diff -Nru firejail-0.9.64.4/configure firejail-0.9.66/configure --- firejail-0.9.64.4/configure 2021-02-05 22:05:18.000000000 +0000 +++ firejail-0.9.66/configure 2021-06-28 14:39:09.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.64.4. +# Generated by GNU Autoconf 2.69 for firejail 0.9.66. # # Report bugs to . # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.64.4' -PACKAGE_STRING='firejail 0.9.64.4' +PACKAGE_VERSION='0.9.66' +PACKAGE_STRING='firejail 0.9.66' PACKAGE_BUGREPORT='netblue30@protonmail.com' PACKAGE_URL='https://firejail.wordpress.com' @@ -627,7 +627,8 @@ EGREP GREP CPP -HAVE_SELINUX +HAVE_LTS +HAVE_FORCE_NONEWPRIVS HAVE_CONTRIB_INSTALL HAVE_GCOV BUSYBOX_WORKAROUND @@ -645,10 +646,12 @@ HAVE_GAWK HAVE_MAN HAVE_USERTMPFS +HAVE_OUTPUT HAVE_OVERLAYFS HAVE_DBUSPROXY EXTRA_LDFLAGS EXTRA_CFLAGS +HAVE_SELINUX HAVE_APPARMOR AA_LIBS AA_CFLAGS @@ -710,7 +713,9 @@ enable_option_checking enable_analyzer enable_apparmor +enable_selinux enable_dbusproxy +enable_output enable_usertmpfs enable_man enable_firetunnel @@ -727,7 +732,8 @@ enable_busybox_workaround enable_gcov enable_contrib_install -enable_selinux +enable_force_nonewprivs +enable_lts ' ac_precious_vars='build_alias host_alias @@ -1293,7 +1299,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.64.4 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.66 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1355,7 +1361,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.64.4:";; + short | recursive ) echo "Configuration of firejail 0.9.66:";; esac cat <<\_ACEOF @@ -1363,9 +1369,11 @@ --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] - --enable-analyzer enable GCC 10 static analyzer + --enable-analyzer enable GCC static analyzer --enable-apparmor enable apparmor + --enable-selinux SELinux labeling support --disable-dbusproxy disable dbus proxy + --disable-output disable --output logging --disable-usertmpfs disable tmpfs as regular user --disable-man disable man pages --disable-firetunnel disable firetunnel @@ -1385,7 +1393,9 @@ --enable-gcov Gcov instrumentation --enable-contrib-install install contrib scripts - --enable-selinux SELinux labeling support + --enable-force-nonewprivs + enable force nonewprivs + --enable-lts enable long-term support software version (LTS) Some influential environment variables: CC C compiler command @@ -1471,7 +1481,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.64.4 +firejail configure 0.9.66 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1773,7 +1783,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.64.4, which was +It was created by firejail $as_me 0.9.66, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3161,7 +3171,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5 $as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; } if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" else : @@ -3197,7 +3207,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5 $as_echo "$ax_cv_check_cflags___mretpoline" >&6; } if test "x$ax_cv_check_cflags___mretpoline" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" else : @@ -3233,7 +3243,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5 $as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; } if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" else : @@ -3269,7 +3279,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 $as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; } if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" else : @@ -3283,7 +3293,7 @@ if test "x$enable_analyzer" = "xyes"; then : - EXTRA_CFLAGS+=" -fanalyzer" + EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak" fi @@ -3505,9 +3515,23 @@ AA_LIBS=$pkg_cv_AA_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS" + EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS" +fi + + +fi + +HAVE_SELINUX="" +# Check whether --enable-selinux was given. +if test "${enable_selinux+set}" = set; then : + enableval=$enable_selinux; fi +if test "x$enable_selinux" = "xyes"; then : + + HAVE_SELINUX="-DHAVE_SELINUX" + EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux " + fi @@ -3539,7 +3563,20 @@ # AC_SUBST(HAVE_OVERLAYFS) #]) -HAVE_USERTMPS="" +HAVE_OUTPUT="" +# Check whether --enable-output was given. +if test "${enable_output+set}" = set; then : + enableval=$enable_output; +fi + +if test "x$enable_output" != "xno"; then : + + HAVE_OUTPUT="-DHAVE_OUTPUT" + + +fi + +HAVE_USERTMPFS="" # Check whether --enable-usertmpfs was given. if test "${enable_usertmpfs+set}" = set; then : enableval=$enable_usertmpfs; @@ -3773,7 +3810,7 @@ if test "x$enable_gcov" = "xyes"; then : HAVE_GCOV="--coverage -DHAVE_GCOV " - EXTRA_LDFLAGS+=" -lgcov --coverage " + EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage " fi @@ -3792,20 +3829,80 @@ fi -HAVE_SELINUX="" -# Check whether --enable-selinux was given. -if test "${enable_selinux+set}" = set; then : - enableval=$enable_selinux; +HAVE_FORCE_NONEWPRIVS="" +# Check whether --enable-force-nonewprivs was given. +if test "${enable_force_nonewprivs+set}" = set; then : + enableval=$enable_force_nonewprivs; fi -if test "x$enable_selinux" = "xyes"; then : +if test "x$enable_force_nonewprivs" = "xyes"; then : - HAVE_SELINUX="-DHAVE_SELINUX" - EXTRA_LDFLAGS+=" -lselinux " + HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" fi +HAVE_LTS="" +# Check whether --enable-lts was given. +if test "${enable_lts+set}" = set; then : + enableval=$enable_lts; +fi + +if test "x$enable_lts" = "xyes"; then : + + HAVE_LTS="-DHAVE_LTS" + + + HAVE_DBUSPROXY="" + + + HAVE_OVERLAYFS="" + + + HAVE_OUTPUT="" + + + HAVE_USERTMPFS="" + + + HAVE_MAN="-DHAVE_MAN" + + + HAVE_FIRETUNNEL="" + + + HAVE_PRIVATEHOME="" + + + HAVE_CHROOT="" + + + HAVE_GLOBALCFG="" + + + HAVE_USERNS="" + + + HAVE_X11="" + + + HAVE_FILE_TRANSFER="" + + + HAVE_SUID="yes" + + + BUSYBOX_WORKAROUND="no" + + + HAVE_CONTRIB_INSTALL="no", + + +fi + + + + # checking pthread library { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 $as_echo_n "checking for main in -lpthread... " >&6; } @@ -4269,7 +4366,7 @@ ac_config_files="$ac_config_files mkdeb.sh" -ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile test/Makefile" +ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4813,7 +4910,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.64.4, which was +This file was extended by firejail $as_me 0.9.66, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4867,7 +4964,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.64.4 +firejail config.status 0.9.66 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -4993,14 +5090,16 @@ "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; - "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; + "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;; + "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;; "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; + "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac @@ -5461,31 +5560,49 @@ fi -echo -echo "Configuration options:" -echo " prefix: $prefix" -echo " sysconfdir: $sysconfdir" -echo " apparmor: $HAVE_APPARMOR" -echo " global config: $HAVE_GLOBALCFG" -echo " chroot: $HAVE_CHROOT" -echo " network: $HAVE_NETWORK" -echo " user namespace: $HAVE_USERNS" -echo " X11 sandboxing support: $HAVE_X11" -echo " whitelisting: $HAVE_WHITELIST" -echo " private home support: $HAVE_PRIVATE_HOME" -echo " file transfer support: $HAVE_FILE_TRANSFER" -echo " overlayfs support: $HAVE_OVERLAYFS" -echo " DBUS proxy support: $HAVE_DBUSPROXY" -echo " allow tmpfs as regular user: $HAVE_USERTMPFS" -echo " Manpage support: $HAVE_MAN" -echo " firetunnel support: $HAVE_FIRETUNNEL" -echo " busybox workaround: $BUSYBOX_WORKAROUND" -echo " Spectre compiler patch: $HAVE_SPECTRE" -echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" -echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" -echo " fatal warnings: $HAVE_FATAL_WARNINGS" -echo " Gcov instrumentation: $HAVE_GCOV" -echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" -echo " SELinux labeling support: $HAVE_SELINUX" -echo " Install as a SUID executable: $HAVE_SUID" -echo +cat </dev/null; then diff -Nru firejail-0.9.64.4/contrib/fjclip.py firejail-0.9.66/contrib/fjclip.py --- firejail-0.9.64.4/contrib/fjclip.py 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/fjclip.py 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 import sys diff -Nru firejail-0.9.64.4/contrib/fjdisplay.py firejail-0.9.66/contrib/fjdisplay.py --- firejail-0.9.64.4/contrib/fjdisplay.py 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/fjdisplay.py 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 import re diff -Nru firejail-0.9.64.4/contrib/fj-mkdeb.py firejail-0.9.66/contrib/fj-mkdeb.py --- firejail-0.9.64.4/contrib/fj-mkdeb.py 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/fj-mkdeb.py 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # This script automates the workaround for https://github.com/netblue30/firejail/issues/772 diff -Nru firejail-0.9.64.4/contrib/fjresize.py firejail-0.9.66/contrib/fjresize.py --- firejail-0.9.64.4/contrib/fjresize.py 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/fjresize.py 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 import sys diff -Nru firejail-0.9.64.4/contrib/gdb-firejail.sh firejail-0.9.66/contrib/gdb-firejail.sh --- firejail-0.9.64.4/contrib/gdb-firejail.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/gdb-firejail.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set -x diff -Nru firejail-0.9.64.4/contrib/jail_prober.py firejail-0.9.66/contrib/jail_prober.py --- firejail-0.9.64.4/contrib/jail_prober.py 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/jail_prober.py 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 """ Figure out which profile options may be causing a particular program to break @@ -70,6 +70,19 @@ return profile +def absolute_include(word): + home = os.environ['HOME'] + path = home + '/.config/firejail/' + + option, filename = word.split('=') + absolute_filename = path + filename + + if not os.path.isfile(absolute_filename): + absolute_filename = '${CFG}/' + filename + + return option + '=' + absolute_filename + + def arg_converter(arg_list, style): """ Convert between firejail command-line arguments (--example=something) and @@ -94,9 +107,12 @@ if style == 'to_profile': new_args = [word[2:] for word in new_args] - # Remove invalid '--include' args if converting to command-line form elif style == 'to_commandline': - new_args = [word for word in new_args if 'include' not in word] + new_args = [ + absolute_include(word) if word.startswith('--include') + else word + for word in new_args + ] return new_args @@ -148,8 +164,12 @@ def main(): - profile_path = sys.argv[1] - program = sys.argv[2] + try: + profile_path = sys.argv[1] + program = sys.argv[2] + except IndexError: + print('USAGE: jail_prober.py ') + sys.exit() # Quick error check and extract arguments check_params(profile_path) profile = get_args(profile_path) diff -Nru firejail-0.9.64.4/contrib/sort.py firejail-0.9.66/contrib/sort.py --- firejail-0.9.64.4/contrib/sort.py 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/sort.py 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 """ Sort the items of multi-item options in profiles, the following options are supported: @@ -35,43 +35,16 @@ def sort_protocol(protocols): """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" + # shortcut for common protocol lines if protocols in ("unix", "unix,inet,inet6"): return protocols + fixed_protocols = "" - present_protocols = { - "unix": False, - "inet": False, - "inet6": False, - "netlink": False, - "packet": False, - "bluetooth": False, - } - for protocol in protocols.split(","): - if protocol == "unix": - present_protocols["unix"] = True - elif protocol == "inet": - present_protocols["inet"] = True - elif protocol == "inet6": - present_protocols["inet6"] = True - elif protocol == "netlink": - present_protocols["netlink"] = True - elif protocol == "packet": - present_protocols["packet"] = True - elif protocol == "bluetooth": - present_protocols["bluetooth"] = True - if present_protocols["unix"]: - fixed_protocols += "unix," - if present_protocols["inet"]: - fixed_protocols += "inet," - if present_protocols["inet6"]: - fixed_protocols += "inet6," - if present_protocols["netlink"]: - fixed_protocols += "netlink," - if present_protocols["packet"]: - fixed_protocols += "packet," - if present_protocols["bluetooth"]: - fixed_protocols += "bluetooth," + for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): + for prefix in ("", "-", "+", "="): + if f",{prefix}{protocol}," in f",{protocols},": + fixed_protocols += f"{prefix}{protocol}," return fixed_protocols[:-1] @@ -80,7 +53,7 @@ lines = profile.read().split("\n") was_fixed = False fixed_profile = [] - for line in lines: + for lineno, line in enumerate(lines): if line[:12] in ("private-bin ", "private-etc ", "private-lib "): fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" elif line[:13] in ("seccomp.drop ", "seccomp.keep "): @@ -95,6 +68,10 @@ fixed_line = line if fixed_line != line: was_fixed = True + print( + f"{filename}:{lineno + 1}:-{line}\n" + f"{filename}:{lineno + 1}:+{fixed_line}" + ) fixed_profile.append(fixed_line) if was_fixed: profile.seek(0) @@ -108,6 +85,7 @@ def main(args): exit_code = 0 + print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...") for filename in args: try: if exit_code not in (1, 101): @@ -120,8 +98,8 @@ except PermissionError: print(f"[ Error ] Can't read/write `{filename}'") exit_code = 1 - except: - print(f"[ Error ] An error occurred while processing `{filename}'") + except Exception as err: + print(f"[ Error ] An error occurred while processing `{filename}': {err}") exit_code = 1 return exit_code diff -Nru firejail-0.9.64.4/contrib/syscalls.sh firejail-0.9.66/contrib/syscalls.sh --- firejail-0.9.64.4/contrib/syscalls.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/syscalls.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt" diff -Nru firejail-0.9.64.4/contrib/update_deb.sh firejail-0.9.66/contrib/update_deb.sh --- firejail-0.9.64.4/contrib/update_deb.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/update_deb.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # Purpose: Fetch, compile, and install firejail from GitHub source. For diff -Nru firejail-0.9.64.4/contrib/vim/ftdetect/firejail.vim firejail-0.9.66/contrib/vim/ftdetect/firejail.vim --- firejail-0.9.64.4/contrib/vim/ftdetect/firejail.vim 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/vim/ftdetect/firejail.vim 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ -autocmd BufNewFile,BufRead /etc/firejail/*.profile set filetype=firejail -autocmd BufNewFile,BufRead /etc/firejail/*.local set filetype=firejail -autocmd BufNewFile,BufRead /etc/firejail/*.inc set filetype=firejail -autocmd BufNewFile,BufRead ~/.config/firejail/*.profile set filetype=firejail -autocmd BufNewFile,BufRead ~/.config/firejail/*.local set filetype=firejail -autocmd BufNewFile,BufRead ~/.config/firejail/*.inc set filetype=firejail +autocmd BufNewFile,BufRead /etc/firejail/*.profile setfiletype firejail +autocmd BufNewFile,BufRead /etc/firejail/*.local setfiletype firejail +autocmd BufNewFile,BufRead /etc/firejail/*.inc setfiletype firejail +autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail +autocmd BufNewFile,BufRead ~/.config/firejail/*.local setfiletype firejail +autocmd BufNewFile,BufRead ~/.config/firejail/*.inc setfiletype firejail diff -Nru firejail-0.9.64.4/contrib/vim/syntax/firejail.vim firejail-0.9.66/contrib/vim/syntax/firejail.vim --- firejail-0.9.64.4/contrib/vim/syntax/firejail.vim 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/contrib/vim/syntax/firejail.vim 2021-06-22 15:51:28.000000000 +0000 @@ -20,19 +20,20 @@ syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained syn match fjProtocolList /,/ nextgroup=fjProtocol contained -" Syscalls grabbed from: src/include/syscall.h -" Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' ' -syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained +" Syscalls grabbed from: src/include/syscall*.h +" Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' ' +syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained " Syscall groups grabbed from: src/fseccomp/syscall.c -" Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|' -syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained +" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|' +syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained " Errnos grabbed from: src/fseccomp/errno.c -" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/fseccomp/errno.c | sort -u | tr $'\n' '|' +" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|' syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained syn match fjSyscallList /,/ nextgroup=fjSyscall contained syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained +syn keyword fjSeccompAction kill log ERRNO contained syn match fjEnvVar "[A-Za-z0-9_]\+=" contained syn match fjRmenvVar "[A-Za-z0-9_]\+" contained @@ -40,6 +41,7 @@ syn keyword fjAll all contained syn keyword fjNone none contained syn keyword fjLo lo contained +syn keyword fjFilter filter contained " Variable names grabbed from: src/firejail/macros.c " Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|' @@ -47,27 +49,30 @@ " Commands grabbed from: src/firejail/profile.c " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) -syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained +syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below -syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained +syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained -syn match fjCommand /\vseccomp(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained +syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained syn match fjCommand /shell / nextgroup=fjNone skipwhite contained syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained syn match fjCommand /ip / nextgroup=fjNone skipwhite contained +syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained +syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained +syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained " Commands that can't be inside a ?CONDITIONAL: statement syn match fjCommandNoCond /include / skipwhite contained syn match fjCommandNoCond /quiet$/ contained " Conditionals grabbed from: src/firejail/profile.c " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' -syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NODBUS) ?:/ nextgroup=fjCommand skipwhite contained +syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained " A line is either a command, a conditional or a comment syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment @@ -88,6 +93,8 @@ hi def link fjAll Type hi def link fjNone Type hi def link fjLo Type +hi def link fjFilter Type +hi def link fjSeccompAction Type let b:current_syntax = "firejail" diff -Nru firejail-0.9.64.4/debian/changelog firejail-0.9.66/debian/changelog --- firejail-0.9.64.4/debian/changelog 2021-02-08 17:23:11.000000000 +0000 +++ firejail-0.9.66/debian/changelog 2021-07-11 10:00:04.000000000 +0000 @@ -1,8 +1,36 @@ +firejail (0.9.66-1~0ubuntu21.04.0) hirsute; urgency=medium + + * Upload to Ubuntu PPA. + + -- Reiner Herrmann Sun, 11 Jul 2021 12:00:04 +0200 + +firejail (0.9.66-1) experimental; urgency=medium + + * New upstream release. + + -- Reiner Herrmann Tue, 29 Jun 2021 22:55:14 +0200 + +firejail (0.9.66~rc1-1) experimental; urgency=medium + + * New upstream release candidate. + - allow webext extensions to be loaded by chromium (Closes: #986049) + - fix opening of links in thunderbird (Closes: #968551) + * Drop removed .inc conffiles via maintscript. + + -- Reiner Herrmann Fri, 04 Jun 2021 22:24:24 +0200 + +firejail (0.9.64.4-2) unstable; urgency=medium + + * Cherry-pick upstream fix for fcopy usage with private-lib. (Closes: #973756) + * Add lintian override for warning about mode of firejail helper binaries. + + -- Reiner Herrmann Sat, 27 Feb 2021 12:25:29 +0100 + firejail (0.9.64.4-1) unstable; urgency=high * New upstream release. - disable overlayfs support because of security issue (local privilege - escalation). (CVE pending) + escalation). (CVE-2021-26910) * Drop d/clean. -- Reiner Herrmann Mon, 08 Feb 2021 18:23:11 +0100 diff -Nru firejail-0.9.64.4/debian/firejail.lintian-overrides firejail-0.9.66/debian/firejail.lintian-overrides --- firejail-0.9.64.4/debian/firejail.lintian-overrides 2019-12-30 17:03:50.000000000 +0000 +++ firejail-0.9.66/debian/firejail.lintian-overrides 2021-06-04 17:24:52.000000000 +0000 @@ -1 +1,3 @@ firejail: setuid-binary usr/bin/firejail 4755 root/root +# binaries intentionally installed non-readable by upstream +firejail: executable-is-not-world-readable usr/lib/*/firejail/f* 0711 diff -Nru firejail-0.9.64.4/debian/firejail.maintscript firejail-0.9.66/debian/firejail.maintscript --- firejail-0.9.64.4/debian/firejail.maintscript 2021-01-29 18:41:01.000000000 +0000 +++ firejail-0.9.66/debian/firejail.maintscript 2021-06-04 20:54:57.000000000 +0000 @@ -162,3 +162,7 @@ rm_conffile /etc/apparmor.d/local/firejail-local 0.9.58.2-1~ rm_conffile /etc/firejail/softmaker-common.inc 0.9.64.2-1~ mv_conffile /etc/firejail/whitelist-players.inc /etc/firejail/whitelist-player-common.inc 0.9.64.2-1~ +rm_conffile /etc/firejail/archiver-common.inc 0.9.66~rc1~ +rm_conffile /etc/firejail/chromium-common-hardened.inc 0.9.66~rc1~ +rm_conffile /etc/firejail/feh-network.inc 0.9.66~rc1~ +rm_conffile /etc/firejail/firefox-common-addons.inc 0.9.66~rc1~ diff -Nru firejail-0.9.64.4/debian/missing-sources/memwrexe-32.c firejail-0.9.66/debian/missing-sources/memwrexe-32.c --- firejail-0.9.64.4/debian/missing-sources/memwrexe-32.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/debian/missing-sources/memwrexe-32.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 #include diff -Nru firejail-0.9.64.4/debian/missing-sources/syscall_test32.c firejail-0.9.66/debian/missing-sources/syscall_test32.c --- firejail-0.9.64.4/debian/missing-sources/syscall_test32.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/debian/missing-sources/syscall_test32.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 #include diff -Nru firejail-0.9.64.4/debian/patches/apparmor-override.patch firejail-0.9.66/debian/patches/apparmor-override.patch --- firejail-0.9.64.4/debian/patches/apparmor-override.patch 2020-10-22 15:56:10.000000000 +0000 +++ firejail-0.9.66/debian/patches/apparmor-override.patch 2021-06-04 20:25:38.000000000 +0000 @@ -5,7 +5,7 @@ --- a/Makefile.in +++ b/Makefile.in -@@ -137,7 +137,6 @@ +@@ -146,7 +146,6 @@ install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" # install apparmor profile customization file diff -Nru firejail-0.9.64.4/debian/patches/config-hardening.patch firejail-0.9.66/debian/patches/config-hardening.patch --- firejail-0.9.64.4/debian/patches/config-hardening.patch 2020-10-22 15:56:10.000000000 +0000 +++ firejail-0.9.66/debian/patches/config-hardening.patch 2021-06-04 20:25:36.000000000 +0000 @@ -18,7 +18,7 @@ # Enable or disable chroot support, default enabled. # chroot yes -@@ -102,7 +102,7 @@ +@@ -96,7 +96,7 @@ # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and # --netfilter only to root user. Regular users are only allowed --net=none. diff -Nru firejail-0.9.64.4/debian/patches/disable-internet-tests.patch firejail-0.9.66/debian/patches/disable-internet-tests.patch --- firejail-0.9.64.4/debian/patches/disable-internet-tests.patch 2020-10-22 15:56:10.000000000 +0000 +++ firejail-0.9.66/debian/patches/disable-internet-tests.patch 2021-06-04 20:25:31.000000000 +0000 @@ -95,7 +95,7 @@ fi --- a/test/utils/utils.sh +++ b/test/utils/utils.sh -@@ -66,8 +66,7 @@ +@@ -59,8 +59,7 @@ echo "TESTING: fs.print (test/utils/fs-print.exp)" ./fs-print.exp @@ -107,7 +107,7 @@ ./caps-print.exp --- a/test/utils/build.exp +++ b/test/utils/build.exp -@@ -85,15 +85,5 @@ +@@ -97,15 +97,5 @@ } after 100 diff -Nru firejail-0.9.64.4/debian/patches/disable-terminal-tests.patch firejail-0.9.66/debian/patches/disable-terminal-tests.patch --- firejail-0.9.64.4/debian/patches/disable-terminal-tests.patch 2020-10-22 15:56:10.000000000 +0000 +++ firejail-0.9.66/debian/patches/disable-terminal-tests.patch 2021-06-04 20:25:34.000000000 +0000 @@ -27,7 +27,7 @@ then --- a/test/utils/utils.sh +++ b/test/utils/utils.sh -@@ -40,15 +40,6 @@ +@@ -33,15 +33,6 @@ echo "TESTING: help (test/utils/help.exp)" ./help.exp diff -Nru firejail-0.9.64.4/etc/apparmor/firejail-default firejail-0.9.66/etc/apparmor/firejail-default --- firejail-0.9.64.4/etc/apparmor/firejail-default 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/apparmor/firejail-default 2021-06-22 15:51:28.000000000 +0000 @@ -84,7 +84,8 @@ ########## # Allow running programs only from well-known system directories. If you need -# to run programs from your home directory, uncomment /home line. +# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix," +# or similar to /etc/apparmor.d/local/firejail-default (without the quotes). ########## /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix, /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix, @@ -126,40 +127,14 @@ # We let Firejail deal with capabilities, but ensure that # some AppArmor related capabilities will not be available. ########## -capability chown, -capability dac_override, -capability dac_read_search, -capability fowner, -capability fsetid, -capability kill, -capability setgid, -capability setuid, -capability setpcap, -capability linux_immutable, -capability net_bind_service, -capability net_broadcast, -capability net_admin, -capability net_raw, -capability ipc_lock, -capability ipc_owner, -capability sys_module, -capability sys_rawio, -capability sys_chroot, -capability sys_ptrace, -capability sys_pacct, -capability sys_admin, -capability sys_boot, -capability sys_nice, -capability sys_resource, -capability sys_time, -capability sys_tty_config, -capability mknod, -capability lease, -#capability audit_write, -#capability audit_control, -capability setfcap, -#capability mac_override, -#capability mac_admin, +# The list of recognized capabilities varies from one apparmor version to another. +# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available +# We allow all caps by default and remove the ones we don't like: +capability, +deny capability audit_write, +deny capability audit_control, +deny capability mac_override, +deny capability mac_admin, # Site-specific additions and overrides. See local/README for details. #include diff -Nru firejail-0.9.64.4/etc/apparmor/firejail-local firejail-0.9.66/etc/apparmor/firejail-local --- firejail-0.9.64.4/etc/apparmor/firejail-local 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/apparmor/firejail-local 2021-06-22 15:51:28.000000000 +0000 @@ -1,2 +1,15 @@ # Site-specific additions and overrides for 'firejail-default'. # For more details, please see /etc/apparmor.d/local/README. + +# Here are some examples to allow running programs from home directory. +# Don't enable all of these, just pick a specific one or write a custom rule +# instead as done below for torbrowser-launcher. +#owner @HOME/** ix, +#owner @HOME/bin/** ix +#owner @HOME/.local/bin/** ix + +# Uncomment to opt-in to apparmor for brave + tor +#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix, + +# Uncomment to opt-in to apparmor for torbrowser-launcher +#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix, diff -Nru firejail-0.9.64.4/etc/firejail.config firejail-0.9.66/etc/firejail.config --- firejail-0.9.64.4/etc/firejail.config 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/firejail.config 2021-06-27 18:09:10.000000000 +0000 @@ -35,23 +35,12 @@ # cannot be overridden by --noblacklist or --ignore. # disable-mnt no -# Set the limit for file copy in several --private-* options. The size is set -# in megabytes. By default we allow up to 500MB. -# Note: the files are copied in RAM. -# file-copy-limit 500 - # Enable or disable file transfer support, default enabled. # file-transfer yes # Enable Firejail green prompt in terminal, default disabled # firejail-prompt no -# Follow symlink as user. While using --whitelist feature, -# symlinks pointing outside home directory are followed only -# if both the link and the real file are owned by the user. -# Enabled by default -# follow-symlink-as-user yes - # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration @@ -83,18 +72,35 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes +# Set the limit for file copy in several --private-* options. The size is set +# in megabytes. By default we allow up to 500MB. +# Note: the files are copied in RAM. +# file-copy-limit 500 + +# Enable or disable private-bin feature, default enabled. +# private-bin yes + # Remove /usr/local directories from private-bin list, default disabled. # private-bin-no-local no # Enable or disable private-cache feature, default enabled # private-cache yes +# Enable or disable private-etc feature, default enabled. +# private-etc yes + # Enable or disable private-home feature, default enabled # private-home yes # Enable or disable private-lib feature, default enabled # private-lib yes +# Enable or disable private-opt feature, default enabled. +# private-opt yes + +# Enable or disable private-srv feature, default enabled. +# private-srv yes + # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no @@ -107,6 +113,10 @@ # Enable or disable seccomp support, default enabled. # seccomp yes +# Add rules to the default seccomp filter. Same syntax as for --seccomp= +# None by default; this is an example. +# seccomp-filter-add !chroot,kcmp,mincore + # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) # seccomp-error-action EPERM @@ -116,6 +126,10 @@ # Enable or disable whitelisting support, default enabled. # whitelist yes +# Disable whitelist top level directories, in addition to those +# that are disabled out of the box. None by default; this is an example. +# whitelist-disable-topdir /etc,/usr/etc + # Enable or disable X11 sandboxing support, default enabled. # x11 yes diff -Nru firejail-0.9.64.4/etc/inc/allow-common-devel.inc firejail-0.9.66/etc/inc/allow-common-devel.inc --- firejail-0.9.64.4/etc/inc/allow-common-devel.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/allow-common-devel.inc 2021-06-22 15:51:28.000000000 +0000 @@ -15,6 +15,7 @@ noblacklist ${HOME}/.node-gyp noblacklist ${HOME}/.npm noblacklist ${HOME}/.npmrc +noblacklist ${HOME}/.nvm noblacklist ${HOME}/.yarn noblacklist ${HOME}/.yarn-config noblacklist ${HOME}/.yarncache @@ -27,10 +28,4 @@ noblacklist ${HOME}/.pythonhist # Rust -noblacklist ${HOME}/.cargo/advisory-db -noblacklist ${HOME}/.cargo/config -noblacklist ${HOME}/.cargo/git -noblacklist ${HOME}/.cargo/registry -noblacklist ${HOME}/.cargo/.crates.toml -noblacklist ${HOME}/.cargo/.crates2.json -noblacklist ${HOME}/.cargo/.package-cache +noblacklist ${HOME}/.cargo/* diff -Nru firejail-0.9.64.4/etc/inc/allow-gjs.inc firejail-0.9.66/etc/inc/allow-gjs.inc --- firejail-0.9.64.4/etc/inc/allow-gjs.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/allow-gjs.inc 2021-06-22 15:51:28.000000000 +0000 @@ -5,7 +5,8 @@ noblacklist ${PATH}/gjs noblacklist ${PATH}/gjs-console noblacklist /usr/lib/gjs -noblacklist /usr/lib64/gjs noblacklist /usr/lib/libgjs* +noblacklist /usr/lib/libmozjs-* +noblacklist /usr/lib64/gjs noblacklist /usr/lib64/libgjs* noblacklist /usr/lib64/libmozjs-* diff -Nru firejail-0.9.64.4/etc/inc/allow-nodejs.inc firejail-0.9.66/etc/inc/allow-nodejs.inc --- firejail-0.9.64.4/etc/inc/allow-nodejs.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/allow-nodejs.inc 2021-06-22 15:51:28.000000000 +0000 @@ -4,3 +4,7 @@ noblacklist ${PATH}/node noblacklist /usr/include/node + +# Allow python for node-gyp (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc diff -Nru firejail-0.9.64.4/etc/inc/allow-opengl-game.inc firejail-0.9.66/etc/inc/allow-opengl-game.inc --- firejail-0.9.64.4/etc/inc/allow-opengl-game.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/inc/allow-opengl-game.inc 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,3 @@ +noblacklist ${PATH}/bash +whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh +private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity diff -Nru firejail-0.9.64.4/etc/inc/allow-ssh.inc firejail-0.9.66/etc/inc/allow-ssh.inc --- firejail-0.9.64.4/etc/inc/allow-ssh.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/inc/allow-ssh.inc 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,8 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-ssh.local + +noblacklist ${HOME}/.ssh +noblacklist /etc/ssh +noblacklist /etc/ssh/ssh_config +noblacklist /tmp/ssh-* diff -Nru firejail-0.9.64.4/etc/inc/archiver-common.inc firejail-0.9.66/etc/inc/archiver-common.inc --- firejail-0.9.64.4/etc/inc/archiver-common.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/archiver-common.inc 1970-01-01 00:00:00.000000000 +0000 @@ -1,53 +0,0 @@ -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include archiver-common.local - -# common profile for archiver/compression tools - -blacklist ${RUNUSER} - -# WARNING: -# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed -# include file(s) here or by putting those into archiver-common.local. -# Another option is to do this **per archiver** in the relevant .local. -# Just beware that things tend to break when overtightening profiles. For example, because you only -# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. - -# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc. -#include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc. -#include disable-programs.inc -include disable-shell.inc - -apparmor -caps.drop all -hostname archiver -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-cache -private-dev - -dbus-user none -dbus-system none - -memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/inc/chromium-common-hardened.inc firejail-0.9.66/etc/inc/chromium-common-hardened.inc --- firejail-0.9.64.4/etc/inc/chromium-common-hardened.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/chromium-common-hardened.inc 1970-01-01 00:00:00.000000000 +0000 @@ -1,5 +0,0 @@ -caps.drop all -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp !chroot diff -Nru firejail-0.9.64.4/etc/inc/disable-common.inc firejail-0.9.66/etc/inc/disable-common.inc --- firejail-0.9.64.4/etc/inc/disable-common.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/disable-common.inc 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ blacklist ${HOME}/.config/autostart-scripts blacklist ${HOME}/.config/awesome blacklist ${HOME}/.config/i3 +blacklist ${HOME}/.config/sway blacklist ${HOME}/.config/lxsession/LXDE/autostart blacklist ${HOME}/.config/openbox blacklist ${HOME}/.config/plasma-workspace @@ -291,7 +292,15 @@ read-only ${HOME}/.zshrc.local # Remote access -read-only ${HOME}/.ssh/authorized_keys +blacklist ${HOME}/.rhosts +blacklist ${HOME}/.shosts +blacklist ${HOME}/.ssh/authorized_keys +blacklist ${HOME}/.ssh/authorized_keys2 +blacklist ${HOME}/.ssh/environment +blacklist ${HOME}/.ssh/rc +blacklist /etc/hosts.equiv +read-only ${HOME}/.ssh/config +read-only ${HOME}/.ssh/config.d # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc @@ -329,10 +338,12 @@ read-only ${HOME}/.gem read-only ${HOME}/.luarocks read-only ${HOME}/.npm-packages +read-only ${HOME}/.nvm read-only ${HOME}/bin read-only ${HOME}/.bin read-only ${HOME}/.local/bin read-only ${HOME}/.cargo/bin +read-only ${HOME}/.rustup # Write-protection for desktop entries read-only ${HOME}/.config/menus @@ -347,6 +358,9 @@ # Write-protection for thumbnailer dir read-only ${HOME}/.local/share/thumbnailers +# prevent access to ssh-agent +blacklist /tmp/ssh-* + # top secret blacklist ${HOME}/*.kdb blacklist ${HOME}/*.kdbx @@ -354,6 +368,7 @@ blacklist ${HOME}/.Private blacklist ${HOME}/.caff blacklist ${HOME}/.cargo/credentials +blacklist ${HOME}/.cargo/credentials.toml blacklist ${HOME}/.cert blacklist ${HOME}/.config/keybase blacklist ${HOME}/.davfs2/secrets @@ -393,6 +408,7 @@ blacklist /etc/shadow+ blacklist /etc/shadow- blacklist /etc/ssh +blacklist /etc/ssh/* blacklist /home/.ecryptfs blacklist /home/.fscrypt blacklist /var/backup @@ -430,6 +446,7 @@ blacklist ${PATH}/mount.ecryptfs_private blacklist ${PATH}/nc blacklist ${PATH}/ncat +blacklist ${PATH}/nmap blacklist ${PATH}/newgidmap blacklist ${PATH}/newgrp blacklist ${PATH}/newuidmap @@ -440,6 +457,7 @@ blacklist ${PATH}/strace blacklist ${PATH}/su blacklist ${PATH}/sudo +blacklist ${PATH}/tcpdump blacklist ${PATH}/umount blacklist ${PATH}/unix_chkpwd blacklist ${PATH}/xev diff -Nru firejail-0.9.64.4/etc/inc/disable-interpreters.inc firejail-0.9.66/etc/inc/disable-interpreters.inc --- firejail-0.9.64.4/etc/inc/disable-interpreters.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/disable-interpreters.inc 2021-06-22 15:51:28.000000000 +0000 @@ -6,8 +6,8 @@ blacklist ${PATH}/gjs blacklist ${PATH}/gjs-console blacklist /usr/lib/gjs -blacklist /usr/lib64/gjs blacklist /usr/lib/libgjs* +blacklist /usr/lib64/gjs blacklist /usr/lib64/libgjs* # Lua @@ -20,6 +20,7 @@ blacklist /usr/share/lua* # mozjs +blacklist /usr/lib/libmozjs-* blacklist /usr/lib64/libmozjs-* # Node.js @@ -30,8 +31,8 @@ blacklist ${HOME}/.nvm # Perl -blacklist ${PATH}/cpan* blacklist ${PATH}/core_perl +blacklist ${PATH}/cpan* blacklist ${PATH}/perl blacklist ${PATH}/site_perl blacklist ${PATH}/vendor_perl diff -Nru firejail-0.9.64.4/etc/inc/disable-passwdmgr.inc firejail-0.9.66/etc/inc/disable-passwdmgr.inc --- firejail-0.9.64.4/etc/inc/disable-passwdmgr.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/disable-passwdmgr.inc 2021-06-22 15:51:28.000000000 +0000 @@ -7,6 +7,7 @@ blacklist ${HOME}/.config/keepass blacklist ${HOME}/.config/keepassx blacklist ${HOME}/.config/keepassxc +blacklist ${HOME}/.config/KeePassXCrc blacklist ${HOME}/.config/Sinew Software Systems blacklist ${HOME}/.fpm blacklist ${HOME}/.keepass diff -Nru firejail-0.9.64.4/etc/inc/disable-programs.inc firejail-0.9.66/etc/inc/disable-programs.inc --- firejail-0.9.64.4/etc/inc/disable-programs.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/disable-programs.inc 2021-06-22 15:51:28.000000000 +0000 @@ -5,6 +5,7 @@ blacklist ${HOME}/Arduino blacklist ${HOME}/i2p blacklist ${HOME}/Monero/wallets +blacklist ${HOME}/Nextcloud blacklist ${HOME}/Nextcloud/Notes blacklist ${HOME}/SoftMaker blacklist ${HOME}/Standard Notes Backups @@ -38,6 +39,8 @@ blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.ZAP blacklist ${HOME}/.abook +blacklist ${HOME}/.addressbook +blacklist ${HOME}/.alpine-smime blacklist ${HOME}/.aMule blacklist ${HOME}/.android blacklist ${HOME}/.anydesk @@ -50,19 +53,16 @@ blacklist ${HOME}/.atom blacklist ${HOME}/.attic blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.avidemux6 +blacklist ${HOME}/.ballbuster.hs blacklist ${HOME}/.balsa blacklist ${HOME}/.bcast5 blacklist ${HOME}/.bibletime blacklist ${HOME}/.bitcoin +blacklist ${HOME}/.blobby blacklist ${HOME}/.bogofilter blacklist ${HOME}/.bzf -blacklist ${HOME}/.cargo/advisory-db -blacklist ${HOME}/.cargo/config -blacklist ${HOME}/.cargo/git -blacklist ${HOME}/.cargo/registry -blacklist ${HOME}/.cargo/.crates.toml -blacklist ${HOME}/.cargo/.crates2.json -blacklist ${HOME}/.cargo/.package-cache +blacklist ${HOME}/.cargo/* blacklist ${HOME}/.claws-mail blacklist ${HOME}/.cliqz blacklist ${HOME}/.clonk @@ -87,6 +87,7 @@ blacklist ${HOME}/.config/Element (Riot) blacklist ${HOME}/.config/ENCOM blacklist ${HOME}/.config/Enox +blacklist ${HOME}/.config/Epic blacklist ${HOME}/.config/Ferdi blacklist ${HOME}/.config/Flavio Tordini blacklist ${HOME}/.config/Franz @@ -102,22 +103,28 @@ blacklist ${HOME}/.config/INRIA blacklist ${HOME}/.config/InSilmaril blacklist ${HOME}/.config/Jitsi Meet +blacklist ${HOME}/.config/KDE/neochat blacklist ${HOME}/.config/Kid3 blacklist ${HOME}/.config/Kingsoft +blacklist ${HOME}/.config/LibreCAD +blacklist ${HOME}/.config/Loop_Hero blacklist ${HOME}/.config/Luminance blacklist ${HOME}/.config/LyX blacklist ${HOME}/.config/Mattermost blacklist ${HOME}/.config/Meltytech blacklist ${HOME}/.config/Mendeley Ltd. blacklist ${HOME}/.config/Min +blacklist ${HOME}/.config/ModTheSpire blacklist ${HOME}/.config/Mousepad blacklist ${HOME}/.config/Mumble blacklist ${HOME}/.config/MusE blacklist ${HOME}/.config/MuseScore blacklist ${HOME}/.config/MusicBrainz blacklist ${HOME}/.config/Nathan Osman +blacklist ${HOME}/.config/Nextcloud blacklist ${HOME}/.config/Nylas Mail blacklist ${HOME}/.config/PacmanLogViewer +blacklist ${HOME}/.config/PawelStolowski blacklist ${HOME}/.config/PBE blacklist ${HOME}/.config/Philipp Schmieder blacklist ${HOME}/.config/QGIS @@ -129,6 +136,8 @@ blacklist ${HOME}/.config/Rambox blacklist ${HOME}/.config/Riot blacklist ${HOME}/.config/Rocket.Chat +blacklist ${HOME}/.config/RogueLegacy +blacklist ${HOME}/.config/RogueLegacyStorageContainer blacklist ${HOME}/.config/Signal blacklist ${HOME}/.config/Sinew Software Systems blacklist ${HOME}/.config/Slack @@ -158,10 +167,12 @@ blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/audacious blacklist ${HOME}/.config/autokey +blacklist ${HOME}/.config/avidemux3_qt5rc blacklist ${HOME}/.config/aweather blacklist ${HOME}/.config/backintime blacklist ${HOME}/.config/baloofilerc blacklist ${HOME}/.config/baloorc +blacklist ${HOME}/.config/bcompare blacklist ${HOME}/.config/blender blacklist ${HOME}/.config/bless blacklist ${HOME}/.config/bnox @@ -210,6 +221,7 @@ blacklist ${HOME}/.config/electron-mail blacklist ${HOME}/.config/emaildefaults blacklist ${HOME}/.config/emailidentities +blacklist ${HOME}/.config/emilia blacklist ${HOME}/.config/enchant blacklist ${HOME}/.config/eog blacklist ${HOME}/.config/epiphany @@ -263,6 +275,7 @@ blacklist ${HOME}/.config/inox blacklist ${HOME}/.config/iridium blacklist ${HOME}/.config/itch +blacklist ${HOME}/.config/jami blacklist ${HOME}/.config/jd-gui.cfg blacklist ${HOME}/.config/k3brc blacklist ${HOME}/.config/kaffeinerc @@ -302,12 +315,12 @@ blacklist ${HOME}/.config/lutris blacklist ${HOME}/.config/lximage-qt blacklist ${HOME}/.config/mailtransports -blacklist ${HOME}/.local/share/man blacklist ${HOME}/.config/mana blacklist ${HOME}/.config/mate-calc blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/mate/mate-dictionary blacklist ${HOME}/.config/matrix-mirage +blacklist ${HOME}/.config/mcomix blacklist ${HOME}/.config/meld blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/menulibre.cfg @@ -322,13 +335,18 @@ blacklist ${HOME}/.config/mps-youtube blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/mupen64plus +blacklist ${HOME}/.config/mutt blacklist ${HOME}/.config/mutter blacklist ${HOME}/.config/mypaint blacklist ${HOME}/.config/nano blacklist ${HOME}/.config/nautilus blacklist ${HOME}/.config/nemo +blacklist ${HOME}/.config/neochatrc +blacklist ${HOME}/.config/neochat.notifyrc +blacklist ${HOME}/.config/neomutt blacklist ${HOME}/.config/netsurf blacklist ${HOME}/.config/newsbeuter +blacklist ${HOME}/.config/newsboat blacklist ${HOME}/.config/newsflash blacklist ${HOME}/.config/nheko blacklist ${HOME}/.config/NitroShare @@ -340,10 +358,12 @@ blacklist ${HOME}/.config/onboard blacklist ${HOME}/.config/onionshare blacklist ${HOME}/.config/onlyoffice +blacklist ${HOME}/.config/openmw blacklist ${HOME}/.config/opera blacklist ${HOME}/.config/opera-beta blacklist ${HOME}/.config/orage blacklist ${HOME}/.config/org.gabmus.gfeeds.json +blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles blacklist ${HOME}/.config/org.kde.gwenviewrc blacklist ${HOME}/.config/otter blacklist ${HOME}/.config/pavucontrol-qt @@ -351,6 +371,7 @@ blacklist ${HOME}/.config/pcmanfm blacklist ${HOME}/.config/pdfmod blacklist ${HOME}/.config/Pinta +blacklist ${HOME}/.config/pipe-viewer blacklist ${HOME}/.config/pitivi blacklist ${HOME}/.config/pix blacklist ${HOME}/.config/pluma @@ -363,6 +384,7 @@ blacklist ${HOME}/.config/qBittorrentrc blacklist ${HOME}/.config/qnapi.ini blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/quodlibet blacklist ${HOME}/.config/qupzilla blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.config/ranger @@ -431,6 +453,7 @@ blacklist ${HOME}/.config/yandex-browser-beta blacklist ${HOME}/.config/yelp blacklist ${HOME}/.config/youtube-dl +blacklist ${HOME}/.config/youtube-dlg blacklist ${HOME}/.config/youtubemusic-nativefier-040164 blacklist ${HOME}/.config/youtube-music-desktop-app blacklist ${HOME}/.config/youtube-viewer @@ -460,6 +483,7 @@ blacklist ${HOME}/.ethereum blacklist ${HOME}/.etr blacklist ${HOME}/.filezilla +blacklist ${HOME}/.firedragon blacklist ${HOME}/.flowblade blacklist ${HOME}/.fltk blacklist ${HOME}/.fossamail @@ -468,9 +492,12 @@ blacklist ${HOME}/.freemind blacklist ${HOME}/.frogatto blacklist ${HOME}/.frozen-bubble +blacklist ${HOME}/.funnyboat blacklist ${HOME}/.gimp* blacklist ${HOME}/.gist blacklist ${HOME}/.gitconfig +blacklist ${HOME}/.gl-117 +blacklist ${HOME}/.glaxiumrc blacklist ${HOME}/.gnome/gnome-schedule blacklist ${HOME}/.googleearth blacklist ${HOME}/.gradle @@ -559,10 +586,12 @@ blacklist ${HOME}/.kino-history blacklist ${HOME}/.kinorc blacklist ${HOME}/.klatexformula +blacklist ${HOME}/.klei blacklist ${HOME}/.kodi blacklist ${HOME}/.librewolf blacklist ${HOME}/.lincity-ng blacklist ${HOME}/.links +blacklist ${HOME}/.links2 blacklist ${HOME}/.linphone-history.db blacklist ${HOME}/.linphonerc blacklist ${HOME}/.lmmsrc.xml @@ -570,21 +599,31 @@ blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/3909/PapersPlease blacklist ${HOME}/.local/share/Anki2 +blacklist ${HOME}/.local/share/Dredmor blacklist ${HOME}/.local/share/Empathy blacklist ${HOME}/.local/share/Enpass blacklist ${HOME}/.local/share/Flavio Tordini blacklist ${HOME}/.local/share/JetBrains +blacklist ${HOME}/.local/share/KDE/neochat blacklist ${HOME}/.local/share/Kingsoft +blacklist ${HOME}/.local/share/LibreCAD blacklist ${HOME}/.local/share/Mendeley Ltd. blacklist ${HOME}/.local/share/Mumble +blacklist ${HOME}/.local/share/Nextcloud blacklist ${HOME}/.local/share/PBE +blacklist ${HOME}/.local/share/PawelStolowski +blacklist ${HOME}/.local/share/PillarsOfEternity blacklist ${HOME}/.local/share/Psi blacklist ${HOME}/.local/share/QGIS blacklist ${HOME}/.local/share/QMediathekView blacklist ${HOME}/.local/share/QuiteRss blacklist ${HOME}/.local/share/Ricochet +blacklist ${HOME}/.local/share/RogueLegacy +blacklist ${HOME}/.local/share/RogueLegacyStorageContainer blacklist ${HOME}/.local/share/Shortwave blacklist ${HOME}/.local/share/Steam +blacklist ${HOME}/.local/share/SteamWorldDig +blacklist ${HOME}/.local/share/SteamWorld Dig 2 blacklist ${HOME}/.local/share/SuperHexagon blacklist ${HOME}/.local/share/TelegramDesktop blacklist ${HOME}/.local/share/Terraria @@ -604,11 +643,13 @@ blacklist ${HOME}/.local/share/bijiben blacklist ${HOME}/.local/share/bohemiainteractive blacklist ${HOME}/.local/share/caja-python +blacklist ${HOME}/.local/share/calligragemini blacklist ${HOME}/.local/share/cantata blacklist ${HOME}/.local/share/cdprojektred blacklist ${HOME}/.local/share/clipit blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate blacklist ${HOME}/.local/share/contacts +blacklist ${HOME}/.local/share/cor-games blacklist ${HOME}/.local/share/data/Mendeley Ltd. blacklist ${HOME}/.local/share/data/Mumble blacklist ${HOME}/.local/share/data/MusE @@ -652,6 +693,7 @@ blacklist ${HOME}/.local/share/gwenview blacklist ${HOME}/.local/share/i2p blacklist ${HOME}/.local/share/IntoTheBreach +blacklist ${HOME}/.local/share/jami blacklist ${HOME}/.local/share/kaffeine blacklist ${HOME}/.local/share/kalgebra blacklist ${HOME}/.local/share/kate @@ -677,11 +719,14 @@ blacklist ${HOME}/.local/share/love blacklist ${HOME}/.local/share/lugaru blacklist ${HOME}/.local/share/lutris +blacklist ${HOME}/.local/share/man blacklist ${HOME}/.local/share/mana blacklist ${HOME}/.local/share/maps-places.json blacklist ${HOME}/.local/share/matrix-mirage +blacklist ${HOME}/.local/share/mcomix blacklist ${HOME}/.local/share/meld blacklist ${HOME}/.local/share/midori +blacklist ${HOME}/.local/share/minder blacklist ${HOME}/.local/share/mirage blacklist ${HOME}/.local/share/multimc blacklist ${HOME}/.local/share/multimc5 @@ -692,11 +737,15 @@ blacklist ${HOME}/.local/share/nemo blacklist ${HOME}/.local/share/nemo-python blacklist ${HOME}/.local/share/news-flash +blacklist ${HOME}/.local/share/newsbeuter +blacklist ${HOME}/.local/share/newsboat +blacklist ${HOME}/.local/share/nheko blacklist ${HOME}/.local/share/nomacs blacklist ${HOME}/.local/share/notes blacklist ${HOME}/.local/share/ocenaudio blacklist ${HOME}/.local/share/okular blacklist ${HOME}/.local/share/onlyoffice +blacklist ${HOME}/.local/share/openmw blacklist ${HOME}/.local/share/orage blacklist ${HOME}/.local/share/org.kde.gwenview blacklist ${HOME}/.local/share/Paradox Interactive @@ -763,11 +812,13 @@ blacklist ${HOME}/.neverball blacklist ${HOME}/.newsbeuter blacklist ${HOME}/.newsboat +blacklist ${HOME}/.newsrc blacklist ${HOME}/.nicotine blacklist ${HOME}/.node-gyp blacklist ${HOME}/.npm blacklist ${HOME}/.npmrc blacklist ${HOME}/.nv +blacklist ${HOME}/.nvm blacklist ${HOME}/.nylas-mail blacklist ${HOME}/.openarena blacklist ${HOME}/.opencity @@ -780,7 +831,16 @@ blacklist ${HOME}/.ostrichriders blacklist ${HOME}/.paradoxinteractive blacklist ${HOME}/.parallelrealities/blobwars +blacklist ${HOME}/.pcsxr blacklist ${HOME}/.penguin-command +blacklist ${HOME}/.pine-crash +blacklist ${HOME}/.pine-debug1 +blacklist ${HOME}/.pine-debug2 +blacklist ${HOME}/.pine-debug3 +blacklist ${HOME}/.pine-debug4 +blacklist ${HOME}/.pine-interrupted-mail +blacklist ${HOME}/.pinerc +blacklist ${HOME}/.pinercex blacklist ${HOME}/.pingus blacklist ${HOME}/.pioneer blacklist ${HOME}/.purple @@ -807,6 +867,7 @@ blacklist ${HOME}/.stellarium blacklist ${HOME}/.subversion blacklist ${HOME}/.surf +blacklist ${HOME}/.suve/colorful blacklist ${HOME}/.swb.ini blacklist ${HOME}/.sword blacklist ${HOME}/.sylpheed-2.0 @@ -817,6 +878,7 @@ blacklist ${HOME}/.texlive20* blacklist ${HOME}/.thunderbird blacklist ${HOME}/.tilp +blacklist ${HOME}/.tin blacklist ${HOME}/.tooling blacklist ${HOME}/.tor-browser* blacklist ${HOME}/.torcs @@ -859,7 +921,6 @@ blacklist ${HOME}/.yarnrc blacklist ${HOME}/.zoom blacklist /tmp/akonadi-* -blacklist /tmp/ssh-* blacklist /tmp/.wine-* blacklist /var/games/nethack blacklist /var/games/slashem @@ -883,8 +944,10 @@ blacklist ${HOME}/.cache/MusicBrainz blacklist ${HOME}/.cache/NewsFlashGTK blacklist ${HOME}/.cache/Otter +blacklist ${HOME}/.cache/PawelStolowski blacklist ${HOME}/.cache/Psi blacklist ${HOME}/.cache/QuiteRss +blacklist ${HOME}/.cache/quodlibet blacklist ${HOME}/.cache/Quotient/quaternion blacklist ${HOME}/.cache/Shortwave blacklist ${HOME}/.cache/Tox @@ -914,7 +977,9 @@ blacklist ${HOME}/.cache/evolution blacklist ${HOME}/.cache/falkon blacklist ${HOME}/.cache/feedreader +blacklist ${HOME}/.cache/firedragon blacklist ${HOME}/.cache/flaska.net/trojita +blacklist ${HOME}/.cache/folks blacklist ${HOME}/.cache/font-manager blacklist ${HOME}/.cache/fossamail blacklist ${HOME}/.cache/fractal @@ -944,6 +1009,7 @@ blacklist ${HOME}/.cache/inox blacklist ${HOME}/.cache/iridium blacklist ${HOME}/.cache/kcmshell5 +blacklist ${HOME}/.cache/KDE/neochat blacklist ${HOME}/.cache/kdenlive blacklist ${HOME}/.cache/keepassxc blacklist ${HOME}/.cache/kfind @@ -990,6 +1056,7 @@ blacklist ${HOME}/.cache/pdfmod blacklist ${HOME}/.cache/peek blacklist ${HOME}/.cache/pip +blacklist ${HOME}/.cache/pipe-viewer blacklist ${HOME}/.cache/plasmashell blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* blacklist ${HOME}/.cache/psi @@ -1025,3 +1092,4 @@ blacklist ${HOME}/.cache/yandex-browser blacklist ${HOME}/.cache/yandex-browser-beta blacklist ${HOME}/.cache/youtube-dl +blacklist ${HOME}/.cache/youtube-viewer diff -Nru firejail-0.9.64.4/etc/inc/feh-network.inc firejail-0.9.66/etc/inc/feh-network.inc --- firejail-0.9.64.4/etc/inc/feh-network.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/feh-network.inc 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -ignore net none -netfilter -protocol unix,inet,inet6 -private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl diff -Nru firejail-0.9.64.4/etc/inc/firefox-common-addons.inc firejail-0.9.66/etc/inc/firefox-common-addons.inc --- firejail-0.9.64.4/etc/inc/firefox-common-addons.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/firefox-common-addons.inc 1970-01-01 00:00:00.000000000 +0000 @@ -1,90 +0,0 @@ -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include firefox-common-addons.local - -ignore include whitelist-runuser-common.inc - -noblacklist ${HOME}/.config/kgetrc -noblacklist ${HOME}/.config/okularpartrc -noblacklist ${HOME}/.config/okularrc -noblacklist ${HOME}/.config/qpdfview -noblacklist ${HOME}/.kde/share/apps/kget -noblacklist ${HOME}/.kde/share/apps/okular -noblacklist ${HOME}/.kde/share/config/kgetrc -noblacklist ${HOME}/.kde/share/config/okularpartrc -noblacklist ${HOME}/.kde/share/config/okularrc -noblacklist ${HOME}/.kde4/share/apps/kget -noblacklist ${HOME}/.kde4/share/apps/okular -noblacklist ${HOME}/.kde4/share/config/kgetrc -noblacklist ${HOME}/.kde4/share/config/okularpartrc -noblacklist ${HOME}/.kde4/share/config/okularrc -noblacklist ${HOME}/.local/share/kget -noblacklist ${HOME}/.local/share/kxmlgui5/okular -noblacklist ${HOME}/.local/share/okular -noblacklist ${HOME}/.local/share/qpdfview - -whitelist ${HOME}/.cache/gnome-mplayer/plugin -whitelist ${HOME}/.config/gnome-mplayer -whitelist ${HOME}/.config/kgetrc -whitelist ${HOME}/.config/okularpartrc -whitelist ${HOME}/.config/okularrc -whitelist ${HOME}/.config/pipelight-silverlight5.1 -whitelist ${HOME}/.config/pipelight-widevine -whitelist ${HOME}/.config/qpdfview -whitelist ${HOME}/.kde/share/apps/kget -whitelist ${HOME}/.kde/share/apps/okular -whitelist ${HOME}/.kde/share/config/kgetrc -whitelist ${HOME}/.kde/share/config/okularpartrc -whitelist ${HOME}/.kde/share/config/okularrc -whitelist ${HOME}/.kde4/share/apps/kget -whitelist ${HOME}/.kde4/share/apps/okular -whitelist ${HOME}/.kde4/share/config/kgetrc -whitelist ${HOME}/.kde4/share/config/okularpartrc -whitelist ${HOME}/.kde4/share/config/okularrc -whitelist ${HOME}/.keysnail.js -whitelist ${HOME}/.lastpass -whitelist ${HOME}/.local/share/kget -whitelist ${HOME}/.local/share/kxmlgui5/okular -whitelist ${HOME}/.local/share/okular -whitelist ${HOME}/.local/share/qpdfview -whitelist ${HOME}/.local/share/tridactyl -whitelist ${HOME}/.pentadactyl -whitelist ${HOME}/.pentadactylrc -whitelist ${HOME}/.tridactylrc -whitelist ${HOME}/.vimperator -whitelist ${HOME}/.vimperatorrc -whitelist ${HOME}/.wine-pipelight -whitelist ${HOME}/.wine-pipelight64 -whitelist ${HOME}/.zotero -whitelist ${HOME}/dwhelper - -# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc) -noblacklist ${HOME}/.local/share/gnome-shell -whitelist ${HOME}/.local/share/gnome-shell -ignore dbus-user none -ignore dbus-system none -include allow-python3.inc - -# KeePassXC Browser Integration -#private-bin keepassxc-proxy - -# Flash plugin -# private-etc must first be enabled in firefox-common.profile and in profiles including it. -#private-etc adobe - -# ff2mpv -#ignore noexec ${HOME} -#noblacklist ${HOME}/.config/mpv -#noblacklist ${HOME}/.config/youtube-dl -#noblacklist ${HOME}/.netrc -#include allow-lua.inc -#include allow-python3.inc -#mkdir ${HOME}/.config/mpv -#mkdir ${HOME}/.config/youtube-dl -#whitelist ${HOME}/.config/mpv -#whitelist ${HOME}/.config/youtube-dl -#whitelist ${HOME}/.netrc -#whitelist /usr/share/lua -#whitelist /usr/share/lua* -#whitelist /usr/share/vulkan -#private-bin env,mpv,python3*,waf,youtube-dl diff -Nru firejail-0.9.64.4/etc/inc/whitelist-1793-workaround.inc firejail-0.9.66/etc/inc/whitelist-1793-workaround.inc --- firejail-0.9.64.4/etc/inc/whitelist-1793-workaround.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/inc/whitelist-1793-workaround.inc 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,29 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include whitelist-1793-workaround.local +# This works around bug 1793, and allows whitelisting to be used for some KDE applications. + +noblacklist ${HOME}/.config/ibus +noblacklist ${HOME}/.config/mimeapps.list +noblacklist ${HOME}/.config/pkcs11 +noblacklist ${HOME}/.config/user-dirs.dirs +noblacklist ${HOME}/.config/user-dirs.locale +noblacklist ${HOME}/.config/dconf +noblacklist ${HOME}/.config/fontconfig +noblacklist ${HOME}/.config/gtk-2.0 +noblacklist ${HOME}/.config/gtk-3.0 +noblacklist ${HOME}/.config/gtk-4.0 +noblacklist ${HOME}/.config/gtkrc +noblacklist ${HOME}/.config/gtkrc-2.0 +noblacklist ${HOME}/.config/Kvantum +noblacklist ${HOME}/.config/Trolltech.conf +noblacklist ${HOME}/.config/QtProject.conf +noblacklist ${HOME}/.config/kdeglobals +noblacklist ${HOME}/.config/kio_httprc +noblacklist ${HOME}/.config/kioslaverc +noblacklist ${HOME}/.config/ksslcablacklist +noblacklist ${HOME}/.config/qt5ct +noblacklist ${HOME}/.config/qtcurve + +blacklist ${HOME}/.config/* +whitelist ${HOME}/.config diff -Nru firejail-0.9.64.4/etc/inc/whitelist-runuser-common.inc firejail-0.9.66/etc/inc/whitelist-runuser-common.inc --- firejail-0.9.64.4/etc/inc/whitelist-runuser-common.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/whitelist-runuser-common.inc 2021-06-22 15:51:28.000000000 +0000 @@ -13,3 +13,4 @@ whitelist ${RUNUSER}/wayland-0 whitelist ${RUNUSER}/wayland-1 whitelist ${RUNUSER}/xauth_* +whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] diff -Nru firejail-0.9.64.4/etc/inc/whitelist-usr-share-common.inc firejail-0.9.66/etc/inc/whitelist-usr-share-common.inc --- firejail-0.9.64.4/etc/inc/whitelist-usr-share-common.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/whitelist-usr-share-common.inc 2021-06-22 15:51:28.000000000 +0000 @@ -61,6 +61,7 @@ whitelist /usr/share/texmf whitelist /usr/share/themes whitelist /usr/share/thumbnail.so +whitelist /usr/share/uim whitelist /usr/share/vulkan whitelist /usr/share/X11 whitelist /usr/share/xml diff -Nru firejail-0.9.64.4/etc/inc/whitelist-var-common.inc firejail-0.9.66/etc/inc/whitelist-var-common.inc --- firejail-0.9.64.4/etc/inc/whitelist-var-common.inc 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/inc/whitelist-var-common.inc 2021-06-22 15:51:28.000000000 +0000 @@ -4,6 +4,7 @@ # common /var whitelist for all profiles +whitelist /var/lib/aspell whitelist /var/lib/ca-certificates whitelist /var/lib/dbus whitelist /var/lib/menu-xdg diff -Nru firejail-0.9.64.4/etc/profile-a-l/0ad.profile firejail-0.9.66/etc/profile-a-l/0ad.profile --- firejail-0.9.64.4/etc/profile-a-l/0ad.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/0ad.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,6 +10,8 @@ noblacklist ${HOME}/.config/0ad noblacklist ${HOME}/.local/share/0ad +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -34,6 +36,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/2048-qt.profile firejail-0.9.66/etc/profile-a-l/2048-qt.profile --- firejail-0.9.64.4/etc/profile-a-l/2048-qt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/2048-qt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/7z.profile firejail-0.9.66/etc/profile-a-l/7z.profile --- firejail-0.9.64.4/etc/profile-a-l/7z.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/7z.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,5 +7,8 @@ # Persistent global definitions include globals.local +# Included in archiver-common.profile ignore include disable-shell.inc -include archiver-common.inc + +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/abiword.profile firejail-0.9.66/etc/profile-a-l/abiword.profile --- firejail-0.9.64.4/etc/profile-a-l/abiword.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/abiword.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/agetpkg.profile firejail-0.9.66/etc/profile-a-l/agetpkg.profile --- firejail-0.9.64.4/etc/profile-a-l/agetpkg.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/agetpkg.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,11 +32,11 @@ hostname agetpkg ipc-namespace machine-id -noautopulse netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/akonadi_control.profile firejail-0.9.66/etc/profile-a-l/akonadi_control.profile --- firejail-0.9.64.4/etc/profile-a-l/akonadi_control.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/akonadi_control.profile 2021-06-22 15:51:28.000000000 +0000 @@ -40,6 +40,7 @@ no3d nodvd nogroups +noinput # nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/akregator.profile firejail-0.9.66/etc/profile-a-l/akregator.profile --- firejail-0.9.64.4/etc/profile-a-l/akregator.