- firejail-0.9.60/etc/ssh.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/ssh.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,16 +10,21 @@ noblacklist /etc/ssh noblacklist /tmp/ssh-* noblacklist ${HOME}/.ssh +# nc can be used as ProxyCommand, e.g. when using tor +noblacklist ${PATH}/nc include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc + caps.drop all ipc-namespace netfilter no3d +nodbus nodvd nogroups nonewprivs @@ -27,6 +32,7 @@ nosound notv nou2f +novideo protocol unix,inet,inet6 seccomp shell none @@ -35,6 +41,6 @@ private-cache private-dev # private-tmp # Breaks when exiting +writable-run-user memory-deny-write-execute -writable-run-user diff -Nru firejail-0.9.60/etc/standardnotes-desktop.profile firejail-0.9.62/etc/standardnotes-desktop.profile --- firejail-0.9.60/etc/standardnotes-desktop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/standardnotes-desktop.profile 2019-12-14 13:30:32.000000000 +0000 
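Review bot: `noblacklist ${PATH}/nc` in ssh.profile un-blacklists netcat for every ssh sandbox to support a ProxyCommand setup that only some users have (the comment names tor). Since the include files presumably blacklist nc precisely because it is a generic network tool, consider shipping the line commented out with the explanation and letting users enable it locally, e.g. `# nc can be used as ProxyCommand, e.g. when using tor; enable it in ssh.local:` followed by `#noblacklist ${PATH}/nc`. If it stays enabled by default, the comment should at least say that this is a deliberate widening of the profile.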
@@ -34,10 +34,10 @@ notv nou2f protocol unix,inet,inet6,netlink -seccomp +seccomp !chroot disable-mnt private-dev private-tmp -private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg diff -Nru firejail-0.9.60/etc/start-tor-browser.desktop.profile firejail-0.9.62/etc/start-tor-browser.desktop.profile --- firejail-0.9.60/etc/start-tor-browser.desktop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/start-tor-browser.desktop.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,10 +2,11 @@ # This file is overwritten after every install/update # Persistent local customizations include start-tor-browser.desktop.local +# Persistent global definitions +# added by included profile +#include globals.local - -noblacklist ${HOME}/.tor-browser-* -noblacklist ${HOME}/.tor-browser_* +noblacklist ${HOME}/.tor-browser* whitelist ${HOME}/.tor-browser-ar whitelist ${HOME}/.tor-browser-ca diff -Nru firejail-0.9.60/etc/start-tor-browser.profile firejail-0.9.62/etc/start-tor-browser.profile --- firejail-0.9.60/etc/start-tor-browser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/start-tor-browser.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -28,13 +28,13 @@ nou2f novideo protocol unix,inet,inet6 -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice +seccomp !chroot shell none # tracelog may cause issues, see github issue #1930 #tracelog disable-mnt -private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf +private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity private-dev -private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/steam-native.profile firejail-0.9.62/etc/steam-native.profile --- firejail-0.9.60/etc/steam-native.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/steam-native.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for steam # This file is overwritten after every install/update - # Redirect include steam.profile diff -Nru firejail-0.9.60/etc/steam.profile firejail-0.9.62/etc/steam.profile --- firejail-0.9.60/etc/steam.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/steam.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -6,7 +6,6 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.java noblacklist ${HOME}/.killingfloor noblacklist ${HOME}/.local/share/3909/PapersPlease noblacklist ${HOME}/.local/share/aspyr-media @@ -20,24 +19,16 @@ noblacklist ${HOME}/.steam noblacklist ${HOME}/.steampath noblacklist ${HOME}/.steampid -# with >=llvm-4 mesa drivers need llvm stuff -noblacklist /usr/lib/llvm* # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work noblacklist /sbin +noblacklist /usr/sbin -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -47,6 +38,8 @@ include whitelist-var-common.inc +# allow-debuggers needed for running some games with proton +allow-debuggers caps.drop all #ipc-namespace netfilter 
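Review bot: `allow-debuggers` is now unconditional for every Steam user, and per the syscalls.txt in this diff it switches the default seccomp group from `@default-nodebuggers` to `@default`, so ptrace, personality and process_vm_readv become callable by everything in the sandbox — games run under the same uid, so a compromised game could attach to sibling processes. The comment only says that some Proton games need it; it should also spell out the cost and the opt-out, e.g. `# allow-debuggers re-enables ptrace/process_vm_readv for the whole sandbox; needed by some Proton games — add 'ignore allow-debuggers' to steam.local if you do not use Proton`. I have not verified that `ignore allow-debuggers` is accepted, but the next hunk recommends `ignore seccomp` in the same way.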
@@ -61,13 +54,15 @@ # novideo should be commented for VR novideo protocol unix,inet,inet6,netlink +# seccomp cause sometimes issues (see #2860, #2951), +# comment it or add 'ignore seccomp' to steam.local if so. seccomp shell none # tracelog disabled as it breaks integrated browser #tracelog # private-bin is disabled while in testing, but has been tested working with multiple games -#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity +#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity # extra programs are available which might be needed for select games #private-bin java,java-config,mono # picture viewers are needed for viewing screenshots 
@@ -76,5 +71,5 @@ # private-dev should be commented for controllers private-dev # private-etc breaks a small selection of games on some systems, comment to support those -private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release +private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl private-tmp diff -Nru firejail-0.9.60/etc/strings.profile firejail-0.9.62/etc/strings.profile --- firejail-0.9.60/etc/strings.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/strings.profile 2019-12-14 13:30:32.000000000 +0000 
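Review bot: The sorted `private-etc` line still carries `alternatives` twice (`alternatives,alternatives,asound.conf,...`); the old line had it at both ends and the sort merely brought the copies together. Harmless for the mount, but it defeats the purpose of the alphabetical reorder (easy diffing and de-duplication), so drop one: `private-etc alternatives,asound.conf,bumblebee,ca-certificates,...`.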
@@ -1,33 +1,51 @@ # Firejail profile for strings +# Description: print the strings of printable characters in files # This file is overwritten after every install/update quiet # Persistent local customizations include strings.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -blacklist /tmp/.X11-unix +#include disable-common.inc +include disable-devel.inc include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +#include disable-programs.inc +#include disable-xdg.inc -ignore noroot +#include whitelist-usr-share-common.inc +#include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id net none no3d nodbus nodvd +nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none -private-bin strings +#private +#private-bin strings private-cache private-dev -private-etc alternatives -private-lib libfakeroot +#private-etc alternatives +#private-lib libfakeroot +private-tmp memory-deny-write-execute - -include default.profile +read-only ${HOME} diff -Nru firejail-0.9.60/etc/studio.sh.profile firejail-0.9.62/etc/studio.sh.profile --- firejail-0.9.60/etc/studio.sh.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/studio.sh.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for Android Studio # This file is overwritten after every install/update - # Redirect include android-studio.profile diff -Nru firejail-0.9.60/etc/subdownloader.profile firejail-0.9.62/etc/subdownloader.profile --- firejail-0.9.60/etc/subdownloader.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/subdownloader.profile 2019-12-14 13:30:32.000000000 +0000 
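Review bot: The rewrite drops `include default.profile` but leaves `#include disable-common.inc`, `#private-bin strings` and `#private-lib libfakeroot` commented without a word on why, so the dotfile blacklist the profile presumably inherited through default.profile is gone (I cannot see default.profile here, so that inheritance is an assumption). strings is routinely pointed at untrusted binaries, so the trade-off deserves one sentence in the file, e.g. `# disable-common.inc is left out on purpose so strings can be run on any file, including dotfiles it would blacklist; read-only ${HOME} and net none limit what a compromised strings can do`. If the omission is an oversight rather than a choice, `include disable-common.inc` should be restored.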
@@ -10,12 +10,8 @@ noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -25,6 +21,8 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc + apparmor caps.drop all netfilter @@ -35,6 +33,7 @@ noroot notv nou2f +novideo protocol unix,inet,inet6 seccomp shell none @@ -44,4 +43,4 @@ private-etc alternatives,fonts private-tmp -# memory-deny-write-execute - Breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/supertux2.profile firejail-0.9.62/etc/supertux2.profile --- firejail-0.9.60/etc/supertux2.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/supertux2.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,4 +1,5 @@ # Firejail profile for supertux2 +# Description: Jump'n run like game # This file is overwritten after every install/update # Persistent local customizations include supertux2.local @@ -27,6 +28,7 @@ noroot notv nou2f +novideo protocol unix,netlink seccomp shell none @@ -34,5 +36,4 @@ disable-mnt # private-bin supertux2 private-dev -# private-etc alternatives private-tmp diff -Nru firejail-0.9.60/etc/supertuxkart.profile firejail-0.9.62/etc/supertuxkart.profile --- firejail-0.9.60/etc/supertuxkart.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/supertuxkart.profile 2019-12-14 13:30:32.000000000 +0000 @@ -24,7 +24,9 @@ whitelist ${HOME}/.config/supertuxkart whitelist ${HOME}/.cache/supertuxkart whitelist ${HOME}/.local/share/supertuxkart +whitelist /usr/share/supertuxkart include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
@@ -47,7 +49,7 @@ private-bin supertuxkart private-cache private-dev -private-etc alternatives,resolv.conf,ca-certificates,ssl,hosts,machine-id,xdg,openal,crypto-policies,pki,drirc,system-fips,selinux +private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl private-tmp private-opt none private-srv none diff -Nru firejail-0.9.60/etc/surf.profile firejail-0.9.62/etc/surf.profile --- firejail-0.9.60/etc/surf.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/surf.profile 2019-12-14 13:30:32.000000000 +0000 @@ -15,6 +15,7 @@ include disable-programs.inc mkdir ${HOME}/.surf +whitelist ${HOME}/.surf whitelist ${DOWNLOADS} include whitelist-common.inc @@ -31,8 +32,8 @@ tracelog disable-mnt -private-bin ls,surf,sh,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop +private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop private-dev -private-etc alternatives,passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/synfigstudio.profile firejail-0.9.62/etc/synfigstudio.profile --- firejail-0.9.60/etc/synfigstudio.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/synfigstudio.profile 2019-12-14 13:30:32.000000000 +0000 @@ -31,7 +31,7 @@ seccomp shell none -#private-bin synfigstudio,synfig,ffmpeg +#private-bin ffmpeg,synfig,synfigstudio private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/sysprof-cli.profile firejail-0.9.62/etc/sysprof-cli.profile --- firejail-0.9.60/etc/sysprof-cli.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/sysprof-cli.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -15,6 +15,5 @@ memory-deny-write-execute - # Redirect include sysprof.profile diff -Nru firejail-0.9.60/etc/sysprof.profile firejail-0.9.62/etc/sysprof.profile --- firejail-0.9.60/etc/sysprof.profile 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/sysprof.profile 2019-12-14 13:30:32.000000000 +0000 @@ -14,6 +14,8 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc + apparmor caps.drop all ipc-namespace diff -Nru firejail-0.9.60/etc/tar.profile firejail-0.9.62/etc/tar.profile --- firejail-0.9.60/etc/tar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/tar.profile 2019-12-28 13:14:56.000000000 +0000 @@ -5,17 +5,20 @@ # Persistent local customizations include tar.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -blacklist /tmp/.X11-unix +# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. +noblacklist /var/lib/pacman +include disable-common.inc +include disable-devel.inc include disable-exec.inc include disable-interpreters.inc - -ignore noroot +include disable-passwdmgr.inc +include disable-programs.inc apparmor +caps.drop all hostname tar ipc-namespace machine-id 
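Review bot: The comment on `noblacklist /var/lib/pacman` says that `caps.drop all` makes the directory "automatically read-only", which is not what dropping capabilities does: for an unprivileged user the directory is read-only because of ordinary file permissions regardless of capabilities, and for root (the profile keeps `noroot` commented in the next hunk) dropping capabilities does not remove the owner's write bit on root-owned files, so it is not read-only at all. Either correct the comment — `# Arch Linux (based distributions) need read access to /var/lib/pacman.` — or make the intent enforceable with `read-only /var/lib/pacman` after the noblacklist, provided no caller of this profile needs to write there.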
@@ -24,23 +27,25 @@ nodbus nodvd nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none # support compressed archives -private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop +private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz private-cache private-dev -private-etc alternatives,passwd,group,localtime +private-etc alternatives,group,localtime,login.defs,passwd private-lib libfakeroot - -memory-deny-write-execute - # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) writable-var -include default.profile +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/tb-starter-wrapper.profile firejail-0.9.62/etc/tb-starter-wrapper.profile --- firejail-0.9.60/etc/tb-starter-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/tb-starter-wrapper.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,19 @@ +# Firejail profile for tb-starter-wrapper +# Description: wrapper-script used by whonix to start the tor browser +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include tb-starter-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.tb + +mkdir ${HOME}/.tb +whitelist ${HOME}/.tb + +private-bin tb-starter-wrapper + +# Redirect +include torbrowser-launcher.profile diff -Nru firejail-0.9.60/etc/tcpdump.profile firejail-0.9.62/etc/tcpdump.profile --- firejail-0.9.60/etc/tcpdump.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/tcpdump.profile 2019-12-14 13:30:32.000000000 +0000 
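Review bot: `firejail` itself is added to the tar `private-bin` allowlist without a comment, which stands out in a list of compressors; I assume it is there so that firecfg-managed symlinks to gzip/xz etc. (which point at firejail) resolve inside the sandbox, but that is inference and a reader will otherwise take it for an accidental exposure of the setuid binary. Proposed: `# firejail: lets firecfg symlinks to the compressors below resolve inside the sandbox`. The same applies to `awk` and `grep`, which GNU tar does not exec on its own — name the wrapper that needs them.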
@@ -0,0 +1,44 @@
+# Firejail profile for tcpdump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tcpdump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+
+caps.keep net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,packet
+seccomp
+
+disable-mnt
+#private
+#private-bin tcpdump
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff -Nru firejail-0.9.60/etc/teams-for-linux.profile firejail-0.9.62/etc/teams-for-linux.profile
--- firejail-0.9.60/etc/teams-for-linux.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/teams-for-linux.profile 2019-12-14 13:30:32.000000000 +0000
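Review bot: tcpdump.profile omits `shell none`, unlike teams-for-linux.profile in the same diff and the OPTIONS list of the new profile.template, so the sandboxed command presumably still goes through firejail's default shell launch; for a tool that keeps CAP_NET_RAW (`caps.keep net_raw`) and parses untrusted packets, the direct exec is the safer and consistent choice — add `shell none` after `seccomp`. Separately, with `include whitelist-common.inc` and no whitelist for a capture directory, `tcpdump -w ~/capture.pcap` will presumably land in the sandbox's private home and vanish on exit (the template in this diff calls a profile that cannot save the user's work bad practice); consider `whitelist ${DOWNLOADS}` or a comment telling users where captures must be written.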
@@ -0,0 +1,42 @@ +# Firejail profile for teams-for-linux +# Description: Teams for Linux is an Electron application for Microsoft's team collaboration and chat program +# This file is overwritten after every install/update +# Persistent local customizations +include teams-for-linux.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/teams-for-linux + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +mkdir ${HOME}/.config/teams-for-linux +whitelist ${HOME}/.config/teams-for-linux +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none + +disable-mnt +private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh +private-cache +private-dev +private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl +private-tmp diff -Nru firejail-0.9.60/etc/teamspeak3.profile firejail-0.9.62/etc/teamspeak3.profile --- firejail-0.9.60/etc/teamspeak3.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/teamspeak3.profile 2019-12-14 13:30:32.000000000 +0000 @@ -33,7 +33,7 @@ nou2f novideo protocol unix,inet,inet6,netlink -seccomp +seccomp !chroot shell none disable-mnt diff -Nru firejail-0.9.60/etc/telegram-desktop.profile firejail-0.9.62/etc/telegram-desktop.profile --- firejail-0.9.60/etc/telegram-desktop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/telegram-desktop.profile 2019-12-14 13:30:32.000000000 +0000 
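Review bot: `novideo` is set on a profile whose description is a Teams client, which blocks the camera for video calls; the steam profile in this same diff documents the equivalent trade-off (`# novideo should be commented for VR`) and this one should too, e.g. `# novideo disables the camera; comment it or add 'ignore novideo' to teams-for-linux.local for video calls`. Also, this Electron app gets plain `seccomp` while the other hunks in this diff move to `seccomp !chroot`; if it was tested with the Chromium sandbox active, a note saying so spares the next person from guessing.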
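Review bot: `seccomp !chroot` re-admits chroot(2) to the TeamSpeak sandbox with no comment on which component needs it, and the hunk gives no hint (a Qt client is not an obvious chroot user). Record the reason on the line, e.g. `# chroot(2) is needed by the embedded browser/sandbox helper — confirm`, so the exception is neither silently reverted nor copied into unrelated profiles; the exact wording is a guess to be verified by whoever reproduced the breakage.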
@@ -2,6 +2,5 @@ # Description: Official Telegram Desktop client # This file is overwritten after every install/update - # Redirect include telegram.profile diff -Nru firejail-0.9.60/etc/Telegram.profile firejail-0.9.62/etc/Telegram.profile --- firejail-0.9.60/etc/Telegram.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Telegram.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for telegram # This file is overwritten after every install/update - # Redirect include telegram.profile diff -Nru firejail-0.9.60/etc/templates/profile.template firejail-0.9.62/etc/templates/profile.template --- firejail-0.9.60/etc/templates/profile.template 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/templates/profile.template 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,180 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/.
+#
+# Rules to follow:
+# - lines with one # are often used in profiles
+# - lines with two ## are only needed in special situations
+# - make the profile as restrictive as possible while still keeping the program useful
+# (e. g. a program that is unable to save user's work is considered bad practice)
+# - dedicate some time (based on the complexity of the application) to profile testing before raising
+# a pull request
+# - keep the sections structure, use a single empty line as separator
+# - entries within sections are alphabetically sorted
+# - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+# to not do this for essential utilities as this may *break* your OS! (related discussion:
+# https://github.com/netblue30/firejail/issues/2507)
+# - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+# HEADER
+# COMMENTS
+# IGNORES
+# NOBLACKLISTS
+# ALLOW INCLUDES
+# BLACKLISTS
+# DISABLE INCLUDES
+# MKDIRS
+# WHITELISTS
+# WHITELIST INCLUDES
+# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
+# PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+# SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+# REDIRECT INCLUDES
+#
+# The following macros may be used in path names to substitute common locations:
+# ${DESKTOP}
+# ${DOCUMENTS}
+# ${DOWNLOADS}
+# ${HOME} (user's home)
+# ${PATH} (contents of PATH envvar)
+# ${MUSIC}
+# ${VIDEOS}
+#
+# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
+# +# --- CUT HERE --- +##quiet +# Persistent local customizations +include PROFILE.local +# Persistent global definitions +include globals.local + +##ignore noexec ${HOME} +##ignore noexec /tmp + +##blacklist PATH +# Disable X11 (CLI only), see also 'x11 none' below +#blacklist /tmp/.X11-unix + +# It is common practice to add files/dirs containing program-specific configuration +# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc +# (keep list sorted) and then disable blacklisting below. +# One way to retrieve the files a program uses is: +# - launch binary with --private naming a sandbox +# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` +# - work with the program, make some configuration changes and save them, open new documents, +# install plugins if they exists, etc. +# - join the sandbox with bash: +# `firejail --join=test bash` +# - look what has changed and use that information to populate blacklist and whitelist sections +# `ls -aR` +#noblacklist PATH + +# Allow python (blacklisted by disable-interpreters.inc) +#include allow-python2.inc +#include allow-python3.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +#include allow-perl.inc + +# Allow java (blacklisted by disable-devel.inc) +#include allow-java.inc + +# Allow lua (blacklisted by disable-interpreters.inc) +#include allow-lua.inc + +# Allows files commonly used by IDEs +#include allow-common-devel.inc + +#include disable-common.inc +#include disable-devel.inc +#include disable-exec.inc +#include disable-interpreters.inc +#include disable-passwdmgr.inc +#include disable-programs.inc +#include disable-xdg.inc + +# This section often mirrors noblacklist section above. 
The idea is +# that if a user feels too restricted (he's unable to save files into +# home directory for instance) he/she may disable whitelist (nowhitelist) +# in PROFILE.local but still be protected by BLACKLISTS section +# (further explanation at https://github.com/netblue30/firejail/issues/1569) +#mkdir PATH +##mkfile PATH +#whitelist PATH +#include whitelist-common.inc +#include whitelist-usr-share-common.inc +#include whitelist-var-common.inc + +##allusers +#apparmor +#caps.drop all +##caps.keep CAPS +##hostname NAME +# CLI only +##ipc-namespace +# breaks sound and sometime dbus related functions +#machine-id +# 'net none' or 'netfilter' +#net none +#netfilter +#no3d +#nodbus +#nodvd +#nogroups +#nonewprivs +#noroot +#nosound +#notv +#nou2f +#novideo +# Remove each unneeded protocol: +# - unix is usually needed +# - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) +# - netlink is rarely needed +# - packet almost never +#protocol unix,inet,inet6,netlink,packet +#seccomp +##seccomp !chroot +##seccomp.drop SYSCALLS (see syscalls.txt) +#shell none +#tracelog +# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set +##x11 none + +#disable-mnt +##private +# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3 +#private-bin PROGRAMS +#private-cache +#private-dev +#private-etc FILES +# private-etc templates (see also #1734, #2093) +# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg +# Extra: magic,magic.mgc,passwd,group +# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc +# Extra: proxychains.conf,gai.conf +# Sound: alsa,asound.conf,pulse,machine-id +# GUI: fonts,pango,X11 +# GTK: dconf,gconf,gtk-2.0,gtk-3.0 +# Qt: Trolltech.conf +# KDE: kde4rc,kde5rc +# 3D: drirc,glvnd,bumblebee,nvidia +# D-Bus: 
dbus-1,machine-id +##private-lib LIBS +##private-opt NAME +#private-tmp +##writable-etc +##writable-run-user +##writable-var +##writable-var-log + +##env VAR=VALUE +#memory-deny-write-execute +##noexec PATH +##read-only ${HOME} +##join-or-start NAME diff -Nru firejail-0.9.60/etc/templates/redirect_alias-profile.template firejail-0.9.62/etc/templates/redirect_alias-profile.template --- firejail-0.9.60/etc/templates/redirect_alias-profile.template 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/templates/redirect_alias-profile.template 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,44 @@ +# Firejail profile for PROGRAM_NAME +# Description: DESCRIPTION +# This file is overwritten after every install/update +# Persistent local customizations +include PROFILE.local +# Persistent global definitions +# added by included profile +#include globals.local +#NOTE: keep include globals.local commented, except when redirecting to a *-common.profile + +# For more information, see profile.template + +# Ignoring option(s) from the included profile +#ignore net none +#ignore private-bin +#ignore seccomp +#... + +# Additional noblacklisting (when needed) +#noblacklist PATH + +# Additional allow includes (when needed) + +# Additional blacklisting (when needed) +#blacklist PATH + +# Additional whitelisting (when needed) +#NOTE: never use mkdir/mkfile when 'private' is set (see https://github.com/netblue30/firejail/issues/903) +#mkdir PATH +##mkfile PATH +#whitelist PATH + +# Additional options (when needed) + +# Additional private-options (when needed) +# Add programs to private-bin (when needed) +#private-bin PROGRAMS +# Add files to private-etc (when needed) +#private-etc FILES + +# Additional special options (when needed) + +# Redirect +include PROFILE.profile diff -Nru firejail-0.9.60/etc/templates/syscalls.txt firejail-0.9.62/etc/templates/syscalls.txt --- firejail-0.9.60/etc/templates/syscalls.txt 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/templates/syscalls.txt 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,107 @@
+Hints to write own seccomp filters
+==================================
+
+
+The different seccomp commands
+------------------------------
+
+Always have a look at 'man 1 firejail'.
+
+ - seccomp
+ Blocks all syscalls in the default-group.
+ - The default-group is @default-nodebuggers, unless allow-debuggers is
+ specified, then @default is used.
+ - Listed syscalls and groups are also blocked.
+ - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.block-secondary
+ Allows only native syscalls, all syscalls for other architectures are blocked.
+ - seccomp.drop
+ Blocks all listed syscalls.
+ - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.keep
+ Allows only listed syscalls.
+ To write your own seccomp.keep line, see:
+ - https://firejail.wordpress.com/documentation-2/seccomp-guide/
+ - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh
+
+Definition of groups
+--------------------
+
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
+@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+@default-keep=execve,prctl
+@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@keyring=add_key,keyctl,request_key
+@memlock=mlock,mlock2,mlockall,munlock,munlockall
+@module=delete_module,finit_module,init_module
+@mount=chroot,mount,pivot_root,umount,umount2
+@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
+@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid +@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write +@reboot=kexec_load,kexec_file_load,reboot +@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy +@setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32 +@signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend +@swap=swapon,swapoff +@sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs +@system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice +@timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times + +Inheritance of groups +--------------------- + ++---------------+ +| @default-keep | +| @mount | ++---------------+ + ++----------------+ +---------+ +--------+ +--------------+ +| @cpu-emulation | | @clock | | @chown | | @aio | +| @debug | | @module | +--------+ | @basic-io | +| @obsolete 
| | @raw-io | : : | @file-system | ++----------------+ | @reboot | : : | @io-event | + : | @swap | : : | @ipc | + : +---------+ : : | @keyring | + : : : : : | @memlock | + : ..............: : : : | @network-io | + : : : ........: : | @process | + : : : : : | @resources | ++----------+ +-------------+ : | @setuid | +| @default | | @privileged | : | @signal | ++----------+ +-------------+ : | @sync | + : : : | @timer | + : :........................... : +--------------+ + : : : : ++----------------------+ +-----------------+ +| @default-nodebuggers | | @system-service | ++----------------------+ +-----------------+ + + +What to do if seccomp breaks a program +-------------------------------------- + +``` +$ journalctl --grep=syscall --follow +<...> audit[…]: SECCOMP <...> syscall=161 <...> +$ firejail --debug-syscalls | grep 161 +161 - chroot +``` +Profile: `seccomp -> seccomp !chroot` + +Start `journalctl --grep=syscall --follow` in a terminal, then start the broken +program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. +Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You +will see something like `NUMBER - NAME`, because you now know the name of the +syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. + +If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. diff -Nru firejail-0.9.60/etc/terasology.profile firejail-0.9.62/etc/terasology.profile --- firejail-0.9.60/etc/terasology.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/terasology.profile 2019-12-14 13:30:32.000000000 +0000 
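Review bot: The `@default` definition near the top of the new syscalls.txt has a missing comma — `...,remap_file_pages,set_mempolicyvmsplice,umount,...` should read `...,remap_file_pages,set_mempolicy,vmsplice,umount,...`; anyone who copies that list into a `seccomp.drop` line gets an unknown syscall name, which is likely rejected or silently ignored, and loses both set_mempolicy and vmsplice from their filter. The compiled-in groups are unaffected, but this file is what people read when writing filters, so the text has to match. It would also be worth one sentence in the "What to do if seccomp breaks a program" section saying that every `!NAME` exception widens the kernel attack surface of the sandbox, so it belongs in PROFILE.local unless the program cannot run without it.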
@@ -5,17 +5,16 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.java +ignore noexec /tmp + noblacklist ${HOME}/.local/share/terasology -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -44,7 +43,5 @@ disable-mnt private-dev -private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl private-tmp - -noexec ${HOME} diff -Nru firejail-0.9.60/etc/thunar.profile firejail-0.9.62/etc/thunar.profile --- firejail-0.9.60/etc/thunar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/thunar.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Modern file manager for Xfce # This file is overwritten after every install/update - # Redirect include Thunar.profile diff -Nru firejail-0.9.60/etc/Thunar.profile firejail-0.9.62/etc/Thunar.profile --- firejail-0.9.60/etc/Thunar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Thunar.profile 2019-12-14 13:30:32.000000000 +0000 
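Review bot: `ignore noexec /tmp` punches an exec hole in the `disable-exec.inc` policy that this same hunk adds, and nothing says why; my assumption is that the Java/LWJGL stack extracts native libraries into /tmp and dlopens them, but that is inference. Write it down next to the line, e.g. `# Terasology (LWJGL) unpacks native libraries into /tmp and needs to execute them — verify`, so a later cleanup does not remove it as redundant; `private-tmp` further down at least keeps that executable tmpfs private to the sandbox.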
@@ -16,6 +16,7 @@ include disable-passwdmgr.inc # include disable-programs.inc +allusers caps.drop all netfilter no3d diff -Nru firejail-0.9.60/etc/thunderbird-beta.profile firejail-0.9.62/etc/thunderbird-beta.profile --- firejail-0.9.60/etc/thunderbird-beta.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/thunderbird-beta.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,7 +1,7 @@ # Firejail profile alias for thunderbird-beta # This file is overwritten after every install/update -whitelist /opt/thunderbird-beta +private-opt thunderbird-beta # Redirect include thunderbird.profile diff -Nru firejail-0.9.60/etc/thunderbird.profile firejail-0.9.62/etc/thunderbird.profile --- firejail-0.9.60/etc/thunderbird.profile 2019-04-27 15:28:10.000000000 +0000 +++ firejail-0.9.62/etc/thunderbird.profile 2019-12-28 13:14:56.000000000 +0000 @@ -14,6 +14,13 @@ # noblacklist ${HOME}/.icedove noblacklist ${HOME}/.thunderbird +# Uncomment the next 4 lines or put them in your thunderbird.local to +# allow Firefox to load your profile when clicking a link in an email +#noblacklist ${HOME}/.cache/mozilla +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.cache/mozilla/firefox +#whitelist ${HOME}/.mozilla + # If you have setup Thunderbird to archive emails to a local folder, # make sure you add the path to that folder to the mkdir and whitelist # rules below. Otherwise they will be deleted when you close Thunderbird. 
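Review bot: `allusers` is added to Thunar.profile with no comment, and it widens the sandbox's filesystem view from the user's own home to every directory under /home, which firejail hides by default. For a file manager that is a plausible requirement, but the default is the safer one and nothing records the intent, so a later reviewer cannot tell whether it was a deliberate trade-off or a workaround for a single report. I would write `# allusers - expose other users' home directories so Thunar can browse /home` above it, citing the issue if there was one. The rest of Thunar.profile is outside the hunk.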
@@ -27,22 +34,23 @@ # whitelist ${HOME}/.icedove whitelist ${HOME}/.thunderbird +#whitelist /usr/share/mozilla +#include whitelist-usr-share-common.inc + # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE ignore private-tmp -# machine-id breaks audio in browsers; enable it when sound is not required +# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required # machine-id read-only ${HOME}/.config/mimeapps.list -# writable-run-user is needed for signing and encrypting emails +# writable-run-user and dbus are needed by enigmail writable-run-user +ignore nodbus # If you want to read local mail stored in /var/mail, add the following to thunderbird.local: # noblacklist /var/mail # noblacklist /var/spool/mail # writable-var -# Uncomment (or put in thunderbird.local) if you use enigmail -#ignore nodbus - # allow browsers # Redirect include firefox-common.profile diff -Nru firejail-0.9.60/etc/thunderbird-wayland.profile firejail-0.9.62/etc/thunderbird-wayland.profile --- firejail-0.9.60/etc/thunderbird-wayland.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/thunderbird-wayland.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,10 @@ # Firejail profile alias for thunderbird-wayland # This file is overwritten after every install/update +# Persistent local customizations +include thunderbird-wayland.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include thunderbird.profile diff -Nru firejail-0.9.60/etc/torbrowser-launcher.profile firejail-0.9.62/etc/torbrowser-launcher.profile --- firejail-0.9.60/etc/torbrowser-launcher.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/torbrowser-launcher.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -12,12 +12,8 @@
 noblacklist ${HOME}/.local/share/torbrowser
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -46,13 +42,13 @@
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
 
 disable-mnt
-private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff -Nru firejail-0.9.60/etc/tor-browser.profile firejail-0.9.62/etc/tor-browser.profile
--- firejail-0.9.60/etc/tor-browser.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/tor-browser.profile 2019-12-14 13:30:32.000000000 +0000
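Review bot: `seccomp !chroot` swaps the explicit `seccomp.drop` list for the default filter plus a chroot exception, but nothing in the hunk says why chroot must stay reachable; the default filter blocks it on purpose, so the exception needs a why-comment such as `# chroot is needed by the Tor Browser (Firefox) content-process sandbox` — that reason is my inference from what the launcher runs, not something the hunk shows, so confirm it. The re-sorted `private-etc` line also silently drops `hostname` and `hosts`, which the old line had; if the removal is intentional it belongs in the commit message or a comment, otherwise re-add them so local name resolution inside the jail keeps working. The extra dialog helpers in `private-bin` (`zenity`, `kdialog`, `xmessage`, `gxmessage`) look consistent with the launcher's error reporting and need no change. The profile body continues outside the hunk.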
@@ -0,0 +1,10 @@ +# Firejail profile alias for torbrowser-launcher +# This file is overwritten after every install/update + +noblacklist ${HOME}/.tor-browser + +mkdir ${HOME}/.tor-browser +whitelist ${HOME}/.tor-browser + +# Redirect +include torbrowser-launcher.profile diff -Nru firejail-0.9.60/etc/tor.profile firejail-0.9.62/etc/tor.profile --- firejail-0.9.60/etc/tor.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/tor.profile 2019-12-14 13:30:32.000000000 +0000 @@ -25,7 +25,7 @@ include disable-programs.inc include disable-xdg.inc -caps.keep setuid,setgid,net_bind_service,dac_read_search +caps.keep dac_read_search,net_bind_service,setgid,setuid ipc-namespace machine-id netfilter @@ -40,13 +40,12 @@ protocol unix,inet,inet6 seccomp shell none -writable-var disable-mnt private -private-bin tor,bash +private-bin bash,tor private-cache private-dev -private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor private-tmp - +writable-var diff -Nru firejail-0.9.60/etc/totem.profile firejail-0.9.62/etc/totem.profile --- firejail-0.9.60/etc/totem.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/totem.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,6 +6,9 @@ # Persistent global definitions include globals.local +# Allow lua (required for youtube video) +include allow-lua.inc + noblacklist ${HOME}/.config/totem noblacklist ${HOME}/.local/share/totem noblacklist ${MUSIC} 
@@ -37,6 +40,6 @@ # totem needs access to ~/.cache/tracker or it exits #private-cache private-dev -# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl private-tmp diff -Nru firejail-0.9.60/etc/tracker.profile firejail-0.9.62/etc/tracker.profile --- firejail-0.9.60/etc/tracker.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/tracker.profile 2019-12-14 13:30:32.000000000 +0000 @@ -33,5 +33,4 @@ # private-bin tracker # private-dev -# private-etc alternatives,fonts # private-tmp diff -Nru firejail-0.9.60/etc/transgui.profile firejail-0.9.62/etc/transgui.profile --- firejail-0.9.60/etc/transgui.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transgui.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,7 +2,7 @@ # Description: Cross-platform Transmission BitTorrent client # This file is overwritten after every install/update # Persistent local customizations -include /etc/firejail/transgui.local +include transgui.local # Persistent global definitions include globals.local @@ -20,6 +20,7 @@ whitelist ${HOME}/.config/transgui whitelist ${DOWNLOADS} include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/transmission-cli.profile firejail-0.9.62/etc/transmission-cli.profile --- firejail-0.9.60/etc/transmission-cli.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-cli.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,37 +7,8 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.cache/transmission -noblacklist ${HOME}/.config/transmission - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -machine-id -netfilter -nodbus -nodvd -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol inet,inet6 -seccomp -shell none -tracelog - -# private-bin transmission-cli -private-dev +private-bin transmission-cli private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl -private-lib -private-tmp -memory-deny-write-execute +# Redirect +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-common.profile firejail-0.9.62/etc/transmission-common.profile --- firejail-0.9.60/etc/transmission-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/transmission-common.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,47 @@ +# Firejail profile for transmission-common +# Description: Fast, easy and free BitTorrent client +# This file is overwritten after every install/update +# Persistent local customizations +include transmission-common.local + +noblacklist ${HOME}/.cache/transmission +noblacklist ${HOME}/.config/transmission + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +mkdir ${HOME}/.cache/transmission +mkdir ${HOME}/.config/transmission +whitelist ${DOWNLOADS} +whitelist ${HOME}/.cache/transmission +whitelist ${HOME}/.config/transmission +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodbus +nodvd +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-dev +private-lib +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/transmission-create.profile firejail-0.9.62/etc/transmission-create.profile --- firejail-0.9.60/etc/transmission-create.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-create.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,12 +1,13 @@ # Firejail profile for transmission-create # Description: CLI utility to create BitTorrent .torrent files # This file is overwritten after every install/update +quiet # Persistent local customizations include transmission-create.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local +private-bin transmission-create # Redirect -include transmission-cli.profile +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-daemon.profile firejail-0.9.62/etc/transmission-daemon.profile --- firejail-0.9.60/etc/transmission-daemon.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-daemon.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,5 @@ # Firejail profile for transmission-daemon -# Description: Fast, easy and free BitTorrent client (daemon) +# Description: Fast, easy and free BitTorrent client (daemon) # This file is overwritten after every install/update quiet # Persistent local customizations 
@@ -7,38 +7,16 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.cache/transmission -noblacklist ${HOME}/.config/transmission +whitelist /var/lib/transmission -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc +caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot -apparmor -caps.drop all -machine-id -netfilter -nodbus -nodvd -nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol inet,inet6 -seccomp -shell none -tracelog - -# private-bin transmission-daemon -private-dev +private-bin transmission-daemon private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl -private-lib -private-tmp -memory-deny-write-execute +read-write /var/lib/transmission +writable-var-log +writable-run-user + +# Redirect +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-edit.profile firejail-0.9.62/etc/transmission-edit.profile --- firejail-0.9.60/etc/transmission-edit.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-edit.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,12 +1,13 @@ # Firejail profile for transmission-edit # Description: CLI utility to modify BitTorrent .torrent files' announce URLs # This file is overwritten after every install/update +quiet # Persistent local customizations include transmission-edit.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local +private-bin transmission-edit # Redirect -include transmission-cli.profile +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-gtk.profile firejail-0.9.62/etc/transmission-gtk.profile --- firejail-0.9.60/etc/transmission-gtk.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-gtk.profile 2019-12-14 13:30:32.000000000 +0000 
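Review bot: The daemon's `caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot` is written before `include transmission-common.profile`, and the common profile added by this same commit contains `caps.drop all`; unless firejail lets an earlier `caps.keep` win over a later `caps.drop all` (they are separate settings and, as far as I recall, drop-all is checked first when the sandbox applies capabilities), the kept set is discarded and the daemon starts with no capabilities, so it can neither bind a privileged port nor switch to its service user. The sibling GTK/Qt profiles in this commit already mask common-profile lines with `ignore` (`ignore memory-deny-write-execute`, `ignore private-lib`), and the same idiom fits here: `# keep a minimal capability set instead of the common profile's caps.drop all` followed by `ignore caps.drop all`, placed just before the `caps.keep` line. Verify by reading CapBnd/CapEff in /proc/self/status inside the sandbox. `noroot` and `nonewprivs` from the common profile also now apply to a daemon that is usually started by the init system and drops privileges itself; worth confirming that combination on the target setup.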
@@ -1,50 +1,15 @@ # Firejail profile for transmission-gtk # Description: Fast, easy and free BitTorrent client (GTK GUI) # This file is overwritten after every install/update +quiet # Persistent local customizations include transmission-gtk.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.cache/transmission -noblacklist ${HOME}/.config/transmission - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -mkdir ${HOME}/.cache/transmission -mkdir ${HOME}/.config/transmission -whitelist ${DOWNLOADS} -whitelist ${HOME}/.cache/transmission -whitelist ${HOME}/.config/transmission -include whitelist-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -machine-id -netfilter -nodbus -nodvd -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - private-bin transmission-gtk -private-dev -private-lib -private-tmp -# Causes freeze during opening file dialog in Archlinux, see issue #1855 -# memory-deny-write-execute +ignore memory-deny-write-execute + +# Redirect +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-qt.profile firejail-0.9.62/etc/transmission-qt.profile --- firejail-0.9.60/etc/transmission-qt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-qt.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,49 +1,18 @@ # Firejail profile for transmission-qt # Description: Fast, easy and free BitTorrent client (Qt GUI) # This file is overwritten after every install/update +quiet # Persistent local customizations include transmission-qt.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.cache/transmission -noblacklist ${HOME}/.config/transmission - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -mkdir ${HOME}/.cache/transmission -mkdir ${HOME}/.config/transmission -whitelist ${DOWNLOADS} -whitelist ${HOME}/.cache/transmission -whitelist ${HOME}/.config/transmission -include whitelist-common.inc -include whitelist-var-common.inc +private-bin transmission-qt -apparmor -caps.drop all -machine-id -netfilter -nodbus -nodvd -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog +# private-lib - breaks on Arch +ignore private-lib -private-bin transmission-qt -private-dev -# private-lib - problems on Arch -private-tmp +ignore memory-deny-write-execute -# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0 +# Redirect +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-remote-cli.profile firejail-0.9.62/etc/transmission-remote-cli.profile --- firejail-0.9.60/etc/transmission-remote-cli.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-remote-cli.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,30 +1,17 @@ # Firejail profile for transmission-remote-cli # Description: A remote control utility for transmission-daemon (CLI) # This file is overwritten after every install/update +quiet # Persistent local customizations include transmission-remote-cli.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* - -mkdir ${HOME}/.cache/transmission -mkdir ${HOME}/.config/transmission -whitelist ${HOME}/.cache/transmission -whitelist ${HOME}/.config/transmission -include whitelist-common.inc -include whitelist-var-common.inc - -# private-bin python* -private-etc fonts +include allow-python2.inc +include allow-python3.inc +private-bin python*,transmission-remote-cli # Redirect -include transmission-remote.profile +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-remote-gtk.profile firejail-0.9.62/etc/transmission-remote-gtk.profile --- firejail-0.9.60/etc/transmission-remote-gtk.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-remote-gtk.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,21 +1,22 @@ # Firejail profile for transmission-remote-gtk # Description: A remote control utility for transmission-daemon (GTK GUI) # This file is overwritten after every install/update +quiet # Persistent local customizations include transmission-remote-gtk.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -mkdir ${HOME}/.cache/transmission -mkdir ${HOME}/.config/transmission -whitelist ${HOME}/.cache/transmission -whitelist ${HOME}/.config/transmission -include whitelist-common.inc -include whitelist-var-common.inc +noblacklist ${HOME}/.config/transmission-remote-gtk -private-etc fonts +mkdir ${HOME}/.config/transmission-remote-gtk +whitelist ${HOME}/.config/transmission-remote-gtk +private-etc fonts,hostname,hosts,resolv.conf +# Problems with private-lib (see issue #2889) +ignore private-lib + +ignore memory-deny-write-execute # Redirect -include transmission-remote.profile +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-remote.profile firejail-0.9.62/etc/transmission-remote.profile --- firejail-0.9.60/etc/transmission-remote.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-remote.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,37 +7,8 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.cache/transmission -noblacklist ${HOME}/.config/transmission - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -machine-id -netfilter -nodbus -nodvd -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol inet,inet6 -seccomp -shell none -tracelog - -# private-bin transmission-remote -private-dev +private-bin transmission-remote private-etc alternatives,hosts,nsswitch.conf -private-lib -private-tmp -memory-deny-write-execute +# Redirect +include transmission-common.profile diff -Nru firejail-0.9.60/etc/transmission-show.profile firejail-0.9.62/etc/transmission-show.profile --- firejail-0.9.60/etc/transmission-show.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/transmission-show.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,41 +1,14 @@ # Firejail profile for transmission-show # Description: CLI utility to show BitTorrent .torrent file metadata # This file is overwritten after every install/update +quiet # Persistent local customizations include transmission-show.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.cache/transmission -noblacklist ${HOME}/.config/transmission - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -machine-id -netfilter -nodbus -nodvd -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol inet,inet6 -seccomp -shell none -tracelog - -private-dev +private-bin transmission-show private-etc alternatives,hosts,nsswitch.conf -private-lib -private-tmp -memory-deny-write-execute +# Redirect +include transmission-common.profile diff -Nru firejail-0.9.60/etc/tremulous.profile firejail-0.9.62/etc/tremulous.profile --- firejail-0.9.60/etc/tremulous.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/tremulous.profile 2019-12-14 13:30:32.000000000 +0000 @@ -38,7 +38,7 @@ tracelog disable-mnt -private-bin tremulous,tremulous-wrapper,tremded +private-bin tremded,tremulous,tremulous-wrapper private-cache private-dev private-tmp diff -Nru firejail-0.9.60/etc/tshark.profile firejail-0.9.62/etc/tshark.profile --- firejail-0.9.60/etc/tshark.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/tshark.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,43 @@
+# Firejail profile for tshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tshark.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/wireshark
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+
+#caps.keep net_raw
+caps.keep dac_override,net_admin,net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+# nogroups - breaks network traffic capture for unprivileged users
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+nosound
+notv
+nou2f
+novideo
+#protocol unix,inet,inet6,netlink,packet
+#seccomp
+
+disable-mnt
+#private
+private-cache
+#private-bin tshark
+private-dev
+private-tmp
diff -Nru firejail-0.9.60/etc/tuxguitar.profile firejail-0.9.62/etc/tuxguitar.profile
--- firejail-0.9.60/etc/tuxguitar.profile 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/etc/tuxguitar.profile 2019-12-14 13:30:32.000000000 +0000
@@ -6,16 +6,12 @@
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
diff -Nru firejail-0.9.60/etc/udiskie.profile firejail-0.9.62/etc/udiskie.profile
--- firejail-0.9.60/etc/udiskie.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/udiskie.profile 2019-12-14 13:30:32.000000000 +0000
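Review bot: `caps.keep dac_override,net_admin,net_raw` keeps CAP_DAC_OVERRIDE for the whole tshark sandbox, which bypasses file permission checks on everything the mount namespace exposes, and the new file gives no reason for it even though it does explain the commented-out `nogroups` and `nonewprivs`. tshark's main attack surface is dissector bugs on untrusted traffic, so a broad capability combined with `#seccomp` and `#protocol ...` (both disabled without a stated reason) leaves an exploited dissector far more room than the blacklist-based confinement suggests; the preceding `#caps.keep net_raw` line hints that the narrower set was tried first. I would either document why dac_override is required or drop it, and give `#seccomp` and `#protocol` the same one-line justification the other disabled options have, in the form `# seccomp - breaks <what> for <whom>`. This is a new file, so the whole profile is within the hunk.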
@@ -0,0 +1,45 @@ +# Firejail profile for udiskie +# Description: Removable disk automounter using udisks +# This file is overwritten after every install/update +# Persistent local customizations +include udiskie.local +# Persistent global definitions +include globals.local + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-var-common.inc + +caps.drop all +machine-id +net none +no3d +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop +# add your configured file browser in udiskie.local, e. g. +# private-bin nautilus +# private-bin thunar +private-cache +private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg +private-tmp diff -Nru firejail-0.9.60/etc/uget-gtk.profile firejail-0.9.62/etc/uget-gtk.profile --- firejail-0.9.60/etc/uget-gtk.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/uget-gtk.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,6 +16,7 @@ whitelist ${DOWNLOADS} whitelist ${HOME}/.config/uGet include whitelist-common.inc +include whitelist-usr-share-common.inc caps.drop all netfilter diff -Nru firejail-0.9.60/etc/unbound.profile firejail-0.9.62/etc/unbound.profile --- firejail-0.9.60/etc/unbound.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/unbound.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -6,35 +6,44 @@
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-usr-share-common.inc
+
 whitelist /var/lib/unbound
 whitelist /var/run
 
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
-writable-var
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt
 private
 private-dev
+private-tmp
+writable-var
 
 # mdwe can break modules/plugins
 memory-deny-write-execute
diff -Nru firejail-0.9.60/etc/uncompress.profile firejail-0.9.62/etc/uncompress.profile
--- firejail-0.9.60/etc/uncompress.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/uncompress.profile 2019-12-28 13:14:56.000000000 +0000
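Review bot: The re-sorted `seccomp.drop` list in the unbound hunk still lists `perf_event_open` twice (`...perf_event_open,perf_event_open,pivot_root...`), a duplicate carried over from the old line; it is harmless to the filter, but the sort was the moment to remove it, and a duplicate surviving in a hand-maintained deny list suggests the entries were not re-read. The new `protocol inet,inet6` omits `unix`; if unbound-control is configured with a unix-domain `control-interface` path on a given host that socket is now blocked, so either add `unix` or state in a comment that the profile assumes the TCP control interface. A short comment that `nonewprivs` is compatible with `caps.keep ... setuid,setgid` here because unbound changes user itself would also save the next reader a question. The profile continues outside the hunk.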
@@ -0,0 +1,11 @@ +# Firejail profile for uncompress +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include uncompress.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include gzip.profile diff -Nru firejail-0.9.60/etc/unf.profile firejail-0.9.62/etc/unf.profile --- firejail-0.9.60/etc/unf.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/unf.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,54 @@ +# Firejail profile for unf +# Description: UNixize Filename -- replace annoying anti-unix characters in filenames +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include unf.local +# Persistent global definitions +include globals.local + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +hostname unf +ipc-namespace +machine-id +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +private-bin unf +private-cache +?HAS_APPIMAGE: ignore private-dev +private-dev +private-etc alternatives +private-lib libgcc_s.so.* +private-tmp + +memory-deny-write-execute diff -Nru firejail-0.9.60/etc/unknown-horizons.profile firejail-0.9.62/etc/unknown-horizons.profile --- firejail-0.9.60/etc/unknown-horizons.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/unknown-horizons.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -23,11 +23,12 @@ noroot notv nou2f -protocol unix,netlink,inet,inet6 +novideo +protocol unix,inet,inet6,netlink seccomp shell none # private-bin unknown-horizons private-dev -# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl private-tmp diff -Nru firejail-0.9.60/etc/unlzma.profile firejail-0.9.62/etc/unlzma.profile --- firejail-0.9.60/etc/unlzma.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/unlzma.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/unrar.profile firejail-0.9.62/etc/unrar.profile --- firejail-0.9.60/etc/unrar.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/unrar.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,27 +5,37 @@ # Persistent local customizations include unrar.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -blacklist /tmp/.X11-unix +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +caps.drop all hostname unrar -ignore noroot +ipc-namespace +machine-id net none no3d nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none private-bin unrar private-dev -private-etc alternatives,passwd,group,localtime +private-etc alternatives,group,localtime,passwd private-tmp - -include default.profile diff -Nru firejail-0.9.60/etc/unxz.profile firejail-0.9.62/etc/unxz.profile --- firejail-0.9.60/etc/unxz.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/unxz.profile 2019-12-14 13:30:32.000000000 +0000 
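Review bot: In the rewritten unrar.profile `noroot` is left disabled as `#noroot`, alongside `#nogroups`, with no reason given, while the unzip profile rewritten in the same commit enables `noroot`. unrar processes attacker-supplied archives, so the user namespace that `noroot` adds is a cheap extra layer for exactly the case where the extractor is exploited; the old profile's `ignore noroot` suggests it broke something, and that is what should be recorded, e.g. `# noroot - breaks <what>` — otherwise enable it as unzip does. The same applies to `#nogroups`. Note that the profile no longer redirects to default.profile, so the hardening it used to inherit now has to be spelled out; the added `caps.drop all`, `nonewprivs`, `seccomp`, `protocol unix` and `x11 none` appear to cover that.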
@@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/unzip.profile firejail-0.9.62/etc/unzip.profile --- firejail-0.9.60/etc/unzip.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/unzip.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,29 +5,39 @@ # Persistent local customizations include unzip.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -blacklist /tmp/.X11-unix +# GNOME Shell integration (chrome-gnome-shell) +noblacklist ${HOME}/.local/share/gnome-shell +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.drop all hostname unzip -ignore noroot +ipc-namespace +machine-id net none no3d nodbus nodvd +#nogroups +nonewprivs +noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none private-bin unzip private-dev -private-etc alternatives,passwd,group,localtime - -# GNOME Shell integration (chrome-gnome-shell) -noblacklist ${HOME}/.local/share/gnome-shell - -include default.profile +private-etc alternatives,group,localtime,passwd diff -Nru firejail-0.9.60/etc/unzstd.profile firejail-0.9.62/etc/unzstd.profile --- firejail-0.9.60/etc/unzstd.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/unzstd.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for zstd +# This file is overwritten after every install/update + +# Redirect +include zstd.profile diff -Nru firejail-0.9.60/etc/utox.profile firejail-0.9.62/etc/utox.profile --- firejail-0.9.60/etc/utox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/utox.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/Tox noblacklist ${HOME}/.config/tox include disable-common.inc @@ -41,7 +42,7 @@ private-bin utox private-cache private-dev -private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse,openal +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/uudeview.profile firejail-0.9.62/etc/uudeview.profile --- firejail-0.9.60/etc/uudeview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/uudeview.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,24 +5,38 @@ # Persistent local customizations include uudeview.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +include whitelist-usr-share-common.inc + +caps.drop all hostname uudeview -ignore noroot +ipc-namespace +machine-id net none nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none private-bin uudeview private-cache private-dev private-etc alternatives,ld.so.preload - -include default.profile diff -Nru firejail-0.9.60/etc/uzbl-browser.profile firejail-0.9.62/etc/uzbl-browser.profile --- firejail-0.9.60/etc/uzbl-browser.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/uzbl-browser.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/uzbl # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/Viber.profile firejail-0.9.62/etc/Viber.profile --- firejail-0.9.60/etc/Viber.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Viber.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,7 +5,6 @@ # Persistent global definitions include globals.local - noblacklist ${HOME}/.ViberPC include disable-common.inc @@ -15,6 +14,7 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.ViberPC whitelist ${DOWNLOADS} whitelist ${HOME}/.ViberPC include whitelist-common.inc @@ -28,13 +28,10 @@ noroot notv protocol unix,inet,inet6 -seccomp +seccomp !chroot shell none disable-mnt -private-bin sh,bash,dig,awk,Viber -private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf +private-bin awk,bash,dig,sh,Viber +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 private-tmp - - -env QTWEBENGINE_DISABLE_SANDBOX=1 diff -Nru firejail-0.9.60/etc/viewnior.profile firejail-0.9.62/etc/viewnior.profile --- firejail-0.9.60/etc/viewnior.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/viewnior.profile 2019-12-14 13:30:32.000000000 +0000 
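Review bot: `seccomp !chroot` re-admits the chroot syscall to the Viber sandbox, and the same hunk drops `env QTWEBENGINE_DISABLE_SANDBOX=1`, but nothing records that the two changes belong together. If the chroot exception is there so QtWebEngine's own renderer sandbox can run now that it is no longer disabled, say so beside the directive, e.g. `# chroot is required by the QtWebEngine renderer sandbox (previously disabled via QTWEBENGINE_DISABLE_SANDBOX=1)`, so a later cleanup does not restore the full filter and silently break the client. I am inferring the motivation from the two lines; confirm it before committing the comment.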
@@ -6,12 +6,12 @@ # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc - noblacklist ${HOME}/.Steam noblacklist ${HOME}/.config/viewnior noblacklist ${HOME}/.steam +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -19,6 +19,8 @@ include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc + apparmor caps.drop all net none @@ -43,5 +45,4 @@ private-etc alternatives,fonts,machine-id private-tmp -# memory-deny-write-executes breaks on Arch - see issue #1808 -#memory-deny-write-execute +#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) diff -Nru firejail-0.9.60/etc/vimcat.profile firejail-0.9.62/etc/vimcat.profile --- firejail-0.9.60/etc/vimcat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vimcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include vimcat.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include vim.profile diff -Nru firejail-0.9.60/etc/vimdiff.profile firejail-0.9.62/etc/vimdiff.profile --- firejail-0.9.60/etc/vimdiff.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vimdiff.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include vimdiff.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include vim.profile diff -Nru firejail-0.9.60/etc/vimpager.profile firejail-0.9.62/etc/vimpager.profile --- firejail-0.9.60/etc/vimpager.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vimpager.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -4,8 +4,8 @@ # Persistent local customizations include vimpager.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include vim.profile diff -Nru firejail-0.9.60/etc/vim.profile firejail-0.9.62/etc/vim.profile --- firejail-0.9.60/etc/vim.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vim.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,11 +6,13 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.python-history noblacklist ${HOME}/.vim noblacklist ${HOME}/.viminfo noblacklist ${HOME}/.vimrc +# Allows files commonly used by IDEs +include allow-common-devel.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc diff -Nru firejail-0.9.60/etc/vimtutor.profile firejail-0.9.62/etc/vimtutor.profile --- firejail-0.9.60/etc/vimtutor.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vimtutor.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include vimtutor.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include vim.profile diff -Nru firejail-0.9.60/etc/virtualbox.profile firejail-0.9.62/etc/virtualbox.profile --- firejail-0.9.60/etc/virtualbox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/virtualbox.profile 2019-12-14 13:30:32.000000000 +0000 @@ -26,7 +26,7 @@ include whitelist-common.inc include whitelist-var-common.inc -caps.drop all +caps.keep net_raw,sys_admin,sys_nice netfilter nodvd notv diff -Nru firejail-0.9.60/etc/VirtualBox.profile firejail-0.9.62/etc/VirtualBox.profile --- firejail-0.9.60/etc/VirtualBox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/VirtualBox.profile 2019-12-14 13:30:32.000000000 +0000 
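Review bot: `include allow-common-devel.inc` widens what vim can read well beyond its own configuration: the webstorm hunk in this same diff shows that include standing in for noblacklist lines covering `${HOME}/.config/git`, `${HOME}/.gitconfig`, `${HOME}/.git-credentials`, `${HOME}/.gradle` and `${HOME}/.java`. For an editor that also runs third-party plugins, exposing `.git-credentials` (plaintext tokens) by default is a trade-off the comment should name rather than hide behind "files commonly used by IDEs", e.g. `# Allows files commonly used by IDEs, including ~/.gitconfig and ~/.git-credentials; see vim.local to opt out`. vimcat, vimdiff, vimpager and vimtutor redirect here, so they inherit the wider access as well.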
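Review bot: Replacing `caps.drop all` with `caps.keep net_raw,sys_admin,sys_nice` retains CAP_SYS_ADMIN, which is broad enough (mounts, namespaces, many privileged ioctls) that the capability bounding set no longer meaningfully confines anything that can reach it, and the hunk gives no reason. If these capabilities are needed by VirtualBox's privileged helpers, the profile should say which component needs which, e.g. `# VirtualBox's setuid helpers need net_raw (bridged/host-only networking), sys_admin and sys_nice`, so the next maintainer does not re-tighten it blindly. Note also that the kept capabilities only matter if the setuid transition is allowed at all; the rest of the profile is outside this hunk, so whether `nonewprivs` is present (which would make the change ineffective) cannot be checked here.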
@@ -2,6 +2,5 @@ # Description: x86 virtualization solution # This file is overwritten after every install/update - # Redirect include virtualbox.profile diff -Nru firejail-0.9.60/etc/vivaldi-beta.profile firejail-0.9.62/etc/vivaldi-beta.profile --- firejail-0.9.60/etc/vivaldi-beta.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vivaldi-beta.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for vivaldi # This file is overwritten after every install/update - # Redirect include vivaldi.profile diff -Nru firejail-0.9.60/etc/vivaldi.profile firejail-0.9.62/etc/vivaldi.profile --- firejail-0.9.60/etc/vivaldi.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vivaldi.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,13 @@ # Persistent global definitions include globals.local +# Allow HTML5 Proprietary Media & DRM/EME (Widevine) +ignore apparmor +ignore noexec /var +noblacklist /var/opt +whitelist /var/opt/vivaldi +writable-var + noblacklist ${HOME}/.cache/vivaldi noblacklist ${HOME}/.config/vivaldi noblacklist ${HOME}/.local/lib/vivaldi diff -Nru firejail-0.9.60/etc/vivaldi-stable.profile firejail-0.9.62/etc/vivaldi-stable.profile --- firejail-0.9.60/etc/vivaldi-stable.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vivaldi-stable.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for vivaldi # This file is overwritten after every install/update - # Redirect include vivaldi.profile diff -Nru firejail-0.9.60/etc/vlc.profile firejail-0.9.62/etc/vlc.profile --- firejail-0.9.60/etc/vlc.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vlc.profile 2019-12-14 13:30:32.000000000 +0000 
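Review bot: The Widevine block weakens the sandbox for every Vivaldi user, not only those who use DRM: `ignore apparmor` drops the AppArmor confinement, and `ignore noexec /var` together with `writable-var` make /var both writable and executable inside the jail. Because an `ignore` directive cannot be undone from vivaldi.local, users who do not want DRM have no opt-out path. The safer shape is to ship these lines commented out under a note such as `# To enable HTML5 DRM/EME (Widevine), uncomment the following or add them to vivaldi.local`, so the default stays strict and DRM users opt in.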
@@ -34,7 +34,7 @@ seccomp shell none -private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc +private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc private-dev private-tmp diff -Nru firejail-0.9.60/etc/vscodium.profile firejail-0.9.62/etc/vscodium.profile --- firejail-0.9.60/etc/vscodium.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/vscodium.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,7 +1,6 @@ # Firejail profile alias for Visual Studio Code # This file is overwritten after every install/update - noblacklist ${HOME}/.VSCodium # Redirect diff -Nru firejail-0.9.60/etc/w3m.profile firejail-0.9.62/etc/w3m.profile --- firejail-0.9.60/etc/w3m.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/w3m.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,9 +6,11 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.w3m + blacklist /tmp/.X11-unix -noblacklist ${HOME}/.w3m +include allow-perl.inc include disable-common.inc include disable-devel.inc @@ -36,5 +38,5 @@ # private-bin w3m private-cache private-dev -private-etc alternatives,resolv.conf,ssl,pki,ca-certificates,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/warzone2100.profile firejail-0.9.62/etc/warzone2100.profile --- firejail-0.9.60/etc/warzone2100.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/warzone2100.profile 2019-12-14 13:30:32.000000000 +0000 @@ -30,6 +30,7 @@ noroot notv nou2f +novideo protocol unix,inet,inet6,netlink seccomp shell none diff -Nru firejail-0.9.60/etc/waterfox-classic.profile firejail-0.9.62/etc/waterfox-classic.profile --- firejail-0.9.60/etc/waterfox-classic.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/waterfox-classic.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,7 @@ +# Firejail profile for waterfox-classic +# This file is overwritten after every install/update +# Persistent local customizations +include waterfox-classic.local + +# Redirect +include waterfox.profile diff -Nru firejail-0.9.60/etc/waterfox-current.profile firejail-0.9.62/etc/waterfox-current.profile --- firejail-0.9.60/etc/waterfox-current.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/waterfox-current.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,7 @@ +# Firejail profile for waterfox-current +# This file is overwritten after every install/update +# Persistent local customizations +include waterfox-current.local + +# Redirect +include waterfox.profile diff -Nru firejail-0.9.60/etc/waterfox.profile firejail-0.9.62/etc/waterfox.profile --- firejail-0.9.60/etc/waterfox.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/waterfox.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -5,22 +5,21 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.cache/mozilla noblacklist ${HOME}/.cache/waterfox -noblacklist ${HOME}/.mozilla noblacklist ${HOME}/.waterfox -mkdir ${HOME}/.cache/mozilla/firefox -mkdir ${HOME}/.mozilla mkdir ${HOME}/.cache/waterfox mkdir ${HOME}/.waterfox -whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.cache/waterfox -whitelist ${HOME}/.mozilla whitelist ${HOME}/.waterfox +# Uncomment (or add to watefox.local) the following lines if you want to +# use the migration wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + # waterfox requires a shell to launch on Arch. We can possibly remove sh though. -#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash +#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which # private-etc must first be enabled in firefox-common.profile #private-etc waterfox diff -Nru firejail-0.9.60/etc/webstorm.profile firejail-0.9.62/etc/webstorm.profile --- firejail-0.9.60/etc/webstorm.profile 2019-04-26 12:25:00.000000000 +0000 +++ firejail-0.9.62/etc/webstorm.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,15 +7,13 @@ noblacklist ${HOME}/.WebStorm* noblacklist ${HOME}/.android -noblacklist ${HOME}/.config/git -noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.git-credentials -noblacklist ${HOME}/.gradle -noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/JetBrains noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allows files commonly used by IDEs +include allow-common-devel.inc + noblacklist ${PATH}/node noblacklist ${HOME}/.nvm diff -Nru firejail-0.9.60/etc/weechat-curses.profile firejail-0.9.62/etc/weechat-curses.profile --- firejail-0.9.60/etc/weechat-curses.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/weechat-curses.profile 2019-12-14 13:30:32.000000000 +0000 
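Review bot: The new comment directs users to `watefox.local`, which is misspelled; firejail's local-customization file for this profile is `waterfox.local` (matching the profile name, as every other profile in this diff does), so anyone following the instruction literally creates a file that is never read. Change the line to `# Uncomment (or add to waterfox.local) the following lines if you want to`.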
@@ -1,6 +1,5 @@ # Firejail profile alias for weechat # This file is overwritten after every install/update - # Redirect include weechat.profile diff -Nru firejail-0.9.60/etc/weechat.profile firejail-0.9.62/etc/weechat.profile --- firejail-0.9.60/etc/weechat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/weechat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,6 +11,8 @@ include disable-common.inc include disable-programs.inc +include whitelist-usr-share-common.inc + caps.drop all netfilter nodvd diff -Nru firejail-0.9.60/etc/wesnoth.profile firejail-0.9.62/etc/wesnoth.profile --- firejail-0.9.60/etc/wesnoth.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/wesnoth.profile 2019-12-14 13:30:32.000000000 +0000 @@ -30,6 +30,7 @@ noroot notv nou2f +novideo protocol unix,inet,inet6 seccomp diff -Nru firejail-0.9.60/etc/wget.profile firejail-0.9.62/etc/wget.profile --- firejail-0.9.60/etc/wget.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/wget.profile 2019-12-14 13:30:32.000000000 +0000 @@ -7,8 +7,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.wget-hsts noblacklist ${HOME}/.wgetrc @@ -17,6 +15,7 @@ include disable-passwdmgr.inc include disable-programs.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -36,6 +35,6 @@ # private-bin wget private-dev -# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl # private-tmp diff -Nru firejail-0.9.60/etc/whalebird.profile firejail-0.9.62/etc/whalebird.profile --- firejail-0.9.60/etc/whalebird.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/whalebird.profile 2019-12-14 13:30:32.000000000 +0000 
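Review bot: The re-sorted `private-etc` line in the wget profile contains a typo: `crypto-policie` should be `crypto-policies` (the removed line had it right). It is commented out today, so nothing breaks yet, but it is the template users are told to enable; enabling it as written on a Fedora-style system would leave /etc/crypto-policies out of the private /etc and OpenSSL/GnuTLS would lose their policy configuration, a failure that is hard to trace back to a profile. Fix: `# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl`.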
@@ -0,0 +1,45 @@ +# Firejail profile for whalebird +# Description: Electron-based Mastodon/Pleroma client +# This file is overwritten after every install/update +# Persistent local customizations +include whalebird.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/Whalebird + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/Whalebird +whitelist ${HOME}/.config/Whalebird +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private-bin whalebird +private-cache +private-dev +private-etc fonts,machine-id +private-tmp diff -Nru firejail-0.9.60/etc/whitelist-usr-share-common.inc firejail-0.9.62/etc/whitelist-usr-share-common.inc --- firejail-0.9.60/etc/whitelist-usr-share-common.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/whitelist-usr-share-common.inc 2019-12-14 13:30:32.000000000 +0000 
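Review bot: `private-etc fonts,machine-id` looks too narrow for a networked client: with `netfilter` and `protocol unix,inet,inet6` the application talks to a remote server, yet resolv.conf, ca-certificates, ssl, pki and crypto-policies are all masked out of /etc, so name resolution and TLS trust would have to come from somewhere other than the system configuration. The wire-desktop profile touched in this same diff, another Electron client, uses `private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl`; unless Whalebird has been verified working with the shorter list, mirror that line, or add a comment stating that the short list was tested.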
@@ -0,0 +1,54 @@ +# Local customizations come here +include whitelist-usr-share-common.local + +# common /usr/share whitelist for all profiles + +whitelist /usr/share/alsa +whitelist /usr/share/applications +whitelist /usr/share/ca-certificates +whitelist /usr/share/crypto-policies +whitelist /usr/share/cursors +whitelist /usr/share/dconf +whitelist /usr/share/distro-info +whitelist /usr/share/drirc.d +whitelist /usr/share/enchant +whitelist /usr/share/enchant-2 +whitelist /usr/share/fontconfig +whitelist /usr/share/fonts +whitelist /usr/share/gir-1.0 +whitelist /usr/share/gjs-1.0 +whitelist /usr/share/glib-2.0 +whitelist /usr/share/glvnd +whitelist /usr/share/gtk-2.0 +whitelist /usr/share/gtk-3.0 +whitelist /usr/share/gtksourceview-3.0 +whitelist /usr/share/gtksourceview-4 +whitelist /usr/share/hunspell +whitelist /usr/share/hwdata +whitelist /usr/share/icons +whitelist /usr/share/knotifications5 +whitelist /usr/share/kservices5 +whitelist /usr/share/Kvantum +whitelist /usr/share/kxmlgui5 +whitelist /usr/share/libdrm +whitelist /usr/share/libthai +whitelist /usr/share/locale +whitelist /usr/share/mime +whitelist /usr/share/misc +whitelist /usr/share/Modules +whitelist /usr/share/myspell +whitelist /usr/share/p11-kit +whitelist /usr/share/pixmaps +whitelist /usr/share/pki +whitelist /usr/share/plasma +whitelist /usr/share/qt +whitelist /usr/share/qt4 +whitelist /usr/share/qt5 +whitelist /usr/share/sounds +whitelist /usr/share/tcl8.6 +whitelist /usr/share/terminfo +whitelist /usr/share/themes +whitelist /usr/share/thumbnail.so +whitelist /usr/share/X11 +whitelist /usr/share/xml +whitelist /usr/share/zoneinfo diff -Nru firejail-0.9.60/etc/whois.profile firejail-0.9.62/etc/whois.profile --- firejail-0.9.60/etc/whois.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/whois.profile 2019-12-14 13:30:32.000000000 +0000 
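Review bot: The new include has no usage note about its side effect: as with any firejail whitelist, once a profile includes this file, paths under /usr/share that are not listed here become invisible to the sandbox, so an application's own data directory must be whitelisted explicitly next to the include. The wireshark and xfce4-mixer hunks in this release do exactly that (`whitelist /usr/share/wireshark`, `whitelist /usr/share/xfce4`), but nothing here tells other profile authors to. Add under the heading a line such as `# Profiles including this file must also whitelist their own /usr/share/<app> directory`. Separately, `whitelist /usr/share/applications` exposes every installed .desktop file, which is broader than the other entries; if it is only needed for MIME/icon lookup, a comment saying so would help later pruning.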
@@ -1,7 +1,7 @@ # Firejail profile for whois # Description: Intelligent WHOIS client -quiet # This file is overwritten after every install/update +quiet # Persistent local customizations include whois.local # Persistent global definitions @@ -15,6 +15,7 @@ include disable-programs.inc #include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -36,7 +37,7 @@ disable-mnt private -private-bin sh,bash,whois +private-bin bash,sh,whois private-cache private-dev # private-etc alternatives,hosts,services,whois.conf diff -Nru firejail-0.9.60/etc/wine.profile firejail-0.9.62/etc/wine.profile --- firejail-0.9.60/etc/wine.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/wine.profile 2019-12-14 13:30:32.000000000 +0000 @@ -11,19 +11,25 @@ noblacklist ${HOME}/.local/share/steam noblacklist ${HOME}/.steam noblacklist ${HOME}/.wine -# with >=llvm-4 mesa drivers need llvm stuff -noblacklist /usr/lib/llvm* include disable-common.inc include disable-devel.inc include disable-interpreters.inc +include disable-passwdmgr.inc include disable-programs.inc +# some applications don't need allow-debuggers, comment the next line +# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local) +allow-debuggers caps.drop all +# net none netfilter nodvd nogroups nonewprivs noroot notv +# novideo seccomp + +private-dev diff -Nru firejail-0.9.60/etc/wire-desktop.profile firejail-0.9.62/etc/wire-desktop.profile --- firejail-0.9.60/etc/wire-desktop.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/wire-desktop.profile 2019-12-14 13:30:32.000000000 +0000 @@ -16,7 +16,6 @@ mkdir ${HOME}/.config/Wire whitelist ${HOME}/.config/Wire whitelist ${DOWNLOADS} - include whitelist-common.inc caps.drop all 
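Review bot: `allow-debuggers` is now on by default for every Wine run, which (as I understand firejail's option) loosens the seccomp filter to permit ptrace and related calls for the whole sandbox, not just for the programs that need it, and the accompanying comment itself says many applications do not. Consider flipping the default: ship it as `#allow-debuggers` with `# uncomment (or add to wine.local) for Windows programs that need ptrace`, so the stronger filter is kept in the common case. If upstream found that most software under Wine does need it, state that instead of "some applications don't need" it, so the weaker default is understood as deliberate.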
@@ -35,7 +34,7 @@ # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop" disable-mnt -private-bin wire-desktop,bash,sh,env,electron +private-bin bash,electron,electron4,env,sh,wire-desktop private-dev -private-etc alternatives,fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/wireshark-gtk.profile firejail-0.9.62/etc/wireshark-gtk.profile --- firejail-0.9.60/etc/wireshark-gtk.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/wireshark-gtk.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Network protocol analyzer # This file is overwritten after every install/update - # Redirect include wireshark.profile diff -Nru firejail-0.9.60/etc/wireshark.profile firejail-0.9.62/etc/wireshark.profile --- firejail-0.9.60/etc/wireshark.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/wireshark.profile 2019-12-14 13:30:32.000000000 +0000 @@ -10,11 +10,8 @@ noblacklist ${HOME}/.wireshark noblacklist ${DOCUMENTS} -# Wireshark can use Lua for scripting -noblacklist ${PATH}/lua* -noblacklist /usr/lib/lua -noblacklist /usr/include/lua* -noblacklist /usr/share/lua +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc include disable-common.inc include disable-devel.inc @@ -24,6 +21,8 @@ include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/wireshark +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
@@ -46,6 +45,6 @@ # private-bin wireshark private-dev -# private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl private-tmp diff -Nru firejail-0.9.60/etc/wireshark-qt.profile firejail-0.9.62/etc/wireshark-qt.profile --- firejail-0.9.60/etc/wireshark-qt.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/wireshark-qt.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Network protocol analyzer # This file is overwritten after every install/update - # Redirect include wireshark.profile diff -Nru firejail-0.9.60/etc/xed.profile firejail-0.9.62/etc/xed.profile --- firejail-0.9.60/etc/xed.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xed.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,15 +6,13 @@ include globals.local noblacklist ${HOME}/.config/xed -noblacklist ${HOME}/.pythonrc.py +noblacklist ${HOME}/.python-history +noblacklist ${HOME}/.python_history +noblacklist ${HOME}/.pythonhist # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -46,7 +44,6 @@ private-bin xed private-dev -# private-etc alternatives,fonts private-tmp # xed uses python plugins, memory-deny-write-execute breaks python diff -Nru firejail-0.9.60/etc/Xephyr.profile firejail-0.9.62/etc/Xephyr.profile --- firejail-0.9.60/etc/Xephyr.profile 2019-05-27 12:24:51.000000000 +0000 +++ firejail-0.9.62/etc/Xephyr.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -1,22 +1,20 @@ # Firejail profile for Xephyr # This file is overwritten after every install/update # Persistent local customizations +quiet include Xephyr.local # Persistent global definitions include globals.local # # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. -# To enable it, create a firejail-Xephyr symlink in /usr/local/bin: +# To enable it, create a firejail-Xephyr symlink in /usr/local/bin: # # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr # # or run "sudo firecfg" # - -blacklist /media - whitelist /var/lib/xkb include whitelist-common.inc @@ -34,10 +32,11 @@ seccomp shell none +disable-mnt # using a private home directory private -# private-bin Xephyr,sh,xkbcomp -# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls +# private-bin sh,Xephyr,xkbcomp +# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp private-dev -# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname +# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf #private-tmp diff -Nru firejail-0.9.60/etc/xfburn.profile firejail-0.9.62/etc/xfburn.profile --- firejail-0.9.60/etc/xfburn.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xfburn.profile 2019-12-14 13:30:32.000000000 +0000 @@ -29,5 +29,4 @@ # private-bin xfburn # private-dev -# private-etc alternatives,fonts # private-tmp diff -Nru firejail-0.9.60/etc/xfce4-mixer.profile firejail-0.9.62/etc/xfce4-mixer.profile --- firejail-0.9.60/etc/xfce4-mixer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xfce4-mixer.profile 2019-12-14 13:30:32.000000000 +0000 
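Review bot: `quiet` is inserted between the `# Persistent local customizations` comment and `include Xephyr.local`, so that comment now describes the wrong line; the xpra and Xvfb profiles updated in this same release put `quiet` directly after `# This file is overwritten after every install/update`, above the comment. Move it to the same position here so the three X-server profiles read alike and the comment stays attached to its include.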
@@ -18,7 +18,10 @@ mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml +whitelist /usr/share/xfce4 +whitelist /usr/share/xfce4-mixer include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -42,7 +45,7 @@ private-bin xfce4-mixer,xfconf-query private-cache private-dev -private-etc alternatives,asound.conf,fonts,pulse,machine-id +private-etc alternatives,asound.conf,fonts,machine-id,pulse private-tmp memory-deny-write-execute diff -Nru firejail-0.9.60/etc/xiphos.profile firejail-0.9.62/etc/xiphos.profile --- firejail-0.9.60/etc/xiphos.profile 2019-05-17 12:37:47.000000000 +0000 +++ firejail-0.9.62/etc/xiphos.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,11 +6,11 @@ # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc - noblacklist ${HOME}/.sword noblacklist ${HOME}/.xiphos +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -18,6 +18,8 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.sword +mkdir ${HOME}/.xiphos whitelist ${HOME}/.sword whitelist ${HOME}/.xiphos include whitelist-common.inc @@ -44,5 +46,5 @@ private-bin xiphos private-cache private-dev -private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssli,sword.conf,pki,crypto-policies +private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf private-tmp diff -Nru firejail-0.9.60/etc/xlinks.profile firejail-0.9.62/etc/xlinks.profile --- firejail-0.9.60/etc/xlinks.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/xlinks.profile 2019-12-14 13:30:32.000000000 +0000 
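Review bot: The re-sorted xiphos `private-etc` line still carries `ssli`, almost certainly a typo for `ssl` carried over from the old line; as written /etc/ssl is excluded from the private /etc, so CA bundle and openssl.cnf lookups under /etc/ssl would fail for module downloads on distributions that keep them there (ca-certificates and pki are present, so it may work by chance elsewhere). Since this commit rewrites the line anyway, fix it: `private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,sword,sword.conf`.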
@@ -0,0 +1,21 @@ +# Firejail profile for xlinks +# Description: Text WWW browser (X11) +# This file is overwritten after every install/update +# Persistent local customizations +include xlinks.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist /tmp/.X11-unix +noblacklist ${HOME}/.links + +include whitelist-common.inc + +# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' +# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line +private-bin xlinks +private-etc fonts + +# Redirect +include links.profile diff -Nru firejail-0.9.60/etc/XMind.profile firejail-0.9.62/etc/XMind.profile --- firejail-0.9.60/etc/XMind.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/XMind.profile 2019-12-14 13:30:32.000000000 +0000 @@ -32,7 +32,7 @@ shell none disable-mnt -private-bin XMind,sh,cp +private-bin cp,sh,XMind private-tmp private-dev diff -Nru firejail-0.9.60/etc/xmr-stak.profile firejail-0.9.62/etc/xmr-stak.profile --- firejail-0.9.60/etc/xmr-stak.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xmr-stak.profile 2019-12-14 13:30:32.000000000 +0000 @@ -6,7 +6,6 @@ include globals.local noblacklist ${HOME}/.xmr-stak -noblacklist /usr/lib/llvm* include disable-common.inc include disable-devel.inc diff -Nru firejail-0.9.60/etc/xonotic-glx.profile firejail-0.9.62/etc/xonotic-glx.profile --- firejail-0.9.60/etc/xonotic-glx.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xonotic-glx.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update - # Redirect include xonotic.profile diff -Nru firejail-0.9.60/etc/xonotic.profile firejail-0.9.62/etc/xonotic.profile --- firejail-0.9.60/etc/xonotic.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xonotic.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -37,6 +37,6 @@ disable-mnt private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl private-dev -private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.60/etc/xonotic-sdl.profile firejail-0.9.62/etc/xonotic-sdl.profile --- firejail-0.9.60/etc/xonotic-sdl.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xonotic-sdl.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,5 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update - # Redirect include xonotic.profile diff -Nru firejail-0.9.60/etc/xplayer-audio-preview.profile firejail-0.9.62/etc/xplayer-audio-preview.profile --- firejail-0.9.60/etc/xplayer-audio-preview.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xplayer-audio-preview.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include xplayer-audio-preview.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include xplayer.profile diff -Nru firejail-0.9.60/etc/xplayer.profile firejail-0.9.62/etc/xplayer.profile --- firejail-0.9.60/etc/xplayer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xplayer.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -11,12 +11,8 @@ noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -43,6 +39,6 @@ private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer private-dev -# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies +# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl private-tmp diff -Nru firejail-0.9.60/etc/xplayer-video-thumbnailer.profile firejail-0.9.62/etc/xplayer-video-thumbnailer.profile --- firejail-0.9.60/etc/xplayer-video-thumbnailer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xplayer-video-thumbnailer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include xplayer-video-thumbnailer.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include xplayer.profile diff -Nru firejail-0.9.60/etc/xpra.profile firejail-0.9.62/etc/xpra.profile --- firejail-0.9.60/etc/xpra.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xpra.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for xpra # Description: Tool to detach/reattach running X programs # This file is overwritten after every install/update +quiet # Persistent local customizations include xpra.local # Persistent global definitions 
@@ -8,21 +9,15 @@ # # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. -# To enable it, create a firejail-xpra symlink in /usr/local/bin: +# To enable it, create a firejail-xpra symlink in /usr/local/bin: # # $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra # # or run "sudo firecfg" -blacklist /media - # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -49,10 +44,11 @@ seccomp shell none +disable-mnt # private home directory doesn't work on some distros, so we go for a regular home # private # older Xpra versions also use Xvfb -# private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls +# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb private-dev -# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 +# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra private-tmp diff -Nru firejail-0.9.60/etc/xreader-previewer.profile firejail-0.9.62/etc/xreader-previewer.profile --- firejail-0.9.60/etc/xreader-previewer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xreader-previewer.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -3,8 +3,8 @@ # Persistent local customizations include xreader-previewer.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include xreader.profile diff -Nru firejail-0.9.60/etc/xreader-thumbnailer.profile firejail-0.9.62/etc/xreader-thumbnailer.profile --- firejail-0.9.60/etc/xreader-thumbnailer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xreader-thumbnailer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -3,8 +3,8 @@ # Persistent local customizations include xreader-thumbnailer.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include xreader.profile diff -Nru firejail-0.9.60/etc/Xvfb.profile firejail-0.9.62/etc/Xvfb.profile --- firejail-0.9.60/etc/Xvfb.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/Xvfb.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for Xvfb # Description: Virtual Framebuffer 'fake' X server # This file is overwritten after every install/update +quiet # Persistent local customizations include Xvfb.local # Persistent global definitions @@ -9,7 +10,7 @@ # # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. # The target program is sandboxed with its own profile. By default the this functionality -# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: +# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: # # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb # @@ -17,8 +18,6 @@ # some Linux distributions. Also, older versions of Xpra use Xvfb. # -blacklist /media - whitelist /var/lib/xkb include whitelist-common.inc 
@@ -32,14 +31,16 @@ nosound notv nou2f +novideo protocol unix seccomp shell none +disable-mnt # using a private home directory private -# private-bin Xvfb,sh,xkbcomp -# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls +# private-bin sh,xkbcomp,Xvfb +# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb private-dev -private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname +private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf private-tmp diff -Nru firejail-0.9.60/etc/xviewer.profile firejail-0.9.62/etc/xviewer.profile --- firejail-0.9.60/etc/xviewer.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xviewer.profile 2019-12-14 13:30:32.000000000 +0000 @@ -39,7 +39,6 @@ private-bin xviewer private-dev -#private-etc alternatives,fonts private-lib private-tmp diff -Nru firejail-0.9.60/etc/xxd.profile firejail-0.9.62/etc/xxd.profile --- firejail-0.9.60/etc/xxd.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xxd.profile 2019-12-14 13:30:32.000000000 +0000 @@ -4,8 +4,8 @@ # Persistent local customizations include xxd.local # Persistent global definitions -include globals.local - +# added by included profile +#include globals.local # Redirect include vim.profile diff -Nru firejail-0.9.60/etc/xzcat.profile firejail-0.9.62/etc/xzcat.profile --- firejail-0.9.60/etc/xzcat.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xzcmp.profile firejail-0.9.62/etc/xzcmp.profile --- firejail-0.9.60/etc/xzcmp.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzcmp.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xzdec.profile firejail-0.9.62/etc/xzdec.profile --- firejail-0.9.60/etc/xzdec.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzdec.profile 2019-12-14 13:30:32.000000000 +0000 @@ -5,23 +5,33 @@ # Persistent local customizations include xzdec.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -blacklist /tmp/.X11-unix +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc -ignore noroot +caps.drop all +ipc-namespace +machine-id net none no3d nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog +x11 none private-dev - -include default.profile diff -Nru firejail-0.9.60/etc/xzdiff.profile firejail-0.9.62/etc/xzdiff.profile --- firejail-0.9.60/etc/xzdiff.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzdiff.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xzegrep.profile firejail-0.9.62/etc/xzegrep.profile --- firejail-0.9.60/etc/xzegrep.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzegrep.profile 2019-12-14 13:30:32.000000000 +0000 
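Review bot: `#nogroups` and `#noroot` are added to xzdec.profile commented out with no reason, and the same hunk drops `include default.profile`, so these two hardening lines are now the profile's own responsibility and a later reader cannot tell whether they were disabled deliberately or just not yet tested. The new zstd.profile further down in this series carries the same unexplained `#noroot`. Suggest a why-comment on both, e.g. `# noroot/nogroups left disabled: <reason — TODO confirm>`, so the exception is not silently kept forever.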
@@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xzfgrep.profile firejail-0.9.62/etc/xzfgrep.profile --- firejail-0.9.60/etc/xzfgrep.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzfgrep.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xzgrep.profile firejail-0.9.62/etc/xzgrep.profile --- firejail-0.9.60/etc/xzgrep.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzgrep.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xzless.profile firejail-0.9.62/etc/xzless.profile --- firejail-0.9.60/etc/xzless.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzless.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xzmore.profile firejail-0.9.62/etc/xzmore.profile --- firejail-0.9.60/etc/xzmore.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xzmore.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/xz.profile firejail-0.9.62/etc/xz.profile --- firejail-0.9.60/etc/xz.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/xz.profile 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,5 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/yelp.profile firejail-0.9.62/etc/yelp.profile --- firejail-0.9.60/etc/yelp.profile 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/etc/yelp.profile 2019-12-14 13:30:32.000000000 +0000 @@ -18,7 +18,11 @@ mkdir ${HOME}/.config/yelp whitelist ${HOME}/.config/yelp +whitelist /usr/share/help +whitelist /usr/share/yelp +whitelist /usr/share/yelp-xsl include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.60/etc/youtube-dl.profile firejail-0.9.62/etc/youtube-dl.profile --- firejail-0.9.60/etc/youtube-dl.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/youtube-dl.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -7,20 +7,20 @@ # Persistent global definitions include globals.local +# breaks when installed under ${HOME} via `pip install --user` (see #2833) +ignore noexec ${HOME} + +noblacklist ${HOME}/.cache/youtube-dl +noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.netrc noblacklist ${MUSIC} noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) -noblacklist ${PATH}/python2* -noblacklist ${PATH}/python3* -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* -noblacklist /usr/local/lib/python2* -noblacklist /usr/local/lib/python3* +include allow-python2.inc +include allow-python3.inc -# breaks when installed via pip -ignore noexec ${HOME} +blacklist /tmp/.X11-unix include disable-common.inc include disable-devel.inc @@ -30,6 +30,7 @@ include disable-programs.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -52,11 +53,10 @@ shell none tracelog -disable-mnt -private-bin youtube-dl,python*,ffmpeg +private-bin env,ffmpeg,python*,youtube-dl private-cache private-dev -private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types +private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf private-tmp -# memory-deny-write-execute - breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.60/etc/zaproxy.profile firejail-0.9.62/etc/zaproxy.profile --- firejail-0.9.60/etc/zaproxy.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/zaproxy.profile 2019-12-14 13:30:32.000000000 +0000 
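Review bot: `disable-mnt` is removed from youtube-dl.profile without a comment, which re-exposes /mnt, /media, /run/mount and /run/media to the sandbox, while the hunk's other relaxations (`ignore noexec ${HOME}`, `#memory-deny-write-execute`) each cite an issue number. Presumably this is so downloads can be written to mounted media; if so, say it on the line, e.g. `# disable-mnt dropped so downloads can be saved to mounted media (see #ISSUE-ID)`. Adding `env` to `private-bin` also deserves a one-line why-comment, since it is a generic launcher rather than something youtube-dl itself provides.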
@@ -6,14 +6,10 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.java noblacklist ${HOME}/.ZAP -# Allow access to java -noblacklist ${PATH}/java -noblacklist /usr/lib/java -noblacklist /etc/java -noblacklist /usr/share/java +# Allow java (blacklisted by disable-devel.inc) +include allow-java.inc include disable-common.inc include disable-devel.inc @@ -22,6 +18,7 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.java mkdir ${HOME}/.ZAP whitelist ${HOME}/.java whitelist ${HOME}/.ZAP diff -Nru firejail-0.9.60/etc/zart.profile firejail-0.9.62/etc/zart.profile --- firejail-0.9.60/etc/zart.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/zart.profile 2019-12-14 13:30:32.000000000 +0000 @@ -31,6 +31,6 @@ seccomp shell none -private-bin zart,ffmpeg,melt,ffprobe,ffplay +private-bin ffmpeg,ffplay,ffprobe,melt,zart private-dev diff -Nru firejail-0.9.60/etc/zathura.profile firejail-0.9.62/etc/zathura.profile --- firejail-0.9.60/etc/zathura.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/zathura.profile 2019-12-14 13:30:32.000000000 +0000 @@ -12,6 +12,7 @@ include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -28,9 +29,11 @@ nosound notv nou2f +novideo protocol unix seccomp shell none +tracelog private-bin zathura private-cache @@ -38,5 +41,8 @@ private-etc alternatives,fonts,machine-id private-tmp -read-only ${HOME}/ -read-write ${HOME}/.local/share/zathura/ +mkdir ${HOME}/.config/zathura +mkdir ${HOME}/.local/share/zathura +read-only ${HOME} +read-write ${HOME}/.config/zathura +read-write ${HOME}/.local/share/zathura diff -Nru firejail-0.9.60/etc/zcat.profile firejail-0.9.62/etc/zcat.profile --- firejail-0.9.60/etc/zcat.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/zcat.profile 2019-12-28 13:14:56.000000000 +0000 
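Review bot: `noblacklist ${HOME}/.java` is removed from zaproxy.profile while `whitelist ${HOME}/.java` stays and `mkdir ${HOME}/.java` is added; allow-java.inc is not in this chunk, so if it does not itself un-blacklist `${HOME}/.java` and one of the disable-*.inc files blacklists that directory, the whitelist/mkdir pair would point at a blacklisted path. Worth confirming against allow-java.inc. If it does cover it, a comment next to the mkdir, `# ${HOME}/.java is un-blacklisted by allow-java.inc`, keeps the next reader from re-adding the noblacklist.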
@@ -0,0 +1,11 @@
+# Firejail profile for zcat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zcmp.profile firejail-0.9.62/etc/zcmp.profile
--- firejail-0.9.60/etc/zcmp.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zcmp.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@
+# Firejail profile for zcmp
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zdiff.profile firejail-0.9.62/etc/zdiff.profile
--- firejail-0.9.60/etc/zdiff.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zdiff.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@
+# Firejail profile for zdiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zeal.profile firejail-0.9.62/etc/zeal.profile
--- firejail-0.9.60/etc/zeal.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zeal.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,56 @@
+# Firejail profile for zeal
+# Description: Offline documentation browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zeal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Zeal
+noblacklist ${HOME}/.cache/Zeal
+noblacklist ${HOME}/.local/share/Zeal
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zeal
+mkdir ${HOME}/.cache/Zeal
+mkdir ${HOME}/.local/share/Zeal
+whitelist ${HOME}/.config/Zeal
+whitelist ${HOME}/.cache/Zeal
+whitelist ${HOME}/.local/share/Zeal
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin zeal
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-tmp
+
+memory-deny-write-execute
diff -Nru firejail-0.9.60/etc/zegrep.profile firejail-0.9.62/etc/zegrep.profile
--- firejail-0.9.60/etc/zegrep.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zegrep.profile 2019-12-28 13:14:56.000000000 +0000
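Review bot: `memory-deny-write-execute` is enabled at the end of the new zeal.profile for a program that renders HTML documentation with an embedded web engine; if the installed build is linked against a JIT-backed engine, that option is likely to break rendering, which is the same class of breakage the youtube-dl hunk in this series records for its own `#memory-deny-write-execute`. Either document that it was verified, e.g. `# memory-deny-write-execute verified with <engine/version — TODO confirm>`, or leave it commented out with the reason until confirmed. The rest of the profile is consistent with the neighbouring new profiles (whitelist-only home, private-bin/etc, nodbus).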
@@ -0,0 +1,11 @@
+# Firejail profile for zegrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zfgrep.profile firejail-0.9.62/etc/zfgrep.profile
--- firejail-0.9.60/etc/zfgrep.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zfgrep.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@
+# Firejail profile for zfgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zforce.profile firejail-0.9.62/etc/zforce.profile
--- firejail-0.9.60/etc/zforce.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zforce.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@
+# Firejail profile for zforce
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zforce.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zgrep.profile firejail-0.9.62/etc/zgrep.profile
--- firejail-0.9.60/etc/zgrep.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zgrep.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@
+# Firejail profile for zgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zless.profile firejail-0.9.62/etc/zless.profile
--- firejail-0.9.60/etc/zless.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zless.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@
+# Firejail profile for zless
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/zmore.profile firejail-0.9.62/etc/zmore.profile
--- firejail-0.9.60/etc/zmore.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zmore.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@
+# Firejail profile for zmore
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff -Nru firejail-0.9.60/etc/znew.profile firejail-0.9.62/etc/znew.profile
--- firejail-0.9.60/etc/znew.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/znew.profile 2019-12-28 13:14:56.000000000 +0000
@@ -0,0 +1,11 @@ +# Firejail profile for znew +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include znew.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include gzip.profile diff -Nru firejail-0.9.60/etc/zoom.profile firejail-0.9.62/etc/zoom.profile --- firejail-0.9.60/etc/zoom.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/zoom.profile 2019-12-14 13:30:32.000000000 +0000 @@ -13,6 +13,8 @@ include disable-interpreters.inc include disable-programs.inc +mkdir ${HOME}/.cache/zoom +mkfile ${HOME}/.config/zoomus.conf mkdir ${HOME}/.zoom whitelist ${HOME}/.cache/zoom whitelist ${HOME}/.config/zoomus.conf diff -Nru firejail-0.9.60/etc/zpaq.profile firejail-0.9.62/etc/zpaq.profile --- firejail-0.9.60/etc/zpaq.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/etc/zpaq.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for zpaq # Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm. # This file is overwritten after every install/update +quiet # Persistent local customizations include zpaq.local # Persistent global definitions @@ -10,6 +11,5 @@ # mdwx breaks 'list' functionality ignore memory-deny-write-execute - # Redirect include cpio.profile diff -Nru firejail-0.9.60/etc/zstdcat.profile firejail-0.9.62/etc/zstdcat.profile --- firejail-0.9.60/etc/zstdcat.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/zstdcat.profile 2019-12-14 13:30:32.000000000 +0000 @@ -0,0 +1,5 @@ +# Firejail profile alias for zstd +# This file is overwritten after every install/update + +# Redirect +include zstd.profile diff -Nru firejail-0.9.60/etc/zstdgrep.profile firejail-0.9.62/etc/zstdgrep.profile --- firejail-0.9.60/etc/zstdgrep.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/etc/zstdgrep.profile 2019-12-14 13:30:32.000000000 +0000 
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff -Nru firejail-0.9.60/etc/zstdless.profile firejail-0.9.62/etc/zstdless.profile
--- firejail-0.9.60/etc/zstdless.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zstdless.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff -Nru firejail-0.9.60/etc/zstdmt.profile firejail-0.9.62/etc/zstdmt.profile
--- firejail-0.9.60/etc/zstdmt.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zstdmt.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff -Nru firejail-0.9.60/etc/zstd.profile firejail-0.9.62/etc/zstd.profile
--- firejail-0.9.60/etc/zstd.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zstd.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,42 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname zstd
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+memory-deny-write-execute
diff -Nru firejail-0.9.60/etc/zulip.profile firejail-0.9.62/etc/zulip.profile
--- firejail-0.9.60/etc/zulip.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/etc/zulip.profile 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp
diff -Nru firejail-0.9.60/Makefile.in firejail-0.9.62/Makefile.in
--- firejail-0.9.60/Makefile.in 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/Makefile.in 2019-12-14 13:30:32.000000000 +0000
@@ -115,12 +115,15 @@
 install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 contrib/sort.py $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 contrib/syscalls.sh $(DESTDIR)/$(libdir)/firejail/.
 endif
 # documents
 install -m 0755 -d $(DESTDIR)/$(DOCDIR)
 install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
 install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
 install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
+ install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/.
 # etc files
 ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
 install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
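Review bot: `ignore noexec /tmp` near the top of the new zulip.profile re-enables execution from the shared /tmp for a networked chat client and carries no comment; the youtube-dl profile in this same series documents its equivalent `ignore noexec ${HOME}` with a reason and an issue number, and this line should get the same treatment, e.g. `# noexec /tmp breaks <what> (see #ISSUE-ID)`. Separately, `private-etc asound.conf,fonts,machine-id` gives a client that declares `protocol unix,inet,inet6` and `netfilter` no resolv.conf, hosts, nsswitch.conf or CA-store entries (ca-certificates/ssl/pki/crypto-policies), unlike zeal.profile in the same series; unless the application resolves names and validates TLS without those files, the list looks too narrow and is worth re-testing with a real login.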
@@ -190,6 +193,7 @@ rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg + @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038." DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES" DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" @@ -215,12 +219,6 @@ deb-apparmor: dist ./mkdeb-apparmor.sh $(NAME) $(VERSION) -snap: all - cd platform/snap; ./snap.sh - -install-snap: snap - sudo snap remove faudit; sudo snap install faudit*.snap - test-compile: dist cd test/compile; ./compile.sh $(NAME)-$(VERSION) @@ -232,10 +230,10 @@ $(MAKE) -C extras/firetools cppcheck: clean - cppcheck --force . + cppcheck --force --error-exitcode=1 --enable=warning,performance . scan-build: clean - scan-build make + NO_EXTRA_CFLAGS="yes" scan-build make # 
@@ -287,6 +285,9 @@ test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" +test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments + echo "TEST COMPLETE" + test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments echo "TEST COMPLETE" diff -Nru firejail-0.9.60/mkdeb-apparmor.sh firejail-0.9.62/mkdeb-apparmor.sh --- firejail-0.9.60/mkdeb-apparmor.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/mkdeb-apparmor.sh 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,8 @@ # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ # a code archive should already be available +set -e + TOP=`pwd` CODE_ARCHIVE="$1-$2.tar.xz" CODE_DIR="$1-$2" diff -Nru firejail-0.9.60/mkdeb.sh firejail-0.9.62/mkdeb.sh --- firejail-0.9.60/mkdeb.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/mkdeb.sh 2019-12-14 13:30:32.000000000 +0000 @@ -2,6 +2,8 @@ # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ # a code archive should already be available +set -e + TOP=`pwd` CODE_ARCHIVE="$1-$2.tar.xz" CODE_DIR="$1-$2" diff -Nru firejail-0.9.60/platform/rpm/mkrpm.sh firejail-0.9.62/platform/rpm/mkrpm.sh --- firejail-0.9.60/platform/rpm/mkrpm.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/platform/rpm/mkrpm.sh 2019-12-14 13:30:32.000000000 +0000 
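Review bot: `set -e` is added to mkdeb.sh (and identically to mkdeb-apparmor.sh in the preceding hunk), but the lines right after it still build `CODE_ARCHIVE="$1-$2.tar.xz"` and `CODE_DIR="$1-$2"` from positional parameters that are never checked, so a missing argument silently yields names like `-.tar.xz` instead of an error, and `set -e` does not catch that. Suggest `set -eu` together with `: "${1:?package name required}" "${2:?version required}"` before the assignments, and `TOP=$(pwd)` in place of the backtick form. The rest of each script is outside the hunk, so any later `rm -rf` on these names should be checked against the same empty-argument case.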
@@ -33,7 +33,7 @@ # FIXME: We could parse RELNOTES and create a %changelog section here # Copy the source to build into a tarball -tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='./.git*' --exclude='./test*' +tar --exclude='./.git*' --exclude='./test' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . # Build the files (rpm, debug rpm and source rpm) rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file} diff -Nru firejail-0.9.60/README firejail-0.9.62/README --- firejail-0.9.60/README 2019-05-26 12:46:03.000000000 +0000 +++ firejail-0.9.62/README 2019-12-14 13:30:32.000000000 +0000 @@ -23,9 +23,11 @@ $ cd firejail $ ./configure && make && sudo make install-strip -On Debian/Ubuntu you will need to install git and a compiler: +On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor +development libraries and pkg-config are required when using --apparmor +./configure option: -$ sudo apt-get install build-essential +$ sudo apt-get install git build-essential libapparmor-dev pkg-config @@ -56,6 +58,8 @@ - fix flameshot raw screenshots 1dnrr (https://github.com/1dnrr) - add pybitmessage profile +Adrian L. Shaw (https://github.com/adrianlshaw) + - add profanity profile Aidan Gauland (https://github.com/aidalgol) - added electron and riot-web profiles Akhil Hans Maulloo (https://github.com/kouul) @@ -97,7 +101,9 @@ Antonio Russo (https://github.com/aerusso) - enumerate root directories in apparmor profile - fix join-or-start -Austin Morton +aoand (https://github.com/aoand) + - seccomp fix: allow numeric syscalls +Austin Morton (https://github.com/apmorton) - deterministic-exit-code option - private-cwd options Austin S. Hemmelgarn (https://github.com/Ferroin) 
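Review bot: The rewritten tar line in mkrpm.sh still leaves the archive path unquoted, `${tmpdir}/SOURCES/${name}-${version}.tar.gz`, so a temp dir or version string containing whitespace or glob characters would be word-split before tar sees it; `-czf "${tmpdir}/SOURCES/${name}-${version}.tar.gz"` fixes that (the `--transform` argument is already quoted). The change from `--exclude='./test*'` to `--exclude='./test'` narrows the exclusion to the test directory alone, which is presumably intended but deserves a short comment on the line. `${tmpdir}`, `${name}` and `${version}` are defined outside the hunk.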
@@ -119,6 +125,10 @@ - various other fixes Bader Zaidan (https://github.com/BaderSZ) - Telegram profile +Bandie (https://github.com/Bandie) + - fixed riot-desktop +Barış Ekin Yıldırım (https://github.com/circuitshaker) + - removing net none from code.profile Benjamin Kampmann (https://github.com/ligthyear) - Forward exit code from child process bitfreak25 (https://github.com/bitfreak25) @@ -161,6 +171,9 @@ - evolution profile fix Clayton Williams (https://github.com/gosre) - addition of RLIMIT_AS +corecontingency (https://https://github.com/corecontingency) + - tighten private-bin and etc for torbrowser-launcher.profile + - added i2prouter profile crass (https://github.com/crass) - extract_command_name fixes - update appimage size calculation to newest code from libappimage @@ -181,6 +194,7 @@ - added freeoffice-textmaker, freeoffice-presentations profiles - added cantata profile - updated keypassxc profile + - added syscalls.sh, which determine the necessary syscalls for a program da2x (https://github.com/da2x) - matched RPM license tag Daan Bakker (https://github.com/dbakker) 
@@ -193,24 +207,36 @@ Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix +David Thole (https://github.com/TheDarkTrumpet) + - added profile for teams-for-linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile +Denys Havrysh (https://github.com/vutny) + - update SkypeForLinux profile for latest version + - removed outdated Skype profile dewbasaur (https://github.com/dewbasaur) - block access to history files - Firefox PDF.js exploit (CVE-2015-4495) fixes - Steam profile DiGitHubCap (https://github.com/DiGitHubCap) - deluge profile fix +Disconnect3d (https://github.com/disconnect3d) + - code cleanup dshmgh (https://github.com/dshmgh) - overlayfs fix for systems with /home mounted on a separate partition Duncan Overbruck (https://github.com/Duncaen) - musl libc fix - utmp fix - fix install for --disable-seccomp software configurations +Eduard Tolosa (https://github.com/Edu4rdSHL) + - fixed and hardened qpdfview.profile + - fixed gajim.profile emacsomancer (https://github.com/emacsomancer) - added profile for Conkeror browser eventyrer (https://github.com/eventyrer) - update gnome-mplayer.profile +Ethan R (https://github.com/AN3223) + - add allow-perl.inc to w3m.profile Fabian Würfl (https://github.com/BafDyce) - fixed race condition when creating a new directory - Liferea profile @@ -220,6 +246,8 @@ - fixed qml disk cache issue Franco (nextime) Lanza (https://github.com/nextime) - added --private-template/--private-home +František Polášek (https://github.com/fandaa) + - fix QOwnNotes profile fuelflo (https://github.com/fuelflo) - added rambox profile Fred-Barclay (https://github.com/Fred-Barclay) 
@@ -302,6 +330,8 @@ - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie - new profiles: masterpdfeditor +gm10 (https://github.com/gm10) + - get_user() do not use the unreliable getlogin() graywolf (https://github.com/graywolf) - spelling fix greigdp (https://github.com/greigdp) @@ -353,14 +383,19 @@ - add AnyDesk profile - add WebStorm profile - add XMind profile + - add Whalebird profile + - add zulip profile - add nvm to list of disabled interpreters - fixes for tor-browser-* profiles - alias for riot-desktop - add gnome-mpv profile - fix wire profile + - fix itch profile - add Beaker profile - fixes for gnome-music - allow reading of system-wide Flatpak locale in gajim profile +Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth) + - fixed spotify.profile Jericho (https://github.com/attritionorg) - spelling Jesse Smith (https://github.com/slicer69) @@ -378,6 +413,13 @@ - fixed franz profile Jose Riha (https://github.com/jose1711) - added meteo-qt profile + - created qgis, links, xlinks profiles + - extended profile.template with comments + - some typo and comment fixes in profile.template + - Make it possible for cheese app to save pictures too + - Add davfs2 secrets file to blacklist + - Add profile for udiskie + - fix udiskie.profile jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile @@ -427,6 +469,8 @@ mahdi1234 (https://github.com/mahdi1234) - cherrytree profile - Seamonkey profiles +Manuel Dipolt (https://github.com/xeniter) + - stack alignment for the ARM Architecture Martin Carpenter (https://github.com/mcarpenter) - security audit and bug fixes - Centos 6.x support @@ -441,6 +485,7 @@ - rpm spec and several fixes matu3ba (https://github.com/matu3ba) - evince hardening, dbus removed + - fix dia profile maxice8 (https://github.com/maxice8) - fixed missing header Melvin Vermeeren (https://github.com/melvinvermeeren) 
@@ -450,6 +495,8 @@ - bugfixes Mike Frysinger (vapier@gentoo.org) - Gentoo compile patch +mirabellette (https://github.com/mirabellette) + - add comment to thunderbird.profile to allow Firefox to load profiles mjudtmann (https://github.com/mjudtmann) - lock firejail configuration in disable-mgmt.inc mustaqimM (https://github.com/mustaqimM) @@ -459,10 +506,13 @@ Nick Fox (https://github.com/njfox) - add a profile alias for code-oss - add code-oss config directory + - fix wire-desktop.profile on arch NickMolloy (https://github.com/NickMolloy) - ARP address length fix Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client +Niklas Goerke (https://github.com/Niklas974) + - update QOwnNotes profile nyancat18 (https://github.com/nyancat18) - added ardour4, dooble, karbon, krita profiles Ondra Nekola (https://github.com/satai) @@ -473,6 +523,8 @@ - fixes to keepassxc, thunderbird and pluma Panzerfather (https://github.com/Panzerfather) - allow eog to access user's trash +Patrick Schleizer (https://github.com/adrelanos) + - fix tb-starter-wrapper profile Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) - user namespace implementation Paul Moore 
@@ -565,36 +617,28 @@ - added profiles: gajim-history-manager, freemind, nomacs, kid3 - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk - - added profiles: ktouch, yelp - - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse - - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool - - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany - - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro - - fixed profiles: default, mpv, authenticator, gramps, webstorm - - fixed profiles: freeoffice-planmaker, freeoffice-presentations - - fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion - - fixed profiles: android-studio, git, gitg, github-desktop, idea.sh - - fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller - - fixed profiles: eog, eom, xiphos, firefox-common, libreoffice - - fixed profiles: ocenaudio, sysprof, exiftool - - hardened profiles: disable-common.inc, disable-programs.inc - - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox - - hardened profiles: gnome-clocks, meld, minetest, youtube-dl - - hardened profiles: bibletime, whois, etr, display, feh, mpv, xiphos - - hardened profiles: gnome-chess - - gnome-mpv was renamed to celluloid + - added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl + - added profiles: pandoc, gnome-sound-recorder, godot, newsbeuter + - added profiles: keepassxc-cli, keepassxc-proxy, rhythmbox-client + - added profiles: zeal, gnome-characters, gnome-character-map + - many profile fixing and hardening - some typo fixes + - added profile templates + - added sort.py to contrib Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) - fixed ktorrent profile sarneaud (https://github.com/sarneaud) - rewrite globbing code to fix various minor issues - added noblacklist command for profile files - various enhancements and bug fixes +Sebastian Hafner 
(https://github.com/DropNib) + - profile support for allow-debuggers Senemu (https://github.com/Senemu) - protection for .pythonrc.py - fixed evince Sergey Alirzaev (https://github.com/l29ah) - firejail.h enum fix + - firefox-common-addons.inc: + tridactyl Tobias Schmidl (https://github.com/schtobia) - added profile for webui-aria2 Simon Peter (https://github.com/probonopd) @@ -691,6 +735,11 @@ - handbrake profile - mplayer and smplayer profiles - kwrite and geary profiles +StelFux (https://github.com/StelFux) + - Fix youtube video in totem +the-antz (https://github.com/the-antz) + - Fix libx265 encoding in ffmpeg profile + - Profile tweaks thewisenerd (https://github.com/thewisenerd) - allow multiple private-home commands - use $SHELL variable if the shell is not specified @@ -705,6 +754,9 @@ - added lstat() / lstat64() support to libtrace - include mkuid.sh in make dist - cppcheck bugfixes +Timo Hardebusch (https://github.com/tihadot) + - add signal-cli profile + - KeePassXC: added a warning regarding tray icon tinmanx (https://github.com/tinmanx) - remove network access from cherrytree.profile Tom Mellor (https://github.com/kalegrill) @@ -718,6 +770,7 @@ - seccomp default list update - improve loading of seccomp filter and memory-deny-write-execute feature - private-lib feature + - make --nodbus block also system D-Bus socket user1024 (user1024@tut.by) - electron profile whitelisting - fixed Rocket.Chat profile diff -Nru firejail-0.9.60/RELNOTES firejail-0.9.62/RELNOTES --- firejail-0.9.60/RELNOTES 2019-05-26 21:03:42.000000000 +0000 +++ firejail-0.9.62/RELNOTES 2019-12-28 13:25:09.000000000 +0000 
@@ -1,3 +1,31 @@ +firejail (0.9.62) baseline; urgency=low + * added file-copy-limit in /etc/firejail/firejail.config + * profile templates (/usr/share/doc/firejail) + * allow-debuggers support in profiles + * several seccomp enhancements + * compiler flags autodetection + * move chroot entirely from path based to file descriptor based mounts + * whitelisting /usr/share in a large number of profiles + * new scripts in conrib: gdb-firejail.sh and sort.py + * enhancement: whitelist /usr/share in some profiles + * added signal mediation to apparmor profile + * new conditions: HAS_X11, HAS_NET + * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks + * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder + * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli + * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123 + * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123 + * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss + * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt + * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird, + * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, + * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless + * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra + * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity + * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc + * new profiles: electron-mail, gist, gist-paste + -- netblue30 Sat, 28 Dec 2019 08:00:00 -0500 + firejail (0.9.60) baseline; urgency=low * security bug reported by Austin Morton: Seccomp filters are copied into /run/firejail/mnt, and are writable diff -Nru firejail-0.9.60/src/common.mk.in firejail-0.9.62/src/common.mk.in --- firejail-0.9.60/src/common.mk.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/common.mk.in 
 2019-12-14 13:30:32.000000000 +0000
@@ -3,6 +3,7 @@
 CC=@CC@
 prefix=@prefix@
 exec_prefix=@exec_prefix@
+bindir=@bindir@
 libdir=@libdir@
 sysconfdir=@sysconfdir@
@@ -20,6 +21,7 @@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
@@ -28,7 +30,14 @@
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
+CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
+CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST)
+CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+ifdef NO_EXTRA_CFLAGS
+else
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@
+endif
diff -Nru firejail-0.9.60/src/faudit/dbus.c firejail-0.9.62/src/faudit/dbus.c
--- firejail-0.9.60/src/faudit/dbus.c 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/faudit/dbus.c 2019-12-14 13:30:32.000000000 +0000
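Review bot: The `ifdef NO_EXTRA_CFLAGS` / `else` / `endif` block at the end of the hunk has an empty then-branch; `ifndef NO_EXTRA_CFLAGS` directly followed by the `EXTRA_CFLAGS +=@EXTRA_CFLAGS@` line and `endif` expresses the same thing without the empty branch. A comment on what the knob is for would help the next reader, e.g. `# NO_EXTRA_CFLAGS=1 on the make command line skips the flags detected by configure` — hedged, since what EXTRA_CFLAGS carries is decided in configure rather than here. The hardening flags (`-fstack-protector-all`, `-D_FORTIFY_SOURCE=2`, `-fPIE -pie`, `-z,relro -z,now`) remain in the unconditional CFLAGS/LDFLAGS lines, so the opt-out does not weaken them; that is worth stating in the same comment.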
@@ -35,7 +35,7 @@
 struct sockaddr_un remote;
 memset(&remote, 0, sizeof(struct sockaddr_un));
 remote.sun_family = AF_UNIX;
- strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path));
+ strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1);
 int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
 if (*sockfile == '@')
 remote.sun_path[0] = '\0';
diff -Nru firejail-0.9.60/src/faudit/Makefile.in firejail-0.9.62/src/faudit/Makefile.in
--- firejail-0.9.60/src/faudit/Makefile.in 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/faudit/Makefile.in 2019-12-14 13:30:32.000000000 +0000
@@ -8,7 +8,7 @@
 faudit: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o faudit *.gcov *.gcda *.gcno
+clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist
 distclean: clean
 rm -fr Makefile
diff -Nru firejail-0.9.60/src/fbuilder/build_profile.c firejail-0.9.62/src/fbuilder/build_profile.c
--- firejail-0.9.60/src/fbuilder/build_profile.c 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/fbuilder/build_profile.c 2019-12-14 13:30:32.000000000 +0000
@@ -61,19 +61,18 @@
 char *output;
 char *stroutput;
- if(asprintf(&output,"--output=%s",trace_output) == -1)
+ if(asprintf(&output,"--trace=%s",trace_output) == -1)
 errExit("asprintf");
- if(asprintf(&stroutput,"-o %s",strace_output) == -1)
+ if(asprintf(&stroutput,"-o%s",strace_output) == -1)
 errExit("asprintf");
 char *cmdlist[] = {
- "/usr/bin/firejail",
+ BINDIR "/firejail",
 "--quiet",
- output,
 "--noprofile",
 "--caps.drop=all",
 "--nonewprivs",
- "--trace",
+ output,
 "--shell=none",
 "/usr/bin/strace", // also used as a marker in build_profile()
 "-c",
@@ -110,7 +109,7 @@
 if (arg_debug) {
 for (i = 0; i < len; i++)
- printf("\t%s\n", cmd[i]);
+ printf("%s%s\n", (i)?"\t":"", cmd[i]);
 }
 // fork and execute
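Review bot: `strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1)` is NUL-terminated only because `remote` was zeroed by the `memset` two lines above, and a `sockfile` longer than the buffer is still silently truncated, so the `len` computed on the next line and whatever connect follows would use a different path than the one requested. Rejecting over-long input explicitly is clearer and makes the dependency on the memset unnecessary: `if (strlen(sockfile) >= sizeof(remote.sun_path)) { fprintf(stderr, "Error: socket path too long\n"); return; }` — adapt the `return` to whatever the enclosing function reports, since it starts and ends outside the hunk. With that check in place, a `memcpy` of `strlen(sockfile) + 1` bytes states the intent directly.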
@@ -130,7 +129,8 @@
 errExit("waitpid");
 if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
- printf("\n\n\n");
+ if (fp == stdout)
+ printf("--- Built profile beings after this line ---\n");
 fprintf(fp, "############################################\n");
 fprintf(fp, "# %s profile\n", argv[index]);
 fprintf(fp, "############################################\n");
@@ -177,9 +177,10 @@
 fprintf(fp, "### environment\n");
 fprintf(fp, "shell none\n");
- unlink(trace_output);
- unlink(strace_output);
-
+ if (!arg_debug) {
+ unlink(trace_output);
+ unlink(strace_output);
+ }
 }
 else {
 fprintf(stderr, "Error: cannot run the sandbox\n");
diff -Nru firejail-0.9.60/src/fbuilder/Makefile.in firejail-0.9.62/src/fbuilder/Makefile.in
--- firejail-0.9.60/src/fbuilder/Makefile.in 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/fbuilder/Makefile.in 2019-12-14 13:30:32.000000000 +0000
@@ -8,7 +8,7 @@
 fbuilder: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o fbuilder *.gcov *.gcda *.gcno
+clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist
 distclean: clean
 rm -fr Makefile
diff -Nru firejail-0.9.60/src/fcopy/main.c firejail-0.9.62/src/fcopy/main.c
--- firejail-0.9.60/src/fcopy/main.c 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/fcopy/main.c 2019-12-14 13:30:32.000000000 +0000
@@ -25,12 +25,13 @@
 #include
 int arg_quiet = 0;
+int arg_debug = 0;
 static int arg_follow_link = 0;
-#define COPY_LIMIT (500 * 1024 *1024)
+static unsigned long copy_limit = 500 * 1024 * 1024; // 500 MB
+static unsigned long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 static char *outpath = NULL;
 static char *inpath = NULL;
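Review bot: The new user-facing string `"--- Built profile beings after this line ---\n"` has a typo and should read `"--- Built profile begins after this line ---\n"`. Because the banner is printed only when `fp == stdout`, it is exactly the line a script would grep for to split fbuilder's chatter from the generated profile, so fixing the spelling before it ships avoids consumers keying on the misspelled form. The enclosing function starts and ends outside the hunk.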
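Review bot: When `arg_debug` is set, `trace_output` and `strace_output` are now kept but nothing tells the user that they exist or where; these are the paths handed to firejail `--trace=` and strace `-o` in hunk `@@ -61,19 +61,18 @@`, so a debug run presumably leaves the raw call trace of the profiled program on disk after fbuilder exits. An `else` on the new condition with `printf("Debug: keeping trace files %s and %s\n", trace_output, strace_output);` makes the retention visible and lets the user clean up. The enclosing function starts and ends outside the hunk.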
@@ -184,8 +185,8 @@
 mode_t mode = s.st_mode;
 // recalculate size
- if ((s.st_size + size_cnt) > COPY_LIMIT) {
- fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024);
+ if ((s.st_size + size_cnt) > copy_limit) {
+ fprintf(stderr, "Error fcopy: size limit of %lu MB reached\n", (copy_limit / 1024) / 1024);
 size_limit_reached = 1;
 free(outfname);
 return 0;
@@ -330,6 +331,9 @@
 char *quiet = getenv("FIREJAIL_QUIET");
 if (quiet && strcmp(quiet, "yes") == 0)
 arg_quiet = 1;
+ char *debug = getenv("FIREJAIL_DEBUG");
+ if (debug && strcmp(debug, "yes") == 0)
+ arg_debug = 1;
 char *src;
 char *dest;
@@ -384,6 +388,14 @@
 exit(1);
 }
+ // extract copy limit size from env variable, if any
+ char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
+ if (cl) {
+ copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
+ if (arg_debug)
+ printf("file copy limit %lu bytes\n", copy_limit);
+ }
+
 // copy files
 if ((arg_follow_link ? stat : lstat)(src, &s) == -1) {
 fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno));
diff -Nru firejail-0.9.60/src/fcopy/Makefile.in firejail-0.9.62/src/fcopy/Makefile.in
--- firejail-0.9.60/src/fcopy/Makefile.in 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/fcopy/Makefile.in 2019-12-14 13:30:32.000000000 +0000
@@ -8,7 +8,7 @@
 fcopy: $(OBJS)
 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o fcopy *.gcov *.gcda *.gcno
+clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
 distclean: clean
 rm -fr Makefile
diff -Nru firejail-0.9.60/src/firecfg/firecfg.config firejail-0.9.62/src/firecfg/firecfg.config
--- firejail-0.9.60/src/firecfg/firecfg.config 2019-05-26 16:58:51.000000000 +0000
+++ firejail-0.9.62/src/firecfg/firecfg.config 2019-12-28 13:23:31.000000000 +0000
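Review bot: `copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;` in hunk `@@ -384,6 +388,14 @@` accepts any string: an empty or non-numeric value yields 0, after which the check in `@@ -184,8 +185,8 @@` rejects every file, and a large value overflows the multiplication (with a 32-bit `unsigned long` anything above 4095 wraps). Parse with an end pointer and bound the value before scaling: `char *end; unsigned long mb = strtoul(cl, &end, 10);` / `if (*cl == '\0' || *end != '\0' || mb == 0 || mb > ULONG_MAX / (1024 * 1024)) { fprintf(stderr, "Error fcopy: invalid FIREJAIL_FILE_COPY_LIMIT %s\n", cl); exit(1); }` / `copy_limit = mb * 1024 * 1024;` (ULONG_MAX needs `<limits.h>` if not already included). The same validation belongs in the `file-copy-limit` branch added to checkcfg.c in hunk `@@ -207,6 +207,12 @@`, which copies the config value into the environment unchecked, so a bad config line would be reported when the config is read; whether fcopy can also receive this variable from the invoking user's environment is not visible here and is worth confirming given that fcopy is a helper executed on firejail's behalf. The enclosing `main` starts and ends outside the hunk.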
@@ -20,21 +20,24 @@ Maps Mathematica Natron +PPSSPPQt QMediathekView QOwnNotes Telegram Viber VirtualBox -Xephyr XMind +Xephyr abrowser akonadi_control akregator amarok amule +amuled android-studio anydesk apktool +# ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) arch-audit archaudit-report ardour4 @@ -48,12 +51,13 @@ asunder # atom # atom-beta -atool +# atool - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) atril atril-previewer atril-thumbnailer audacious audacity +audio-recorder authenticator autokey-gtk autokey-qt @@ -79,9 +83,14 @@ brasero brave brave-browser -bunzip2 +brave-browser-beta +brave-browser-dev +brave-browser-nightly +brave-browser-stable +# bunzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +# bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) bzflag -bzip2 +# bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) calibre calligra calligraauthor @@ -92,6 +101,7 @@ calligrasheets calligrastage calligrawords +cameramonitor cantata catfish celluloid @@ -118,6 +128,7 @@ code-oss conkeror conky +conplay corebird crawl crawl-tiles @@ -127,6 +138,7 @@ cyberfox darktable dconf-editor +ddgtk deadbeef deluge devhelp @@ -146,10 +158,12 @@ dooble-qt4 dosbox dragon +drawio dropbox d-feet easystroke ebook-viewer +electron-mail electrum elinks empathy @@ -162,7 +176,8 @@ enpass eog eom -epiphany +ephemeral +#epiphany etr evince evince-previewer @@ -186,8 +201,8 @@ firefox-esr firefox-nightly firefox-wayland -flameshot flacsplt +flameshot flashpeak-slimjet flowblade font-manager 
@@ -222,20 +237,26 @@ gimp gimp-2.10 gimp-2.8 +gist +gist-paste gitg github-desktop gitter gjs globaltime +gmpc gnome-2048 gnome-books gnome-builder gnome-calculator +gnome-character-map +gnome-characters gnome-chess gnome-clocks gnome-contacts gnome-documents gnome-font-viewer +gnome-latex gnome-logs gnome-maps gnome-mplayer @@ -248,6 +269,7 @@ gnome-system-log gnome-twitch gnome-weather +godot goobox google-chrome google-chrome-beta @@ -272,6 +294,7 @@ hexchat highlight hugin +i2prouter icecat icedove iceweasel @@ -287,9 +310,12 @@ iridium-browser jd-gui jdownloader +jerry jitsi k3b kaffeine +kalgebra +kalgebramobile karbon kate kcalc @@ -300,11 +326,17 @@ keepassx keepassx2 keepassxc +keepassxc-cli +keepassxc-proxy +# kfind kget kid3 kid3-cli kid3-qt kino +kiwix-desktop +klatexformula +klatexformula_cmdl klavaro kmail knotes @@ -322,6 +354,7 @@ libreoffice liferea lincity-ng +links linphone lmms lobase @@ -334,12 +367,12 @@ lomath loweb lowriter -lrunzip -lrz -lrzcat -lrzip -lrztar -lrzuntar +# lrunzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +# lrz - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +# lrzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) luminance-hdr lximage-qt lxmusic @@ -371,6 +404,17 @@ mp3splt-gtk mp3wrap mpDris2 +mpg123 +mpg123.bin +mpg123-alsa +mpg123-id3dump +mpg123-jack +mpg123-nas +mpg123-openal +mpg123-oss +mpg123-portaudio +mpg123-pulse +mpg123-strip mplayer mpsyt mpv @@ -396,6 +440,8 @@ nethack netsurf neverball +neverputt +newsbeuter newsboat nheko nitroshare 
@@ -412,8 +458,12 @@ oggsplt okular onionshare-gui +ooffice +ooviewdoc open-invaders +openarena opencity +openoffice.org openshot openshot-qt openttd @@ -421,10 +471,13 @@ opera-beta orage ostrichriders +out123 palemoon +pandoc parole patch pavucontrol +pavucontrol-qt pdfchain pdfmod pdfsam @@ -441,15 +494,19 @@ pix playonlinux pluma +pngquant polari ppsspp pragha +profanity psi-plus pybitmessage # pycharm-community - FB note: may enable later # pycharm-professional +# pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) qbittorrent qemu-launcher +qgis qlipper qmmp qpdfview @@ -465,6 +522,7 @@ regextester remmina rhythmbox +rhythmbox-client ricochet riot-desktop riot-web @@ -485,13 +543,13 @@ secret-tool shellcheck shotcut +signal-cli signal-desktop silentarmy simple-scan simplescreenrecorder simutrans skanlite -skype skypeforlinux slack slashem @@ -520,6 +578,8 @@ synfigstudio sysprof sysprof-cli +tb-starter-wrapper +teams-for-linux teamspeak3 teeworlds telegram @@ -529,6 +589,7 @@ thunderbird-beta thunderbird-wayland tilp +tor-browser tor-browser-ar tor-browser-ca tor-browser-cs @@ -577,11 +638,15 @@ transmission-show tremulous truecraft +tshark tuxguitar +udiskie uefitool uget-gtk unbound +unf unknown-horizons +# unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) utox uudeview uzbl-browser @@ -601,11 +666,14 @@ warsow warzone2100 waterfox +waterfox-classic +waterfox-current webstorm weechat weechat-curses wesnoth wget +whalebird whois widelands wine @@ -621,6 +689,7 @@ xfce4-mixer xfce4-notes xiphos +xlinks xmms xmr-stak xonotic 
@@ -641,5 +710,12 @@
 zaproxy
 zart
 zathura
+zeal
 zoom
-zpaq
+# zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdgrep - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdless - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdmt - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+zulip
diff -Nru firejail-0.9.60/src/firecfg/main.c firejail-0.9.62/src/firecfg/main.c
--- firejail-0.9.60/src/firecfg/main.c 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/firecfg/main.c 2019-12-14 13:30:32.000000000 +0000
@@ -284,9 +284,9 @@
 }
 static char *get_user(void) {
- char *user = getlogin();
+ char *user = getenv("SUDO_USER");
 if (!user) {
- user = getenv("SUDO_USER");
+ user = getpwuid(getuid())->pw_name;
 if (!user) {
 fprintf(stderr, "Error: cannot detect login user\n");
 exit(1);
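Review bot: `user = getpwuid(getuid())->pw_name;` dereferences the result of `getpwuid()` without checking it; when the uid has no passwd entry (deleted account, minimal container, broken NSS) `getpwuid` returns NULL and firecfg crashes instead of reaching the `cannot detect login user` message that the following `if (!user)` is meant to produce. Take the struct first: `struct passwd *pw = getpwuid(getuid()); user = pw ? pw->pw_name : NULL;`. Separately, `SUDO_USER` is now consulted before the real uid, and get_user()'s result is what `firejail_user_add(user)` in hunk `@@ -443,15 +443,33 @@` writes to the access database when running as root; that is defensible for a root-run tool, but a comment on the `getenv` line such as `// SUDO_USER is trusted here: the caller is already root` would record why an environment variable is allowed to pick the account. get_user() starts inside the hunk and ends outside it.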
@@ -443,15 +443,33 @@
 // set new symlinks based on /usr/lib/firejail/firecfg.cfg
 set_links_firecfg();
- // add user to firejail access database - only for root
 if (getuid() == 0) {
+ // add user to firejail access database - only for root
 printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
 // temporarily set the umask, access database must be world-readable
 mode_t orig_umask = umask(022);
 firejail_user_add(user);
 umask(orig_umask);
+
+#ifdef HAVE_APPARMOR
+ // enable firejail apparmor profile
+ struct stat s;
+ if (stat("/sbin/apparmor_parser", &s) == 0) {
+ char *cmd;
+
+ // SYSCONFDIR points to /etc/firejail, we have to go on level up (..)
+ printf("\nLoading AppArmor profile\n");
+ if (asprintf(&cmd, "/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default %s/../apparmor.d/firejail-default", SYSCONFDIR) == -1)
+ errExit("asprintf");
+ int rv = system(cmd);
+ (void) rv;
+ free(cmd);
+ }
+#endif
 }
+
+
 // set new symlinks based on ~/.config/firejail directory
 set_links_homedir(home);
diff -Nru firejail-0.9.60/src/firecfg/Makefile.in firejail-0.9.62/src/firecfg/Makefile.in
--- firejail-0.9.60/src/firecfg/Makefile.in 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/firecfg/Makefile.in 2019-12-14 13:30:32.000000000 +0000
@@ -8,7 +8,7 @@
 firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno
+clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist
 distclean: clean
 rm -fr Makefile
diff -Nru firejail-0.9.60/src/firejail/appimage.c firejail-0.9.62/src/firejail/appimage.c
--- firejail-0.9.60/src/firejail/appimage.c 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/firejail/appimage.c 2019-12-14 13:30:32.000000000 +0000
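Review bot: `int rv = system(cmd); (void) rv;` discards the outcome of loading the AppArmor profile, so a failing `apparmor_parser` run (profile syntax error, missing `%s/../apparmor.d/firejail-default`, AppArmor not enabled in the kernel) is silent while the output just printed `Loading AppArmor profile` — the administrator is left believing the profile is enforced when it is not. Going through `system()` also means `/bin/sh` runs as root with the caller's environment, which buys nothing here because the command line is fixed; a `fork`/`execl` with a literal argv and a `waitpid` status check drops the shell and makes the failure reportable. The rewrite below keeps the same two profile paths and the file's `errExit` convention; it needs `<unistd.h>` and `<sys/wait.h>` if the file does not already include them, which is not visible here. The `stat("/sbin/apparmor_parser")` probe is kept as the cheap presence test it already is, although an `execl` failure with ENOENT would cover that case too.
```c
#ifdef HAVE_APPARMOR
		// enable firejail apparmor profile
		struct stat s;
		if (stat("/sbin/apparmor_parser", &s) == 0) {
			char *profile;

			// SYSCONFDIR points to /etc/firejail, we have to go on level up (..)
			printf("\nLoading AppArmor profile\n");
			if (asprintf(&profile, "%s/../apparmor.d/firejail-default", SYSCONFDIR) == -1)
				errExit("asprintf");

			// no shell: fixed argv, and the parser's exit status is checked
			pid_t child = fork();
			if (child == -1)
				errExit("fork");
			if (child == 0) {
				execl("/sbin/apparmor_parser", "apparmor_parser", "-r",
				      "/etc/apparmor.d/firejail-default", profile, (char *) NULL);
				_exit(127);
			}
			int status;
			if (waitpid(child, &status, 0) == -1)
				errExit("waitpid");
			if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
				fprintf(stderr, "Warning: apparmor_parser failed, AppArmor profile not loaded\n");
			free(profile);
		}
#endif
```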
@@ -113,12 +113,12 @@
 EUID_ROOT();
 if (size == 0) {
 fmessage("Mounting appimage type 1\n");
- if (mount(devloop, mntdir, "iso9660", flags, mode) < 0)
+ if (mount(devloop, mntdir, "iso9660", flags, mode) < 0)
 errExit("mounting appimage");
 }
 else {
 fmessage("Mounting appimage type 2\n");
- if (mount(devloop, mntdir, "squashfs", flags, mode) < 0)
+ if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0)
 errExit("mounting appimage");
 }
@@ -126,16 +126,25 @@
 printf("appimage mounted on %s\n", mntdir);
 EUID_USER();
+ char* abspath = realpath(appimage, NULL);
+ if (abspath == NULL)
+ errExit("Failed to obtain absolute path");
+
 // set environment
- if (setenv("APPIMAGE", appimage, 1) < 0)
+ if (setenv("APPIMAGE", abspath, 1) < 0)
 errExit("setenv");
 if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
 errExit("setenv");
+ if (size != 0 && setenv("ARGV0", appimage, 1) < 0)
+ errExit("setenv");
+ if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0)
+ errExit("setenv");
 // build new command line
 if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
 errExit("asprintf");
+ free(abspath);
 free(mode);
 #ifdef HAVE_GCOV
 __gcov_flush();
diff -Nru firejail-0.9.60/src/firejail/arp.c firejail-0.9.62/src/firejail/arp.c
--- firejail-0.9.60/src/firejail/arp.c 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/firejail/arp.c 2019-12-14 13:30:32.000000000 +0000
@@ -45,7 +45,7 @@
 void arp_announce(const char *dev, Bridge *br) {
 // RFC 5227 - using a source and destination IP address of the interface
 uint32_t srcaddr = br->ipsandbox;
- uint32_t destaddr = br->ipsandbox;
+ uint32_t destaddr = srcaddr;
 if (strlen(dev) > IFNAMSIZ) {
 fprintf(stderr, "Error: invalid network device name %s\n", dev);
diff -Nru firejail-0.9.60/src/firejail/checkcfg.c firejail-0.9.62/src/firejail/checkcfg.c
--- firejail-0.9.60/src/firejail/checkcfg.c 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/src/firejail/checkcfg.c 2019-12-14 13:30:32.000000000 +0000
@@ -207,6 +207,12 @@
 goto errout;
 cfg_val[CFG_ARP_PROBES] = arp_probes;
 }
+
+ // file copy limit
+ else if (strncmp(ptr, "file-copy-limit ", 16) == 0) {
+ if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1)
+ errExit("setenv");
+ }
 else
 goto errout;
@@ -275,6 +281,14 @@
 "enabled"
 #else
 "disabled"
+#endif
+ );
+
+ printf("\t- firetunnel support is %s\n",
+#ifdef HAVE_FIRETUNNEL
+ "enabled"
+#else
+ "disabled"
 #endif
 );
diff -Nru firejail-0.9.60/src/firejail/chroot.c firejail-0.9.62/src/firejail/chroot.c
--- firejail-0.9.60/src/firejail/chroot.c 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/src/firejail/chroot.c 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) 2014-2019 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CHROOT
+#include "firejail.h"
+#include
+#include
+#include
+
+#include
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
+
+
+// exit if error
+void fs_check_chroot_dir(void) {
+ EUID_ASSERT();
+ assert(cfg.chrootdir);
+ if (strstr(cfg.chrootdir, "..") ||
+ is_link(cfg.chrootdir) ||
+ !is_dir(cfg.chrootdir))
+ goto errout;
+
+ // check chroot dirname exists, chrooting into the root directory is not allowed
+ char *rpath = realpath(cfg.chrootdir, NULL);
+ if (rpath == NULL || strcmp(rpath, "/") == 0)
+ goto errout;
+
+ char *overlay;
+ if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+ if (strncmp(rpath, overlay, strlen(overlay)) == 0) {
+ fprintf(stderr, "Error: invalid chroot directory: no directories in %s are allowed\n", overlay);
+ exit(1);
+ }
+ free(overlay);
+ cfg.chrootdir = rpath;
+ return;
+
+errout:
+ fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir);
+ exit(1);
+}
+
+// copy /etc/resolv.conf in chroot directory
+static void copy_resolvconf(int parentfd) {
+ int in = open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC);
+ if (in == -1)
+ goto errout;
+
struct stat src; + if (fstat(in, &src) == -1) + errExit("fstat"); + // try to detect if resolv.conf has been bind mounted into the chroot + // do nothing in this case in order to not unlink the real file + struct stat dst; + if (fstatat(parentfd, "etc/resolv.conf", &dst, 0) == 0) { + if (src.st_dev == dst.st_dev && src.st_ino == dst.st_ino) { + close(in); + return; + } + } + if (arg_debug) + printf("Updating /etc/resolv.conf in chroot\n"); + unlinkat(parentfd, "etc/resolv.conf", 0); + int out = openat(parentfd, "etc/resolv.conf", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); + if (out == -1) { + close(in); + goto errout; + } + if (sendfile(out, in, NULL, src.st_size) == -1) + errExit("sendfile"); + close(in); + close(out); + return; + +errout: + fwarning("/etc/resolv.conf not initialized\n"); +} + +// exit if error +static void check_subdir(int parentfd, const char *subdir, int check_writable) { + assert(subdir); + struct stat s; + if (fstatat(parentfd, subdir, &s, AT_SYMLINK_NOFOLLOW) != 0) { + fprintf(stderr, "Error: cannot find /%s in chroot directory\n", subdir); + exit(1); + } + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) + fprintf(stderr, "Error: chroot /%s is a symbolic link\n", subdir); + else + fprintf(stderr, "Error: chroot /%s is not a directory\n", subdir); + exit(1); + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot /%s should be owned by root\n", subdir); + exit(1); + } + if (check_writable && ((S_IWGRP|S_IWOTH) & s.st_mode) != 0) { + fprintf(stderr, "Error: only root user should be given write permission on chroot /%s\n", subdir); + exit(1); + } +} + +// chroot into an existing directory; mount existing /dev and update /etc/resolv.conf +void fs_chroot(const char *rootdir) { + assert(rootdir); + + // fails if there is any symlink or if rootdir is not a directory + int parentfd = safe_fd(rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (parentfd == -1) + errExit("safe_fd"); + // rootdir has to be 
owned by root and is not allowed to be generally writable, + // this also excludes /tmp and friends + struct stat s; + if (fstat(parentfd, &s) == -1) + errExit("fstat"); + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot directory should be owned by root\n"); + exit(1); + } + if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) { + fprintf(stderr, "Error: only root user should be given write permission on chroot directory\n"); + exit(1); + } + // check chroot subdirectories; /tmp/.X11-unix and /run are treated separately + check_subdir(parentfd, "dev", 0); + check_subdir(parentfd, "etc", 1); + check_subdir(parentfd, "proc", 0); + check_subdir(parentfd, "tmp", 0); + check_subdir(parentfd, "var/tmp", 0); + + // mount-bind a /dev in rootdir + if (arg_debug) + printf("Mounting /dev on chroot /dev\n"); + // open chroot /dev to get a file descriptor, + // then use this descriptor as a mount target + int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("open"); + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev"); + free(proc); + close(fd); + + // x11 + if (getenv("FIREJAIL_X11")) { + if (arg_debug) + printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); + check_subdir(parentfd, "tmp/.X11-unix", 0); + fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("open"); + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /tmp/.X11-unix"); + free(proc); + close(fd); + } + + // some older distros don't have a /run directory, create one by default + if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST) + errExit("mkdir"); + check_subdir(parentfd, "run", 1); + + // create /run/firejail directory in chroot + if (mkdirat(parentfd, 
RUN_FIREJAIL_DIR+1, 0755) == -1 && errno != EEXIST) + errExit("mkdir"); + check_subdir(parentfd, RUN_FIREJAIL_DIR+1, 1); + + // create /run/firejail/lib directory in chroot + if (mkdirat(parentfd, RUN_FIREJAIL_LIB_DIR+1, 0755) == -1 && errno != EEXIST) + errExit("mkdir"); + check_subdir(parentfd, RUN_FIREJAIL_LIB_DIR+1, 1); + // mount lib directory into the chroot + fd = openat(parentfd, RUN_FIREJAIL_LIB_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("open"); + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + free(proc); + close(fd); + + // create /run/firejail/mnt directory in chroot + if (mkdirat(parentfd, RUN_MNT_DIR+1, 0755) == -1 && errno != EEXIST) + errExit("mkdir"); + check_subdir(parentfd, RUN_MNT_DIR+1, 1); + // mount the current mnt directory into the chroot + fd = openat(parentfd, RUN_MNT_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("open"); + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + free(proc); + close(fd); + + // update chroot resolv.conf + copy_resolvconf(parentfd); + +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + // create /run/firejail/mnt/oroot + char *oroot = RUN_OVERLAY_ROOT; + if (mkdir(oroot, 0755) == -1) + errExit("mkdir"); + // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay + if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1) + errExit("asprintf"); + if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting rootdir oroot"); + free(proc); + close(parentfd); + // chroot into the new directory + if (arg_debug) + printf("Chrooting into %s\n", rootdir); + if (chroot(oroot) < 0) + errExit("chroot"); + + // create all other /run/firejail files and directories + 
preproc_build_firejail_dir(); + + // mount a new proc filesystem + if (arg_debug) + printf("Mounting /proc filesystem representing the PID namespace\n"); + if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) + errExit("mounting /proc"); + + // update /var directory in order to support multiple sandboxes running on the same root directory + // if (!arg_private_dev) + // fs_dev_shm(); + fs_var_lock(); + if (!arg_keep_var_tmp) + fs_var_tmp(); + if (!arg_writable_var_log) + fs_var_log(); + + fs_var_lib(); + fs_var_cache(); + fs_var_utmp(); + fs_machineid(); + + // don't leak user information + restrict_users(); + + // when starting as root, firejail config is not disabled; + if (getuid() != 0) + disable_config(); +} + +#endif // HAVE_CHROOT diff -Nru firejail-0.9.60/src/firejail/firejail.h firejail-0.9.62/src/firejail/firejail.h --- firejail-0.9.60/src/firejail/firejail.h 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/firejail/firejail.h 2019-12-14 13:30:32.000000000 +0000 
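Review bot: In `copy_resolvconf`, the bind-mount detection `fstatat(parentfd, "etc/resolv.conf", &dst, 0)` follows symlinks, so when the chroot's `etc/resolv.conf` is an absolute symlink that resolves to the host's `/etc/resolv.conf` while the check runs outside the chroot, the dev/inode comparison matches and the function returns early, leaving a link that points at itself once chrooted; use `fstatat(parentfd, "etc/resolv.conf", &dst, AT_SYMLINK_NOFOLLOW)` so only a real bind mount short-circuits the copy. Separately, `sendfile(out, in, NULL, src.st_size)` is issued once and its byte count is never compared with `src.st_size`, so a short transfer silently truncates the copy; loop until the full size has been moved or `sendfile` returns 0. `S_IWRITE` in the `openat` mode is the obsolete spelling of `S_IWUSR`, and the other three bits already use the modern names.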
@@ -124,19 +124,21 @@
 // whitelist command parameters
 char *link; // link name - set if the file is a link
- unsigned home_dir:1; // whitelist in /home/user directory
- unsigned tmp_dir:1; // whitelist in /tmp directory
- unsigned media_dir:1; // whitelist in /media directory
- unsigned mnt_dir:1; // whitelist in /mnt directory
- unsigned var_dir:1; // whitelist in /var directory
- unsigned dev_dir:1; // whitelist in /dev directory
- unsigned opt_dir:1; // whitelist in /opt directory
- unsigned srv_dir:1; // whitelist in /srv directory
- unsigned etc_dir:1; // whitelist in /etc directory
- unsigned share_dir:1; // whitelist in /usr/share directory
- unsigned module_dir:1; // whitelist in /sys/module directory
- unsigned run_dir:1; // whitelist in /run/user/$uid directory
-}ProfileEntry;
+ enum {
+ WLDIR_HOME = 1, // whitelist in home directory
+ WLDIR_TMP, // whitelist in /tmp directory
+ WLDIR_MEDIA, // whitelist in /media directory
+ WLDIR_MNT, // whitelist in /mnt directory
+ WLDIR_VAR, // whitelist in /var directory
+ WLDIR_DEV, // whitelist in /dev directory
+ WLDIR_OPT, // whitelist in /opt directory
+ WLDIR_SRV, // whitelist in /srv directory
+ WLDIR_ETC, // whitelist in /etc directory
+ WLDIR_SHARE, // whitelist in /usr/share directory
+ WLDIR_MODULE, // whitelist in /sys/module directory
+ WLDIR_RUN // whitelist in /run/user/$uid directory
+ } wldir;
+} ProfileEntry;
 typedef struct config_t {
 // user data
@@ -258,6 +260,7 @@
 extern char *arg_caps_list; // optional caps list
 extern int arg_trace; // syscall tracing support
+extern char *arg_tracefile; // syscall tracing file
 extern int arg_tracelog; // blacklist tracing support
 extern int arg_rlimit_cpu; // rlimit cpu
 extern int arg_rlimit_nofile; // rlimit nofile
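Review bot: The new `wldir` enum starts at `WLDIR_HOME = 1`, which presumably reserves 0 for "not bound to a whitelist directory" in a zero-initialised `ProfileEntry`, but nothing in the header says so, and the twelve `:1` bit-fields it replaces could previously be set independently of each other. Add a comment on the field: `// 0 (unset) means the entry is not tied to a whitelist directory; at most one directory applies`, and confirm no caller relied on two of the old flags being set at once, since a single enum value cannot express that.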
@@ -316,7 +319,7 @@
 extern int arg_nodvd; // --nodvd
 extern int arg_nou2f; // --nou2f
 extern int arg_nodbus; // -nodbus
-extern int arg_deterministic_exit_code; // always exit with first childs exit status
+extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -364,30 +367,41 @@
 void preproc_clean_run(void);
 // fs.c
+typedef enum {
+ BLACKLIST_FILE,
+ BLACKLIST_NOLOG,
+ MOUNT_READONLY,
+ MOUNT_TMPFS,
+ MOUNT_NOEXEC,
+ MOUNT_RDWR,
+ OPERATION_MAX
+} OPERATION;
+
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void);
 // mount a writable tmpfs
 void fs_tmpfs(const char *dir, unsigned check_owner);
-// remount a directory read-only
-void fs_rdonly(const char *dir);
-void fs_rdonly_rec(const char *dir);
-// remount a directory noexec, nodev and nosuid
-void fs_noexec(const char *dir);
-void fs_noexec_rec(const char *dir);
+// remount noexec/nodev/nosuid or read-only or read-write
+void fs_remount(const char *dir, OPERATION op, unsigned check_mnt);
+void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
+// blacklist firejail configuration and runtime directories
+void disable_config(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
 // mount overlayfs on top of / directory
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
-// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
-void fs_chroot(const char *rootdir);
-void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
 void fs_mnt(const int enforce);
+// chroot.c
+// chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
+void fs_check_chroot_dir(void);
+void fs_chroot(const char *rootdir);
+
 // profile.c
 // find and read the profile specified by name from dir directory
 int profile_find_firejail(const char *name, int add_ext);
@@ -550,6 +564,7 @@
 // fs_trace.c
 void fs_trace_preload(void);
+void fs_tracefile(void);
 void fs_trace(void);
 // fs_hostname.c
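Review bot: `fs_remount` and `fs_remount_rec` gain a `check_mnt` parameter that the one-line comment above them does not describe; from the fs.c side of this patch it enables a post-remount comparison of the last `/proc/self/mountinfo` entry against `dir`, and `fs_basic_fs` passes 0 because top-level directories may be links. Document that at the declaration so callers pick the right value: `// check_mnt: after remounting, verify the newest entry in /proc/self/mountinfo is dir or below it; 0 for top-level directories that may be symlinks`.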
@@ -713,6 +728,7 @@
 CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
+ // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff -Nru firejail-0.9.60/src/firejail/fs.c firejail-0.9.62/src/firejail/fs.c
--- firejail-0.9.60/src/firejail/fs.c 2019-05-21 12:17:54.000000000 +0000
+++ firejail-0.9.62/src/firejail/fs.c 2019-12-28 13:14:56.000000000 +0000
@@ -28,6 +28,7 @@
 #include
 #include
+
 #include
 #ifndef O_PATH
 # define O_PATH 010000000
@@ -39,24 +40,17 @@
 //#define TEST_NO_BLACKLIST_MATCHING
-static int mount_warning = 0;
-static void fs_rdwr(const char *dir);
-static void fs_rdwr_rec(const char *dir);
-
-
-
 //***********************************************
 // process profile file
 //***********************************************
-typedef enum {
- BLACKLIST_FILE,
- BLACKLIST_NOLOG,
- MOUNT_READONLY,
- MOUNT_TMPFS,
- MOUNT_NOEXEC,
- MOUNT_RDWR,
- OPERATION_MAX
-} OPERATION;
+static char *opstr[] = {
+ [BLACKLIST_FILE] = "blacklist",
+ [BLACKLIST_NOLOG] = "blacklist-nolog",
+ [MOUNT_READONLY] = "read-only",
+ [MOUNT_TMPFS] = "tmpfs",
+ [MOUNT_NOEXEC] = "noexec",
+ [MOUNT_RDWR] = "read-write",
+};
 typedef enum {
 UNSUCCESSFUL,
@@ -153,17 +147,9 @@
 fs_logger2("blacklist-nolog", fname);
 }
 }
- else if (op == MOUNT_READONLY) {
- fs_rdonly_rec(fname);
-// todo: last_disable = SUCCESSFUL;
- }
- else if (op == MOUNT_RDWR) {
- fs_rdwr_rec(fname);
-// todo: last_disable = SUCCESSFUL;
- }
- else if (op == MOUNT_NOEXEC) {
- fs_noexec_rec(fname);
-// todo: last_disable = SUCCESSFUL;
+ else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
+ fs_remount_rec(fname, op, 1);
+ // todo: last_disable = SUCCESSFUL;
 }
 else if (op == MOUNT_TMPFS) {
 if (S_ISDIR(s.st_mode)) {
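Review bot: `opstr` is declared `static char *opstr[]` although it only holds string literals that are read by `printf`, `errLogExit` and `fs_logger2` in the remount code; `static const char *const opstr[] = {` lets the compiler reject accidental writes to the table or the literals. The designated initialisers are indexed by `OPERATION`, which this patch moves into firejail.h, so a value added to the enum without a matching entry here leaves a NULL slot that reaches `printf("%s", ...)`; a comment `// keep in sync with OPERATION in firejail.h; every value below OPERATION_MAX needs an entry` is the least that should accompany the table.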
@@ -219,21 +205,23 @@ continue; // noblacklist is expected to be short in normal cases, so stupid and correct brute force is okay bool okay_to_blacklist = true; - for (j = 0; j < noblacklist_len; j++) { - int result = fnmatch(noblacklist[j], path, FNM_PATHNAME); - if (result == FNM_NOMATCH) - continue; - else if (result == 0) { - okay_to_blacklist = false; + if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { + for (j = 0; j < noblacklist_len; j++) { + int result = fnmatch(noblacklist[j], path, FNM_PATHNAME); + if (result == FNM_NOMATCH) + continue; + else if (result == 0) { + okay_to_blacklist = false; #ifdef TEST_NO_BLACKLIST_MATCHING - if (j < nbcheck_size) // noblacklist checking - nbcheck[j] = 1; + if (j < nbcheck_size) // noblacklist checking + nbcheck[j] = 1; #endif - break; - } - else { - fprintf(stderr, "Error: failed to compare path %s with pattern %s\n", path, noblacklist[j]); - exit(1); + break; + } + else { + fprintf(stderr, "Error: failed to compare path %s with pattern %s\n", path, noblacklist[j]); + exit(1); + } } } @@ -454,20 +442,19 @@ // mount a writable tmpfs on directory void fs_tmpfs(const char *dir, unsigned check_owner) { assert(dir); + if (arg_debug) + printf("Mounting tmpfs on %s\n", dir); // get a file descriptor for dir, fails if there is any symlink int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) - errExit("safe_fd"); + errExit("while opening directory"); struct stat s; if (fstat(fd, &s) == -1) errExit("fstat"); if (check_owner && s.st_uid != getuid()) { - fwarning("no tmpfs mounted on %s: not owned by the current user\n", dir); - close(fd); - return; + fprintf(stderr, "Error: cannot mount tmpfs on %s: not owned by the current user\n", dir); + exit(1); } - if (arg_debug) - printf("Mounting tmpfs on %s\n", dir); // preserve ownership, mode char *options; if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1) 
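Review bot: In `fs_tmpfs` the debug line `Mounting tmpfs on %s` now prints before `safe_fd` and before the `check_owner` test, so with debugging on the log claims a mount for a directory that is then refused with `Error: cannot mount tmpfs on %s: not owned by the current user`; keep the `printf` below the ownership check as it was, or reword it as an attempt. Turning that ownership failure from an `fwarning` into `exit(1)` is a behaviour change for profiles that used to continue — reasonable as hardening, but worth a changelog line. `fs_tmpfs` continues past the end of this hunk.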
@@ -493,157 +480,81 @@ close(fd); } -// remount directory read-only -void fs_rdonly(const char *dir) { +void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) { assert(dir); // check directory exists struct stat s; int rv = stat(dir, &s); if (rv == 0) { unsigned long flags = 0; - get_mount_flags(dir, &flags); - if ((flags & MS_RDONLY) == MS_RDONLY) + if (get_mount_flags(dir, &flags) != 0) { + fwarning("cannot remount %s\n", dir); return; - flags |= MS_RDONLY; - if (arg_debug) - printf("Mounting read-only %s\n", dir); - // mount --bind /bin /bin - // mount --bind -o remount,ro /bin - if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) - errExit("mount read-only"); - fs_logger2("read-only", dir); - } -} - -// remount directory read-only recursively -void fs_rdonly_rec(const char *dir) { - assert(dir); - // get mount point of the directory - int mountid = get_mount_id(dir); - if (mountid == -1) - return; - if (mountid == -2) { - // falling back to a simple remount on old kernels - if (!mount_warning) { - fwarning("read-only, read-write and noexec options are not applied recursively\n"); - mount_warning = 1; } - fs_rdonly(dir); - return; - } - // build array with all mount points that need to get remounted - char **arr = build_mount_array(mountid, dir); - assert(arr); - // remount - char **tmp = arr; - while (*tmp) { - fs_rdonly(*tmp); - free(*tmp++); - } - free(arr); -} - -// remount directory read-write -static void fs_rdwr(const char *dir) { - assert(dir); - // check directory exists - struct stat s; - int rv = stat(dir, &s); - if (rv == 0) { - // allow only user owned directories, except the user is root - uid_t u = getuid(); - if (u != 0 && s.st_uid != u) { - fwarning("you are not allowed to change %s to read-write\n", dir); - return; + if (op == MOUNT_RDWR) { + // allow only user owned directories, except the user is root + if (getuid() != 0 && s.st_uid != getuid()) { + fwarning("you are 
not allowed to change %s to read-write\n", dir); + return; + } + if ((flags & MS_RDONLY) == 0) + return; + flags &= ~MS_RDONLY; + } + else if (op == MOUNT_NOEXEC) { + if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) + return; + flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; + } + else if (op == MOUNT_READONLY) { + if ((flags & MS_RDONLY) == MS_RDONLY) + return; + flags |= MS_RDONLY; } - unsigned long flags = 0; - get_mount_flags(dir, &flags); - if ((flags & MS_RDONLY) == 0) - return; - flags &= ~MS_RDONLY; + else + assert(0); + if (arg_debug) - printf("Mounting read-write %s\n", dir); + printf("Mounting %s %s\n", opstr[op], dir); // mount --bind /bin /bin // mount --bind -o remount,rw /bin if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) - errExit("mount read-write"); - fs_logger2("read-write", dir); - // run a sanity check on /proc/self/mountinfo - MountData *mptr = get_last_mount(); - size_t len = strlen(dir); - if (strncmp(mptr->dir, dir, len) != 0 || - (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) - errLogExit("invalid read-write mount"); - } -} - -// remount directory read-write recursively -static void fs_rdwr_rec(const char *dir) { - assert(dir); - // get mount point of the directory - int mountid = get_mount_id(dir); - if (mountid == -1) - return; - if (mountid == -2) { - // falling back to a simple remount on old kernels - if (!mount_warning) { - fwarning("read-only, read-write and noexec options are not applied recursively\n"); - mount_warning = 1; + errExit("remounting"); + if (check_mnt) { + // run a sanity check on /proc/self/mountinfo + MountData *mptr = get_last_mount(); + size_t len = strlen(dir); + if (strncmp(mptr->dir, dir, len) != 0 || + (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) + errLogExit("invalid %s mount", opstr[op]); } - fs_rdwr(dir); - return; - } - // build array with all mount points that need to get remounted - char 
**arr = build_mount_array(mountid, dir); - assert(arr); - // remount - char **tmp = arr; - while (*tmp) { - fs_rdwr(*tmp); - free(*tmp++); + fs_logger2(opstr[op], dir); } - free(arr); } -// remount directory noexec, nodev, nosuid -void fs_noexec(const char *dir) { +void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { assert(dir); - // check directory exists struct stat s; - int rv = stat(dir, &s); - if (rv == 0) { - unsigned long flags = 0; - get_mount_flags(dir, &flags); - if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) - return; - flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; - if (arg_debug) - printf("Mounting noexec %s\n", dir); - // mount --bind /bin /bin - // mount --bind -o remount,noexec /bin - if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) - errExit("mount noexec"); - fs_logger2("noexec", dir); + if (stat(dir, &s) != 0) + return; + if (!S_ISDIR(s.st_mode)) { + // no need to search in /proc/self/mountinfo for submounts if not a directory + fs_remount(dir, op, check_mnt); + return; } -} - -// remount directory noexec, nodev, nosuid recursively -void fs_noexec_rec(const char *dir) { - assert(dir); // get mount point of the directory int mountid = get_mount_id(dir); if (mountid == -1) return; if (mountid == -2) { // falling back to a simple remount on old kernels + static int mount_warning = 0; if (!mount_warning) { fwarning("read-only, read-write and noexec options are not applied recursively\n"); mount_warning = 1; } - fs_noexec(dir); + fs_remount(dir, op, check_mnt); return; } // build array with all mount points that need to get remounted @@ -652,7 +563,7 @@ // remount char **tmp = arr; while (*tmp) { - fs_noexec(*tmp); + fs_remount(*tmp, op, check_mnt); free(*tmp++); } free(arr); 
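Review bot: The `/proc/self/mountinfo` sanity check that the old `fs_rdwr` ran on every read-write remount is now gated on `check_mnt`, and `fs_basic_fs` passes 0, so `fs_remount("/var/log", MOUNT_RDWR, 0)` no longer verifies that the remount landed on `/var/log`. Because `MOUNT_RDWR` removes a restriction rather than adding one, I would keep the check for it irrespective of the flag: `if (check_mnt || op == MOUNT_RDWR) {`. The new `get_mount_flags` failure path, which warns and returns instead of remounting with `flags == 0` as the old code did, is a good fix; `fwarning("cannot remount %s: mount point not found\n", dir)` would tell the user why.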
@@ -682,13 +593,9 @@ // mount /proc and /sys directories void fs_proc_sys_dev_boot(void) { - if (arg_debug) - printf("Remounting /proc and /proc/sys filesystems\n"); - if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) - errExit("mounting /proc"); - fs_logger("remount /proc"); - // remount /proc/sys readonly + if (arg_debug) + printf("Mounting read-only /proc/sys\n"); if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mounting /proc/sys"); @@ -698,7 +605,8 @@ /* Mount a version of /sys that describes the network namespace */ if (arg_debug) printf("Remounting /sys directory\n"); - // if this is an overlay, don't try to unmount, just mount a new sysfs + // sysfs not yet mounted in overlays, so don't try to unmount it + // expect that unmounting /sys fails in a chroot, no need to print a warning in that case if (!arg_overlay) { if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir) fwarning("failed to unmount /sys\n"); @@ -734,7 +642,8 @@ // various /proc files disable_file(BLACKLIST_FILE, "/proc/irq"); disable_file(BLACKLIST_FILE, "/proc/bus"); - disable_file(BLACKLIST_FILE, "/proc/config.gz"); + // move /proc/config.gz to disable-common.inc + //disable_file(BLACKLIST_FILE, "/proc/config.gz"); disable_file(BLACKLIST_FILE, "/proc/sched_debug"); disable_file(BLACKLIST_FILE, "/proc/timer_list"); disable_file(BLACKLIST_FILE, "/proc/timer_stats"); @@ -797,8 +706,8 @@ } } -// disable firejail configuration in /etc/firejail and in ~/.config/firejail -static void disable_config(void) { +// disable firejail configuration in ~/.config/firejail +void disable_config(void) { struct stat s; char *fname; 
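Review bot: Commenting out `disable_file(BLACKLIST_FILE, "/proc/config.gz")` moves the kernel-config blacklist from code into `disable-common.inc`, so a sandbox whose profile does not include that file — or a run without any profile — now exposes `/proc/config.gz` where it was previously hidden unconditionally; if that is intended, the comment should say so: `// /proc/config.gz is blacklisted by disable-common.inc; profiles that skip it expose the kernel config`. With the `proc` mount removed from `fs_proc_sys_dev_boot`, every caller must mount `/proc` first (this patch does so in `fs_basic_fs`, `fs_chroot` and `fs_overlayfs`), so the header comment `// mount /proc and /sys directories` is now misleading and should read `// remount /proc/sys read-only and mount a fresh /sys; /proc must already be mounted by the caller`.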
@@ -815,34 +724,43 @@ disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0) disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); + if (stat(RUN_FIREJAIL_PROFILE_DIR, &s) == 0) + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); } // build a basic read-only filesystem +// top level directories could be links, run no after-mount checks void fs_basic_fs(void) { uid_t uid = getuid(); + // mount a new proc filesystem + if (arg_debug) + printf("Mounting /proc filesystem representing the PID namespace\n"); + if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) + errExit("mounting /proc"); + if (arg_debug) printf("Basic read-only filesystem:\n"); if (!arg_writable_etc) { - fs_rdonly("/etc"); + fs_remount("/etc", MOUNT_READONLY, 0); if (uid) - fs_noexec("/etc"); + fs_remount("/etc", MOUNT_NOEXEC, 0); } if (!arg_writable_var) { - fs_rdonly("/var"); + fs_remount("/var", MOUNT_READONLY, 0); if (uid) - fs_noexec("/var"); + fs_remount("/var", MOUNT_NOEXEC, 0); } - fs_rdonly("/bin"); - fs_rdonly("/sbin"); - fs_rdonly("/lib"); - fs_rdonly("/lib64"); - fs_rdonly("/lib32"); - fs_rdonly("/libx32"); - fs_rdonly("/usr"); + fs_remount("/bin", MOUNT_READONLY, 0); + fs_remount("/sbin", MOUNT_READONLY, 0); + fs_remount("/lib", MOUNT_READONLY, 0); + fs_remount("/lib64", MOUNT_READONLY, 0); + fs_remount("/lib32", MOUNT_READONLY, 0); + fs_remount("/libx32", MOUNT_READONLY, 0); + fs_remount("/usr", MOUNT_READONLY, 0); // update /var directory in order to support multiple sandboxes running on the same root directory fs_var_lock(); @@ -851,7 +769,7 @@ if (!arg_writable_var_log) fs_var_log(); else - fs_rdwr("/var/log"); + fs_remount("/var/log", MOUNT_RDWR, 0); fs_var_lib(); fs_var_cache(); 
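Review bot: The `/proc` mount added to `fs_basic_fs` drops the `fs_logger("remount /proc")` call that the block it replaces in `fs_proc_sys_dev_boot` had, and the identical copies in `fs_chroot` (chroot.c) and `fs_overlayfs` omit it too, so the fs log no longer records the proc mount. The same four lines are now written out three times across two files; a small helper declared in firejail.h would keep them in step and restore the log entry. `fs_basic_fs` continues past the end of this hunk.
```c
// mount a fresh proc filesystem for the sandbox's PID namespace
void fs_mount_proc(void) {
	if (arg_debug)
		printf("Mounting /proc filesystem representing the PID namespace\n");
	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
		errExit("mounting /proc");
	fs_logger("remount /proc");
}
// … unchanged: fs_basic_fs, with the inline mount replaced by fs_mount_proc(); …
```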
@@ -980,6 +898,13 @@ if (major == 3 && minor < 18) oldkernel = 1; + // mounting an overlayfs on top of / seems to be broken for kernels > 4.19 + // we disable overlayfs for now, pending fixing + if (major >= 4 &&minor >= 19) { + fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n"); + exit(1); + } + char *oroot = RUN_OVERLAY_ROOT; mkdir_attr(oroot, 0755, 0, 0); @@ -1073,8 +998,10 @@ else { // kernel 3.18 or newer if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1) errExit("asprintf"); - if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) + if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) { + fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor); errExit("mounting overlayfs"); + } //*************************** // issue #263 start code @@ -1183,6 +1110,12 @@ if (chroot(oroot) == -1) errExit("chroot"); + // mount a new proc filesystem + if (arg_debug) + printf("Mounting /proc filesystem representing the PID namespace\n"); + if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) + errExit("mounting /proc"); + // update /var directory in order to support multiple sandboxes running on the same root directory // if (!arg_private_dev) // fs_dev_shm(); 
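Review bot: The kernel guard `if (major >= 4 &&minor >= 19)` does not express "4.19 and newer": on a 5.4 kernel `minor >= 19` is false and the check is skipped, while 4.19 and 5.19+ are rejected, so exactly the newer kernels the comment says are broken slip through. The test should be `if (major > 4 || (major == 4 && minor >= 19)) {`, and the error text then matches the behaviour. The added `Debug: running on kernel version %d.%d` line before `errExit("mounting overlayfs")` is helpful as is.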
@@ -1213,296 +1146,11 @@ } #endif - -#ifdef HAVE_CHROOT -// exit if error -void fs_check_chroot_dir(const char *rootdir) { - EUID_ASSERT(); - assert(rootdir); - char *dir = EMPTY_STRING; - struct stat s; - - char *overlay; - if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - if (strncmp(rootdir, overlay, strlen(overlay)) == 0) { - fprintf(stderr, "Error: invalid chroot directory: no directories in %s are allowed\n", overlay); - exit(1); - } - free(overlay); - - // fails if there is any symlink or if rootdir is not a directory - int parentfd = safe_fd(rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (parentfd == -1) { - fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir); - exit(1); - } - // rootdir has to be owned by root and is not allowed to be generally writable, - // this also excludes /tmp, /var/tmp and such - if (fstat(parentfd, &s) == -1) - errExit("fstat"); - if (s.st_uid != 0) { - fprintf(stderr, "Error: chroot directory should be owned by root\n"); - exit(1); - } - if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) { - fprintf(stderr, "Error: only root user should be given write permission on chroot directory\n"); - exit(1); - } - - // check /dev - dir = "dev"; - int fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); - if (fd == -1) - goto error1; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISDIR(s.st_mode) || s.st_uid != 0) - goto error2; - close(fd); - - // check /var/tmp - dir = "var/tmp"; - fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); - if (fd == -1) - goto error1; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISDIR(s.st_mode) || s.st_uid != 0) - goto error2; - close(fd); - - // check /proc - dir = "proc"; - fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); - if (fd == -1) - goto error1; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISDIR(s.st_mode) || s.st_uid != 0) - goto error2; - close(fd); - - // check /tmp - dir = "tmp"; - fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); - if (fd 
== -1) - goto error1; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISDIR(s.st_mode) || s.st_uid != 0) - goto error2; - close(fd); - - // check /etc - dir = "etc"; - fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); - if (fd == -1) - goto error1; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISDIR(s.st_mode) || s.st_uid != 0) - goto error2; - if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) { - fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n"); - exit(1); - } - close(fd); - - // there should be no checking on /etc/resolv.conf - // the file is replaced with the real /etc/resolv.conf anyway -#if 0 - if (asprintf(&name, "%s/etc/resolv.conf", rootdir) == -1) - errExit("asprintf"); - if (stat(name, &s) == 0) { - if (s.st_uid != 0) { - fprintf(stderr, "Error: chroot /etc/resolv.conf should be owned by root\n"); - exit(1); - } - } - else { - fprintf(stderr, "Error: chroot /etc/resolv.conf not found\n"); - exit(1); - } - // on Arch /etc/resolv.conf could be a symlink to /run/systemd/resolve/resolv.conf - // on Ubuntu 17.04 /etc/resolv.conf could be a symlink to /run/resolveconf/resolv.conf - if (is_link(name)) { - // check the link points in chroot - char *rname = realpath(name, NULL); - if (!rname || strncmp(rname, rootdir, strlen(rootdir)) != 0) { - fprintf(stderr, "Error: chroot /etc/resolv.conf is pointing outside chroot\n"); - exit(1); - } - } - free(name); -#endif - - // check x11 socket directory - if (getenv("FIREJAIL_X11")) { - dir = "tmp/.X11-unix"; - fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); - if (fd == -1) - goto error1; - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISDIR(s.st_mode) || s.st_uid != 0) - goto error2; - close(fd); - } - - close(parentfd); - return; - -error1: - if (errno == ENOENT) - fprintf(stderr, "Error: cannot find /%s in chroot directory\n", dir); - else { - perror("open"); - fprintf(stderr, "Error: cannot open /%s in chroot directory\n", dir); - } - exit(1); -error2: - 
fprintf(stderr, "Error: chroot /%s should be a directory owned by root\n", dir); - exit(1); -} - -// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf -void fs_chroot(const char *rootdir) { - assert(rootdir); - - // mount-bind a /dev in rootdir - char *newdev; - if (asprintf(&newdev, "%s/dev", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Mounting /dev on %s\n", newdev); - if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev"); - free(newdev); - - // x11 - if (getenv("FIREJAIL_X11")) { - char *newx11; - if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Mounting /tmp/.X11-unix on %s\n", newx11); - if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /tmp/.X11-unix"); - free(newx11); - } - - // some older distros don't have a /run directory - // create one by default - char *rundir; - if (asprintf(&rundir, "%s/run", rootdir) == -1) - errExit("asprintf"); - struct stat s; - if (lstat(rundir, &s) == 0) { - if (S_ISLNK(s.st_mode)) { - fprintf(stderr, "Error: chroot /run is a symbolic link\n"); - exit(1); - } - if (!S_ISDIR(s.st_mode) || s.st_uid != 0) { - fprintf(stderr, "Error: chroot /run should be a directory owned by root\n"); - exit(1); - } - if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) { - fprintf(stderr, "Error: only root user should be given write permission on chroot /run\n"); - exit(1); - } - } - else { - // several sandboxes could race to create /run - if (mkdir(rundir, 0755) == -1 && errno != EEXIST) - errExit("mkdir"); - ASSERT_PERMS(rundir, 0, 0, 0755); - } - free(rundir); - - // create /run/firejail directory in chroot - if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) - errExit("asprintf"); - if (mkdir(rundir, 0755) == -1 && errno != EEXIST) - errExit("mkdir"); - ASSERT_PERMS(rundir, 0, 0, 0755); - free(rundir); - - // create /run/firejail/lib directory in chroot and mount it 
- if (asprintf(&rundir, "%s%s", rootdir, RUN_FIREJAIL_LIB_DIR) == -1) - errExit("asprintf"); - if (mkdir(rundir, 0755) == -1 && errno != EEXIST) - errExit("mkdir"); - ASSERT_PERMS(rundir, 0, 0, 0755); - if (mount(RUN_FIREJAIL_LIB_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - free(rundir); - - // create /run/firejail/mnt directory in chroot and mount the current one - if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) - errExit("asprintf"); - if (mkdir(rundir, 0755) == -1 && errno != EEXIST) - errExit("mkdir"); - ASSERT_PERMS(rundir, 0, 0, 0755); - if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - free(rundir); - - // copy /etc/resolv.conf in chroot directory - char *fname; - if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Updating /etc/resolv.conf in %s\n", fname); - unlink(fname); - if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed - fwarning("/etc/resolv.conf not initialized\n"); - free(fname); - - // chroot into the new directory -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay - // and chroot into this new directory - if (arg_debug) - printf("Chrooting into %s\n", rootdir); - char *oroot = RUN_OVERLAY_ROOT; - if (mkdir(oroot, 0755) == -1) - errExit("mkdir"); - if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting rootdir oroot"); - if (chroot(oroot) < 0) - errExit("chroot"); - - // create all other /run/firejail files and directories - preproc_build_firejail_dir(); - - // update /var directory in order to support multiple sandboxes running on the same root directory -// if (!arg_private_dev) -// fs_dev_shm(); - fs_var_lock(); - if (!arg_keep_var_tmp) - fs_var_tmp(); - if (!arg_writable_var_log) - fs_var_log(); - - fs_var_lib(); - fs_var_cache(); - fs_var_utmp(); - 
fs_machineid(); - - // don't leak user information - restrict_users(); - - // when starting as root, firejail config is not disabled; - if (getuid() != 0) - disable_config(); -} -#endif - // this function is called from sandbox.c before blacklist/whitelist functions void fs_private_tmp(void) { + if (arg_debug) + printf("Generate private-tmp whitelist commands\n"); + // check XAUTHORITY file, KDE keeps it under /tmp char *xauth = getenv("XAUTHORITY"); if (xauth) { @@ -1511,6 +1159,7 @@ char *cmd; if (asprintf(&cmd, "whitelist %s", rp) == -1) errExit("asprintf"); + profile_check_line(cmd, 0, NULL); profile_add(cmd); // profile_add does not duplicate the string } if (rp) @@ -1539,6 +1188,7 @@ char *cmd; if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1) errExit("asprintf"); + profile_check_line(cmd, 0, NULL); profile_add(cmd); // profile_add does not duplicate the string } } @@ -1553,15 +1203,15 @@ // check if ~/.cache is a valid destination struct stat s; if (lstat(cache, &s) == -1) { - fwarning("cannot find %s, tmpfs not mounted\n", cache); + fwarning("skipping private-cache: cannot find %s\n", cache); free(cache); return; } if (!S_ISDIR(s.st_mode)) { if (S_ISLNK(s.st_mode)) - fwarning("%s is a symbolic link, tmpfs not mounted\n", cache); + fwarning("skipping private-cache: %s is a symbolic link\n", cache); else - fwarning("%s is not a directory; cannot mount a tmpfs on top of it\n", cache); + fwarning("skipping private-cache: %s is not a directory\n", cache); free(cache); return; } diff -Nru firejail-0.9.60/src/firejail/fs_dev.c firejail-0.9.62/src/firejail/fs_dev.c --- firejail-0.9.60/src/firejail/fs_dev.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/fs_dev.c 2019-12-14 13:30:32.000000000 +0000 
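Review bot: `profile_check_line(cmd, 0, NULL)` is now run on each generated `whitelist` command before `profile_add`, but its return value is discarded in both of the hunks that add it; if it reports whether the line should be kept, as a checker usually does, `profile_add(cmd)` ought to be conditional on it — I cannot see its contract from here, so please confirm. A comment on the call, `// validate and normalise the generated command exactly like a profile line`, would explain why a string the code built itself goes through the profile parser.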
@@ -137,8 +137,8 @@ } static void create_char_dev(const char *path, mode_t mode, int major, int minor) { - dev_t dev = makedev(major, minor); - if (mknod(path, S_IFCHR | mode, dev) == -1) + dev_t device = makedev(major, minor); + if (mknod(path, S_IFCHR | mode, device) == -1) goto errexit; if (chmod(path, mode) < 0) goto errexit; diff -Nru firejail-0.9.60/src/firejail/fs_etc.c firejail-0.9.62/src/firejail/fs_etc.c --- firejail-0.9.60/src/firejail/fs_etc.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/fs_etc.c 2019-12-14 13:30:32.000000000 +0000 @@ -141,6 +141,13 @@ assert(private_dir); assert(private_run_dir); assert(private_list); + + // nothing to do if directory does not exist + struct stat s; + if (stat(private_dir, &s) == -1) { + fmessage("Cannot find %s\n", private_dir); + return; + } timetrace_start(); @@ -182,5 +189,10 @@ errExit("mount bind"); fs_logger2("mount", private_dir); + // mask private_run_dir (who knows if there are writable paths, and it is mounted exec) + if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mounting tmpfs"); + fs_logger2("tmpfs", private_run_dir); + fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); } diff -Nru firejail-0.9.60/src/firejail/fs_home.c firejail-0.9.62/src/firejail/fs_home.c --- firejail-0.9.60/src/firejail/fs_home.c 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/firejail/fs_home.c 2019-12-14 13:30:32.000000000 +0000 @@ -110,17 +110,12 @@ } static int store_xauthority(void) { + if (arg_x11_block) + return 0; + // put a copy of .Xauthority in XAUTHORITY_FILE - char *src; char *dest = RUN_XAUTHORITY_FILE; - // create an empty file as root, and change ownership to user - FILE *fp = fopen(dest, "w"); - if (fp) { - fprintf(fp, "\n"); - SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); - fclose(fp); - } - + char *src; if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); 
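Review bot: The masking tmpfs mounted over private_run_dir in the fs_etc.c hunk `@@ -182,5 +189,10 @@` uses `MS_NOSUID | MS_NODEV | MS_STRICTATIME` without `MS_NOEXEC`, although the comment right above it names "it is mounted exec" as the reason for masking in the first place. Nothing is expected to execute from an empty root-owned mask, so `MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME` would match the stated intent and the flags used for the /root and /home masks at `@@ -275,19 +312,18 @@` in fs_home.c. The same omission is in the tmpfs mounted over RUN_HOME_DIR in the fs_home.c hunk `@@ -528,23 +567,52 @@` (`// mask RUN_HOME_DIR, it is writable and not noexec`). The enclosing function starts above this hunk.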
@@ -128,29 +123,37 @@ if (stat(src, &s) == 0) { if (is_link(src)) { fwarning("invalid .Xauthority file\n"); + free(src); return 0; } + // create an empty file as root, and change ownership to user + FILE *fp = fopen(dest, "w"); + if (fp) { + fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); + fclose(fp); + } + else + errExit("fopen"); + copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user fs_logger2("clone", dest); + free(src); return 1; // file copied } + free(src); return 0; } static int store_asoundrc(void) { - // put a copy of .Xauthority in XAUTHORITY_FILE - char *src; - char *dest = RUN_ASOUNDRC_FILE; - // create an empty file as root, and change ownership to user - FILE *fp = fopen(dest, "w"); - if (fp) { - fprintf(fp, "\n"); - SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); - fclose(fp); - } + if (arg_nosound) + return 0; + // put a copy of .asoundrc in ASOUNDRC_FILE + char *dest = RUN_ASOUNDRC_FILE; + char *src; if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) errExit("asprintf"); @@ -164,18 +167,30 @@ fprintf(stderr, "Error: Cannot access %s\n", src); exit(1); } - if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0) { + if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/') { fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n"); exit(1); } free(rp); } + // create an empty file as root, and change ownership to user + FILE *fp = fopen(dest, "w"); + if (fp) { + fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); + fclose(fp); + } + else + errExit("fopen"); + copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user fs_logger2("clone", dest); + free(src); return 1; // file copied } + free(src); return 0; } 
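Review bot: The home-prefix test added at `@@ -164,18 +167,30 @@`, `strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/'`, is one of three copies of the same idiom in this patch (fs_home.c `@@ -425,17 +466,15 @@` and fs_whitelist.c `@@ -46,9 +46,10 @@` repeat it), each spelling the boundary check slightly differently. A small helper such as `static int in_homedir(const char *path)` returning whether path is strictly below cfg.homedir would keep the three in step and avoid evaluating `strlen(cfg.homedir)` twice in one condition. The fix itself is right: without the `'/'` test a path like `/home/user2/x` passed the old prefix check for a home of `/home/user` (constructed example). store_asoundrc() begins in the previous hunk and the code that produces `rp` is above this one.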
@@ -194,13 +209,14 @@ copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); + free(dest); // delete the temporary file unlink(src); } static void copy_asoundrc(void) { - // copy XAUTHORITY_FILE in the new home directory + // copy ASOUNDRC_FILE in the new home directory char *src = RUN_ASOUNDRC_FILE ; char *dest; if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) @@ -214,6 +230,7 @@ copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); + free(dest); // delete the temporary file unlink(src); 
@@ -239,31 +256,51 @@ // mount bind private_homedir on top of homedir if (arg_debug) printf("Mount-bind %s on top of %s\n", private_homedir, homedir); - // get a file descriptor for private_homedir, fails if there is any symlink - int fd = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("safe_fd"); - // check if new home directory is owned by the user + // get file descriptors for homedir and private_homedir, fails if there is any symlink + int src = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (src == -1) + errExit("opening private directory"); + int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (dst == -1) + errExit("opening home directory"); + // both mount source and target should be owned by the user struct stat s; - if (fstat(fd, &s) == -1) + if (fstat(src, &s) == -1) errExit("fstat"); - if (s.st_uid != getuid()) { + if (s.st_uid != u) { fprintf(stderr, "Error: private directory is not owned by the current user\n"); exit(1); } if ((S_IRWXU & s.st_mode) != S_IRWXU) fwarning("no full permissions on private directory\n"); - // mount via the link in /proc/self/fd - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + if (fstat(dst, &s) == -1) + errExit("fstat"); + if (s.st_uid != u) { + fprintf(stderr, "Error: cannot mount private directory:\n" + "Home directory is not owned by the current user\n"); + exit(1); + } + // mount via the links in /proc/self/fd + char *proc_src, *proc_dst; + if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1) + errExit("asprintf"); + if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) errExit("asprintf"); - if (mount(proc, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) + if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) errExit("mount bind"); - free(proc); - close(fd); + free(proc_src); + free(proc_dst); + close(src); + close(dst); + // check /proc/self/mountinfo 
to confirm the mount is ok + MountData *mptr = get_last_mount(); + size_t len = strlen(homedir); + if (strncmp(mptr->dir, homedir, len) != 0 || + (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) + errLogExit("invalid private mount"); - fs_logger3("mount-bind", private_homedir, cfg.homedir); - fs_logger2("whitelist", cfg.homedir); + fs_logger3("mount-bind", private_homedir, homedir); + fs_logger2("whitelist", homedir); // preserve mode and ownership // if (chown(homedir, s.st_uid, s.st_gid) == -1) // errExit("mount-bind chown"); @@ -275,19 +312,18 @@ if (arg_debug) printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /root directory"); fs_logger("tmpfs /root"); } - else { + if (u == 0 && !arg_allusers) { // mask /home if (arg_debug) printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /home directory"); fs_logger("tmpfs /home"); } - skel(homedir, u, g); if (xflag) copy_xauthority(); @@ -310,15 +346,15 @@ int aflag = store_asoundrc(); // mask /home - if (arg_debug) - printf("Mounting a new /home directory\n"); if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root ; else { + if (arg_debug) + printf("Mounting a new /home directory\n"); if (arg_allusers) - fwarning("--allusers disabled by --private or --whitelist\n"); + fwarning("allusers option disabled by private or whitelist option\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /home directory"); fs_logger("tmpfs /home"); } 
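Review bot: The post-mount check at the end of `@@ -239,31 +256,51 @@` deliberately accepts `mptr->dir` being a child of homedir (`*(mptr->dir + len) != '/'`), but the reason is not stated in this function. The equivalent check in fs_whitelist.c carries `// strcmp does not work here, because mptr->dir can be a child mount`, and the same explanation fits here since the bind is `MS_REC` and can bring submounts of private_homedir along. Suggest `// MS_REC may have carried submounts of private_homedir, so the last mount can be a child of homedir` above the strncmp. The function starts above the hunk.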
@@ -326,23 +362,29 @@ if (arg_debug) printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0) - errExit("mounting root directory"); + errExit("mounting /root directory"); fs_logger("tmpfs /root"); if (u != 0) { - // create /home/user - if (arg_debug) - printf("Create a new user directory\n"); - if (mkdir(homedir, S_IRWXU) == -1) { - if (mkpath_as_root(homedir) == -1) - errExit("mkpath"); - if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST) - errExit("mkdir"); + if (strncmp(homedir, "/home/", 6) == 0) { + // create /home/user + if (arg_debug) + printf("Create a new user directory\n"); + if (mkdir(homedir, S_IRWXU) == -1) { + if (mkpath_as_root(homedir) == -1) + errExit("mkpath"); + if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST) + errExit("mkdir"); + } + if (chown(homedir, u, g) < 0) + errExit("chown"); + fs_logger2("mkdir", homedir); + fs_logger2("tmpfs", homedir); } - if (chown(homedir, u, g) < 0) - errExit("chown"); - fs_logger2("mkdir", homedir); - fs_logger2("tmpfs", homedir); + else + // user directory is outside /home, mask it as well + // check if directory is owned by the current user + fs_tmpfs(homedir, 1); } skel(homedir, u, g); @@ -350,7 +392,6 @@ copy_xauthority(); if (aflag) copy_asoundrc(); - } // check new private home directory (--private= option) - exit if it fails 
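Review bot: The `else` branch added at `@@ -326,23 +362,29 @@` is documented by two fragments, `// user directory is outside /home, mask it as well` and `// check if directory is owned by the current user`, and a reader of the hunk cannot tell whether fs_tmpfs() or its second argument performs the ownership check. A single comment stating the contract, e.g. `// homedir is not under /home, so the /home tmpfs does not hide it: mount a tmpfs over it instead (fs_tmpfs verifies it is owned by the user)`, would read better, assuming that is what the `1` argument requests. The `/home/` branch creates the directory as root and then chown()s it, while the other branch relies on an existing directory; a short note on that asymmetry would also help. The enclosing function continues outside the hunk on both sides.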
@@ -425,17 +466,15 @@ goto errexit; } else { - // check the file is in user home directory, a full home directory is not allowed + // check the file is in user home directory char *rname = realpath(fname, NULL); - if (!rname || - strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 || - strcmp(rname, cfg.homedir) == 0) + if (!rname || strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0) goto errexit; - - // only top files and directories in user home are allowed + // a full home directory is not allowed char *ptr = rname + strlen(cfg.homedir); if (*ptr != '/') goto errexit; + // only top files and directories in user home are allowed ptr = strchr(++ptr, '/'); if (ptr) { fprintf(stderr, "Error: only top files and directories in user home are allowed\n"); @@ -464,14 +503,14 @@ } else if (S_ISDIR(s.st_mode)) { // create the directory in RUN_HOME_DIR - char *name; + char *path; char *ptr = strrchr(fname, '/'); ptr++; - if (asprintf(&name, "%s/%s", RUN_HOME_DIR, ptr) == -1) + if (asprintf(&path, "%s/%s", RUN_HOME_DIR, ptr) == -1) errExit("asprintf"); - mkdir_attr(name, 0755, getuid(), getgid()); - sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, name); - free(name); + mkdir_attr(path, 0755, getuid(), getgid()); + sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, path); + free(path); } else sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, RUN_HOME_DIR); 
@@ -528,23 +567,52 @@ if (arg_debug) printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir); - if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) + int fd = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("opening home directory"); + // home directory should be owned by the user + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (s.st_uid != uid) { + fprintf(stderr, "Error: cannot mount private directory:\n" + "Home directory is not owned by the current user\n"); + exit(1); + } + // mount using the file descriptor + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); + free(proc); + close(fd); + // check /proc/self/mountinfo to confirm the mount is ok + MountData *mptr = get_last_mount(); + if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) + errLogExit("invalid private-home mount"); fs_logger2("tmpfs", homedir); + // mask RUN_HOME_DIR, it is writable and not noexec + if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mounting tmpfs"); + fs_logger2("tmpfs", RUN_HOME_DIR); + if (uid != 0) { // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=700,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /root directory"); + fs_logger("tmpfs /root"); } - else { + if (uid == 0 && !arg_allusers) { // mask /home if (arg_debug) printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /home directory"); + fs_logger("tmpfs /home"); } skel(homedir, uid, gid); 
@@ -555,5 +623,4 @@ if (!arg_quiet) fprintf(stderr, "Home directory installed in %0.2f ms\n", timetrace_end()); - } diff -Nru firejail-0.9.60/src/firejail/fs_trace.c firejail-0.9.62/src/firejail/fs_trace.c --- firejail-0.9.60/src/firejail/fs_trace.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/fs_trace.c 2019-12-14 13:30:32.000000000 +0000 
@@ -43,6 +43,46 @@ } } +void fs_tracefile(void) { + // create a bind mounted trace logfile that the sandbox can see + if (arg_debug) + printf("Creating an empty trace log file: %s\n", arg_tracefile); + EUID_USER(); + int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); + if (fd == -1) { + perror("open"); + fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile); + exit(1); + } + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + fprintf(stderr, "Error: cannot write trace log: %s is no regular file\n", arg_tracefile); + exit(1); + } + if (ftruncate(fd, 0) == -1) + errExit("ftruncate"); + EUID_ROOT(); + FILE *fp = fopen(RUN_TRACE_FILE, "w"); + if (!fp) + errExit("fopen " RUN_TRACE_FILE); + fclose(fp); + fs_logger2("touch ", arg_tracefile); + // mount using the symbolic link in /proc/self/fd + if (arg_debug) + printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind " RUN_TRACE_FILE); + free(proc); + close(fd); + // now that RUN_TRACE_FILE is user-writable, mount it noexec + fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0); +} + void fs_trace(void) { // create the new ld.so.preload file and mount-bind it if (arg_debug) diff -Nru firejail-0.9.60/src/firejail/fs_whitelist.c firejail-0.9.62/src/firejail/fs_whitelist.c --- firejail-0.9.60/src/firejail/fs_whitelist.c 2019-05-17 15:49:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/fs_whitelist.c 2019-12-14 13:30:32.000000000 +0000 
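Review bot: In fs_tracefile() the trace file is created with `S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH`, mixing the obsolete `S_IWRITE` alias with the POSIX names; `S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH` is the consistent spelling, and since the trace presumably records what the sandboxed program does, `S_IRUSR | S_IWUSR` would be the more conservative mode for a file the user did not pre-create. The open() runs with user privileges and the following fstat()/S_ISREG check rejects non-regular targets, but adding `O_NOFOLLOW|O_NOCTTY` to the flags would fail early on a symlink or a terminal instead of opening them first, and note that O_WRONLY on a FIFO blocks inside open() before the S_ISREG check is reached. The `fs_logger2("touch ", arg_tracefile)` tag carries a trailing space, unlike the other fs_logger2 tags in this patch (`"tmpfs"`, `"clone"`, `"mkdir"`).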
@@ -46,9 +46,10 @@ assert(path && *path); mode |= 0111; - // create directories with uid/gid as root or as current user if inside home or run directory + // create directories with uid/gid as root, or as current user if inside home or run/user/$uid directory int userprivs = 0; - if (strncmp(path, cfg.homedir, homedir_len) == 0 || strncmp(path, runuser, runuser_len) == 0) { + if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || + (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { EUID_USER(); userprivs = 1; } @@ -122,7 +123,7 @@ const char *fname; char *wfile = NULL; - if (entry->home_dir) { + if (entry->wldir == WLDIR_HOME) { if (strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') // either symlink pointing outside home directory // or entire home directory, skip the mount @@ -133,25 +134,25 @@ if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->tmp_dir) { + else if (entry->wldir == WLDIR_TMP) { fname = path + 5; // strlen("/tmp/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->media_dir) { + else if (entry->wldir == WLDIR_MEDIA) { fname = path + 7; // strlen("/media/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->mnt_dir) { + else if (entry->wldir == WLDIR_MNT) { fname = path + 5; // strlen("/mnt/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->var_dir) { + else if (entry->wldir == WLDIR_VAR) { if (strncmp(path, "/var/", 5) != 0) // symlink pointing outside /var, skip the mount return; 
@@ -161,7 +162,7 @@ if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->dev_dir) { + else if (entry->wldir == WLDIR_DEV) { if (strncmp(path, "/dev/", 5) != 0) // symlink pointing outside /dev, skip the mount return; @@ -171,19 +172,19 @@ if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->opt_dir) { + else if (entry->wldir == WLDIR_OPT) { fname = path + 5; // strlen("/opt/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->srv_dir) { + else if (entry->wldir == WLDIR_SRV) { fname = path + 5; // strlen("/srv/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->etc_dir) { + else if (entry->wldir == WLDIR_ETC) { if (strncmp(path, "/etc/", 5) != 0) // symlink pointing outside /etc, skip the mount return; @@ -193,19 +194,19 @@ if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->share_dir) { + else if (entry->wldir == WLDIR_SHARE) { fname = path + 11; // strlen("/usr/share/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->module_dir) { + else if (entry->wldir == WLDIR_MODULE) { fname = path + 12; // strlen("/sys/module/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) errExit("asprintf"); } - else if (entry->run_dir) { + else if (entry->wldir == WLDIR_RUN) { fname = path + runuser_len + 1; // strlen("/run/user/$uid/") if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_RUN_USER_DIR, fname) == -1) @@ -237,11 +238,6 @@ return; } -#ifdef TEST_MOUNTINFO - printf("TEST_MOUNTINFO\n"); - path = "/etc/."; -#endif - // create path of the mount target if necessary int fd2 = mkpath(path, 0755); if (fd2 == -1) { 
@@ -294,7 +290,8 @@ fs_logger2("whitelist", path); - // mount via the link in /proc/self/fd + // in order to make this mount resilient against symlink attacks, use + // a magic link in /proc/self/fd instead of mounting on path directly char *proc; if (asprintf(&proc, "/proc/self/fd/%d", fd3) == -1) errExit("asprintf"); @@ -305,7 +302,10 @@ // check the last mount operation MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found - +#ifdef TEST_MOUNTINFO + printf("TEST_MOUNTINFO\n"); + mptr->dir = "foo"; +#endif // confirm the file was mounted on the right target // strcmp does not work here, because mptr->dir can be a child mount size_t path_len = strlen(path); @@ -316,7 +316,7 @@ // - there should be more than one '/' char in dest string if (mptr->dir == strrchr(mptr->dir, '/')) errLogExit("invalid whitelist mount"); - // confirm the right file was mounted + // confirm the right file was mounted by comparing device and inode numbers int fd4 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); if (fd4 == -1) errExit("safe_fd"); @@ -331,6 +331,20 @@ return; } +static void whitelist_home(int topdir) { + ProfileEntry entry; + memset(&entry, 0, sizeof(entry)); + char *cmd; + if (asprintf(&cmd, "whitelist %s", cfg.homedir) == -1) + errExit("asprintf"); + entry.data = cmd; + entry.wldir = topdir; + // creates path owned by root, except homedir is inside /run/user/$uid + // does nothing if homedir does not exist + whitelist_path(&entry); + free(cmd); +} + void fs_whitelist(void) { ProfileEntry *entry = cfg.profile; @@ -510,7 +524,7 @@ continue; } - entry->home_dir = 1; + entry->wldir = WLDIR_HOME; home_dir = 1; if (arg_debug || arg_debug_whitelists) fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", @@ -528,7 +542,7 @@ } } else if (strncmp(new_name, "/tmp/", 5) == 0) { - entry->tmp_dir = 1; + entry->wldir = WLDIR_TMP; tmp_dir = 1; // both path and absolute path are under /tmp 
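Review bot: whitelist_home() at `@@ -331,6 +331,20 @@` takes `int topdir` but every caller passes a `WLDIR_*` constant and the value is stored in `entry.wldir`; if those constants are an enum type, using it for the parameter lets the compiler flag a stray integer. The comment `// creates path owned by root, except homedir is inside /run/user/$uid` reads as a fragment; suggest `// whitelist_path() creates the mount point as root, or as the user when homedir is under /run/user/$uid`, which matches the rule in the `@@ -46,9 +46,10 @@` hunk. The `mptr->dir = "foo";` line under `#ifdef TEST_MOUNTINFO` assigns a string literal to a field that is presumably a non-const `char *`; a cast would avoid a warning in test builds, though this is test-only code.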
@@ -538,7 +552,7 @@ } } else if (strncmp(new_name, "/media/", 7) == 0) { - entry->media_dir = 1; + entry->wldir = WLDIR_MEDIA; media_dir = 1; // both path and absolute path are under /media if (strncmp(fname, "/media/", 7) != 0) { @@ -547,7 +561,7 @@ } } else if (strncmp(new_name, "/mnt/", 5) == 0) { - entry->mnt_dir = 1; + entry->wldir = WLDIR_MNT; mnt_dir = 1; // both path and absolute path are under /mnt if (strncmp(fname, "/mnt/", 5) != 0) { @@ -556,7 +570,7 @@ } } else if (strncmp(new_name, "/var/", 5) == 0) { - entry->var_dir = 1; + entry->wldir = WLDIR_VAR; var_dir = 1; // both path and absolute path are under /var // exceptions: /var/tmp, /var/run and /var/lock @@ -572,7 +586,7 @@ } } else if (strncmp(new_name, "/dev/", 5) == 0) { - entry->dev_dir = 1; + entry->wldir = WLDIR_DEV; dev_dir = 1; // special handling for /dev/shm // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm @@ -593,7 +607,7 @@ } } else if (strncmp(new_name, "/opt/", 5) == 0) { - entry->opt_dir = 1; + entry->wldir = WLDIR_OPT; opt_dir = 1; // both path and absolute path are under /dev if (strncmp(fname, "/opt/", 5) != 0) { @@ -602,7 +616,7 @@ } } else if (strncmp(new_name, "/srv/", 5) == 0) { - entry->srv_dir = 1; + entry->wldir = WLDIR_SRV; srv_dir = 1; // both path and absolute path are under /srv if (strncmp(fname, "/srv/", 5) != 0) { @@ -611,7 +625,7 @@ } } else if (strncmp(new_name, "/etc/", 5) == 0) { - entry->etc_dir = 1; + entry->wldir = WLDIR_ETC; etc_dir = 1; // special handling for some of the symlinks if (strcmp(new_name, "/etc/localtime") == 0); @@ -626,7 +640,7 @@ } } else if (strncmp(new_name, "/usr/share/", 11) == 0) { - entry->share_dir = 1; + entry->wldir = WLDIR_SHARE; share_dir = 1; // both path and absolute path are under /etc if (strncmp(fname, "/usr/share/", 11) != 0) { 
@@ -635,7 +649,7 @@ } } else if (strncmp(new_name, "/sys/module/", 12) == 0) { - entry->module_dir = 1; + entry->wldir = WLDIR_MODULE; module_dir = 1; // both path and absolute path are under /sys/module if (strncmp(fname, "/sys/module/", 12) != 0) { @@ -644,7 +658,7 @@ } } else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') { - entry->run_dir = 1; + entry->wldir = WLDIR_RUN; run_dir = 1; // both path and absolute path are under /run/user/$uid if (strncmp(fname, runuser, runuser_len) != 0 || fname[runuser_len] != '/') { 
@@ -706,35 +720,44 @@ free(nowhitelist); EUID_ROOT(); - // /home/user mountpoint - if (home_dir) { - // check if /home/user directory exists - if (stat(cfg.homedir, &s) == 0) { - // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR - mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); - if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + // /tmp mountpoint + if (tmp_dir) { + // check if /tmp directory exists + if (stat("/tmp", &s) == 0) { + // keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR + mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); + if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); - // mount a tmpfs and initialize /home/user, overrides --allusers - fs_private(); + // mount tmpfs on /tmp + if (arg_debug || arg_debug_whitelists) + printf("Mounting tmpfs on /tmp directory\n"); + if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0) + errExit("mounting tmpfs on /tmp"); + fs_logger("tmpfs /tmp"); + + // pam-tmpdir - issue #2685 + char *env = getenv("TMP"); + if (env) { + char *pamtmpdir; + if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) + errExit("asprintf"); + if (strcmp(env, pamtmpdir) == 0) { + // create empty user-owned /tmp/user/$uid directory + mkdir_attr("/tmp/user", 0711, 0, 0); + fs_logger("mkdir /tmp/user"); + mkdir_attr(pamtmpdir, 0700, getuid(), 0); + fs_logger2("mkdir", pamtmpdir); + } + free(pamtmpdir); + } + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/tmp/", 5) == 0) + whitelist_home(WLDIR_TMP); } else - home_dir = 0; - } - - // /tmp mountpoint - if (tmp_dir) { - // keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR - mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); - if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /tmp - if (arg_debug || arg_debug_whitelists) 
- printf("Mounting tmpfs on /tmp directory\n"); - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0) - errExit("mounting tmpfs on /tmp"); - fs_logger("tmpfs /tmp"); + tmp_dir = 0; } // /media mountpoint @@ -752,6 +775,10 @@ if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /media"); fs_logger("tmpfs /media"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/media/", 7) == 0) + whitelist_home(WLDIR_MEDIA); } else media_dir = 0; 
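Review bot: The pam-tmpdir directory created at `@@ -706,35 +720,44 @@` with `mkdir_attr(pamtmpdir, 0700, getuid(), 0)` gets group 0, whereas the comment calls it "user-owned" and the other user-owned runtime directory in this file, RUN_WHITELIST_HOME_USER_DIR (`@@ -927,11 +991,38 @@`), is created with `getuid(), getgid()`; with mode 0700 the group has no effect, so either `getgid()` for consistency or a comment saying the group is deliberately root would settle it. `getenv("TMP")` is caller-controlled, and the code only acts when it equals the computed `/tmp/user/<uid>` string, so an arbitrary value cannot steer the mkdir; a comment making that reasoning explicit would help the next reader. This hunk also holds the first of nine `autowhitelist home directory` blocks that differ only in prefix and WLDIR_* value; a small table would remove the repetition.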
@@ -772,40 +799,61 @@ if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /mnt"); fs_logger("tmpfs /mnt"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/mnt/", 5) == 0) + whitelist_home(WLDIR_MNT); } else mnt_dir = 0; } - // /var mountpoint if (var_dir) { - // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR - mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); - if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); + // check if /var directory exists + if (stat("/var", &s) == 0) { + // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR + mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); + if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); - // mount tmpfs on /var - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /var directory\n"); - if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /var"); - fs_logger("tmpfs /var"); + // mount tmpfs on /var + if (arg_debug || arg_debug_whitelists) + printf("Mounting tmpfs on /var directory\n"); + if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mounting tmpfs on /var"); + fs_logger("tmpfs /var"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/var/", 5) == 0) + whitelist_home(WLDIR_VAR); + } + else + var_dir = 0; } // /dev mountpoint if (dev_dir) { - // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR - mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); - if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) - errExit("mount bind"); + // check if /dev directory exists + if (stat("/dev", &s) == 0) { + // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR + mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 
0, 0); + if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) + errExit("mount bind"); - // mount tmpfs on /dev - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /dev directory\n"); - if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /dev"); - fs_logger("tmpfs /dev"); + // mount tmpfs on /dev + if (arg_debug || arg_debug_whitelists) + printf("Mounting tmpfs on /dev directory\n"); + if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mounting tmpfs on /dev"); + fs_logger("tmpfs /dev"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/dev/", 5) == 0) + whitelist_home(WLDIR_DEV); + } + else + dev_dir = 0; } // /opt mountpoint @@ -823,6 +871,10 @@ if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /opt"); fs_logger("tmpfs /opt"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/opt/", 5) == 0) + whitelist_home(WLDIR_OPT); } else opt_dir = 0; @@ -843,6 +895,10 @@ if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /srv"); fs_logger("tmpfs /srv"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/srv/", 5) == 0) + whitelist_home(WLDIR_SRV); } else srv_dir = 0; 
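Review bot: The bind mount of /dev at `@@ -772,40 +799,61 @@` still passes `"mode=755,gid=0"` as the data argument, `mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0")`; the data string is ignored for a bind mount, and every other bind mount in this file passes NULL. Since the line is re-indented by this commit anyway, changing the last argument to `NULL` would remove the misleading option. The new `stat("/var", &s)` and `stat("/dev", &s)` guards bring these two blocks in line with the existence check the other mountpoints already had.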
@@ -857,12 +913,16 @@ if (mount("/etc", RUN_WHITELIST_ETC_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); - // mount tmpfs on /srv + // mount tmpfs on /etc if (arg_debug || arg_debug_whitelists) printf("Mounting tmpfs on /etc directory\n"); if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /etc"); fs_logger("tmpfs /etc"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/etc/", 5) == 0) + whitelist_home(WLDIR_ETC); } else etc_dir = 0; @@ -883,6 +943,10 @@ if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /usr/share"); fs_logger("tmpfs /usr/share"); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, "/usr/share/", 11) == 0) + whitelist_home(WLDIR_SHARE); } else share_dir = 0; @@ -908,7 +972,7 @@ module_dir = 0; } - // /run/user mountpoint + // /run/user/$uid mountpoint if (run_dir) { // check if /run/user/$uid directory exists if (stat(runuser, &s) == 0) { 
@@ -927,11 +991,38 @@ errExit("mounting tmpfs on /run/user/"); free(options); fs_logger2("tmpfs", runuser); + + // autowhitelist home directory if it is masked by the tmpfs + if (strncmp(cfg.homedir, runuser, runuser_len) == 0 && cfg.homedir[runuser_len] == '/') + whitelist_home(WLDIR_RUN); } else run_dir = 0; } + // home mountpoint + if (home_dir) { + // check if home directory exists + if (stat(cfg.homedir, &s) == 0) { + // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR + mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); + int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("safe_fd"); + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount(proc, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + free(proc); + close(fd); + + // mount a tmpfs and initialize home directory, overrides --allusers + fs_private(); + } + else + home_dir = 0; + } // go through profile rules again, and interpret whitelist commands entry = cfg.profile; @@ -951,6 +1042,7 @@ // if the link is already there, do not bother if (lstat(entry->link, &s) != 0) { // create the path if necessary + // entry->link has no trailing slashes or single dots int fd = mkpath(entry->link, 0755); if (fd == -1) { if (arg_debug || arg_debug_whitelists) 
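Review bot: The bind of cfg.homedir onto RUN_WHITELIST_HOME_USER_DIR at `@@ -927,11 +991,38 @@` goes through `/proc/self/fd/<fd>` from safe_fd() but, unlike the private-home mounts in fs_home.c (`@@ -239,31 +256,51 @@`, `@@ -528,23 +567,52 @@`) and whitelist_path(), it is not followed by a get_last_mount() check; the target lives under the root-owned runtime directory so the exposure is smaller, but `if (strcmp(get_last_mount()->dir, RUN_WHITELIST_HOME_USER_DIR) != 0) errLogExit("invalid home mount");` would keep the pattern uniform. The block was moved after all other top-level directories, presumably so that whitelist_home() has run before fs_private(); if that is the reason, a comment such as `// must come after the other mountpoints: whitelist_home() may have whitelisted homedir under one of them` would record the ordering dependency. fs_whitelist() continues beyond the hunk.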
@@ -1058,7 +1150,7 @@ fs_logger2("tmpfs", RUN_WHITELIST_MODULE_DIR); } - // mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_MODULE_DIR + // mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_RUN_USER_DIR if (run_dir) { if (mount("tmpfs", RUN_WHITELIST_RUN_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mount tmpfs"); diff -Nru firejail-0.9.60/src/firejail/main.c firejail-0.9.62/src/firejail/main.c --- firejail-0.9.60/src/firejail/main.c 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/firejail/main.c 2019-12-14 13:30:32.000000000 +0000 @@ -26,7 +26,6 @@ #include #include #include -#include #include #include #include @@ -38,11 +37,27 @@ #include #include +#include +#ifndef O_PATH +#define O_PATH 010000000 +#endif + +#ifdef __ia64__ +/* clone(2) has a different interface on ia64, as it needs to know + the size of the stack */ +int __clone2(int (*fn)(void *), + void *child_stack_base, size_t stack_size, + int flags, void *arg, ... + /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); +#endif + uid_t firejail_uid = 0; gid_t firejail_gid = 0; #define STACK_SIZE (1024 * 1024) -static char child_stack[STACK_SIZE]; // space for child's stack +#define STACK_ALIGNMENT 16 +static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack + Config cfg; // configuration int arg_private = 0; // mount private /home and /tmp directoryu int arg_private_cache = 0; // mount private home/.cache @@ -67,6 +82,7 @@ char *arg_caps_list = NULL; // optional caps list int arg_trace = 0; // syscall tracing support +char *arg_tracefile = NULL; // syscall tracing file int arg_tracelog = 0; // blacklist tracing support int arg_rlimit_cpu = 0; // rlimit max cpu time int arg_rlimit_nofile = 0; // rlimit nofile 
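Review bot: The fallback `#define O_PATH 010000000` at `@@ -38,11 +37,27 @@` hard-codes the generic Linux value, but O_PATH belongs to the per-architecture fcntl ABI and not every architecture uses that constant, so on such a build this yields a wrong flag instead of a compile error. If `<fcntl.h>` is already included with `_GNU_SOURCE`, an `#error "O_PATH not available"` under the `#ifndef O_PATH` would be safer than supplying a number. The `STACK_ALIGNMENT` attribute on child_stack is a good change; a comment such as `// clone(2) expects a suitably aligned stack top on several architectures` would explain it. The `__clone2` prototype is only declared here; its call site is outside the hunk.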
@@ -126,7 +142,7 @@ int arg_nodvd = 0; // --nodvd int arg_nodbus = 0; // -nodbus int arg_nou2f = 0; // --nou2f -int arg_deterministic_exit_code = 0; // always exit with first childs exit status +int arg_deterministic_exit_code = 0; // always exit with first child's exit status int login_shell = 0; @@ -233,6 +249,32 @@ return pid; } +// return 1 if there is a link somewhere in path of directory +static int has_link(const char *dir) { + assert(dir); + int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) { + if (errno == ENOTDIR && is_dir(dir)) + return 1; + } + else + close(fd); + return 0; +} + +static void check_homedir(void) { + assert(cfg.homedir); + if (cfg.homedir[0] != '/') { + fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); + exit(1); + } + // symlinks are rejected in many places + if (has_link(cfg.homedir)) { + fprintf(stderr, "No full support for symbolic links in path of user directory.\n" + "Please provide resolved path in password database (/etc/passwd).\n\n"); + } +} + // init configuration static void init_cfg(int argc, char **argv) { EUID_ASSERT(); @@ -255,14 +297,15 @@ if (!cfg.username) errExit("strdup"); - // build home directory name - cfg.homedir = NULL; - if (pw->pw_dir != NULL) { - cfg.homedir = clean_pathname(pw->pw_dir); - assert(cfg.homedir); - } - else { - fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); + // check user database + if (!firejail_user_check(cfg.username)) { + fprintf(stderr, "Error: the user is not allowed to use Firejail.\n" + "Please add the user in %s/firejail.users file,\n" + "either by running \"sudo firecfg\", or by editing the file directly.\n" + "See \"man firejail-users\" for more details.\n\n", SYSCONFDIR); + + // attempt to run the program as is + run_symlink(argc, argv, 1); exit(1); } 
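Review bot: `has_link()` in the -233,6 hunk reports 0 ("no link") for every `safe_fd()` failure except ENOTDIR, so an ENOENT or EACCES on the home path is silently treated as link-free, and `check_homedir()` itself only warns and continues, while later code in this diff (fs_whitelist.c, restrict_users.c) hard-fails with `errExit("safe_fd")` on the same symlinked path. Both behaviours may be intended, but neither is stated; above the final `return 0;` add `// other errors (ENOENT, EACCES, ...) are not link related; sandbox setup reports them later`, and in `check_homedir()` add `// warning only: mount setup fails with an error if the link is actually hit`. Whether the later hard failure is the intended outcome rather than an error here is not visible from this hunk.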
@@ -270,17 +313,13 @@ if (!cfg.cwd && errno != ENOENT) errExit("getcwd"); - // check user database - if (!firejail_user_check(cfg.username)) { - fprintf(stderr, "Error: the user is not allowed to use Firejail. " - "Please add the user in %s/firejail.users file, " - "either by running \"sudo firecfg\", or by editing the file directly.\n" - "See \"man firejail-users\" for more details.\n", SYSCONFDIR); - - // attempt to run the program as is - run_symlink(argc, argv, 1); + // build home directory name + if (pw->pw_dir == NULL) { + fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); exit(1); } + cfg.homedir = clean_pathname(pw->pw_dir); + check_homedir(); // initialize random number generator sandbox_pid = getpid(); @@ -915,9 +954,14 @@ // sanitize the umask orig_umask = umask(022); + // argument count should be larger than 0 + if (argc == 0) { + fprintf(stderr, "Error: argv[0] is NULL\n"); + exit(1); + } + // check if the user is allowed to use firejail init_cfg(argc, argv); - assert(cfg.homedir); // get starting timestamp, process --quiet start_timestamp = getticks(); @@ -1261,6 +1305,26 @@ } else if (strcmp(argv[i], "--trace") == 0) arg_trace = 1; + else if (strncmp(argv[i], "--trace=", 8) == 0) { + arg_trace = 1; + arg_tracefile = argv[i] + 8; + if (*arg_tracefile == '\0') { + fprintf(stderr, "Error: invalid trace option\n"); + exit(1); + } + invalid_filename(arg_tracefile, 0); // no globbing + if (strstr(arg_tracefile, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile); + exit(1); + } + // if the filename starts with ~, expand the home directory + if (*arg_tracefile == '~') { + char *tmp; + if (asprintf(&tmp, "%s%s", cfg.homedir, arg_tracefile + 1) == -1) + errExit("asprintf"); + arg_tracefile = tmp; + } + } else if (strcmp(argv[i], "--tracelog") == 0) arg_tracelog = 1; else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { 
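Review bot: The `--trace=` parsing added in the -1261,6 hunk reproduces the `--chroot=` sequence from the next hunk almost line for line (empty check, `invalid_filename`, `..` rejection, `~` expansion via `asprintf` with `cfg.homedir`); a small helper such as `expand_home_path(const char *opt)` returning the expanded string would keep the two in sync and make further file-valued options cheaper to add. Note also that `strstr(arg_tracefile, "..")` rejects any name containing two consecutive dots (e.g. `trace..log`), not only parent-directory components, which deserves a comment if intentional. The trace file is opened by `fs_tracefile()` (preproc.c hunk in this diff), whose body is not shown, so whether a relative path is resolved against the caller's cwd at that point cannot be confirmed here. The enclosing option loop starts and ends outside the hunk.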
@@ -1498,6 +1562,7 @@ exit_err_feature("overlayfs"); } #endif +#ifdef HAVE_FIRETUNNEL else if (strcmp(argv[i], "--tunnel") == 0) { // try to connect to the default client side of the tunnel // if this fails, try the default server side of the tunnel @@ -1523,7 +1588,7 @@ exit(1); } } - +#endif else if (strncmp(argv[i], "--profile=", 10) == 0) { // multiple profile files are allowed! @@ -1596,12 +1661,14 @@ fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n"); exit(1); } - - - invalid_filename(argv[i] + 9, 0); // no globbing - // extract chroot dirname cfg.chrootdir = argv[i] + 9; + if (*cfg.chrootdir == '\0') { + fprintf(stderr, "Error: invalid chroot option\n"); + exit(1); + } + invalid_filename(cfg.chrootdir, 0); // no globbing + // if the directory starts with ~, expand the home directory if (*cfg.chrootdir == '~') { char *tmp; @@ -1609,22 +1676,8 @@ errExit("asprintf"); cfg.chrootdir = tmp; } - - if (strstr(cfg.chrootdir, "..") || is_link(cfg.chrootdir)) { - fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir); - return 1; - } - - // check chroot dirname exists, don't allow "--chroot=/" - char *rpath = realpath(cfg.chrootdir, NULL); - if (rpath == NULL || strcmp(rpath, "/") == 0) { - fprintf(stderr, "Error: invalid chroot directory\n"); - exit(1); - } - cfg.chrootdir = rpath; - - // check chroot directory structure - fs_check_chroot_dir(cfg.chrootdir); + // check chroot directory + fs_check_chroot_dir(); } else exit_err_feature("chroot"); @@ -2158,8 +2211,8 @@ else if (cfg.dns4 == NULL) cfg.dns4 = dns; else { - fprintf(stderr, "Error: up to 4 DNS servers can be specified\n"); - return 1; + fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns); + free(dns); } } 
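Review bot: The -1609,22 hunk deletes the parse-time rejections for `--chroot` (`..` in the path, `is_link()`, a failing `realpath()` and the `--chroot=/` case) and replaces them with a bare `fs_check_chroot_dir()` call; that function's new body is not part of this diff, so it cannot be confirmed here that it re-implements those checks, in particular the refusal of `/` and of a symlinked directory. If it does, a one-line comment at the call site saves the next reader the lookup, e.g. `// rejects "/", symlinks and ".." components, then validates the directory layout`; if it does not, the removed checks should be restored before the call. `cfg.chrootdir` is also no longer canonicalised with `realpath()` here, so any later code that compares it with resolved paths should be re-checked.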
@@ -2539,10 +2592,18 @@ EUID_ASSERT(); EUID_ROOT(); +#ifdef __ia64__ + child = __clone2(sandbox, + child_stack, + STACK_SIZE, + flags, + NULL); +#else child = clone(sandbox, child_stack + STACK_SIZE, flags, NULL); +#endif if (child == -1) errExit("clone"); EUID_USER(); diff -Nru firejail-0.9.60/src/firejail/Makefile.in firejail-0.9.62/src/firejail/Makefile.in --- firejail-0.9.60/src/firejail/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -8,7 +8,7 @@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o firejail *.gcov *.gcda *.gcno +clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/firejail/mountinfo.c firejail-0.9.62/src/firejail/mountinfo.c --- firejail-0.9.60/src/firejail/mountinfo.c 2019-05-17 15:49:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/mountinfo.c 2019-12-14 13:30:32.000000000 +0000 @@ -33,7 +33,7 @@ // Convert octal escape sequence to decimal value static int read_oct(const char *path) { - int decimal = 0; + int dec = 0; int digit, i; // there are always exactly three octal digits for (i = 1; i < 4; i++) { 
@@ -42,29 +42,26 @@ fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); exit(1); } - decimal = (decimal + digit - '0') * 8; + dec = (dec << 3) + (digit - '0'); } - decimal /= 8; - return decimal; + return dec; } // Restore empty spaces in pathnames extracted from /proc/self/mountinfo static void unmangle_path(char *path) { char *p = strchr(path, '\\'); - if (p) { - if (read_oct(p) == ' ') { - *p = ' '; - int i = 3; - do { - p++; - if (*(p + i) == '\\' && read_oct(p + i) == ' ') { - *p = ' '; - i += 3; - } - else - *p = *(p + i); - } while (*p); - } + if (p && read_oct(p) == ' ') { + *p = ' '; + int i = 3; + do { + p++; + if (*(p + i) == '\\' && read_oct(p + i) == ' ') { + *p = ' '; + i += 3; + } + else + *p = *(p + i); + } while (*p); } } @@ -136,7 +133,6 @@ // open /proc/self/mountinfo FILE *fp = fopen("/proc/self/mountinfo", "re"); if (!fp) { - perror("fopen"); fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); exit(1); } @@ -167,31 +163,24 @@ if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) errExit("asprintf"); FILE *fp = fopen(fdinfo, "re"); - if (!fp) { - perror("fopen"); - fprintf(stderr, "Error: cannot open %s\n", fdinfo); - exit(1); - } + free(fdinfo); + if (!fp) + goto errexit; // read the file char buf[MAX_BUF]; - if (fgets(buf, MAX_BUF, fp) == NULL) { - fprintf(stderr, "Error: cannot read %s\n", fdinfo); - exit(1); - } + if (fgets(buf, MAX_BUF, fp) == NULL) + goto errexit; do { if (strncmp(buf, "mnt_id:", 7) == 0) { char *ptr = buf + 7; while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { ptr++; } - if (*ptr == '\0') { - fprintf(stderr, "Error: cannot read %s\n", fdinfo); - exit(1); - } + if (*ptr == '\0') + goto errexit; fclose(fp); close(fd); - free(fdinfo); return atoi(ptr); } } while (fgets(buf, MAX_BUF, fp)); 
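Review bot: Consolidating the failure paths under `goto errexit` in the -167,31 hunk (the label itself is in the next hunk, -199,8) drops the file name from the diagnostic: the old messages named the `/proc/self/fdinfo/%d` path that could not be opened or parsed, the new one says only "cannot read proc file", and `perror("fopen")` is removed here and in the -136,7 and -211,7 hunks, so errno is lost as well. `fd` is still in scope at the label, so `fprintf(stderr, "Error: cannot read /proc/self/fdinfo/%d: %s\n", fd, strerror(errno));` keeps the information at no extra cost (errno is only meaningful on the fopen path, not after the `*ptr == '\0'` check). The enclosing function starts outside this hunk.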
@@ -199,8 +188,11 @@ // fallback, kernels older than 3.15 don't expose the mount id in this place fclose(fp); close(fd); - free(fdinfo); return -2; + +errexit: + fprintf(stderr, "Error: cannot read proc file\n"); + exit(1); } // Check /proc/self/mountinfo if path contains any mounts points. @@ -211,7 +203,6 @@ // open /proc/self/mountinfo FILE *fp = fopen("/proc/self/mountinfo", "re"); if (!fp) { - perror("fopen"); fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); exit(1); } @@ -234,9 +225,9 @@ exit(1); } do { + parse_line(buf, &mntp); // find mount point with mount id if (!found) { - parse_line(buf, &mntp); if (mntp.mountid == mount_id) { // give up if mount id has been reassigned, // don't remount blacklisted path @@ -245,19 +236,17 @@ strstr(mntp.fsname, "firejail.ro.file")) break; - *rv = strdup(path); - if (*rv == NULL) + rv[cnt] = strdup(path); + if (rv[cnt] == NULL) errExit("strdup"); cnt++; found = 1; continue; } - else - continue; + continue; } // from here on add all mount points below path, // don't remount blacklisted paths - parse_line(buf, &mntp); if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/' && strstr(mntp.fsname, "firejail.ro.dir") == NULL && diff -Nru firejail-0.9.60/src/firejail/network.c firejail-0.9.62/src/firejail/network.c --- firejail-0.9.60/src/firejail/network.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/network.c 2019-12-14 13:30:32.000000000 +0000 @@ -229,7 +229,7 @@ continue; char *ptr = buf; - while (*ptr != ' ' && *ptr != '\t') + while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') ptr++; while (*ptr == ' ' || *ptr == '\t') ptr++; diff -Nru firejail-0.9.60/src/firejail/paths.c firejail-0.9.62/src/firejail/paths.c --- firejail-0.9.60/src/firejail/paths.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/paths.c 2019-12-14 13:30:32.000000000 +0000 
@@ -24,6 +24,7 @@ static unsigned int path_cnt = 0; static unsigned int longest_path_elt = 0; +static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning static void init_paths(void) { char *path = getenv("PATH"); char *p; @@ -46,10 +47,9 @@ errExit("calloc"); // fill in 'paths' with pointers to elements of 'path' - char *elt; unsigned int i = 0, j; unsigned int len; - while ((elt = strsep(&path, ":")) != 0) { + while ((elt = strsep(&path, ":")) != NULL) { // skip any entry that is not absolute if (elt[0] != '/') goto skip; @@ -73,7 +73,7 @@ skip:; } - assert(paths[i] == 0); + assert(paths[i] == NULL); // path_cnt may be too big now, if entries were skipped above path_cnt = i+1; } diff -Nru firejail-0.9.60/src/firejail/preproc.c firejail-0.9.62/src/firejail/preproc.c --- firejail-0.9.60/src/firejail/preproc.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/preproc.c 2019-12-14 13:30:32.000000000 +0000 @@ -85,6 +85,10 @@ tmpfs_mounted = 1; fs_logger2("tmpfs", RUN_MNT_DIR); + // open and mount trace file while there are no user-writable files in RUN_MNT_DIR + if (arg_tracefile) + fs_tracefile(); + #ifdef HAVE_SECCOMP create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); diff -Nru firejail-0.9.60/src/firejail/profile.c firejail-0.9.62/src/firejail/profile.c --- firejail-0.9.60/src/firejail/profile.c 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/firejail/profile.c 2019-12-14 13:30:32.000000000 +0000 @@ -143,10 +143,18 @@ return arg_appimage != 0; } +static int check_netoptions(void) { + return (arg_nonetwork || any_bridge_configured()); +} + static int check_nodbus(void) { return arg_nodbus != 0; } +static int check_x11(void) { + return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11")); +} + static int check_disable_u2f(void) { return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0; } 
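Review bot: `check_x11()` in the profile.c -143,10 hunk also returns true when the `FIREJAIL_X11` environment variable is set, and unless the environment is sanitised earlier (not visible here) that variable can come from the caller's shell, not only from x11.c's own `setenv` later in this diff; a user can therefore switch `?HAS_X11:` conditionals on or off from outside. That is fine for convenience rules, but profile authors should not place restrictions behind the conditional that must hold regardless of the caller's environment. Worth a comment above the function: `// FIREJAIL_X11 may also be set by the caller; HAS_X11 is a hint, not proof that an X11 sandbox is active`. The same caveat applies to the `{"HAS_X11", check_x11}` table entry in the next hunk.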
@@ -157,7 +165,9 @@ Cond conditionals[] = { {"HAS_APPIMAGE", check_appimage}, + {"HAS_NET", check_netoptions}, {"HAS_NODBUS", check_nodbus}, + {"HAS_X11", check_x11}, {"BROWSER_DISABLE_U2F", check_disable_u2f}, {"BROWSER_ALLOW_DRM", check_allow_drm}, { NULL, NULL } @@ -869,8 +879,8 @@ else if (cfg.dns4 == NULL) cfg.dns4 = dns; else { - fprintf(stderr, "Error: up to 4 DNS servers can be specified\n"); - exit(1); + fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns); + free(dns); } return 0; } @@ -941,6 +951,11 @@ return 0; } + if (strcmp(ptr, "allow-debuggers") == 0) { + arg_allow_debuggers = 1; + return 0; + } + if (strcmp(ptr, "x11 none") == 0) { arg_x11_block = 1; return 0; diff -Nru firejail-0.9.60/src/firejail/pulseaudio.c firejail-0.9.62/src/firejail/pulseaudio.c --- firejail-0.9.60/src/firejail/pulseaudio.c 2019-05-17 15:49:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/pulseaudio.c 2019-12-14 13:30:32.000000000 +0000 @@ -88,7 +88,7 @@ if (mkdir(RUN_PULSE_DIR, 0700) == -1) errExit("mkdir"); // mount it nosuid, noexec, nodev - fs_noexec(RUN_PULSE_DIR); + fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0); // create the new client.conf file char *pulsecfg = NULL; @@ -155,8 +155,10 @@ if (fstatvfs(fd, &vfs) == -1) errExit("fstatvfs"); if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) - fs_rdonly(RUN_PULSE_DIR); + fs_remount(RUN_PULSE_DIR, MOUNT_READONLY, 0); // mount via the link in /proc/self/fd + if (arg_debug) + printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg); char *proc; if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) errExit("asprintf"); diff -Nru firejail-0.9.60/src/firejail/restrict_users.c firejail-0.9.62/src/firejail/restrict_users.c --- firejail-0.9.60/src/firejail/restrict_users.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/restrict_users.c 2019-12-14 13:30:32.000000000 +0000 
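Review bot: The DNS overflow handling in the profile.c -869,8 hunk is now byte-identical to the one in the main.c -2158,8 hunk earlier in this diff (`fwarning(... %s ignored ...)` followed by `free(dns)`), and so is the `cfg.dns1..dns4` slot selection above it; a shared helper such as `int cfg_add_dns(char *dns)` that takes ownership of `dns` and frees it when it cannot store it would keep the warning text and the ownership rule from diverging. Since the profile path returns 0 after the warning, callers must not expect the line to be reported as rejected. The enclosing functions start outside both hunks.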
@@ -25,9 +25,13 @@ #include #include #include -#include #include +#include +#ifndef O_PATH +# define O_PATH 010000000 +#endif + #define MAXBUF 1024 // linked list of users @@ -79,8 +83,16 @@ errExit("mkdir"); // keep a copy of the user home directory - if (mount(cfg.homedir, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("safe_fd"); + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); + free(proc); + close(fd); // mount tmpfs in the new home if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) diff -Nru firejail-0.9.60/src/firejail/sandbox.c firejail-0.9.62/src/firejail/sandbox.c --- firejail-0.9.60/src/firejail/sandbox.c 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/firejail/sandbox.c 2019-12-14 13:30:32.000000000 +0000 @@ -268,6 +268,7 @@ if (cfg.timeout) { options = WNOHANG; timeout = cfg.timeout; + sleep(1); } int status = 0; @@ -302,8 +303,11 @@ // handle --timeout if (options) { if (--timeout == 0) { + // SIGTERM might fail if the process ignores it (SIG_IGN) + // we give it 100ms to close properly and after that we SIGKILL it kill(-1, SIGTERM); - sleep(1); + usleep(100000); + kill(-1, SIGKILL); flush_stdin(); _exit(1); } @@ -574,7 +578,7 @@ force_nonewprivs = 1; // disable all capabilities - fmessage("\n** Warning: dropping all Linux capabilities **\n"); + fmessage("\n** Warning: dropping all Linux capabilities **\n\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot 
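Review bot: The bare `sleep(1);` added to the `cfg.timeout` branch in the sandbox.c -268,6 hunk has no comment, so its purpose has to be guessed, and an unconditional one-second delay on every `--timeout` run is user-visible. A why-comment is needed at that line, e.g. `// TODO(review): document why the first WNOHANG poll is delayed by one second`, replaced with the actual reason. By comparison the `kill(-1, SIGTERM); usleep(100000); kill(-1, SIGKILL);` change in the next hunk is well commented. The enclosing function starts and ends outside the hunk.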
@@ -1106,7 +1110,7 @@ (void) rv; } // make seccomp filters read-only - fs_rdonly(RUN_SECCOMP_DIR); + fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); #endif // set capabilities diff -Nru firejail-0.9.60/src/firejail/sbox.c firejail-0.9.62/src/firejail/sbox.c --- firejail-0.9.60/src/firejail/sbox.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/sbox.c 2019-12-14 13:30:32.000000000 +0000 @@ -104,7 +104,7 @@ .filter = filter, }; -int sbox_run(unsigned filter, int num, ...) { +int sbox_run(unsigned filtermask, int num, ...) { EUID_ROOT(); int i; @@ -129,22 +129,40 @@ if (child < 0) errExit("fork"); if (child == 0) { - // clean the new process + // preserve firejail-specific env vars + char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT"); + if (cl) { + // duplicate the value, who knows what's going to happen with it in clearenv! + cl = strdup(cl); + if (!cl) + errExit("strdup"); + } clearenv(); + if (cl) { + if (setenv("FIREJAIL_FILE_COPY_LIMIT", cl, 1) == -1) + errExit("setenv"); + free(cl); + } + if (arg_quiet) // --quiet is passed as an environment variable + setenv("FIREJAIL_QUIET", "yes", 1); + if (arg_debug) // --debug is passed as an environment variable + setenv("FIREJAIL_DEBUG", "yes", 1); - if (filter & SBOX_STDIN_FROM_FILE) { + if (filtermask & SBOX_STDIN_FROM_FILE) { int fd; if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE); exit(1); } - dup2(fd,STDIN_FILENO); + if (dup2(fd, STDIN_FILENO) == -1) + errExit("dup2"); close(fd); } - else if ((filter & SBOX_ALLOW_STDIN) == 0) { + else if ((filtermask & SBOX_ALLOW_STDIN) == 0) { int fd = open("/dev/null",O_RDWR, 0); if (fd != -1) { - dup2(fd, STDIN_FILENO); + if (dup2(fd, STDIN_FILENO) == -1) + errExit("dup2"); close(fd); } else // the user could run the sandbox without /dev/null 
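Review bot: In the sbox.c -129,22 hunk the `setenv("FIREJAIL_FILE_COPY_LIMIT", ...)` result is checked with `errExit` but the two `setenv` calls for `FIREJAIL_QUIET` and `FIREJAIL_DEBUG` right below ignore theirs; either all three should be checked or none, e.g. `if (setenv("FIREJAIL_QUIET", "yes", 1) == -1) errExit("setenv");`. Separately, `FIREJAIL_FILE_COPY_LIMIT` is copied from the caller's environment into the helper process without validation here; if the consumer (not visible in this diff) does not bound it, a comment recording where it is parsed and clamped would help the next reader. The function body continues in the following hunks.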
@@ -159,17 +177,17 @@ umask(027); // apply filters - if (filter & SBOX_CAPS_NONE) { + if (filtermask & SBOX_CAPS_NONE) { caps_drop_all(); } - else if (filter & SBOX_CAPS_NETWORK) { + else if (filtermask & SBOX_CAPS_NETWORK) { #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; set |= ((uint64_t) 1) << CAP_NET_RAW; caps_set(set); #endif } - else if (filter & SBOX_CAPS_HIDEPID) { + else if (filtermask & SBOX_CAPS_HIDEPID) { #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE; set |= ((uint64_t) 1) << CAP_SYS_PACCT; @@ -177,7 +195,7 @@ #endif } - if (filter & SBOX_SECCOMP) { + if (filtermask & SBOX_SECCOMP) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("prctl(NO_NEW_PRIVS)"); } @@ -186,22 +204,16 @@ } } - if (filter & SBOX_ROOT) { + if (filtermask & SBOX_ROOT) { // elevate privileges in order to get grsecurity working if (setreuid(0, 0)) errExit("setreuid"); if (setregid(0, 0)) errExit("setregid"); } - else if (filter & SBOX_USER) + else if (filtermask & SBOX_USER) drop_privs(1); - clearenv(); - - // --quiet is passed as an environment variable - if (arg_quiet) - setenv("FIREJAIL_QUIET", "yes", 1); - if (arg[0]) // get rid of scan-build warning execvp(arg[0], arg); else diff -Nru firejail-0.9.60/src/firejail/seccomp.c firejail-0.9.62/src/firejail/seccomp.c --- firejail-0.9.60/src/firejail/seccomp.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/seccomp.c 2019-12-14 13:30:32.000000000 +0000 
@@ -48,10 +48,11 @@ const char *ptr1 = str; char *ptr2 = rv; while (*ptr1 != '\0') { - if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':' || *ptr1 == '@' || *ptr1 == '-') + if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':' + || *ptr1 == '@' || *ptr1 == '-' || *ptr1 == '$' || *ptr1 == '!') *ptr2++ = *ptr1++; else { - fprintf(stderr, "Error: invalid syscall list\n"); + fprintf(stderr, "Error: invalid syscall list entry %s\n", str); exit(1); } } diff -Nru firejail-0.9.60/src/firejail/usage.c firejail-0.9.62/src/firejail/usage.c --- firejail-0.9.60/src/firejail/usage.c 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/firejail/usage.c 2019-12-14 13:30:32.000000000 +0000 @@ -66,7 +66,7 @@ #ifdef HAVE_NETWORK " --defaultgw=address - configure default gateway.\n" #endif - " --deterministic-exit-code - always exit with first childs status code.\n" + " --deterministic-exit-code - always exit with first child's status code.\n" " --dns=address - set DNS server.\n" " --dns.print=name|pid - print DNS configuration.\n" " --env=name=value - set environment variable.\n" diff -Nru firejail-0.9.60/src/firejail/util.c firejail-0.9.62/src/firejail/util.c --- firejail-0.9.60/src/firejail/util.c 2019-05-17 15:49:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/util.c 2019-12-14 13:30:32.000000000 +0000 @@ -50,7 +50,7 @@ char *msg1; char *msg2 = "Access error"; if (vasprintf(&msg1, fmt, args) != -1 && - asprintf(&msg2, "Access error: pid %d, last mount name:%s dir:%s type:%s - %s", getuid(), m->fsname, m->dir, m->fstype, msg1) != -1) + asprintf(&msg2, "Access error: uid %d, last mount name:%s dir:%s type:%s - %s", getuid(), m->fsname, m->dir, m->fstype, msg1) != -1) syslog(LOG_CRIT, "%s", msg2); va_end(args); closelog(); @@ -487,7 +487,6 @@ size_t len = strlen(buf); if (len == 0) return NULL; - assert(len + 1 != 0 && buf[len] == '\0'); // allocate memory for the new string char *rv = malloc(len + 1); 
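Review bot: The character allowlist in the seccomp.c -48,10 hunk now also accepts `$` and `!` in a syscall list, but nothing in the hunk says which list syntax needs them, and this function is the filter between user-supplied text and whatever the list is later handed to (not visible here). The intent should be recorded next to the condition, e.g. `// '!' and '$' are part of the list syntax (presumably negation and group names — confirm against the parser); keep this allowlist in sync with it`. Echoing the whole `str` in the error is helpful; printing the offending character too, `*ptr1`, would make long lists easier to debug. The enclosing function starts outside the hunk.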
@@ -554,15 +553,13 @@ char *clean_pathname(const char *path) { assert(path); size_t len = strlen(path); - assert(len + 1 != 0 && path[len] == '\0'); - char *rv = malloc(len + 1); if (!rv) errExit("malloc"); if (len > 0) { - size_t i, j, cnt; - for (i = 0, j = 0, cnt = 0; i < len; i++) { + size_t i = 0, j = 0, cnt = 0; + for (; i < len; i++) { if (path[i] == '/') cnt++; else @@ -1114,10 +1111,10 @@ } void disable_file_or_dir(const char *fname) { - if (arg_debug) - printf("blacklist %s\n", fname); struct stat s; if (stat(fname, &s) != -1) { + if (arg_debug) + printf("blacklist %s\n", fname); if (is_dir(fname)) { if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) errExit("disable directory"); @@ -1126,8 +1123,8 @@ if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) errExit("disable file"); } + fs_logger2("blacklist", fname); } - fs_logger2("blacklist", fname); } void disable_file_path(const char *path, const char *file) { 
@@ -1142,73 +1139,64 @@ free(fname); } -// The returned file descriptor should be suitable for privileged operations on -// user controlled paths +// open file without following any symbolic link +// returns a file descriptor on success, or -1 if a symlink is found int safe_fd(const char *path, int flags) { assert(path); - - // reject empty string, relative path if (*path != '/') goto errexit; - // reject ".." if (strstr(path, "..")) goto errexit; - char *p = strrchr(path, '/'); - assert(p); - // reject trailing slash, root directory - if (*(p + 1) == '\0') - goto errexit; - // reject trailing dot - if (*(p + 1) == '.' && *(p + 2) == '\0') - goto errexit; - - // work with a copy of path - char *dup = strdup(path); - if (!dup) - errExit("strdup"); int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC); if (parentfd == -1) errExit("open"); - - // traverse the path and return -1 if a symlink is encountered int fd = -1; - char *current_tok = EMPTY_STRING; + + char *last_tok = EMPTY_STRING; + char *dup = strdup(path); + if (!dup) + errExit("strdup"); char *tok = strtok(dup, "/"); - assert(tok); - while (tok) { + if (!tok) { // root directory + free(dup); + return parentfd; + } + + while(1) { // open the element, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link + // if token is a single dot, the previous directory is reopened fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { // if the following token is NULL, the current token is the final path element // try again to open it, this time using the passed flags, and return -1 or the descriptor - current_tok = tok; + last_tok = tok; tok = strtok(NULL, "/"); if (!tok) - fd = openat(parentfd, current_tok, flags|O_NOFOLLOW); + fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); close(parentfd); free(dup); return fd; // -1 if open failed } // move on to next path segment - current_tok = tok; + last_tok = tok; tok = strtok(NULL, "/"); - if (tok) { - close(parentfd); - 
parentfd = fd; - } + if (!tok) + break; + close(parentfd); + parentfd = fd; } // we are here because the last path element exists and is of file type directory // reopen it using the passed flags close(fd); - fd = openat(parentfd, current_tok, flags|O_NOFOLLOW); + fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); close(parentfd); free(dup); return fd; // -1 if open failed errexit: - fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path); + fprintf(stderr, "Error: cannot open \"%s\": invalid path\n", path); exit(1); } @@ -1288,14 +1276,13 @@ char buf[BUFLEN]; while (fgets(buf, BUFLEN, fp)) { if (strncmp(buf, "SigCgt:", 7) == 0) { - char *ptr = buf + 7; unsigned long long val; - if (sscanf(ptr, "%llx", &val) != 1) { + if (sscanf(buf + 7, "%llx", &val) != 1) { fprintf(stderr, "Error: cannot read /proc file\n"); exit(1); } val >>= (signal - 1); - val &= 1; + val &= 1ULL; fclose(fp); return val; // 1 if process has a handler for the signal, else 0 } diff -Nru firejail-0.9.60/src/firejail/x11.c firejail-0.9.62/src/firejail/x11.c --- firejail-0.9.60/src/firejail/x11.c 2019-05-17 15:49:59.000000000 +0000 +++ firejail-0.9.62/src/firejail/x11.c 2019-12-14 13:30:32.000000000 +0000 @@ -210,7 +210,7 @@ setenv("FIREJAIL_X11", "yes", 1); - // mever try to run X servers as root!!! + // never try to run X servers as root!!! if (getuid() == 0) { fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); exit(1); @@ -222,6 +222,7 @@ fprintf(stderr, "\nError: Xvfb program was not found in /usr/bin directory, please install it:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xvfb\n"); fprintf(stderr, " Arch: sudo pacman -S xorg-server-xvfb\n"); + fprintf(stderr, " Fedora: sudo dnf install xorg-x11-server-Xvfb\n"); exit(0); } @@ -310,7 +311,7 @@ if (arg_debug) { size_t i = 0; - printf("\n*** Stating xvfb client:"); + printf("\n*** Starting xvfb client:"); while (jail_argv[i]!=NULL) { printf(" \"%s\"", jail_argv[i]); i++; 
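Review bot: The rewritten `safe_fd()` (hunk -1142,73, which starts on the previous line) now accepts `/`, but the early `return parentfd;` for that case hands back the descriptor opened with `O_PATH|O_DIRECTORY|O_CLOEXEC` and ignores the caller's `flags`, whereas every other path reopens the final element with `flags|O_NOFOLLOW`; a caller passing e.g. `O_RDONLY` would get an O_PATH fd it cannot read from. Reopening keeps the contract uniform: in the `if (!tok)` branch replace `return parentfd;` with `fd = openat(parentfd, ".", flags|O_NOFOLLOW); close(parentfd); return fd;`. The deleted trailing-slash/trailing-dot/root rejections were what kept `/` out before, so any caller that relied on `/` being refused now has to enforce that itself. The new header comment `-1 if a symlink is found` also understates the contract — `-1` is returned for any openat failure with errno set, as the inline comments already say — so it should read `or -1 (errno set) if the path cannot be opened without following a symbolic link`.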
@@ -441,6 +442,7 @@ fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n"); + fprintf(stderr, " Fedora: sudo dnf install xorg-x11-server-Xephyr\n"); exit(0); } @@ -838,7 +840,7 @@ if (arg_debug) { if (n == 10) - printf("failed to stop xpra server gratefully\n"); + printf("failed to stop xpra server gracefully\n"); else printf("xpra server successfully stopped in %d secs\n", n); } @@ -893,9 +895,9 @@ strcpy(start_child,start_child_prefix); for(i = 0; (unsigned) i < fpos; i++) { - strncat(start_child,firejail_argv[i],strlen(firejail_argv[i])); + strcat(start_child,firejail_argv[i]); if((unsigned) i != fpos - 1) - strncat(start_child," ",strlen(" ")); + strcat(start_child," "); } server_argv[spos++] = start_child; @@ -1023,6 +1025,8 @@ if (!program_in_path("xpra")) { fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); + fprintf(stderr, " Arch: sudo pacman -S xpra\n"); + fprintf(stderr, " Fedora: sudo dnf install xpra\n"); exit(0); } @@ -1056,6 +1060,10 @@ fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); + fprintf(stderr, " Arch: sudo pacman -S xpra\n"); + fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n"); + fprintf(stderr, " Fedora: sudo dnf install xpra\n"); + fprintf(stderr, " Fedora: sudo dnf install xorg-x11-server-Xephyr\n"); exit(0); } } 
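Review bot: Replacing `strncat(start_child, firejail_argv[i], strlen(firejail_argv[i]))` with `strcat` in the x11.c -893,9 hunk is behaviourally identical (a bound equal to the source length bounds nothing), but it also removes the last visual hint that the destination size matters, and `start_child` is allocated outside the hunk so the bound cannot be verified here. A comment at the loop would record the invariant the code relies on, e.g. `// start_child was sized for start_child_prefix plus all of firejail_argv[0..fpos) with separators`, assuming that is how it is allocated — please confirm. The enclosing function starts and ends outside the hunk.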
@@ -1086,8 +1094,10 @@ // check xauth utility is present in the system struct stat s; if (stat("/usr/bin/xauth", &s) == -1) { - fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n" - " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); + fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"); + fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); + fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); + fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); exit(1); } if (s.st_uid != 0 && s.st_gid != 0) { @@ -1128,8 +1138,14 @@ #ifdef HAVE_GCOV __gcov_flush(); #endif - execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, + if (arg_debug) { + execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); + } + else { + execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, + "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); + } _exit(127); } @@ -1169,7 +1185,7 @@ umount("/tmp"); // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid - fs_noexec(RUN_XAUTHORITY_SEC_FILE); + fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0); // Ensure there is already a file in the usual location, so that bind-mount below will work. char *dest; @@ -1202,9 +1218,11 @@ if (fstatvfs(fd, &vfs) == -1) errExit("fstatvfs"); if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) - fs_rdonly(RUN_XAUTHORITY_SEC_FILE); + fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY, 0); // mount via the link in /proc/self/fd + if (arg_debug) + printf("Mounting %s on %s\n", RUN_XAUTHORITY_SEC_FILE, dest); char *proc; if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) errExit("asprintf"); 
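Review bot: The two `execlp` calls in the x11.c -1128,8 hunk differ only in the `-v` argument, so the full xauth command line is now maintained twice and the next argument change has to be made in both. Building the argv once, inserting `-v` only when `arg_debug` is set, and calling `execv` keeps the command in one place (adjust the element type if `display` or `tmpfname` is `const`). The `_exit(127)` that follows is only reached when exec fails, which deserves its own comment. The function starts and ends outside the hunk.
```c
	// build the command line once; -v is only inserted when debugging
	char *xauth_argv[9];
	int n = 0;
	xauth_argv[n++] = "/usr/bin/xauth";
	if (arg_debug)
		xauth_argv[n++] = "-v";
	xauth_argv[n++] = "-f";
	xauth_argv[n++] = tmpfname;
	xauth_argv[n++] = "generate";
	xauth_argv[n++] = display;
	xauth_argv[n++] = "MIT-MAGIC-COOKIE-1";
	xauth_argv[n++] = "untrusted";
	xauth_argv[n] = NULL;
	execv("/usr/bin/xauth", xauth_argv);
	_exit(127); // only reached if exec failed
```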
@@ -1220,6 +1238,20 @@ errLogExit("invalid .Xauthority mount"); ASSERT_PERMS(dest, getuid(), getgid(), 0600); + + // blacklist .Xauthority file if it is not masked already + char *envar = getenv("XAUTHORITY"); + if (envar) { + char *rp = realpath(envar, NULL); + if (rp) { + if (strcmp(rp, dest) != 0) + disable_file_or_dir(rp); + free(rp); + } + } + // set environment variable + if (setenv("XAUTHORITY", dest, 1) < 0) + errExit("setenv"); free(dest); #endif } @@ -1231,11 +1263,22 @@ if (display <= 0) return; + struct stat s1, s2; + if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0) + return; + if ((s1.st_mode & S_ISVTX) == 0) { + fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n"); + return; + } + if (s2.st_uid != 0) { + fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n"); + return; + } char *x11file; if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) errExit("asprintf"); struct stat x11stat; - if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) { + if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) { free(x11file); return; } @@ -1246,12 +1289,8 @@ // Move the real /tmp/.X11-unix to a scratch location // so we can still access x11file after we mount a // tmpfs over /tmp/.X11-unix. - int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700); - if (rv == -1) + if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1) errExit("mkdir"); - if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700)) - errExit("set_perms"); - if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) errExit("mount bind"); 
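Review bot: In the x11.c -1231,11 hunk the new sticky-bit and ownership checks on `/tmp` and `/tmp/.X11-unix` `return` after an `fwarning`, so when either condition fails the function proceeds without masking any X11 socket and the sandbox sees every display socket — the opposite of what the caller asked for. Failing closed (`exit(1)`, or at least wording the warning as "X11 sockets remain visible in the sandbox") would match the rest of the setup code, which uses `errExit` for comparable conditions; if fail-open is deliberate, a comment saying why is needed. The switch to `lstat()` for `x11file` is a good change. The enclosing function starts and ends outside the hunk.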
@@ -1270,21 +1309,36 @@ errExit("fchown"); close(fd); - // do the mount + // the mount source is under control of the user, so be careful and + // mount without following symbolic links, using a file descriptor char *wx11file; if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) errExit("asprintf"); - if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) + fd = safe_fd(wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + errExit("opening X11 socket"); + // confirm once more we are mounting a socket + if (fstat(fd, &x11stat) == -1) + errExit("fstat"); + if (!S_ISSOCK(x11stat.st_mode)) { + errno = ENOTSOCK; + errExit("mounting X11 socket"); + } + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); fs_logger2("whitelist", x11file); - - free(x11file); - free(wx11file); + close(fd); + free(proc); // block access to RUN_WHITELIST_X11_DIR if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) errExit("mount"); fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); + free(wx11file); + free(x11file); #endif } 
@@ -1303,12 +1357,18 @@ } // blacklist sockets - profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); - profile_add(strdup("blacklist /tmp/.X11-unix")); + char *cmd = strdup("blacklist /tmp/.X11-unix"); + if (!cmd) + errExit("strdup"); + profile_check_line(cmd, 0, NULL); + profile_add(cmd); // blacklist .Xauthority - profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL); - profile_add(strdup("blacklist ${HOME}/.Xauthority")); + cmd = strdup("blacklist ${HOME}/.Xauthority"); + if (!cmd) + errExit("strdup"); + profile_check_line(cmd, 0, NULL); + profile_add(cmd); char *xauthority = getenv("XAUTHORITY"); if (xauthority) { char *line; diff -Nru firejail-0.9.60/src/firemon/firemon.c firejail-0.9.62/src/firemon/firemon.c --- firejail-0.9.60/src/firemon/firemon.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firemon/firemon.c 2019-12-14 13:30:32.000000000 +0000 @@ -26,6 +26,7 @@ #include pid_t skip_process = 0; +int arg_debug = 0; static int arg_route = 0; static int arg_arp = 0; static int arg_tree = 0; @@ -83,7 +84,9 @@ return i; } - return -1; + // if a second child is not found, return the first child pid + // this happens for processes sandboxed with --join + return first_child; } // sleep and wait for a key to be pressed @@ -140,7 +143,8 @@ printf("firemon version %s\n\n", VERSION); return 0; } - + else if (strcmp(argv[i], "--debug") == 0) + arg_debug = 1; // options without a pid argument else if (strcmp(argv[i], "--top") == 0) arg_top = 1; diff -Nru firejail-0.9.60/src/firemon/firemon.h firejail-0.9.62/src/firemon/firemon.h --- firejail-0.9.60/src/firemon/firemon.h 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firemon/firemon.h 2019-12-14 13:30:32.000000000 +0000 
@@ -29,6 +29,9 @@ #include "../include/pid.h" #include "../include/common.h" +// main.c +extern int arg_debug; + // clear screen static inline void firemon_clrscr(void) { printf("\033[2J\033[1;1H"); diff -Nru firejail-0.9.60/src/firemon/Makefile.in firejail-0.9.62/src/firemon/Makefile.in --- firejail-0.9.60/src/firemon/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firemon/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -8,7 +8,7 @@ firemon: $(OBJS) ../lib/common.o ../lib/pid.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o firemon *.gcov *.gcda *.gcno +clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/firemon/procevent.c firejail-0.9.62/src/firemon/procevent.c --- firejail-0.9.60/src/firemon/procevent.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firemon/procevent.c 2019-12-14 13:30:32.000000000 +0000 @@ -173,6 +173,20 @@ if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto errexit; + // set a large socket rx buffer + // the regular default value as set in /proc/sys/net/core/rmem_default will fill the + // buffer much quicker than we can process it + int bsize = 1024 * 1024; // 1MB + socklen_t blen = sizeof(int); + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUFFORCE, &bsize, blen) == -1) + fprintf(stderr, "Warning: cannot set rx buffer size, using default system value\n"); + else if (arg_debug) { + if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &bsize, &blen) == -1) + fprintf(stderr, "Error: cannot read rx buffer size\n"); + else + printf("rx buffer size %d\n", bsize / 2); // the value returned is duble the real one, see man 7 socket + } + // send monitoring message struct nlmsghdr nlmsghdr; memset(&nlmsghdr, 0, sizeof(nlmsghdr)); 
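Review bot: The comment above the new `extern int arg_debug;` in firemon.h says `// main.c`, but the definition added in this diff is `int arg_debug = 0;` in firemon.c, so the pointer sends the reader to the wrong file; write it as `// firemon.c`. If firemon has no main.c at all this is simply a copy from another header, which is worth checking before it spreads.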
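Review bot: In the procevent.c hunk, when `SO_RCVBUFFORCE` fails (it requires CAP_NET_ADMIN) the code falls back to the default buffer without trying the unprivileged `SO_RCVBUF`, which is capped by `net.core.rmem_max` but normally still well above the default; `if (setsockopt(sock, SOL_SOCKET, SO_RCVBUFFORCE, &bsize, blen) == -1 && setsockopt(sock, SOL_SOCKET, SO_RCVBUF, &bsize, blen) == -1)` keeps the existing warning for the case where both fail. Whether firemon ever reaches this code without CAP_NET_ADMIN is not visible here. The comment on the debug printf has a typo, `duble` → `double`. The enclosing function starts and ends outside the hunk.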
@@ -244,14 +258,19 @@ } - if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) { + if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) return 0; - } if (len == -1) { - if (errno == EINTR) { - return 0; - } else { - fprintf(stderr,"recv: %s\n", strerror(errno)); + if (errno == EINTR) + continue; + else if (errno == ENOBUFS) { + // rx buffer is full, the kernel started dropping messages + printf("*** Waning *** - message burst received, not all events are printed\n"); +//return -1; + continue; + } + else { + fprintf(stderr,"Error: rx socket recv call, errno %d, %s\n", errno, strerror(errno)); return -1; } } diff -Nru firejail-0.9.60/src/firemon/usage.c firejail-0.9.62/src/firemon/usage.c --- firejail-0.9.60/src/firemon/usage.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/firemon/usage.c 2019-12-14 13:30:32.000000000 +0000 @@ -31,6 +31,7 @@ "\t--caps - print capabilities configuration for each sandbox.\n\n" "\t--cgroup - print control group information for each sandbox.\n\n" "\t--cpu - print CPU affinity for each sandbox.\n\n" + "\t--debug - print debug messages.\n\n" "\t--help, -? - this help screen.\n\n" "\t--interface - print network interface information for each sandbox.\n\n" "\t--list - list all sandboxes.\n\n" diff -Nru firejail-0.9.60/src/fldd/Makefile.in firejail-0.9.62/src/fldd/Makefile.in --- firejail-0.9.60/src/fldd/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fldd/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -8,7 +8,7 @@ fldd: $(OBJS) ../lib/ldd_utils.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fldd *.gcov *.gcda *.gcno +clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/fnet/Makefile.in firejail-0.9.62/src/fnet/Makefile.in --- firejail-0.9.60/src/fnet/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fnet/Makefile.in 2019-12-14 13:30:32.000000000 +0000 
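Review bot: In the procevent.c `recv` hunk the ENOBUFS diagnostic is printed to stdout with a misspelled prefix, `*** Waning ***`, while the neighbouring recv error goes to stderr; write it as `fprintf(stderr, "Warning: rx buffer overflow, some events were dropped by the kernel\n");` so that anything consuming firemon's stdout (piped event listings) does not get it mixed into the data. The commented-out `//return -1;` at column 0 is dead code; either remove it or replace it with a comment stating why the loop keeps going after a drop. The loop this code sits in starts outside the hunk.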
@@ -8,7 +8,7 @@ fnet: $(OBJS) ../lib/libnetlink.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fnet *.gcov *.gcda *.gcno +clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/fnetfilter/Makefile.in firejail-0.9.62/src/fnetfilter/Makefile.in --- firejail-0.9.60/src/fnetfilter/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fnetfilter/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -8,7 +8,7 @@ fnetfilter: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fnetfilter *.gcov *.gcda *.gcno +clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/fseccomp/fseccomp.h firejail-0.9.62/src/fseccomp/fseccomp.h --- firejail-0.9.60/src/fseccomp/fseccomp.h 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fseccomp/fseccomp.h 2019-12-14 13:30:32.000000000 +0000 @@ -52,7 +52,9 @@ void write_to_file(int fd, const void *data, int size); void filter_init(int fd); void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg); +void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg); void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg); +void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg); void filter_add_errno(int fd, int syscall, int arg, void *ptrarg); void filter_end_blacklist(int fd); void filter_end_whitelist(int fd); diff -Nru firejail-0.9.60/src/fseccomp/Makefile.in firejail-0.9.62/src/fseccomp/Makefile.in --- firejail-0.9.60/src/fseccomp/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fseccomp/Makefile.in 2019-12-14 13:30:32.000000000 +0000 
@@ -8,7 +8,7 @@ fseccomp: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno +clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/fseccomp/seccomp.c firejail-0.9.62/src/fseccomp/seccomp.c --- firejail-0.9.60/src/fseccomp/seccomp.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fseccomp/seccomp.c 2019-12-14 13:30:32.000000000 +0000 @@ -80,6 +80,10 @@ // build pre-exec filter: don't blacklist any syscalls in @default-keep filter_init(fd); + + // allow exceptions in form of !syscall + syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL); + char *prelist, *postlist; syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); if (prelist) @@ -128,6 +132,10 @@ // build pre-exec filter: blacklist @default, don't blacklist // any listed syscalls in @default-keep filter_init(fd); + + // allow exceptions in form of !syscall + syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL); + add_default_list(fd, allow_debuggers); char *prelist, *postlist; syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); @@ -175,6 +183,10 @@ // build pre-exec filter: whitelist also @default-keep filter_init(fd); + + // allow exceptions in form of !syscall + syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL); + // these syscalls are used by firejail after the seccomp filter is initialized int r; r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL); diff -Nru firejail-0.9.60/src/fseccomp/seccomp_file.c firejail-0.9.62/src/fseccomp/seccomp_file.c --- firejail-0.9.60/src/fseccomp/seccomp_file.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fseccomp/seccomp_file.c 2019-12-14 13:30:32.000000000 +0000 
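Review bot: The three new `syscall_check_list(list, filter_add_*_for_excluded, fd, 0, NULL)` calls in the seccomp.c hunks discard the function's return value, whereas the existing `@default-keep` call visible as context in the third hunk stores it in `r`; if a non-zero return signals an unresolved name, a mistyped `!syscall` exception is silently ignored and the resulting filter is stricter or looser than the profile author intended. Check the result the same way the `@default-keep` call does, e.g. `if (syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL)) { /* same handling as for r below */ }`. What the return value actually means is not visible in these hunks.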
@@ -60,26 +60,58 @@ write_to_file(fd, filter, sizeof(filter)); } -void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) { - (void) arg; - (void) ptrarg; - +static void write_whitelist(int fd, int syscall) { struct sock_filter filter[] = { WHITELIST(syscall) }; write_to_file(fd, filter, sizeof(filter)); } -void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) { - (void) arg; - (void) ptrarg; - +static void write_blacklist(int fd, int syscall) { struct sock_filter filter[] = { BLACKLIST(syscall) }; write_to_file(fd, filter, sizeof(filter)); } +void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) { + (void) arg; + (void) ptrarg; + + if (syscall >= 0) { + write_whitelist(fd, syscall); + } +} + +// handle seccomp list exceptions (seccomp x,y,!z) +void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { + (void) arg; + (void) ptrarg; + + if (syscall < 0) { + write_whitelist(fd, -syscall); + } +} + +void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) { + (void) arg; + (void) ptrarg; + + if (syscall >= 0) { + write_blacklist(fd, syscall); + } +} + +// handle seccomp list exceptions (seccomp x,y,!z) +void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { + (void) arg; + (void) ptrarg; + + if (syscall < 0) { + write_blacklist(fd, -syscall); + } +} + void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) { (void) ptrarg; struct sock_filter filter[] = { diff -Nru firejail-0.9.60/src/fseccomp/syscall.c firejail-0.9.62/src/fseccomp/syscall.c --- firejail-0.9.60/src/fseccomp/syscall.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fseccomp/syscall.c 2019-12-14 13:30:32.000000000 +0000 
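Review bot: Encoding an exclusion as a negative syscall number in `filter_add_whitelist_for_excluded` and `filter_add_blacklist_for_excluded` cannot represent syscall 0 (`read` on x86_64, `restart_syscall` on i386 and arm): `-0 == 0`, so a `!read` produced by the syscall.c parser later in this diff is handled by `filter_add_whitelist`/`filter_add_blacklist` as an ordinary entry and the exclusion is silently lost, and the `abs(syscall)` comparison in the syscall.c found-callback hunk has the same blind spot. Use an offset encoding such as `-(syscall + 1)` at the producer and `-syscall - 1` in the two `_for_excluded` callbacks and the `abs()` comparison, or reject `!` on syscall 0 with an explicit error. The parser also hands the negated number to `filter_add_errno()` when a `!name:errno` entry carries an errno; whether that function copes with a negative syscall is not visible here.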
@@ -50,6 +50,99 @@ }; // end of syslist static const SyscallGroupList sysgroups[] = { + { .name = "@aio", .list = +#ifdef SYS_io_cancel + "io_cancel," +#endif +#ifdef SYS_io_destroy + "io_destroy," +#endif +#ifdef SYS_io_getevents + "io_getevents," +#endif +#ifdef SYS_io_pgetevents + "io_pgetevents," +#endif +#ifdef SYS_io_setup + "io_setup," +#endif +#ifdef SYS_io_submit + "io_submit" +#endif + }, + { .name = "@basic-io", .list = +#ifdef SYS__llseek + "_llseek," +#endif +#ifdef SYS_close + "close," +#endif +#ifdef SYS_dup + "dup," +#endif +#ifdef SYS_dup2 + "dup2," +#endif +#ifdef SYS_dup3 + "dup3," +#endif +#ifdef SYS_lseek + "lseek," +#endif +#ifdef SYS_pread64 + "pread64," +#endif +#ifdef SYS_preadv + "preadv," +#endif +#ifdef SYS_preadv2 + "preadv2," +#endif +#ifdef SYS_pwrite64 + "pwrite64," +#endif +#ifdef SYS_pwritev + "pwritev," +#endif +#ifdef SYS_pwritev2 + "pwritev2," +#endif +#ifdef SYS_read + "read," +#endif +#ifdef SYS_readv + "readv," +#endif +#ifdef SYS_write + "write," +#endif +#ifdef SYS_writev + "writev" +#endif + }, + { .name = "@chown", .list = +#ifdef SYS_chown + "chown," +#endif +#ifdef SYS_chown32 + "chown32," +#endif +#ifdef SYS_fchown + "fchown," +#endif +#ifdef SYS_fchown32 + "fchown32," +#endif +#ifdef SYS_fchownat + "fchownat," +#endif +#ifdef SYS_lchown + "lchown," +#endif +#ifdef SYS_lchown32 + "lchown32" +#endif + }, { .name = "@clock", .list = #ifdef SYS_adjtimex "adjtimex," @@ -108,11 +201,14 @@ #endif }, { .name = "@default", .list = + "@clock," "@cpu-emulation," "@debug," + "@module," "@obsolete," - "@privileged," - "@resources," + "@raw-io," + "@reboot," + "@swap," #ifdef SYS_open_by_handle_at "open_by_handle_at," #endif @@ -140,6 +236,15 @@ #ifdef SYS_request_key "request_key," #endif +#ifdef SYS_mbind + "mbind," +#endif +#ifdef SYS_migrate_pages + "migrate_pages," +#endif +#ifdef SYS_move_pages + "move_pages," +#endif #ifdef SYS_keyctl "keyctl," #endif 
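Review bot: The `@default` group in the `@@ -108,11 +201,14 @@` hunk drops the `@privileged` and `@resources` references and lists a subset of their members individually instead (the `mbind`/`migrate_pages`/`move_pages` lines in the next hunk and the `acct`…`vhangup` lines later in this file), but nothing in the hunk records why, and `@privileged` is enlarged elsewhere in this diff with `capset`, `quotactl`, `fanotify_init` and the setuid family, none of which is in `@default`. Presumably those break too many programs to be blocked by default; a short comment above the list such as `// @privileged and @resources are not included as a whole: some of their members are needed by common programs; the ones worth blocking by default are listed individually below` would make the policy auditable. Confirm that the omission of `capset` and `quotactl` from `@default` is intended rather than an artefact of the inlining.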
@@ -161,6 +266,9 @@ #ifdef SYS_remap_file_pages "remap_file_pages," #endif +#ifdef SYS_set_mempolicy + "set_mempolicy" +#endif #ifdef SYS_vmsplice "vmsplice," #endif @@ -170,6 +278,36 @@ #ifdef SYS_userfaultfd "userfaultfd," #endif +#ifdef SYS_acct + "acct," +#endif +#ifdef SYS_bpf + "bpf," +#endif +#ifdef SYS_chroot + "chroot," +#endif +#ifdef SYS_mount + "mount," +#endif +#ifdef SYS_nfsservctl + "nfsservctl," +#endif +#ifdef SYS_pivot_root + "pivot_root," +#endif +#ifdef SYS_setdomainname + "setdomainname," +#endif +#ifdef SYS_sethostname + "sethostname," +#endif +#ifdef SYS_umount2 + "umount2," +#endif +#ifdef SYS_vhangup + "vhangup" +#endif //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem // "mincore" //#endif 
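Review bot: In the `@@ -161,6 +266,9 @@` hunk the new `"set_mempolicy"` literal has no trailing comma and is followed by the context element `"vmsplice,"`, so on any build where both `SYS_set_mempolicy` and `SYS_vmsplice` are defined the adjacent string literals concatenate into the single name `set_mempolicyvmsplice`; the parser's `if (syscall_nr == -1) {;}` branch later in this diff then drops the unknown name silently, and neither set_mempolicy nor vmsplice ends up in the @default filter. Change the literal to `"set_mempolicy,"`. Every other non-final element in these lists carries the comma, which is what makes this one easy to miss.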
@@ -190,6 +328,382 @@ "execve," "prctl" }, + { .name = "@file-system", .list = +#ifdef SYS_access + "access," +#endif +#ifdef SYS_chdir + "chdir," +#endif +#ifdef SYS_chmod + "chmod," +#endif +#ifdef SYS_close + "close," +#endif +#ifdef SYS_creat + "creat," +#endif +#ifdef SYS_faccessat + "faccessat," +#endif +#ifdef SYS_fallocate + "fallocate," +#endif +#ifdef SYS_fchdir + "fchdir," +#endif +#ifdef SYS_fchmod + "fchmod," +#endif +#ifdef SYS_fchmodat + "fchmodat," +#endif +#ifdef SYS_fcntl + "fcntl," +#endif +#ifdef SYS_fcntl64 + "fcntl64," +#endif +#ifdef SYS_fgetxattr + "fgetxattr," +#endif +#ifdef SYS_flistxattr + "flistxattr," +#endif +#ifdef SYS_fremovexattr + "fremovexattr," +#endif +#ifdef SYS_fsetxattr + "fsetxattr," +#endif +#ifdef SYS_fstat + "fstat," +#endif +#ifdef SYS_fstat64 + "fstat64," +#endif +#ifdef SYS_fstatat64 + "fstatat64," +#endif +#ifdef SYS_fstatfs + "fstatfs," +#endif +#ifdef SYS_fstatfs64 + "fstatfs64," +#endif +#ifdef SYS_ftruncate + "ftruncate," +#endif +#ifdef SYS_ftruncate64 + "ftruncate64," +#endif +#ifdef SYS_futimesat + "futimesat," +#endif +#ifdef SYS_getcwd + "getcwd," +#endif +#ifdef SYS_getdents + "getdents," +#endif +#ifdef SYS_getdents64 + "getdents64," +#endif +#ifdef SYS_getxattr + "getxattr," +#endif +#ifdef SYS_inotify_add_watch + "inotify_add_watch," +#endif +#ifdef SYS_inotify_init + "inotify_init," +#endif +#ifdef SYS_inotify_init1 + "inotify_init1," +#endif +#ifdef SYS_inotify_rm_watch + "inotify_rm_watch," +#endif +#ifdef SYS_lgetxattr + "lgetxattr," +#endif +#ifdef SYS_link + "link," +#endif +#ifdef SYS_linkat + "linkat," +#endif +#ifdef SYS_listxattr + "listxattr," +#endif +#ifdef SYS_llistxattr + "llistxattr," +#endif +#ifdef SYS_lremovexattr + "lremovexattr," +#endif +#ifdef SYS_lsetxattr + "lsetxattr," +#endif +#ifdef SYS_lstat + "lstat," +#endif +#ifdef SYS_lstat64 + "lstat64," +#endif +#ifdef SYS_mkdir + "mkdir," +#endif +#ifdef SYS_mkdirat + "mkdirat," +#endif +#ifdef SYS_mknod + "mknod," +#endif +#ifdef 
SYS_mknodat + "mknodat," +#endif +#ifdef SYS_mmap + "mmap," +#endif +#ifdef SYS_mmap2 + "mmap2," +#endif +#ifdef SYS_munmap + "munmap," +#endif +#ifdef SYS_newfstatat + "newfstatat," +#endif +#ifdef SYS_oldfstat + "oldfstat," +#endif +#ifdef SYS_oldlstat + "oldlstat," +#endif +#ifdef SYS_oldstat + "oldstat," +#endif +#ifdef SYS_open + "open," +#endif +#ifdef SYS_openat + "openat," +#endif +#ifdef SYS_readlink + "readlink," +#endif +#ifdef SYS_readlinkat + "readlinkat," +#endif +#ifdef SYS_removexattr + "removexattr," +#endif +#ifdef SYS_rename + "rename," +#endif +#ifdef SYS_renameat + "renameat," +#endif +#ifdef SYS_renameat2 + "renameat2," +#endif +#ifdef SYS_rmdir + "rmdir," +#endif +#ifdef SYS_setxattr + "setxattr," +#endif +#ifdef SYS_stat + "stat," +#endif +#ifdef SYS_stat64 + "stat64," +#endif +#ifdef SYS_statfs + "statfs," +#endif +#ifdef SYS_statfs64 + "statfs64," +#endif +#ifdef SYS_statx + "statx," +#endif +#ifdef SYS_symlink + "symlink," +#endif +#ifdef SYS_symlinkat + "symlinkat," +#endif +#ifdef SYS_truncate + "truncate," +#endif +#ifdef SYS_truncate64 + "truncate64," +#endif +#ifdef SYS_unlink + "unlink," +#endif +#ifdef SYS_unlinkat + "unlinkat," +#endif +#ifdef SYS_utime + "utime," +#endif +#ifdef SYS_utimensat + "utimensat," +#endif +#ifdef SYS_utimes + "utimes" +#endif + }, + { .name = "@io-event", .list = +#ifdef SYS__newselect + "_newselect," +#endif +#ifdef SYS_epoll_create + "epoll_create," +#endif +#ifdef SYS_epoll_create1 + "epoll_create1," +#endif +#ifdef SYS_epoll_ctl + "epoll_ctl," +#endif +#ifdef SYS_epoll_ctl_old + "epoll_ctl_old," +#endif +#ifdef SYS_epoll_pwait + "epoll_pwait," +#endif +#ifdef SYS_epoll_wait + "epoll_wait," +#endif +#ifdef SYS_epoll_wait_old + "epoll_wait_old," +#endif +#ifdef SYS_eventfd + "eventfd," +#endif +#ifdef SYS_eventfd2 + "eventfd2," +#endif +#ifdef SYS_poll + "poll," +#endif +#ifdef SYS_ppoll + "ppoll," +#endif +#ifdef SYS_pselect6 + "pselect6," +#endif +#ifdef SYS_select + "select" +#endif + }, + { .name 
= "@ipc", .list = +#ifdef SYS_ipc + "ipc," +#endif +#ifdef SYS_memfd_create + "memfd_create," +#endif +#ifdef SYS_mq_getsetattr + "mq_getsetattr," +#endif +#ifdef SYS_mq_notify + "mq_notify," +#endif +#ifdef SYS_mq_open + "mq_open," +#endif +#ifdef SYS_mq_timedreceive + "mq_timedreceive," +#endif +#ifdef SYS_mq_timedsend + "mq_timedsend," +#endif +#ifdef SYS_mq_unlink + "mq_unlink," +#endif +#ifdef SYS_msgctl + "msgctl," +#endif +#ifdef SYS_msgget + "msgget," +#endif +#ifdef SYS_msgrcv + "msgrcv," +#endif +#ifdef SYS_msgsnd + "msgsnd," +#endif +#ifdef SYS_pipe + "pipe," +#endif +#ifdef SYS_pipe2 + "pipe2," +#endif +#ifdef SYS_process_vm_readv + "process_vm_readv," +#endif +#ifdef SYS_process_vm_writev + "process_vm_writev," +#endif +#ifdef SYS_semctl + "semctl," +#endif +#ifdef SYS_semget + "semget," +#endif +#ifdef SYS_semop + "semop," +#endif +#ifdef SYS_semtimedop + "semtimedop," +#endif +#ifdef SYS_shmat + "shmat," +#endif +#ifdef SYS_shmctl + "shmctl," +#endif +#ifdef SYS_shmdt + "shmdt," +#endif +#ifdef SYS_shmget + "shmget" +#endif + }, + { .name = "@keyring", .list = +#ifdef SYS_add_key + "add_key," +#endif +#ifdef SYS_keyctl + "keyctl," +#endif +#ifdef SYS_request_key + "request_key" +#endif + }, + { .name = "@memlock", .list = +#ifdef SYS_mlock + "mlock," +#endif +#ifdef SYS_mlock2 + "mlock2," +#endif +#ifdef SYS_mlockall + "mlockall," +#endif +#ifdef SYS_munlock + "munlock," +#endif +#ifdef SYS_munlockall + "munlockall" +#endif + }, { .name = "@module", .list = #ifdef SYS_delete_module "delete_module," 
@@ -201,6 +715,88 @@ "init_module" #endif }, + { .name = "@mount", .list = +#ifdef SYS_chroot + "chroot," +#endif +#ifdef SYS_mount + "mount," +#endif +#ifdef SYS_pivot_root + "pivot_root," +#endif +#ifdef SYS_umount + "umount," +#endif +#ifdef SYS_umount2 + "umount2" +#endif + }, + { .name = "@network-io", .list = +#ifdef SYS_accept + "accept," +#endif +#ifdef SYS_accept4 + "accept4," +#endif +#ifdef SYS_bind + "bind," +#endif +#ifdef SYS_connect + "connect," +#endif +#ifdef SYS_getpeername + "getpeername," +#endif +#ifdef SYS_getsockname + "getsockname," +#endif +#ifdef SYS_getsockopt + "getsockopt," +#endif +#ifdef SYS_listen + "listen," +#endif +#ifdef SYS_recv + "recv," +#endif +#ifdef SYS_recvfrom + "recvfrom," +#endif +#ifdef SYS_recvmmsg + "recvmmsg," +#endif +#ifdef SYS_recvmsg + "recvmsg," +#endif +#ifdef SYS_send + "send," +#endif +#ifdef SYS_sendmmsg + "sendmmsg," +#endif +#ifdef SYS_sendmsg + "sendmsg," +#endif +#ifdef SYS_sendto + "sendto," +#endif +#ifdef SYS_setsockopt + "setsockopt," +#endif +#ifdef SYS_shutdown + "shutdown," +#endif +#ifdef SYS_socket + "socket," +#endif +#ifdef SYS_socketcall + "socketcall," +#endif +#ifdef SYS_socketpair + "socketpair" +#endif + }, { .name = "@obsolete", .list = #ifdef SYS__sysctl "_sysctl," @@ -229,6 +825,9 @@ #ifdef SYS_gtty "gtty," #endif +#ifdef SYS_idle + "idle," +#endif #ifdef SYS_lock "lock," #endif 
@@ -282,35 +881,81 @@ #endif }, { .name = "@privileged", .list = + "@chown," "@clock," "@module," "@raw-io," "@reboot," "@swap," +#ifdef SYS__sysctl + "_sysctl," +#endif #ifdef SYS_acct "acct," #endif #ifdef SYS_bpf "bpf," #endif +#ifdef SYS_capset + "capset," +#endif #ifdef SYS_chroot "chroot," #endif +#ifdef SYS_fanotify_init + "fanotify_init," +#endif #ifdef SYS_mount "mount," #endif #ifdef SYS_nfsservctl "nfsservctl," #endif +#ifdef SYS_open_by_handle_at + "open_by_handle_at," +#endif #ifdef SYS_pivot_root "pivot_root," #endif +#ifdef SYS_quotactl + "quotactl," +#endif #ifdef SYS_setdomainname "setdomainname," #endif +#ifdef SYS_setfsuid + "setfsuid," +#endif +#ifdef SYS_setfsuid32 + "setfsuid32," +#endif +#ifdef SYS_setgroups + "setgroups," +#endif +#ifdef SYS_setgroups32 + "setgroups32," +#endif #ifdef SYS_sethostname "sethostname," #endif +#ifdef SYS_setresuid + "setresuid," +#endif +#ifdef SYS_setresuid32 + "setresuid32," +#endif +#ifdef SYS_setreuid + "setreuid," +#endif +#ifdef SYS_setreuid32 + "setreuid32," +#endif +#ifdef SYS_setuid + "setuid," +#endif +#ifdef SYS_setuid32 + "setuid32," +#endif #ifdef SYS_umount2 "umount2," #endif 
@@ -318,6 +963,71 @@ "vhangup" #endif }, + { .name = "@process", .list = +#ifdef SYS_arch_prctl + "arch_prctl," +#endif +#ifdef SYS_capget + "capget," +#endif +#ifdef SYS_clone + "clone," +#endif +#ifdef SYS_execveat + "execveat," +#endif +#ifdef SYS_fork + "fork," +#endif +#ifdef SYS_getrusage + "getrusage," +#endif +#ifdef SYS_kill + "kill," +#endif +#ifdef SYS_pidfd_send_signal + "pidfd_send_signal," +#endif +#ifdef SYS_prctl + "prctl," +#endif +#ifdef SYS_rt_sigqueueinfo + "rt_sigqueueinfo," +#endif +#ifdef SYS_rt_tgsigqueueinfo + "rt_tgsigqueueinfo," +#endif +#ifdef SYS_setns + "setns," +#endif +#ifdef SYS_swapcontext + "swapcontext," +#endif +#ifdef SYS_tgkill + "tgkill," +#endif +#ifdef SYS_times + "times," +#endif +#ifdef SYS_tkill + "tkill," +#endif +#ifdef SYS_unshare + "unshare," +#endif +#ifdef SYS_vfork + "vfork," +#endif +#ifdef SYS_wait4 + "wait4," +#endif +#ifdef SYS_waitid + "waitid," +#endif +#ifdef SYS_waitpid + "waitpid" +#endif + }, { .name = "@raw-io", .list = #ifdef SYS_ioperm "ioperm," @@ -356,8 +1066,11 @@ #endif }, { .name = "@resources", .list = -#ifdef SYS_set_mempolicy - "set_mempolicy," +#ifdef SYS_ioprio_set + "ioprio_set," +#endif +#ifdef SYS_mbind + "mbind," #endif #ifdef SYS_migrate_pages "migrate_pages," 
@@ -365,8 +1078,108 @@ #ifdef SYS_move_pages "move_pages," #endif -#ifdef SYS_mbind - "mbind" +#ifdef SYS_nice + "nice," +#endif +#ifdef SYS_sched_setaffinity + "sched_setaffinity," +#endif +#ifdef SYS_sched_setattr + "sched_setattr," +#endif +#ifdef SYS_sched_setparam + "sched_setparam," +#endif +#ifdef SYS_sched_setscheduler + "sched_setscheduler," +#endif +#ifdef SYS_set_mempolicy + "set_mempolicy" +#endif + }, + { .name = "@setuid", .list = +#ifdef SYS_setgid + "setgid," +#endif +#ifdef SYS_setgid32 + "setgid32," +#endif +#ifdef SYS_setgroups + "setgroups," +#endif +#ifdef SYS_setgroups32 + "setgroups32," +#endif +#ifdef SYS_setregid + "setregid," +#endif +#ifdef SYS_setregid32 + "setregid32," +#endif +#ifdef SYS_setresgid + "setresgid," +#endif +#ifdef SYS_setresgid32 + "setresgid32," +#endif +#ifdef SYS_setresuid + "setresuid," +#endif +#ifdef SYS_setresuid32 + "setresuid32," +#endif +#ifdef SYS_setreuid + "setreuid," +#endif +#ifdef SYS_setreuid32 + "setreuid32," +#endif +#ifdef SYS_setuid + "setuid," +#endif +#ifdef SYS_setuid32 + "setuid32" +#endif + }, + { .name = "@signal", .list = +#ifdef SYS_rt_sigaction + "rt_sigaction," +#endif +#ifdef SYS_rt_sigpending + "rt_sigpending," +#endif +#ifdef SYS_rt_sigprocmask + "rt_sigprocmask," +#endif +#ifdef SYS_rt_sigsuspend + "rt_sigsuspend," +#endif +#ifdef SYS_rt_sigtimedwait + "rt_sigtimedwait," +#endif +#ifdef SYS_sigaction + "sigaction," +#endif +#ifdef SYS_sigaltstack + "sigaltstack," +#endif +#ifdef SYS_signal + "signal," +#endif +#ifdef SYS_signalfd + "signalfd," +#endif +#ifdef SYS_signalfd4 + "signalfd4," +#endif +#ifdef SYS_sigpending + "sigpending," +#endif +#ifdef SYS_sigprocmask + "sigprocmask," +#endif +#ifdef SYS_sigsuspend + "sigsuspend" #endif }, { .name = "@swap", .list = 
@@ -376,6 +1189,226 @@ #ifdef SYS_swapoff "swapoff" #endif + }, + { .name = "@sync", .list = +#ifdef SYS_fdatasync + "fdatasync," +#endif +#ifdef SYS_fsync + "fsync," +#endif +#ifdef SYS_msync + "msync," +#endif +#ifdef SYS_sync + "sync," +#endif +#ifdef SYS_sync_file_range + "sync_file_range," +#endif +#ifdef SYS_sync_file_range2 + "sync_file_range2," +#endif +#ifdef SYS_syncfs + "syncfs" +#endif + }, + { .name = "@system-service", .list = + "@aio," + "@basic-io," + "@chown," + "@default," + "@file-system," + "@io-event," + "@ipc," + "@keyring," + "@memlock," + "@network-io," + "@process," + "@resources," + "@setuid," + "@signal," + "@sync," + "@timer," +#ifdef SYS_brk + "brk," +#endif +#ifdef SYS_capget + "capget," +#endif +#ifdef SYS_capset + "capset," +#endif +#ifdef SYS_copy_file_range + "copy_file_range," +#endif +#ifdef SYS_fadvise64 + "fadvise64," +#endif +#ifdef SYS_fadvise64_64 + "fadvise64_64," +#endif +#ifdef SYS_flock + "flock," +#endif +#ifdef SYS_get_mempolicy + "get_mempolicy," +#endif +#ifdef SYS_getcpu + "getcpu," +#endif +#ifdef SYS_getpriority + "getpriority," +#endif +#ifdef SYS_getrandom + "getrandom," +#endif +#ifdef SYS_ioctl + "ioctl," +#endif +#ifdef SYS_ioprio_get + "ioprio_get," +#endif +#ifdef SYS_kcmp + "kcmp," +#endif +#ifdef SYS_madvise + "madvise," +#endif +#ifdef SYS_mprotect + "mprotect," +#endif +#ifdef SYS_mremap + "mremap," +#endif +#ifdef SYS_name_to_handle_at + "name_to_handle_at," +#endif +#ifdef SYS_oldolduname + "oldolduname," +#endif +#ifdef SYS_olduname + "olduname," +#endif +#ifdef SYS_personality + "personality," +#endif +#ifdef SYS_readahead + "readahead," +#endif +#ifdef SYS_readdir + "readdir," +#endif +#ifdef SYS_remap_file_pages + "remap_file_pages," +#endif +#ifdef SYS_sched_get_priority_max + "sched_get_priority_max," +#endif +#ifdef SYS_sched_get_priority_min + "sched_get_priority_min," +#endif +#ifdef SYS_sched_getaffinity + "sched_getaffinity," +#endif +#ifdef SYS_sched_getattr + "sched_getattr," +#endif 
+#ifdef SYS_sched_getparam + "sched_getparam," +#endif +#ifdef SYS_sched_getscheduler + "sched_getscheduler," +#endif +#ifdef SYS_sched_rr_get_interval + "sched_rr_get_interval," +#endif +#ifdef SYS_sched_yield + "sched_yield," +#endif +#ifdef SYS_sendfile + "sendfile," +#endif +#ifdef SYS_sendfile64 + "sendfile64," +#endif +#ifdef SYS_setfsgid + "setfsgid," +#endif +#ifdef SYS_setfsgid32 + "setfsgid32," +#endif +#ifdef SYS_setfsuid + "setfsuid," +#endif +#ifdef SYS_setfsuid32 + "setfsuid32," +#endif +#ifdef SYS_setpgid + "setpgid," +#endif +#ifdef SYS_setsid + "setsid," +#endif +#ifdef SYS_splice + "splice," +#endif +#ifdef SYS_sysinfo + "sysinfo," +#endif +#ifdef SYS_tee + "tee," +#endif +#ifdef SYS_umask + "umask," +#endif +#ifdef SYS_uname + "uname," +#endif +#ifdef SYS_userfaultfd + "userfaultfd," +#endif +#ifdef SYS_vmsplice + "vmsplice" +#endif + }, + { .name = "@timer", .list = +#ifdef SYS_alarm + "alarm," +#endif +#ifdef SYS_getitimer + "getitimer," +#endif +#ifdef SYS_setitimer + "setitimer," +#endif +#ifdef SYS_timer_create + "timer_create," +#endif +#ifdef SYS_timer_delete + "timer_delete," +#endif +#ifdef SYS_timer_getoverrun + "timer_getoverrun," +#endif +#ifdef SYS_timer_gettime + "timer_gettime," +#endif +#ifdef SYS_timer_settime + "timer_settime," +#endif +#ifdef SYS_timerfd_create + "timerfd_create," +#endif +#ifdef SYS_timerfd_gettime + "timerfd_gettime," +#endif +#ifdef SYS_timerfd_settime + "timerfd_settime," +#endif +#ifdef SYS_times + "times" +#endif } }; @@ -497,9 +1530,17 @@ syscall_check_list(new_list, callback, fd, arg, ptrarg); } else { + bool negate = false; + if (*ptr == '!') { + negate = true; + ptr++; + } syscall_process_name(ptr, &syscall_nr, &error_nr); if (syscall_nr == -1) {;} else if (callback != NULL) { + if (negate) { + syscall_nr = -syscall_nr; + } if (error_nr != -1 && fd != 0) { filter_add_errno(fd, syscall_nr, error_nr, ptrarg); } 
@@ -522,7 +1563,7 @@ (void)fd; (void) arg; SyscallCheckList *ptr = ptrarg; - if (syscall == ptr->syscall) + if (abs(syscall) == ptr->syscall) ptr->found = true; } diff -Nru firejail-0.9.60/src/fsec-optimize/Makefile.in firejail-0.9.62/src/fsec-optimize/Makefile.in --- firejail-0.9.60/src/fsec-optimize/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fsec-optimize/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -8,7 +8,7 @@ fsec-optimize: $(OBJS) ../lib/libnetlink.o $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fsec-optimize *.gcov *.gcda *.gcno +clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/fsec-print/Makefile.in firejail-0.9.62/src/fsec-print/Makefile.in --- firejail-0.9.60/src/fsec-print/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/fsec-print/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -8,7 +8,7 @@ fsec-print: $(OBJS) ../lib/libnetlink.o $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fsec-print *.gcov *.gcda *.gcno +clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/ftee/Makefile.in firejail-0.9.62/src/ftee/Makefile.in --- firejail-0.9.60/src/ftee/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/ftee/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -8,7 +8,7 @@ ftee: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o ftee *.gcov *.gcda *.gcno +clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/include/rundefs.h firejail-0.9.62/src/include/rundefs.h --- firejail-0.9.60/src/include/rundefs.h 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/include/rundefs.h 2019-12-14 13:30:32.000000000 +0000 
@@ -21,82 +21,83 @@ #ifndef RUNDEFS_H #define RUNDEFS_H // filesystem -#define RUN_FIREJAIL_BASEDIR "/run" -#define RUN_FIREJAIL_DIR "/run/firejail" -#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" -#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place -#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib" -#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" -#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" -#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" -#define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" -#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock" -#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock" -#define RUN_RO_DIR "/run/firejail/firejail.ro.dir" -#define RUN_RO_FILE "/run/firejail/firejail.ro.file" -#define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created -#define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup" -#define RUN_CPU_CFG "/run/firejail/mnt/cpu" -#define RUN_GROUPS_CFG "/run/firejail/mnt/groups" -#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" -#define RUN_NONEWPRIVS_CFG "/run/firejail/mnt/nonewprivs" -#define RUN_HOME_DIR "/run/firejail/mnt/home" -#define RUN_ETC_DIR "/run/firejail/mnt/etc" -#define RUN_OPT_DIR "/run/firejail/mnt/opt" -#define RUN_SRV_DIR "/run/firejail/mnt/srv" -#define RUN_BIN_DIR "/run/firejail/mnt/bin" -#define RUN_PULSE_DIR "/run/firejail/mnt/pulse" -#define RUN_LIB_DIR "/run/firejail/mnt/lib" -#define RUN_LIB_FILE "/run/firejail/mnt/libfiles" -#define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" - -#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" -#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed -#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter -#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter -#define 
RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures -#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute -#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter -#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library -#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make -#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make -#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make -#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make -#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make - - -#define RUN_DEV_DIR "/run/firejail/mnt/dev" -#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" - -#define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11" -#define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking -#define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking -#define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting -#define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting -#define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" -#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" -#define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt" -#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" -#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev" -#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" -#define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" -#define 
RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc" -#define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share" -#define RUN_WHITELIST_MODULE_DIR "/run/firejail/mnt/orig-module" - -#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" -#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" -#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" -#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" -#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" -#define RUN_MACHINEID "/run/firejail/mnt/machine-id" -#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" -#define RUN_UTMP_FILE "/run/firejail/mnt/utmp" -#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" -#define RUN_GROUP_FILE "/run/firejail/mnt/group" -#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" -#define RUN_UMASK_FILE "/run/firejail/mnt/umask" -#define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot" -#define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join" +#define RUN_FIREJAIL_BASEDIR "/run" +#define RUN_FIREJAIL_DIR RUN_FIREJAIL_BASEDIR "/firejail" +#define RUN_FIREJAIL_APPIMAGE_DIR RUN_FIREJAIL_DIR "/appimage" +#define RUN_FIREJAIL_NAME_DIR RUN_FIREJAIL_DIR "/name" // also used in src/lib/pid.c - todo: move it in a common place +#define RUN_FIREJAIL_LIB_DIR RUN_FIREJAIL_DIR "/lib" +#define RUN_FIREJAIL_X11_DIR RUN_FIREJAIL_DIR "/x11" +#define RUN_FIREJAIL_NETWORK_DIR RUN_FIREJAIL_DIR "/network" +#define RUN_FIREJAIL_BANDWIDTH_DIR RUN_FIREJAIL_DIR "/bandwidth" +#define RUN_FIREJAIL_PROFILE_DIR RUN_FIREJAIL_DIR "/profile" +#define RUN_NETWORK_LOCK_FILE RUN_FIREJAIL_DIR "/firejail-network.lock" +#define RUN_DIRECTORY_LOCK_FILE RUN_FIREJAIL_DIR "/firejail-run.lock" +#define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir" +#define RUN_RO_FILE RUN_FIREJAIL_DIR "/firejail.ro.file" +#define RUN_MNT_DIR RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created +#define RUN_CGROUP_CFG RUN_MNT_DIR "/cgroup" +#define RUN_CPU_CFG 
RUN_MNT_DIR "/cpu" +#define RUN_GROUPS_CFG RUN_MNT_DIR "/groups" +#define RUN_PROTOCOL_CFG RUN_MNT_DIR "/protocol" +#define RUN_NONEWPRIVS_CFG RUN_MNT_DIR "/nonewprivs" +#define RUN_HOME_DIR RUN_MNT_DIR "/home" +#define RUN_ETC_DIR RUN_MNT_DIR "/etc" +#define RUN_OPT_DIR RUN_MNT_DIR "/opt" +#define RUN_SRV_DIR RUN_MNT_DIR "/srv" +#define RUN_BIN_DIR RUN_MNT_DIR "/bin" +#define RUN_PULSE_DIR RUN_MNT_DIR "/pulse" +#define RUN_LIB_DIR RUN_MNT_DIR "/lib" +#define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" +#define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" + +#define RUN_SECCOMP_DIR RUN_MNT_DIR "/seccomp" +#define RUN_SECCOMP_LIST RUN_SECCOMP_DIR "/seccomp.list" // list of seccomp files installed +#define RUN_SECCOMP_PROTOCOL RUN_SECCOMP_DIR "/seccomp.protocol" // protocol filter +#define RUN_SECCOMP_CFG RUN_SECCOMP_DIR "/seccomp" // configured filter +#define RUN_SECCOMP_32 RUN_SECCOMP_DIR "/seccomp.32" // 32bit arch filter installed on 64bit architectures +#define RUN_SECCOMP_MDWX RUN_SECCOMP_DIR "/seccomp.mdwx" // filter for memory-deny-write-execute +#define RUN_SECCOMP_BLOCK_SECONDARY RUN_SECCOMP_DIR "/seccomp.block_secondary" // secondary arch blocking filter +#define RUN_SECCOMP_POSTEXEC RUN_SECCOMP_DIR "/seccomp.postexec" // filter for post-exec library +#define PATH_SECCOMP_DEFAULT LIBDIR "/firejail/seccomp" // default filter built during make +#define PATH_SECCOMP_DEFAULT_DEBUG LIBDIR "/firejail/seccomp.debug" // default filter built during make +#define PATH_SECCOMP_32 LIBDIR "/firejail/seccomp.32" // 32bit arch filter built during make +#define PATH_SECCOMP_MDWX LIBDIR "/firejail/seccomp.mdwx" // filter for memory-deny-write-execute built during make +#define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make + + +#define RUN_DEV_DIR RUN_MNT_DIR "/dev" +#define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" + +#define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" +#define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR 
"/orig-home" // default home directory masking +#define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking +#define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting +#define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting +#define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" +#define RUN_WHITELIST_MEDIA_DIR RUN_MNT_DIR "/orig-media" +#define RUN_WHITELIST_MNT_DIR RUN_MNT_DIR "/orig-mnt" +#define RUN_WHITELIST_VAR_DIR RUN_MNT_DIR "/orig-var" +#define RUN_WHITELIST_DEV_DIR RUN_MNT_DIR "/orig-dev" +#define RUN_WHITELIST_OPT_DIR RUN_MNT_DIR "/orig-opt" +#define RUN_WHITELIST_SRV_DIR RUN_MNT_DIR "/orig-srv" +#define RUN_WHITELIST_ETC_DIR RUN_MNT_DIR "/orig-etc" +#define RUN_WHITELIST_SHARE_DIR RUN_MNT_DIR "/orig-share" +#define RUN_WHITELIST_MODULE_DIR RUN_MNT_DIR "/orig-module" + +#define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" +#define RUN_XAUTHORITY_SEC_FILE RUN_MNT_DIR "/sec.Xauthority" +#define RUN_ASOUNDRC_FILE RUN_MNT_DIR "/.asoundrc" +#define RUN_HOSTNAME_FILE RUN_MNT_DIR "/hostname" +#define RUN_HOSTS_FILE RUN_MNT_DIR "/hosts" +#define RUN_MACHINEID RUN_MNT_DIR "/machine-id" +#define RUN_LDPRELOAD_FILE RUN_MNT_DIR "/ld.so.preload" +#define RUN_UTMP_FILE RUN_MNT_DIR "/utmp" +#define RUN_PASSWD_FILE RUN_MNT_DIR "/passwd" +#define RUN_GROUP_FILE RUN_MNT_DIR "/group" +#define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger" +#define RUN_TRACE_FILE RUN_MNT_DIR "/trace" +#define RUN_UMASK_FILE RUN_MNT_DIR "/umask" +#define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" +#define RUN_READY_FOR_JOIN RUN_MNT_DIR "/ready-for-join" #endif diff -Nru firejail-0.9.60/src/lib/common.c firejail-0.9.62/src/lib/common.c --- firejail-0.9.60/src/lib/common.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/lib/common.c 2019-12-28 13:14:56.000000000 +0000 
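Review bot: `RUN_TRACE_FILE` is the only new entry in this block and carries no comment, unlike its seccomp neighbours; since it is the path that `libtrace.c` in this same diff opens for append, a trailing `// trace log written by libtrace.so; see src/libtrace/libtrace.c` would tell a reader why a file under the tmpfs mount exists. The rewrite in terms of `RUN_FIREJAIL_DIR`/`RUN_MNT_DIR`/`RUN_SECCOMP_DIR` keeps every path identical, which is easy to verify line by line here.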
@@ -53,7 +53,7 @@ errout: free(path); - fprintf(stderr, "Error: cannot join namespace %s\\n", type); + fprintf(stderr, "Error: cannot join namespace %s\n", type); return -1; } diff -Nru firejail-0.9.60/src/lib/Makefile.in firejail-0.9.62/src/lib/Makefile.in --- firejail-0.9.60/src/lib/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/lib/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -5,7 +5,7 @@ %.o : %.c $(H_FILE_LIST) $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno +clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/lib/pid.c firejail-0.9.62/src/lib/pid.c --- firejail-0.9.60/src/lib/pid.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/lib/pid.c 2019-12-14 13:30:32.000000000 +0000 @@ -329,10 +329,9 @@ } } - pid_t child = -1; struct dirent *entry; char *end; - while (child < 0 && (entry = readdir(dir))) { + while ((entry = readdir(dir))) { pid_t pid = strtol(entry->d_name, &end, 10); pid %= max_pids; if (end == entry->d_name || *end) diff -Nru firejail-0.9.60/src/libpostexecseccomp/libpostexecseccomp.c firejail-0.9.62/src/libpostexecseccomp/libpostexecseccomp.c --- firejail-0.9.60/src/libpostexecseccomp/libpostexecseccomp.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/libpostexecseccomp/libpostexecseccomp.c 2019-12-14 13:30:32.000000000 +0000 
@@ -40,9 +40,7 @@ return; } unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); - struct sock_filter *filter = MAP_FAILED; - if (size != 0) - filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); + struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); close(fd); if (filter == MAP_FAILED) { diff -Nru firejail-0.9.60/src/libpostexecseccomp/Makefile.in firejail-0.9.62/src/libpostexecseccomp/Makefile.in --- firejail-0.9.60/src/libpostexecseccomp/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/libpostexecseccomp/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -19,7 +19,7 @@ libpostexecseccomp.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl -clean:; rm -f $(OBJS) libpostexecseccomp.so +clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/libtrace/libtrace.c firejail-0.9.62/src/libtrace/libtrace.c --- firejail-0.9.60/src/libtrace/libtrace.c 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/libtrace/libtrace.c 2019-12-14 13:30:32.000000000 +0000 
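Review bot: The unconditional `mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0)` now relies on the kernel rejecting a zero length with EINVAL so that an empty filter file still lands in the `MAP_FAILED` branch; that holds on Linux but is implicit, so add `// a zero-length file makes mmap() fail with EINVAL and is reported by the MAP_FAILED check below`. The adjacent context line `(unsigned short) size / (unsigned short) sizeof(struct sock_filter)` casts `size` to 16 bits before dividing, so a filter file larger than 65535 bytes would silently yield a wrong entry count — pre-existing, but worth a follow-up. The enclosing function starts before the hunk.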
@@ -32,63 +32,88 @@ #include #include #include -#include +#include "../include/rundefs.h" + +#define tprintf(fp, args...) \ + do { \ + if (!fp)\ + init(); \ + fprintf(fp, args); \ + } while(0) // break recursivity on fopen call typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode); static orig_fopen_t orig_fopen = NULL; typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode); static orig_fopen64_t orig_fopen64 = NULL; +typedef int (*orig_access_t)(const char *pathname, int mode); +static orig_access_t orig_access = NULL; // -// pid +// library constructor/destructor // +// Using fprintf to /dev/tty instead of printf in order to fix #561 +static FILE *ftty = NULL; static pid_t mypid = 0; -static inline pid_t pid(void) { - if (!mypid) - mypid = getpid(); - return mypid; -} +#define MAXNAME 16 // 8 or larger +static char myname[MAXNAME] = "unknown"; -// -// process name -// -#define MAXNAME 16 -static char myname[MAXNAME]; -static int nameinit = 0; -static char *name(void) { - if (!nameinit) { - // initialize the name of the process based on /proc/PID/comm - memset(myname, 0, MAXNAME); - - pid_t p = pid(); - char *fname; - if (asprintf(&fname, "/proc/%u/comm", p) == -1) - return "unknown"; - - // read file - if (!orig_fopen) - orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); - FILE *fp = orig_fopen(fname, "r"); - if (!fp) - return "unknown"; - if (fgets(myname, MAXNAME, fp) == NULL) { - fclose(fp); - free(fname); - return "unknown"; +static void init(void) __attribute__((constructor)); +void init(void) { + if (ftty) + return; + + orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); + orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); + + // allow environment variable to override defaults + char *logfile = getenv("FIREJAIL_TRACEFILE"); + if (!logfile) { + // if exists, log to trace file + logfile = RUN_TRACE_FILE; + if (orig_access(logfile, F_OK)) + // else log to associated tty + logfile = "/dev/tty"; + } + + // logfile + 
unsigned cnt = 0; + while ((ftty = orig_fopen(logfile, "a")) == NULL) { + if (++cnt > 10) { // 10 sec + perror("Cannot open trace log file"); + exit(1); } + sleep(1); + } + // line buffered stream + setvbuf(ftty, NULL, _IOLBF, BUFSIZ); - // clean '\n' - char *ptr = strchr(myname, '\n'); - if (ptr) - *ptr = '\0'; + // pid + mypid = getpid(); - fclose(fp); + // process name + char *fname; + if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) { + FILE *fp = orig_fopen(fname, "r"); free(fname); - nameinit = 1; + if (fp) { + if (fgets(myname, MAXNAME, fp) == NULL) + strcpy(myname, "unknown"); + fclose(fp); + } } - return myname; + // clean '\n' + char *ptr = strchr(myname, '\n'); + if (ptr) + *ptr = '\0'; + +// tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname); +} + +static void fini(void) __attribute__((destructor)); +void fini(void) { + fclose(ftty); } // 
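Review bot: `fini()` calls `fclose(ftty)` unguarded, but the `exit(1)` in `init()` is reached while `ftty` is still NULL, and `exit()` runs the registered destructors, so that failure path ends in `fclose(NULL)`; change it to `if (ftty) fclose(ftty);`. `FIREJAIL_TRACEFILE` is taken from the traced process's environment and passed straight to `orig_fopen(logfile, "a")` with no check; the library runs with that process's own privileges, so this is not an escalation, but a comment stating that the variable is trusted exactly as much as the process itself and that the file is only ever appended to would document the intent. Note also that a constructor which sleeps for up to ten seconds and then exits terminates the traced program rather than the tracer; leaving `ftty` NULL and making `tprintf` a no-op may be the friendlier failure mode.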
@@ -235,23 +260,23 @@ static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { if (addr->sa_family == AF_INET) { struct sockaddr_in *a = (struct sockaddr_in *) addr; - printf("%u:%s:%s %d %s port %u:%d\n", pid(), name(), call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv); + tprintf(ftty, "%u:%s:%s %d %s port %u:%d\n", mypid, myname, call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv); } else if (addr->sa_family == AF_INET6) { struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr; char str[INET6_ADDRSTRLEN]; inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN); - printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, str, rv); + tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, str, rv); } else if (addr->sa_family == AF_UNIX) { struct sockaddr_un *a = (struct sockaddr_un *) addr; if (a->sun_path[0]) - printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, a->sun_path, rv); + tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, a->sun_path, rv); else - printf("%u:%s:%s %d @%s:%d\n", pid(), name(), call, sockfd, a->sun_path + 1, rv); + tprintf(ftty, "%u:%s:%s %d @%s:%d\n", mypid, myname, call, sockfd, a->sun_path + 1, rv); } else { - printf("%u:%s:%s %d family %d:%d\n", pid(), name(), call, sockfd, addr->sa_family, rv); + tprintf(ftty, "%u:%s:%s %d family %d:%d\n", mypid, myname, call, sockfd, addr->sa_family, rv); } } @@ -267,7 +292,7 @@ orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); int rv = orig_open(pathname, flags, mode); - printf("%u:%s:open %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv); return rv; } @@ -278,7 +303,7 @@ orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); int rv = orig_open64(pathname, flags, mode); - printf("%u:%s:open64 %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv); return rv; } 
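Review bot: The AF_UNIX branch prints `a->sun_path` and `a->sun_path + 1` with `%s`, which assumes a terminating NUL; for abstract-namespace sockets the name's length is given by the address length rather than a terminator, so the `tprintf` may read past the name until it happens to find a zero byte. `print_sockaddr` has no address-length parameter here; if the callers have it, a bounded `%.*s` with that length would make the output well-defined, otherwise a comment stating the assumption is the minimum. The same `%s` pattern was already in the removed lines, so this is pre-existing rather than introduced by the commit.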
@@ -290,7 +315,7 @@ orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); int rv = orig_openat(dirfd, pathname, flags, mode); - printf("%u:%s:openat %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:openat %s:%d\n", mypid, myname, pathname, rv); return rv; } @@ -301,7 +326,7 @@ orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); int rv = orig_openat64(dirfd, pathname, flags, mode); - printf("%u:%s:openat64 %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv); return rv; } @@ -312,7 +337,7 @@ orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); FILE *rv = orig_fopen(pathname, mode); - printf("%u:%s:fopen %s:%p\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:fopen %s:%p\n", mypid, myname, pathname, rv); return rv; } @@ -322,7 +347,7 @@ orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); FILE *rv = orig_fopen64(pathname, mode); - printf("%u:%s:fopen64 %s:%p\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv); return rv; } #endif /* __GLIBC__ */ @@ -336,7 +361,7 @@ orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); FILE *rv = orig_freopen(pathname, mode, stream); - printf("%u:%s:freopen %s:%p\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:freopen %s:%p\n", mypid, myname, pathname, rv); return rv; } @@ -348,7 +373,7 @@ orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); FILE *rv = orig_freopen64(pathname, mode, stream); - printf("%u:%s:freopen64 %s:%p\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv); return rv; } #endif /* __GLIBC__ */ @@ -361,7 +386,7 @@ orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); int rv = orig_unlink(pathname); - printf("%u:%s:unlink %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:unlink %s:%d\n", mypid, myname, pathname, rv); return rv; } 
@@ -372,7 +397,7 @@ orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); int rv = orig_unlinkat(dirfd, pathname, flags); - printf("%u:%s:unlinkat %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:unlinkat %s:%d\n", mypid, myname, pathname, rv); return rv; } @@ -384,7 +409,7 @@ orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); int rv = orig_mkdir(pathname, mode); - printf("%u:%s:mkdir %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:mkdir %s:%d\n", mypid, myname, pathname, rv); return rv; } @@ -395,7 +420,7 @@ orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); int rv = orig_mkdirat(dirfd, pathname, mode); - printf("%u:%s:mkdirat %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:mkdirat %s:%d\n", mypid, myname, pathname, rv); return rv; } 
@@ -406,56 +431,56 @@ orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); int rv = orig_rmdir(pathname); - printf("%u:%s:rmdir %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:rmdir %s:%d\n", mypid, myname, pathname, rv); return rv; } // stat -typedef int (*orig_stat_t)(const char *pathname, struct stat *buf); +typedef int (*orig_stat_t)(const char *pathname, struct stat *statbuf); static orig_stat_t orig_stat = NULL; -int stat(const char *pathname, struct stat *buf) { +int stat(const char *pathname, struct stat *statbuf) { if (!orig_stat) orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); - int rv = orig_stat(pathname, buf); - printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv); + int rv = orig_stat(pathname, statbuf); + tprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv); return rv; } #ifdef __GLIBC__ -typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf); +typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf); static orig_stat64_t orig_stat64 = NULL; -int stat64(const char *pathname, struct stat64 *buf) { +int stat64(const char *pathname, struct stat64 *statbuf) { if (!orig_stat64) orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); - int rv = orig_stat64(pathname, buf); - printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv); + int rv = orig_stat64(pathname, statbuf); + tprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv); return rv; } #endif /* __GLIBC__ */ // lstat -typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf); +typedef int (*orig_lstat_t)(const char *pathname, struct stat *statbuf); static orig_lstat_t orig_lstat = NULL; -int lstat(const char *pathname, struct stat *buf) { +int lstat(const char *pathname, struct stat *statbuf) { if (!orig_lstat) orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); - int rv = orig_lstat(pathname, buf); - printf("%u:%s:lstat %s:%d\n", pid(), name(), pathname, rv); + int rv = orig_lstat(pathname, statbuf); + 
tprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv); return rv; } #ifdef __GLIBC__ -typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf); +typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf); static orig_lstat64_t orig_lstat64 = NULL; -int lstat64(const char *pathname, struct stat64 *buf) { +int lstat64(const char *pathname, struct stat64 *statbuf) { if (!orig_lstat64) orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); - int rv = orig_lstat64(pathname, buf); - printf("%u:%s:lstat64 %s:%d\n", pid(), name(), pathname, rv); + int rv = orig_lstat64(pathname, statbuf); + tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); return rv; } #endif /* __GLIBC__ */ @@ -468,19 +493,17 @@ orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); DIR *rv = orig_opendir(pathname); - printf("%u:%s:opendir %s:%p\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:opendir %s:%p\n", mypid, myname, pathname, rv); return rv; } // access -typedef int (*orig_access_t)(const char *pathname, int mode); -static orig_access_t orig_access = NULL; int access(const char *pathname, int mode) { if (!orig_access) orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); int rv = orig_access(pathname, mode); - printf("%u:%s:access %s:%d\n", pid(), name(), pathname, rv); + tprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv); return rv; } 
@@ -501,14 +524,14 @@ // socket typedef int (*orig_socket_t)(int domain, int type, int protocol); static orig_socket_t orig_socket = NULL; -static char buf[1024]; +static char socketbuf[1024]; int socket(int domain, int type, int protocol) { if (!orig_socket) orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket"); int rv = orig_socket(domain, type, protocol); - char *ptr = buf; - ptr += sprintf(ptr, "%u:%s:socket ", pid(), name()); + char *ptr = socketbuf; + ptr += sprintf(ptr, "%u:%s:socket ", mypid, myname); char *str = translate(socket_domain, domain); if (str == NULL) ptr += sprintf(ptr, "%d ", domain); @@ -538,7 +561,7 @@ sprintf(ptr, "%s", str); } - printf("%s:%d\n", buf, rv); + tprintf(ftty, "%s:%d\n", socketbuf, rv); return rv; } @@ -576,7 +599,7 @@ orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system"); int rv = orig_system(command); - printf("%u:%s:system %s:%d\n", pid(), name(), command, rv); + tprintf(ftty, "%u:%s:system %s:%d\n", mypid, myname, command, rv); return rv; } @@ -588,7 +611,7 @@ orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid"); int rv = orig_setuid(uid); - printf("%u:%s:setuid %d:%d\n", pid(), name(), uid, rv); + tprintf(ftty, "%u:%s:setuid %d:%d\n", mypid, myname, uid, rv); return rv; } @@ -600,7 +623,7 @@ orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid"); int rv = orig_setgid(gid); - printf("%u:%s:setgid %d:%d\n", pid(), name(), gid, rv); + tprintf(ftty, "%u:%s:setgid %d:%d\n", mypid, myname, gid, rv); return rv; } @@ -612,7 +635,7 @@ orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid"); int rv = orig_setfsuid(uid); - printf("%u:%s:setfsuid %d:%d\n", pid(), name(), uid, rv); + tprintf(ftty, "%u:%s:setfsuid %d:%d\n", mypid, myname, uid, rv); return rv; } @@ -624,7 +647,7 @@ orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid"); int rv = orig_setfsgid(gid); - printf("%u:%s:setfsgid %d:%d\n", pid(), name(), gid, rv); + tprintf(ftty, "%u:%s:setfsgid %d:%d\n", mypid, myname, gid, rv); return rv; } 
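Review bot: `ptr += sprintf(ptr, "%u:%s:socket ", mypid, myname);` and the `sprintf` calls that follow write into the 1024-byte static `socketbuf` with no bound; the inputs (a pid, the 16-byte `myname` and short strings from `translate()`) make an overflow unlikely, but `snprintf(ptr, sizeof(socketbuf) - (ptr - socketbuf), ...)` would make that guarantee explicit rather than assumed. The rename also keeps one static buffer shared by every caller of `socket()`, so two threads tracing at once can interleave in it — presumably tolerated for a debugging aid, but worth a comment such as `// not thread-safe: shared scratch buffer for one log line`. The hunk at `@@ -538,7 +561,7 @@` finishes the same buffer.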
@@ -636,7 +659,7 @@ orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid"); int rv = orig_setreuid(ruid, euid); - printf("%u:%s:setreuid %d %d:%d\n", pid(), name(), ruid, euid, rv); + tprintf(ftty, "%u:%s:setreuid %d %d:%d\n", mypid, myname, ruid, euid, rv); return rv; } @@ -648,7 +671,7 @@ orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid"); int rv = orig_setregid(rgid, egid); - printf("%u:%s:setregid %d %d:%d\n", pid(), name(), rgid, egid, rv); + tprintf(ftty, "%u:%s:setregid %d %d:%d\n", mypid, myname, rgid, egid, rv); return rv; } @@ -660,7 +683,7 @@ orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid"); int rv = orig_setresuid(ruid, euid, suid); - printf("%u:%s:setresuid %d %d %d:%d\n", pid(), name(), ruid, euid, suid, rv); + tprintf(ftty, "%u:%s:setresuid %d %d %d:%d\n", mypid, myname, ruid, euid, suid, rv); return rv; } @@ -672,7 +695,7 @@ orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid"); int rv = orig_setresgid(rgid, egid, sgid); - printf("%u:%s:setresgid %d %d %d:%d\n", pid(), name(), rgid, egid, sgid, rv); + tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv); return rv; } @@ -687,6 +710,6 @@ int rv = readlink("/proc/self/exe", buf, PATH_MAX); if (rv != -1) { buf[rv] = '\0'; // readlink does not add a '\0' at the end - printf("%u:%s:exec %s:0\n", pid(), name(), buf); + tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); } } diff -Nru firejail-0.9.60/src/libtrace/Makefile.in firejail-0.9.62/src/libtrace/Makefile.in --- firejail-0.9.60/src/libtrace/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/libtrace/Makefile.in 2019-12-14 13:30:32.000000000 +0000 
@@ -20,7 +20,7 @@ $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl -clean:; rm -f $(OBJS) libtrace.so +clean:; rm -fr $(OBJS) libtrace.so *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/libtracelog/Makefile.in firejail-0.9.62/src/libtracelog/Makefile.in --- firejail-0.9.60/src/libtracelog/Makefile.in 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/libtracelog/Makefile.in 2019-12-14 13:30:32.000000000 +0000 @@ -20,7 +20,7 @@ $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl -clean:; rm -f $(OBJS) libtracelog.so +clean:; rm -fr $(OBJS) libtracelog.so *.plist distclean: clean rm -fr Makefile diff -Nru firejail-0.9.60/src/man/firecfg.txt firejail-0.9.62/src/man/firecfg.txt --- firejail-0.9.60/src/man/firecfg.txt 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/man/firecfg.txt 2019-12-14 13:30:32.000000000 +0000 @@ -42,7 +42,7 @@ .br .br --fix desktop files in $HOME/.local/share/applications/ (firecfg --fix). +- fix desktop files in $HOME/.local/share/applications/ (firecfg --fix). .RE .SH OPTIONS diff -Nru firejail-0.9.60/src/man/firejail-login.txt firejail-0.9.62/src/man/firejail-login.txt --- firejail-0.9.60/src/man/firejail-login.txt 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/man/firejail-login.txt 2019-12-14 13:30:32.000000000 +0000 @@ -11,7 +11,7 @@ Example: - netblue:--net=none --protocol=unix + netblue: --net=none --protocol=unix Wildcard patterns are accepted in the user name field: diff -Nru firejail-0.9.60/src/man/firejail-profile.txt firejail-0.9.62/src/man/firejail-profile.txt --- firejail-0.9.60/src/man/firejail-profile.txt 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/man/firejail-profile.txt 2019-12-14 13:30:32.000000000 +0000 
@@ -74,6 +74,15 @@ [...] .RE +.SH Templates +In /usr/share/doc/firejail there are two templates to write new profiles. +.RS +profile.template - for regular profiles +.br +redirect_alias-profile.template - for aliasing/redirecting profiles +.RE + + .SH Scripting Scripting commands: @@ -94,7 +103,8 @@ This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F, and BROWSER_ALLOW_DRM. +Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM +can be enabled or disabled globally in Firejail's configuration file. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. @@ -141,7 +151,7 @@ Example: "ignore seccomp" .br -Example: "ignore net ehh0" +Example: "ignore net eth0" .TP \fBquiet @@ -151,10 +161,10 @@ .SH Filesystem These profile entries define a chroot filesystem built on top of the existing -host filesystem. Each line describes a file element that is removed from -the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), +host filesystem. Each line describes a file/directory that is inaccessible +(\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), -or mount-bind a directory or file on top of another directory or file (\fBbind\fR). +or mount-bind a directory or file on top of another directory or file (\fBbind\fR). Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and HOME directories are searched. Examples: 
@@ -193,6 +203,9 @@ \fBdisable-mnt Disable /mnt, /media, /run/mount and /run/media access. .TP +\fBkeep-dev-shm +/dev/shm directory is untouched (even with private-dev). +.TP \fBkeep-var-tmp /var/tmp directory is untouched. .TP 
@@ -244,33 +257,37 @@ \fBprivate directory Use directory as user home. .TP -\fBprivate-home file,directory -Build a new user home in a temporary -filesystem, and copy the files and directories in the list in the -new home. All modifications are discarded when the sandbox is -closed. +\fBprivate-bin file,file +Build a new /bin in a temporary filesystem, and copy the programs in the list. +The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. .TP \fBprivate-cache Mount an empty temporary filesystem on top of the .cache directory in user home. All modifications are discarded when the sandbox is closed. .TP -\fBprivate-bin file,file -Build a new /bin in a temporary filesystem, and copy the programs in the list. -The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. +\fBprivate-cwd +Set working directory inside jail to the home directory, and failing that, the root directory. +.TP +\fBprivate-cwd directory +Set working directory inside the jail. .TP \fBprivate-dev Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available. Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions. -.TP -\fBkeep-dev-shm -/dev/shm directory is untouched (even with private-dev). + .TP \fBprivate-etc file,directory Build a new /etc in a temporary filesystem, and copy the files and directories in the list. All modifications are discarded when the sandbox is closed. .TP +\fBprivate-home file,directory +Build a new user home in a temporary +filesystem, and copy the files and directories in the list in the +new home. All modifications are discarded when the sandbox is +closed. +.TP \fBprivate-lib file,directory Build a new /lib directory and bring in the libraries required by the application to run. This feature is still under development, see \fBman 1 firejail\fR for some examples. 
@@ -288,12 +305,6 @@ \fBprivate-tmp Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. .TP -\fBprivate-cwd -Set working directory inside jail to the home directory, and failing that, the root directory. -.TP -\fBprivate-cwd directory -Set working directory inside the jail. -.TP \fBread-only file_or_directory Make directory or file read-only. .TP @@ -334,21 +345,39 @@ The following security filters are currently implemented: .TP +\fBallow-debuggers +Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. +.TP \fBapparmor Enable AppArmor confinement. .TP \fBcaps Enable default Linux capabilities filter. .TP -\fBcaps.drop all -Blacklist all Linux capabilities. -.TP \fBcaps.drop capability,capability,capability Blacklist given Linux capabilities. .TP +\fBcaps.drop all +Blacklist all Linux capabilities. +.TP \fBcaps.keep capability,capability,capability Whitelist given Linux capabilities. .TP +\fBmemory-deny-write-execute +Install a seccomp filter to block attempts to create memory mappings +that are both writable and executable, to change mappings to be +executable or to create executable shared memory. +.TP +\fBnonewprivs +Sets the NO_NEW_PRIVS prctl. This ensures that child processes +cannot acquire new privileges using execve(2); in particular, +this means that calling a suid binary (or one with file capabilities) +does not result in an increase of privilege. +.TP +\fBnoroot +Use this command to enable an user namespace. The namespace has only one user, the current user. +There is no root account (uid 0) defined in the namespace. +.TP \fBprotocol protocol1,protocol2,protocol3 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. Recognized values: \fBunix\fR, 
@@ -370,21 +399,6 @@ \fBseccomp.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list. .TP -\fBmemory-deny-write-execute -Install a seccomp filter to block attempts to create memory mappings -that are both writable and executable, to change mappings to be -executable or to create executable shared memory. -.TP -\fBnonewprivs -Sets the NO_NEW_PRIVS prctl. This ensures that child processes -cannot acquire new privileges using execve(2); in particular, -this means that calling a suid binary (or one with file capabilities) -does not result in an increase of privilege. -.TP -\fBnoroot -Use this command to enable an user namespace. The namespace has only one user, the current user. -There is no root account (uid 0) defined in the namespace. -.TP \fBx11 Enable X11 sandboxing. .TP @@ -429,6 +443,15 @@ Examples: .TP +\fBcgroup /sys/fs/cgroup/g1/tasks +The sandbox is placed in g1 control group. +.TP +\fBcpu 0,1,2 +Use only CPU cores 0, 1 and 2. +.TP +\fBnice -5 +Set a nice value of -5 to all processes running inside the sandbox. +.TP \fBrlimit-as 123456789012 Set the maximum size of the process's virtual memory to 123456789012 bytes. .TP @@ -447,15 +470,6 @@ \fBrlimit-sigpending 200 Set the maximum number of processes that can be created for the real user ID of the calling process to 200. .TP -\fBcpu 0,1,2 -Use only CPU cores 0, 1 and 2. -.TP -\fBnice -5 -Set a nice value of -5 to all processes running inside the sandbox. -.TP -\fBcgroup /sys/fs/cgroup/g1/tasks -The sandbox is placed in g1 control group. -.TP \fBtimeout hh:mm:ss Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format. @@ -465,14 +479,6 @@ All user home directories are visible inside the sandbox. By default, only current user home directory is visible. .TP -\fBname sandboxname -Set sandbox name. Example: -.br - -.br -name browser - -.TP \fBenv name=value Set environment variable. Examples: .br 
@@ -483,17 +489,23 @@ env CFLAGS="-W -Wall -Werror" .TP -\fBnodvd -Disable DVD and audio CD devices. +\fBipc-namespace +Enable IPC namespace. .TP -\fBnogroups -Disable supplementary user groups +\fBname sandboxname +Set sandbox name. Example: +.br + +.br +name browser + .TP -\fBshell none -Run the program directly, without a shell. +\fBno3d +Disable 3D hardware acceleration. .TP -\fBipc-namespace -Enable IPC namespace. +\fBnoautopulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. .TP \fBnodbus Disable D-Bus access. Only the regular UNIX socket is handled by @@ -501,13 +513,15 @@ request a new network namespace using the net command. Another option is to remove unix from protocol set. .TP +\fBnodvd +Disable DVD and audio CD devices. +.TP +\fBnogroups +Disable supplementary user groups +.TP \fBnosound Disable sound system. .TP -\fBnoautopulse -Disable automatic ~/.config/pulse init, for complex setups such as remote -pulse servers or non-standard socket paths. -.TP \fBnotv Disable DVB (Digital Video Broadcasting) TV devices. .TP @@ -517,8 +531,9 @@ \fBnovideo Disable video devices. .TP -\fBno3d -Disable 3D hardware acceleration. +\fBshell none +Run the program directly, without a shell. + .SH Networking Networking features available in profile files. @@ -606,16 +621,6 @@ \fBmtu number Assign a MTU value to the last network interface defined by a net command. - - -.TP -\fBnetfilter -If a new network namespace is created, enabled default network filter. - -.TP -\fBnetfilter filename -If a new network namespace is created, enabled the network filter in filename. - .TP \fBnet bridge_interface Enable a new network namespace and connect it to this bridge interface. 
@@ -636,6 +641,13 @@ be defined. Mixing bridge and macvlan devices is allowed. .TP +\fBnet none +Enable a new, unconnected network namespace. The only interface +available in the new namespace is a new loopback interface (lo). +Use this option to deny network access to programs that don't +really need network access. + +.TP \fBnet tap_interface Enable a new network namespace and connect it to this ethernet tap interface using the standard Linux macvlan @@ -644,11 +656,13 @@ Please use ip, netmask and defaultgw to specify the configuration. .TP -\fBnet none -Enable a new, unconnected network namespace. The only interface -available in the new namespace is a new loopback interface (lo). -Use this option to deny network access to programs that don't -really need network access. +\fBnetfilter +If a new network namespace is created, enabled default network filter. + +.TP +\fBnetfilter filename +If a new network namespace is created, enabled the network filter in filename. + .TP \fBnetmask address @@ -663,14 +677,14 @@ .SH Other .TP +\fBdeterministic-exit-code +Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. + +.TP \fBjoin-or-start sandboxname Join the sandbox identified by name or start a new one. Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". -.TP -\fBdeterministic-exit-code -Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. - .SH FILES /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile diff -Nru firejail-0.9.60/src/man/firejail.txt firejail-0.9.62/src/man/firejail.txt --- firejail-0.9.60/src/man/firejail.txt 2019-05-26 11:13:23.000000000 +0000 +++ firejail-0.9.62/src/man/firejail.txt 2019-12-14 13:30:32.000000000 +0000 
@@ -8,6 +8,12 @@ firejail [OPTIONS] [program and arguments] .RE .PP +Start an AppImage program: +.PP +.RS +firejail [OPTIONS] --appimage [appimage-file and arguments] +.RE +.PP File transfer from an existing sandbox .PP .RS @@ -411,7 +417,7 @@ .TP \fB\-\-deterministic-exit-code -Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. +Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. .TP \fB\-\-dns=address @@ -822,24 +828,6 @@ $ firejail \-\-net=br0 \-\-net=br1 .TP -\fB\-\-net=none -Enable a new, unconnected network namespace. The only interface -available in the new namespace is a new loopback interface (lo). -Use this option to deny -network access to programs that don't really need network access. -.br - -.br -Example: -.br -$ firejail \-\-net=none vlc -.br - -.br -Note: \-\-net=none can crash the application on some platforms. -In these cases, it can be replaced with \-\-protocol=unix. - -.TP \fB\-\-net=ethernet_interface|wireless_interface Enable a new network namespace and connect it to this ethernet interface using the standard Linux macvlan|ipvaln @@ -859,6 +847,24 @@ $ firejail \-\-net=wlan0 firefox .TP +\fB\-\-net=none +Enable a new, unconnected network namespace. The only interface +available in the new namespace is a new loopback interface (lo). +Use this option to deny +network access to programs that don't really need network access. +.br + +.br +Example: +.br +$ firejail \-\-net=none vlc +.br + +.br +Note: \-\-net=none can crash the application on some platforms. +In these cases, it can be replaced with \-\-protocol=unix. + +.TP \fB\-\-net=tap_interface Enable a new network namespace and connect it to this ethernet tap interface using the standard Linux macvlan 
@@ -1428,6 +1434,48 @@ $ firejail \-\-private-cache openbox .TP +\fB\-\-private-cwd +Set working directory inside jail to the home directory, and failing that, the root directory. +.br +Does not impact working directory of profile include paths. +.br + +.br +Example: +.br +$ pwd +.br +/tmp +.br +$ firejail \-\-private-cwd +.br +$ pwd +.br +/home/user +.br + +.TP +\fB\-\-private-cwd=directory +Set working directory inside the jail. +.br +Does not impact working directory of profile include paths. +.br + +.br +Example: +.br +$ pwd +.br +/tmp +.br +$ firejail \-\-private-cwd=/opt +.br +$ pwd +.br +/opt +.br + +.TP \fB\-\-private-dev Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available. Use the options --no3d, --nodvd, --nosound, --notv, --nou2f and --novideo for additional restrictions. @@ -1573,49 +1621,6 @@ .br .TP -\fB\-\-private-cwd -Set working directory inside jail to the home directory, and failing that, the root directory. -.br -Does not impact working directory of profile include paths. -.br - -.br -Example: -.br -$ pwd -.br -/tmp -.br -$ firejail \-\-private-cwd -.br -$ pwd -.br -/home/user -.br - -.TP -\fB\-\-private-cwd=directory -Set working directory inside the jail. -.br -Does not impact working directory of profile include paths. -.br - -.br -Example: -.br -$ pwd -.br -/tmp -.br -$ firejail \-\-private-cwd=/opt -.br -$ pwd -.br -/opt -.br - - -.TP \fB\-\-profile=filename_or_profilename Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. For more information, see \fBSECURITY PROFILES\fR section below. 
@@ -1756,25 +1761,22 @@ $ firejail \-\-net=eth0 \-\-scan .TP \fB\-\-seccomp -Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows: -_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime, -create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module, -io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load, -kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx, -name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open, -personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg, -query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr, -security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot, -swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup, -vm86, vm86old, vmsplice and vserver. +Enable seccomp filter and blacklist the syscalls in the default list, +which is @default-nodebuggers unless allow-debuggers is specified, +then it is @default. .br To help creating useful seccomp filters more easily, the following -system call groups are defined: @clock, @cpu-emulation, @debug, -@default, @default-nodebuggers, @default-keep, @module, @obsolete, -@privileged, @raw-io, @reboot, @resources and @swap. In addition, a -system call can be specified by its number instead of name with prefix -$, so for example $165 would be equal to mount on i386. 
+system call groups are defined: @aio, @basic-io, @chown, @clock, +@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, +@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount, +@network-io, @obsolete, @privileged, @process, @raw-io, @reboot, +@resources, @setuid, @swap, @sync, @system-service and @timer. +More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt + +In addition, a system call can be specified by its number instead of +name with prefix $, so for example $165 would be equal to mount on i386. +Exceptions can be allowed with prefix !. .br System architecture is strictly imposed only if flag @@ -1792,8 +1794,10 @@ .br $ firejail \-\-seccomp .TP -\fB\-\-seccomp=syscall,@group -Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. +\fB\-\-seccomp=syscall,@group,!syscall2 +Enable seccomp filter, whitelist "syscall2", but blacklist the default +list and the syscalls or syscall groups specified by the +command. .br .br @@ -1893,10 +1897,10 @@ .TP -\fB\-\-seccomp.keep=syscall,syscall,syscall -Enable seccomp filter, and whitelist the syscalls specified by the -command. The system calls needed by Firejail (group @default-keep: -prctl, execve) are handled with the preload library. +\fB\-\-seccomp.keep=syscall,@group,!syscall2 +Enable seccomp filter, blacklist all syscall not listed and "syscall2". +The system calls needed by Firejail (group @default-keep: prctl, execve) +are handled with the preload library. .br .br @@ -2136,8 +2140,9 @@ .br $ firejail \-\-top .TP -\fB\-\-trace -Trace open, access and connect system calls. +\fB\-\-trace[=filename] +Trace open, access and connect system calls. If filename is specified, log +trace output to filename, otherwise log to console. .br .br 
@@ -2318,9 +2323,9 @@ .TP \fB\-\-x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. -The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing +The sandbox will prevent screenshot and keylogger applications started inside the sandbox from accessing clients running outside the sandbox. -Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. +Firejail will try Xpra first, and if Xpra is not installed on the system, it will try to find Xephyr. If all fails, Firejail will not attempt to use Xvfb or X11 security extension. .br diff -Nru firejail-0.9.60/src/man/firemon.txt firejail-0.9.62/src/man/firemon.txt --- firejail-0.9.60/src/man/firemon.txt 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/src/man/firemon.txt 2019-12-14 13:30:32.000000000 +0000 @@ -25,6 +25,9 @@ \fB\-\-cpu Print CPU affinity for each sandbox. .TP +\fB\-\-debug +Print debug messages +.TP \fB\-?\fR, \fB\-\-help\fR Print options end exit. .TP diff -Nru firejail-0.9.60/test/apps/apps.sh firejail-0.9.62/test/apps/apps.sh --- firejail-0.9.60/test/apps/apps.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/apps/apps.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird " LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat" diff -Nru firejail-0.9.60/test/apps/transmission-qt.exp firejail-0.9.62/test/apps/transmission-qt.exp --- firejail-0.9.60/test/apps/transmission-qt.exp 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/apps/transmission-qt.exp 2019-12-14 13:30:32.000000000 +0000 
@@ -7,7 +7,7 @@ spawn $env(SHELL) match_max 100000 -send -- "firejail transmission-qt\r" +send -- "firejail --ignore=quiet transmission-qt\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Reading profile /etc/firejail/transmission-qt.profile" @@ -50,7 +50,7 @@ expect { timeout {puts "TESTING ERROR 5\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail transmission-qt" + ":firejail --ignore=quiet transmission-qt" } expect { timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} @@ -64,7 +64,7 @@ send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - ":firejail transmission-qt" + ":firejail --ignore=quiet transmission-qt" } expect { timeout {puts "TESTING ERROR 6.1\n";exit} diff -Nru firejail-0.9.60/test/apps-x11/apps-x11.sh firejail-0.9.62/test/apps-x11/apps-x11.sh --- firejail-0.9.60/test/apps-x11/apps-x11.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/apps-x11/apps-x11.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C echo "TESTING: no x11 (test/apps-x11/x11-none.exp)" ./x11-none.exp diff -Nru firejail-0.9.60/test/apps-x11-xorg/apps-x11-xorg.sh firejail-0.9.62/test/apps-x11-xorg/apps-x11-xorg.sh --- firejail-0.9.60/test/apps-x11-xorg/apps-x11-xorg.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/apps-x11-xorg/apps-x11-xorg.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C which firefox 2>/dev/null if [ "$?" -eq 0 ]; diff -Nru firejail-0.9.60/test/arguments/arguments.sh firejail-0.9.62/test/arguments/arguments.sh --- firejail-0.9.60/test/arguments/arguments.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/arguments/arguments.sh 2019-12-14 13:30:32.000000000 +0000 
@@ -1,4 +1,5 @@ #!/bin/bash +export LC_ALL=C if [ -f /etc/debian_version ]; then libdir=$(dirname "$(dpkg -L firejail | grep faudit)") diff -Nru firejail-0.9.60/test/chroot/chroot.sh firejail-0.9.62/test/chroot/chroot.sh --- firejail-0.9.60/test/chroot/chroot.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/chroot/chroot.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C rm -f unchroot gcc -o unchroot unchroot.c diff -Nru firejail-0.9.60/test/compile/compile.sh firejail-0.9.62/test/compile/compile.sh --- firejail-0.9.60/test/compile/compile.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/compile/compile.sh 2019-12-14 13:30:32.000000000 +0000 @@ -3,7 +3,7 @@ arr[1]="TEST 1: standard compilation" arr[2]="TEST 2: compile seccomp disabled" arr[3]="TEST 3: compile chroot disabled" -arr[4]="deprecated: TEST 4: compile bind disabled" +arr[4]="TEST 4: compile firetunnel disabled" arr[5]="TEST 5: compile user namespace disabled" arr[6]="TEST 6: compile network disabled" arr[7]="TEST 7: compile X11 disabled" 
@@ -108,6 +108,24 @@ rm output-configure output-make #***************************************************************** +# TEST 4 +#***************************************************************** +# - disable firetunnel configuration +#***************************************************************** +print_title "${arr[4]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test4 +grep Error output-configure output-make >> ./report-test4 +cp output-configure oc4 +cp output-make om4 +rm output-configure output-make + +#***************************************************************** # TEST 5 #***************************************************************** # - disable user namespace configuration diff -Nru firejail-0.9.60/test/environment/dns.exp firejail-0.9.62/test/environment/dns.exp --- firejail-0.9.60/test/environment/dns.exp 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/environment/dns.exp 2019-12-14 13:30:32.000000000 +0000 
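Review bot: The `# seccomp` comment inside the new TEST 4 block is stale: this test passes `--disable-firetunnel`, so the comment should read `# firetunnel` (it looks copied from the seccomp test). The preceding `cd firejail` is unchecked; if the checkout is missing, `make distclean` and `./configure` run in the test directory itself, so `cd firejail || exit 1` is safer, and the `2>&1 | tee` pipelines mask the exit status of configure and make, which is acceptable only because the report is built from grepping output-configure and output-make afterwards. The surrounding TEST blocks that this one presumably mirrors lie outside the hunk.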
@@ -1,31 +1,77 @@ #!/usr/bin/expect -f -set timeout 30 +set timeout 10 spawn $env(SHELL) match_max 100000 +send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2 --dns=1.2.3.4 sleep 1\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Warning: up to 4 DNS servers can be specified, 1.2.3.4 ignored" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "DNS server 8.8.4.4" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "DNS server 8.8.8.8" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "DNS server 4.2.2.1" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "DNS server ::2" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1.6\n";exit} + "Parent is shutting down, bye..." +} +after 100 + + +send -- "firejail --quiet --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2 --dns=1.2.3.4 cat /etc/passwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Warning: up to 4 DNS servers can be specified, 1.2.3.4 ignored" {puts "TESTING ERROR 2.1\n";exit} + "DNS server 8.8.4.4" {puts "TESTING ERROR 2.2\n";exit} + "DNS server 8.8.8.8" {puts "TESTING ERROR 2.3\n";exit} + "DNS server 4.2.2.1" {puts "TESTING ERROR 2.4\n";exit} + "DNS server ::2" {puts "TESTING ERROR 2.5\n";exit} + "Child process initialized" {puts "TESTING ERROR 2.6\n";exit} + "Parent is shutting down, bye..." 
{puts "TESTING ERROR 2.7\n";exit} + "root" +} +after 100 + send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2\r" expect { - timeout {puts "TESTING ERROR 2.1\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "Child process initialized" } sleep 1 send -- "cat /etc/resolv.conf\r" expect { - timeout {puts "TESTING ERROR 2.2\n";exit} + timeout {puts "TESTING ERROR 4.1\n";exit} "nameserver 8.8.4.4" } expect { - timeout {puts "TESTING ERROR 2.3\n";exit} + timeout {puts "TESTING ERROR 4.2\n";exit} "nameserver 8.8.8.8" } expect { - timeout {puts "TESTING ERROR 2.4\n";exit} + timeout {puts "TESTING ERROR 4.3\n";exit} "nameserver 4.2.2.1" } expect { - timeout {puts "TESTING ERROR 2.5\n";exit} + timeout {puts "TESTING ERROR 4.4\n";exit} "nameserver ::2" } after 100 @@ -35,27 +81,27 @@ send -- "firejail --profile=dns.profile\r" expect { - timeout {puts "TESTING ERROR 12.1\n";exit} + timeout {puts "TESTING ERROR 5.1\n";exit} "Child process initialized" } sleep 1 send -- "cat /etc/resolv.conf\r" expect { - timeout {puts "TESTING ERROR 12.2\n";exit} + timeout {puts "TESTING ERROR 5.2\n";exit} "nameserver 8.8.4.4" } expect { - timeout {puts "TESTING ERROR 12.3\n";exit} + timeout {puts "TESTING ERROR 5.3\n";exit} "nameserver 8.8.8.8" } expect { - timeout {puts "TESTING ERROR 12.4\n";exit} + timeout {puts "TESTING ERROR 5.4\n";exit} "nameserver 4.2.2.1" } after 100 expect { - timeout {puts "TESTING ERROR 12.5\n";exit} + timeout {puts "TESTING ERROR 5.5\n";exit} "nameserver ::2" } send -- "exit\r" 
@@ -63,15 +109,15 @@ send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" expect { - timeout {puts "TESTING ERROR 1.2\n";exit} + timeout {puts "TESTING ERROR 6.1\n";exit} "connect" } expect { - timeout {puts "TESTING ERROR 1.2\n";exit} + timeout {puts "TESTING ERROR 6.2\n";exit} "208.67.222.222" } expect { - timeout {puts "TESTING ERROR 1.2\n";exit} + timeout {puts "TESTING ERROR 6.3\n";exit} "53" } after 100 diff -Nru firejail-0.9.60/test/environment/environment.sh firejail-0.9.62/test/environment/environment.sh --- firejail-0.9.60/test/environment/environment.sh 2019-05-21 12:17:54.000000000 +0000 +++ firejail-0.9.62/test/environment/environment.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C echo "TESTING: timeout (test/environment/timeout.exp)" @@ -119,3 +120,6 @@ echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp" ./deterministic-exit-code.exp + +echo "TESTING: retain umask (test/environment/umask.exp" +(umask 123 && ./umask.exp) diff -Nru firejail-0.9.60/test/environment/rlimit.profile firejail-0.9.62/test/environment/rlimit.profile --- firejail-0.9.60/test/environment/rlimit.profile 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/environment/rlimit.profile 2019-12-14 13:30:32.000000000 +0000 @@ -1,5 +1,5 @@ - rlimit-fsize 1024 +rlimit-fsize 1024 rlimit-nproc 1000 - rlimit-nofile 500 -rlimit-sigpending 200 +rlimit-nofile 500 +rlimit-sigpending 200 rlimit-as 123456789012 diff -Nru firejail-0.9.60/test/environment/umask.exp firejail-0.9.62/test/environment/umask.exp --- firejail-0.9.60/test/environment/umask.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/test/environment/umask.exp 2019-12-14 13:30:32.000000000 +0000 
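Review bot: The new echo line in environment.sh is missing its closing parenthesis; it should be `echo "TESTING: retain umask (test/environment/umask.exp)"` so it matches the other TESTING lines. Running the check as `(umask 123 && ./umask.exp)` is the right shape, since the subshell keeps the modified umask from leaking into the tests that follow. The preceding deterministic-exit-code echo in the context shows the same missing parenthesis, but that line is pre-existing.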
@@ -0,0 +1,41 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "umask\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "0123" +} +after 100 + +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Warning: an existing sandbox was detected" +} +after 100 + +send -- "umask\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "0123" +} +after 100 + +send -- "exit\r" +after 100 + +send -- "exit\r" +sleep 1 + +puts "\nall done\n" diff -Nru firejail-0.9.60/test/fcopy/fcopy.sh firejail-0.9.62/test/fcopy/fcopy.sh --- firejail-0.9.60/test/fcopy/fcopy.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/fcopy/fcopy.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C if [ -f /etc/debian_version ]; then libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") diff -Nru firejail-0.9.60/test/filters/filters.sh firejail-0.9.62/test/filters/filters.sh --- firejail-0.9.60/test/filters/filters.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/filters/filters.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C if [ -f /etc/debian_version ]; then libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)") 
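Review bot: umask.exp silently depends on being started with umask 123, which is what makes both `"0123"` expectations hold; invoked directly it reports `TESTING ERROR 1`, which reads as a firejail defect rather than a harness precondition. A header comment would make this explicit, e.g. `# Precondition: the caller sets umask 123 (see environment.sh); the test verifies the sandbox and a nested firejail keep it.` The second `firejail` run drops `--noprofile`, so the check covers the default profile path as well, which is worth stating in the same comment.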
@@ -110,6 +111,9 @@ echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" ./seccomp-empty.exp +echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" +./seccomp-numeric.exp + if [ "$(uname -m)" = "x86_64" ]; then echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" ./seccomp-dualfilter.exp diff -Nru firejail-0.9.60/test/filters/noroot.exp firejail-0.9.62/test/filters/noroot.exp --- firejail-0.9.60/test/filters/noroot.exp 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/filters/noroot.exp 2019-12-14 13:30:32.000000000 +0000 
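Review bot: The new `./seccomp-numeric.exp` call runs unconditionally, but the script it starts (added later in this diff, test/filters/seccomp-numeric.exp) hard-codes `$263` and `$83`, which are unlinkat and mkdir only in the x86_64 syscall table; on other architectures those numbers name different system calls and the expected `No such file or directory` either does not appear or appears for the wrong reason. The two added lines belong inside the `if [ "$(uname -m)" = "x86_64" ]` block that already guards the dual-filter test, directly below them. A one-line comment in seccomp-numeric.exp such as `# syscall numbers are x86_64 specific` would document the constraint at the source as well.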
@@ -7,156 +7,130 @@ spawn $env(SHELL) match_max 100000 -send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r" +send -- "firejail --name=test --noroot --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit} - "noroot option is not available" {puts "TESTING SKIP: user namespace not available\n"; exit} "Child process initialized" } sleep 1 +# check seccomp disabled and all caps enabled send -- "cat /proc/self/status\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} - "CapBnd: 0000000000000000" -} -expect { timeout {puts "TESTING ERROR 2\n";exit} - "Seccomp:" + "CapBnd:" } expect { timeout {puts "TESTING ERROR 3\n";exit} - "2" + "ffffffff" } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Cpus_allowed:" + "Seccomp:" } -puts "\n" - -send -- "ping 0\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Operation not permitted" + "0" } -send -- "whoami\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - $env(USER) + "Cpus_allowed:" } -send -- "sudo -s\r" +puts "\n" + +send -- "whoami\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} - "Bad system call" { puts "OK\n";} + $env(USER) } -send -- "cat /proc/self/uid_map | wc -l\r" +send -- "sudo -s\r" expect { timeout {puts "TESTING ERROR 8\n";exit} - "1" + "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } -send -- "cat /proc/self/gid_map | wc -l\r" + +send -- "sudo su -\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "5" + "effective uid is not 0" {puts "OK\n"} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } -puts "\n" -send -- "exit\r" -sleep 2 - - - -send -- "firejail --name=test --noroot --noprofile\r" +send -- "sudo ls\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + "effective uid is not 0" {puts "OK\n"} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } -sleep 1 -send -- "cat /proc/self/status\r" +send -- "cat /proc/self/uid_map | wc -l\r" expect { timeout {puts "TESTING ERROR 11\n";exit} - "CapBnd:" + "1" } +send -- "cat /proc/self/gid_map | wc -l\r" expect { timeout {puts "TESTING ERROR 12\n";exit} - "ffffffff" + "5" } + + + +spawn $env(SHELL) +send -- "firejail --debug --join=test\r" expect { timeout {puts "TESTING ERROR 13\n";exit} - "Seccomp:" + "User namespace detected" } expect { timeout {puts "TESTING ERROR 14\n";exit} - "2" {puts "seccomp already active\n";} - "0" -} -expect { - timeout {puts "TESTING ERROR 15\n";exit} - "Cpus_allowed:" + "Joining user namespace" } -puts "\n" +sleep 1 -send -- "whoami\r" -expect { - timeout {puts "TESTING ERROR 16\n";exit} - $env(USER) -} send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 17\n";exit} + timeout {puts "TESTING ERROR 15\n";exit} "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} -} -send -- "ping 0\r" -expect { - timeout {puts "TESTING ERROR 18\n";exit} - "Operation not permitted" + "Permission denied" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 19\n";exit} + timeout {puts "TESTING ERROR 16\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 20\n";exit} + timeout {puts "TESTING ERROR 17\n";exit} "5" } - - -spawn $env(SHELL) -send -- "firejail --debug --join=test\r" +# check seccomp disabled and all caps enabled +send -- "cat /proc/self/status\r" expect { - timeout {puts "TESTING ERROR 21\n";exit} - "User namespace detected" + timeout {puts "TESTING ERROR 18\n";exit} + "CapBnd:" } expect { - timeout {puts "TESTING ERROR 22\n";exit} - "Joining user namespace" + timeout {puts "TESTING ERROR 19\n";exit} + "ffffffff" } -sleep 1 - -send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 23\n";exit} - "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} - "Permission denied" { puts "OK\n";} + timeout {puts "TESTING ERROR 20\n";exit} + "Seccomp:" } -send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 24\n";exit} - "1" + timeout {puts "TESTING ERROR 21\n";exit} + "0" } -send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 25\n";exit} - "5" + timeout {puts "TESTING ERROR 22\n";exit} + "Cpus_allowed:" } +puts "\n" + + after 100 puts "\nall done\n" diff -Nru firejail-0.9.60/test/filters/seccomp-numeric.exp firejail-0.9.62/test/filters/seccomp-numeric.exp --- firejail-0.9.60/test/filters/seccomp-numeric.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/test/filters/seccomp-numeric.exp 2019-12-14 13:30:32.000000000 +0000 
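Review bot: The rewritten first expect block drops the two SKIP branches that the old script had, `"cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}` and `"noroot option is not available" {puts "TESTING SKIP: user namespace not available\n"; exit}`, so on a host where unprivileged user namespaces are disabled the test now times out with `TESTING ERROR 1` instead of reporting a skip. Restoring those two lines in the first expect keeps the result distinguishable from a real noroot failure. The `"Seccomp:"` followed by a bare `"0"` pattern may also match a zero in a later /proc/self/status field if the Seccomp value is not 0, so a tighter pattern such as `"Seccomp:\t0"` would make the seccomp-disabled check stricter, if the spawned shell preserves the tab.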
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch seccomp-test-file\r"
+after 100
+
+send -- "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "firejail --seccomp=\\\$263:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT mkdir seccomp-test-dir\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "firejail --seccomp=unlinkat:ENOENT,\\\$83:ENOENT mkdir seccomp-test-dir\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "No such file or directory"
+}
+after 100
+
+send -- "rm seccomp-test-file\r"
+#send -- "rm -fr seccomp-test-dir\r"
+after 100
+puts "all done\n"
diff -Nru firejail-0.9.60/test/filters/seccomp-su.exp firejail-0.9.62/test/filters/seccomp-su.exp
--- firejail-0.9.60/test/filters/seccomp-su.exp 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/test/filters/seccomp-su.exp 2019-12-14 13:30:32.000000000 +0000
@@ -28,13 +28,6 @@
 "Bad system call" {puts "OK\n"} } -send -- "ping google.com\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Operation not permitted" {puts "OK\n"} - "unknown host" {puts "OK\n"} -} - send -- "exit\r" after 100 puts "all done\n"
diff -Nru firejail-0.9.60/test/fs/fs.sh firejail-0.9.62/test/fs/fs.sh
--- firejail-0.9.60/test/fs/fs.sh 2019-05-26 11:13:23.000000000 +0000
+++ firejail-0.9.62/test/fs/fs.sh 2019-12-14 13:30:32.000000000 +0000
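Review bot: Every expectation in seccomp-numeric.exp is the generic string "No such file or directory", which a missing seccomp-test-file would produce just as well, so a failed touch or a filter that never fired is not distinguished from a filter that returned ENOENT. After the two filtered rm runs, confirm the file is still there, e.g. `send -- "ls -l seccomp-test-file\r"` with an expect for the mode prefix `"-rw"`, before the final cleanup. The seccomp-test-dir cleanup is left commented out; running `rm -fr seccomp-test-dir` unconditionally is harmless and keeps a future mkdir-filter regression from leaving the directory behind in the test tree.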
@@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C # These directories are required by some tests: mkdir -p ~/Desktop ~/Documents ~/Downloads ~/Music ~/Pictures ~/Videos @@ -20,6 +21,8 @@ touch ~/_firejail_test_dir/test1/b echo "TESTING: read/write (test/fs/read-write.exp)" ./read-write.exp +echo "TESTING: whitelist readonly (test/fs/whitelist-readonly.exp)" +./whitelist-readonly.exp rm -fr ~/_firejail_test_* echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" @@ -69,6 +72,9 @@ echo "TESTING: private-bin (test/fs/private-bin.exp)" ./private-bin.exp +echo "TESTING: private-cache (test/fs/private-cache.exp)" +./private-cache.exp + echo "TESTING: private-cwd (test/fs/private-cwd.exp)" ./private-cwd.exp @@ -93,6 +99,12 @@ echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" ./option_blacklist_glob.exp +echo "TESTING: noblacklist blacklist noexec (test/fs/noblacklist-blacklist-noexec.exp)" +./noblacklist-blacklist-noexec.exp + +echo "TESTING: noblacklist blacklist readonly (test/fs/noblacklist-blacklist-readonly.exp)" +./noblacklist-blacklist-readonly.exp + echo "TESTING: bind as user (test/fs/option_bind_user.exp)" ./option_bind_user.exp @@ -108,6 +120,12 @@ echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" ./whitelist-dev.exp +echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)" +./whitelist-noexec.exp + +echo "TESTING: whitelist with whitespaces (test/fs/whitelist-whitespace.exp)" +./whitelist-whitespace.exp + echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" ./fscheck-bindnoroot.exp diff -Nru firejail-0.9.60/test/fs/noblacklist-blacklist-noexec.exp firejail-0.9.62/test/fs/noblacklist-blacklist-noexec.exp --- firejail-0.9.60/test/fs/noblacklist-blacklist-noexec.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/test/fs/noblacklist-blacklist-noexec.exp 2019-12-14 13:30:32.000000000 +0000 
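Review bot: `export LC_ALL=C` is pasted identically into fs.sh, network.sh, profiles.sh, root.sh, sysutils.sh and utils.sh in this release; a single sourced snippet, or setting it once in the top-level driver that invokes these runners, would keep the six copies from drifting the next time a common variable is needed. The new invocations also follow the existing convention of running each .exp without checking its status, so a "TESTING ERROR" from whitelist-readonly.exp or private-cache.exp leaves fs.sh's exit code at zero. If that is intended, a one-line comment at the top of the runner such as `# failures are reported as "TESTING ERROR" in the log, not via exit status` would save the next reader from looking for the missing check.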
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set PWD $env(PWD)
+
+
+send -- "firejail --noprofile --noblacklist=$PWD --blacklist=$PWD --noexec=$PWD\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls $PWD\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "noblacklist-blacklist-noexec.exp"
+}
+after 100
+
+send -- "$PWD/noblacklist-blacklist-noexec.exp\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff -Nru firejail-0.9.60/test/fs/noblacklist-blacklist-readonly.exp firejail-0.9.62/test/fs/noblacklist-blacklist-readonly.exp
--- firejail-0.9.60/test/fs/noblacklist-blacklist-readonly.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/test/fs/noblacklist-blacklist-readonly.exp 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,35 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --noprofile --noblacklist=~ --blacklist=~ --read-only=~\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls ~\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Downloads"
+}
+after 100
+
+send -- "echo World > ~/Hello\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Read-only file system"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff -Nru firejail-0.9.60/test/fs/private-cache.exp firejail-0.9.62/test/fs/private-cache.exp
--- firejail-0.9.60/test/fs/private-cache.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/test/fs/private-cache.exp 2019-12-14 13:30:32.000000000 +0000
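Review bot: The "Permission denied" expectation on `$PWD/noblacklist-blacklist-noexec.exp` cannot tell a working --noexec mount from a checkout where the .exp file simply lost its execute bit, and the same applies to the identical check in whitelist-noexec.exp. Establish the control before the sandbox is spawned, e.g. `send -- "ls -l $PWD/noblacklist-blacklist-noexec.exp\r"` with an expect for `"-rwx"`, so the later denial is attributable to the noexec mount. $PWD is also spliced into the send strings unquoted, so a checkout path containing a space breaks both the firejail command line and the ls; if the test is only meant to run from inside the tree, a comment saying so is enough.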
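Review bot: If --read-only=~ is not in effect, `echo World > ~/Hello` succeeds inside the sandbox and a stray `~/Hello` is left in the real home directory, where nothing in this script or in fs.sh removes it. Add `send -- "rm -f ~/Hello\r"` after the `exit`, or write into ~/_firejail_test_dir the way whitelist-readonly.exp does, since fs.sh already purges that prefix after the read/write tests.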
@@ -0,0 +1,53 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+if {[file exists ~/.cache]} {
+ puts "found .cache directory\n"
+} else {
+ send -- "mkdir --mode=755 ~/.cache\r"
+}
+after 100
+
+send -- "touch ~/.cache/abcdefg\r"
+after 100
+
+send -- "firejail --noprofile --private-cache\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/.cache\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "total 0"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "rm -v ~/.cache/abcdefg\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "removed"
+}
+after 100
+
+# redo the test with --private
+
+send -- "firejail --noprofile --private --private-cache\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Warning"
+}
+sleep 1
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff -Nru firejail-0.9.60/test/fs/whitelist-dev.exp firejail-0.9.62/test/fs/whitelist-dev.exp
--- firejail-0.9.60/test/fs/whitelist-dev.exp 2019-04-21 11:42:59.000000000 +0000
+++ firejail-0.9.62/test/fs/whitelist-dev.exp 2019-12-14 13:30:32.000000000 +0000
@@ -14,10 +14,10 @@
 } sleep 1 -send -- "find /dev | wc -l\r" +send -- "ls /dev | wc -l\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "2" + "1" } after 100 send -- "exit\r"
@@ -33,7 +33,7 @@
 send -- "find /dev | wc -l\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
- "4"
+ "1"
 }
 after 100
 send -- "exit\r"
@@ -46,7 +46,7 @@
 } sleep 1 -send -- "ls -l /dev | wc -l\r" +send -- "ls /dev | wc -l\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "12" {puts "OK\n"}
diff -Nru firejail-0.9.60/test/fs/whitelist-noexec.exp firejail-0.9.62/test/fs/whitelist-noexec.exp
--- firejail-0.9.60/test/fs/whitelist-noexec.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/test/fs/whitelist-noexec.exp 2019-12-14 13:30:32.000000000 +0000
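Review bot: The --private --private-cache case only expects "Warning", which any warning line firejail prints would satisfy, so the check does not pin the behaviour this half of the test exists for; match the specific message the option combination emits (its text is not visible in this diff). The script also creates ~/.cache with `mkdir --mode=755` when it is absent and never removes it, a permanent change on a clean test account, and it is the only new test in this release without the Firejail license header that the neighbouring files carry.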
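Review bot: The new expected count `"1"` in the first whitelist-dev.exp hunk is a substring match, so `ls /dev | wc -l` printing 10, 11 or 21 also passes, and the same applies to the `"1"` in the second hunk. Anchor the number to a line boundary, e.g. `-re "\[\r\n\]1\[\r\n\]"`, so a partially populated /dev is caught. Note that the second hunk still counts with `find /dev | wc -l` while the first and third were switched to `ls`; since find prints the starting directory itself, an empty /dev presumably gives 1 from find but 0 from ls, and a comment stating which layout each expectation assumes would make the differing commands look deliberate.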
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set PWD $env(PWD)
+
+
+send -- "firejail --noprofile --whitelist=$PWD --noexec=$PWD\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls $PWD\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "whitelist-noexec.exp"
+}
+after 100
+
+send -- "$PWD/whitelist-noexec.exp\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff -Nru firejail-0.9.60/test/fs/whitelist-readonly.exp firejail-0.9.62/test/fs/whitelist-readonly.exp
--- firejail-0.9.60/test/fs/whitelist-readonly.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/test/fs/whitelist-readonly.exp 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,28 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --noprofile --whitelist=~/_firejail_test_dir --read-only=~\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > ~/_firejail_test_dir/a\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Read-only file system"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff -Nru firejail-0.9.60/test/fs/whitelist-whitespace.exp firejail-0.9.62/test/fs/whitelist-whitespace.exp
--- firejail-0.9.60/test/fs/whitelist-whitespace.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/test/fs/whitelist-whitespace.exp 2019-12-14 13:30:32.000000000 +0000
@@ -0,0 +1,34 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "touch ~/filewith\\\ \\\ many\\\ whitespaces\\\ \r" +after 100 + +send -- "firejail --noprofile --whitelist=~/filewith\\\ \\\ many\\\ whitespaces\\\ \r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls ~\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "filewith many whitespaces " +} +after 100 + +send -- "exit\r" +sleep 1 + +send -- "rm -v ~/filewith\\\ \\\ many\\\ whitespaces\\\ \r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "removed" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.60/test/network/network.sh firejail-0.9.62/test/network/network.sh --- firejail-0.9.60/test/network/network.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/network/network.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C sudo ./configure diff -Nru firejail-0.9.60/test/profiles/profiles.sh firejail-0.9.62/test/profiles/profiles.sh --- firejail-0.9.60/test/profiles/profiles.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/profiles/profiles.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C echo "TESTING: profile conditional (test/profiles/conditional.exp)" ./conditional.exp diff -Nru firejail-0.9.60/test/root/root.sh firejail-0.9.62/test/root/root.sh --- firejail-0.9.60/test/root/root.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/root/root.sh 2019-12-14 13:30:32.000000000 +0000 
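Review bot: The file created by the first send in whitelist-whitespace.exp is only removed by the `rm -v` at the very end, so a timeout at ERROR 1 or ERROR 3 exits the script and leaves the oddly named file in the real home directory with nothing else cleaning it up. Creating it under ~/_firejail_test_dir, or adding a matching `rm -f` to the cleanup in fs.sh, would keep a failed run from polluting $HOME. The error numbering also jumps from 1 to 3 and 4 and the file lacks the license header the other new tests carry, which reads as a leftover from an earlier draft.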
@@ -3,6 +3,7 @@ # set a new firejail config file #cp firejail.config /etc/firejail/firejail.config +export LC_ALL=C #******************************** # firecfg diff -Nru firejail-0.9.60/test/sysutils/sysutils.sh firejail-0.9.62/test/sysutils/sysutils.sh --- firejail-0.9.60/test/sysutils/sysutils.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/sysutils/sysutils.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C which cpio 2>/dev/null if [ "$?" -eq 0 ]; diff -Nru firejail-0.9.60/test/utils/~ firejail-0.9.62/test/utils/~ --- firejail-0.9.60/test/utils/~ 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/test/utils/~ 2019-12-27 07:26:53.000000000 +0000 @@ -0,0 +1,247 @@ + + + + + Debian -- The Universal Operating System + + + + + + + + + + + + + + + + + + + + +
+Download Debian 10.2(64-bit PC Network installer) +
+

Debian

+
+
+

Debian is a free operating system (OS) for your computer. +An operating system is the set of basic programs and utilities that make +your computer run. +

+

Debian provides more than a pure OS: it comes with over +59000 packages, precompiled software bundled +up in a nice format for easy installation on your machine. Read more...

+
+ +

The latest stable release of Debian is +10.2. The last update to this release was made on +November 16th, 2019. Read more about available +versions of Debian.

+

Getting Started

+

Please use the navigation bar at the top of this page to access more content.

+

In addition, users that speak languages other than English may check the +international section, and, people who use systems other +than Intel x86 should check the ports section.

+
+ +

News

+

[16 Nov 2019] Updated Debian 10: 10.2 released
+[08 Sep 2019] Updated Debian 9: 9.11 released
+[07 Sep 2019] Updated Debian 10: 10.1 released
+[07 Sep 2019] Updated Debian 9: 9.10 released
+[27 Jul 2019] DebConf19 closes in Curitiba and DebConf20 dates announced
+[07 Jul 2019] Debian Edu / Skolelinux Buster — a complete Linux solution for your school
+

+

For older news items see the News Page. +If you would like to receive mail whenever new Debian news comes out, subscribe to the +debian-announce mailing list.

+
+ +

Security Advisories

+

[20 Dec 2019] DSA-4591 cyrus-sasl2 - security update
+[19 Dec 2019] DSA-4590 cyrus-imapd - security update
+[18 Dec 2019] DSA-4589 debian-edu-config - security update
+[17 Dec 2019] DSA-4588 python-ecdsa - security update
+[17 Dec 2019] DSA-4587 ruby2.3 - security update
+[17 Dec 2019] DSA-4586 ruby2.5 - security update
+[15 Dec 2019] DSA-4585 thunderbird - security update
+[14 Dec 2019] DSA-4584 spamassassin - security update
+[13 Dec 2019] DSA-4583 spip - security update
+[13 Dec 2019] DSA-4582 davical - security update
+

+

For older security advisories see the +Security Page. +If you would like to receive security advisories as soon as they're announced, subscribe to the +debian-security-announce +mailing list.

+
+
+ + + diff -Nru firejail-0.9.60/test/utils/build.exp firejail-0.9.62/test/utils/build.exp --- firejail-0.9.60/test/utils/build.exp 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/utils/build.exp 2019-12-14 13:30:32.000000000 +0000 @@ -61,24 +61,40 @@ } after 100 -send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "whitelist /var/tmp/firejail-test-file-7699" -} +send -- "rm firejail-test-file-4388\r" after 100 - -send -- "firejail --build man firejail\r" +send -- "firejail --build=firejail-test-file-4388 cat /etc/passwd\r" +after 100 +send -- "cat firejail-test-file-4388\r" expect { - timeout {puts "TESTING ERROR 12\n";exit} - "whitelist /usr/share/man" + timeout {puts "TESTING ERROR 10.1\n";exit} + "private-etc passwd," } after 100 -send -- "firejail --build wget blablabla\r" + +#send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r" +#expect { +# timeout {puts "TESTING ERROR 11\n";exit} +# "whitelist /var/tmp/firejail-test-file-7699" +#} +#after 100 + +#send -- "firejail --build man firejail\r" +#expect { +# timeout {puts "TESTING ERROR 12\n";exit} +# "whitelist /usr/share/man" +#} +#after 100 + +send -- "firejail --build wget --output-document=~ debian.org\r" expect { timeout {puts "TESTING ERROR 13\n";exit} - "protocol inet" + "protocol" +} +expect { + timeout {puts "TESTING ERROR 13.1\n";exit} + "inet" } after 100 diff -Nru firejail-0.9.60/test/utils/utils.sh firejail-0.9.62/test/utils/utils.sh --- firejail-0.9.60/test/utils/utils.sh 2019-04-21 11:42:59.000000000 +0000 +++ firejail-0.9.62/test/utils/utils.sh 2019-12-14 13:30:32.000000000 +0000 @@ -5,6 +5,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C if [ -f /etc/debian_version ]; then libdir=$(dirname "$(dpkg -L firejail | grep faudit)") 
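Review bot: `wget --output-document=~ debian.org` passes a literal `~` to wget, since the shell does not tilde-expand a word that starts with `-`, and the file section just above this hunk shows the consequence: the 0.9.62 tarball ships test/utils/~, a 247-line copy of the Debian home page whose timestamp (2019-12-27) is later than every other file in the release. Write to a named scratch file instead, e.g. `send -- "firejail --build wget --output-document=firejail-test-file-4388.html debian.org\r"`, and add `rm -f firejail-test-file-4388.html` next to the new `rm -f firejail-test-file-4388` line in utils.sh so the artifact never reaches a release. The test now also needs working network access to debian.org where the old `wget blablabla` only needed name resolution to fail, which deserves a comment so an offline "TESTING ERROR 13" is not read as a --build regression. Tests 11 and 12 are kept as commented-out code; either remove them or add a line saying why they were disabled.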
@@ -20,6 +21,7 @@ rm -f ~/firejail-test-file-7699 rm -f /tmp/firejail-test-file-7699 rm -f /var/tmp/firejail-test-file-7699 +rm -f firejail-test-file-4388 if [ $(readlink /proc/self) -lt 100 ]; then echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)"