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/akregator.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/alacarte.profile firejail-0.9.66/etc/profile-a-l/alacarte.profile --- firejail-0.9.64.4/etc/profile-a-l/alacarte.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/alacarte.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -36,6 +37,7 @@ nodvd no3d nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/alienarena.profile firejail-0.9.66/etc/profile-a-l/alienarena.profile --- firejail-0.9.64.4/etc/profile-a-l/alienarena.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/alienarena.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,53 @@ +# Firejail profile for alienarena +# Description: Multiplayer retro sci-fi deathmatch game +# This file is overwritten after every install/update +# Persistent local customizations +include alienarena.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/cor-games + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/cor-games +whitelist ${HOME}/.local/share/cor-games +whitelist /usr/share/alienarena +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin alienarena +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11 +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/alienarena-wrapper.profile firejail-0.9.66/etc/profile-a-l/alienarena-wrapper.profile --- firejail-0.9.64.4/etc/profile-a-l/alienarena-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/alienarena-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for alienarena-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include alienarena-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin alienarena-wrapper + +# Redirect +include alienarena.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/alpinef.profile firejail-0.9.66/etc/profile-a-l/alpinef.profile --- firejail-0.9.64.4/etc/profile-a-l/alpinef.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/alpinef.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for alpinef +# Description: Text-based email and newsgroups reader using function keys +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include alpinef.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin alpinef + +# Redirect +include alpine.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/alpine.profile firejail-0.9.66/etc/profile-a-l/alpine.profile --- firejail-0.9.64.4/etc/profile-a-l/alpine.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/alpine.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,104 @@ +# Firejail profile for alpine +# Description: Text-based email and newsgroups reader +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include alpine.local +# Persistent global definitions +include globals.local + +# Workaround for bug https://github.com/netblue30/firejail/issues/2747 +# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)' + +noblacklist /var/mail +noblacklist /var/spool/mail +noblacklist ${DOCUMENTS} +noblacklist ${HOME}/.addressbook +noblacklist ${HOME}/.alpine-smime +noblacklist ${HOME}/.mailcap +noblacklist ${HOME}/.mh_profile +noblacklist ${HOME}/.mime.types +noblacklist ${HOME}/.newsrc +noblacklist ${HOME}/.pine-crash +noblacklist ${HOME}/.pine-debug1 +noblacklist ${HOME}/.pine-debug2 +noblacklist ${HOME}/.pine-debug3 +noblacklist ${HOME}/.pine-debug4 +noblacklist ${HOME}/.pine-interrupted-mail +noblacklist ${HOME}/.pinerc +noblacklist ${HOME}/.pinercex +noblacklist ${HOME}/.signature +noblacklist ${HOME}/mail + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +#whitelist ${DOCUMENTS} +#whitelist ${DOWNLOADS} +#whitelist ${HOME}/.addressbook +#whitelist ${HOME}/.alpine-smime +#whitelist ${HOME}/.mailcap +#whitelist ${HOME}/.mh_profile +#whitelist ${HOME}/.mime.types +#whitelist ${HOME}/.newsrc +#whitelist ${HOME}/.pine-crash +#whitelist ${HOME}/.pine-interrupted-mail +#whitelist ${HOME}/.pinerc +#whitelist ${HOME}/.pinercex +#whitelist ${HOME}/.pine-debug1 +#whitelist ${HOME}/.pine-debug2 +#whitelist ${HOME}/.pine-debug3 +#whitelist ${HOME}/.pine-debug4 +#whitelist ${HOME}/.signature +#whitelist ${HOME}/mail +whitelist /var/mail +whitelist /var/spool/mail +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin alpine +private-cache +private-dev +private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg +private-tmp +writable-run-user +writable-var + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME}/.signature diff -Nru firejail-0.9.64.4/etc/profile-a-l/amarok.profile firejail-0.9.66/etc/profile-a-l/amarok.profile --- firejail-0.9.64.4/etc/profile-a-l/amarok.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/amarok.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot notv @@ -33,3 +34,15 @@ private-dev # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl private-tmp + +dbus-user filter +dbus-user.own org.kde.amarok +dbus-user.own org.mpris.amarok +dbus-user.own org.mpris.MediaPlayer2.amarok +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.kde.StatusNotifierWatcher +# If you're not on kde-plasma add the next lines to your amarok.local. +#dbus-user.own org.kde.kded +#dbus-user.own org.kde.klauncher +#dbus-user.talk org.kde.knotify +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/amule.profile firejail-0.9.66/etc/profile-a-l/amule.profile --- firejail-0.9.64.4/etc/profile-a-l/amule.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/amule.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/android-studio.profile firejail-0.9.66/etc/profile-a-l/android-studio.profile --- firejail-0.9.64.4/etc/profile-a-l/android-studio.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/android-studio.profile 2021-06-22 15:51:28.000000000 +0000 @@ -5,17 +5,20 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/Google noblacklist ${HOME}/.AndroidStudio* noblacklist ${HOME}/.android noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc diff -Nru firejail-0.9.64.4/etc/profile-a-l/anki.profile firejail-0.9.66/etc/profile-a-l/anki.profile --- firejail-0.9.64.4/etc/profile-a-l/anki.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/anki.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/anydesk.profile firejail-0.9.66/etc/profile-a-l/anydesk.profile --- firejail-0.9.64.4/etc/profile-a-l/anydesk.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/anydesk.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/aosp.profile firejail-0.9.66/etc/profile-a-l/aosp.profile --- firejail-0.9.64.4/etc/profile-a-l/aosp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/aosp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,12 +11,14 @@ noblacklist ${HOME}/.jack-settings noblacklist ${HOME}/.repo_.gitconfig.json noblacklist ${HOME}/.repoconfig -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc diff -Nru firejail-0.9.64.4/etc/profile-a-l/apktool.profile firejail-0.9.66/etc/profile-a-l/apktool.profile --- firejail-0.9.64.4/etc/profile-a-l/apktool.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/apktool.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/apostrophe.profile firejail-0.9.66/etc/profile-a-l/apostrophe.profile --- firejail-0.9.64.4/etc/profile-a-l/apostrophe.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/apostrophe.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,15 +6,22 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.texlive20* noblacklist ${DOCUMENTS} noblacklist ${PICTURES} # Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -24,8 +31,12 @@ include disable-shell.inc include disable-xdg.inc +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/apostrophe +whitelist /usr/share/texlive +whitelist /usr/share/texmf whitelist /usr/share/pandoc-* +whitelist /usr/share/perl5 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -37,6 +48,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -49,10 +61,10 @@ tracelog disable-mnt -private-bin apostrophe,pandoc,python3* +private-bin apostrophe,fmtutil,kpsewhich,mktexfmt,pandoc,pdftex,perl,python3*,sh,xdvipdfmx,xelatex,xetex private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,texlive,X11 private-tmp dbus-user filter diff -Nru firejail-0.9.64.4/etc/profile-a-l/arch-audit.profile firejail-0.9.66/etc/profile-a-l/arch-audit.profile --- firejail-0.9.64.4/etc/profile-a-l/arch-audit.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/arch-audit.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/archiver-common.profile firejail-0.9.66/etc/profile-a-l/archiver-common.profile --- firejail-0.9.64.4/etc/profile-a-l/archiver-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/archiver-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,53 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include archiver-common.local + +# common profile for archiver/compression tools + +blacklist ${RUNUSER} + +# Comment/uncomment the relevant include file(s) in your archiver-common.local +# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver** +# in the relevant .local. Beware that things tend to break when overtightening +# profiles. For example, because you only need to (un)compress files in ${DOWNLOADS}, +# other applications may need access to ${HOME}/.local/share. + +# Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc. +#include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +# Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc. +#include disable-programs.inc +include disable-shell.inc + +apparmor +caps.drop all +hostname archiver +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +#noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +private-cache +private-dev + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/ardour4.profile firejail-0.9.66/etc/profile-a-l/ardour4.profile --- firejail-0.9.64.4/etc/profile-a-l/ardour4.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ardour4.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for ardour5 # This file is overwritten after every install/update - # Persistent local customizations include ardur4.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include ardour5.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/ardour5.profile firejail-0.9.66/etc/profile-a-l/ardour5.profile --- firejail-0.9.64.4/etc/profile-a-l/ardour5.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ardour5.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/aria2c.profile firejail-0.9.66/etc/profile-a-l/aria2c.profile --- firejail-0.9.64.4/etc/profile-a-l/aria2c.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/aria2c.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,9 +41,9 @@ shell none # disable-mnt -# Add your custom event hook commands to 'private-bin' in your aria2c.local +# Add your custom event hook commands to 'private-bin' in your aria2c.local. private-bin aria2c,gzip -# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) +# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). #private-cache private-dev private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl diff -Nru firejail-0.9.64.4/etc/profile-a-l/ark.profile firejail-0.9.66/etc/profile-a-l/ark.profile --- firejail-0.9.64.4/etc/profile-a-l/ark.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ark.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/arm.profile firejail-0.9.66/etc/profile-a-l/arm.profile --- firejail-0.9.64.4/etc/profile-a-l/arm.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/arm.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ar.profile firejail-0.9.66/etc/profile-a-l/ar.profile --- firejail-0.9.64.4/etc/profile-a-l/ar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,4 +7,5 @@ # Persistent global definitions include globals.local -include archiver-common.inc +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/artha.profile firejail-0.9.66/etc/profile-a-l/artha.profile --- firejail-0.9.64.4/etc/profile-a-l/artha.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/artha.profile 2021-06-22 15:51:28.000000000 +0000 @@ -41,6 +41,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/assogiate.profile firejail-0.9.66/etc/profile-a-l/assogiate.profile --- firejail-0.9.64.4/etc/profile-a-l/assogiate.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/assogiate.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/asunder.profile firejail-0.9.66/etc/profile-a-l/asunder.profile --- firejail-0.9.64.4/etc/profile-a-l/asunder.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/asunder.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter no3d # nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/atool.profile firejail-0.9.66/etc/profile-a-l/atool.profile --- firejail-0.9.64.4/etc/profile-a-l/atool.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/atool.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,10 +9,12 @@ # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc -include archiver-common.inc noroot # without login.defs atool complains and uses UID/GID 1000 by default private-etc alternatives,group,login.defs,passwd private-tmp + +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/atril.profile firejail-0.9.66/etc/profile-a-l/atril.profile --- firejail-0.9.64.4/etc/profile-a-l/atril.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/atril.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,7 +41,7 @@ shell none tracelog -private-bin atril,atril-previewer,atril-thumbnailer +private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote private-dev private-etc alternatives,fonts,ld.so.cache # atril uses webkit gtk to display epub files diff -Nru firejail-0.9.64.4/etc/profile-a-l/audacious.profile firejail-0.9.66/etc/profile-a-l/audacious.profile --- firejail-0.9.64.4/etc/profile-a-l/audacious.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/audacious.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/audacity.profile firejail-0.9.66/etc/profile-a-l/audacity.profile --- firejail-0.9.64.4/etc/profile-a-l/audacity.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/audacity.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/audio-recorder.profile firejail-0.9.66/etc/profile-a-l/audio-recorder.profile --- firejail-0.9.64.4/etc/profile-a-l/audio-recorder.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/audio-recorder.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ whitelist ${MUSIC} whitelist ${DOWNLOADS} whitelist /usr/share/audio-recorder +whitelist /usr/share/gstreamer-1.0 include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -44,7 +45,11 @@ disable-mnt # private-bin audio-recorder private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none + # memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.64.4/etc/profile-a-l/authenticator.profile firejail-0.9.66/etc/profile-a-l/authenticator.profile --- firejail-0.9.64.4/etc/profile-a-l/authenticator.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/authenticator.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/authenticator-rs.profile firejail-0.9.66/etc/profile-a-l/authenticator-rs.profile --- firejail-0.9.64.4/etc/profile-a-l/authenticator-rs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/authenticator-rs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/autokey-common.profile firejail-0.9.66/etc/profile-a-l/autokey-common.profile --- firejail-0.9.64.4/etc/profile-a-l/autokey-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/autokey-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/avidemux.profile firejail-0.9.66/etc/profile-a-l/avidemux.profile --- firejail-0.9.64.4/etc/profile-a-l/avidemux.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/avidemux.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,54 @@ +# Firejail profile for Avidemux +# Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks. +# Persistent local customizations +include avidemux.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.avidemux6 +noblacklist ${HOME}/.config/avidemux3_qt5rc +noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.avidemux6 +mkdir ${HOME}/.config/avidemux3_qt5rc +whitelist ${HOME}/.avidemux6 +whitelist ${HOME}/.config/avidemux3_qt5rc +whitelist ${VIDEOS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5 +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/aweather.profile firejail-0.9.66/etc/profile-a-l/aweather.profile --- firejail-0.9.64.4/etc/profile-a-l/aweather.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/aweather.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/b2sum.profile firejail-0.9.66/etc/profile-a-l/b2sum.profile --- firejail-0.9.64.4/etc/profile-a-l/b2sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/b2sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for b2sum +# Description: compute and check BLAKE2 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include b2sum.local +# Persistent global definitions +include globals.local + +private-bin b2sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/ballbuster.profile firejail-0.9.66/etc/profile-a-l/ballbuster.profile --- firejail-0.9.64.4/etc/profile-a-l/ballbuster.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ballbuster.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,53 @@ +# Firejail profile for ballbuster +# Description: Move the paddle to bounce the ball and break all the bricks +# This file is overwritten after every install/update +# Persistent local customizations +include ballbuster.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.ballbuster.hs + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkfile ${HOME}/.ballbuster.hs +whitelist ${HOME}/.ballbuster.hs +whitelist /usr/share/ballbuster +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin ballbuster +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/ballbuster-wrapper.profile firejail-0.9.66/etc/profile-a-l/ballbuster-wrapper.profile --- firejail-0.9.64.4/etc/profile-a-l/ballbuster-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ballbuster-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for ballbuster-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include ballbuster-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin ballbuster-wrapper + +# Redirect +include ballbuster.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/baloo_file.profile firejail-0.9.66/etc/profile-a-l/baloo_file.profile --- firejail-0.9.64.4/etc/profile-a-l/baloo_file.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/baloo_file.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/balsa.profile firejail-0.9.66/etc/profile-a-l/balsa.profile --- firejail-0.9.64.4/etc/profile-a-l/balsa.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/balsa.profile 2021-06-22 15:51:28.000000000 +0000 @@ -49,6 +49,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -61,7 +62,7 @@ tracelog # disable-mnt -# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm private-cache diff -Nru firejail-0.9.64.4/etc/profile-a-l/baobab.profile firejail-0.9.66/etc/profile-a-l/baobab.profile --- firejail-0.9.64.4/etc/profile-a-l/baobab.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/baobab.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/barrier.profile firejail-0.9.66/etc/profile-a-l/barrier.profile --- firejail-0.9.64.4/etc/profile-a-l/barrier.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/barrier.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/bcompare.profile firejail-0.9.66/etc/profile-a-l/bcompare.profile --- firejail-0.9.64.4/etc/profile-a-l/bcompare.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bcompare.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,48 @@ +# Firejail profile for Beyond Compare by Scooter Software +# Description: directory and file compare utility +# Disables the network, which only impacts checking for updates. +# This file is overwritten after every install/update +# Persistent local customizations +include bcompare.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/bcompare +# In case the user decides to include disable-programs.inc, still allow +# KDE's Gwenview to view images via right click -> Open With -> Associated Application +noblacklist ${HOME}/.config/gwenviewrc + +# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc. +#include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc. +#include disable-programs.inc +#include disable-shell.inc - breaks launch +include disable-write-mnt.inc + +apparmor +caps.drop all +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/bibletime.profile firejail-0.9.66/etc/profile-a-l/bibletime.profile --- firejail-0.9.64.4/etc/profile-a-l/bibletime.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bibletime.profile 2021-06-22 15:51:28.000000000 +0000 @@ -38,6 +38,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/bijiben.profile firejail-0.9.66/etc/profile-a-l/bijiben.profile --- firejail-0.9.64.4/etc/profile-a-l/bijiben.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bijiben.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,8 +20,10 @@ mkdir ${HOME}/.local/share/bijiben whitelist ${HOME}/.local/share/bijiben whitelist ${HOME}/.cache/tracker +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/bijiben whitelist /usr/share/tracker +whitelist /usr/share/tracker3 include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -33,6 +35,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -57,3 +60,5 @@ dbus-user.talk ca.desrt.dconf dbus-user.talk org.freedesktop.Tracker1 dbus-system none + +env WEBKIT_FORCE_SANDBOX=0 diff -Nru firejail-0.9.64.4/etc/profile-a-l/bitcoin-qt.profile firejail-0.9.66/etc/profile-a-l/bitcoin-qt.profile --- firejail-0.9.64.4/etc/profile-a-l/bitcoin-qt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bitcoin-qt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/bitlbee.profile firejail-0.9.66/etc/profile-a-l/bitlbee.profile --- firejail-0.9.64.4/etc/profile-a-l/bitlbee.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bitlbee.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ netfilter no3d nodvd +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/bitwarden.profile firejail-0.9.66/etc/profile-a-l/bitwarden.profile --- firejail-0.9.64.4/etc/profile-a-l/bitwarden.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bitwarden.profile 2021-06-28 14:38:01.000000000 +0000 @@ -6,53 +6,25 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include whitelist-usr-share-common.inc + ignore noexec /tmp noblacklist ${HOME}/.config/Bitwarden -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc include disable-shell.inc -include disable-xdg.inc mkdir ${HOME}/.config/Bitwarden whitelist ${HOME}/.config/Bitwarden -whitelist ${DOWNLOADS} -include whitelist-common.inc -include whitelist-var-common.inc -apparmor -caps.drop all machine-id -netfilter no3d -nodvd -nogroups -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp !chroot -shell none -#tracelog - breaks on Arch -private-bin bitwarden -private-cache ?HAS_APPIMAGE: ignore private-dev -private-dev private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl private-opt Bitwarden -private-tmp - -# breaks appindicator (tray) functionality -# dbus-user none -# dbus-system none -#memory-deny-write-execute - breaks on Arch (see issue #1803) +# Redirect +include electron.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/bleachbit.profile firejail-0.9.66/etc/profile-a-l/bleachbit.profile --- firejail-0.9.64.4/etc/profile-a-l/bleachbit.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bleachbit.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/blender-2.8.profile firejail-0.9.66/etc/profile-a-l/blender-2.8.profile --- firejail-0.9.64.4/etc/profile-a-l/blender-2.8.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/blender-2.8.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for blender # This file is overwritten after every install/update - # Persistent local customizations include blender-2.8.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include blender.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/blender.profile firejail-0.9.66/etc/profile-a-l/blender.profile --- firejail-0.9.64.4/etc/profile-a-l/blender.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/blender.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/bless.profile firejail-0.9.66/etc/profile-a-l/bless.profile --- firejail-0.9.64.4/etc/profile-a-l/bless.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bless.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/blobby.profile firejail-0.9.66/etc/profile-a-l/blobby.profile --- firejail-0.9.64.4/etc/profile-a-l/blobby.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/blobby.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,52 @@ +# Firejail profile for blobby +# Persistent local customizations +include blobby.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.blobby + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.blobby +whitelist ${HOME}/.blobby +include whitelist-common.inc +whitelist /usr/share/blobby +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin blobby +private-dev +private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse +private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/blobwars.profile firejail-0.9.66/etc/profile-a-l/blobwars.profile --- firejail-0.9.64.4/etc/profile-a-l/blobwars.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/blobwars.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/bluefish.profile firejail-0.9.66/etc/profile-a-l/bluefish.profile --- firejail-0.9.64.4/etc/profile-a-l/bluefish.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bluefish.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/Books.profile firejail-0.9.66/etc/profile-a-l/Books.profile --- firejail-0.9.64.4/etc/profile-a-l/Books.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Books.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,7 @@ +# Firejail profile for gnome-books +# This file is overwritten after every install/update + + +# Temporary fix for https://github.com/netblue30/firejail/issues/2624 +# Redirect +include gnome-books.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/brackets.profile firejail-0.9.66/etc/profile-a-l/brackets.profile --- firejail-0.9.64.4/etc/profile-a-l/brackets.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/brackets.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/brave-browser-beta.profile firejail-0.9.66/etc/profile-a-l/brave-browser-beta.profile --- firejail-0.9.64.4/etc/profile-a-l/brave-browser-beta.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/brave-browser-beta.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for brave (beta channel) # This file is overwritten after every install/update - # Persistent local customizations include brave-browser-beta.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/brave-browser-dev.profile firejail-0.9.66/etc/profile-a-l/brave-browser-dev.profile --- firejail-0.9.64.4/etc/profile-a-l/brave-browser-dev.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/brave-browser-dev.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for brave (development channel) # This file is overwritten after every install/update - # Persistent local customizations include brave-browser-dev.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/brave-browser-nightly.profile firejail-0.9.66/etc/profile-a-l/brave-browser-nightly.profile --- firejail-0.9.64.4/etc/profile-a-l/brave-browser-nightly.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/brave-browser-nightly.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for brave (nightly channel) # This file is overwritten after every install/update - # Persistent local customizations include brave-browser-nightly.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/brave-browser.profile firejail-0.9.66/etc/profile-a-l/brave-browser.profile --- firejail-0.9.64.4/etc/profile-a-l/brave-browser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/brave-browser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for brave # This file is overwritten after every install/update - # Persistent local customizations include brave-browser.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/brave-browser-stable.profile firejail-0.9.66/etc/profile-a-l/brave-browser-stable.profile --- firejail-0.9.64.4/etc/profile-a-l/brave-browser-stable.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/brave-browser-stable.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for brave (release channel) # This file is overwritten after every install/update - # Persistent local customizations include brave-browser-stable.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/brave.profile firejail-0.9.66/etc/profile-a-l/brave.profile --- firejail-0.9.64.4/etc/profile-a-l/brave.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/brave.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,7 +8,10 @@ # noexec /tmp is included in chromium-common.profile and breaks Brave ignore noexec /tmp -# TOR is installed in ${HOME} +# TOR is installed in ${HOME}. +# NOTE: chromium-common.profile enables apparmor. To keep that intact +# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. +# Alternatively you can add 'ignore apparmor' to your brave.local. ignore noexec ${HOME} noblacklist ${HOME}/.cache/BraveSoftware diff -Nru firejail-0.9.64.4/etc/profile-a-l/bsdcat.profile firejail-0.9.66/etc/profile-a-l/bsdcat.profile --- firejail-0.9.64.4/etc/profile-a-l/bsdcat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bsdcat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for bsdtar # This file is overwritten after every install/update - # Persistent local customizations include bsdcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include bsdtar.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/bsdcpio.profile firejail-0.9.66/etc/profile-a-l/bsdcpio.profile --- firejail-0.9.64.4/etc/profile-a-l/bsdcpio.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bsdcpio.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for bsdtar # This file is overwritten after every install/update - # Persistent local customizations include bsdcpio.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include bsdtar.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/bsdtar.profile firejail-0.9.66/etc/profile-a-l/bsdtar.profile --- firejail-0.9.64.4/etc/profile-a-l/bsdtar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bsdtar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local -include archiver-common.inc - private-etc alternatives,group,localtime,passwd + +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/Builder.profile firejail-0.9.66/etc/profile-a-l/Builder.profile --- firejail-0.9.64.4/etc/profile-a-l/Builder.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Builder.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for gnome-builder # This file is overwritten after every install/update - # Persistent local customizations include Builder.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/bzflag.profile firejail-0.9.66/etc/profile-a-l/bzflag.profile --- firejail-0.9.64.4/etc/profile-a-l/bzflag.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/bzflag.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/calibre.profile firejail-0.9.66/etc/profile-a-l/calibre.profile --- firejail-0.9.64.4/etc/profile-a-l/calibre.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calibre.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligraauthor.profile firejail-0.9.66/etc/profile-a-l/calligraauthor.profile --- firejail-0.9.64.4/etc/profile-a-l/calligraauthor.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligraauthor.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligraauthor.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include calligra.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligraconverter.profile firejail-0.9.66/etc/profile-a-l/calligraconverter.profile --- firejail-0.9.64.4/etc/profile-a-l/calligraconverter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligraconverter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligraconverter.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include calligra.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligraflow.profile firejail-0.9.66/etc/profile-a-l/calligraflow.profile --- firejail-0.9.64.4/etc/profile-a-l/calligraflow.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligraflow.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligraflow.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include calligra.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligragemini.profile firejail-0.9.66/etc/profile-a-l/calligragemini.profile --- firejail-0.9.64.4/etc/profile-a-l/calligragemini.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligragemini.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,12 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update +# Persistent local customizations +include calligragemini.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/calligragemini + +# Redirect +include calligra.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligraplan.profile firejail-0.9.66/etc/profile-a-l/calligraplan.profile --- firejail-0.9.64.4/etc/profile-a-l/calligraplan.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligraplan.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligraplan.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligraplanwork.profile firejail-0.9.66/etc/profile-a-l/calligraplanwork.profile --- firejail-0.9.64.4/etc/profile-a-l/calligraplanwork.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligraplanwork.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligraplanwork.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligra.profile firejail-0.9.66/etc/profile-a-l/calligra.profile --- firejail-0.9.64.4/etc/profile-a-l/calligra.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligra.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -27,9 +28,10 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none -private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 +private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 private-dev # dbus-user none diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligrasheets.profile firejail-0.9.66/etc/profile-a-l/calligrasheets.profile --- firejail-0.9.64.4/etc/profile-a-l/calligrasheets.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligrasheets.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligrasheets.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligrastage.profile firejail-0.9.66/etc/profile-a-l/calligrastage.profile --- firejail-0.9.64.4/etc/profile-a-l/calligrastage.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligrastage.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligrastage.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage diff -Nru firejail-0.9.64.4/etc/profile-a-l/calligrawords.profile firejail-0.9.66/etc/profile-a-l/calligrawords.profile --- firejail-0.9.64.4/etc/profile-a-l/calligrawords.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/calligrawords.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update - # Persistent local customizations include calligrawords.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords diff -Nru firejail-0.9.64.4/etc/profile-a-l/cantata.profile firejail-0.9.66/etc/profile-a-l/cantata.profile --- firejail-0.9.64.4/etc/profile-a-l/cantata.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cantata.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ caps.drop all ipc-namespace netfilter +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/cargo.profile firejail-0.9.66/etc/profile-a-l/cargo.profile --- firejail-0.9.64.4/etc/profile-a-l/cargo.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cargo.profile 2021-06-24 15:56:49.000000000 +0000 @@ -0,0 +1,73 @@ +# Firejail profile for cargo +# Description: The Rust package manager +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include cargo.local +# Persistent global definitions +include globals.local + +ignore noexec ${HOME} +ignore noexec /tmp + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +noblacklist ${HOME}/.cargo/credentials +noblacklist ${HOME}/.cargo/credentials.toml + +# Allows files commonly used by IDEs +include allow-common-devel.inc + +# Allow ssh (blacklisted by disable-common.inc) +#include allow-ssh.inc + +include disable-common.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +#mkdir ${HOME}/.cargo +#whitelist ${HOME}/YOUR_CARGO_PROJECTS +#whitelist ${HOME}/.cargo +#whitelist ${HOME}/.rustup +#include whitelist-common.inc +whitelist /usr/share/pkgconfig +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +#private-bin cargo,rustc +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-write ${HOME}/.cargo/bin diff -Nru firejail-0.9.64.4/etc/profile-a-l/cawbird.profile firejail-0.9.66/etc/profile-a-l/cawbird.profile --- firejail-0.9.64.4/etc/profile-a-l/cawbird.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cawbird.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/celluloid.profile firejail-0.9.66/etc/profile-a-l/celluloid.profile --- firejail-0.9.64.4/etc/profile-a-l/celluloid.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/celluloid.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,12 +10,14 @@ noblacklist ${HOME}/.config/gnome-mpv noblacklist ${HOME}/.config/youtube-dl +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc -# Allow lua (blacklisted by disable-interpreters.inc) -include allow-lua.inc +blacklist /usr/libexec include disable-common.inc include disable-devel.inc @@ -41,6 +43,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/checkbashisms.profile firejail-0.9.66/etc/profile-a-l/checkbashisms.profile --- firejail-0.9.64.4/etc/profile-a-l/checkbashisms.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/checkbashisms.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/Cheese.profile firejail-0.9.66/etc/profile-a-l/Cheese.profile --- firejail-0.9.64.4/etc/profile-a-l/Cheese.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Cheese.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for cheese # This file is overwritten after every install/update - # Persistent local customizations include Cheese.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/cherrytree.profile firejail-0.9.66/etc/profile-a-l/cherrytree.profile --- firejail-0.9.64.4/etc/profile-a-l/cherrytree.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cherrytree.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/chromium-browser-privacy.profile firejail-0.9.66/etc/profile-a-l/chromium-browser-privacy.profile --- firejail-0.9.64.4/etc/profile-a-l/chromium-browser-privacy.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/chromium-browser-privacy.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,12 +6,14 @@ noblacklist ${HOME}/.cache/ungoogled-chromium noblacklist ${HOME}/.config/ungoogled-chromium +blacklist /usr/libexec + mkdir ${HOME}/.cache/ungoogled-chromium mkdir ${HOME}/.config/ungoogled-chromium whitelist ${HOME}/.cache/ungoogled-chromium whitelist ${HOME}/.config/ungoogled-chromium -# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings +# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings # Redirect include chromium.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/chromium-browser.profile firejail-0.9.66/etc/profile-a-l/chromium-browser.profile --- firejail-0.9.64.4/etc/profile-a-l/chromium-browser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/chromium-browser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for chromium # This file is overwritten after every install/update - # Persistent local customizations include chromium-browser.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include chromium.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/chromium-common-hardened.inc.profile firejail-0.9.66/etc/profile-a-l/chromium-common-hardened.inc.profile --- firejail-0.9.64.4/etc/profile-a-l/chromium-common-hardened.inc.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/chromium-common-hardened.inc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,10 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include chromium-common-hardened.inc.local + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6,netlink +# kcmp is required for ozone-platform=wayland, see #3783. +seccomp !chroot,!kcmp diff -Nru firejail-0.9.64.4/etc/profile-a-l/chromium-common.profile firejail-0.9.66/etc/profile-a-l/chromium-common.profile --- firejail-0.9.64.4/etc/profile-a-l/chromium-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/chromium-common.profile 2021-06-27 18:09:10.000000000 +0000 @@ -12,6 +12,10 @@ noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser +# to have access to Gnome extensions (extensions.gnome.org) via browser connector +#include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -30,15 +34,19 @@ include whitelist-usr-share-common.inc include whitelist-var-common.inc -# Uncomment the next line (or add it to your chromium-common.local) -# if your kernel allows unprivileged userns clone. -#include chromium-common-hardened.inc +# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. +#include chromium-common-hardened.inc.profile + +# Add the next two lines to your chromium-common.local to allow screen sharing under wayland. +#whitelist ${RUNUSER}/pipewire-0 +#whitelist /usr/share/pipewire/client.conf apparmor caps.keep sys_admin,sys_chroot netfilter nodvd nogroups +noinput notv ?BROWSER_DISABLE_U2F: nou2f shell none @@ -46,12 +54,10 @@ disable-mnt private-cache ?BROWSER_DISABLE_U2F: private-dev -# problems with multiple browser sessions -#private-tmp +#private-tmp - issues when using multiple browser sessions -# prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector -# dbus-user none +#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. dbus-system none -# the file dialog needs to work without d-bus +# The file dialog needs to work without d-bus. ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 diff -Nru firejail-0.9.64.4/etc/profile-a-l/chromium-freeworld.profile firejail-0.9.66/etc/profile-a-l/chromium-freeworld.profile --- firejail-0.9.64.4/etc/profile-a-l/chromium-freeworld.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/chromium-freeworld.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for chromium-freeworld # This file is overwritten after every install/update - # Persistent local customizations include chromium-freeworld.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include chromium.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/chromium.profile firejail-0.9.66/etc/profile-a-l/chromium.profile --- firejail-0.9.64.4/etc/profile-a-l/chromium.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/chromium.profile 2021-06-22 15:51:28.000000000 +0000 @@ -16,6 +16,7 @@ whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf whitelist /usr/share/chromium +whitelist /usr/share/mozilla/extensions # private-bin chromium,chromium-browser,chromedriver diff -Nru firejail-0.9.64.4/etc/profile-a-l/cinelerra.profile firejail-0.9.66/etc/profile-a-l/cinelerra.profile --- firejail-0.9.64.4/etc/profile-a-l/cinelerra.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cinelerra.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for cin # This file is overwritten after every install/update - # Persistent local customizations include cinelerra.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cin.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/cin.profile firejail-0.9.66/etc/profile-a-l/cin.profile --- firejail-0.9.64.4/etc/profile-a-l/cin.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cin.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,13 +19,14 @@ net none nodvd #nogroups +noinput nonewprivs notv nou2f noroot protocol unix -# if an 1-1.2% gap per thread hurts you, comment seccomp +# If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local. seccomp shell none diff -Nru firejail-0.9.64.4/etc/profile-a-l/cksum.profile firejail-0.9.66/etc/profile-a-l/cksum.profile --- firejail-0.9.64.4/etc/profile-a-l/cksum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cksum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for cksum +# Description: checksum and count the bytes in a file +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include cksum.local +# Persistent global definitions +include globals.local + +private-bin cksum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/clamav.profile firejail-0.9.66/etc/profile-a-l/clamav.profile --- firejail-0.9.64.4/etc/profile-a-l/clamav.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clamav.profile 2021-06-22 15:51:28.000000000 +0000 @@ -17,6 +17,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/clamdscan.profile firejail-0.9.66/etc/profile-a-l/clamdscan.profile --- firejail-0.9.64.4/etc/profile-a-l/clamdscan.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clamdscan.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update - # Persistent local customizations include clamdscan.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include clamav.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/clamdtop.profile firejail-0.9.66/etc/profile-a-l/clamdtop.profile --- firejail-0.9.64.4/etc/profile-a-l/clamdtop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clamdtop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update - # Persistent local customizations include clamdtop.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include clamav.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/clamscan.profile firejail-0.9.66/etc/profile-a-l/clamscan.profile --- firejail-0.9.64.4/etc/profile-a-l/clamscan.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clamscan.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update - # Persistent local customizations include clamscan.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include clamav.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/clamtk.profile firejail-0.9.66/etc/profile-a-l/clamtk.profile --- firejail-0.9.64.4/etc/profile-a-l/clamtk.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clamtk.profile 2021-06-22 15:51:28.000000000 +0000 @@ -13,6 +13,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/clawsker.profile firejail-0.9.66/etc/profile-a-l/clawsker.profile --- firejail-0.9.64.4/etc/profile-a-l/clawsker.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clawsker.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,7 +46,7 @@ private-cache private-dev private-etc alternatives,fonts -private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* +private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* private-tmp dbus-user none diff -Nru firejail-0.9.64.4/etc/profile-a-l/claws-mail.profile firejail-0.9.66/etc/profile-a-l/claws-mail.profile --- firejail-0.9.64.4/etc/profile-a-l/claws-mail.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/claws-mail.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,17 +11,20 @@ mkdir ${HOME}/.claws-mail whitelist ${HOME}/.claws-mail -# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local) +# Add the below lines to your claws-mail.local if you use python-based plugins. # Allow python (blacklisted by disable-interpreters.inc) #include allow-python2.inc #include allow-python3.inc whitelist /usr/share/doc/claws-mail -# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local) -#ignore dbus-user none -#dbus-user filter -#dbus-user.talk org.freedesktop.Notifications +# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gnome.keyring.SystemPrompter +# Add the next line to your claws-mail.local if you use the notification plugin. +# dbus-user.talk org.freedesktop.Notifications # Redirect include email-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/clementine.profile firejail-0.9.66/etc/profile-a-l/clementine.profile --- firejail-0.9.64.4/etc/profile-a-l/clementine.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clementine.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ apparmor caps.drop all +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/clion.profile firejail-0.9.66/etc/profile-a-l/clion.profile --- firejail-0.9.64.4/etc/profile-a-l/clion.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clion.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,9 +11,11 @@ noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc @@ -22,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/clipgrab.profile firejail-0.9.66/etc/profile-a-l/clipgrab.profile --- firejail-0.9.64.4/etc/profile-a-l/clipgrab.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clipgrab.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,6 +43,6 @@ private-dev private-tmp -# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it +# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. # dbus-user none # dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/clipit.profile firejail-0.9.66/etc/profile-a-l/clipit.profile --- firejail-0.9.64.4/etc/profile-a-l/clipit.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clipit.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/clocks.profile firejail-0.9.66/etc/profile-a-l/clocks.profile --- firejail-0.9.64.4/etc/profile-a-l/clocks.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/clocks.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for gnome-clocks # This file is overwritten after every install/update - # Persistent local customizations include clocks.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/code.profile firejail-0.9.66/etc/profile-a-l/code.profile --- firejail-0.9.64.4/etc/profile-a-l/code.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/code.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/colorful.profile firejail-0.9.66/etc/profile-a-l/colorful.profile --- firejail-0.9.64.4/etc/profile-a-l/colorful.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/colorful.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,53 @@ +# Firejail profile for colorful +# Description: simple 2D sideview shooter +# This file is overwritten after every install/update +# Persistent local customizations +include colorful.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.suve/colorful + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.suve/colorful +whitelist ${HOME}/.suve/colorful +whitelist /usr/share/suve +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin colorful +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/colorful-wrapper.profile firejail-0.9.66/etc/profile-a-l/colorful-wrapper.profile --- firejail-0.9.64.4/etc/profile-a-l/colorful-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/colorful-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for colorful-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include colorful-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin colorful-wrapper + +# Redirect +include colorful.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/com.github.bleakgrey.tootle.profile firejail-0.9.66/etc/profile-a-l/com.github.bleakgrey.tootle.profile --- firejail-0.9.64.4/etc/profile-a-l/com.github.bleakgrey.tootle.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/com.github.bleakgrey.tootle.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/com.github.dahenson.agenda.profile firejail-0.9.66/etc/profile-a-l/com.github.dahenson.agenda.profile --- firejail-0.9.64.4/etc/profile-a-l/com.github.dahenson.agenda.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/com.github.dahenson.agenda.profile 2021-06-22 15:51:28.000000000 +0000 @@ -37,6 +37,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/com.github.johnfactotum.Foliate.profile firejail-0.9.66/etc/profile-a-l/com.github.johnfactotum.Foliate.profile --- firejail-0.9.64.4/etc/profile-a-l/com.github.johnfactotum.Foliate.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/com.github.johnfactotum.Foliate.profile 2021-06-22 15:51:28.000000000 +0000 @@ -40,6 +40,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/com.github.phase1geo.minder.profile firejail-0.9.66/etc/profile-a-l/com.github.phase1geo.minder.profile --- firejail-0.9.64.4/etc/profile-a-l/com.github.phase1geo.minder.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/com.github.phase1geo.minder.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,62 @@ +# Firejail profile for com.github.phase1geo.minder +# Description: Mind-mapping application +# This file is overwritten after every install/update +# Persistent local customizations +include com.github.phase1geo.minder.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/minder +noblacklist ${DOCUMENTS} +noblacklist ${PICTURES} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/minder +whitelist ${HOME}/.local/share/minder +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${PICTURES} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin com.github.phase1geo.minder +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg +private-tmp + +dbus-user filter +dbus-user.own com.github.phase1geo.minder +dbus-user.talk ca.desrt.dconf +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/com.gitlab.newsflash.profile firejail-0.9.66/etc/profile-a-l/com.gitlab.newsflash.profile --- firejail-0.9.64.4/etc/profile-a-l/com.gitlab.newsflash.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/com.gitlab.newsflash.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for newsflash # This file is overwritten after every install/update - # Persistent local customizations include com.gitlab.newsflash.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include newsflash.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/conky.profile firejail-0.9.66/etc/profile-a-l/conky.profile --- firejail-0.9.64.4/etc/profile-a-l/conky.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/conky.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/corebird.profile firejail-0.9.66/etc/profile-a-l/corebird.profile --- firejail-0.9.64.4/etc/profile-a-l/corebird.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/corebird.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/cower.profile firejail-0.9.66/etc/profile-a-l/cower.profile --- firejail-0.9.64.4/etc/profile-a-l/cower.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cower.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/coyim.profile firejail-0.9.66/etc/profile-a-l/coyim.profile --- firejail-0.9.64.4/etc/profile-a-l/coyim.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/coyim.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/cpio.profile firejail-0.9.66/etc/profile-a-l/cpio.profile --- firejail-0.9.64.4/etc/profile-a-l/cpio.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cpio.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,4 +10,5 @@ noblacklist /sbin noblacklist /usr/sbin -include archiver-common.inc +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/crawl.profile firejail-0.9.66/etc/profile-a-l/crawl.profile --- firejail-0.9.64.4/etc/profile-a-l/crawl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/crawl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/crawl-tiles.profile firejail-0.9.66/etc/profile-a-l/crawl-tiles.profile --- firejail-0.9.64.4/etc/profile-a-l/crawl-tiles.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/crawl-tiles.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for crawl # This file is overwritten after every install/update - # Persistent local customizations include crawl-titles.local +# Persistent global definitions +# added by included profile +#include globals.local ignore no3d diff -Nru firejail-0.9.64.4/etc/profile-a-l/crow.profile firejail-0.9.66/etc/profile-a-l/crow.profile --- firejail-0.9.64.4/etc/profile-a-l/crow.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/crow.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/cryptocat.profile firejail-0.9.66/etc/profile-a-l/cryptocat.profile --- firejail-0.9.64.4/etc/profile-a-l/cryptocat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/cryptocat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for Cryptocat # This file is overwritten after every install/update - # Persistent local customizations include cryptocat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include Cryptocat.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/Cryptocat.profile firejail-0.9.66/etc/profile-a-l/Cryptocat.profile --- firejail-0.9.64.4/etc/profile-a-l/Cryptocat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Cryptocat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -17,6 +17,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/curl.profile firejail-0.9.66/etc/profile-a-l/curl.profile --- firejail-0.9.64.4/etc/profile-a-l/curl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/curl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,9 +9,9 @@ # curl 7.74.0 introduces experimental support for HSTS cache # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ -# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts -# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local -# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact +# Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts. +# If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local +# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact. noblacklist ${HOME}/.curl-hsts noblacklist ${HOME}/.curlrc @@ -22,7 +22,7 @@ include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc -# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local +# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. #include disable-xdg.inc include whitelist-usr-share-common.inc @@ -36,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/Cyberfox.profile firejail-0.9.66/etc/profile-a-l/Cyberfox.profile --- firejail-0.9.64.4/etc/profile-a-l/Cyberfox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Cyberfox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for cyberfox # This file is overwritten after every install/update - # Persistent local customizations include Cyberfox.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cyberfox.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/darktable.profile firejail-0.9.66/etc/profile-a-l/darktable.profile --- firejail-0.9.64.4/etc/profile-a-l/darktable.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/darktable.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/dbus-send.profile firejail-0.9.66/etc/profile-a-l/dbus-send.profile --- firejail-0.9.64.4/etc/profile-a-l/dbus-send.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dbus-send.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -52,7 +53,7 @@ private-cache private-dev private-etc alternatives,dbus-1 -private-lib libpcre2-8.so.0 +private-lib libpcre* private-tmp memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/dconf-editor.profile firejail-0.9.66/etc/profile-a-l/dconf-editor.profile --- firejail-0.9.64.4/etc/profile-a-l/dconf-editor.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dconf-editor.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/dconf.profile firejail-0.9.66/etc/profile-a-l/dconf.profile --- firejail-0.9.64.4/etc/profile-a-l/dconf.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dconf.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ddgr.profile firejail-0.9.66/etc/profile-a-l/ddgr.profile --- firejail-0.9.64.4/etc/profile-a-l/ddgr.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ddgr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for ddgr +# Description: Search DuckDuckGo from your terminal +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ddgr.local +# Persistent global definitions +include globals.local + +private-bin ddgr + +# Redirect +include googler-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/deadbeef.profile firejail-0.9.66/etc/profile-a-l/deadbeef.profile --- firejail-0.9.64.4/etc/profile-a-l/deadbeef.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/deadbeef.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/default.profile firejail-0.9.66/etc/profile-a-l/default.profile --- firejail-0.9.64.4/etc/profile-a-l/default.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/default.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,12 +32,13 @@ # no3d # nodvd # nogroups +noinput nonewprivs noroot # nosound -# notv +notv # nou2f -# novideo +novideo protocol unix,inet,inet6 seccomp # shell none diff -Nru firejail-0.9.64.4/etc/profile-a-l/deluge.profile firejail-0.9.66/etc/profile-a-l/deluge.profile --- firejail-0.9.64.4/etc/profile-a-l/deluge.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/deluge.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ machine-id netfilter nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/desktopeditors.profile firejail-0.9.66/etc/profile-a-l/desktopeditors.profile --- firejail-0.9.64.4/etc/profile-a-l/desktopeditors.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/desktopeditors.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/devhelp.profile firejail-0.9.66/etc/profile-a-l/devhelp.profile --- firejail-0.9.64.4/etc/profile-a-l/devhelp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/devhelp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ # net none - makes settings immutable nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/devilspie.profile firejail-0.9.66/etc/profile-a-l/devilspie.profile --- firejail-0.9.64.4/etc/profile-a-l/devilspie.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/devilspie.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/dex2jar.profile firejail-0.9.66/etc/profile-a-l/dex2jar.profile --- firejail-0.9.64.4/etc/profile-a-l/dex2jar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dex2jar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/d-feet.profile firejail-0.9.66/etc/profile-a-l/d-feet.profile --- firejail-0.9.64.4/etc/profile-a-l/d-feet.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/d-feet.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/dia.profile firejail-0.9.66/etc/profile-a-l/dia.profile --- firejail-0.9.64.4/etc/profile-a-l/dia.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dia.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,6 +9,7 @@ noblacklist ${HOME}/.dia noblacklist ${DOCUMENTS} +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -35,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/digikam.profile firejail-0.9.66/etc/profile-a-l/digikam.profile --- firejail-0.9.64.4/etc/profile-a-l/digikam.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/digikam.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/digikamrc noblacklist ${HOME}/.kde/share/apps/digikam noblacklist ${HOME}/.kde4/share/apps/digikam +noblacklist ${HOME}/.local/share/kxmlgui5/digikam noblacklist ${PICTURES} include disable-common.inc diff -Nru firejail-0.9.64.4/etc/profile-a-l/dig.profile firejail-0.9.66/etc/profile-a-l/dig.profile --- firejail-0.9.64.4/etc/profile-a-l/dig.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dig.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,7 +21,7 @@ include disable-programs.inc include disable-xdg.inc -#mkfile ${HOME}/.digrc -- see #903 +#mkfile ${HOME}/.digrc - see #903 whitelist ${HOME}/.digrc include whitelist-common.inc include whitelist-usr-share-common.inc @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -49,7 +50,7 @@ disable-mnt private-bin bash,dig,sh private-dev -# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) +# Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038). #private-lib private-tmp diff -Nru firejail-0.9.64.4/etc/profile-a-l/dillo.profile firejail-0.9.66/etc/profile-a-l/dillo.profile --- firejail-0.9.64.4/etc/profile-a-l/dillo.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dillo.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ caps.drop all netfilter nodvd +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/dino.profile firejail-0.9.66/etc/profile-a-l/dino.profile --- firejail-0.9.64.4/etc/profile-a-l/dino.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dino.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,21 +20,24 @@ whitelist ${HOME}/.local/share/dino whitelist ${DOWNLOADS} include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all netfilter -no3d nodvd nogroups +noinput nonewprivs noroot -nosound notv nou2f -novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin dino @@ -42,3 +45,4 @@ # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection private-tmp +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/discord-canary.profile firejail-0.9.66/etc/profile-a-l/discord-canary.profile --- firejail-0.9.64.4/etc/profile-a-l/discord-canary.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/discord-canary.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,7 +10,7 @@ mkdir ${HOME}/.config/discordcanary whitelist ${HOME}/.config/discordcanary -private-bin discord-canary +private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9] private-opt discord-canary # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/discord-common.profile firejail-0.9.66/etc/profile-a-l/discord-common.profile --- firejail-0.9.64.4/etc/profile-a-l/discord-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/discord-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,6 +18,7 @@ ignore dbus-system none ignore noexec ${HOME} +ignore novideo whitelist ${HOME}/.config/BetterDiscord whitelist ${HOME}/.local/share/betterdiscordctl @@ -25,5 +26,7 @@ private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl +join-or-start discord + # Redirect include electron.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/display-im6.q16.profile firejail-0.9.66/etc/profile-a-l/display-im6.q16.profile --- firejail-0.9.64.4/etc/profile-a-l/display-im6.q16.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/display-im6.q16.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,10 @@ +# Firejail profile for display-im6.q16 +# This file is overwritten after every install/update +# Persistent local customizations +include display-im6.q16.local +# Persistent global definitions +include globals.local + + +# Redirect +include display.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/display.profile firejail-0.9.66/etc/profile-a-l/display.profile --- firejail-0.9.64.4/etc/profile-a-l/display.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/display.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/dnscrypt-proxy.profile firejail-0.9.66/etc/profile-a-l/dnscrypt-proxy.profile --- firejail-0.9.64.4/etc/profile-a-l/dnscrypt-proxy.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dnscrypt-proxy.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ netfilter no3d nodvd +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/dnsmasq.profile firejail-0.9.66/etc/profile-a-l/dnsmasq.profile --- firejail-0.9.64.4/etc/profile-a-l/dnsmasq.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dnsmasq.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ caps.keep net_admin,net_bind_service,net_raw,setgid,setuid no3d nodvd +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/Documents.profile firejail-0.9.66/etc/profile-a-l/Documents.profile --- firejail-0.9.64.4/etc/profile-a-l/Documents.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Documents.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for gnome-documents # This file is overwritten after every install/update - # Persistent local customizations include Documents.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/dolphin-emu.profile firejail-0.9.66/etc/profile-a-l/dolphin-emu.profile --- firejail-0.9.64.4/etc/profile-a-l/dolphin-emu.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dolphin-emu.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# Note: you must whitelist your games folder in a dolphin-emu.local +# Note: you must whitelist your games folder in your dolphin-emu.local. noblacklist ${HOME}/.cache/dolphin-emu noblacklist ${HOME}/.config/dolphin-emu @@ -18,6 +18,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc mkdir ${HOME}/.cache/dolphin-emu @@ -35,10 +36,10 @@ apparmor caps.drop all ipc-namespace -# uncomment the following line if you do not need NetPlay support +# Add the next line to your dolphin-emu.local if you do not need NetPlay support. # net none netfilter -# uncomment the following line if you do not need disc support +# Add the next line to your dolphin-emu.local if you do not need disc support. #nodvd nogroups nonewprivs @@ -53,7 +54,7 @@ private-bin bash,dolphin-emu,dolphin-emu-x11,sh private-cache -# uncomment the following line if you do not need controller support +# Add the next line to your dolphin-emu.local if you do not need controller support. #private-dev private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg private-opt none diff -Nru firejail-0.9.64.4/etc/profile-a-l/dooble.profile firejail-0.9.66/etc/profile-a-l/dooble.profile --- firejail-0.9.64.4/etc/profile-a-l/dooble.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dooble.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/dooble-qt4.profile firejail-0.9.66/etc/profile-a-l/dooble-qt4.profile --- firejail-0.9.64.4/etc/profile-a-l/dooble-qt4.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dooble-qt4.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for dooble # This file is overwritten after every install/update - # Persistent local customizations include dooble-qt4.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include dooble.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/dosbox.profile firejail-0.9.66/etc/profile-a-l/dosbox.profile --- firejail-0.9.64.4/etc/profile-a-l/dosbox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dosbox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,18 +11,22 @@ include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -36,3 +40,6 @@ private-bin dosbox private-dev private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/dragon.profile firejail-0.9.66/etc/profile-a-l/dragon.profile --- firejail-0.9.64.4/etc/profile-a-l/dragon.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dragon.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/drawio.profile firejail-0.9.66/etc/profile-a-l/drawio.profile --- firejail-0.9.64.4/etc/profile-a-l/drawio.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/drawio.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/drill.profile firejail-0.9.66/etc/profile-a-l/drill.profile --- firejail-0.9.64.4/etc/profile-a-l/drill.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/drill.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/dropbox.profile firejail-0.9.66/etc/profile-a-l/dropbox.profile --- firejail-0.9.64.4/etc/profile-a-l/dropbox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/dropbox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,6 +9,9 @@ noblacklist ${HOME}/.dropbox noblacklist ${HOME}/.dropbox-dist +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc @@ -30,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/easystroke.profile firejail-0.9.66/etc/profile-a-l/easystroke.profile --- firejail-0.9.64.4/etc/profile-a-l/easystroke.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/easystroke.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ebook-convert.profile firejail-0.9.66/etc/profile-a-l/ebook-convert.profile --- firejail-0.9.64.4/etc/profile-a-l/ebook-convert.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ebook-convert.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-convert.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/ebook-edit.profile firejail-0.9.66/etc/profile-a-l/ebook-edit.profile --- firejail-0.9.64.4/etc/profile-a-l/ebook-edit.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ebook-edit.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-edit.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/ebook-meta.profile firejail-0.9.66/etc/profile-a-l/ebook-meta.profile --- firejail-0.9.64.4/etc/profile-a-l/ebook-meta.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ebook-meta.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-meta.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/ebook-polish.profile firejail-0.9.66/etc/profile-a-l/ebook-polish.profile --- firejail-0.9.64.4/etc/profile-a-l/ebook-polish.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ebook-polish.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-polish.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/electron-mail.profile firejail-0.9.66/etc/profile-a-l/electron-mail.profile --- firejail-0.9.64.4/etc/profile-a-l/electron-mail.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/electron-mail.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/electron.profile firejail-0.9.66/etc/profile-a-l/electron.profile --- firejail-0.9.64.4/etc/profile-a-l/electron.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/electron.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,15 +18,15 @@ include whitelist-usr-share-common.inc include whitelist-var-common.inc -# Uncomment the next line (or add it to your chromium-common.local) -# if your kernel allows unprivileged userns clone. -#include chromium-common-hardened.inc +# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. +#include chromium-common-hardened.inc.profile apparmor caps.keep sys_admin,sys_chroot netfilter nodvd nogroups +noinput notv nou2f novideo diff -Nru firejail-0.9.64.4/etc/profile-a-l/electrum.profile firejail-0.9.66/etc/profile-a-l/electrum.profile --- firejail-0.9.64.4/etc/profile-a-l/electrum.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/electrum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/elinks.profile firejail-0.9.66/etc/profile-a-l/elinks.profile --- firejail-0.9.64.4/etc/profile-a-l/elinks.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/elinks.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for elinks # Description: Advanced text-mode WWW browser # This file is overwritten after every install/update +quiet # Persistent local customizations include elinks.local # Persistent global definitions @@ -8,36 +9,10 @@ noblacklist ${HOME}/.elinks -blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* +mkdir ${HOME}/.elinks +whitelist ${HOME}/.elinks -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc +private-bin elinks -include whitelist-runuser-common.inc - -caps.drop all -netfilter -no3d -nodvd -nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - -# private-bin elinks -private-cache -private-dev -# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl -private-tmp +# Redirect +include links-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/emacs.profile firejail-0.9.66/etc/profile-a-l/emacs.profile --- firejail-0.9.64.4/etc/profile-a-l/emacs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/emacs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,8 +8,7 @@ noblacklist ${HOME}/.emacs noblacklist ${HOME}/.emacs.d -# if you need gpg uncomment the following line -# or put it into your emacs.local +# Add the next line to your emacs.local if you need gpg support. #noblacklist ${HOME}/.gnupg # Allows files commonly used by IDEs diff -Nru firejail-0.9.64.4/etc/profile-a-l/email-common.profile firejail-0.9.66/etc/profile-a-l/email-common.profile --- firejail-0.9.64.4/etc/profile-a-l/email-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/email-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,6 +8,7 @@ #include globals.local noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mozilla noblacklist ${HOME}/.signature # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications @@ -17,32 +18,39 @@ include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist ${DOCUMENTS} -whitelist ${DOWNLOADS} -mkfile ${HOME}/.config/mimeapps.list mkdir ${HOME}/.gnupg +mkfile ${HOME}/.config/mimeapps.list mkfile ${HOME}/.signature whitelist ${HOME}/.config/mimeapps.list +whitelist ${HOME}/.mozilla/firefox/profiles.ini whitelist ${HOME}/.gnupg whitelist ${HOME}/.signature +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local whitelist ${HOME}/Mail +whitelist ${RUNUSER}/gnupg whitelist /usr/share/gnupg whitelist /usr/share/gnupg2 include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all +machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -51,22 +59,26 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog +# disable-mnt private-cache private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg private-tmp - -dbus-user none -dbus-system none - # encrypting and signing email writable-run-user +dbus-system none + # If you want to read local mail stored in /var/mail, add the following to email-common.local: #noblacklist /var/mail #noblacklist /var/spool/mail #whitelist /var/mail #whitelist /var/spool/mail #writable-var + +read-only ${HOME}/.mozilla/firefox/profiles.ini +read-only ${HOME}/.signature diff -Nru firejail-0.9.64.4/etc/profile-a-l/enchant.profile firejail-0.9.66/etc/profile-a-l/enchant.profile --- firejail-0.9.64.4/etc/profile-a-l/enchant.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/enchant.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/engrampa.profile firejail-0.9.66/etc/profile-a-l/engrampa.profile --- firejail-0.9.64.4/etc/profile-a-l/engrampa.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/engrampa.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,7 +37,6 @@ private-dev # private-tmp -dbus-user none +dbus-user filter +dbus-user.talk ca.desrt.dconf dbus-system none - -memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/enpass.profile firejail-0.9.66/etc/profile-a-l/enpass.profile --- firejail-0.9.64.4/etc/profile-a-l/enpass.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/enpass.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,16 +32,17 @@ include whitelist-common.inc include whitelist-var-common.inc -# machine-id and nosound break audio notification functionality -# comment both if you need that functionality or put 'ignore machine-id' -# and 'ignore nosound' in your enpass.local - +# machine-id and nosound break audio notification functionality. +# Add the next lines to your enpass.local if you need that functionality. +#ignore machine-id +#ignore nosound caps.drop all machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/eo-common.profile firejail-0.9.66/etc/profile-a-l/eo-common.profile --- firejail-0.9.64.4/etc/profile-a-l/eo-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/eo-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,6 +11,8 @@ noblacklist ${HOME}/.Steam noblacklist ${HOME}/.steam +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -31,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/eog.profile firejail-0.9.66/etc/profile-a-l/eog.profile --- firejail-0.9.64.4/etc/profile-a-l/eog.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/eog.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,11 +10,13 @@ whitelist /usr/share/eog -# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' -# comment those if you need that functionality -# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local -private-bin eog +# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'. +# Add the next lines to your eog.local if you need that functionality. +#ignore private-bin +#ignore private-etc +#ignore private-lib +private-bin eog # broken on Debian 10 (buster) running LXDE got the folowing error: # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown diff -Nru firejail-0.9.64.4/etc/profile-a-l/eom.profile firejail-0.9.66/etc/profile-a-l/eom.profile --- firejail-0.9.64.4/etc/profile-a-l/eom.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/eom.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,9 +10,12 @@ whitelist /usr/share/eom -# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' -# comment those if you need that functionality -# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local +# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'. +# Add the next lines to your eom.local if you need that functionality. +#ignore private-bin +#ignore private-etc +#ignore private-lib + private-bin eom # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/ephemeral.profile firejail-0.9.66/etc/profile-a-l/ephemeral.profile --- firejail-0.9.64.4/etc/profile-a-l/ephemeral.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ephemeral.profile 2021-06-22 15:51:28.000000000 +0000 @@ -41,6 +41,7 @@ netfilter nodvd nogroups +noinput nonewprivs # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. noroot diff -Nru firejail-0.9.64.4/etc/profile-a-l/equalx.profile firejail-0.9.66/etc/profile-a-l/equalx.profile --- firejail-0.9.64.4/etc/profile-a-l/equalx.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/equalx.profile 2021-06-22 15:51:28.000000000 +0000 @@ -39,6 +39,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/etr.profile firejail-0.9.66/etc/profile-a-l/etr.profile --- firejail-0.9.64.4/etc/profile-a-l/etr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/etr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,6 +8,8 @@ noblacklist ${HOME}/.etr +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -20,6 +22,8 @@ mkdir ${HOME}/.etr whitelist ${HOME}/.etr whitelist /usr/share/etr +# Debian version +whitelist /usr/share/games/etr include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -30,6 +34,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv @@ -37,6 +42,7 @@ novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog @@ -44,7 +50,7 @@ private-bin etr private-cache private-dev -# private-etc alternatives,drirc,machine-id,openal +# private-etc alternatives,drirc,machine-id,openal,passwd private-tmp dbus-user none diff -Nru firejail-0.9.64.4/etc/profile-a-l/etr-wrapper.profile firejail-0.9.66/etc/profile-a-l/etr-wrapper.profile --- firejail-0.9.64.4/etc/profile-a-l/etr-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/etr-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for etr-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include etr-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin etr-wrapper + +# Redirect +include etr.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/evince.profile firejail-0.9.66/etc/profile-a-l/evince.profile --- firejail-0.9.64.4/etc/profile-a-l/evince.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/evince.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,13 +6,15 @@ # Persistent global definitions include globals.local -# Uncomment this line and the bottom ones to use bookmarks -# NOTE: This possibly exposes information, including file history from other programs. +# WARNING: using bookmarks possibly exposes information, including file history from other programs. +# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below). #noblacklist ${HOME}/.local/share/gvfs-metadata noblacklist ${HOME}/.config/evince noblacklist ${DOCUMENTS} +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -37,6 +39,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -57,9 +60,9 @@ private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* private-tmp -# might break two-page-view on some systems +# dbus-user filtering might break two-page-view on some systems dbus-user filter -# Also uncomment these two lines if you want to use bookmarks +# Add the next two lines to your evince.local if you need bookmarks support. #dbus-user.talk org.gtk.vfs.Daemon #dbus-user.talk org.gtk.vfs.Metadata dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/evolution.profile firejail-0.9.66/etc/profile-a-l/evolution.profile --- firejail-0.9.64.4/etc/profile-a-l/evolution.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/evolution.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,16 +6,15 @@ # Persistent global definitions include globals.local +noblacklist /var/mail +noblacklist /var/spool/mail noblacklist ${HOME}/.bogofilter -noblacklist ${HOME}/.gnupg -noblacklist ${HOME}/.mozilla -noblacklist ${HOME}/.pki noblacklist ${HOME}/.cache/evolution noblacklist ${HOME}/.config/evolution +noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.local/share/evolution +noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki -noblacklist /var/mail -noblacklist /var/spool/mail include disable-common.inc include disable-devel.inc @@ -23,44 +22,16 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -include disable-shell.inc -include disable-xdg.inc -mkdir ${HOME}/.bogofilter -mkdir ${HOME}/.gnupg -mkdir ${HOME}/.pki -mkdir ${HOME}/.cache/evolution -mkdir ${HOME}/.config/evolution -mkdir ${HOME}/.local/share/evolution -mkdir ${HOME}/.local/share/pki -whitelist ${HOME}/.bogofilter -whitelist ${HOME}/.gnupg -whitelist ${HOME}/.mozilla/firefox/profiles.ini -whitelist ${HOME}/.pki -whitelist ${HOME}/.cache/evolution -whitelist ${HOME}/.config/evolution -whitelist ${HOME}/.local/share/evolution -whitelist ${HOME}/.local/share/pki -whitelist ${DOCUMENTS} -whitelist ${DOWNLOADS} -whitelist ${RUNUSER}/gnupg -whitelist /usr/share/evolution -whitelist /usr/share/gnupg -whitelist /usr/share/gnupg2 -whitelist /var/mail -whitelist /var/spool/mail -include whitelist-common.inc include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc -apparmor caps.drop all netfilter # no3d breaks under wayland -# no3d +#no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -70,27 +41,7 @@ protocol unix,inet,inet6 seccomp shell none -tracelog -# disable-mnt -# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg -# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support -# private-bin evolution -private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg private-tmp -writable-run-user writable-var - -dbus-user filter -dbus-user.own org.gnome.Evolution -dbus-user.talk ca.desrt.dconf -# Uncomment to have keyring access -# dbus-user.talk org.freedesktop.secrets -dbus-user.talk org.gnome.keyring.SystemPrompter -dbus-user.talk org.gnome.OnlineAccounts -dbus-user.talk org.freedesktop.Notifications -dbus-system none - -read-only ${HOME}/.mozilla/firefox/profiles.ini diff -Nru firejail-0.9.64.4/etc/profile-a-l/exfalso.profile firejail-0.9.66/etc/profile-a-l/exfalso.profile --- firejail-0.9.64.4/etc/profile-a-l/exfalso.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/exfalso.profile 2021-06-22 15:51:28.000000000 +0000 @@ -4,58 +4,12 @@ # Persistent local customizations include exfalso.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -noblacklist ${HOME}/.quodlibet -noblacklist ${MUSIC} - -# Allow python (blacklisted by disable-interpreters.inc) -include allow-python2.inc -include allow-python3.inc - -whitelist ${DOWNLOADS} -whitelist ${MUSIC} - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-shell.inc -include disable-xdg.inc - -mkdir ${HOME}/.quodlibet -whitelist ${HOME}/.quodlibet -include whitelist-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none - -private-bin exfalso,python* -private-cache -private-dev -private-etc alternatives,fonts,group,passwd private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3* -private-tmp dbus-user none -dbus-system none -#memory-deny-write-execute - breaks on Arch (see issue #1803) +# Redirect +include quodlibet.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/exiftool.profile firejail-0.9.66/etc/profile-a-l/exiftool.profile --- firejail-0.9.64.4/etc/profile-a-l/exiftool.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/exiftool.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,8 +43,9 @@ tracelog x11 none -# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. -# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. +# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool +# to /usr/bin/exiftool and add the below to your exiftool.local. +# Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening. #private-bin exiftool,perl private-cache private-dev diff -Nru firejail-0.9.64.4/etc/profile-a-l/falkon.profile firejail-0.9.66/etc/profile-a-l/falkon.profile --- firejail-0.9.64.4/etc/profile-a-l/falkon.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/falkon.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/fbreader.profile firejail-0.9.66/etc/profile-a-l/fbreader.profile --- firejail-0.9.64.4/etc/profile-a-l/fbreader.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/fbreader.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ caps.drop all net none nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/feedreader.profile firejail-0.9.66/etc/profile-a-l/feedreader.profile --- firejail-0.9.64.4/etc/profile-a-l/feedreader.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/feedreader.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ # no3d nodvd nogroups +noinput nonewprivs noroot # nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/feh-network.inc.profile firejail-0.9.66/etc/profile-a-l/feh-network.inc.profile --- firejail-0.9.64.4/etc/profile-a-l/feh-network.inc.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/feh-network.inc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,8 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include feh-network.inc.local + +ignore net none +netfilter +protocol unix,inet,inet6 +private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl diff -Nru firejail-0.9.64.4/etc/profile-a-l/feh.profile firejail-0.9.66/etc/profile-a-l/feh.profile --- firejail-0.9.64.4/etc/profile-a-l/feh.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/feh.profile 2021-06-22 15:51:28.000000000 +0000 @@ -15,16 +15,15 @@ include disable-programs.inc include disable-shell.inc -# This profile disables network access -# In order to enable network access, -# uncomment the following or put it in your feh.local: -# include feh-network.inc +# Add the next line to your feh.local to enable network access. +#include feh-network.inc.profile caps.drop all net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ferdi.profile firejail-0.9.66/etc/profile-a-l/ferdi.profile --- firejail-0.9.64.4/etc/profile-a-l/ferdi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ferdi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/fetchmail.profile firejail-0.9.66/etc/profile-a-l/fetchmail.profile --- firejail-0.9.64.4/etc/profile-a-l/fetchmail.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/fetchmail.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ffmpeg.profile firejail-0.9.66/etc/profile-a-l/ffmpeg.profile --- firejail-0.9.64.4/etc/profile-a-l/ffmpeg.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ffmpeg.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/file-manager-common.profile firejail-0.9.66/etc/profile-a-l/file-manager-common.profile --- firejail-0.9.64.4/etc/profile-a-l/file-manager-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/file-manager-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -15,7 +15,7 @@ # Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc -# Allow perl +# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc # Allow python (blacklisted by disable-interpreters.inc) @@ -36,6 +36,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/file.profile firejail-0.9.66/etc/profile-a-l/file.profile --- firejail-0.9.64.4/etc/profile-a-l/file.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/file.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ no3d nodvd nogroups +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/file-roller.profile firejail-0.9.66/etc/profile-a-l/file-roller.profile --- firejail-0.9.64.4/etc/profile-a-l/file-roller.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/file-roller.profile 2021-06-22 15:51:28.000000000 +0000 @@ -13,6 +13,7 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/libexec/file-roller whitelist /usr/share/file-roller include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -20,12 +21,13 @@ apparmor caps.drop all -#ipc-namespace - causing issues launching on archlinux machine-id # net none - breaks on older Ubuntu versions +netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -38,7 +40,7 @@ shell none tracelog -private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo +private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd private-cache private-dev private-etc dconf,fonts,gtk-3.0,xdg diff -Nru firejail-0.9.64.4/etc/profile-a-l/filezilla.profile firejail-0.9.66/etc/profile-a-l/filezilla.profile --- firejail-0.9.64.4/etc/profile-a-l/filezilla.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/filezilla.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,12 +8,14 @@ noblacklist ${HOME}/.config/filezilla noblacklist ${HOME}/.filezilla -noblacklist ${HOME}/.ssh # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc @@ -25,6 +27,7 @@ caps.drop all netfilter nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/firedragon.profile firejail-0.9.66/etc/profile-a-l/firedragon.profile --- firejail-0.9.64.4/etc/profile-a-l/firedragon.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/firedragon.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,26 @@ +# Firejail profile for FireDragon +# Description: Librewolf fork with enhanced KDE integration +# This file is overwritten after every install/update +# Persistent local customizations +include firedragon.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/firedragon +noblacklist ${HOME}/.firedragon + +mkdir ${HOME}/.cache/firedragon +mkdir ${HOME}/.firedragon +whitelist ${HOME}/.cache/firedragon +whitelist ${HOME}/.firedragon + +# Add the next lines to your firedragon.local if you want to use the migration wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + +# FireDragon requires a shell to launch on Arch. We can possibly remove sh though. +# Add the next line to your firedragon.local to enable private-bin. +#private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which + +# Redirect +include firefox-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/firefox-common-addons.profile firejail-0.9.66/etc/profile-a-l/firefox-common-addons.profile --- firejail-0.9.64.4/etc/profile-a-l/firefox-common-addons.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/firefox-common-addons.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,92 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include firefox-common-addons.local + +ignore include whitelist-runuser-common.inc +ignore private-cache + +noblacklist ${HOME}/.cache/youtube-dl +noblacklist ${HOME}/.config/kgetrc +noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.config/okularpartrc +noblacklist ${HOME}/.config/okularrc +noblacklist ${HOME}/.config/qpdfview +noblacklist ${HOME}/.config/youtube-dl +noblacklist ${HOME}/.kde/share/apps/kget +noblacklist ${HOME}/.kde/share/apps/okular +noblacklist ${HOME}/.kde/share/config/kgetrc +noblacklist ${HOME}/.kde/share/config/okularpartrc +noblacklist ${HOME}/.kde/share/config/okularrc +noblacklist ${HOME}/.kde4/share/apps/kget +noblacklist ${HOME}/.kde4/share/apps/okular +noblacklist ${HOME}/.kde4/share/config/kgetrc +noblacklist ${HOME}/.kde4/share/config/okularpartrc +noblacklist ${HOME}/.kde4/share/config/okularrc +noblacklist ${HOME}/.local/share/kget +noblacklist ${HOME}/.local/share/kxmlgui5/okular +noblacklist ${HOME}/.local/share/okular +noblacklist ${HOME}/.local/share/qpdfview +noblacklist ${HOME}/.netrc + +whitelist ${HOME}/.cache/gnome-mplayer/plugin +whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs +whitelist ${HOME}/.config/gnome-mplayer +whitelist ${HOME}/.config/kgetrc +whitelist ${HOME}/.config/mpv +whitelist ${HOME}/.config/okularpartrc +whitelist ${HOME}/.config/okularrc +whitelist ${HOME}/.config/pipelight-silverlight5.1 +whitelist ${HOME}/.config/pipelight-widevine +whitelist ${HOME}/.config/qpdfview +whitelist ${HOME}/.config/youtube-dl +whitelist ${HOME}/.kde/share/apps/kget +whitelist ${HOME}/.kde/share/apps/okular +whitelist ${HOME}/.kde/share/config/kgetrc +whitelist ${HOME}/.kde/share/config/okularpartrc +whitelist ${HOME}/.kde/share/config/okularrc +whitelist ${HOME}/.kde4/share/apps/kget +whitelist ${HOME}/.kde4/share/apps/okular +whitelist ${HOME}/.kde4/share/config/kgetrc +whitelist ${HOME}/.kde4/share/config/okularpartrc +whitelist ${HOME}/.kde4/share/config/okularrc +whitelist ${HOME}/.keysnail.js +whitelist ${HOME}/.lastpass +whitelist ${HOME}/.local/share/kget +whitelist ${HOME}/.local/share/kxmlgui5/okular +whitelist ${HOME}/.local/share/okular +whitelist ${HOME}/.local/share/qpdfview +whitelist ${HOME}/.local/share/tridactyl +whitelist ${HOME}/.netrc +whitelist ${HOME}/.pentadactyl +whitelist ${HOME}/.pentadactylrc +whitelist ${HOME}/.tridactylrc +whitelist ${HOME}/.vimperator +whitelist ${HOME}/.vimperatorrc +whitelist ${HOME}/.wine-pipelight +whitelist ${HOME}/.wine-pipelight64 +whitelist ${HOME}/.zotero +whitelist ${HOME}/dwhelper +whitelist /usr/share/lua +whitelist /usr/share/lua* +whitelist /usr/share/vulkan + +# GNOME Shell integration (chrome-gnome-shell) needs dbus and python +noblacklist ${HOME}/.local/share/gnome-shell +whitelist ${HOME}/.local/share/gnome-shell +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gnome.ChromeGnomeShell +dbus-user.talk org.gnome.Shell +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +# KeePassXC Browser Integration +#private-bin keepassxc-proxy + +# Flash plugin +# private-etc must first be enabled in firefox-common.profile and in profiles including it. +#private-etc adobe + +# ff2mpv +#ignore noexec ${HOME} +#include allow-lua.inc +#private-bin env,mpv,python3*,waf,youtube-dl diff -Nru firejail-0.9.64.4/etc/profile-a-l/firefox-common.profile firejail-0.9.66/etc/profile-a-l/firefox-common.profile --- firejail-0.9.64.4/etc/profile-a-l/firefox-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/firefox-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,8 +9,8 @@ # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} -# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. -#include firefox-common-addons.inc +# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. +#include firefox-common-addons.profile noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki @@ -32,11 +32,12 @@ apparmor caps.drop all -# machine-id breaks pulse audio; it should work fine in setups where sound is not required. +# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. #machine-id netfilter nodvd nogroups +noinput nonewprivs # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. noroot @@ -52,10 +53,11 @@ disable-mnt ?BROWSER_DISABLE_U2F: private-dev # private-etc below works fine on most distributions. There are some problems on CentOS. +# Add it to your firefox-common.local if you want to enable it. #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp -# breaks various desktop integration features -# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma +# 'dbus-user none' breaks various desktop integration features like global menus, native notifications, +# Gnome connector, KDE connect and power management on KDE Plasma. dbus-user none dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/firefox.profile firejail-0.9.66/etc/profile-a-l/firefox.profile --- firejail-0.9.64.4/etc/profile-a-l/firefox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/firefox.profile 2021-06-27 18:09:10.000000000 +0000 @@ -6,14 +6,29 @@ # Persistent global definitions include globals.local +# NOTE: sandboxing web browsers is as important as it is complex. Users might be +# interested in creating custom profiles depending on use case (e.g. one for +# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more +# info. Here are a few links to get you going. +# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance +# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox +# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 + noblacklist ${HOME}/.cache/mozilla noblacklist ${HOME}/.mozilla +blacklist /usr/libexec + mkdir ${HOME}/.cache/mozilla/firefox mkdir ${HOME}/.mozilla whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla +# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. +# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them. +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + whitelist /usr/share/doc whitelist /usr/share/firefox whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini @@ -22,25 +37,32 @@ whitelist /usr/share/webext include whitelist-usr-share-common.inc -# firefox requires a shell to launch on Arch. +# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which -# Fedora use shell scripts to launch firefox, at least this is required +# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin. #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname -# private-etc must first be enabled in firefox-common.profile +# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too. #private-etc firefox dbus-user filter dbus-user.own org.mozilla.Firefox.* dbus-user.own org.mozilla.firefox.* dbus-user.own org.mpris.MediaPlayer2.firefox.* -# Uncomment or put in your firefox.local to enable native notifications. +# Add the next line to your firefox.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications -# Uncomment or put in your firefox.local to allow to inhibit screensavers +# Add the next line to your firefox.local to allow inhibiting screensavers. #dbus-user.talk org.freedesktop.ScreenSaver -# Uncomment or put in your firefox.local for plasma browser integration +# Add the next lines to your firefox.local for plasma browser integration. #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kuiserver +# Add the next three lines to your firefox.local to allow screen sharing under wayland. +#whitelist ${RUNUSER}/pipewire-0 +#whitelist /usr/share/pipewire/client.conf +#dbus-user.talk org.freedesktop.portal.* +# Add the next line to your firefox.local if screen sharing sharing still does not work +# with the above lines (might depend on the portal implementation). +#ignore noroot ignore dbus-user none # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/flameshot.profile firejail-0.9.66/etc/profile-a-l/flameshot.profile --- firejail-0.9.64.4/etc/profile-a-l/flameshot.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/flameshot.profile 2021-06-22 15:51:28.000000000 +0000 @@ -37,6 +37,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -54,9 +55,15 @@ private-cache private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl private-dev -private-tmp +#private-tmp dbus-user filter dbus-user.own org.dharkael.Flameshot dbus-user.own org.flameshot.Flameshot +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.portal.Desktop +dbus-user.talk org.gnome.Shell +dbus-user.talk org.kde.KWin +dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.own org.kde.* dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/flowblade.profile firejail-0.9.66/etc/profile-a-l/flowblade.profile --- firejail-0.9.64.4/etc/profile-a-l/flowblade.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/flowblade.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/fontforge.profile firejail-0.9.66/etc/profile-a-l/fontforge.profile --- firejail-0.9.64.4/etc/profile-a-l/fontforge.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/fontforge.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/font-manager.profile firejail-0.9.66/etc/profile-a-l/font-manager.profile --- firejail-0.9.64.4/etc/profile-a-l/font-manager.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/font-manager.profile 2021-06-22 15:51:28.000000000 +0000 @@ -38,6 +38,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/FossaMail.profile firejail-0.9.66/etc/profile-a-l/FossaMail.profile --- firejail-0.9.64.4/etc/profile-a-l/FossaMail.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/FossaMail.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for fossamail # This file is overwritten after every install/update - # Persistent local customizations include FossaMail.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include fossamail.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/fractal.profile firejail-0.9.66/etc/profile-a-l/fractal.profile --- firejail-0.9.64.4/etc/profile-a-l/fractal.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/fractal.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,6 +8,7 @@ noblacklist ${HOME}/.cache/fractal +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -33,6 +34,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/franz.profile firejail-0.9.66/etc/profile-a-l/franz.profile --- firejail-0.9.64.4/etc/profile-a-l/franz.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/franz.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/freecadcmd.profile firejail-0.9.66/etc/profile-a-l/freecadcmd.profile --- firejail-0.9.64.4/etc/profile-a-l/freecadcmd.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freecadcmd.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for freecad # This file is overwritten after every install/update - # Persistent local customizations include freecadcms.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include freecad.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/freecad.profile firejail-0.9.66/etc/profile-a-l/freecad.profile --- firejail-0.9.64.4/etc/profile-a-l/freecad.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freecad.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/freeciv-gtk3.profile firejail-0.9.66/etc/profile-a-l/freeciv-gtk3.profile --- firejail-0.9.64.4/etc/profile-a-l/freeciv-gtk3.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freeciv-gtk3.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for freeciv # This file is overwritten after every install/update - # Persistent local customizations include freeciv-gtk3.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include freeciv.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/freeciv-mp-gtk3.profile firejail-0.9.66/etc/profile-a-l/freeciv-mp-gtk3.profile --- firejail-0.9.64.4/etc/profile-a-l/freeciv-mp-gtk3.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freeciv-mp-gtk3.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for freeciv # This file is overwritten after every install/update - # Persistent local customizations include freeciv-mp-gtk3.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include freeciv.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/freeciv.profile firejail-0.9.66/etc/profile-a-l/freeciv.profile --- firejail-0.9.64.4/etc/profile-a-l/freeciv.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freeciv.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/freecol.profile firejail-0.9.66/etc/profile-a-l/freecol.profile --- firejail-0.9.64.4/etc/profile-a-l/freecol.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freecol.profile 2021-06-22 15:51:28.000000000 +0000 @@ -39,6 +39,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/freemind.profile firejail-0.9.66/etc/profile-a-l/freemind.profile --- firejail-0.9.64.4/etc/profile-a-l/freemind.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freemind.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/freshclam.profile firejail-0.9.66/etc/profile-a-l/freshclam.profile --- firejail-0.9.64.4/etc/profile-a-l/freshclam.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/freshclam.profile 2021-06-22 15:51:28.000000000 +0000 @@ -14,6 +14,7 @@ no3d nodvd nogroups +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/Fritzing.profile firejail-0.9.66/etc/profile-a-l/Fritzing.profile --- firejail-0.9.64.4/etc/profile-a-l/Fritzing.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Fritzing.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/frogatto.profile firejail-0.9.66/etc/profile-a-l/frogatto.profile --- firejail-0.9.64.4/etc/profile-a-l/frogatto.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/frogatto.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,6 +18,7 @@ mkdir ${HOME}/.frogatto whitelist ${HOME}/.frogatto +whitelist /usr/libexec/frogatto whitelist /usr/share/frogatto include whitelist-common.inc include whitelist-runuser-common.inc @@ -29,6 +30,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/frozen-bubble.profile firejail-0.9.66/etc/profile-a-l/frozen-bubble.profile --- firejail-0.9.64.4/etc/profile-a-l/frozen-bubble.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/frozen-bubble.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/funnyboat.profile firejail-0.9.66/etc/profile-a-l/funnyboat.profile --- firejail-0.9.64.4/etc/profile-a-l/funnyboat.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/funnyboat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,57 @@ +# Firejail profile for funnyboat +# This file is overwritten after every install/update +# Persistent local customizations +include funnyboat.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.funnyboat + +ignore noexec /dev/shm +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +# include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.funnyboat +whitelist ${HOME}/.funnyboat +include whitelist-common.inc +include whitelist-runuser-common.inc +whitelist /usr/share/funnyboat +# Debian: +whitelist /usr/share/games/funnyboat +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none +# tracelog + +disable-mnt +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/gajim-history-manager.profile firejail-0.9.66/etc/profile-a-l/gajim-history-manager.profile --- firejail-0.9.64.4/etc/profile-a-l/gajim-history-manager.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gajim-history-manager.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for gajim-history-manager # This file is overwritten after every install/update - # Persistent local customizations include gajim-history-manager.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gajim.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gajim.profile firejail-0.9.66/etc/profile-a-l/gajim.profile --- firejail-0.9.64.4/etc/profile-a-l/gajim.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gajim.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,7 +21,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -# Comment the following line if you need to whitelist folders other than ~/Downloads +# Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads. include disable-xdg.inc mkdir ${HOME}/.gnupg @@ -46,6 +46,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -73,7 +74,7 @@ dbus-user.talk org.mpris.MediaPlayer2.* dbus-system filter dbus-system.talk org.freedesktop.login1 -# Uncomment for location plugin support +# Add the next line to your gajim.local to enable location plugin support. #dbus-system.talk org.freedesktop.GeoClue2 join-or-start gajim diff -Nru firejail-0.9.64.4/etc/profile-a-l/galculator.profile firejail-0.9.66/etc/profile-a-l/galculator.profile --- firejail-0.9.64.4/etc/profile-a-l/galculator.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/galculator.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gapplication.profile firejail-0.9.66/etc/profile-a-l/gapplication.profile --- firejail-0.9.64.4/etc/profile-a-l/gapplication.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gapplication.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,6 +7,7 @@ include globals.local blacklist ${RUNUSER}/wayland-* +blacklist /usr/libexec include disable-common.inc include disable-devel.inc @@ -30,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -51,8 +53,8 @@ private-etc none private-tmp -# Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names. -# You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'. +# Add the next line to your gapplication.local to filter D-Bus names. +# You might need to add additional dbus-user.talk rules (see 'gapplication list-apps'). #dbus-user filter dbus-user.talk org.gnome.Boxes dbus-user.talk org.gnome.Builder diff -Nru firejail-0.9.64.4/etc/profile-a-l/gcloud.profile firejail-0.9.66/etc/profile-a-l/gcloud.profile --- firejail-0.9.64.4/etc/profile-a-l/gcloud.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gcloud.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ nodvd # required for sudo-free docker #nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gconf.profile firejail-0.9.66/etc/profile-a-l/gconf.profile --- firejail-0.9.64.4/etc/profile-a-l/gconf.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gconf.profile 2021-06-22 15:51:28.000000000 +0000 @@ -38,6 +38,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/geany.profile firejail-0.9.66/etc/profile-a-l/geany.profile --- firejail-0.9.64.4/etc/profile-a-l/geany.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/geany.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/geary.profile firejail-0.9.66/etc/profile-a-l/geary.profile --- firejail-0.9.64.4/etc/profile-a-l/geary.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/geary.profile 2021-06-22 15:51:28.000000000 +0000 @@ -4,28 +4,84 @@ # Persistent local customizations include geary.local # Persistent global definitions -# added by included profile -#include globals.local - -# Users have Geary set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories - -ignore dbus-user filter -ignore dbus-system none -ignore private-tmp +include globals.local +noblacklist ${HOME}/.cache/evolution +noblacklist ${HOME}/.cache/folks noblacklist ${HOME}/.cache/geary +noblacklist ${HOME}/.config/evolution noblacklist ${HOME}/.config/geary +noblacklist ${HOME}/.local/share/evolution noblacklist ${HOME}/.local/share/geary +noblacklist ${HOME}/.mozilla + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc +mkdir ${HOME}/.cache/evolution +mkdir ${HOME}/.cache/folks mkdir ${HOME}/.cache/geary +mkdir ${HOME}/.config/evolution mkdir ${HOME}/.config/geary +mkdir ${HOME}/.local/share/evolution mkdir ${HOME}/.local/share/geary +whitelist ${DOWNLOADS} +whitelist ${HOME}/.cache/evolution +whitelist ${HOME}/.cache/folks whitelist ${HOME}/.cache/geary +whitelist ${HOME}/.config/evolution whitelist ${HOME}/.config/geary +whitelist ${HOME}/.local/share/evolution whitelist ${HOME}/.local/share/geary +whitelist ${HOME}/.mozilla/firefox/profiles.ini whitelist /usr/share/geary +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +# disable-mnt +# Add 'ignore private-bin' to geary.local for hyperlink support +private-bin geary +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Geary +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.Contacts +dbus-user.talk org.gnome.OnlineAccounts +dbus-user.talk org.gnome.evolution.dataserver.AddressBook10 +dbus-user.talk org.gnome.evolution.dataserver.Sources5 +dbus-system none -# allow Mozilla browsers -# Redirect -include firefox.profile +read-only ${HOME}/.mozilla/firefox/profiles.ini diff -Nru firejail-0.9.64.4/etc/profile-a-l/gedit.profile firejail-0.9.66/etc/profile-a-l/gedit.profile --- firejail-0.9.64.4/etc/profile-a-l/gedit.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gedit.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,7 +44,7 @@ # private-bin gedit private-dev -# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them. +# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them. #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* private-tmp diff -Nru firejail-0.9.64.4/etc/profile-a-l/geekbench.profile firejail-0.9.66/etc/profile-a-l/geekbench.profile --- firejail-0.9.64.4/etc/profile-a-l/geekbench.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/geekbench.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/geeqie.profile firejail-0.9.66/etc/profile-a-l/geeqie.profile --- firejail-0.9.64.4/etc/profile-a-l/geeqie.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/geeqie.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,6 +19,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gfeeds.profile firejail-0.9.66/etc/profile-a-l/gfeeds.profile --- firejail-0.9.64.4/etc/profile-a-l/gfeeds.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gfeeds.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,6 +9,7 @@ noblacklist ${HOME}/.cache/gfeeds noblacklist ${HOME}/.cache/org.gabmus.gfeeds noblacklist ${HOME}/.config/org.gabmus.gfeeds.json +noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles # Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc @@ -25,9 +26,12 @@ mkdir ${HOME}/.cache/gfeeds mkdir ${HOME}/.cache/org.gabmus.gfeeds mkfile ${HOME}/.config/org.gabmus.gfeeds.json +mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles whitelist ${HOME}/.cache/gfeeds whitelist ${HOME}/.cache/org.gabmus.gfeeds whitelist ${HOME}/.config/org.gabmus.gfeeds.json +whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/gfeeds include whitelist-common.inc include whitelist-runuser-common.inc @@ -41,6 +45,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gget.profile firejail-0.9.66/etc/profile-a-l/gget.profile --- firejail-0.9.64.4/etc/profile-a-l/gget.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gget.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,60 @@ +# Firejail profile for gget +# Description: a cli. to get things. from git repos +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gget.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin gget +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/ghb.profile firejail-0.9.66/etc/profile-a-l/ghb.profile --- firejail-0.9.64.4/etc/profile-a-l/ghb.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ghb.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update - # Persistent local customizations include ghb.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include handbrake.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/ghostwriter.profile firejail-0.9.66/etc/profile-a-l/ghostwriter.profile --- firejail-0.9.64.4/etc/profile-a-l/ghostwriter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ghostwriter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -55,5 +56,5 @@ private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg private-tmp -dbus-user none +dbus-user filter dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/gimp-2.10.profile firejail-0.9.66/etc/profile-a-l/gimp-2.10.profile --- firejail-0.9.64.4/etc/profile-a-l/gimp-2.10.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gimp-2.10.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update - # Persistent local customizations include gimp-2.10.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gimp.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gimp-2.8.profile firejail-0.9.66/etc/profile-a-l/gimp-2.8.profile --- firejail-0.9.64.4/etc/profile-a-l/gimp-2.8.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gimp-2.8.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update - # Persistent local customizations include gimp-2.8.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gimp.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gimp.profile firejail-0.9.66/etc/profile-a-l/gimp.profile --- firejail-0.9.64.4/etc/profile-a-l/gimp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gimp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# Uncomment or add to gimp.local in order to support scanning via xsane (see #3640). +# Add the next lines to your gimp.local in order to support scanning via xsane (see #3640). # TODO: Replace 'ignore seccomp' with a less permissive option. #ignore seccomp #ignore dbus-system @@ -15,8 +15,7 @@ # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory -# if you are not using external plugins, you can comment 'ignore noexec' statement below -# or put 'noexec ${HOME}' in your gimp.local +# If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. ignore noexec ${HOME} noblacklist ${HOME}/.cache/babl @@ -46,6 +45,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gist.profile firejail-0.9.66/etc/profile-a-l/gist.profile --- firejail-0.9.64.4/etc/profile-a-l/gist.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gist.profile 2021-06-22 15:51:28.000000000 +0000 @@ -38,6 +38,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/git-cola.profile firejail-0.9.66/etc/profile-a-l/git-cola.profile --- firejail-0.9.64.4/etc/profile-a-l/git-cola.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/git-cola.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,16 +11,19 @@ noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.gnupg -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.subversion noblacklist ${HOME}/.config/git noblacklist ${HOME}/.config/git-cola -# Put your editor,diff viewer config path below and uncomment to load settings -# noblacklist ${HOME}/ +# Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings. +#noblacklist ${HOME}/ +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -31,7 +34,7 @@ whitelist ${RUNUSER}/gnupg whitelist ${RUNUSER}/keyring -# Whitelist your editor, diff viewer, gnupg path below in /usr/share/ +# Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer. whitelist /usr/share/git whitelist /usr/share/git-cola whitelist /usr/share/git-core @@ -51,6 +54,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -62,8 +66,8 @@ shell none tracelog -# Add your own diff viewer,editor,pinentry program -# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local. +#private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed private-cache private-dev @@ -71,13 +75,14 @@ private-tmp writable-run-user -# Breaks meld as diff viewer -# dbus-user filter -# Uncomment if you need keyring access -# dbus-user.talk org.freedesktop.secrets +# dbus-user filtering breaks meld as diff viewer +# Add the next line to your git-cola.local if you don't use meld. +#dbus-user filter +# Add the next line to your git-cola.local if you need keyring access +#dbus-user.talk org.freedesktop.secrets dbus-system none read-only ${HOME}/.git-credentials -# Comment if you need to allow hosts +# Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. read-only ${HOME}/.ssh diff -Nru firejail-0.9.64.4/etc/profile-a-l/gitg.profile firejail-0.9.66/etc/profile-a-l/gitg.profile --- firejail-0.9.64.4/etc/profile-a-l/gitg.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gitg.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,7 +10,9 @@ noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.local/share/gitg -noblacklist ${HOME}/.ssh + +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc include disable-common.inc include disable-devel.inc @@ -37,6 +39,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -57,6 +60,6 @@ dbus-user filter dbus-user.own org.gnome.gitg dbus-user.talk ca.desrt.dconf -# Uncomment (or put in your gitg.local) if you need keyring access. +# Add the next line to your gitg.local if you need keyring access. #dbus-user.talk org.freedesktop.secrets dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/git.profile firejail-0.9.66/etc/profile-a-l/git.profile --- firejail-0.9.64.4/etc/profile-a-l/git.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/git.profile 2021-06-22 15:51:28.000000000 +0000 @@ -15,10 +15,12 @@ noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.nanorc -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.vim noblacklist ${HOME}/.viminfo +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* @@ -43,6 +45,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gitter.profile firejail-0.9.66/etc/profile-a-l/gitter.profile --- firejail-0.9.64.4/etc/profile-a-l/gitter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gitter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/Gitter.profile firejail-0.9.66/etc/profile-a-l/Gitter.profile --- firejail-0.9.64.4/etc/profile-a-l/Gitter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Gitter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for Gitter # This file is overwritten after every install/update - # Persistent local customizations include Gitter.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gitter.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gjs.profile firejail-0.9.66/etc/profile-a-l/gjs.profile --- firejail-0.9.64.4/etc/profile-a-l/gjs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gjs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gl-117.profile firejail-0.9.66/etc/profile-a-l/gl-117.profile --- firejail-0.9.64.4/etc/profile-a-l/gl-117.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gl-117.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,53 @@ +# Firejail profile for gl-117 +# Description: Action flight simulator +# This file is overwritten after every install/update +# Persistent local customizations +include gl-117.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.gl-117 + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.gl-117 +whitelist ${HOME}/.gl-117 +whitelist /usr/share/gl-117 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin gl-117 +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/gl-117-wrapper.profile firejail-0.9.66/etc/profile-a-l/gl-117-wrapper.profile --- firejail-0.9.64.4/etc/profile-a-l/gl-117-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gl-117-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for gl-117-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include gl-117-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin gl-117-wrapper + +# Redirect +include gl-117.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/glaxium.profile firejail-0.9.66/etc/profile-a-l/glaxium.profile --- firejail-0.9.64.4/etc/profile-a-l/glaxium.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/glaxium.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,53 @@ +# Firejail profile for glaxium +# Description: 3d spaceship shoot-em-up +# This file is overwritten after every install/update +# Persistent local customizations +include glaxium.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.glaxiumrc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkfile ${HOME}/.glaxiumrc +whitelist ${HOME}/.glaxiumrc +whitelist /usr/share/glaxium +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin glaxium +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/glaxium-wrapper.profile firejail-0.9.66/etc/profile-a-l/glaxium-wrapper.profile --- firejail-0.9.64.4/etc/profile-a-l/glaxium-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/glaxium-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for glaxium-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include glaxium-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin glaxium-wrapper + +# Redirect +include glaxium.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/globaltime.profile firejail-0.9.66/etc/profile-a-l/globaltime.profile --- firejail-0.9.64.4/etc/profile-a-l/globaltime.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/globaltime.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-books.profile firejail-0.9.66/etc/profile-a-l/gnome-books.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-books.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-books.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-builder.profile firejail-0.9.66/etc/profile-a-l/gnome-builder.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-builder.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-builder.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-calculator.profile firejail-0.9.66/etc/profile-a-l/gnome-calculator.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-calculator.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-calculator.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-calendar.profile firejail-0.9.66/etc/profile-a-l/gnome-calendar.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-calendar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-calendar.profile 2021-06-29 14:05:57.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,7 +46,7 @@ private-bin gnome-calendar private-cache private-dev -private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,nsswitch.conf,pki,resolv.conf,ssl +private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user filter diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-characters.profile firejail-0.9.66/etc/profile-a-l/gnome-characters.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-characters.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-characters.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,8 +45,7 @@ tracelog disable-mnt -# Uncomment the next line (or add it to your gnome-characters.local) -# if you don't need recently used chars +# Add the next line to your gnome-characters.local if you don't need access to recently used chars. #private private-bin gjs,gnome-characters private-cache @@ -53,8 +53,7 @@ private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg private-tmp -# Uncomment the next lines (or add it to your gnome-characters.local) -# if you don't need recently used chars +# Add the next lines to your gnome-characters.local if you don't need access to recently used chars. # dbus-user none # dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-chess.profile firejail-0.9.66/etc/profile-a-l/gnome-chess.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-chess.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-chess.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-clocks.profile firejail-0.9.66/etc/profile-a-l/gnome-clocks.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-clocks.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-clocks.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-contacts.profile firejail-0.9.66/etc/profile-a-l/gnome-contacts.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-contacts.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-contacts.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter #no3d - breaks on Arch nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-documents.profile firejail-0.9.66/etc/profile-a-l/gnome-documents.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-documents.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-documents.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-font-viewer.profile firejail-0.9.66/etc/profile-a-l/gnome-font-viewer.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-font-viewer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-font-viewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ net none no3d nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome_games-common.profile firejail-0.9.66/etc/profile-a-l/gnome_games-common.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome_games-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome_games-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-hexgl.profile firejail-0.9.66/etc/profile-a-l/gnome-hexgl.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-hexgl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-hexgl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-keyring.profile firejail-0.9.66/etc/profile-a-l/gnome-keyring.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-keyring.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-keyring.profile 2021-06-22 15:51:28.000000000 +0000 @@ -37,6 +37,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-latex.profile firejail-0.9.66/etc/profile-a-l/gnome-latex.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-latex.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-latex.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-logs.profile firejail-0.9.66/etc/profile-a-l/gnome-logs.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-logs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-logs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,12 +26,8 @@ net none no3d nodvd -# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), -# comment both 'nogroups' and 'noroot' -# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local. -nogroups +noinput nonewprivs -noroot nosound notv nou2f @@ -50,9 +46,10 @@ private-tmp writable-var-log -dbus-user none +dbus-user filter +dbus-user.own org.gnome.Logs +dbus-user.talk ca.desrt.dconf dbus-system none -# comment this if you export logs to a file in your ${HOME} -# or put 'ignore read-only ${HOME}' in your gnome-logs.local. +# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}. read-only ${HOME} diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-maps.profile firejail-0.9.66/etc/profile-a-l/gnome-maps.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-maps.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-maps.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,6 +18,8 @@ # Allow gjs (blacklisted by disable-interpreters.inc) include allow-gjs.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -46,6 +48,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-mplayer.profile firejail-0.9.66/etc/profile-a-l/gnome-mplayer.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-mplayer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-mplayer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ caps.drop all nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-mpv.profile firejail-0.9.66/etc/profile-a-l/gnome-mpv.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-mpv.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-mpv.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for celluloid (formerly GNOME MPV) # This file is overwritten after every install/update - # Persistent local customizations include gnome-mpv.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include celluloid.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-music.profile firejail-0.9.66/etc/profile-a-l/gnome-music.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-music.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-music.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-nettool.profile firejail-0.9.66/etc/profile-a-l/gnome-nettool.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-nettool.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-nettool.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput # ping needs to elevate privileges, noroot and nonewprivs will kill it #nonewprivs #noroot diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-passwordsafe.profile firejail-0.9.66/etc/profile-a-l/gnome-passwordsafe.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-passwordsafe.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-passwordsafe.profile 2021-06-22 15:51:28.000000000 +0000 @@ -13,6 +13,8 @@ # Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -35,6 +37,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-photos.profile firejail-0.9.66/etc/profile-a-l/gnome-photos.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-photos.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-photos.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-pie.profile firejail-0.9.66/etc/profile-a-l/gnome-pie.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-pie.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-pie.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-pomodoro.profile firejail-0.9.66/etc/profile-a-l/gnome-pomodoro.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-pomodoro.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-pomodoro.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-recipes.profile firejail-0.9.66/etc/profile-a-l/gnome-recipes.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-recipes.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-recipes.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-schedule.profile firejail-0.9.66/etc/profile-a-l/gnome-schedule.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-schedule.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-schedule.profile 2021-06-22 15:51:28.000000000 +0000 @@ -51,6 +51,7 @@ no3d nodvd nogroups +noinput nosound notv nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-screenshot.profile firejail-0.9.66/etc/profile-a-l/gnome-screenshot.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-screenshot.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-screenshot.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-sound-recorder.profile firejail-0.9.66/etc/profile-a-l/gnome-sound-recorder.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-sound-recorder.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-sound-recorder.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-system-log.profile firejail-0.9.66/etc/profile-a-l/gnome-system-log.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-system-log.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-system-log.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,9 +27,9 @@ no3d nodvd # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), -# comment both 'nogroups' and 'noroot' -# or put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local. +# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local. nogroups +noinput nonewprivs noroot nosound @@ -53,6 +53,5 @@ # dbus-system none memory-deny-write-execute -# Comment the line below if you export logs to a file in your ${HOME} -# or put 'ignore read-only ${HOME}' in your gnome-system-log.local +# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}. read-only ${HOME} diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-todo.profile firejail-0.9.66/etc/profile-a-l/gnome-todo.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-todo.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-todo.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-twitch.profile firejail-0.9.66/etc/profile-a-l/gnome-twitch.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-twitch.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-twitch.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnome-weather.profile firejail-0.9.66/etc/profile-a-l/gnome-weather.profile --- firejail-0.9.64.4/etc/profile-a-l/gnome-weather.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnome-weather.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnote.profile firejail-0.9.66/etc/profile-a-l/gnote.profile --- firejail-0.9.64.4/etc/profile-a-l/gnote.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnote.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gnubik.profile firejail-0.9.66/etc/profile-a-l/gnubik.profile --- firejail-0.9.64.4/etc/profile-a-l/gnubik.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gnubik.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/godot.profile firejail-0.9.66/etc/profile-a-l/godot.profile --- firejail-0.9.64.4/etc/profile-a-l/godot.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/godot.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/goobox.profile firejail-0.9.66/etc/profile-a-l/goobox.profile --- firejail-0.9.64.4/etc/profile-a-l/goobox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/goobox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,6 +19,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/google-chrome-stable.profile firejail-0.9.66/etc/profile-a-l/google-chrome-stable.profile --- firejail-0.9.64.4/etc/profile-a-l/google-chrome-stable.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/google-chrome-stable.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for google-chrome # This file is overwritten after every install/update - # Persistent local customizations include google-chrome-stable.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include google-chrome.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/google-earth.profile firejail-0.9.66/etc/profile-a-l/google-earth.profile --- firejail-0.9.64.4/etc/profile-a-l/google-earth.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/google-earth.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/google-earth-pro.profile firejail-0.9.66/etc/profile-a-l/google-earth-pro.profile --- firejail-0.9.64.4/etc/profile-a-l/google-earth-pro.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/google-earth-pro.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,9 +6,24 @@ # added by included profile #include globals.local -# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local -#ignore private-bin -private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,which,xdg-mime,xdg-settings +# Google Earth Pro can show issues that make it unpleasant to use, even when running unsandboxed. +# See https://wiki.archlinux.org/index.php/Google_Earth#Troubleshooting for details. +# Firejailing this application will demand extra work, as there are issues only upstream can fix (see #3906). +# As an alternative one could use the web version: https://earth.google.com/web/. +# The desktop version from the AUR can be made to work with firejail by appending the below snippet +# to /usr/bin/googleearth-pro: +# <--- snippet ---> +# Post-shutdown cleaning +#_lock_app_running="${HOME}/.googleearth/instance-running-lock" +#[[ -L "$_lock_app_running" ]] && rm -f "${_lock_app_running:?}" +#_lock_collada_cache="/tmp/geColladaModelCacheLock" +#[[ -e "$_lock_collada_cache" ]] && rm -f "${_lock_collada_cache:?}" +#_lock_icon_cache="/tmp/geIconCacheLock" +#[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" +# <--- end of snippet ---> + +# If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local. +private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings # Redirect include google-earth.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/google-play-music-desktop-player.profile firejail-0.9.66/etc/profile-a-l/google-play-music-desktop-player.profile --- firejail-0.9.64.4/etc/profile-a-l/google-play-music-desktop-player.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/google-play-music-desktop-player.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/googler-common.profile firejail-0.9.66/etc/profile-a-l/googler-common.profile --- firejail-0.9.64.4/etc/profile-a-l/googler-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/googler-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,62 @@ +# Firejail profile for googler clones +# Description: common profile for googler clones +# This file is overwritten after every install/update +# Persistent local customizations +include googler-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +noblacklist ${HOME}/.w3m + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${HOME}/.w3m +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin env,python3*,sh,w3m +private-cache +private-dev +private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/googler.profile firejail-0.9.66/etc/profile-a-l/googler.profile --- firejail-0.9.64.4/etc/profile-a-l/googler.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/googler.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for googler +# Description: Search Google from your terminal +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include googler.local +# Persistent global definitions +include globals.local + +private-bin googler + +# Redirect +include googler-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gpa.profile firejail-0.9.66/etc/profile-a-l/gpa.profile --- firejail-0.9.64.4/etc/profile-a-l/gpa.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gpa.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,6 +18,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gpg-agent.profile firejail-0.9.66/etc/profile-a-l/gpg-agent.profile --- firejail-0.9.64.4/etc/profile-a-l/gpg-agent.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gpg-agent.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gpg.profile firejail-0.9.66/etc/profile-a-l/gpg.profile --- firejail-0.9.64.4/etc/profile-a-l/gpg.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gpg.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gpicview.profile firejail-0.9.66/etc/profile-a-l/gpicview.profile --- firejail-0.9.64.4/etc/profile-a-l/gpicview.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gpicview.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gpredict.profile firejail-0.9.66/etc/profile-a-l/gpredict.profile --- firejail-0.9.64.4/etc/profile-a-l/gpredict.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gpredict.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gradio.profile firejail-0.9.66/etc/profile-a-l/gradio.profile --- firejail-0.9.64.4/etc/profile-a-l/gradio.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gradio.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gramps.profile firejail-0.9.66/etc/profile-a-l/gramps.profile --- firejail-0.9.64.4/etc/profile-a-l/gramps.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gramps.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile firejail-0.9.66/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile --- firejail-0.9.64.4/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gtar.profile firejail-0.9.66/etc/profile-a-l/gtar.profile --- firejail-0.9.64.4/etc/profile-a-l/gtar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gtar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for tar # This file is overwritten after every install/update - # Persistent local customizations include gtar.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include tar.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gthumb.profile firejail-0.9.66/etc/profile-a-l/gthumb.profile --- firejail-0.9.64.4/etc/profile-a-l/gthumb.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gthumb.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gtk-pipe-viewer.profile firejail-0.9.66/etc/profile-a-l/gtk-pipe-viewer.profile --- firejail-0.9.64.4/etc/profile-a-l/gtk-pipe-viewer.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gtk-pipe-viewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,12 @@ +# Firejail profile for gtk-pipe-viewer +# Description: Gtk front-end to pipe-viewer +# This file is overwritten after every install/update +# Persistent local customizations +include gtk-pipe-viewer.local +# added by included profile +#include globals.local + +ignore quiet + +# Redirect +include pipe-viewer.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gtk-straw-viewer.profile firejail-0.9.66/etc/profile-a-l/gtk-straw-viewer.profile --- firejail-0.9.64.4/etc/profile-a-l/gtk-straw-viewer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gtk-straw-viewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,7 +8,5 @@ ignore quiet -include whitelist-runuser-common.inc - # Redirect include straw-viewer.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/gtk-update-icon-cache.profile firejail-0.9.66/etc/profile-a-l/gtk-update-icon-cache.profile --- firejail-0.9.64.4/etc/profile-a-l/gtk-update-icon-cache.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gtk-update-icon-cache.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gtk-youtube-viewer.profile firejail-0.9.66/etc/profile-a-l/gtk-youtube-viewer.profile --- firejail-0.9.64.4/etc/profile-a-l/gtk-youtube-viewer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gtk-youtube-viewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,7 +8,5 @@ ignore quiet -include whitelist-runuser-common.inc - # Redirect include youtube-viewer.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/guayadeque.profile firejail-0.9.66/etc/profile-a-l/guayadeque.profile --- firejail-0.9.64.4/etc/profile-a-l/guayadeque.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/guayadeque.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gucharmap.profile firejail-0.9.66/etc/profile-a-l/gucharmap.profile --- firejail-0.9.64.4/etc/profile-a-l/gucharmap.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gucharmap.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/gummi.profile firejail-0.9.66/etc/profile-a-l/gummi.profile --- firejail-0.9.64.4/etc/profile-a-l/gummi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gummi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,8 +8,13 @@ noblacklist ${HOME}/.cache/gummi noblacklist ${HOME}/.config/gummi +# Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex diff -Nru firejail-0.9.64.4/etc/profile-a-l/gunzip.profile firejail-0.9.66/etc/profile-a-l/gunzip.profile --- firejail-0.9.64.4/etc/profile-a-l/gunzip.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gunzip.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,5 +7,7 @@ # added by included profile #include globals.local +include allow-bin-sh.inc + # Redirect include gzip.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/guvcview.profile firejail-0.9.66/etc/profile-a-l/guvcview.profile --- firejail-0.9.64.4/etc/profile-a-l/guvcview.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/guvcview.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gwenview.profile firejail-0.9.66/etc/profile-a-l/gwenview.profile --- firejail-0.9.64.4/etc/profile-a-l/gwenview.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gwenview.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/gzip.profile firejail-0.9.66/etc/profile-a-l/gzip.profile --- firejail-0.9.64.4/etc/profile-a-l/gzip.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/gzip.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,7 +7,9 @@ # Persistent global definitions include globals.local -# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. +# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop +# all capabilities this is automatically read-only. noblacklist /var/lib/pacman -include archiver-common.inc +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/handbrake-gtk.profile firejail-0.9.66/etc/profile-a-l/handbrake-gtk.profile --- firejail-0.9.64.4/etc/profile-a-l/handbrake-gtk.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/handbrake-gtk.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update - # Persistent local customizations include handbrake-gtk.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include handbrake.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/handbrake.profile firejail-0.9.66/etc/profile-a-l/handbrake.profile --- firejail-0.9.64.4/etc/profile-a-l/handbrake.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/handbrake.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ caps.drop all net none nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/hashcat.profile firejail-0.9.66/etc/profile-a-l/hashcat.profile --- firejail-0.9.64.4/etc/profile-a-l/hashcat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/hashcat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/hasher-common.profile firejail-0.9.66/etc/profile-a-l/hasher-common.profile --- firejail-0.9.64.4/etc/profile-a-l/hasher-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/hasher-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,60 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include hasher-common.local + +# common profile for hasher/checksum tools + +blacklist ${RUNUSER} + +# Comment/uncomment the relevant include file(s) in your hasher-common.local +# to (un)restrict file access for **all** hashers. Another option is to do this **per hasher** +# in the relevant .local. Beware that things tend to break when overtightening +# profiles. For example, because you only need to hash/check files in ${DOWNLOADS}, +# other applications may need access to ${HOME}/.local/share. + +# Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc. +#include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +# Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc. +#include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +# Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc. +#include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog +x11 none + +# Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache. +#private-cache +private-dev +# Add the next line to your hasher-common.local if you don't need to hash files in /tmp. +#private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} diff -Nru firejail-0.9.64.4/etc/profile-a-l/hedgewars.profile firejail-0.9.66/etc/profile-a-l/hedgewars.profile --- firejail-0.9.64.4/etc/profile-a-l/hedgewars.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/hedgewars.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/hexchat.profile firejail-0.9.66/etc/profile-a-l/hexchat.profile --- firejail-0.9.64.4/etc/profile-a-l/hexchat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/hexchat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,13 +8,16 @@ noblacklist ${HOME}/.config/hexchat -# Allow python (blacklisted by disable-interpreters.inc) -include allow-python2.inc -include allow-python3.inc +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -35,6 +38,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -47,7 +51,7 @@ disable-mnt # debug note: private-bin requires perl, python, etc on some systems -private-bin hexchat,python* +private-bin hexchat,python*,sh private-dev #private-lib - python problems private-tmp diff -Nru firejail-0.9.64.4/etc/profile-a-l/highlight.profile firejail-0.9.66/etc/profile-a-l/highlight.profile --- firejail-0.9.64.4/etc/profile-a-l/highlight.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/highlight.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/homebank.profile firejail-0.9.66/etc/profile-a-l/homebank.profile --- firejail-0.9.64.4/etc/profile-a-l/homebank.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/homebank.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/host.profile firejail-0.9.66/etc/profile-a-l/host.profile --- firejail-0.9.64.4/etc/profile-a-l/host.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/host.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/hugin.profile firejail-0.9.66/etc/profile-a-l/hugin.profile --- firejail-0.9.64.4/etc/profile-a-l/hugin.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/hugin.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/hyperrogue.profile firejail-0.9.66/etc/profile-a-l/hyperrogue.profile --- firejail-0.9.64.4/etc/profile-a-l/hyperrogue.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/hyperrogue.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/i2prouter.profile firejail-0.9.66/etc/profile-a-l/i2prouter.profile --- firejail-0.9.64.4/etc/profile-a-l/i2prouter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/i2prouter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,16 +9,16 @@ # Notice: default browser will most likely not be able to automatically open, due to sandbox. # Auto-opening default browser can be disabled in the I2P router console. # This profile will not currently work with any Arch User Repository I2P packages, -# use the distro-independent official I2P java installer instead +# use the distro-independent official I2P java installer instead. -# Only needed if i2prouter binary is in home directory, official I2P java installer does this +# Only needed when i2prouter binary resides in home directory (official I2P java installer does so). ignore noexec ${HOME} noblacklist ${HOME}/.config/i2p noblacklist ${HOME}/.i2p noblacklist ${HOME}/.local/share/i2p noblacklist ${HOME}/i2p -# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this +# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). noblacklist /usr/sbin # Allow java (blacklisted by disable-devel.inc) @@ -40,13 +40,14 @@ whitelist ${HOME}/.i2p whitelist ${HOME}/.local/share/i2p whitelist ${HOME}/i2p -# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this +# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). whitelist /usr/sbin/wrapper* include whitelist-common.inc -# May break I2P if wrapper is placed in the home directory; official I2P java installer does this -# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/ +# May break I2P if wrapper resides in the home directory (official I2P java installer does so). +# When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local, +# as it places the wrapper in /usr/sbin/ #apparmor caps.drop all ipc-namespace @@ -55,6 +56,7 @@ no3d nodvd nogroups +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/iagno.profile firejail-0.9.66/etc/profile-a-l/iagno.profile --- firejail-0.9.64.4/etc/profile-a-l/iagno.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/iagno.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/idea.sh.profile firejail-0.9.66/etc/profile-a-l/idea.sh.profile --- firejail-0.9.64.4/etc/profile-a-l/idea.sh.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/idea.sh.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,12 +10,14 @@ noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc @@ -24,6 +26,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/imagej.profile firejail-0.9.66/etc/profile-a-l/imagej.profile --- firejail-0.9.64.4/etc/profile-a-l/imagej.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/imagej.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/img2txt.profile firejail-0.9.66/etc/profile-a-l/img2txt.profile --- firejail-0.9.64.4/etc/profile-a-l/img2txt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/img2txt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/impressive.profile firejail-0.9.66/etc/profile-a-l/impressive.profile --- firejail-0.9.64.4/etc/profile-a-l/impressive.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/impressive.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/inkscape.profile firejail-0.9.66/etc/profile-a-l/inkscape.profile --- firejail-0.9.64.4/etc/profile-a-l/inkscape.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/inkscape.profile 2021-06-22 15:51:28.000000000 +0000 @@ -39,6 +39,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ipcalc-ng.profile firejail-0.9.66/etc/profile-a-l/ipcalc-ng.profile --- firejail-0.9.64.4/etc/profile-a-l/ipcalc-ng.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ipcalc-ng.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile ipcalc-ng +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ipcalc-ng.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include ipcalc.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/ipcalc.profile firejail-0.9.66/etc/profile-a-l/ipcalc.profile --- firejail-0.9.64.4/etc/profile-a-l/ipcalc.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ipcalc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,63 @@ +# Firejail profile for ipcalc +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ipcalc.local +# Persistent global definitions +include globals.local + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +# include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +# include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +# machine-id +net none +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +# protocol unix +seccomp +shell none +# tracelog + +disable-mnt +private +private-bin bash,ipcalc,ipcalc-ng,perl,sh +# private-cache +private-dev +# empty etc directory +private-etc none +private-lib +private-opt none +private-tmp + +dbus-user none +dbus-system none + +# memory-deny-write-execute +# read-only ${HOME} diff -Nru firejail-0.9.64.4/etc/profile-a-l/iridium-browser.profile firejail-0.9.66/etc/profile-a-l/iridium-browser.profile --- firejail-0.9.64.4/etc/profile-a-l/iridium-browser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/iridium-browser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for iridium # This file is overwritten after every install/update - # Persistent local customizations include iridium-browser.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include iridium.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/itch.profile firejail-0.9.66/etc/profile-a-l/itch.profile --- firejail-0.9.64.4/etc/profile-a-l/itch.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/itch.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/jami-gnome.profile firejail-0.9.66/etc/profile-a-l/jami-gnome.profile --- firejail-0.9.64.4/etc/profile-a-l/jami-gnome.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/jami-gnome.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,43 @@ +# Firejail profile for jami-gnome +# Description: An encrypted peer-to-peer messenger +# This file is overwritten after every install/update +# Persistent local customizations +include jami-gnome.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/jami +noblacklist ${HOME}/.local/share/jami + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +#include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +mkdir ${HOME}/.config/jami +mkdir ${HOME}/.local/share/jami +whitelist ${HOME}/.config/jami +whitelist ${HOME}/.local/share/jami +include whitelist-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +protocol unix,inet,inet6,netlink +seccomp +shell none + +disable-mnt +private-dev +private-tmp + +env QT_QPA_PLATFORM=xcb diff -Nru firejail-0.9.64.4/etc/profile-a-l/jd-gui.profile firejail-0.9.66/etc/profile-a-l/jd-gui.profile --- firejail-0.9.64.4/etc/profile-a-l/jd-gui.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/jd-gui.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/JDownloader.profile firejail-0.9.66/etc/profile-a-l/JDownloader.profile --- firejail-0.9.64.4/etc/profile-a-l/JDownloader.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/JDownloader.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/jerry.profile firejail-0.9.66/etc/profile-a-l/jerry.profile --- firejail-0.9.64.4/etc/profile-a-l/jerry.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/jerry.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/jitsi-meet-desktop.profile firejail-0.9.66/etc/profile-a-l/jitsi-meet-desktop.profile --- firejail-0.9.64.4/etc/profile-a-l/jitsi-meet-desktop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/jitsi-meet-desktop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,7 +20,7 @@ mkdir ${HOME}/.config/Jitsi Meet whitelist ${HOME}/.config/Jitsi Meet -private-bin bash,jitsi-meet-desktop +private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/jumpnbump-menu.profile firejail-0.9.66/etc/profile-a-l/jumpnbump-menu.profile --- firejail-0.9.64.4/etc/profile-a-l/jumpnbump-menu.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/jumpnbump-menu.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,6 +7,7 @@ # added by included profile #include globals.local +# Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc private-bin jumpnbump-menu,python3* diff -Nru firejail-0.9.64.4/etc/profile-a-l/jumpnbump.profile firejail-0.9.66/etc/profile-a-l/jumpnbump.profile --- firejail-0.9.64.4/etc/profile-a-l/jumpnbump.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/jumpnbump.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/k3b.profile firejail-0.9.66/etc/profile-a-l/k3b.profile --- firejail-0.9.64.4/etc/profile-a-l/k3b.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/k3b.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,11 +21,12 @@ include whitelist-var-common.inc -caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource +caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource # net none netfilter no3d # nonewprivs - breaks privileged helpers +noinput # noroot - breaks privileged helpers nosound notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/kaffeine.profile firejail-0.9.66/etc/profile-a-l/kaffeine.profile --- firejail-0.9.64.4/etc/profile-a-l/kaffeine.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kaffeine.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/kalgebramobile.profile firejail-0.9.66/etc/profile-a-l/kalgebramobile.profile --- firejail-0.9.64.4/etc/profile-a-l/kalgebramobile.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kalgebramobile.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for kalgebramobile # This file is overwritten after every install/update - # Persistent local customizations include kalgebramobile.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include kalgebra.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/kalgebra.profile firejail-0.9.66/etc/profile-a-l/kalgebra.profile --- firejail-0.9.64.4/etc/profile-a-l/kalgebra.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kalgebra.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/karbon.profile firejail-0.9.66/etc/profile-a-l/karbon.profile --- firejail-0.9.64.4/etc/profile-a-l/karbon.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/karbon.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for krita # This file is overwritten after every install/update - # Persistent local customizations include karbon.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.local/share/kxmlgui5/karbon diff -Nru firejail-0.9.64.4/etc/profile-a-l/kate.profile firejail-0.9.66/etc/profile-a-l/kate.profile --- firejail-0.9.64.4/etc/profile-a-l/kate.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kate.profile 2021-06-22 15:51:28.000000000 +0000 @@ -38,6 +38,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/kazam.profile firejail-0.9.66/etc/profile-a-l/kazam.profile --- firejail-0.9.64.4/etc/profile-a-l/kazam.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kazam.profile 2021-06-22 15:51:28.000000000 +0000 @@ -12,6 +12,7 @@ noblacklist ${VIDEOS} noblacklist ${HOME}/.config/kazam +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -34,6 +35,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/kcalc.profile firejail-0.9.66/etc/profile-a-l/kcalc.profile --- firejail-0.9.64.4/etc/profile-a-l/kcalc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kcalc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -15,6 +15,7 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +include disable-xdg.inc mkdir ${HOME}/.local/share/kxmlgui5/kcalc mkfile ${HOME}/.config/kcalcrc @@ -24,7 +25,12 @@ whitelist ${HOME}/.kde/share/config/kcalcrc whitelist ${HOME}/.kde4/share/config/kcalcrc whitelist ${HOME}/.local/share/kxmlgui5/kcalc +whitelist /usr/share/config.kcfg/kcalc.kcfg +whitelist /usr/share/kcalc +whitelist /usr/share/kconf_update/kcalcrc.upd include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -33,6 +39,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,13 +48,19 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin kcalc +private-cache private-dev +private-etc alternatives,fonts,ld.so.cache,locale,locale.conf # private-lib - problems on Arch private-tmp dbus-user none dbus-system none + +#memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/kdeinit4.profile firejail-0.9.66/etc/profile-a-l/kdeinit4.profile --- firejail-0.9.64.4/etc/profile-a-l/kdeinit4.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kdeinit4.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ netfilter no3d nogroups +noinput nonewprivs # nosound - disabled for knotify noroot diff -Nru firejail-0.9.64.4/etc/profile-a-l/kdenlive.profile firejail-0.9.66/etc/profile-a-l/kdenlive.profile --- firejail-0.9.64.4/etc/profile-a-l/kdenlive.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kdenlive.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ # net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/kdiff3.profile firejail-0.9.66/etc/profile-a-l/kdiff3.profile --- firejail-0.9.64.4/etc/profile-a-l/kdiff3.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kdiff3.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,21 +9,25 @@ noblacklist ${HOME}/.config/kdiff3fileitemactionrc noblacklist ${HOME}/.config/kdiff3rc -# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc. +# Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc. +# By default we deny access only to .ssh and .gnupg. #include disable-common.inc +blacklist ${HOME}/.ssh +blacklist ${HOME}/.gnupg + include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc. +# Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc include disable-xdg.inc - + include whitelist-runuser-common.inc -# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share. +# Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. #include whitelist-usr-share-common.inc -# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var. +# Add the next line to your kdiff3.local if you don't need to compare files in /var. #include whitelist-var-common.inc apparmor @@ -32,6 +36,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/keepass2.profile firejail-0.9.66/etc/profile-a-l/keepass2.profile --- firejail-0.9.64.4/etc/profile-a-l/keepass2.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/keepass2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for keepass # This file is overwritten after every install/update - # Persistent local customizations include keepass2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include keepass.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/keepass.profile firejail-0.9.66/etc/profile-a-l/keepass.profile --- firejail-0.9.64.4/etc/profile-a-l/keepass.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/keepass.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/keepassx2.profile firejail-0.9.66/etc/profile-a-l/keepassx2.profile --- firejail-0.9.64.4/etc/profile-a-l/keepassx2.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/keepassx2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile for keepassx2 # Description: Cross platform password manager # This file is overwritten after every install/update - # Persistent local customizations include keepassx2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirects include keepassx.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/keepassxc.profile firejail-0.9.66/etc/profile-a-l/keepassxc.profile --- firejail-0.9.64.4/etc/profile-a-l/keepassxc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/keepassxc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,11 +10,20 @@ noblacklist ${HOME}/*.kdbx noblacklist ${HOME}/.cache/keepassxc noblacklist ${HOME}/.config/keepassxc +noblacklist ${HOME}/.config/KeePassXCrc noblacklist ${HOME}/.keepassxc -# 2.2.4 needs this path when compiled with "Native messaging browser extension" -noblacklist ${HOME}/.mozilla noblacklist ${DOCUMENTS} +# Allow browser profiles, required for browser integration. +noblacklist ${HOME}/.config/BraveSoftware +noblacklist ${HOME}/.config/chromium +noblacklist ${HOME}/.config/google-chrome +noblacklist ${HOME}/.config/vivaldi +noblacklist ${HOME}/.local/share/torbrowser +noblacklist ${HOME}/.mozilla + +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -24,17 +33,28 @@ include disable-shell.inc include disable-xdg.inc -# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines. -# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx +# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local. +# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx. #mkdir ${HOME}/Documents/KeePassXC #whitelist ${HOME}/Documents/KeePassXC -# Needed for KeePassXC-Browser +# Needed for KeePassXC-Browser. +#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json #mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json #mkdir ${HOME}/.cache/keepassxc #mkdir ${HOME}/.config/keepassxc #whitelist ${HOME}/.cache/keepassxc #whitelist ${HOME}/.config/keepassxc +#whitelist ${HOME}/.config/KeePassXCrc #include whitelist-common.inc whitelist /usr/share/keepassxc @@ -47,6 +67,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -73,12 +94,12 @@ dbus-user.talk org.gnome.ScreenSaver dbus-user.talk org.gnome.SessionManager dbus-user.talk org.gnome.SessionManager.Presence -# Uncomment or add to your keepassxc.local to allow Notifications. +# Add the next line to your keepassxc.local to allow notifications. #dbus-user.talk org.freedesktop.Notifications -# Uncomment or add to your keepassxc.local to allow Tray. +# Add the next line to your keepassxc.local to allow the tray menu. #dbus-user.talk org.kde.StatusNotifierWatcher #dbus-user.own org.kde.* dbus-system none -# Mutex is stored in /tmp by default, which is broken by private-tmp +# Mutex is stored in /tmp by default, which is broken by private-tmp. join-or-start keepassxc diff -Nru firejail-0.9.64.4/etc/profile-a-l/keepassx.profile firejail-0.9.66/etc/profile-a-l/keepassx.profile --- firejail-0.9.64.4/etc/profile-a-l/keepassx.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/keepassx.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/kfind.profile firejail-0.9.66/etc/profile-a-l/kfind.profile --- firejail-0.9.64.4/etc/profile-a-l/kfind.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kfind.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/kget.profile firejail-0.9.66/etc/profile-a-l/kget.profile --- firejail-0.9.64.4/etc/profile-a-l/kget.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kget.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/kid3.profile firejail-0.9.66/etc/profile-a-l/kid3.profile --- firejail-0.9.64.4/etc/profile-a-l/kid3.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kid3.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/kino.profile firejail-0.9.66/etc/profile-a-l/kino.profile --- firejail-0.9.64.4/etc/profile-a-l/kino.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kino.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/kiwix-desktop.profile firejail-0.9.66/etc/profile-a-l/kiwix-desktop.profile --- firejail-0.9.64.4/etc/profile-a-l/kiwix-desktop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kiwix-desktop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ # no3d nodvd nogroups +noinput nonewprivs noroot # nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/klatexformula_cmdl.profile firejail-0.9.66/etc/profile-a-l/klatexformula_cmdl.profile --- firejail-0.9.64.4/etc/profile-a-l/klatexformula_cmdl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/klatexformula_cmdl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for klatexformula_cmdl # This file is overwritten after every install/update - # Persistent local customizations include klatexformula_cmdl.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include klatexformula.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/klatexformula.profile firejail-0.9.66/etc/profile-a-l/klatexformula.profile --- firejail-0.9.64.4/etc/profile-a-l/klatexformula.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/klatexformula.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/klavaro.profile firejail-0.9.66/etc/profile-a-l/klavaro.profile --- firejail-0.9.64.4/etc/profile-a-l/klavaro.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/klavaro.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/kmail.profile firejail-0.9.66/etc/profile-a-l/kmail.profile --- firejail-0.9.64.4/etc/profile-a-l/kmail.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kmail.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,10 +9,6 @@ # kmail has problems launching akonadi in debian and ubuntu. # one solution is to have akonadi already running when kmail is started -noblacklist ${HOME}/.gnupg -# noblacklist ${HOME}/.kde/ -# noblacklist ${HOME}/.kde4/ -noblacklist ${HOME}/.mozilla noblacklist ${HOME}/.cache/akonadi* noblacklist ${HOME}/.cache/kmail2 noblacklist ${HOME}/.config/akonadi* @@ -23,6 +19,7 @@ noblacklist ${HOME}/.config/kmailsearchindexingrc noblacklist ${HOME}/.config/mailtransports noblacklist ${HOME}/.config/specialmailcollectionsrc +noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.local/share/akonadi* noblacklist ${HOME}/.local/share/apps/korganizer noblacklist ${HOME}/.local/share/contacts @@ -33,8 +30,6 @@ noblacklist ${HOME}/.local/share/local-mail noblacklist ${HOME}/.local/share/notes noblacklist /tmp/akonadi-* -noblacklist /var/mail -noblacklist /var/spool/mail include disable-common.inc include disable-devel.inc @@ -42,77 +37,15 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -include disable-xdg.inc -mkdir ${HOME}/.gnupg -# mkdir ${HOME}/.kde/ -# mkdir ${HOME}/.kde4/ -mkdir ${HOME}/.cache/akonadi* -mkdir ${HOME}/.cache/kmail2 -mkdir ${HOME}/.config/akonadi* -mkdir ${HOME}/.config/baloorc -mkdir ${HOME}/.config/emaildefaults -mkdir ${HOME}/.config/emailidentities -mkdir ${HOME}/.config/kmail2rc -mkdir ${HOME}/.config/kmailsearchindexingrc -mkdir ${HOME}/.config/mailtransports -mkdir ${HOME}/.config/specialmailcollectionsrc -mkdir ${HOME}/.local/share/akonadi* -mkdir ${HOME}/.local/share/apps/korganizer -mkdir ${HOME}/.local/share/contacts -mkdir ${HOME}/.local/share/emailidentities -mkdir ${HOME}/.local/share/kmail2 -mkdir ${HOME}/.local/share/kxmlgui5/kmail -mkdir ${HOME}/.local/share/kxmlgui5/kmail2 -mkdir ${HOME}/.local/share/local-mail -mkdir ${HOME}/.local/share/notes -mkdir /tmp/akonadi-* -whitelist ${HOME}/.gnupg -# whitelist ${HOME}/.kde/ -# whitelist ${HOME}/.kde4/ -whitelist ${HOME}/.mozilla/firefox/profiles.ini -whitelist ${HOME}/.cache/akonadi* -whitelist ${HOME}/.cache/kmail2 -whitelist ${HOME}/.config/akonadi* -whitelist ${HOME}/.config/baloorc -whitelist ${HOME}/.config/emaildefaults -whitelist ${HOME}/.config/emailidentities -whitelist ${HOME}/.config/kmail2rc -whitelist ${HOME}/.config/kmailsearchindexingrc -whitelist ${HOME}/.config/mailtransports -whitelist ${HOME}/.config/specialmailcollectionsrc -whitelist ${HOME}/.local/share/akonadi* -whitelist ${HOME}/.local/share/apps/korganizer -whitelist ${HOME}/.local/share/contacts -whitelist ${HOME}/.local/share/emailidentities -whitelist ${HOME}/.local/share/kmail2 -whitelist ${HOME}/.local/share/kxmlgui5/kmail -whitelist ${HOME}/.local/share/kxmlgui5/kmail2 -whitelist ${HOME}/.local/share/local-mail -whitelist ${HOME}/.local/share/notes -whitelist ${DOWNLOADS} -whitelist ${DOCUMENTS} -whitelist ${RUNUSER}/gnupg -whitelist /tmp/akonadi-* -whitelist /usr/share/akonadi -whitelist /usr/share/gnupg -whitelist /usr/share/gnupg2 -whitelist /usr/share/kconf_update -whitelist /usr/share/kf5 -whitelist /usr/share/kservices5 -whitelist /usr/share/qlogging-categories5 -whitelist /var/mail -whitelist /var/spool/mail -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc include whitelist-var-common.inc -apparmor +# apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -124,14 +57,7 @@ seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set # tracelog -private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg # private-tmp - interrupts connection to akonadi, breaks opening of email attachments +# writable-run-user is needed for signing and encrypting emails writable-run-user -writable-var - -# dbus-user none -dbus-system none - -read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file diff -Nru firejail-0.9.64.4/etc/profile-a-l/kmplayer.profile firejail-0.9.66/etc/profile-a-l/kmplayer.profile --- firejail-0.9.64.4/etc/profile-a-l/kmplayer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kmplayer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-a-l/kodi.profile firejail-0.9.66/etc/profile-a-l/kodi.profile --- firejail-0.9.64.4/etc/profile-a-l/kodi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kodi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,6 +8,10 @@ # noexec ${HOME} breaks plugins ignore noexec ${HOME} +# Add the following to your kodi.local if you use a CEC Adapter. +#ignore nogroups +#ignore noroot +#ignore private-dev noblacklist ${HOME}/.kodi noblacklist ${MUSIC} @@ -32,6 +36,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs # Seems to cause issues with Nvidia drivers sometimes (#3501) noroot diff -Nru firejail-0.9.64.4/etc/profile-a-l/konversation.profile firejail-0.9.66/etc/profile-a-l/konversation.profile --- firejail-0.9.64.4/etc/profile-a-l/konversation.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/konversation.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/kopete.profile firejail-0.9.66/etc/profile-a-l/kopete.profile --- firejail-0.9.64.4/etc/profile-a-l/kopete.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kopete.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/krita.profile firejail-0.9.66/etc/profile-a-l/krita.profile --- firejail-0.9.64.4/etc/profile-a-l/krita.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/krita.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ktorrent.profile firejail-0.9.66/etc/profile-a-l/ktorrent.profile --- firejail-0.9.64.4/etc/profile-a-l/ktorrent.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ktorrent.profile 2021-06-22 15:51:28.000000000 +0000 @@ -46,6 +46,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/ktouch.profile firejail-0.9.66/etc/profile-a-l/ktouch.profile --- firejail-0.9.64.4/etc/profile-a-l/ktouch.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/ktouch.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/kube.profile firejail-0.9.66/etc/profile-a-l/kube.profile --- firejail-0.9.64.4/etc/profile-a-l/kube.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kube.profile 2021-06-22 15:51:28.000000000 +0000 @@ -51,6 +51,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/kwin_x11.profile firejail-0.9.66/etc/profile-a-l/kwin_x11.profile --- firejail-0.9.64.4/etc/profile-a-l/kwin_x11.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kwin_x11.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/kwrite.profile firejail-0.9.66/etc/profile-a-l/kwrite.profile --- firejail-0.9.64.4/etc/profile-a-l/kwrite.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/kwrite.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot # nosound - KWrite is using ALSA! diff -Nru firejail-0.9.64.4/etc/profile-a-l/latex-common.profile firejail-0.9.66/etc/profile-a-l/latex-common.profile --- firejail-0.9.64.4/etc/profile-a-l/latex-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/latex-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/lbunzip2.profile firejail-0.9.66/etc/profile-a-l/lbunzip2.profile --- firejail-0.9.64.4/etc/profile-a-l/lbunzip2.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lbunzip2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for gzip # Description: GNU compression utilities # This file is overwritten after every install/update - # Persistent local customizations include lbunzip2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gzip.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lbzcat.profile firejail-0.9.66/etc/profile-a-l/lbzcat.profile --- firejail-0.9.64.4/etc/profile-a-l/lbzcat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lbzcat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for gzip # Description: GNU compression utilities # This file is overwritten after every install/update - # Persistent local customizations include lbzcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gzip.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lbzip2.profile firejail-0.9.66/etc/profile-a-l/lbzip2.profile --- firejail-0.9.64.4/etc/profile-a-l/lbzip2.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lbzip2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for gzip # Description: GNU compression utilities # This file is overwritten after every install/update - # Persistent local customizations include lbzip2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gzip.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/leafpad.profile firejail-0.9.66/etc/profile-a-l/leafpad.profile --- firejail-0.9.64.4/etc/profile-a-l/leafpad.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/leafpad.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/less.profile firejail-0.9.66/etc/profile-a-l/less.profile --- firejail-0.9.64.4/etc/profile-a-l/less.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/less.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ net none no3d nodvd +noinput nonewprivs #noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/librecad.profile firejail-0.9.66/etc/profile-a-l/librecad.profile --- firejail-0.9.64.4/etc/profile-a-l/librecad.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/librecad.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,51 @@ +# Firejail profile for librecad +# Persistent local customizations +include librecad.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/LibreCAD +noblacklist ${HOME}/.local/share/LibreCAD + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/share/librecad +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +#nogroups +#noinput +nonewprivs +noroot +notv +#nou2f +novideo +protocol unix,inet,inet6 +netfilter +seccomp +shell none +#tracelog + +#disable-mnt +private-bin librecad +private-dev +# private-etc cups,drirc,fonts,passwd,xdg +#private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/libreoffice.profile firejail-0.9.66/etc/profile-a-l/libreoffice.profile --- firejail-0.9.64.4/etc/profile-a-l/libreoffice.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/libreoffice.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,11 +9,13 @@ noblacklist /usr/local/sbin noblacklist ${HOME}/.config/libreoffice -# libreoffice uses java for some certain operations -# comment if you don't care about java functionality +# libreoffice uses java for some functionality. +# Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality. # Allow java (blacklisted by disable-devel.inc) include allow-java.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -22,25 +24,28 @@ include whitelist-var-common.inc -# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode. -# comment the next line to use the ubuntu profile instead of firejail's apparmor profile +# Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. +# Add the next lines to your libreoffice.local to use the Ubuntu profile instead of firejail's apparmor profile. +#ignore apparmor +#ignore nonewprivs +#ignore protocol +#ignore seccomp +#ignore tracelog + apparmor caps.drop all netfilter nodvd nogroups -# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile +noinput nonewprivs noroot notv nou2f novideo -# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile protocol unix,inet,inet6 -# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile seccomp shell none -# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile tracelog #private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls diff -Nru firejail-0.9.64.4/etc/profile-a-l/librewolf-nightly.profile firejail-0.9.66/etc/profile-a-l/librewolf-nightly.profile --- firejail-0.9.64.4/etc/profile-a-l/librewolf-nightly.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/librewolf-nightly.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for librewolf-nightly +# This file is overwritten after every install/update +# Persistent local customizations +include librewolf-nightly.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Add the next line to your librewolf-nightly.local to enable private-bin. +#private-bin librewolf-nightly + +# Redirect +include librewolf.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/librewolf.profile firejail-0.9.66/etc/profile-a-l/librewolf.profile --- firejail-0.9.64.4/etc/profile-a-l/librewolf.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/librewolf.profile 2021-06-27 18:09:10.000000000 +0000 @@ -14,15 +14,44 @@ whitelist ${HOME}/.cache/librewolf whitelist ${HOME}/.librewolf -# Uncomment (or add to librewolf.local) the following lines if you want to -# use the migration wizard. +# Add the next lines to your librewolf.local if you want to use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla -# librewolf requires a shell to launch on Arch. We can possibly remove sh though. -#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which -# private-etc must first be enabled in firefox-common.profile +# To enable KeePassXC Plugin add one of the following lines to your librewolf.local. +# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them. +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + +whitelist /usr/share/doc +whitelist /usr/share/gtk-doc/html +whitelist /usr/share/mozilla +whitelist /usr/share/webext +include whitelist-usr-share-common.inc + +# Add the next line to your librewolf.local to enable private-bin (Arch Linux). +#private-bin dbus-launch,dbus-send,librewolf,sh +# Add the next line to your librewolf.local to enable private-etc. +# NOTE: private-etc must first be enabled in firefox-common.local. #private-etc librewolf +dbus-user filter +# Add the next line to your librewolf.local to enable native notifications. +#dbus-user.talk org.freedesktop.Notifications +# Add the next line to your librewolf.local to allow inhibiting screensavers. +#dbus-user.talk org.freedesktop.ScreenSaver +# Add the next lines to your librewolf.local for plasma browser integration. +#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kuiserver +# Add the next three lines to your librewolf.local to allow screensharing under Wayland. +#whitelist ${RUNUSER}/pipewire-0 +#whitelist /usr/share/pipewire/client.conf +#dbus-user.talk org.freedesktop.portal.* +# Also add the next line to your librewolf.local if screensharing does not work with +# the above lines (depends on the portal implementation). +#ignore noroot +ignore dbus-user none + # Redirect include firefox-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/liferea.profile firejail-0.9.66/etc/profile-a-l/liferea.profile --- firejail-0.9.64.4/etc/profile-a-l/liferea.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/liferea.profile 2021-06-22 15:51:28.000000000 +0000 @@ -37,6 +37,7 @@ # no3d nodvd nogroups +noinput nonewprivs noroot # nosound @@ -55,8 +56,8 @@ dbus-user filter dbus-user.own net.sourceforge.liferea dbus-user.talk ca.desrt.dconf -# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local +# Add the next line to your liferea.local if you use the 'Popup Notifications' plugin. #dbus-user.talk org.freedesktop.Notifications -# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local +# Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. #dbus-user.talk org.freedesktop.secrets dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/lincity-ng.profile firejail-0.9.66/etc/profile-a-l/lincity-ng.profile --- firejail-0.9.64.4/etc/profile-a-l/lincity-ng.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lincity-ng.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/links2.profile firejail-0.9.66/etc/profile-a-l/links2.profile --- firejail-0.9.64.4/etc/profile-a-l/links2.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/links2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,18 @@ +# Firejail profile for links2 +# Description: Text WWW browser with a graphic version +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include links2.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.links2 + +mkdir ${HOME}/.links2 +whitelist ${HOME}/.links2 + +private-bin links2 + +# Redirect +include links-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/links-common.profile firejail-0.9.66/etc/profile-a-l/links-common.profile --- firejail-0.9.64.4/etc/profile-a-l/links-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/links-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,63 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include links-common.local + +# common profile for links browsers + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +# Additional noblacklist files/directories (blacklisted in disable-programs.inc) +# used as associated programs can be added in your links-common.local. +include disable-programs.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +# Add 'ignore machine-id' to your links-common.local if you want to restrict access to +# the user-configured associated media player. +machine-id +netfilter +# Add 'ignore no3d' to your links-common.local if you want to restrict access to +# the user-configured associated media player. +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +# Add 'ignore nosound' to your links-common.local if you want to restrict access to +# the user-configured associated media player. +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. +private-bin sh +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +# Add the next line to your links-common.local to allow external media players. +# private-etc alsa,asound.conf,machine-id,openal,pulse +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-a-l/links.profile firejail-0.9.66/etc/profile-a-l/links.profile --- firejail-0.9.64.4/etc/profile-a-l/links.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/links.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,59 +9,10 @@ noblacklist ${HOME}/.links -blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -# you may want to noblacklist files/directories blacklisted in -# disable-programs.inc and used as associated programs -include disable-programs.inc -include disable-xdg.inc - mkdir ${HOME}/.links whitelist ${HOME}/.links -whitelist ${DOWNLOADS} -include whitelist-runuser-common.inc -include whitelist-var-common.inc - -caps.drop all -ipc-namespace -# comment machine-id (or put 'ignore machine-id' in your links.local) if you want -# to allow access only to user-configured associated media player -machine-id -netfilter -# comment no3d (or put 'ignore no3d' in your links.local) if you want -# to allow access only to user-configured associated media player -no3d -nodvd -nogroups -nonewprivs -noroot -# comment nosound (or put 'ignore nosound' in your links.local) if you want -# to allow access only to user-configured associated media player -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog -disable-mnt -# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local -# or append 'PROGRAM1,PROGRAM2' to this private-bin line -private-bin links,sh -private-cache -private-dev -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl -# Uncomment the following line (or put it in your links.local) allow external -# media players -# private-etc alsa,asound.conf,machine-id,openal,pulse -private-tmp +private-bin links -memory-deny-write-execute +# Redirect +include links-common.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/linphone.profile firejail-0.9.66/etc/profile-a-l/linphone.profile --- firejail-0.9.64.4/etc/profile-a-l/linphone.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/linphone.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/lmms.profile firejail-0.9.66/etc/profile-a-l/lmms.profile --- firejail-0.9.64.4/etc/profile-a-l/lmms.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lmms.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/lobase.profile firejail-0.9.66/etc/profile-a-l/lobase.profile --- firejail-0.9.64.4/etc/profile-a-l/lobase.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lobase.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include lobase.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/localc.profile firejail-0.9.66/etc/profile-a-l/localc.profile --- firejail-0.9.64.4/etc/profile-a-l/localc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/localc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include localc.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lodraw.profile firejail-0.9.66/etc/profile-a-l/lodraw.profile --- firejail-0.9.64.4/etc/profile-a-l/lodraw.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lodraw.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include lodraw.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/loffice.profile firejail-0.9.66/etc/profile-a-l/loffice.profile --- firejail-0.9.64.4/etc/profile-a-l/loffice.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/loffice.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include loffice.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lofromtemplate.profile firejail-0.9.66/etc/profile-a-l/lofromtemplate.profile --- firejail-0.9.64.4/etc/profile-a-l/lofromtemplate.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lofromtemplate.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include lofromtemplate.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/Logs.profile firejail-0.9.66/etc/profile-a-l/Logs.profile --- firejail-0.9.64.4/etc/profile-a-l/Logs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/Logs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for gnome-logs # This file is overwritten after every install/update - # Persistent local customizations include Logs.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff -Nru firejail-0.9.64.4/etc/profile-a-l/loimpress.profile firejail-0.9.66/etc/profile-a-l/loimpress.profile --- firejail-0.9.64.4/etc/profile-a-l/loimpress.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/loimpress.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include loimpress.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lollypop.profile firejail-0.9.66/etc/profile-a-l/lollypop.profile --- firejail-0.9.64.4/etc/profile-a-l/lollypop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lollypop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/lomath.profile firejail-0.9.66/etc/profile-a-l/lomath.profile --- firejail-0.9.64.4/etc/profile-a-l/lomath.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lomath.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include lomath.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/loweb.profile firejail-0.9.66/etc/profile-a-l/loweb.profile --- firejail-0.9.64.4/etc/profile-a-l/loweb.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/loweb.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include loweb.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lowriter.profile firejail-0.9.66/etc/profile-a-l/lowriter.profile --- firejail-0.9.64.4/etc/profile-a-l/lowriter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lowriter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include lowriter.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lugaru.profile firejail-0.9.66/etc/profile-a-l/lugaru.profile --- firejail-0.9.64.4/etc/profile-a-l/lugaru.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lugaru.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/luminance-hdr.profile firejail-0.9.66/etc/profile-a-l/luminance-hdr.profile --- firejail-0.9.64.4/etc/profile-a-l/luminance-hdr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/luminance-hdr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/lutris.profile firejail-0.9.66/etc/profile-a-l/lutris.profile --- firejail-0.9.64.4/etc/profile-a-l/lutris.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lutris.profile 2021-06-22 15:51:28.000000000 +0000 @@ -14,6 +14,10 @@ noblacklist ${HOME}/.local/share/lutris # noblacklist ${HOME}/.wine noblacklist /tmp/.wine-* +# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise +# Lutris won't even start. +noblacklist /sbin +noblacklist /usr/sbin ignore noexec ${HOME} @@ -35,7 +39,7 @@ mkdir ${HOME}/.config/lutris mkdir ${HOME}/.local/share/lutris # mkdir ${HOME}/.wine -whitelist ${HOME}/Downloads +whitelist ${DOWNLOADS} whitelist ${HOME}/Games whitelist ${HOME}/.cache/lutris whitelist ${HOME}/.cache/winetricks @@ -66,9 +70,11 @@ seccomp shell none -# uncomment the following line if you do not need controller support -# private-dev +# Add the next line to your lutris.local if you do not need controller support. +#private-dev private-tmp -dbus-user none +dbus-user filter +dbus-user.own net.lutris.Lutris +dbus-user.talk com.feralinteractive.GameMode dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-a-l/lximage-qt.profile firejail-0.9.66/etc/profile-a-l/lximage-qt.profile --- firejail-0.9.64.4/etc/profile-a-l/lximage-qt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lximage-qt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/lxmusic.profile firejail-0.9.66/etc/profile-a-l/lxmusic.profile --- firejail-0.9.64.4/etc/profile-a-l/lxmusic.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lxmusic.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-a-l/lynx.profile firejail-0.9.66/etc/profile-a-l/lynx.profile --- firejail-0.9.64.4/etc/profile-a-l/lynx.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lynx.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-a-l/lyx.profile firejail-0.9.66/etc/profile-a-l/lyx.profile --- firejail-0.9.64.4/etc/profile-a-l/lyx.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lyx.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,8 +11,13 @@ noblacklist ${HOME}/.config/LyX noblacklist ${HOME}/.lyx +# Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzcat.profile firejail-0.9.66/etc/profile-a-l/lzcat.profile --- firejail-0.9.64.4/etc/profile-a-l/lzcat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzcat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzcmp.profile firejail-0.9.66/etc/profile-a-l/lzcmp.profile --- firejail-0.9.64.4/etc/profile-a-l/lzcmp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzcmp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzcmp.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzdiff.profile firejail-0.9.66/etc/profile-a-l/lzdiff.profile --- firejail-0.9.64.4/etc/profile-a-l/lzdiff.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzdiff.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,12 @@ # Firejail profile alias for cpio # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - +quiet # Persistent local customizations include lzdiff.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzegrep.profile firejail-0.9.66/etc/profile-a-l/lzegrep.profile --- firejail-0.9.64.4/etc/profile-a-l/lzegrep.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzegrep.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzegrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzfgrep.profile firejail-0.9.66/etc/profile-a-l/lzfgrep.profile --- firejail-0.9.64.4/etc/profile-a-l/lzfgrep.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzfgrep.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzfgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzgrep.profile firejail-0.9.66/etc/profile-a-l/lzgrep.profile --- firejail-0.9.64.4/etc/profile-a-l/lzgrep.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzgrep.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzip.profile firejail-0.9.66/etc/profile-a-l/lzip.profile --- firejail-0.9.64.4/etc/profile-a-l/lzip.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzip.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzip.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzless.profile firejail-0.9.66/etc/profile-a-l/lzless.profile --- firejail-0.9.64.4/etc/profile-a-l/lzless.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzless.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzless.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzmadec.profile firejail-0.9.66/etc/profile-a-l/lzmadec.profile --- firejail-0.9.64.4/etc/profile-a-l/lzmadec.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzmadec.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,12 @@ # Firejail profile alias for xzdec # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - +quiet # Persistent local customizations include lzmadec.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include xzdec.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzmainfo.profile firejail-0.9.66/etc/profile-a-l/lzmainfo.profile --- firejail-0.9.64.4/etc/profile-a-l/lzmainfo.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzmainfo.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzmainfo.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzma.profile firejail-0.9.66/etc/profile-a-l/lzma.profile --- firejail-0.9.64.4/etc/profile-a-l/lzma.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzma.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzma.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzmore.profile firejail-0.9.66/etc/profile-a-l/lzmore.profile --- firejail-0.9.64.4/etc/profile-a-l/lzmore.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzmore.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include lzmore.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/lzop.profile firejail-0.9.66/etc/profile-a-l/lzop.profile --- firejail-0.9.64.4/etc/profile-a-l/lzop.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/lzop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,12 @@ +# Firejail profile for lzop +# Description: File compressor using lzo lib +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include lzop.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-a-l/sway.profile firejail-0.9.66/etc/profile-a-l/sway.profile --- firejail-0.9.64.4/etc/profile-a-l/sway.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-a-l/sway.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,19 @@ +# Firejail profile for Sway +# Description: i3-compatible Wayland compositor +# This file is overwritten after every install/update +# Persistent local customizations +include sway.local +# Persistent global definitions +include globals.local + +# all applications started in sway will run in this profile +noblacklist ${HOME}/.config/sway +# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway +noblacklist ${HOME}/.config/i3 +include disable-common.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6 +seccomp diff -Nru firejail-0.9.64.4/etc/profile-m-z/macrofusion.profile firejail-0.9.66/etc/profile-m-z/macrofusion.profile --- firejail-0.9.64.4/etc/profile-m-z/macrofusion.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/macrofusion.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/Maelstrom.profile firejail-0.9.66/etc/profile-m-z/Maelstrom.profile --- firejail-0.9.64.4/etc/profile-m-z/Maelstrom.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/Maelstrom.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput #nonewprivs #noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/magicor.profile firejail-0.9.66/etc/profile-m-z/magicor.profile --- firejail-0.9.64.4/etc/profile-m-z/magicor.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/magicor.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ net none nodvd nogroups +noinput nonewprivs notv nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/manaplus.profile firejail-0.9.66/etc/profile-m-z/manaplus.profile --- firejail-0.9.64.4/etc/profile-m-z/manaplus.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/manaplus.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/man.profile firejail-0.9.66/etc/profile-m-z/man.profile --- firejail-0.9.64.4/etc/profile-m-z/man.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/man.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,6 +10,7 @@ blacklist ${RUNUSER} noblacklist ${HOME}/.local/share/man +noblacklist ${HOME}/.rustup include disable-common.inc include disable-devel.inc @@ -19,16 +20,17 @@ include disable-programs.inc include disable-xdg.inc -mkdir ${HOME}/.local/share/man -whitelist ${HOME}/.local/share/man -whitelist ${HOME}/.manpath +#mkdir ${HOME}/.local/share/man +#whitelist ${HOME}/.local/share/man +#whitelist ${HOME}/.manpath whitelist /usr/share/groff whitelist /usr/share/info whitelist /usr/share/lintian whitelist /usr/share/locale whitelist /usr/share/man whitelist /var/cache/man -include whitelist-common.inc +#include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -40,6 +42,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -53,13 +56,15 @@ x11 none disable-mnt -private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim +#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim private-cache private-dev -private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg -private-tmp +private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg +#private-tmp dbus-user none dbus-system none memory-deny-write-execute +read-only ${HOME} +read-only /tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/Maps.profile firejail-0.9.66/etc/profile-m-z/Maps.profile --- firejail-0.9.64.4/etc/profile-m-z/Maps.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/Maps.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for gnome-maps # This file is overwritten after every install/update - # Persistent local customizations include Maps.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff -Nru firejail-0.9.64.4/etc/profile-m-z/marker.profile firejail-0.9.66/etc/profile-m-z/marker.profile --- firejail-0.9.64.4/etc/profile-m-z/marker.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/marker.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,12 +6,15 @@ # Persistent global definitions include globals.local -# Uncomment (or add to your marker.local) if you need internet access. +# Add the next lines to your marker.local if you need internet access. #ignore net none #protocol unix,inet,inet6 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf noblacklist ${HOME}/.cache/marker +noblacklist ${DOCUMENTS} + +include allow-python3.inc include disable-common.inc include disable-devel.inc @@ -22,6 +25,7 @@ include disable-shell.inc include disable-xdg.inc +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/com.github.fabiocolacio.marker include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -35,6 +39,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -47,7 +52,7 @@ shell none tracelog -private-bin marker +private-bin marker,python3* private-cache private-dev private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11 diff -Nru firejail-0.9.64.4/etc/profile-m-z/masterpdfeditor.profile firejail-0.9.66/etc/profile-m-z/masterpdfeditor.profile --- firejail-0.9.64.4/etc/profile-m-z/masterpdfeditor.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/masterpdfeditor.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ machine-id nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mate-calc.profile firejail-0.9.66/etc/profile-m-z/mate-calc.profile --- firejail-0.9.64.4/etc/profile-m-z/mate-calc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mate-calc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mate-calculator.profile firejail-0.9.66/etc/profile-m-z/mate-calculator.profile --- firejail-0.9.64.4/etc/profile-m-z/mate-calculator.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mate-calculator.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for mate-calc # This file is overwritten after every install/update - # Persistent local customizations include mate-calculator.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include mate-calc.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/mate-color-select.profile firejail-0.9.66/etc/profile-m-z/mate-color-select.profile --- firejail-0.9.64.4/etc/profile-m-z/mate-color-select.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mate-color-select.profile 2021-06-22 15:51:28.000000000 +0000 @@ -15,11 +15,13 @@ include whitelist-common.inc +apparmor caps.drop all netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mate-dictionary.profile firejail-0.9.66/etc/profile-m-z/mate-dictionary.profile --- firejail-0.9.64.4/etc/profile-m-z/mate-dictionary.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mate-dictionary.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mathematica.profile firejail-0.9.66/etc/profile-m-z/mathematica.profile --- firejail-0.9.64.4/etc/profile-m-z/mathematica.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mathematica.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for Mathematica # This file is overwritten after every install/update - # Persistent local customizations include mathematica.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include Mathematica.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/mcabber.profile firejail-0.9.66/etc/profile-m-z/mcabber.profile --- firejail-0.9.64.4/etc/profile-m-z/mcabber.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mcabber.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,6 +19,7 @@ caps.drop all netfilter nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mcomix.profile firejail-0.9.66/etc/profile-m-z/mcomix.profile --- firejail-0.9.64.4/etc/profile-m-z/mcomix.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mcomix.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,74 @@ +# Firejail profile for mcomix +# Description: A comic book and manga viewer in python +# This file is overwritten after every install/update +# Persistent local customizations +include mcomix.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/mcomix +noblacklist ${HOME}/.local/share/mcomix +noblacklist ${DOCUMENTS} + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow python (blacklisted by disable-interpreters.inc) +# mcomix <= 1.2 uses python2 +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/mcomix +mkdir ${HOME}/.local/share/mcomix +whitelist /usr/share/mcomix +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +include whitelist-runuser-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +# mcomix <= 1.2 uses python2 +private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip +private-cache +private-dev +# mcomix <= 1.2 uses gtk-2.0 +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg +private-tmp + +dbus-user none +dbus-system none + +read-only ${HOME} +read-write ${HOME}/.config/mcomix +read-write ${HOME}/.local/share/mcomix +#to allow ${HOME}/.local/share/recently-used.xbel +read-write ${HOME}/.local/share +# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails +read-write ${HOME}/.thumbnails diff -Nru firejail-0.9.64.4/etc/profile-m-z/md5sum.profile firejail-0.9.66/etc/profile-m-z/md5sum.profile --- firejail-0.9.64.4/etc/profile-m-z/md5sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/md5sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for md5sum +# Description: compute and check MD5 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include md5sum.local +# Persistent global definitions +include globals.local + +private-bin md5sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/mdr.profile firejail-0.9.66/etc/profile-m-z/mdr.profile --- firejail-0.9.64.4/etc/profile-m-z/mdr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mdr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mediainfo.profile firejail-0.9.66/etc/profile-m-z/mediainfo.profile --- firejail-0.9.64.4/etc/profile-m-z/mediainfo.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mediainfo.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mediathekview.profile firejail-0.9.66/etc/profile-m-z/mediathekview.profile --- firejail-0.9.64.4/etc/profile-m-z/mediathekview.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mediathekview.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/megaglest_editor.profile firejail-0.9.66/etc/profile-m-z/megaglest_editor.profile --- firejail-0.9.64.4/etc/profile-m-z/megaglest_editor.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/megaglest_editor.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for megaglest # This file is overwritten after every install/update - # Persistent local customizations include megaglest_editor.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include megaglest.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/megaglest.profile firejail-0.9.66/etc/profile-m-z/megaglest.profile --- firejail-0.9.64.4/etc/profile-m-z/megaglest.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/megaglest.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ mkdir ${HOME}/.megaglest whitelist ${HOME}/.megaglest whitelist /usr/share/megaglest +whitelist /usr/share/games/megaglest # Debian version include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -31,6 +32,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/meld.profile firejail-0.9.66/etc/profile-m-z/meld.profile --- firejail-0.9.64.4/etc/profile-m-z/meld.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/meld.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,44 +6,48 @@ # Persistent global definitions include globals.local -# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need -# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path +# If you want to use meld as git mergetool (and maybe some other VCS integrations) you need +# to bypass firejail. You can do this by removing the symlink or by calling it by its absolute path. # Removing the symlink: -# sudo rm /usr/local/bin/meld -# Calling by its absolute path (example for git-mergetool): -# git config --global mergetool.meld.cmd /usr/bin/meld +# $ sudo rm /usr/local/bin/meld +# Calling it by its absolute path (example for git mergetool): +# $ git config --global mergetool.meld.cmd /usr/bin/meld noblacklist ${HOME}/.config/meld noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.local/share/meld -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.subversion # Allow python (blacklisted by disable-interpreters.inc) +# Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks +# but want to keep Python 2 support for older meld versions. +#include allow-python2.inc include allow-python3.inc -# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. -#include allow-python2.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + +blacklist /usr/libexec -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. +# Add the next line to your meld.local if you don't need to compare files in disable-common.inc. #include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. +# Add the next line to your meld.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc include whitelist-runuser-common.inc -# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share. +# Add the next lines to your meld.local if you don't need to compare files in /usr/share. #whitelist /usr/share/meld #include whitelist-usr-share-common.inc -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var. +# Add the next line to your meld.local if you don't need to compare files in /var. #include whitelist-var-common.inc apparmor @@ -54,6 +58,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -69,9 +74,9 @@ private-bin bzr,cvs,git,hg,meld,python*,svn private-cache private-dev -# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc. +# Add the next line to your meld.local if you don't need to compare files in /etc. #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion -# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551) +# Add 'ignore private-tmp' to your meld.local if you want to use it as difftool (#3551). private-tmp read-only ${HOME}/.ssh diff -Nru firejail-0.9.64.4/etc/profile-m-z/mendeleydesktop.profile firejail-0.9.66/etc/profile-m-z/mendeleydesktop.profile --- firejail-0.9.64.4/etc/profile-m-z/mendeleydesktop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mendeleydesktop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/menulibre.profile firejail-0.9.66/etc/profile-m-z/menulibre.profile --- firejail-0.9.64.4/etc/profile-m-z/menulibre.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/menulibre.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -36,6 +37,7 @@ nodvd no3d nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/meteo-qt.profile firejail-0.9.66/etc/profile-m-z/meteo-qt.profile --- firejail-0.9.64.4/etc/profile-m-z/meteo-qt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/meteo-qt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mindless.profile firejail-0.9.66/etc/profile-m-z/mindless.profile --- firejail-0.9.64.4/etc/profile-m-z/mindless.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mindless.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/minecraft-launcher.profile firejail-0.9.66/etc/profile-m-z/minecraft-launcher.profile --- firejail-0.9.64.4/etc/profile-m-z/minecraft-launcher.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/minecraft-launcher.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,7 +6,8 @@ # Persistent global definitions include globals.local -# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. +# Some distros put the executable in /opt/minecraft-launcher. +# Run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. ignore noexec ${HOME} @@ -30,11 +31,11 @@ include whitelist-usr-share-common.inc include whitelist-var-common.inc -apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -49,7 +50,8 @@ private-bin java,java-config,minecraft-launcher private-cache private-dev -# If multiplayer or realms break add your own java folder from /etc or comment the line below. +# If multiplayer or realms break, add 'private-etc ' +# or 'ignore private-etc' to your minecraft-launcher.local. private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg private-opt minecraft-launcher private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/minetest.profile firejail-0.9.66/etc/profile-m-z/minetest.profile --- firejail-0.9.64.4/etc/profile-m-z/minetest.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/minetest.profile 2021-06-22 15:51:28.000000000 +0000 @@ -40,6 +40,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/minitube.profile firejail-0.9.66/etc/profile-m-z/minitube.profile --- firejail-0.9.64.4/etc/profile-m-z/minitube.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/minitube.profile 2021-06-22 15:51:28.000000000 +0000 @@ -40,6 +40,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mirage.profile firejail-0.9.66/etc/profile-m-z/mirage.profile --- firejail-0.9.64.4/etc/profile-m-z/mirage.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mirage.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/mirage noblacklist /sbin +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -40,6 +41,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mirrormagic.profile firejail-0.9.66/etc/profile-m-z/mirrormagic.profile --- firejail-0.9.64.4/etc/profile-m-z/mirrormagic.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mirrormagic.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mocp.profile firejail-0.9.66/etc/profile-m-z/mocp.profile --- firejail-0.9.64.4/etc/profile-m-z/mocp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mocp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mousepad.profile firejail-0.9.66/etc/profile-m-z/mousepad.profile --- firejail-0.9.64.4/etc/profile-m-z/mousepad.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mousepad.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mp3splt-gtk.profile firejail-0.9.66/etc/profile-m-z/mp3splt-gtk.profile --- firejail-0.9.64.4/etc/profile-m-z/mp3splt-gtk.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mp3splt-gtk.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mp3splt.profile firejail-0.9.66/etc/profile-m-z/mp3splt.profile --- firejail-0.9.64.4/etc/profile-m-z/mp3splt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mp3splt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mpd.profile firejail-0.9.66/etc/profile-m-z/mpd.profile --- firejail-0.9.64.4/etc/profile-m-z/mpd.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mpd.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ netfilter no3d nodvd +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mpDris2.profile firejail-0.9.66/etc/profile-m-z/mpDris2.profile --- firejail-0.9.64.4/etc/profile-m-z/mpDris2.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mpDris2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/mpg123.profile firejail-0.9.66/etc/profile-m-z/mpg123.profile --- firejail-0.9.64.4/etc/profile-m-z/mpg123.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mpg123.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mplayer.profile firejail-0.9.66/etc/profile-m-z/mplayer.profile --- firejail-0.9.64.4/etc/profile-m-z/mplayer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mplayer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ # net none - mplayer can be used for streaming. netfilter # nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/mpsyt.profile firejail-0.9.66/etc/profile-m-z/mpsyt.profile --- firejail-0.9.64.4/etc/profile-m-z/mpsyt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mpsyt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -53,6 +53,7 @@ nodvd # Seems to cause issues with Nvidia drivers sometimes nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mpv.profile firejail-0.9.66/etc/profile-m-z/mpv.profile --- firejail-0.9.64.4/etc/profile-m-z/mpv.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mpv.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,10 +30,13 @@ # Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -62,6 +65,7 @@ netfilter # nogroups seems to cause issues with Nvidia drivers sometimes nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/mrrescue.profile firejail-0.9.66/etc/profile-m-z/mrrescue.profile --- firejail-0.9.64.4/etc/profile-m-z/mrrescue.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mrrescue.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,18 +8,28 @@ noblacklist ${HOME}/.local/share/love +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.local/share/love whitelist ${HOME}/.local/share/love whitelist /usr/share/mrrescue include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -28,6 +38,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv @@ -35,6 +46,7 @@ novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64.4/etc/profile-m-z/ms-office.profile firejail-0.9.66/etc/profile-m-z/ms-office.profile --- firejail-0.9.64.4/etc/profile-m-z/ms-office.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ms-office.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/mtpaint.profile firejail-0.9.66/etc/profile-m-z/mtpaint.profile --- firejail-0.9.64.4/etc/profile-m-z/mtpaint.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mtpaint.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ nodvd no3d nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/multimc5.profile firejail-0.9.66/etc/profile-m-z/multimc5.profile --- firejail-0.9.64.4/etc/profile-m-z/multimc5.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/multimc5.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/multimc.profile firejail-0.9.66/etc/profile-m-z/multimc.profile --- firejail-0.9.64.4/etc/profile-m-z/multimc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/multimc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for multimc5 # This file is overwritten after every install/update - # Persistent local customizations include multimc.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include multimc5.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/mumble.profile firejail-0.9.66/etc/profile-m-z/mumble.profile --- firejail-0.9.64.4/etc/profile-m-z/mumble.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mumble.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,7 +29,6 @@ caps.drop all netfilter -no3d nodvd nogroups nonewprivs diff -Nru firejail-0.9.64.4/etc/profile-m-z/mupdf.profile firejail-0.9.66/etc/profile-m-z/mupdf.profile --- firejail-0.9.64.4/etc/profile-m-z/mupdf.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mupdf.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/musictube.profile firejail-0.9.66/etc/profile-m-z/musictube.profile --- firejail-0.9.64.4/etc/profile-m-z/musictube.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/musictube.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/musixmatch.profile firejail-0.9.66/etc/profile-m-z/musixmatch.profile --- firejail-0.9.64.4/etc/profile-m-z/musixmatch.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/musixmatch.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,9 +20,11 @@ no3d nodvd nogroups +noinput nonewprivs noroot nogroups +noinput nosound notv nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/mutt.profile firejail-0.9.66/etc/profile-m-z/mutt.profile --- firejail-0.9.64.4/etc/profile-m-z/mutt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mutt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for mutt # Description: Text-based mailreader supporting MIME, GPG, PGP and threading # This file is overwritten after every install/update +quiet # Persistent local customizations include mutt.local # Persistent global definitions @@ -8,15 +9,18 @@ noblacklist /var/mail noblacklist /var/spool/mail +noblacklist ${DOCUMENTS} noblacklist ${HOME}/.Mail noblacklist ${HOME}/.bogofilter noblacklist ${HOME}/.cache/mutt +noblacklist ${HOME}/.config/mutt noblacklist ${HOME}/.config/nano noblacklist ${HOME}/.elinks noblacklist ${HOME}/.emacs noblacklist ${HOME}/.emacs.d noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.mail +noblacklist ${HOME}/.mailcap noblacklist ${HOME}/.msmtprc noblacklist ${HOME}/.mutt noblacklist ${HOME}/.muttrc @@ -34,19 +38,88 @@ blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* +# Add the next lines to your mutt.local for oauth.py,S/MIME support. +#include allow-perl.inc +#include allow-python2.inc +#include allow-python3.inc + include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc +mkdir ${HOME}/.Mail +mkdir ${HOME}/.bogofilter +mkdir ${HOME}/.cache/mutt +mkdir ${HOME}/.config/mutt +mkdir ${HOME}/.config/nano +mkdir ${HOME}/.elinks +mkdir ${HOME}/.emacs.d +mkdir ${HOME}/.gnupg +mkdir ${HOME}/.mail +mkdir ${HOME}/.mutt +mkdir ${HOME}/.vim +mkdir ${HOME}/.w3m +mkdir ${HOME}/Mail +mkdir ${HOME}/mail +mkdir ${HOME}/postponed +mkdir ${HOME}/sent +mkfile ${HOME}/.emacs +mkfile ${HOME}/.mailcap +mkfile ${HOME}/.msmtprc +mkfile ${HOME}/.muttrc +mkfile ${HOME}/.nanorc +mkfile ${HOME}/.signature +mkfile ${HOME}/.viminfo +mkfile ${HOME}/.vimrc +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${HOME}/.Mail +whitelist ${HOME}/.bogofilter +whitelist ${HOME}/.cache/mutt +whitelist ${HOME}/.config/mutt +whitelist ${HOME}/.config/nano +whitelist ${HOME}/.elinks +whitelist ${HOME}/.emacs +whitelist ${HOME}/.emacs.d +whitelist ${HOME}/.gnupg +whitelist ${HOME}/.mail +whitelist ${HOME}/.mailcap +whitelist ${HOME}/.msmtprc +whitelist ${HOME}/.mutt +whitelist ${HOME}/.muttrc +whitelist ${HOME}/.nanorc +whitelist ${HOME}/.signature +whitelist ${HOME}/.vim +whitelist ${HOME}/.viminfo +whitelist ${HOME}/.vimrc +whitelist ${HOME}/.w3m +whitelist ${HOME}/Mail +whitelist ${HOME}/mail +whitelist ${HOME}/postponed +whitelist ${HOME}/sent +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /usr/share/mutt +whitelist /var/mail +whitelist /var/spool/mail +include whitelist-common.inc include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +apparmor caps.drop all +ipc-namespace +machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -55,8 +128,23 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none +tracelog +# disable-mnt +private-cache private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg +private-tmp writable-run-user writable-var + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME}/.elinks +read-only ${HOME}/.nanorc +read-only ${HOME}/.signature +read-only ${HOME}/.w3m diff -Nru firejail-0.9.64.4/etc/profile-m-z/mypaint-ora-thumbnailer.profile firejail-0.9.66/etc/profile-m-z/mypaint-ora-thumbnailer.profile --- firejail-0.9.64.4/etc/profile-m-z/mypaint-ora-thumbnailer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mypaint-ora-thumbnailer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for mypaint-ora-thumbnailer # This file is overwritten after every install/update - # Persistent local customizations include mypaint-ora-thumbnailer.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include mypaint.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/mypaint.profile firejail-0.9.66/etc/profile-m-z/mypaint.profile --- firejail-0.9.64.4/etc/profile-m-z/mypaint.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/mypaint.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nano.profile firejail-0.9.66/etc/profile-m-z/nano.profile --- firejail-0.9.64.4/etc/profile-m-z/nano.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nano.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -46,8 +47,12 @@ private-bin nano,rnano private-cache private-dev -# Comment the next line if you want to edit files in /etc directly +# Add the next lines to your nano.local if you want to edit files in /etc directly. +#ignore private-etc +#writable-etc private-etc alternatives,nanorc +# Add the next line to your nano.local if you want to edit files in /var directly. +#writable-var dbus-user none dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/Natron.profile firejail-0.9.66/etc/profile-m-z/Natron.profile --- firejail-0.9.64.4/etc/profile-m-z/Natron.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/Natron.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for natron # This file is overwritten after every install/update - # Persistent local customizations include Natron.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include natron.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/ncdu.profile firejail-0.9.66/etc/profile-m-z/ncdu.profile --- firejail-0.9.64.4/etc/profile-m-z/ncdu.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ncdu.profile 2021-06-22 15:51:28.000000000 +0000 @@ -16,6 +16,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/neochat.profile firejail-0.9.66/etc/profile-m-z/neochat.profile --- firejail-0.9.64.4/etc/profile-m-z/neochat.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/neochat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,66 @@ +# Firejail profile for neochat +# Description: Matrix Client +# This file is overwritten after every install/update +# Persistent local customizations +include neochat.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/KDE/neochat +noblacklist ${HOME}/.config/KDE +noblacklist ${HOME}/.config/KDE/neochat +noblacklist ${HOME}/.config/neochatrc +noblacklist ${HOME}/.config/neochat.notifyrc +noblacklist ${HOME}/.local/share/KDE/neochat + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/KDE/neochat +mkdir ${HOME}/.local/share/KDE/neochat +whitelist ${HOME}/.cache/KDE/neochat +whitelist ${HOME}/.local/share/KDE/neochat +whitelist ${DOWNLOADS} +include whitelist-1793-workaround.inc +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin neochat +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dbus-1,fonts,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg +private-tmp + +dbus-user filter +dbus-user.own org.kde.neochat +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.talk org.kde.kwalletd5 +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/neomutt.profile firejail-0.9.66/etc/profile-m-z/neomutt.profile --- firejail-0.9.64.4/etc/profile-m-z/neomutt.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/neomutt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,153 @@ +# Firejail profile for neomutt +# Description: Mutt fork with advanced features and better documentation +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include neomutt.local +# Persistent global definitions +include globals.local + +noblacklist ${DOCUMENTS} +noblacklist ${HOME}/.Mail +noblacklist ${HOME}/.bogofilter +noblacklist ${HOME}/.config/mutt +noblacklist ${HOME}/.config/nano +noblacklist ${HOME}/.config/neomutt +noblacklist ${HOME}/.elinks +noblacklist ${HOME}/.emacs +noblacklist ${HOME}/.emacs.d +noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mail +noblacklist ${HOME}/.mailcap +noblacklist ${HOME}/.msmtprc +noblacklist ${HOME}/.mutt +noblacklist ${HOME}/.muttrc +noblacklist ${HOME}/.nanorc +noblacklist ${HOME}/.neomutt +noblacklist ${HOME}/.neomuttrc +noblacklist ${HOME}/.signature +noblacklist ${HOME}/.vim +noblacklist ${HOME}/.viminfo +noblacklist ${HOME}/.vimrc +noblacklist ${HOME}/.w3m +noblacklist ${HOME}/Mail +noblacklist ${HOME}/mail +noblacklist ${HOME}/postponed +noblacklist ${HOME}/sent +noblacklist /var/mail +noblacklist /var/spool/mail + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +include allow-lua.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.Mail +mkdir ${HOME}/.bogofilter +mkdir ${HOME}/.config/mutt +mkdir ${HOME}/.config/nano +mkdir ${HOME}/.config/neomutt +mkdir ${HOME}/.elinks +mkdir ${HOME}/.emacs.d +mkdir ${HOME}/.gnupg +mkdir ${HOME}/.mail +mkdir ${HOME}/.mutt +mkdir ${HOME}/.neomutt +mkdir ${HOME}/.vim +mkdir ${HOME}/.w3m +mkdir ${HOME}/Mail +mkdir ${HOME}/mail +mkdir ${HOME}/postponed +mkdir ${HOME}/sent +mkfile ${HOME}/.emacs +mkfile ${HOME}/.mailcap +mkfile ${HOME}/.msmtprc +mkfile ${HOME}/.muttrc +mkfile ${HOME}/.nanorc +mkfile ${HOME}/.neomuttrc +mkfile ${HOME}/.signature +mkfile ${HOME}/.viminfo +mkfile ${HOME}/.vimrc +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${HOME}/.Mail +whitelist ${HOME}/.bogofilter +whitelist ${HOME}/.config/mutt +whitelist ${HOME}/.config/nano +whitelist ${HOME}/.config/neomutt +whitelist ${HOME}/.elinks +whitelist ${HOME}/.emacs +whitelist ${HOME}/.emacs.d +whitelist ${HOME}/.gnupg +whitelist ${HOME}/.mail +whitelist ${HOME}/.mailcap +whitelist ${HOME}/.msmtprc +whitelist ${HOME}/.mutt +whitelist ${HOME}/.muttrc +whitelist ${HOME}/.nanorc +whitelist ${HOME}/.neomutt +whitelist ${HOME}/.neomuttrc +whitelist ${HOME}/.signature +whitelist ${HOME}/.vim +whitelist ${HOME}/.viminfo +whitelist ${HOME}/.vimrc +whitelist ${HOME}/.w3m +whitelist ${HOME}/Mail +whitelist ${HOME}/mail +whitelist ${HOME}/postponed +whitelist ${HOME}/sent +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /usr/share/neomutt +whitelist /var/mail +whitelist /var/spool/mail +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +# disable-mnt +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg +private-tmp +writable-run-user +writable-var + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME}/.elinks +read-only ${HOME}/.nanorc +read-only ${HOME}/.signature +read-only ${HOME}/.w3m diff -Nru firejail-0.9.64.4/etc/profile-m-z/netactview.profile firejail-0.9.66/etc/profile-m-z/netactview.profile --- firejail-0.9.64.4/etc/profile-m-z/netactview.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/netactview.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nethack.profile firejail-0.9.66/etc/profile-m-z/nethack.profile --- firejail-0.9.64.4/etc/profile-m-z/nethack.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nethack.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ no3d nodvd nogroups +noinput #nonewprivs #noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nethack-vultures.profile firejail-0.9.66/etc/profile-m-z/nethack-vultures.profile --- firejail-0.9.64.4/etc/profile-m-z/nethack-vultures.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nethack-vultures.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput #nonewprivs #noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/neverball.profile firejail-0.9.66/etc/profile-m-z/neverball.profile --- firejail-0.9.64.4/etc/profile-m-z/neverball.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/neverball.profile 2021-06-22 15:51:28.000000000 +0000 @@ -14,26 +14,39 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc mkdir ${HOME}/.neverball whitelist ${HOME}/.neverball +whitelist /usr/share/neverball include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all -netfilter +net none nodvd nogroups +noinput nonewprivs noroot notv nou2f novideo -protocol unix,netlink +protocol unix seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin neverball +private-cache private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id private-tmp +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/neverball-wrapper.profile firejail-0.9.66/etc/profile-m-z/neverball-wrapper.profile --- firejail-0.9.64.4/etc/profile-m-z/neverball-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/neverball-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for neverball-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include neverball-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin neverball-wrapper + +# Redirect +include neverball.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/neverputt-wrapper.profile firejail-0.9.66/etc/profile-m-z/neverputt-wrapper.profile --- firejail-0.9.64.4/etc/profile-m-z/neverputt-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/neverputt-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for neverputt-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include neverputt-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin neverputt-wrapper + +# Redirect +include neverputt.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/newsbeuter.profile firejail-0.9.66/etc/profile-m-z/newsbeuter.profile --- firejail-0.9.64.4/etc/profile-m-z/newsbeuter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/newsbeuter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,13 +7,23 @@ # added by included profile #include globals.local -noblacklist ${HOME}/.config/newsbeuter -noblacklist ${HOME}/.newsbeuter +ignore include newsboat.local +ignore mkdir ${HOME}/.config/newsboat +ignore mkdir ${HOME}/.local/share/newsboat +ignore mkdir ${HOME}/.newsboat +blacklist ${PATH}/newsboat + +blacklist ${HOME}/.config/newsboat +blacklist ${HOME}/.local/share/newsboat +blacklist ${HOME}/.newsboat + +nowhitelist ${HOME}/.config/newsboat +nowhitelist ${HOME}/.local/share/newsboat +nowhitelist ${HOME}/.newsboat mkdir ${HOME}/.config/newsbeuter +mkdir ${HOME}/.local/share/newsbeuter mkdir ${HOME}/.newsbeuter -whitelist ${HOME}/.config/newsbeuter -whitelist ${HOME}/.newsbeuter private-bin newsbeuter diff -Nru firejail-0.9.64.4/etc/profile-m-z/newsboat.profile firejail-0.9.66/etc/profile-m-z/newsboat.profile --- firejail-0.9.64.4/etc/profile-m-z/newsboat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/newsboat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,6 +6,11 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/newsbeuter +noblacklist ${HOME}/.config/newsboat +noblacklist ${HOME}/.local/share/newsbeuter +noblacklist ${HOME}/.local/share/newsboat +noblacklist ${HOME}/.newsbeuter noblacklist ${HOME}/.newsboat include disable-common.inc @@ -16,7 +21,14 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.config/newsboat +mkdir ${HOME}/.local/share/newsboat mkdir ${HOME}/.newsboat +whitelist ${HOME}/.config/newsbeuter +whitelist ${HOME}/.config/newsboat +whitelist ${HOME}/.local/share/newsbeuter +whitelist ${HOME}/.local/share/newsboat +whitelist ${HOME}/.newsbeuter whitelist ${HOME}/.newsboat include whitelist-common.inc include whitelist-runuser-common.inc @@ -28,6 +40,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -38,7 +51,7 @@ shell none disable-mnt -private-bin gzip,lynx,newsboat,sh +private-bin gzip,lynx,newsboat,sh,w3m private-cache private-dev private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo diff -Nru firejail-0.9.64.4/etc/profile-m-z/newsflash.profile firejail-0.9.66/etc/profile-m-z/newsflash.profile --- firejail-0.9.64.4/etc/profile-m-z/newsflash.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/newsflash.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nextcloud-desktop.profile firejail-0.9.66/etc/profile-m-z/nextcloud-desktop.profile --- firejail-0.9.64.4/etc/profile-m-z/nextcloud-desktop.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nextcloud-desktop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,10 @@ +# Firejail profile alias for nextcloud +# This file is overwritten after every install/update +# Persistent local customizations +include nextcloud-desktop.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include nextcloud.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nextcloud.profile firejail-0.9.66/etc/profile-m-z/nextcloud.profile --- firejail-0.9.64.4/etc/profile-m-z/nextcloud.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nextcloud.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,72 @@ +# Firejail profile for nextcloud +# Description: Nextcloud desktop synchronization client +# This file is overwritten after every install/update +# Persistent local customizations +include nextcloud.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/Nextcloud +noblacklist ${HOME}/.config/Nextcloud +noblacklist ${HOME}/.local/share/Nextcloud +# Add the next lines to your nextcloud.local to allow sync in more directories. +#noblacklist ${DOCUMENTS} +#noblacklist ${MUSIC} +#noblacklist ${PICTURES} +#noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/Nextcloud +mkdir ${HOME}/.config/Nextcloud +mkdir ${HOME}/.local/share/Nextcloud +whitelist ${HOME}/Nextcloud +whitelist ${HOME}/.config/Nextcloud +whitelist ${HOME}/.local/share/Nextcloud +# Add the next lines to your nextcloud.local to allow sync in more directories. +#whitelist ${DOCUMENTS} +#whitelist ${MUSIC} +#whitelist ${PICTURES} +#whitelist ${VIDEOS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin nextcloud,nextcloud-desktop +private-cache +private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-dev +private-tmp + +dbus-user filter +dbus-user.talk org.freedesktop.secrets +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/nheko.profile firejail-0.9.66/etc/profile-m-z/nheko.profile --- firejail-0.9.64.4/etc/profile-m-z/nheko.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nheko.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,8 +6,9 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.config/nheko noblacklist ${HOME}/.cache/nheko +noblacklist ${HOME}/.config/nheko +noblacklist ${HOME}/.local/share/nheko include disable-common.inc include disable-devel.inc @@ -18,10 +19,12 @@ include disable-shell.inc include disable-xdg.inc +mkdir ${HOME}/.cache/nheko mkdir ${HOME}/.config/nheko -mkdir ${HOME}/.cache/nheko/nheko -whitelist ${HOME}/.config/nheko +mkdir ${HOME}/.local/share/nheko whitelist ${HOME}/.cache/nheko +whitelist ${HOME}/.config/nheko +whitelist ${HOME}/.local/share/nheko whitelist ${DOWNLOADS} include whitelist-common.inc include whitelist-runuser-common.inc @@ -33,6 +36,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -48,9 +52,11 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp + +# Add the next lines to your nheko.local to enable notification support. +#ignore dbus-user none +#dbus-user filter +#dbus-user.talk org.freedesktop.Notifications +#dbus-user.talk org.kde.StatusNotifierWatcher dbus-user none -# Comment the above line and uncomment below lines for notification popups -# dbus-user filter -# dbus-user.talk org.freedesktop.Notifications -# dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/nicotine.profile firejail-0.9.66/etc/profile-m-z/nicotine.profile --- firejail-0.9.64.4/etc/profile-m-z/nicotine.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nicotine.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,6 +8,7 @@ noblacklist ${HOME}/.nicotine +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include disable-common.inc @@ -35,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nitroshare-cli.profile firejail-0.9.66/etc/profile-m-z/nitroshare-cli.profile --- firejail-0.9.64.4/etc/profile-m-z/nitroshare-cli.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nitroshare-cli.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update - # Persistent local customizations include nitroshare-cli.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nitroshare-nmh.profile firejail-0.9.66/etc/profile-m-z/nitroshare-nmh.profile --- firejail-0.9.64.4/etc/profile-m-z/nitroshare-nmh.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nitroshare-nmh.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update - # Persistent local customizations include nitroshare-nmh.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nitroshare.profile firejail-0.9.66/etc/profile-m-z/nitroshare.profile --- firejail-0.9.64.4/etc/profile-m-z/nitroshare.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nitroshare.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nitroshare-send.profile firejail-0.9.66/etc/profile-m-z/nitroshare-send.profile --- firejail-0.9.64.4/etc/profile-m-z/nitroshare-send.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nitroshare-send.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update - # Persistent local customizations include nitroshare-send.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nitroshare-ui.profile firejail-0.9.66/etc/profile-m-z/nitroshare-ui.profile --- firejail-0.9.64.4/etc/profile-m-z/nitroshare-ui.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nitroshare-ui.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update - # Persistent local customizations include nitroshare-ui.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nodejs-common.profile firejail-0.9.66/etc/profile-m-z/nodejs-common.profile --- firejail-0.9.64.4/etc/profile-m-z/nodejs-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nodejs-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ # Firejail profile for Node.js -# Description: Common profile for npm/yarn +# Description: Asynchronous event-driven JavaScript runtime # This file is overwritten after every install/update # Persistent local customizations include nodejs-common.local @@ -10,6 +10,20 @@ blacklist /tmp/.X11-unix blacklist ${RUNUSER} +ignore read-only ${HOME}/.npm-packages +ignore read-only ${HOME}/.npmrc +ignore read-only ${HOME}/.nvm +ignore read-only ${HOME}/.yarnrc + +noblacklist ${HOME}/.node-gyp +noblacklist ${HOME}/.npm +noblacklist ${HOME}/.npmrc +noblacklist ${HOME}/.nvm +noblacklist ${HOME}/.yarn +noblacklist ${HOME}/.yarn-config +noblacklist ${HOME}/.yarncache +noblacklist ${HOME}/.yarnrc + ignore noexec ${HOME} include allow-bin-sh.inc @@ -21,6 +35,32 @@ include disable-shell.inc include disable-xdg.inc +# If you want whitelisting, change ${HOME}/Projects below to your node projects directory +# and add the next lines to your nodejs-common.local. +#mkdir ${HOME}/.node-gyp +#mkdir ${HOME}/.npm +#mkdir ${HOME}/.npm-packages +#mkfile ${HOME}/.npmrc +#mkdir ${HOME}/.nvm +#mkdir ${HOME}/.yarn +#mkdir ${HOME}/.yarn-config +#mkdir ${HOME}/.yarncache +#mkfile ${HOME}/.yarnrc +#whitelist ${HOME}/.node-gyp +#whitelist ${HOME}/.npm +#whitelist ${HOME}/.npm-packages +#whitelist ${HOME}/.npmrc +#whitelist ${HOME}/.nvm +#whitelist ${HOME}/.yarn +#whitelist ${HOME}/.yarn-config +#whitelist ${HOME}/.yarncache +#whitelist ${HOME}/.yarnrc +#whitelist ${HOME}/Projects +#include whitelist-common.inc + +whitelist /usr/share/doc/node +whitelist /usr/share/nvm +whitelist /usr/share/systemtap/tapset/node.stp include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -32,6 +72,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,8 +86,11 @@ disable-mnt private-dev -private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg -private-tmp +private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg +#private-tmp dbus-user none dbus-system none + +# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry. +#env GATSBY_TELEMETRY_DISABLED=1 diff -Nru firejail-0.9.64.4/etc/profile-m-z/node.profile firejail-0.9.66/etc/profile-m-z/node.profile --- firejail-0.9.64.4/etc/profile-m-z/node.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/node.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile for node +# Description: Evented I/O for V8 javascript +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include node.local +# Persistent global definitions +include globals.local + +# Redirect +include nodejs-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nomacs.profile firejail-0.9.66/etc/profile-m-z/nomacs.profile --- firejail-0.9.64.4/etc/profile-m-z/nomacs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nomacs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/notify-send.profile firejail-0.9.66/etc/profile-m-z/notify-send.profile --- firejail-0.9.64.4/etc/profile-m-z/notify-send.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/notify-send.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/npm.profile firejail-0.9.66/etc/profile-m-z/npm.profile --- firejail-0.9.64.4/etc/profile-m-z/npm.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/npm.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,23 +7,5 @@ # Persistent global definitions include globals.local -ignore read-only ${HOME}/.npm-packages -ignore read-only ${HOME}/.npmrc - -noblacklist ${HOME}/.node-gyp -noblacklist ${HOME}/.npm -noblacklist ${HOME}/.npmrc - -# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory -# and uncomment the lines below. -#mkdir ${HOME}/.node-gyp -#mkdir ${HOME}/.npm -#mkfile ${HOME}/.npmrc -#whitelist ${HOME}/.node-gyp -#whitelist ${HOME}/.npm -#whitelist ${HOME}/.npmrc -#whitelist ${HOME}/Projects -#include whitelist-common.inc - # Redirect include nodejs-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nslookup.profile firejail-0.9.66/etc/profile-m-z/nslookup.profile --- firejail-0.9.64.4/etc/profile-m-z/nslookup.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nslookup.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nvm.profile firejail-0.9.66/etc/profile-m-z/nvm.profile --- firejail-0.9.64.4/etc/profile-m-z/nvm.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nvm.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for nvm +# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include nvm.local +# Persistent global definitions +include globals.local + +ignore noroot + +# Redirect +include nodejs-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/nylas.profile firejail-0.9.66/etc/profile-m-z/nylas.profile --- firejail-0.9.64.4/etc/profile-m-z/nylas.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nylas.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/nyx.profile firejail-0.9.66/etc/profile-m-z/nyx.profile --- firejail-0.9.64.4/etc/profile-m-z/nyx.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/nyx.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/obs.profile firejail-0.9.66/etc/profile-m-z/obs.profile --- firejail-0.9.64.4/etc/profile-m-z/obs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/obs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/ocenaudio.profile firejail-0.9.66/etc/profile-m-z/ocenaudio.profile --- firejail-0.9.64.4/etc/profile-m-z/ocenaudio.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ocenaudio.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,12 +26,13 @@ caps.drop all ipc-namespace # net none - breaks update functionality and AppArmor on Ubuntu systems -# uncomment (or put 'net none' in your ocenaudio.local) when needed +# Add 'net none' to your ocenaudio.local when you want that functionality. #net none netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/odt2txt.profile firejail-0.9.66/etc/profile-m-z/odt2txt.profile --- firejail-0.9.64.4/etc/profile-m-z/odt2txt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/odt2txt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/okular.profile firejail-0.9.66/etc/profile-m-z/okular.profile --- firejail-0.9.64.4/etc/profile-m-z/okular.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/okular.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,10 +28,16 @@ include disable-shell.inc include disable-xdg.inc -whitelist /usr/share/config.kcfg +whitelist /usr/share/config.kcfg/gssettings.kcfg +whitelist /usr/share/config.kcfg/pdfsettings.kcfg +whitelist /usr/share/config.kcfg/okular.kcfg +whitelist /usr/share/config.kcfg/okular_core.kcfg +whitelist /usr/share/ghostscript +whitelist /usr/share/kconf_update/okular.upd whitelist /usr/share/kxmlgui5/okular whitelist /usr/share/okular whitelist /usr/share/poppler +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -42,6 +48,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/onboard.profile firejail-0.9.66/etc/profile-m-z/onboard.profile --- firejail-0.9.64.4/etc/profile-m-z/onboard.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/onboard.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,6 +8,7 @@ noblacklist ${HOME}/.config/onboard +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -35,6 +36,7 @@ nodvd no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/onionshare-gui.profile firejail-0.9.66/etc/profile-m-z/onionshare-gui.profile --- firejail-0.9.64.4/etc/profile-m-z/onionshare-gui.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/onionshare-gui.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/ooffice.profile firejail-0.9.66/etc/profile-m-z/ooffice.profile --- firejail-0.9.64.4/etc/profile-m-z/ooffice.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ooffice.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include ooffice.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/ooviewdoc.profile firejail-0.9.66/etc/profile-m-z/ooviewdoc.profile --- firejail-0.9.64.4/etc/profile-m-z/ooviewdoc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ooviewdoc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include ooviewdoc.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/openarena_ded.profile firejail-0.9.66/etc/profile-m-z/openarena_ded.profile --- firejail-0.9.64.4/etc/profile-m-z/openarena_ded.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openarena_ded.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for openarena # This file is overwritten after every install/update - # Persistent local customizations include openarena_ded.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include openarena.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/openarena.profile firejail-0.9.66/etc/profile-m-z/openarena.profile --- firejail-0.9.64.4/etc/profile-m-z/openarena.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openarena.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/opencity.profile firejail-0.9.66/etc/profile-m-z/opencity.profile --- firejail-0.9.64.4/etc/profile-m-z/opencity.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/opencity.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/openclonk.profile firejail-0.9.66/etc/profile-m-z/openclonk.profile --- firejail-0.9.64.4/etc/profile-m-z/openclonk.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openclonk.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/open-invaders.profile firejail-0.9.66/etc/profile-m-z/open-invaders.profile --- firejail-0.9.64.4/etc/profile-m-z/open-invaders.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/open-invaders.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/openmw-launcher.profile firejail-0.9.66/etc/profile-m-z/openmw-launcher.profile --- firejail-0.9.64.4/etc/profile-m-z/openmw-launcher.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openmw-launcher.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,7 @@ +# Firejail profile for openmw-launcher +# This file is overwritten after every install/update +# Persistent local customizations +include openmw-launcher.local + +# Redirect +include openmw.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/openmw.profile firejail-0.9.66/etc/profile-m-z/openmw.profile --- firejail-0.9.64.4/etc/profile-m-z/openmw.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openmw.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,62 @@ +# Firejail profile for openmw +# Description: Open source engine re-implementation for Morrowind +# This file is overwritten after every install/update +# Persistent local customizations +include openmw.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/openmw +noblacklist ${HOME}/.local/share/openmw + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/openmw +mkdir ${HOME}/.local/share/openmw +whitelist ${HOME}/.config/openmw +# Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt. +# Alternatively you can whitelist custom paths in your openmw.local. +whitelist ${HOME}/.local/share/openmw +whitelist /usr/share/openmw +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +netfilter +# Add 'ignore nodvd' to your openmw.local when installing from disc. +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg +private-opt none +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/openoffice.org.profile firejail-0.9.66/etc/profile-m-z/openoffice.org.profile --- firejail-0.9.64.4/etc/profile-m-z/openoffice.org.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openoffice.org.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include openoffice.org.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/openshot.profile firejail-0.9.66/etc/profile-m-z/openshot.profile --- firejail-0.9.64.4/etc/profile-m-z/openshot.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openshot.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/openshot-qt.profile firejail-0.9.66/etc/profile-m-z/openshot-qt.profile --- firejail-0.9.64.4/etc/profile-m-z/openshot-qt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openshot-qt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for openshot # This file is overwritten after every install/update - # Persistent local customizations include openshot-qt.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include openshot.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/openttd.profile firejail-0.9.66/etc/profile-m-z/openttd.profile --- firejail-0.9.64.4/etc/profile-m-z/openttd.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/openttd.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/orage.profile firejail-0.9.66/etc/profile-m-z/orage.profile --- firejail-0.9.64.4/etc/profile-m-z/orage.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/orage.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot # nosound - calendar application, It must be able to play sound to wake you up. diff -Nru firejail-0.9.64.4/etc/profile-m-z/ostrichriders.profile firejail-0.9.66/etc/profile-m-z/ostrichriders.profile --- firejail-0.9.64.4/etc/profile-m-z/ostrichriders.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ostrichriders.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,8 @@ net none nodvd nogroups +# Add 'ignore noinput' to your ostrichriders.local if you need controller support. +noinput nonewprivs noroot notv @@ -42,7 +44,6 @@ disable-mnt private-bin ostrichriders private-cache -# comment the following line if you need controller support private-dev private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/otter-browser.profile firejail-0.9.66/etc/profile-m-z/otter-browser.profile --- firejail-0.9.64.4/etc/profile-m-z/otter-browser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/otter-browser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -41,6 +41,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/pandoc.profile firejail-0.9.66/etc/profile-m-z/pandoc.profile --- firejail-0.9.64.4/etc/profile-m-z/pandoc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pandoc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/patch.profile firejail-0.9.66/etc/profile-m-z/patch.profile --- firejail-0.9.64.4/etc/profile-m-z/patch.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/patch.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,7 +44,7 @@ private-bin patch,red private-dev -private-lib libfakeroot +private-lib libdl.so.*,libfakeroot dbus-user none dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/pavucontrol.profile firejail-0.9.66/etc/profile-m-z/pavucontrol.profile --- firejail-0.9.64.4/etc/profile-m-z/pavucontrol.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pavucontrol.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/PCSX2.profile firejail-0.9.66/etc/profile-m-z/PCSX2.profile --- firejail-0.9.64.4/etc/profile-m-z/PCSX2.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/PCSX2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,57 @@ +# Firejail profile for PCSX2 +# Description: A PlayStation 2 emulator +# This file is overwritten after every install/update +# Persistent local customizations +include PCSX2.local +# Persistent global definitions +include globals.local + +# Note: you must whitelist your games folder in your PCSX2.local. + +noblacklist ${HOME}/.config/PCSX2 + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/PCSX2 +whitelist ${HOME}/.config/PCSX2 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +netfilter +# Add the next line to your PCSX2.local if you're not loading games from disc. +#nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,netlink +#seccomp - breaks loading with no logs +shell none +#tracelog - 32/64 bit incompatibility + +private-bin PCSX2 +private-cache +# Add the next line to your PCSX2.local if you do not need controller support. +#private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg +private-opt none +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/pcsxr.profile firejail-0.9.66/etc/profile-m-z/pcsxr.profile --- firejail-0.9.64.4/etc/profile-m-z/pcsxr.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pcsxr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,57 @@ +# Firejail profile for pcsxr +# Description: A PlayStation emulator +# This file is overwritten after every install/update +# Persistent local customizations +include pcsxr.local +# Persistent global definitions +include globals.local + +# Note: you must whitelist your games folder in your pcsxr.local + +noblacklist ${HOME}/.pcsxr + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.pcsxr +whitelist ${HOME}/.pcsxr +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +netfilter +# Add the next line to your pcsxr.local when not loading games from disc. +#nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,netlink +seccomp +shell none +tracelog + +private-bin pcsxr +private-cache +# Add the next line to your pcsxr.local if you do not need controller support. +#private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg +private-opt none +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/pdfchain.profile firejail-0.9.66/etc/profile-m-z/pdfchain.profile --- firejail-0.9.64.4/etc/profile-m-z/pdfchain.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pdfchain.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ net none no3d nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pdfmod.profile firejail-0.9.66/etc/profile-m-z/pdfmod.profile --- firejail-0.9.64.4/etc/profile-m-z/pdfmod.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pdfmod.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pdfsam.profile firejail-0.9.66/etc/profile-m-z/pdfsam.profile --- firejail-0.9.64.4/etc/profile-m-z/pdfsam.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pdfsam.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pdftotext.profile firejail-0.9.66/etc/profile-m-z/pdftotext.profile --- firejail-0.9.64.4/etc/profile-m-z/pdftotext.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pdftotext.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/peek.profile firejail-0.9.66/etc/profile-m-z/peek.profile --- firejail-0.9.64.4/etc/profile-m-z/peek.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/peek.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/penguin-command.profile firejail-0.9.66/etc/profile-m-z/penguin-command.profile --- firejail-0.9.64.4/etc/profile-m-z/penguin-command.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/penguin-command.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/photoflare.profile firejail-0.9.66/etc/profile-m-z/photoflare.profile --- firejail-0.9.64.4/etc/profile-m-z/photoflare.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/photoflare.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ nodvd no3d nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/picard.profile firejail-0.9.66/etc/profile-m-z/picard.profile --- firejail-0.9.64.4/etc/profile-m-z/picard.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/picard.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pidgin.profile firejail-0.9.66/etc/profile-m-z/pidgin.profile --- firejail-0.9.64.4/etc/profile-m-z/pidgin.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pidgin.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/pinball.profile firejail-0.9.66/etc/profile-m-z/pinball.profile --- firejail-0.9.64.4/etc/profile-m-z/pinball.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pinball.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,56 @@ +# Firejail profile for pinball +# Description: Emilia 3D Pinball Game +# This file is overwritten after every install/update +# Persistent local customizations +include pinball.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/emilia + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/emilia +whitelist ${HOME}/.config/emilia + +whitelist /usr/share/pinball +# on debian games are stored under /usr/share/games +whitelist /usr/share/games/pinball +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin pinball +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/pinball-wrapper.profile firejail-0.9.66/etc/profile-m-z/pinball-wrapper.profile --- firejail-0.9.64.4/etc/profile-m-z/pinball-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pinball-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for pinball-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include pinball-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin pinball-wrapper + +# Redirect +include pinball.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/ping.profile firejail-0.9.66/etc/profile-m-z/ping.profile --- firejail-0.9.64.4/etc/profile-m-z/ping.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ping.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput # ping needs to rise privileges, noroot and nonewprivs will kill it #nonewprivs #noroot diff -Nru firejail-0.9.64.4/etc/profile-m-z/pingus.profile firejail-0.9.66/etc/profile-m-z/pingus.profile --- firejail-0.9.64.4/etc/profile-m-z/pingus.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pingus.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,12 +8,18 @@ noblacklist ${HOME}/.pingus +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.pingus @@ -29,6 +35,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv @@ -36,6 +43,7 @@ novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64.4/etc/profile-m-z/pinta.profile firejail-0.9.66/etc/profile-m-z/pinta.profile --- firejail-0.9.64.4/etc/profile-m-z/pinta.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pinta.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pioneer.profile firejail-0.9.66/etc/profile-m-z/pioneer.profile --- firejail-0.9.64.4/etc/profile-m-z/pioneer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pioneer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/pipe-viewer.profile firejail-0.9.66/etc/profile-m-z/pipe-viewer.profile --- firejail-0.9.64.4/etc/profile-m-z/pipe-viewer.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pipe-viewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,21 @@ +# Firejail profile for pipe-viewer +# Description: Fork of youtube-viewer, scrapes youtube directly and with invidious +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include pipe-viewer.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/pipe-viewer +noblacklist ${HOME}/.config/pipe-viewer + +mkdir ${HOME}/.config/pipe-viewer +mkdir ${HOME}/.cache/pipe-viewer +whitelist ${HOME}/.cache/pipe-viewer +whitelist ${HOME}/.config/pipe-viewer + +private-bin gtk-pipe-viewer,pipe-viewer + +# Redirect +include youtube-viewers-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/pithos.profile firejail-0.9.66/etc/profile-m-z/pithos.profile --- firejail-0.9.64.4/etc/profile-m-z/pithos.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pithos.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/pitivi.profile firejail-0.9.66/etc/profile-m-z/pitivi.profile --- firejail-0.9.64.4/etc/profile-m-z/pitivi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pitivi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/pix.profile firejail-0.9.66/etc/profile-m-z/pix.profile --- firejail-0.9.64.4/etc/profile-m-z/pix.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pix.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pkglog.profile firejail-0.9.66/etc/profile-m-z/pkglog.profile --- firejail-0.9.64.4/etc/profile-m-z/pkglog.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pkglog.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# Allow python3 (blacklisted by disable-interpreters.inc) +# Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc include disable-common.inc @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/playonlinux.profile firejail-0.9.66/etc/profile-m-z/playonlinux.profile --- firejail-0.9.64.4/etc/profile-m-z/playonlinux.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/playonlinux.profile 2021-06-22 15:51:28.000000000 +0000 @@ -12,9 +12,12 @@ # nc is needed to run playonlinux noblacklist ${PATH}/nc +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc -include allow-perl.inc # Redirect include wine.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/pluma.profile firejail-0.9.66/etc/profile-m-z/pluma.profile --- firejail-0.9.64.4/etc/profile-m-z/pluma.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pluma.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -49,6 +50,4 @@ # dbus-user none # dbus-system none -memory-deny-write-execute - join-or-start pluma diff -Nru firejail-0.9.64.4/etc/profile-m-z/plv.profile firejail-0.9.66/etc/profile-m-z/plv.profile --- firejail-0.9.64.4/etc/profile-m-z/plv.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/plv.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pngquant.profile firejail-0.9.66/etc/profile-m-z/pngquant.profile --- firejail-0.9.64.4/etc/profile-m-z/pngquant.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pngquant.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/polari.profile firejail-0.9.66/etc/profile-m-z/polari.profile --- firejail-0.9.64.4/etc/profile-m-z/polari.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/polari.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/ppsspp.profile firejail-0.9.66/etc/profile-m-z/ppsspp.profile --- firejail-0.9.64.4/etc/profile-m-z/ppsspp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ppsspp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,13 +1,14 @@ # Firejail profile for ppsspp -# Description: A PSP emulator written in C++ +# Description: A PSP emulator # This file is overwritten after every install/update # Persistent local customizations include ppsspp.local # Persistent global definitions include globals.local +# Note: you must whitelist your games folder in your ppsspp.local. + noblacklist ${HOME}/.config/ppsspp -noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc @@ -15,8 +16,15 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc +mkdir ${HOME}/.config/ppsspp +whitelist ${HOME}/.config/ppsspp +whitelist /usr/share/ppsspp +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -27,12 +35,14 @@ nonewprivs noroot notv +nou2f novideo protocol unix,netlink seccomp shell none -# uncomment the following line if you do not need controller support +private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL +# Add the next line to your ppsspp.local if you do not need controller support. #private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-opt ppsspp diff -Nru firejail-0.9.64.4/etc/profile-m-z/PPSSPPSDL.profile firejail-0.9.66/etc/profile-m-z/PPSSPPSDL.profile --- firejail-0.9.64.4/etc/profile-m-z/PPSSPPSDL.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/PPSSPPSDL.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,9 @@ +# Firejail profile for PPSSPPSDL +# This file is overwritten after every install/update +# Persistent local customizations +include PPSSPPSDL.local +# added by included profile +#include globals.local + +# Redirect +include ppsspp.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/pragha.profile firejail-0.9.66/etc/profile-m-z/pragha.profile --- firejail-0.9.64.4/etc/profile-m-z/pragha.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pragha.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/profanity.profile firejail-0.9.66/etc/profile-m-z/profanity.profile --- firejail-0.9.64.4/etc/profile-m-z/profanity.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/profanity.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/psi-plus.profile firejail-0.9.66/etc/profile-m-z/psi-plus.profile --- firejail-0.9.64.4/etc/profile-m-z/psi-plus.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/psi-plus.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/psi.profile firejail-0.9.66/etc/profile-m-z/psi.profile --- firejail-0.9.64.4/etc/profile-m-z/psi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/psi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,8 +6,8 @@ # Persistent global definitions include globals.local -# Uncomment for GPG -# noblacklist ${HOME}/.gnupg +# Add the next line to your psi.local to enable GPG support. +#noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.cache/psi noblacklist ${HOME}/.cache/Psi noblacklist ${HOME}/.config/psi @@ -23,28 +23,28 @@ include disable-shell.inc include disable-xdg.inc -# Uncomment for GPG -# mkdir ${HOME}/.gnupg +# Add the next line to your psi.local to enable GPG support. +#mkdir ${HOME}/.gnupg mkdir ${HOME}/.cache/psi mkdir ${HOME}/.cache/Psi mkdir ${HOME}/.config/psi mkdir ${HOME}/.local/share/psi mkdir ${HOME}/.local/share/Psi -# Uncomment for GPG -# whitelist ${HOME}/.gnupg +# Add the next line to your psi.local to enable GPG support. +#whitelist ${HOME}/.gnupg whitelist ${HOME}/.cache/psi whitelist ${HOME}/.cache/Psi whitelist ${HOME}/.config/psi whitelist ${HOME}/.local/share/psi whitelist ${HOME}/.local/share/Psi whitelist ${DOWNLOADS} -# Uncomment for GPG -# whitelist /usr/share/gnupg -# whitelist /usr/share/gnupg2 +# Add the next lines to your psi.local to enable GPG support. +#whitelist /usr/share/gnupg +#whitelist /usr/share/gnupg2 whitelist /usr/share/psi -# Uncomment for GPG -# whitelist ${RUNUSER}/gnupg -# whitelist ${RUNUSER}/keyring +# Add the next lines to your psi.local to enable GPG support. +#whitelist ${RUNUSER}/gnupg +#whitelist ${RUNUSER}/keyring include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -55,6 +55,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -63,11 +64,11 @@ protocol unix,inet,inet6,netlink seccomp !chroot shell none -# breaks on Arch -# tracelog +#tracelog - breaks on Arch disable-mnt -# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG +# Add the next line to your psi.local to enable GPG support. +#private-bin gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet private-bin getopt,psi private-cache private-dev diff -Nru firejail-0.9.64.4/etc/profile-m-z/pybitmessage.profile firejail-0.9.66/etc/profile-m-z/pybitmessage.profile --- firejail-0.9.64.4/etc/profile-m-z/pybitmessage.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pybitmessage.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/pycharm-community.profile firejail-0.9.66/etc/profile-m-z/pycharm-community.profile --- firejail-0.9.64.4/etc/profile-m-z/pycharm-community.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pycharm-community.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ machine-id nodvd nogroups +noinput nosound notv nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/pycharm-professional.profile firejail-0.9.66/etc/profile-m-z/pycharm-professional.profile --- firejail-0.9.64.4/etc/profile-m-z/pycharm-professional.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pycharm-professional.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profilen alias for pycharm-professional # This file is overwritten after every install/update - # Persistent local customizations include pyucharm-professional.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.PyCharm* diff -Nru firejail-0.9.64.4/etc/profile-m-z/pzstd.profile firejail-0.9.66/etc/profile-m-z/pzstd.profile --- firejail-0.9.64.4/etc/profile-m-z/pzstd.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/pzstd.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update - # Persistent local customizations include pzstd.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/qbittorrent.profile firejail-0.9.66/etc/profile-m-z/qbittorrent.profile --- firejail-0.9.64.4/etc/profile-m-z/qbittorrent.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qbittorrent.profile 2021-06-22 15:51:28.000000000 +0000 @@ -41,6 +41,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/qcomicbook.profile firejail-0.9.66/etc/profile-m-z/qcomicbook.profile --- firejail-0.9.64.4/etc/profile-m-z/qcomicbook.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qcomicbook.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,68 @@ +# Firejail profile for qcomicbook +# Description: A comic book and manga viewer in QT +# This file is overwritten after every install/update +# Persistent local customizations +include qcomicbook.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/PawelStolowski +noblacklist ${HOME}/.config/PawelStolowski +noblacklist ${HOME}/.local/share/PawelStolowski +noblacklist ${DOCUMENTS} + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/PawelStolowski +mkdir ${HOME}/.config/PawelStolowski +mkdir ${HOME}/.local/share/PawelStolowski +whitelist /usr/share/qcomicbook +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip +private-cache +private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg +private-tmp + +dbus-user none +dbus-system none + +read-only ${HOME} +read-write ${HOME}/.cache/PawelStolowski +read-write ${HOME}/.config/PawelStolowski +read-write ${HOME}/.local/share/PawelStolowski +#to allow ${HOME}/.local/share/recently-used.xbel +read-write ${HOME}/.local/share diff -Nru firejail-0.9.64.4/etc/profile-m-z/qgis.profile firejail-0.9.66/etc/profile-m-z/qgis.profile --- firejail-0.9.64.4/etc/profile-m-z/qgis.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qgis.profile 2021-06-22 15:51:28.000000000 +0000 @@ -37,6 +37,7 @@ machine-id nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/qlipper.profile firejail-0.9.66/etc/profile-m-z/qlipper.profile --- firejail-0.9.64.4/etc/profile-m-z/qlipper.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qlipper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/QMediathekView.profile firejail-0.9.66/etc/profile-m-z/QMediathekView.profile --- firejail-0.9.64.4/etc/profile-m-z/QMediathekView.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/QMediathekView.profile 2021-06-22 15:51:28.000000000 +0000 @@ -37,6 +37,7 @@ # no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/qmmp.profile firejail-0.9.66/etc/profile-m-z/qmmp.profile --- firejail-0.9.64.4/etc/profile-m-z/qmmp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qmmp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ netfilter # no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/qnapi.profile firejail-0.9.66/etc/profile-m-z/qnapi.profile --- firejail-0.9.64.4/etc/profile-m-z/qnapi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qnapi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/QOwnNotes.profile firejail-0.9.66/etc/profile-m-z/QOwnNotes.profile --- firejail-0.9.64.4/etc/profile-m-z/QOwnNotes.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/QOwnNotes.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/qpdfview.profile firejail-0.9.66/etc/profile-m-z/qpdfview.profile --- firejail-0.9.64.4/etc/profile-m-z/qpdfview.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qpdfview.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ machine-id nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/qrencode.profile firejail-0.9.66/etc/profile-m-z/qrencode.profile --- firejail-0.9.64.4/etc/profile-m-z/qrencode.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qrencode.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,7 +49,7 @@ private-cache private-dev private-etc none -private-lib libpcre2-8.so.0 +private-lib libpcre* private-tmp dbus-user none diff -Nru firejail-0.9.64.4/etc/profile-m-z/qtox.profile firejail-0.9.66/etc/profile-m-z/qtox.profile --- firejail-0.9.64.4/etc/profile-m-z/qtox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/qtox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/quaternion.profile firejail-0.9.66/etc/profile-m-z/quaternion.profile --- firejail-0.9.64.4/etc/profile-m-z/quaternion.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/quaternion.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/quiterss.profile firejail-0.9.66/etc/profile-m-z/quiterss.profile --- firejail-0.9.64.4/etc/profile-m-z/quiterss.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/quiterss.profile 2021-06-22 15:51:28.000000000 +0000 @@ -37,6 +37,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/quodlibet.profile firejail-0.9.66/etc/profile-m-z/quodlibet.profile --- firejail-0.9.64.4/etc/profile-m-z/quodlibet.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/quodlibet.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,67 @@ +# Firejail profile for quodlibet +# Description: Music player and music library manager +# This file is overwritten after every install/update +# Persistent local customizations +include quodlibet.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/quodlibet +noblacklist ${HOME}/.config/quodlibet +noblacklist ${HOME}/.quodlibet +noblacklist ${MUSIC} + +include allow-bin-sh.inc + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/quodlibet +mkdir ${HOME}/.config/quodlibet +mkdir ${HOME}/.quodlibet + +whitelist ${HOME}/.cache/quodlibet +whitelist ${HOME}/.config/quodlibet +whitelist ${HOME}/.quodlibet +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin exfalso,operon,python*,quodlibet,sh +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,passwd,pki,pulse,resolv.conf,ssl +private-tmp + +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/redeclipse.profile firejail-0.9.66/etc/profile-m-z/redeclipse.profile --- firejail-0.9.64.4/etc/profile-m-z/redeclipse.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/redeclipse.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/redshift.profile firejail-0.9.66/etc/profile-m-z/redshift.profile --- firejail-0.9.64.4/etc/profile-m-z/redshift.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/redshift.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/regextester.profile firejail-0.9.66/etc/profile-m-z/regextester.profile --- firejail-0.9.64.4/etc/profile-m-z/regextester.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/regextester.profile 2021-06-22 15:51:28.000000000 +0000 @@ -16,9 +16,8 @@ include disable-xdg.inc whitelist /usr/share/com.github.artemanufrij.regextester -include whitelist-usr-share-common.inc - include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -29,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,11 +48,9 @@ private-lib libgranite.so.* private-tmp -# makes settings immutable -# dbus-user none -# dbus-system none - -memory-deny-write-execute +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none # never write anything read-only ${HOME} diff -Nru firejail-0.9.64.4/etc/profile-m-z/remmina.profile firejail-0.9.66/etc/profile-m-z/remmina.profile --- firejail-0.9.64.4/etc/profile-m-z/remmina.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/remmina.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,7 +9,9 @@ noblacklist ${HOME}/.remmina noblacklist ${HOME}/.config/remmina noblacklist ${HOME}/.local/share/remmina -noblacklist ${HOME}/.ssh + +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc include disable-common.inc include disable-devel.inc @@ -25,6 +27,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/rhythmbox.profile firejail-0.9.66/etc/profile-m-z/rhythmbox.profile --- firejail-0.9.64.4/etc/profile-m-z/rhythmbox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/rhythmbox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -38,6 +38,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/ricochet.profile firejail-0.9.66/etc/profile-m-z/ricochet.profile --- firejail-0.9.64.4/etc/profile-m-z/ricochet.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ricochet.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/ripperx.profile firejail-0.9.66/etc/profile-m-z/ripperx.profile --- firejail-0.9.64.4/etc/profile-m-z/ripperx.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ripperx.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/ristretto.profile firejail-0.9.66/etc/profile-m-z/ristretto.profile --- firejail-0.9.64.4/etc/profile-m-z/ristretto.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ristretto.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/rsync-download_only.profile firejail-0.9.66/etc/profile-m-z/rsync-download_only.profile --- firejail-0.9.64.4/etc/profile-m-z/rsync-download_only.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/rsync-download_only.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,9 +7,8 @@ # Persistent global definitions include globals.local -# Warning: This profile is writte to use rsync as an client for downloading, -# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups. - +# WARNING: this profile is designed to use rsync as a client for downloading, +# not as a daemon (rsync --daemon) nor to create backups. # Usage: firejail --profile=rsync-download_only rsync blacklist /tmp/.X11-unix @@ -24,7 +23,7 @@ include disable-shell.inc include disable-xdg.inc -# Uncomment or add to rsync.local to enable extra hardening +# Add the next line to your rsync-download_only.local to enable extra hardening. #whitelist ${DOWNLOADS} include whitelist-var-common.inc @@ -35,6 +34,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/rtin.profile firejail-0.9.66/etc/profile-m-z/rtin.profile --- firejail-0.9.64.4/etc/profile-m-z/rtin.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/rtin.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,8 @@ +# Firejail profile for rtin +# Description: ncurses-based Usenet newsreader +# symlink to tin, same as `tin -r` +# This file is overwritten after every install/update +# Persistent local customizations +include rtin.local + +include tin.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/rtorrent.profile firejail-0.9.66/etc/profile-m-z/rtorrent.profile --- firejail-0.9.64.4/etc/profile-m-z/rtorrent.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/rtorrent.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,6 +18,7 @@ machine-id netfilter nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/rtv-addons.profile firejail-0.9.66/etc/profile-m-z/rtv-addons.profile --- firejail-0.9.64.4/etc/profile-m-z/rtv-addons.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/rtv-addons.profile 2021-06-28 00:03:00.000000000 +0000 @@ -0,0 +1,28 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include rtv-addons.local +# You can configure rtv to open different type of links +# in external applications. Configuration here: +# https://github.com/michael-lazar/rtv#viewing-media-links +# This include is meant to facilitate that configuration +# with the use of a .local file. + +ignore nosound +ignore private-bin +ignore dbus-user none + +noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.mailcap +noblacklist ${HOME}/.netrc +noblacklist ${HOME}/.w3m + +whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs +whitelist ${HOME}/.config/mpv +whitelist ${HOME}/.mailcap +whitelist ${HOME}/.netrc +whitelist ${HOME}/.w3m + +#private-bin w3m,mpv,youtube-dl + +# tells rtv, which browser to use +#env RTV_BROWSER=w3m diff -Nru firejail-0.9.64.4/etc/profile-m-z/rtv.profile firejail-0.9.66/etc/profile-m-z/rtv.profile --- firejail-0.9.64.4/etc/profile-m-z/rtv.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/rtv.profile 2021-06-28 00:03:00.000000000 +0000 @@ -12,10 +12,17 @@ noblacklist ${HOME}/.config/rtv noblacklist ${HOME}/.local/share/rtv +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc +# You can configure rtv to open different type of links in external applications. +# Configuration: https://github.com/michael-lazar/rtv#viewing-media-links. +# Add the next line to your rtv.local to enable external application support. +#include rtv-addons.profile include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -37,6 +44,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -49,10 +57,10 @@ tracelog disable-mnt -private-bin python*,rtv,sh,xdg-settings +private-bin less,python*,rtv,sh,xdg-settings private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg dbus-user none dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/runenpass.sh.profile firejail-0.9.66/etc/profile-m-z/runenpass.sh.profile --- firejail-0.9.64.4/etc/profile-m-z/runenpass.sh.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/runenpass.sh.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail alias profile for enpass # This file is overwritten after every install/update - # Persistent local customizations include runenpass.sh.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include enpass.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/sayonara.profile firejail-0.9.66/etc/profile-m-z/sayonara.profile --- firejail-0.9.64.4/etc/profile-m-z/sayonara.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sayonara.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/scallion.profile firejail-0.9.66/etc/profile-m-z/scallion.profile --- firejail-0.9.64.4/etc/profile-m-z/scallion.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/scallion.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/scorched3d.profile firejail-0.9.66/etc/profile-m-z/scorched3d.profile --- firejail-0.9.64.4/etc/profile-m-z/scorched3d.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/scorched3d.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,6 +19,7 @@ mkdir ${HOME}/.scorched3d whitelist ${HOME}/.scorched3d whitelist /usr/share/scorched3d +whitelist /usr/share/games/scorched3d include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -29,6 +30,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -40,7 +42,7 @@ tracelog disable-mnt -private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds +private-bin scorched3d,scorched3dc,scorched3ds private-cache private-dev private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/scorched3d-wrapper.profile firejail-0.9.66/etc/profile-m-z/scorched3d-wrapper.profile --- firejail-0.9.64.4/etc/profile-m-z/scorched3d-wrapper.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/scorched3d-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,10 +1,11 @@ -# Firejail profile for scorched3d +# Firejail profile for scorched3d-wrapper # This file is overwritten after every install/update # Persistent local customizations include scorched3d-wrapper.local -whitelist /usr/share/opengl-games-utils -private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity +include allow-opengl-game.inc + +private-bin scorched3d-wrapper # Redirect include scorched3d.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/scorchwentbonkers.profile firejail-0.9.66/etc/profile-m-z/scorchwentbonkers.profile --- firejail-0.9.64.4/etc/profile-m-z/scorchwentbonkers.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/scorchwentbonkers.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/Screenshot.profile firejail-0.9.66/etc/profile-m-z/Screenshot.profile --- firejail-0.9.64.4/etc/profile-m-z/Screenshot.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/Screenshot.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile for gnome-screenshot # This file is overwritten after every install/update - # Persistent local customizations include Screenshot.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff -Nru firejail-0.9.64.4/etc/profile-m-z/scribus.profile firejail-0.9.66/etc/profile-m-z/scribus.profile --- firejail-0.9.64.4/etc/profile-m-z/scribus.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/scribus.profile 2021-06-22 15:51:28.000000000 +0000 @@ -45,6 +45,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/sdat2img.profile firejail-0.9.66/etc/profile-m-z/sdat2img.profile --- firejail-0.9.64.4/etc/profile-m-z/sdat2img.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sdat2img.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/seahorse-adventures.profile firejail-0.9.66/etc/profile-m-z/seahorse-adventures.profile --- firejail-0.9.64.4/etc/profile-m-z/seahorse-adventures.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/seahorse-adventures.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,6 +6,9 @@ # Persistent global definitions include globals.local +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -20,6 +23,7 @@ include disable-xdg.inc whitelist /usr/share/seahorse-adventures +whitelist /usr/share/games/seahorse-adventures include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -29,6 +33,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv @@ -41,7 +46,7 @@ disable-mnt private -private-bin python*,seahorse-adventures +private-bin bash,dash,python*,seahorse-adventures,sh private-cache private-dev private-etc machine-id diff -Nru firejail-0.9.64.4/etc/profile-m-z/seahorse.profile firejail-0.9.66/etc/profile-m-z/seahorse.profile --- firejail-0.9.64.4/etc/profile-m-z/seahorse.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/seahorse.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,8 +9,9 @@ blacklist /tmp/.X11-unix noblacklist ${HOME}/.gnupg -noblacklist ${HOME}/.ssh -noblacklist /tmp/ssh-* + +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc include disable-common.inc include disable-devel.inc @@ -21,7 +22,7 @@ include disable-xdg.inc # whitelisting in ${HOME} breaks file encryption feature of nautilus. -# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile +# Once #2882 is fixed this can be activated here and nowhitelisted in seahorse-tool.profile. #mkdir ${HOME}/.gnupg #mkdir ${HOME}/.ssh #whitelist ${HOME}/.gnupg @@ -45,6 +46,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/seamonkey-bin.profile firejail-0.9.66/etc/profile-m-z/seamonkey-bin.profile --- firejail-0.9.64.4/etc/profile-m-z/seamonkey-bin.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/seamonkey-bin.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for seamonkey # This file is overwritten after every install/update - # Persistent local customizations include seamonkey-bin.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include seamonkey.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/server.profile firejail-0.9.66/etc/profile-m-z/server.profile --- firejail-0.9.64.4/etc/profile-m-z/server.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/server.profile 2021-06-22 15:51:28.000000000 +0000 @@ -60,6 +60,7 @@ no3d nodvd # nogroups +noinput # nonewprivs # noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/servo.profile firejail-0.9.66/etc/profile-m-z/servo.profile --- firejail-0.9.64.4/etc/profile-m-z/servo.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/servo.profile 2021-06-22 15:51:28.000000000 +0000 @@ -17,7 +17,8 @@ include disable-programs.inc include disable-xdg.inc -# Add a whitelist for the directory where servo is installed and uncomment the lines below. +# Add the next lines to your servo.local to turn this into a whitelisting profile. +# You will need to add a whitelist for the directory where servo is installed. #whitelist ${DOWNLOADS} #include whitelist-common.inc include whitelist-runuser-common.inc @@ -28,6 +29,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/sha1sum.profile firejail-0.9.66/etc/profile-m-z/sha1sum.profile --- firejail-0.9.64.4/etc/profile-m-z/sha1sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sha1sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for sha1sum +# Description: compute and check SHA1 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha1sum.local +# Persistent global definitions +include globals.local + +private-bin sha1sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/sha224sum.profile firejail-0.9.66/etc/profile-m-z/sha224sum.profile --- firejail-0.9.64.4/etc/profile-m-z/sha224sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sha224sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for sha224sum +# Description: compute and check SHA224 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha224sum.local +# Persistent global definitions +include globals.local + +private-bin sha224sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/sha256sum.profile firejail-0.9.66/etc/profile-m-z/sha256sum.profile --- firejail-0.9.64.4/etc/profile-m-z/sha256sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sha256sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for sha256sum +# Description: compute and check SHA256 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha256sum.local +# Persistent global definitions +include globals.local + +private-bin sha256sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/sha384sum.profile firejail-0.9.66/etc/profile-m-z/sha384sum.profile --- firejail-0.9.64.4/etc/profile-m-z/sha384sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sha384sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for sha384sum +# Description: compute and check SHA384 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha384sum.local +# Persistent global definitions +include globals.local + +private-bin sha384sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/sha512sum.profile firejail-0.9.66/etc/profile-m-z/sha512sum.profile --- firejail-0.9.64.4/etc/profile-m-z/sha512sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sha512sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for sha512sum +# Description: compute and check SHA512 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha512sum.local +# Persistent global definitions +include globals.local + +private-bin sha512sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/shellcheck.profile firejail-0.9.66/etc/profile-m-z/shellcheck.profile --- firejail-0.9.64.4/etc/profile-m-z/shellcheck.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/shellcheck.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/shortwave.profile firejail-0.9.66/etc/profile-m-z/shortwave.profile --- firejail-0.9.64.4/etc/profile-m-z/shortwave.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/shortwave.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/shotcut.profile firejail-0.9.66/etc/profile-m-z/shotcut.profile --- firejail-0.9.64.4/etc/profile-m-z/shotcut.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/shotcut.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/shotwell.profile firejail-0.9.66/etc/profile-m-z/shotwell.profile --- firejail-0.9.64.4/etc/profile-m-z/shotwell.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/shotwell.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/signal-cli.profile firejail-0.9.66/etc/profile-m-z/signal-cli.profile --- firejail-0.9.64.4/etc/profile-m-z/signal-cli.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/signal-cli.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/signal-desktop.profile firejail-0.9.66/etc/profile-m-z/signal-desktop.profile --- firejail-0.9.64.4/etc/profile-m-z/signal-desktop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/signal-desktop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -5,11 +5,6 @@ # Persistent global definitions include globals.local -# Disabled until someone reported positive feedback -ignore include-xdg.inc -ignore include whitelist-runuser-common.inc -ignore include whitelist-usr-share-common.inc -ignore private-cache ignore novideo ignore noexec /tmp @@ -24,7 +19,12 @@ mkdir ${HOME}/.config/Signal whitelist ${HOME}/.config/Signal -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl + +# allow D-Bus notifications +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +ignore dbus-user none # Redirect include electron.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/silentarmy.profile firejail-0.9.66/etc/profile-m-z/silentarmy.profile --- firejail-0.9.64.4/etc/profile-m-z/silentarmy.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/silentarmy.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/simplescreenrecorder.profile firejail-0.9.66/etc/profile-m-z/simplescreenrecorder.profile --- firejail-0.9.64.4/etc/profile-m-z/simplescreenrecorder.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/simplescreenrecorder.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/simutrans.profile firejail-0.9.66/etc/profile-m-z/simutrans.profile --- firejail-0.9.64.4/etc/profile-m-z/simutrans.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/simutrans.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/skypeforlinux.profile firejail-0.9.66/etc/profile-m-z/skypeforlinux.profile --- firejail-0.9.64.4/etc/profile-m-z/skypeforlinux.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/skypeforlinux.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,6 +18,7 @@ ignore dbus-system none # breaks Skype +ignore apparmor ignore noexec /tmp noblacklist ${HOME}/.config/skypeforlinux diff -Nru firejail-0.9.64.4/etc/profile-m-z/slack.profile firejail-0.9.66/etc/profile-m-z/slack.profile --- firejail-0.9.64.4/etc/profile-m-z/slack.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/slack.profile 2021-06-22 15:51:28.000000000 +0000 @@ -18,12 +18,14 @@ noblacklist ${HOME}/.config/Slack +include allow-bin-sh.inc + include disable-shell.inc mkdir ${HOME}/.config/Slack whitelist ${HOME}/.config/Slack -private-bin locale,slack +private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe # Redirect diff -Nru firejail-0.9.64.4/etc/profile-m-z/slashem.profile firejail-0.9.66/etc/profile-m-z/slashem.profile --- firejail-0.9.64.4/etc/profile-m-z/slashem.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/slashem.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ no3d nodvd nogroups +noinput #nonewprivs #noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/smplayer.profile firejail-0.9.66/etc/profile-m-z/smplayer.profile --- firejail-0.9.64.4/etc/profile-m-z/smplayer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/smplayer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,7 +10,10 @@ noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.mplayer +# Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc + +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -36,6 +39,7 @@ caps.drop all netfilter # nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/smtube.profile firejail-0.9.66/etc/profile-m-z/smtube.profile --- firejail-0.9.64.4/etc/profile-m-z/smtube.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/smtube.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ nou2f novideo nogroups +noinput nonewprivs noroot protocol unix,inet,inet6,netlink diff -Nru firejail-0.9.64.4/etc/profile-m-z/smuxi-frontend-gnome.profile firejail-0.9.66/etc/profile-m-z/smuxi-frontend-gnome.profile --- firejail-0.9.64.4/etc/profile-m-z/smuxi-frontend-gnome.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/smuxi-frontend-gnome.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/soffice.profile firejail-0.9.66/etc/profile-m-z/soffice.profile --- firejail-0.9.64.4/etc/profile-m-z/soffice.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/soffice.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update - # Persistent local customizations include soffice.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/softmaker-common.profile firejail-0.9.66/etc/profile-m-z/softmaker-common.profile --- firejail-0.9.64.4/etc/profile-m-z/softmaker-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/softmaker-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/sol.profile firejail-0.9.66/etc/profile-m-z/sol.profile --- firejail-0.9.64.4/etc/profile-m-z/sol.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sol.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ # no3d nodvd nogroups +noinput nonewprivs noroot # nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/soundconverter.profile firejail-0.9.66/etc/profile-m-z/soundconverter.profile --- firejail-0.9.64.4/etc/profile-m-z/soundconverter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/soundconverter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/sound-juicer.profile firejail-0.9.66/etc/profile-m-z/sound-juicer.profile --- firejail-0.9.64.4/etc/profile-m-z/sound-juicer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sound-juicer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter no3d nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/spectacle.profile firejail-0.9.66/etc/profile-m-z/spectacle.profile --- firejail-0.9.64.4/etc/profile-m-z/spectacle.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/spectacle.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# Uncomment the following lines to use sharing services. +# Add the next lines to your spectacle.local to use sharing services. #netfilter #ignore net none #private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl @@ -26,6 +26,8 @@ mkfile ${HOME}/.config/spectaclerc whitelist ${HOME}/.config/spectaclerc whitelist ${PICTURES} +whitelist /usr/share/kconf_update/spectacle_newConfig.upd +whitelist /usr/share/kconf_update/spectacle_shortcuts.upd include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -38,6 +40,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -46,6 +49,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog @@ -53,11 +57,12 @@ private-bin spectacle private-cache private-dev -private-etc alternatives,fonts,ld.so.conf +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d private-tmp dbus-user filter dbus-user.own org.kde.spectacle +dbus-user.own org.kde.Spectacle dbus-user.talk org.freedesktop.FileManager1 #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kglobalaccel diff -Nru firejail-0.9.64.4/etc/profile-m-z/spectral.profile firejail-0.9.66/etc/profile-m-z/spectral.profile --- firejail-0.9.64.4/etc/profile-m-z/spectral.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/spectral.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -50,8 +51,9 @@ private-tmp dbus-user none -# Comment the above line and uncomment below lines for notification popups -# dbus-user filter -# dbus-user.talk org.freedesktop.Notifications -# dbus-user.talk org.kde.StatusNotifierWatcher +# Add the next lines to your spectral.local to enable notification support. +#ignore dbus-user none +#dbus-user filter +#dbus-user.talk org.freedesktop.Notifications +#dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/spotify.profile firejail-0.9.66/etc/profile-m-z/spotify.profile --- firejail-0.9.64.4/etc/profile-m-z/spotify.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/spotify.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -43,7 +44,7 @@ disable-mnt private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity private-dev -# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio +# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt spotify private-srv none diff -Nru firejail-0.9.64.4/etc/profile-m-z/sqlitebrowser.profile firejail-0.9.66/etc/profile-m-z/sqlitebrowser.profile --- firejail-0.9.64.4/etc/profile-m-z/sqlitebrowser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sqlitebrowser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/ssh-agent.profile firejail-0.9.66/etc/profile-m-z/ssh-agent.profile --- firejail-0.9.64.4/etc/profile-m-z/ssh-agent.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ssh-agent.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,9 +6,8 @@ # Persistent global definitions include globals.local -noblacklist /etc/ssh -noblacklist /tmp/ssh-* -noblacklist ${HOME}/.ssh +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* diff -Nru firejail-0.9.64.4/etc/profile-m-z/ssh.profile firejail-0.9.66/etc/profile-m-z/ssh.profile --- firejail-0.9.64.4/etc/profile-m-z/ssh.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ssh.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,13 +7,13 @@ # Persistent global definitions include globals.local -noblacklist /etc/ssh -noblacklist /tmp/ssh-* -noblacklist ${HOME}/.ssh # nc can be used as ProxyCommand, e.g. when using tor noblacklist ${PATH}/nc noblacklist ${PATH}/ncat +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc @@ -24,12 +24,14 @@ include whitelist-usr-share-common.inc include whitelist-runuser-common.inc +apparmor caps.drop all ipc-namespace netfilter no3d nodvd nogroups +noinput nonewprivs # noroot - see issue #1543 nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/standardnotes-desktop.profile firejail-0.9.66/etc/profile-m-z/standardnotes-desktop.profile --- firejail-0.9.64.4/etc/profile-m-z/standardnotes-desktop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/standardnotes-desktop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/start-tor-browser.profile firejail-0.9.66/etc/profile-m-z/start-tor-browser.profile --- firejail-0.9.64.4/etc/profile-m-z/start-tor-browser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/start-tor-browser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -3,40 +3,8 @@ # Persistent local customizations include start-tor-browser.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -ignore noexec ${HOME} - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -include whitelist-var-common.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp !chroot -shell none -# tracelog may cause issues, see github issue #1930 -#tracelog - -disable-mnt -private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity -private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl -private-tmp - -dbus-user none -dbus-system none +# Redirect +include start-tor-browser.desktop.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/steam-native.profile firejail-0.9.66/etc/profile-m-z/steam-native.profile --- firejail-0.9.64.4/etc/profile-m-z/steam-native.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/steam-native.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for steam # This file is overwritten after every install/update - # Persistent local customizations include steam-native.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include steam.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/steam.profile firejail-0.9.66/etc/profile-m-z/steam.profile --- firejail-0.9.64.4/etc/profile-m-z/steam.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/steam.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,16 +6,28 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/Epic +noblacklist ${HOME}/.config/Loop_Hero +noblacklist ${HOME}/.config/ModTheSpire +noblacklist ${HOME}/.config/RogueLegacy +noblacklist ${HOME}/.config/RogueLegacyStorageContainer noblacklist ${HOME}/.killingfloor +noblacklist ${HOME}/.klei noblacklist ${HOME}/.local/share/3909/PapersPlease noblacklist ${HOME}/.local/share/aspyr-media noblacklist ${HOME}/.local/share/bohemiainteractive noblacklist ${HOME}/.local/share/cdprojektred +noblacklist ${HOME}/.local/share/Dredmor noblacklist ${HOME}/.local/share/FasterThanLight noblacklist ${HOME}/.local/share/feral-interactive noblacklist ${HOME}/.local/share/IntoTheBreach noblacklist ${HOME}/.local/share/Paradox Interactive +noblacklist ${HOME}/.local/share/PillarsOfEternity +noblacklist ${HOME}/.local/share/RogueLegacy +noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer noblacklist ${HOME}/.local/share/Steam +noblacklist ${HOME}/.local/share/SteamWorldDig +noblacklist ${HOME}/.local/share/SteamWorld Dig 2 noblacklist ${HOME}/.local/share/SuperHexagon noblacklist ${HOME}/.local/share/Terraria noblacklist ${HOME}/.local/share/vpltd @@ -42,17 +54,27 @@ include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/Epic +mkdir ${HOME}/.config/Loop_Hero +mkdir ${HOME}/.config/ModTheSpire +mkdir ${HOME}/.config/RogueLegacy mkdir ${HOME}/.config/unity3d mkdir ${HOME}/.killingfloor +mkdir ${HOME}/.klei mkdir ${HOME}/.local/share/3909/PapersPlease mkdir ${HOME}/.local/share/aspyr-media mkdir ${HOME}/.local/share/bohemiainteractive mkdir ${HOME}/.local/share/cdprojektred +mkdir ${HOME}/.local/share/Dredmor mkdir ${HOME}/.local/share/FasterThanLight mkdir ${HOME}/.local/share/feral-interactive mkdir ${HOME}/.local/share/IntoTheBreach mkdir ${HOME}/.local/share/Paradox Interactive +mkdir ${HOME}/.local/share/PillarsOfEternity +mkdir ${HOME}/.local/share/RogueLegacy mkdir ${HOME}/.local/share/Steam +mkdir ${HOME}/.local/share/SteamWorldDig +mkdir ${HOME}/.local/share/SteamWorld Dig 2 mkdir ${HOME}/.local/share/SuperHexagon mkdir ${HOME}/.local/share/Terraria mkdir ${HOME}/.local/share/vpltd @@ -62,17 +84,29 @@ mkdir ${HOME}/.steam mkfile ${HOME}/.steampath mkfile ${HOME}/.steampid +whitelist ${HOME}/.config/Epic +whitelist ${HOME}/.config/Loop_Hero +whitelist ${HOME}/.config/ModTheSpire +whitelist ${HOME}/.config/RogueLegacy +whitelist ${HOME}/.config/RogueLegacyStorageContainer whitelist ${HOME}/.config/unity3d whitelist ${HOME}/.killingfloor +whitelist ${HOME}/.klei whitelist ${HOME}/.local/share/3909/PapersPlease whitelist ${HOME}/.local/share/aspyr-media whitelist ${HOME}/.local/share/bohemiainteractive whitelist ${HOME}/.local/share/cdprojektred +whitelist ${HOME}/.local/share/Dredmor whitelist ${HOME}/.local/share/FasterThanLight whitelist ${HOME}/.local/share/feral-interactive whitelist ${HOME}/.local/share/IntoTheBreach whitelist ${HOME}/.local/share/Paradox Interactive +whitelist ${HOME}/.local/share/PillarsOfEternity +whitelist ${HOME}/.local/share/RogueLegacy +whitelist ${HOME}/.local/share/RogueLegacyStorageContainer whitelist ${HOME}/.local/share/Steam +whitelist ${HOME}/.local/share/SteamWorldDig +whitelist ${HOME}/.local/share/SteamWorld Dig 2 whitelist ${HOME}/.local/share/SuperHexagon whitelist ${HOME}/.local/share/Terraria whitelist ${HOME}/.local/share/vpltd @@ -85,39 +119,48 @@ include whitelist-common.inc include whitelist-var-common.inc +# NOTE: The following were intentionally left out as they are alternative +# (i.e.: unnecessary and/or legacy) paths whose existence may potentially +# clobber other paths (see #4225). If you use any, either add the entry to +# steam.local or move the contents to a path listed above (or open an issue if +# it's missing above). +#mkdir ${HOME}/.config/RogueLegacyStorageContainer +#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer + caps.drop all #ipc-namespace netfilter nodvd -# nVidia users may need to comment / ignore nogroups and noroot nogroups nonewprivs +# If you use nVidia you might need to add 'ignore noroot' to your steam.local. noroot notv nou2f -# novideo should be commented for VR +# For VR support add 'ignore novideo' to your steam.local. novideo protocol unix,inet,inet6,netlink -# seccomp sometimes causes issues (see #2951, #3267), -# comment it or add 'ignore seccomp' to steam.local if so. +# seccomp sometimes causes issues (see #2951, #3267). +# Add 'ignore seccomp' to your steam.local if you experience this. seccomp !ptrace shell none # tracelog breaks integrated browser #tracelog -# private-bin is disabled while in testing, but has been tested working with multiple games +# private-bin is disabled while in testing, but is known to work with multiple games. +# Add the next line to your steam.local to enable private-bin. #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity -# extra programs are available which might be needed for select games +# Extra programs are available which might be needed for select games. +# Add the next line to your steam.local to enable support for these programs. #private-bin java,java-config,mono -# picture viewers are needed for viewing screenshots +# To view screenshots add the next line to your steam.local. #private-bin eog,eom,gthumb,pix,viewnior,xviewer -# comment the following line if you need controller support private-dev -# private-etc breaks a small selection of games on some systems, comment to support those +# private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' +# to your steam.local to support those. private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl private-tmp -# breaks appindicator support # dbus-user none # dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/steam-runtime.profile firejail-0.9.66/etc/profile-m-z/steam-runtime.profile --- firejail-0.9.64.4/etc/profile-m-z/steam-runtime.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/steam-runtime.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for steam # This file is overwritten after every install/update - # Persistent local customizations include steam-runtime.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include steam.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/stellarium.profile firejail-0.9.66/etc/profile-m-z/stellarium.profile --- firejail-0.9.64.4/etc/profile-m-z/stellarium.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/stellarium.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/strawberry.profile firejail-0.9.66/etc/profile-m-z/strawberry.profile --- firejail-0.9.64.4/etc/profile-m-z/strawberry.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/strawberry.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/straw-viewer.profile firejail-0.9.66/etc/profile-m-z/straw-viewer.profile --- firejail-0.9.64.4/etc/profile-m-z/straw-viewer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/straw-viewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,7 +1,7 @@ # Firejail profile for straw-viewer # Description: Fork of youtube-viewer acts like an invidious frontend -quiet # This file is overwritten after every install/update +quiet # Persistent local customizations include straw-viewer.local # Persistent global definitions @@ -10,49 +10,12 @@ noblacklist ${HOME}/.cache/straw-viewer noblacklist ${HOME}/.config/straw-viewer -include allow-lua.inc -include allow-perl.inc -include allow-python2.inc -include allow-python3.inc - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - mkdir ${HOME}/.config/straw-viewer mkdir ${HOME}/.cache/straw-viewer whitelist ${HOME}/.cache/straw-viewer whitelist ${HOME}/.config/straw-viewer -whitelist ${DOWNLOADS} -include whitelist-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog -disable-mnt -private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl -private-cache -private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg -private-tmp +private-bin gtk-straw-viewer,straw-viewer -dbus-user none -dbus-system none +# Redirect +include youtube-viewers-common.profile \ No newline at end of file diff -Nru firejail-0.9.64.4/etc/profile-m-z/strings.profile firejail-0.9.66/etc/profile-m-z/strings.profile --- firejail-0.9.64.4/etc/profile-m-z/strings.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/strings.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs #noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/studio.sh.profile firejail-0.9.66/etc/profile-m-z/studio.sh.profile --- firejail-0.9.64.4/etc/profile-m-z/studio.sh.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/studio.sh.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for Android Studio # This file is overwritten after every install/update - # Persistent local customizations include studio.sh.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include android-studio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/subdownloader.profile firejail-0.9.66/etc/profile-m-z/subdownloader.profile --- firejail-0.9.64.4/etc/profile-m-z/subdownloader.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/subdownloader.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/sum.profile firejail-0.9.66/etc/profile-m-z/sum.profile --- firejail-0.9.64.4/etc/profile-m-z/sum.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sum.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for sum +# Description: checksum and count the blocks in a file +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sum.local +# Persistent global definitions +include globals.local + +private-bin sum + +# Redirect +include hasher-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/supertux2.profile firejail-0.9.66/etc/profile-m-z/supertux2.profile --- firejail-0.9.64.4/etc/profile-m-z/supertux2.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/supertux2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -14,11 +14,13 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.local/share/supertux2 whitelist ${HOME}/.local/share/supertux2 whitelist /usr/share/supertux2 +whitelist /usr/share/games/supertux2 # Debian version include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -29,6 +31,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv @@ -42,6 +45,8 @@ disable-mnt # private-bin supertux2 +private-cache +private-etc machine-id private-dev private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/supertuxkart.profile firejail-0.9.66/etc/profile-m-z/supertuxkart.profile --- firejail-0.9.64.4/etc/profile-m-z/supertuxkart.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/supertuxkart.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/supertuxkart noblacklist ${HOME}/.local/share/supertuxkart +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -26,6 +28,7 @@ whitelist ${HOME}/.cache/supertuxkart whitelist ${HOME}/.local/share/supertuxkart whitelist /usr/share/supertuxkart +whitelist /usr/share/games/supertuxkart # Debian version include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -50,7 +53,7 @@ disable-mnt private-bin supertuxkart private-cache -# uncomment the following line if you do not need controller support +# Add the next line to your supertuxkart.local if you do not need controller support. #private-dev private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/supertuxkart-wrapper.profile firejail-0.9.66/etc/profile-m-z/supertuxkart-wrapper.profile --- firejail-0.9.64.4/etc/profile-m-z/supertuxkart-wrapper.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/supertuxkart-wrapper.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,14 @@ +# Firejail profile for supertuxkart-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include supertuxkart-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin supertuxkart-wrapper + +# Redirect +include supertuxkart.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/surf.profile firejail-0.9.66/etc/profile-m-z/surf.profile --- firejail-0.9.64.4/etc/profile-m-z/surf.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/surf.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ caps.drop all netfilter nodvd +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/sushi.profile firejail-0.9.66/etc/profile-m-z/sushi.profile --- firejail-0.9.64.4/etc/profile-m-z/sushi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sushi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/sylpheed.profile firejail-0.9.66/etc/profile-m-z/sylpheed.profile --- firejail-0.9.64.4/etc/profile-m-z/sylpheed.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sylpheed.profile 2021-06-22 15:51:28.000000000 +0000 @@ -13,5 +13,14 @@ whitelist /usr/share/sylpheed +# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring.SystemPrompter +# Add the next line to your sylpheed.local to enable notifications. +# dbus-user.talk org.freedesktop.Notifications + # Redirect include email-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/synfigstudio.profile firejail-0.9.66/etc/profile-m-z/synfigstudio.profile --- firejail-0.9.64.4/etc/profile-m-z/synfigstudio.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/synfigstudio.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/sysprof.profile firejail-0.9.66/etc/profile-m-z/sysprof.profile --- firejail-0.9.64.4/etc/profile-m-z/sysprof.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/sysprof.profile 2021-06-22 15:51:28.000000000 +0000 @@ -15,8 +15,15 @@ include disable-programs.inc include disable-xdg.inc -# help menu functionality (yelp) - comment or add this block prepended with 'ignore' -# to your sysprof.local if you don't need the help functionality +# Add the next lines to your sysprof.local if you don't need (yelp) help menu functionality. +#ignore noblacklist ${HOME}/.config/yelp +#ignore mkdir ${HOME}/.config/yelp +#nowhitelist ${HOME}/.config/yelp +#nowhitelist /usr/share/help/C/sysprof +#nowhitelist /usr/share/yelp +#nowhitelist /usr/share/yelp-tools +#nowhitelist /usr/share/yelp-xsl + noblacklist ${HOME}/.config/yelp mkdir ${HOME}/.config/yelp whitelist ${HOME}/.config/yelp @@ -39,8 +46,10 @@ no3d nodvd nogroups +noinput nonewprivs -# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial +# Some older Debian/Ubuntu sysprof versions need root privileges. +# Add 'ignore noroot' to your sysprof.local if you run one of these. noroot nosound notv @@ -56,7 +65,7 @@ private-cache private-dev private-etc alternatives,fonts,ld.so.cache,machine-id,ssl -# private-lib breaks help menu +# private-lib - breaks help menu #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/tar.profile firejail-0.9.66/etc/profile-m-z/tar.profile --- firejail-0.9.64.4/etc/profile-m-z/tar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,13 +7,17 @@ # Persistent global definitions include globals.local -# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. -noblacklist /var/lib/pacman - +# Included in archiver-common.profile ignore include disable-shell.inc -include archiver-common.inc + +# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop +# all capabilities this is automatically read-only. +noblacklist /var/lib/pacman private-etc alternatives,group,localtime,login.defs,passwd #private-lib libfakeroot,liblzma.so.*,libreadline.so.* # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) writable-var + +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/tcpdump.profile firejail-0.9.66/etc/profile-m-z/tcpdump.profile --- firejail-0.9.64.4/etc/profile-m-z/tcpdump.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tcpdump.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,6 +8,7 @@ noblacklist /sbin noblacklist /usr/sbin +noblacklist ${PATH}/tcpdump include disable-common.inc include disable-devel.inc @@ -27,6 +28,7 @@ no3d nodvd #nogroups +noinput nonewprivs #noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/teamspeak3.profile firejail-0.9.66/etc/profile-m-z/teamspeak3.profile --- firejail-0.9.64.4/etc/profile-m-z/teamspeak3.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/teamspeak3.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/teeworlds.profile firejail-0.9.66/etc/profile-m-z/teeworlds.profile --- firejail-0.9.64.4/etc/profile-m-z/teeworlds.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/teeworlds.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/telegram-desktop.profile firejail-0.9.66/etc/profile-m-z/telegram-desktop.profile --- firejail-0.9.64.4/etc/profile-m-z/telegram-desktop.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/telegram-desktop.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for telegram # Description: Official Telegram Desktop client # This file is overwritten after every install/update - # Persistent local customizations -include tekegram-desktop.local +include telegram-desktop.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include telegram.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/telegram.profile firejail-0.9.66/etc/profile-m-z/telegram.profile --- firejail-0.9.64.4/etc/profile-m-z/telegram.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/telegram.profile 2021-06-28 17:13:02.000000000 +0000 @@ -12,18 +12,44 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc +include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc +mkdir ${HOME}/.TelegramDesktop +mkdir ${HOME}/.local/share/TelegramDesktop +whitelist ${HOME}/.TelegramDesktop +whitelist ${HOME}/.local/share/TelegramDesktop +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor caps.drop all netfilter nodvd +noinput nonewprivs noroot notv protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary +shell none disable-mnt +#private-bin telegram,Telegram,telegram-desktop private-cache -private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg +private-dev +private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp + +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.talk org.gnome.Mutter.IdleMonitor +dbus-user.talk org.freedesktop.ScreenSaver +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/Telegram.profile firejail-0.9.66/etc/profile-m-z/Telegram.profile --- firejail-0.9.64.4/etc/profile-m-z/Telegram.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/Telegram.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for telegram # This file is overwritten after every install/update - # Persistent local customizations include Telegram.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include telegram.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/terasology.profile firejail-0.9.66/etc/profile-m-z/terasology.profile --- firejail-0.9.64.4/etc/profile-m-z/terasology.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/terasology.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/thunar.profile firejail-0.9.66/etc/profile-m-z/thunar.profile --- firejail-0.9.64.4/etc/profile-m-z/thunar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/thunar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for Thunar # Description: Modern file manager for Xfce # This file is overwritten after every install/update - # Persistent local customizations include thunar.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include Thunar.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/thunderbird-beta.profile firejail-0.9.66/etc/profile-m-z/thunderbird-beta.profile --- firejail-0.9.64.4/etc/profile-m-z/thunderbird-beta.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/thunderbird-beta.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for thunderbird-beta # This file is overwritten after every install/update - # Persistent local customizations include thunderbird-beta.local +# Persistent global definitions +# added by included profile +#include globals.local private-opt thunderbird-beta diff -Nru firejail-0.9.64.4/etc/profile-m-z/tin.profile firejail-0.9.66/etc/profile-m-z/tin.profile --- firejail-0.9.64.4/etc/profile-m-z/tin.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tin.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,69 @@ +# Firejail profile for tin +# Description: ncurses-based Usenet newsreader +# This file is overwritten after every install/update +# Persistent local customizations +include tin.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.newsrc +noblacklist ${HOME}/.tin + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.tin +mkfile ${HOME}/.newsrc +# Note: files/directories directly in ${HOME} can't be whitelisted, as +# tin saves .newsrc by renaming a temporary file, which is not possible for +# bind-mounted files. +#whitelist ${HOME}/.newsrc +#whitelist ${HOME}/.tin +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin rtin,tin +private-cache +private-dev +private-etc passwd,resolv.conf,terminfo,tin +private-lib terminfo +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-m-z/tmux.profile firejail-0.9.66/etc/profile-m-z/tmux.profile --- firejail-0.9.64.4/etc/profile-m-z/tmux.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tmux.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,46 @@ +# Firejail profile for tmux +# Description: terminal multiplexer +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include tmux.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +noblacklist /tmp/tmux-* + +# include disable-common.inc +# include disable-devel.inc +# include disable-exec.inc +include disable-passwdmgr.inc +# include disable-programs.inc + +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +# private-cache +private-dev +# private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_ar.profile firejail-0.9.66/etc/profile-m-z/tor-browser_ar.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_ar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_ar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_ar.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ar diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-ar.profile firejail-0.9.66/etc/profile-m-z/tor-browser-ar.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-ar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-ar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-ar.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ar diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_ca.profile firejail-0.9.66/etc/profile-m-z/tor-browser_ca.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_ca.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_ca.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_ca.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ca diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-ca.profile firejail-0.9.66/etc/profile-m-z/tor-browser-ca.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-ca.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-ca.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-ca.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ca diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_cs.profile firejail-0.9.66/etc/profile-m-z/tor-browser_cs.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_cs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_cs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_cs.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_cs diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-cs.profile firejail-0.9.66/etc/profile-m-z/tor-browser-cs.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-cs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-cs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-cs.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-cs diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_da.profile firejail-0.9.66/etc/profile-m-z/tor-browser_da.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_da.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_da.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_da.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_da diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-da.profile firejail-0.9.66/etc/profile-m-z/tor-browser-da.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-da.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-da.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-da.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-da diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_de.profile firejail-0.9.66/etc/profile-m-z/tor-browser_de.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_de.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_de.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_de.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_de diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-de.profile firejail-0.9.66/etc/profile-m-z/tor-browser-de.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-de.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-de.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-de.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-de diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_el.profile firejail-0.9.66/etc/profile-m-z/tor-browser_el.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_el.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_el.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_el.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_el diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-el.profile firejail-0.9.66/etc/profile-m-z/tor-browser-el.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-el.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-el.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-el.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-el diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_en.profile firejail-0.9.66/etc/profile-m-z/tor-browser_en.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_en.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_en.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_en.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_en diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-en.profile firejail-0.9.66/etc/profile-m-z/tor-browser-en.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-en.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-en.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-en.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-en diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-en-us.profile firejail-0.9.66/etc/profile-m-z/tor-browser-en-us.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-en-us.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-en-us.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-en-us.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-en-us diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_en-US.profile firejail-0.9.66/etc/profile-m-z/tor-browser_en-US.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_en-US.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_en-US.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_en-US.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_en-US diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-es-es.profile firejail-0.9.66/etc/profile-m-z/tor-browser-es-es.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-es-es.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-es-es.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-es-es.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-es-es diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_es-ES.profile firejail-0.9.66/etc/profile-m-z/tor-browser_es-ES.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_es-ES.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_es-ES.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_es-ES.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_es-ES diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_es.profile firejail-0.9.66/etc/profile-m-z/tor-browser_es.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_es.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_es.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_es.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_es diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-es.profile firejail-0.9.66/etc/profile-m-z/tor-browser-es.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-es.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-es.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-es.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-es diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_fa.profile firejail-0.9.66/etc/profile-m-z/tor-browser_fa.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_fa.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_fa.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_fa.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_fa diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-fa.profile firejail-0.9.66/etc/profile-m-z/tor-browser-fa.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-fa.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-fa.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-fa.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-fa diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_fr.profile firejail-0.9.66/etc/profile-m-z/tor-browser_fr.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_fr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_fr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_fr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_fr diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-fr.profile firejail-0.9.66/etc/profile-m-z/tor-browser-fr.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-fr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-fr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-fr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-fr diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-ga-ie.profile firejail-0.9.66/etc/profile-m-z/tor-browser-ga-ie.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-ga-ie.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-ga-ie.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-ga-ie.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ga-ie diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_ga-IE.profile firejail-0.9.66/etc/profile-m-z/tor-browser_ga-IE.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_ga-IE.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_ga-IE.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_ga-IE.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ga-IE diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_he.profile firejail-0.9.66/etc/profile-m-z/tor-browser_he.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_he.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_he.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_he.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_he diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-he.profile firejail-0.9.66/etc/profile-m-z/tor-browser-he.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-he.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-he.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-he.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-he diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_hu.profile firejail-0.9.66/etc/profile-m-z/tor-browser_hu.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_hu.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_hu.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_hu.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_hu diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-hu.profile firejail-0.9.66/etc/profile-m-z/tor-browser-hu.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-hu.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-hu.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-hu.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-hu diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_id.profile firejail-0.9.66/etc/profile-m-z/tor-browser_id.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_id.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_id.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_id.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_id diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-id.profile firejail-0.9.66/etc/profile-m-z/tor-browser-id.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-id.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-id.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-id.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-id diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_is.profile firejail-0.9.66/etc/profile-m-z/tor-browser_is.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_is.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_is.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_is.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_is diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-is.profile firejail-0.9.66/etc/profile-m-z/tor-browser-is.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-is.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-is.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-is.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-is diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_it.profile firejail-0.9.66/etc/profile-m-z/tor-browser_it.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_it.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_it.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_it.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_it diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-it.profile firejail-0.9.66/etc/profile-m-z/tor-browser-it.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-it.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-it.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-it.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-it diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_ja.profile firejail-0.9.66/etc/profile-m-z/tor-browser_ja.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_ja.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_ja.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_ja.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ja diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-ja.profile firejail-0.9.66/etc/profile-m-z/tor-browser-ja.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-ja.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-ja.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-ja.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ja diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_ka.profile firejail-0.9.66/etc/profile-m-z/tor-browser_ka.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_ka.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_ka.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_ka.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ka diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-ka.profile firejail-0.9.66/etc/profile-m-z/tor-browser-ka.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-ka.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-ka.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-ka.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ka diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_ko.profile firejail-0.9.66/etc/profile-m-z/tor-browser_ko.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_ko.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_ko.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_ko.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ko diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-ko.profile firejail-0.9.66/etc/profile-m-z/tor-browser-ko.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-ko.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-ko.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-ko.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ko diff -Nru firejail-0.9.64.4/etc/profile-m-z/torbrowser-launcher.profile firejail-0.9.66/etc/profile-m-z/torbrowser-launcher.profile --- firejail-0.9.64.4/etc/profile-m-z/torbrowser-launcher.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/torbrowser-launcher.profile 2021-06-22 15:51:28.000000000 +0000 @@ -15,6 +15,9 @@ include allow-python2.inc include allow-python3.inc +blacklist /opt +blacklist /srv + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -28,13 +31,21 @@ whitelist ${DOWNLOADS} whitelist ${HOME}/.config/torbrowser whitelist ${HOME}/.local/share/torbrowser +whitelist /usr/share/torbrowser-launcher include whitelist-common.inc include whitelist-var-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +# Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support. +# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need +# to be uncommented too for this to work as expected. +#apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -43,8 +54,7 @@ protocol unix,inet,inet6 seccomp !chroot shell none -# tracelog may cause issues, see github issue #1930 -#tracelog +#tracelog - may cause issues, see #1930 disable-mnt private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_nb.profile firejail-0.9.66/etc/profile-m-z/tor-browser_nb.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_nb.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_nb.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_nb.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_nb diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-nb.profile firejail-0.9.66/etc/profile-m-z/tor-browser-nb.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-nb.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-nb.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-nb.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-nb diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_nl.profile firejail-0.9.66/etc/profile-m-z/tor-browser_nl.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_nl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_nl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_nl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_nl diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-nl.profile firejail-0.9.66/etc/profile-m-z/tor-browser-nl.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-nl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-nl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-nl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-nl diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_pl.profile firejail-0.9.66/etc/profile-m-z/tor-browser_pl.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_pl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_pl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_pl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_pl diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-pl.profile firejail-0.9.66/etc/profile-m-z/tor-browser-pl.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-pl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-pl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-pl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-pl diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser.profile firejail-0.9.66/etc/profile-m-z/tor-browser.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-pt-br.profile firejail-0.9.66/etc/profile-m-z/tor-browser-pt-br.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-pt-br.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-pt-br.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-pt-br.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-pt-br diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_pt-BR.profile firejail-0.9.66/etc/profile-m-z/tor-browser_pt-BR.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_pt-BR.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_pt-BR.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_pt-BR.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_pt-BR diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_ru.profile firejail-0.9.66/etc/profile-m-z/tor-browser_ru.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_ru.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_ru.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_ru.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ru diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-ru.profile firejail-0.9.66/etc/profile-m-z/tor-browser-ru.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-ru.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-ru.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-ru.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ru diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-sv-se.profile firejail-0.9.66/etc/profile-m-z/tor-browser-sv-se.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-sv-se.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-sv-se.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-sv-se.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-sv-se diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_sv-SE.profile firejail-0.9.66/etc/profile-m-z/tor-browser_sv-SE.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_sv-SE.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_sv-SE.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_sv-SE.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_sv-SE diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_tr.profile firejail-0.9.66/etc/profile-m-z/tor-browser_tr.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_tr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_tr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_tr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_tr diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-tr.profile firejail-0.9.66/etc/profile-m-z/tor-browser-tr.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-tr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-tr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-tr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-tr diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_vi.profile firejail-0.9.66/etc/profile-m-z/tor-browser_vi.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_vi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_vi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_vi.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_vi diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-vi.profile firejail-0.9.66/etc/profile-m-z/tor-browser-vi.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-vi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-vi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-vi.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-vi diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-cn.profile firejail-0.9.66/etc/profile-m-z/tor-browser-zh-cn.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-cn.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-zh-cn.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-zh-cn.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-zh-cn diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-CN.profile firejail-0.9.66/etc/profile-m-z/tor-browser_zh-CN.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-CN.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_zh-CN.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_zh-CN.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_zh-CN diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-tw.profile firejail-0.9.66/etc/profile-m-z/tor-browser-zh-tw.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-tw.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser-zh-tw.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser-zh-tw.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-zh-tw diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-TW.profile firejail-0.9.66/etc/profile-m-z/tor-browser_zh-TW.profile --- firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-TW.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor-browser_zh-TW.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update - -# Persistent global definitions +# Persistent local customizations include tor-browser_zh-TW.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_zh-TW diff -Nru firejail-0.9.64.4/etc/profile-m-z/torcs.profile firejail-0.9.66/etc/profile-m-z/torcs.profile --- firejail-0.9.64.4/etc/profile-m-z/torcs.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/torcs.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/tor.profile firejail-0.9.66/etc/profile-m-z/tor.profile --- firejail-0.9.64.4/etc/profile-m-z/tor.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tor.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/totem.profile firejail-0.9.66/etc/profile-m-z/totem.profile --- firejail-0.9.64.4/etc/profile-m-z/totem.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/totem.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,7 +6,8 @@ # Persistent global definitions include globals.local -# Allow lua (required for youtube video) +# Allow lua (blacklisted by disable-interpreters.inc) +# required for youtube video include allow-lua.inc # Allow python (blacklisted by disable-interpreters.inc) @@ -39,6 +40,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/transgui.profile firejail-0.9.66/etc/profile-m-z/transgui.profile --- firejail-0.9.64.4/etc/profile-m-z/transgui.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/transgui.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/transmission-common.profile firejail-0.9.66/etc/profile-m-z/transmission-common.profile --- firejail-0.9.64.4/etc/profile-m-z/transmission-common.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/transmission-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ machine-id netfilter nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/transmission-daemon.profile firejail-0.9.66/etc/profile-m-z/transmission-daemon.profile --- firejail-0.9.64.4/etc/profile-m-z/transmission-daemon.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/transmission-daemon.profile 2021-06-22 15:51:28.000000000 +0000 @@ -14,7 +14,7 @@ whitelist /var/lib/transmission caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot -protocol unix,inet,inet6,packet +protocol packet private-bin transmission-daemon private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl diff -Nru firejail-0.9.64.4/etc/profile-m-z/tremulous.profile firejail-0.9.66/etc/profile-m-z/tremulous.profile --- firejail-0.9.64.4/etc/profile-m-z/tremulous.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tremulous.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/trojita.profile firejail-0.9.66/etc/profile-m-z/trojita.profile --- firejail-0.9.64.4/etc/profile-m-z/trojita.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/trojita.profile 2021-06-22 15:51:28.000000000 +0000 @@ -38,6 +38,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/truecraft.profile firejail-0.9.66/etc/profile-m-z/truecraft.profile --- firejail-0.9.64.4/etc/profile-m-z/truecraft.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/truecraft.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/tshark.profile firejail-0.9.66/etc/profile-m-z/tshark.profile --- firejail-0.9.64.4/etc/profile-m-z/tshark.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tshark.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile for tshark # This file is overwritten after every install/update quiet - # Persistent local customizations include tshark.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include wireshark.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/tuxguitar.profile firejail-0.9.66/etc/profile-m-z/tuxguitar.profile --- firejail-0.9.64.4/etc/profile-m-z/tuxguitar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tuxguitar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,6 +6,9 @@ # Persistent global definitions include globals.local +# tuxguitar fails to launch +ignore noexec ${HOME} + noblacklist ${HOME}/.tuxguitar* noblacklist ${DOCUMENTS} noblacklist ${MUSIC} @@ -29,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -40,6 +44,3 @@ private-dev private-tmp - -# noexec ${HOME} - tuxguitar may fail to launch -noexec /tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/tvbrowser.profile firejail-0.9.66/etc/profile-m-z/tvbrowser.profile --- firejail-0.9.64.4/etc/profile-m-z/tvbrowser.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/tvbrowser.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/udiskie.profile firejail-0.9.66/etc/profile-m-z/udiskie.profile --- firejail-0.9.64.4/etc/profile-m-z/udiskie.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/udiskie.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ net none no3d nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/uefitool.profile firejail-0.9.66/etc/profile-m-z/uefitool.profile --- firejail-0.9.64.4/etc/profile-m-z/uefitool.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/uefitool.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/uget-gtk.profile firejail-0.9.66/etc/profile-m-z/uget-gtk.profile --- firejail-0.9.64.4/etc/profile-m-z/uget-gtk.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/uget-gtk.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ caps.drop all netfilter nodvd +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/unbound.profile firejail-0.9.66/etc/profile-m-z/unbound.profile --- firejail-0.9.64.4/etc/profile-m-z/unbound.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unbound.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter no3d nodvd +noinput nonewprivs nosound notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/unf.profile firejail-0.9.66/etc/profile-m-z/unf.profile --- firejail-0.9.64.4/etc/profile-m-z/unf.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unf.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/unknown-horizons.profile firejail-0.9.66/etc/profile-m-z/unknown-horizons.profile --- firejail-0.9.64.4/etc/profile-m-z/unknown-horizons.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unknown-horizons.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/unlzma.profile firejail-0.9.66/etc/profile-m-z/unlzma.profile --- firejail-0.9.64.4/etc/profile-m-z/unlzma.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unlzma.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include unlzma.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/unrar.profile firejail-0.9.66/etc/profile-m-z/unrar.profile --- firejail-0.9.64.4/etc/profile-m-z/unrar.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unrar.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,8 +7,9 @@ # Persistent global definitions include globals.local -include archiver-common.inc - private-bin unrar private-etc alternatives,group,localtime,passwd private-tmp + +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/unxz.profile firejail-0.9.66/etc/profile-m-z/unxz.profile --- firejail-0.9.64.4/etc/profile-m-z/unxz.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unxz.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include unxz.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/unzip.profile firejail-0.9.66/etc/profile-m-z/unzip.profile --- firejail-0.9.64.4/etc/profile-m-z/unzip.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unzip.profile 2021-06-22 15:51:28.000000000 +0000 @@ -10,6 +10,7 @@ # GNOME Shell integration (chrome-gnome-shell) noblacklist ${HOME}/.local/share/gnome-shell -include archiver-common.inc - private-etc alternatives,group,localtime,passwd + +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/unzstd.profile firejail-0.9.66/etc/profile-m-z/unzstd.profile --- firejail-0.9.64.4/etc/profile-m-z/unzstd.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/unzstd.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update - # Persistent local customizations include unzstd.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/utox.profile firejail-0.9.66/etc/profile-m-z/utox.profile --- firejail-0.9.64.4/etc/profile-m-z/utox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/utox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/uudeview.profile firejail-0.9.66/etc/profile-m-z/uudeview.profile --- firejail-0.9.64.4/etc/profile-m-z/uudeview.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/uudeview.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ net none nodvd #nogroups +noinput nonewprivs #noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/viewnior.profile firejail-0.9.66/etc/profile-m-z/viewnior.profile --- firejail-0.9.64.4/etc/profile-m-z/viewnior.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/viewnior.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/viking.profile firejail-0.9.66/etc/profile-m-z/viking.profile --- firejail-0.9.64.4/etc/profile-m-z/viking.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/viking.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/vim.profile firejail-0.9.66/etc/profile-m-z/vim.profile --- firejail-0.9.64.4/etc/profile-m-z/vim.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vim.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/virtualbox.profile firejail-0.9.66/etc/profile-m-z/virtualbox.profile --- firejail-0.9.64.4/etc/profile-m-z/virtualbox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/virtualbox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ # For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630 +apparmor caps.keep net_raw,sys_nice netfilter nodvd @@ -43,8 +44,10 @@ tracelog #disable-mnt +#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami private-cache private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl +private-tmp dbus-user none dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/VirtualBox.profile firejail-0.9.66/etc/profile-m-z/VirtualBox.profile --- firejail-0.9.64.4/etc/profile-m-z/VirtualBox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/VirtualBox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for virtualbox # Description: x86 virtualization solution # This file is overwritten after every install/update - # Persistent local customizations include VirtualBox.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include virtualbox.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/vlc.profile firejail-0.9.66/etc/profile-m-z/vlc.profile --- firejail-0.9.64.4/etc/profile-m-z/vlc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vlc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -34,6 +34,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/vmware-player.profile firejail-0.9.66/etc/profile-m-z/vmware-player.profile --- firejail-0.9.64.4/etc/profile-m-z/vmware-player.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vmware-player.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,8 @@ +# Firejail profile for vmware-player +# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC. +# This file is overwritten after every install/update +# Persistent local customizations +include vmware-player.local + +# Redirect +include vmware.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/vmware.profile firejail-0.9.66/etc/profile-m-z/vmware.profile --- firejail-0.9.64.4/etc/profile-m-z/vmware.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vmware.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,6 +21,9 @@ mkdir ${HOME}/.vmware whitelist ${HOME}/.cache/vmware whitelist ${HOME}/.vmware +# Add the next lines to your vmware.local if you need to use "shared VM". +#whitelist /var/lib/vmware +#writable-var include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -34,6 +37,7 @@ tracelog #disable-mnt +# Add the next line to your vmware.local to enable private-bin. #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix dbus-user none diff -Nru firejail-0.9.64.4/etc/profile-m-z/vmware-view.profile firejail-0.9.66/etc/profile-m-z/vmware-view.profile --- firejail-0.9.64.4/etc/profile-m-z/vmware-view.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vmware-view.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,57 @@ +# Firejail profile for vmware-view +# Description: VMware Horizon Client +# This file is overwritten after every install/update +# Persistent local customizations +include vmware-view.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.vmware + +noblacklist /sbin +noblacklist /usr/sbin + +include allow-bin-sh.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.vmware +whitelist ${HOME}/.vmware +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +# Add 'ignore novideo' to your vmware-view.local if you need your webcam. +novideo +protocol unix,inet,inet6 +seccomp !iopl +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg +# Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox. +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/vmware-workstation.profile firejail-0.9.66/etc/profile-m-z/vmware-workstation.profile --- firejail-0.9.64.4/etc/profile-m-z/vmware-workstation.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vmware-workstation.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,8 @@ +# Firejail profile for vmware-workstation +# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC. +# This file is overwritten after every install/update +# Persistent local customizations +include vmware-workstation.local + +# Redirect +include vmware.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/vscodium.profile firejail-0.9.66/etc/profile-m-z/vscodium.profile --- firejail-0.9.64.4/etc/profile-m-z/vscodium.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vscodium.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for Visual Studio Code # This file is overwritten after every install/update - # Persistent local customizations include vscodium.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.VSCodium diff -Nru firejail-0.9.64.4/etc/profile-m-z/vulturesclaw.profile firejail-0.9.66/etc/profile-m-z/vulturesclaw.profile --- firejail-0.9.64.4/etc/profile-m-z/vulturesclaw.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vulturesclaw.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for nethack-vultures # This file is overwritten after every install/update - # Persistent local customizations include vulturesclaw.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist /var/games/vulturesclaw whitelist /var/games/vulturesclaw diff -Nru firejail-0.9.64.4/etc/profile-m-z/vultureseye.profile firejail-0.9.66/etc/profile-m-z/vultureseye.profile --- firejail-0.9.64.4/etc/profile-m-z/vultureseye.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vultureseye.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for nethack-vultures # This file is overwritten after every install/update - # Persistent local customizations include vultureseye.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist /var/games/vultureseye whitelist /var/games/vultureseye diff -Nru firejail-0.9.64.4/etc/profile-m-z/vym.profile firejail-0.9.66/etc/profile-m-z/vym.profile --- firejail-0.9.64.4/etc/profile-m-z/vym.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/vym.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/w3m.profile firejail-0.9.66/etc/profile-m-z/w3m.profile --- firejail-0.9.64.4/etc/profile-m-z/w3m.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/w3m.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,7 +7,7 @@ # Persistent global definitions include globals.local -# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole +# Add the next lines to your w3m.local if you want to use w3m-img on a vconsole. #ignore nogroups #ignore private-dev #ignore private-etc @@ -17,22 +17,37 @@ blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +mkdir ${HOME}/.w3m +whitelist /usr/share/w3m +whitelist ${DOWNLOADS} +whitelist ${HOME}/.w3m include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all +ipc-namespace +machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,8 +59,14 @@ shell none tracelog -# private-bin w3m +disable-mnt +private-bin perl,sh,w3m private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64.4/etc/profile-m-z/warmux.profile firejail-0.9.66/etc/profile-m-z/warmux.profile --- firejail-0.9.64.4/etc/profile-m-z/warmux.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/warmux.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/warsow.profile firejail-0.9.66/etc/profile-m-z/warsow.profile --- firejail-0.9.64.4/etc/profile-m-z/warsow.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/warsow.profile 2021-06-22 15:51:28.000000000 +0000 @@ -35,6 +35,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/warzone2100.profile firejail-0.9.66/etc/profile-m-z/warzone2100.profile --- firejail-0.9.64.4/etc/profile-m-z/warzone2100.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/warzone2100.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/waterfox.profile firejail-0.9.66/etc/profile-m-z/waterfox.profile --- firejail-0.9.64.4/etc/profile-m-z/waterfox.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/waterfox.profile 2021-06-22 15:51:28.000000000 +0000 @@ -13,14 +13,15 @@ whitelist ${HOME}/.cache/waterfox whitelist ${HOME}/.waterfox -# Uncomment (or add to watefox.local) the following lines if you want to -# use the migration wizard. +# Add the next lines to your watefox.local if you want to use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla # waterfox requires a shell to launch on Arch. We can possibly remove sh though. +# Add the next line to your waterfox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which -# private-etc must first be enabled in firefox-common.profile +# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be +# enabled in your firefox-common.local. #private-etc waterfox # Redirect diff -Nru firejail-0.9.64.4/etc/profile-m-z/webstorm.profile firejail-0.9.66/etc/profile-m-z/webstorm.profile --- firejail-0.9.64.4/etc/profile-m-z/webstorm.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/webstorm.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,12 +8,16 @@ noblacklist ${HOME}/.WebStorm* noblacklist ${HOME}/.android noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allow KDE file manager to open with log directories (blacklisted by disable-programs.inc) +noblacklist ${HOME}/.config/dolphinrc # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + noblacklist ${PATH}/node noblacklist ${HOME}/.nvm @@ -27,6 +31,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/webui-aria2.profile firejail-0.9.66/etc/profile-m-z/webui-aria2.profile --- firejail-0.9.64.4/etc/profile-m-z/webui-aria2.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/webui-aria2.profile 2021-06-22 15:51:28.000000000 +0000 @@ -20,6 +20,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/weechat-curses.profile firejail-0.9.66/etc/profile-m-z/weechat-curses.profile --- firejail-0.9.64.4/etc/profile-m-z/weechat-curses.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/weechat-curses.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for weechat # This file is overwritten after every install/update - # Persistent local customizations include weechat-curses.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include weechat.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/weechat.profile firejail-0.9.66/etc/profile-m-z/weechat.profile --- firejail-0.9.64.4/etc/profile-m-z/weechat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/weechat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -11,6 +11,7 @@ include disable-common.inc include disable-programs.inc +whitelist /usr/share/weechat include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64.4/etc/profile-m-z/wesnoth.profile firejail-0.9.66/etc/profile-m-z/wesnoth.profile --- firejail-0.9.64.4/etc/profile-m-z/wesnoth.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wesnoth.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ caps.drop all nodvd +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/wget.profile firejail-0.9.66/etc/profile-m-z/wget.profile --- firejail-0.9.64.4/etc/profile-m-z/wget.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wget.profile 2021-06-22 15:51:28.000000000 +0000 @@ -21,7 +21,7 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc -# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local +# Depending on workflow you can add the next line to your wget.local. #include disable-xdg.inc include whitelist-usr-share-common.inc @@ -35,6 +35,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -50,7 +51,7 @@ private-bin wget private-cache private-dev -# depending on workflow you can uncomment the below or put this private-etc in your wget.local +# Depending on workflow you can add the next line to your wget.local. #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc #private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/whois.profile firejail-0.9.66/etc/profile-m-z/whois.profile --- firejail-0.9.64.4/etc/profile-m-z/whois.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/whois.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/widelands.profile firejail-0.9.66/etc/profile-m-z/widelands.profile --- firejail-0.9.64.4/etc/profile-m-z/widelands.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/widelands.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/wine.profile firejail-0.9.66/etc/profile-m-z/wine.profile --- firejail-0.9.64.4/etc/profile-m-z/wine.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wine.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,14 +24,14 @@ # include whitelist-usr-share-common.inc include whitelist-var-common.inc -# some applications don't need allow-debuggers, comment the next line -# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local) +# Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. allow-debuggers caps.drop all # net none netfilter nodvd nogroups +noinput nonewprivs noroot # nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/wireshark-gtk.profile firejail-0.9.66/etc/profile-m-z/wireshark-gtk.profile --- firejail-0.9.64.4/etc/profile-m-z/wireshark-gtk.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wireshark-gtk.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for wireshark # Description: Network protocol analyzer # This file is overwritten after every install/update - # Persistent local customizations include wireshark-gtk.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include wireshark.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/wireshark.profile firejail-0.9.66/etc/profile-m-z/wireshark.profile --- firejail-0.9.64.4/etc/profile-m-z/wireshark.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wireshark.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ netfilter no3d # nogroups - breaks network traffic capture for unprivileged users +noinput # nonewprivs - breaks network traffic capture for unprivileged users # noroot nodvd @@ -39,11 +40,15 @@ nou2f novideo # protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols -seccomp +#seccomp shell none tracelog # private-bin wireshark +private-cache private-dev # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/wireshark-qt.profile firejail-0.9.66/etc/profile-m-z/wireshark-qt.profile --- firejail-0.9.64.4/etc/profile-m-z/wireshark-qt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wireshark-qt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for wireshark # Description: Network protocol analyzer # This file is overwritten after every install/update - # Persistent local customizations include wireshark-qt.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include wireshark.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/wordwarvi.profile firejail-0.9.66/etc/profile-m-z/wordwarvi.profile --- firejail-0.9.64.4/etc/profile-m-z/wordwarvi.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wordwarvi.profile 2021-06-22 15:51:28.000000000 +0000 @@ -30,6 +30,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/wps.profile firejail-0.9.66/etc/profile-m-z/wps.profile --- firejail-0.9.64.4/etc/profile-m-z/wps.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/wps.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,12 +23,13 @@ apparmor caps.drop all machine-id -# Uncomment the next line (or add to wps.local) if you don't use network features. +# Add the next line to your wps.local if you don't use network features. #net none netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,7 +37,7 @@ nou2f novideo protocol unix,inet,inet6 -# seccomp cause some minor issues, if you can live with them enable it. +# seccomp causes some minor issues. Add the next line to your wps.local if you can live with those. #seccomp shell none tracelog diff -Nru firejail-0.9.64.4/etc/profile-m-z/x2goclient.profile firejail-0.9.66/etc/profile-m-z/x2goclient.profile --- firejail-0.9.64.4/etc/profile-m-z/x2goclient.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/x2goclient.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,10 +6,12 @@ # Persistent global definitions include globals.local -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.x2go noblacklist ${HOME}/.x2goclient +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -24,6 +26,7 @@ #no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/xbill.profile firejail-0.9.66/etc/profile-m-z/xbill.profile --- firejail-0.9.64.4/etc/profile-m-z/xbill.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xbill.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xcalc.profile firejail-0.9.66/etc/profile-m-z/xcalc.profile --- firejail-0.9.64.4/etc/profile-m-z/xcalc.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xcalc.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xed.profile firejail-0.9.66/etc/profile-m-z/xed.profile --- firejail-0.9.64.4/etc/profile-m-z/xed.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xed.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/Xephyr.profile firejail-0.9.66/etc/profile-m-z/Xephyr.profile --- firejail-0.9.64.4/etc/profile-m-z/Xephyr.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/Xephyr.profile 2021-06-22 15:51:28.000000000 +0000 @@ -22,6 +22,7 @@ # Xephyr needs to be allowed access to the abstract Unix socket namespace. nodvd nogroups +noinput nonewprivs # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. # noroot diff -Nru firejail-0.9.64.4/etc/profile-m-z/xfce4-dict.profile firejail-0.9.66/etc/profile-m-z/xfce4-dict.profile --- firejail-0.9.64.4/etc/profile-m-z/xfce4-dict.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xfce4-dict.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xfce4-mixer.profile firejail-0.9.66/etc/profile-m-z/xfce4-mixer.profile --- firejail-0.9.64.4/etc/profile-m-z/xfce4-mixer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xfce4-mixer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,7 +19,7 @@ mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml -whitelist /usr/share/gstreamer +whitelist /usr/share/gstreamer-* whitelist /usr/share/xfce4 whitelist /usr/share/xfce4-mixer include whitelist-common.inc @@ -33,6 +33,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/xfce4-notes.profile firejail-0.9.66/etc/profile-m-z/xfce4-notes.profile --- firejail-0.9.64.4/etc/profile-m-z/xfce4-notes.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xfce4-notes.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xfce4-screenshooter.profile firejail-0.9.66/etc/profile-m-z/xfce4-screenshooter.profile --- firejail-0.9.64.4/etc/profile-m-z/xfce4-screenshooter.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xfce4-screenshooter.profile 2021-06-22 15:51:28.000000000 +0000 @@ -29,6 +29,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/xiphos.profile firejail-0.9.66/etc/profile-m-z/xiphos.profile --- firejail-0.9.64.4/etc/profile-m-z/xiphos.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xiphos.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xlinks2 firejail-0.9.66/etc/profile-m-z/xlinks2 --- firejail-0.9.64.4/etc/profile-m-z/xlinks2 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xlinks2 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,20 @@ +# Firejail profile for xlinks2 +# Description: Text WWW browser (X11) +# This file is overwritten after every install/update +# Persistent local customizations +include xlinks2.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist /tmp/.X11-unix + +include whitelist-common.inc + +# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' +# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line +private-bin xlinks2 +private-etc fonts + +# Redirect +include links2.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xlinks.profile firejail-0.9.66/etc/profile-m-z/xlinks.profile --- firejail-0.9.64.4/etc/profile-m-z/xlinks.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xlinks.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,7 +8,6 @@ #include globals.local noblacklist /tmp/.X11-unix -noblacklist ${HOME}/.links include whitelist-common.inc diff -Nru firejail-0.9.64.4/etc/profile-m-z/XMind.profile firejail-0.9.66/etc/profile-m-z/XMind.profile --- firejail-0.9.64.4/etc/profile-m-z/XMind.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/XMind.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/xmms.profile firejail-0.9.66/etc/profile-m-z/xmms.profile --- firejail-0.9.64.4/etc/profile-m-z/xmms.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xmms.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,6 +19,7 @@ caps.drop all netfilter no3d +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/xmr-stak.profile firejail-0.9.66/etc/profile-m-z/xmr-stak.profile --- firejail-0.9.64.4/etc/profile-m-z/xmr-stak.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xmr-stak.profile 2021-06-22 15:51:28.000000000 +0000 @@ -24,6 +24,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xonotic-glx.profile firejail-0.9.66/etc/profile-m-z/xonotic-glx.profile --- firejail-0.9.64.4/etc/profile-m-z/xonotic-glx.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xonotic-glx.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update - # Persistent local customizations include xonotic-glx.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include xonotic.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xonotic.profile firejail-0.9.66/etc/profile-m-z/xonotic.profile --- firejail-0.9.64.4/etc/profile-m-z/xonotic.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xonotic.profile 2021-06-22 15:51:28.000000000 +0000 @@ -8,12 +8,16 @@ noblacklist ${HOME}/.xonotic +include allow-bin-sh.inc +include allow-opengl-game.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.xonotic @@ -29,6 +33,7 @@ netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -41,7 +46,7 @@ disable-mnt private-cache -private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity +private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic* private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-tmp diff -Nru firejail-0.9.64.4/etc/profile-m-z/xonotic-sdl.profile firejail-0.9.66/etc/profile-m-z/xonotic-sdl.profile --- firejail-0.9.64.4/etc/profile-m-z/xonotic-sdl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xonotic-sdl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update - # Persistent local customizations include xonotic-sdl.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include xonotic.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xournal.profile firejail-0.9.66/etc/profile-m-z/xournal.profile --- firejail-0.9.64.4/etc/profile-m-z/xournal.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xournal.profile 2021-06-22 15:51:28.000000000 +0000 @@ -28,6 +28,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xpdf.profile firejail-0.9.66/etc/profile-m-z/xpdf.profile --- firejail-0.9.64.4/etc/profile-m-z/xpdf.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xpdf.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xplayer.profile firejail-0.9.66/etc/profile-m-z/xplayer.profile --- firejail-0.9.64.4/etc/profile-m-z/xplayer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xplayer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -32,6 +32,7 @@ caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff -Nru firejail-0.9.64.4/etc/profile-m-z/xpra.profile firejail-0.9.66/etc/profile-m-z/xpra.profile --- firejail-0.9.64.4/etc/profile-m-z/xpra.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xpra.profile 2021-06-22 15:51:28.000000000 +0000 @@ -33,6 +33,7 @@ # xpra needs to be allowed access to the abstract Unix socket namespace. nodvd nogroups +noinput nonewprivs # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. #noroot diff -Nru firejail-0.9.64.4/etc/profile-m-z/xreader.profile firejail-0.9.66/etc/profile-m-z/xreader.profile --- firejail-0.9.64.4/etc/profile-m-z/xreader.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xreader.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/x-terminal-emulator.profile firejail-0.9.66/etc/profile-m-z/x-terminal-emulator.profile --- firejail-0.9.64.4/etc/profile-m-z/x-terminal-emulator.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/x-terminal-emulator.profile 2021-06-22 15:51:28.000000000 +0000 @@ -9,6 +9,7 @@ ipc-namespace net none nogroups +noinput noroot nou2f protocol unix diff -Nru firejail-0.9.64.4/etc/profile-m-z/Xvfb.profile firejail-0.9.66/etc/profile-m-z/Xvfb.profile --- firejail-0.9.64.4/etc/profile-m-z/Xvfb.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/Xvfb.profile 2021-06-22 15:51:28.000000000 +0000 @@ -25,6 +25,7 @@ # Xvfb needs to be allowed access to the abstract Unix socket namespace. nodvd nogroups +noinput nonewprivs # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. #noroot diff -Nru firejail-0.9.64.4/etc/profile-m-z/xviewer.profile firejail-0.9.66/etc/profile-m-z/xviewer.profile --- firejail-0.9.64.4/etc/profile-m-z/xviewer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xviewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -26,6 +26,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzcat.profile firejail-0.9.66/etc/profile-m-z/xzcat.profile --- firejail-0.9.64.4/etc/profile-m-z/xzcat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzcat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include xzcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzcmp.profile firejail-0.9.66/etc/profile-m-z/xzcmp.profile --- firejail-0.9.64.4/etc/profile-m-z/xzcmp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzcmp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include xzcmp.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzdec.profile firejail-0.9.66/etc/profile-m-z/xzdec.profile --- firejail-0.9.64.4/etc/profile-m-z/xzdec.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzdec.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,4 +7,5 @@ # Persistent global definitions include globals.local -include archiver-common.inc +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzdiff.profile firejail-0.9.66/etc/profile-m-z/xzdiff.profile --- firejail-0.9.64.4/etc/profile-m-z/xzdiff.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzdiff.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include xzdiff.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzegrep.profile firejail-0.9.66/etc/profile-m-z/xzegrep.profile --- firejail-0.9.64.4/etc/profile-m-z/xzegrep.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzegrep.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include xzegrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzfgrep.profile firejail-0.9.66/etc/profile-m-z/xzfgrep.profile --- firejail-0.9.64.4/etc/profile-m-z/xzfgrep.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzfgrep.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include xzfgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzgrep.profile firejail-0.9.66/etc/profile-m-z/xzgrep.profile --- firejail-0.9.64.4/etc/profile-m-z/xzgrep.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzgrep.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for cpio # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Persistent local customizations include xzgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzless.profile firejail-0.9.66/etc/profile-m-z/xzless.profile --- firejail-0.9.64.4/etc/profile-m-z/xzless.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzless.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,9 +1,11 @@ # Firejail profile alias for cpio # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update - # Persistent local customizations include xzless.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xzmore.profile firejail-0.9.66/etc/profile-m-z/xzmore.profile --- firejail-0.9.64.4/etc/profile-m-z/xzmore.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xzmore.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include xzmore.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/xz.profile firejail-0.9.66/etc/profile-m-z/xz.profile --- firejail-0.9.64.4/etc/profile-m-z/xz.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/xz.profile 2021-06-22 15:51:28.000000000 +0000 @@ -2,9 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet - # Persistent local customizations include xz.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/yarn.profile firejail-0.9.66/etc/profile-m-z/yarn.profile --- firejail-0.9.64.4/etc/profile-m-z/yarn.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/yarn.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,24 +6,5 @@ # Persistent global definitions include globals.local -ignore read-only ${HOME}/.yarnrc - -noblacklist ${HOME}/.yarn -noblacklist ${HOME}/.yarn-config -noblacklist ${HOME}/.yarncache -noblacklist ${HOME}/.yarnrc - -# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below. -#mkdir ${HOME}/.yarn -#mkdir ${HOME}/.yarn-config -#mkdir ${HOME}/.yarncache -#mkfile ${HOME}/.yarnrc -#whitelist ${HOME}/.yarn -#whitelist ${HOME}/.yarn-config -#whitelist ${HOME}/.yarncache -#whitelist ${HOME}/.yarnrc -#whitelist ${HOME}/Projects -#include whitelist-common.inc - # Redirect include nodejs-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/yelp.profile firejail-0.9.66/etc/profile-m-z/yelp.profile --- firejail-0.9.64.4/etc/profile-m-z/yelp.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/yelp.profile 2021-06-22 15:51:28.000000000 +0000 @@ -19,6 +19,7 @@ mkdir ${HOME}/.config/yelp whitelist ${HOME}/.config/yelp +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/doc whitelist /usr/share/groff whitelist /usr/share/help @@ -33,14 +34,15 @@ apparmor caps.drop all -# machine-id breaks sound - uncomment here or put it in your yelp.local if you don't need it +# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support. #machine-id net none nodvd nogroups +noinput nonewprivs noroot -# nosound - uncomment here or put it in your yelp.local if you don't need it +# nosound - add the next line to your yelp.local if you don't need sound support. #nosound notv nou2f @@ -66,11 +68,11 @@ # read-only ${HOME} breaks some features: # 1. yelp --editor-mode # 2. saving the window geometry -# comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features +# add 'ignore read-only ${HOME}' to your yelp.local if you need these features. read-only ${HOME} read-write ${HOME}/.cache # 3. printing to PDF in ${DOCUMENTS} -# additionally uncomment the lines below or put 'noblacklist ${DOCUMENTS}' and -# 'whitelist ${DOCUMENTS}' into your yelp.local if you need printing to PDF support +# additionally add 'noblacklist ${DOCUMENTS}' and 'whitelist ${DOCUMENTS}' to +# your yelp.local if you need PDF printing support. #noblacklist ${DOCUMENTS} #whitelist ${DOCUMENTS} diff -Nru firejail-0.9.64.4/etc/profile-m-z/youtube-dl-gui.profile firejail-0.9.66/etc/profile-m-z/youtube-dl-gui.profile --- firejail-0.9.64.4/etc/profile-m-z/youtube-dl-gui.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/youtube-dl-gui.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,57 @@ +# Firejail profile for youtube-dl-gui +# Description: A cross platform front-end GUI of the popular youtube-dl media downloader +include youtube-dl-gui.local +# This file is overwritten after every install/update +include globals.local + +#These are blacklisted by disable-interpreters.inc +include allow-python2.inc +include allow-python3.inc + +noblacklist ${HOME}/.config/youtube-dlg + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/youtube-dlg +whitelist ${HOME}/.config/youtube-dlg +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/youtube-dl.profile firejail-0.9.66/etc/profile-m-z/youtube-dl.profile --- firejail-0.9.64.4/etc/profile-m-z/youtube-dl.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/youtube-dl.profile 2021-06-22 15:51:28.000000000 +0000 @@ -43,6 +43,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/youtube-viewer.profile firejail-0.9.66/etc/profile-m-z/youtube-viewer.profile --- firejail-0.9.64.4/etc/profile-m-z/youtube-viewer.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/youtube-viewer.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,47 +7,15 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/youtube-viewer noblacklist ${HOME}/.config/youtube-viewer -include allow-perl.inc -include allow-python2.inc -include allow-python3.inc - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - +mkdir ${HOME}/.cache/youtube-viewer mkdir ${HOME}/.config/youtube-viewer +whitelist ${HOME}/.cache/youtube-viewer whitelist ${HOME}/.config/youtube-viewer -include whitelist-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog -disable-mnt -private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer -private-cache -private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg -private-tmp +private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer -dbus-user none -dbus-system none +# Redirect +include youtube-viewers-common.profile \ No newline at end of file diff -Nru firejail-0.9.64.4/etc/profile-m-z/youtube-viewers-common.profile firejail-0.9.66/etc/profile-m-z/youtube-viewers-common.profile --- firejail-0.9.64.4/etc/profile-m-z/youtube-viewers-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/youtube-viewers-common.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,61 @@ +# Firejail profile for youtube-viewer clones +# Description: common profile for Trizen's Youtube viewers +# This file is overwritten after every install/update +# Persistent local customizations +include youtube-viewers-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +noblacklist ${HOME}/.cache/youtube-dl + +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64.4/etc/profile-m-z/zaproxy.profile firejail-0.9.66/etc/profile-m-z/zaproxy.profile --- firejail-0.9.64.4/etc/profile-m-z/zaproxy.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zaproxy.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/zart.profile firejail-0.9.66/etc/profile-m-z/zart.profile --- firejail-0.9.64.4/etc/profile-m-z/zart.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zart.profile 2021-06-22 15:51:28.000000000 +0000 @@ -23,6 +23,7 @@ net none nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/profile-m-z/zathura.profile firejail-0.9.66/etc/profile-m-z/zathura.profile --- firejail-0.9.64.4/etc/profile-m-z/zathura.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zathura.profile 2021-06-22 15:51:28.000000000 +0000 @@ -17,12 +17,14 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +include disable-write-mnt.inc include disable-xdg.inc mkdir ${HOME}/.config/zathura mkdir ${HOME}/.local/share/zathura whitelist /usr/share/doc whitelist /usr/share/zathura +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -32,6 +34,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,6 +43,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64.4/etc/profile-m-z/zeal.profile firejail-0.9.66/etc/profile-m-z/zeal.profile --- firejail-0.9.64.4/etc/profile-m-z/zeal.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zeal.profile 2021-06-22 15:51:28.000000000 +0000 @@ -36,6 +36,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/ZeGrapher.profile firejail-0.9.66/etc/profile-m-z/ZeGrapher.profile --- firejail-0.9.64.4/etc/profile-m-z/ZeGrapher.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/ZeGrapher.profile 2021-06-22 15:51:28.000000000 +0000 @@ -27,6 +27,7 @@ net none nodvd nogroups +noinput nonewprivs noroot nosound diff -Nru firejail-0.9.64.4/etc/profile-m-z/zoom.profile firejail-0.9.66/etc/profile-m-z/zoom.profile --- firejail-0.9.64.4/etc/profile-m-z/zoom.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zoom.profile 2021-06-22 15:51:28.000000000 +0000 @@ -6,14 +6,14 @@ # Persistent global definitions include globals.local -# Disabled until someone reported positive feedback +# Disabled until someone reports positive feedback. ignore apparmor ignore novideo ignore dbus-user none ignore dbus-system none # nogroups breaks webcam access on non-systemd systems (see #3711). -# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local +# If you use such a system, add 'ignore nogroups' to your zoom.local. #ignore nogroups noblacklist ${HOME}/.config/zoomus.conf diff -Nru firejail-0.9.64.4/etc/profile-m-z/zstdcat.profile firejail-0.9.66/etc/profile-m-z/zstdcat.profile --- firejail-0.9.64.4/etc/profile-m-z/zstdcat.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zstdcat.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update - # Persistent local customizations include zstdcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/zstdgrep.profile firejail-0.9.66/etc/profile-m-z/zstdgrep.profile --- firejail-0.9.64.4/etc/profile-m-z/zstdgrep.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zstdgrep.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update - # Persistent local customizations include zstdgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/zstdless.profile firejail-0.9.66/etc/profile-m-z/zstdless.profile --- firejail-0.9.64.4/etc/profile-m-z/zstdless.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zstdless.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update - # Persistent local customizations include zstdless.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/zstdmt.profile firejail-0.9.66/etc/profile-m-z/zstdmt.profile --- firejail-0.9.64.4/etc/profile-m-z/zstdmt.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zstdmt.profile 2021-06-22 15:51:28.000000000 +0000 @@ -1,8 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update - # Persistent local customizations include zstdmt.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/zstd.profile firejail-0.9.66/etc/profile-m-z/zstd.profile --- firejail-0.9.64.4/etc/profile-m-z/zstd.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zstd.profile 2021-06-22 15:51:28.000000000 +0000 @@ -7,4 +7,5 @@ # Persistent global definitions include globals.local -include archiver-common.inc +# Redirect +include archiver-common.profile diff -Nru firejail-0.9.64.4/etc/profile-m-z/zulip.profile firejail-0.9.66/etc/profile-m-z/zulip.profile --- firejail-0.9.64.4/etc/profile-m-z/zulip.profile 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/profile-m-z/zulip.profile 2021-06-22 15:51:28.000000000 +0000 @@ -31,6 +31,7 @@ no3d nodvd nogroups +noinput nonewprivs noroot notv diff -Nru firejail-0.9.64.4/etc/templates/profile.template firejail-0.9.66/etc/templates/profile.template --- firejail-0.9.64.4/etc/templates/profile.template 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/templates/profile.template 2021-06-22 15:51:28.000000000 +0000 @@ -1,17 +1,17 @@ # Firejail profile for PROGRAM_NAME -# Description: DESCRIPTION +# Description: DESCRIPTION OF THE PROGRAM # This file is overwritten after every install/update # --- CUT HERE --- -# This is a generic template to help you with creation of profiles -# for new programs. PRs welcome at https://github.com/netblue30/firejail/. +# This is a generic template to help you create profiles. +# PRs welcome at https://github.com/netblue30/firejail/. # # Rules to follow: # - lines with one # are often used in profiles # - lines with two ## are only needed in special situations # - make the profile as restrictive as possible while still keeping the program useful -# (e. g. a program that is unable to save user's work is considered bad practice) -# - dedicate some time (based on the complexity of the application) to profile testing before raising -# a pull request +# (e.g. a program that is unable to save user's work is considered bad practice) +# - dedicate ample time (based on the complexity of the application) to profile testing before +# submitting a pull request # - keep the sections structure, use a single empty line as separator # - entries within sections are alphabetically sorted # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware @@ -42,7 +42,7 @@ # ${DOCUMENTS} # ${DOWNLOADS} # ${HOME} (user's home) -# ${PATH} (contents of PATH envvar) +# ${PATH} (contents of PATH env var) # ${MUSIC} # ${RUNUSER} (/run/user/UID) # ${VIDEOS} @@ -59,14 +59,6 @@ ##ignore noexec ${HOME} ##ignore noexec /tmp -##blacklist PATH -# Disable X11 (CLI only), see also 'x11 none' below -#blacklist /tmp/.X11-unix -# Disable Wayland -#blacklist ${RUNUSER}/wayland-* -# Disable RUNUSER (cli only) -#blacklist ${RUNUSER} - # It is common practice to add files/dirs containing program-specific configuration # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc # (keep list sorted) and then disable blacklisting below. @@ -81,12 +73,14 @@ # `ls -aR` #noblacklist PATH -# Allow python (blacklisted by disable-interpreters.inc) -#include allow-python2.inc -#include allow-python3.inc +# Allow /bin/sh (blacklisted by disable-shell.inc) +#include allow-bin-sh.inc -# Allow perl (blacklisted by disable-interpreters.inc) -#include allow-perl.inc +# Allows files commonly used by IDEs +#include allow-common-devel.inc + +# Allow gjs (blacklisted by disable-interpreters.inc) +#include allow-gjs.inc # Allow java (blacklisted by disable-devel.inc) #include allow-java.inc @@ -94,15 +88,32 @@ # Allow lua (blacklisted by disable-interpreters.inc) #include allow-lua.inc +# Allow perl (blacklisted by disable-interpreters.inc) +#include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) +#include allow-python2.inc +#include allow-python3.inc + # Allow ruby (blacklisted by disable-interpreters.inc) #include allow-ruby.inc -# Allow gjs (blacklisted by disable-interpreters.inc) -#include allow-gjs.inc +# Allow ssh (blacklisted by disable-common.inc) +#include allow-ssh.inc -# Allows files commonly used by IDEs -#include allow-common-devel.inc +##blacklist PATH +# Disable X11 (CLI only), see also 'x11 none' below +#blacklist /tmp/.X11-unix +# Disable Wayland +#blacklist ${RUNUSER}/wayland-* +# Disable RUNUSER (cli only; supersedes Disable Wayland) +#blacklist ${RUNUSER} +# Remove the next blacklist if you system has no /usr/libexec dir, +# otherwise try to add it. +#blacklist /usr/libexec +# disable-*.inc includes +# remove disable-write-mnt.inc if you set disable-mnt #include disable-common.inc #include disable-devel.inc #include disable-exec.inc @@ -114,10 +125,10 @@ #include disable-xdg.inc # This section often mirrors noblacklist section above. The idea is -# that if a user feels too restricted (he's unable to save files into -# home directory for instance) he/she may disable whitelist (nowhitelist) +# that if a user feels too restricted (e.g. unable to save files into +# home directory) they may disable whitelist (nowhitelist) # in PROFILE.local but still be protected by BLACKLISTS section -# (further explanation at https://github.com/netblue30/firejail/issues/1569) +# (explanation at https://github.com/netblue30/firejail/issues/1569) #mkdir PATH ##mkfile PATH #whitelist PATH @@ -133,7 +144,7 @@ ##hostname NAME # CLI only ##ipc-namespace -# breaks sound and sometime dbus related functions +# breaks audio and sometimes dbus related functions #machine-id # 'net none' or 'netfilter' #net none @@ -142,6 +153,7 @@ ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) #nodvd #nogroups +#noinput #nonewprivs #noroot #nosound @@ -152,13 +164,13 @@ # - unix is usually needed # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) # - netlink is rarely needed -# - packet almost never -#protocol unix,inet,inet6,netlink,packet +# - packet and bluetooth almost never +#protocol unix,inet,inet6,netlink,packet,bluetooth #seccomp ##seccomp !chroot ##seccomp.drop SYSCALLS (see syscalls.txt) #seccomp.block-secondary -##seccomp-error-action log (Only for debugging seccomp issues) +##seccomp-error-action log (only for debugging seccomp issues) #shell none #tracelog # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set @@ -173,16 +185,16 @@ #private-etc FILES # private-etc templates (see also #1734, #2093) # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg -# Extra: magic,magic.mgc,passwd,group -# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc -# Extra: proxychains.conf,gai.conf -# Sound: alsa,asound.conf,pulse,machine-id +# Extra: group,magic,magic.mgc,passwd +# 3D: bumblebee,drirc,glvnd,nvidia +# Audio: alsa,asound.conf,machine-id,pulse +# D-Bus: dbus-1,machine-id # GUI: fonts,pango,X11 # GTK: dconf,gconf,gtk-2.0,gtk-3.0 -# Qt: Trolltech.conf # KDE: kde4rc,kde5rc -# 3D: drirc,glvnd,bumblebee,nvidia -# D-Bus: dbus-1,machine-id +# Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +# Extra: gai.conf,proxychains.conf +# Qt: Trolltech.conf ##private-lib LIBS ##private-opt NAME #private-tmp @@ -191,15 +203,16 @@ ##writable-var ##writable-var-log -# Since 0.9.63 also a more granular regulation of dbus is supported. -# To get the dbus-addresses to which an application needs access to. -# You can look at flatpak if the application is also distriputed via flatpak: +# Since 0.9.63 also a more granular control of dbus is supported. +# To get the dbus-addresses an application needs access to you can +# check with flatpak (when the application is distriputed that way): # flatpak remote-info --show-metadata flathub # Notes: # - flatpak implicitly allows an app to own on the session bus -# - In order to make dconf work (if it is used by the app) you need to allow -# 'ca.desrt.dconf' even if it is not allowed by flatpak. -# Notes and Policiy about addresses can be found at +# - Some features like native notifications are implemented as portal too. +# - In order to make dconf work (when used by the app) you need to allow +# 'ca.desrt.dconf' even when not allowed by flatpak. +# Notes and policies about addresses can be found at # #dbus-user filter #dbus-user.own com.github.netblue30.firejail @@ -208,7 +221,8 @@ #dbus-system none ##env VAR=VALUE +##join-or-start NAME #memory-deny-write-execute ##noexec PATH ##read-only ${HOME} -##join-or-start NAME +##read-write ${HOME} diff -Nru firejail-0.9.64.4/etc/templates/syscalls.txt firejail-0.9.66/etc/templates/syscalls.txt --- firejail-0.9.64.4/etc/templates/syscalls.txt 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/etc/templates/syscalls.txt 2021-06-27 18:11:48.000000000 +0000 @@ -33,10 +33,10 @@ @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext -@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup +@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup @default-nodebuggers=@default,ptrace,personality,process_vm_readv @default-keep=execveat,execve,prctl -@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes +@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget @keyring=add_key,keyctl,request_key diff -Nru firejail-0.9.64.4/install.sh firejail-0.9.66/install.sh --- firejail-0.9.64.4/install.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/install.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 echo "installing..." diff -Nru firejail-0.9.64.4/Makefile.in firejail-0.9.66/Makefile.in --- firejail-0.9.64.4/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -21,13 +21,17 @@ MAN_SRC = src/man endif +COMPLETIONDIRS = src/zsh_completion src/bash_completion + +.PHONY: all all: all_items mydirs $(MAN_TARGET) filters -APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats -SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee +APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck +SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter -MYDIRS = src/lib $(MAN_SRC) +MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so -MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 +COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion +MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) @@ -42,7 +46,6 @@ $(MYDIRS): $(MAKE) -C $@ - $(MANPAGES): src/man ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ @@ -70,6 +73,7 @@ seccomp.mdwx.32: src/fseccomp/fseccomp src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 +.PHONY: clean clean: for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ $(MAKE) -C $$dir clean; \ @@ -89,6 +93,7 @@ rm -f test/sysutils/firejail_t* cd test/compile; ./compile.sh --clean; cd ../.. +.PHONY: distclean distclean: clean for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ $(MAKE) -C $$dir distclean; \ @@ -107,6 +112,8 @@ install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) # firecfg executable install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) + # jailcheck executable + install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) # libraries and plugins install -m 0755 -d $(DESTDIR)$(libdir)/firejail install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config @@ -159,6 +166,9 @@ install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg + # zsh completion + install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions + install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/ install: all $(MAKE) realinstall @@ -172,6 +182,7 @@ rm -f $(DESTDIR)$(bindir)/firemon rm -f $(DESTDIR)$(bindir)/firecfg rm -fr $(DESTDIR)$(libdir)/firejail + rm -fr $(DESTDIR)$(libdir)/jailcheck rm -fr $(DESTDIR)$(datarootdir)/doc/firejail for man in $(MANPAGES); do \ rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ @@ -183,7 +194,7 @@ @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES" -DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" +DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot" dist: mv config.status config.status.old @@ -224,24 +235,23 @@ scan-build: clean NO_EXTRA_CFLAGS="yes" scan-build make - # # make test # -TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters arguments fs fcopy fnetfilter +TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) $(TEST_TARGETS): $(MAKE) -C test $(subst test-,,$@) -test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" -test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" -test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments +test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment echo "TEST COMPLETE" ########################################## diff -Nru firejail-0.9.64.4/mkdeb.sh.in firejail-0.9.66/mkdeb.sh.in --- firejail-0.9.64.4/mkdeb.sh.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/mkdeb.sh.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ diff -Nru firejail-0.9.64.4/mketc.sh firejail-0.9.66/mketc.sh --- firejail-0.9.64.4/mketc.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/mketc.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 sed -i -e ' diff -Nru firejail-0.9.64.4/mkman.sh firejail-0.9.66/mkman.sh --- firejail-0.9.64.4/mkman.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/mkman.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set -e diff -Nru firejail-0.9.64.4/platform/debian/copyright firejail-0.9.66/platform/debian/copyright --- firejail-0.9.64.4/platform/debian/copyright 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/platform/debian/copyright 2021-06-22 15:51:28.000000000 +0000 @@ -7,7 +7,7 @@ and networking stack isolation, and it runs on any recent Linux system. It includes a sandbox profile for Mozilla Firefox. - Copyright (C) 2014-2020 Firejail Authors (see README file for more details) + Copyright (C) 2014-2021 Firejail Authors (see README file for more details) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff -Nru firejail-0.9.64.4/platform/rpm/firejail.spec firejail-0.9.66/platform/rpm/firejail.spec --- firejail-0.9.64.4/platform/rpm/firejail.spec 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/platform/rpm/firejail.spec 2021-06-22 15:51:28.000000000 +0000 @@ -35,14 +35,17 @@ %attr(4755, -, -) %{_bindir}/__NAME__ %{_bindir}/firecfg %{_bindir}/firemon +%{_bindir}/jailcheck %{_libdir}/__NAME__ %{_datarootdir}/bash-completion/completions/__NAME__ %{_datarootdir}/bash-completion/completions/firecfg %{_datarootdir}/bash-completion/completions/firemon +%{_datarootdir}/zsh/site-functions/_firejail %{_docdir}/__NAME__ %{_mandir}/man1/__NAME__.1.gz %{_mandir}/man1/firecfg.1.gz %{_mandir}/man1/firemon.1.gz +%{_mandir}/man1/jailcheck.1.gz %{_mandir}/man5/__NAME__-login.5.gz %{_mandir}/man5/__NAME__-profile.5.gz %{_mandir}/man5/__NAME__-users.5.gz diff -Nru firejail-0.9.64.4/platform/rpm/mkrpm.sh firejail-0.9.66/platform/rpm/mkrpm.sh --- firejail-0.9.64.4/platform/rpm/mkrpm.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/platform/rpm/mkrpm.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # Usage: ./platform/rpm/mkrpm.sh firejail "" diff -Nru firejail-0.9.64.4/README firejail-0.9.66/README --- firejail-0.9.64.4/README 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/README 2021-06-28 00:14:53.000000000 +0000 @@ -12,6 +12,8 @@ Download: https://sourceforge.net/projects/firejail/files/ Build and install: ./configure && make && sudo make install Documentation and support: https://firejail.wordpress.com/ +Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA +Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ Development: https://github.com/netblue30/firejail License: GPL v2 @@ -40,10 +42,12 @@ - curiosityseeker (https://github.com/curiosityseeker) - glitsj16 (https://github.com/glitsj16) - Fred-Barclay (https://github.com/Fred-Barclay) +- Kelvin M. Klann (https://github.com/kmk3) - Kristóf Marussy (https://github.com/kris7t) +- Neo00001 (https://github.com/Neo00001) - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) - rusty-snake (https://github.com/rusty-snake) -- smithsohu (https://github.com/smitsohu) +- smitsohu (https://github.com/smitsohu) - SkewedZeppelin (https://github.com/SkewedZeppelin) - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) - Topi Miettinen (https://github.com/topimiettinen) @@ -73,6 +77,11 @@ - whitelist Bohemia Interactive config dir for Steam Akhil Hans Maulloo (https://github.com/kouul) - xz profile +Albin Kauffmann (https://github.com/albinou) + - Firefox and Chromium profile fixes + - info to allow screen sharing in profiles +Alex Leahu (https://github.com/alxjsn) + - fix screen sharing configuration on Wayland Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) - src/lib/libnetlink.c extracted from iproute2 software package Aleksey Manevich (https://github.com/manevich) @@ -102,6 +111,7 @@ - whois profile fix - added profile for strawberry - w3m profile fix + - disable seccomp in wireshark profile Andreas Hunkeler (https://github.com/Karneades) - Add profile for offical Linux Teams application Andrey Alekseenko (https://github.com/al42and) @@ -162,9 +172,12 @@ - removing net none from code.profile bbhtt (https://github.com/bbhtt) - improvements to balsa,fractal,gajim,trojita profiles - - improvements to nheko, spectral, feh, links, lynx profiles - - added alacartem com.github.bleakgrey.tootle, photoflare profiles + - improvements to nheko, spectral, feh, links, lynx, smplayer profiles + - added alacarte, com.github.bleakgrey.tootle, photoflare profiles - add profiles for MS Edge dev build for Linux and Librewolf + - fixes to cheese, authenticator, liferea + - add profile for straw-viewer + - email clients whitelisting and fixes Benjamin Kampmann (https://github.com/ligthyear) - Forward exit code from child process bitfreak25 (https://github.com/bitfreak25) @@ -193,6 +206,7 @@ - fixup geary - add gradio profile - update virtualbox.profile + - Quodlibet profile BytesTuner (https://github.com/BytesTuner) - provided keepassxc profile caoliver (https://github.com/caoliver) @@ -268,6 +282,7 @@ Davide Beatrici (https://github.com/davidebeatrici) - steam.profile: correctly blacklist unneeded directories in user's home - minetest fixes + - map /dev/input with "--private-dev", add "--no-input" option to disable it David Hyrule (https://github.com/Svaag) - remove nou2f in ssh profile Deelvesh Bunjun (https://github.com/DeelveshBunjun) @@ -315,6 +330,7 @@ - (la)tex profiles - fixed transmission-common.profile - fixed standardnotes-desktop.profile + - fix jailprober.py floxo (https://github.com/floxo) - fixed qml disk cache issue Franco (nextime) Lanza (https://github.com/nextime) @@ -424,6 +440,8 @@ - added --overlay-named=name and --overlay-path=path Hans-Christoph Steiner (https://github.com/eighthave) - added xournal profile +Harald Kubota (https://github.com/haraldkubota) + - zsh completion hawkey116477 (https://github.com/hawkeye116477) - added Waterfox profile - updated Cyberfox profile @@ -449,11 +467,15 @@ - added mumble profile intika (https://github.com/intika) - added musixmatch profile +irandms (https://github.com/irandms) + - man firecfg fixes irregulator (https://github.com/irregulator) - thunderbird profile fixes for debian stretch Irvine (https://github.com/Irvinehimself) - added conky profile - added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles +Ivan (https://github.com/ordinary-dev) + - fix telegram profile Ivan Kozik (https://github.com/ivan) - speed up sandbox exit Jaykishan Mutkawoa (https://github.com/jmutkawoa) @@ -483,6 +505,7 @@ - fixed spotify.profile Jeff Squyres (https://github.com/jsquyres) - various manpage fixes + - cmdline.c: optionally quote the resulting command line Jericho (https://github.com/attritionorg) - spelling Jesse Smith (https://github.com/slicer69) @@ -507,6 +530,7 @@ - Add davfs2 secrets file to blacklist - Add profile for udiskie - fix udiskie.profile + - improve hints for allowing browser access to Gnome extensions connector jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile @@ -541,6 +565,8 @@ - okular profile fixes - jitsi-meet-desktop profile - konversatin profile fix + - added Neochat profile + - added whitelist-1793-workaround.inc KOLANICH (https://github.com/KOLANICH) - added symlink fixer fix_private-bin.py in contrib section - update fix_private-bin.py @@ -550,6 +576,10 @@ - whitelisting evolution, kmail Kristóf Marussy (https://github.com/kris7t) - dns support +kuesji koesnu (https://github.com/kuesji) + - unit suffixes for rlimit-fsize and rlimit-as + - util.c and firejail.h fixes + - better parser for size strings Kunal Mehta (https://github.com/legoktm) - converted all links to https in manpages laniakea64 (https://github.com/laniakea64) @@ -596,6 +626,8 @@ - seccomp errno filter support Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes +Matthew Cline (https://github.com/matthew-cline) + - steam profile and dropbox profile fixes matu3ba (https://github.com/matu3ba) - evince hardening, dbus removed - fix dia profile @@ -607,6 +639,8 @@ - added --noautopulse command line option Michael Haas (https://github.com/mhaas) - bugfixes +Michael Hoffmann (https://github.com/brisad) + - added support for subdirs in private-etc Mike Frysinger (vapier@gentoo.org) - Gentoo compile patch mirabellette (https://github.com/mirabellette) @@ -627,18 +661,28 @@ - update telegram profile - add spectacle profile - add kdiff3 profile +NetSysFire (https://github.com/NetSysFire) + - update weechat profile Nick Fox (https://github.com/njfox) - add a profile alias for code-oss - add code-oss config directory - fix wire-desktop.profile on arch NickMolloy (https://github.com/NickMolloy) - ARP address length fix +Nico (https://github.com/dr460nf1r3) + - added FireDragon profile +Nicola Davide Mannarelli (https://github.com/nidamanx) + - fix "Could not create AF_NETLINK socket" + - added nextcloud profiles + - Firefox, KeepassXC, Telegram fixes Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Niklas Goerke (https://github.com/Niklas974) - update QOwnNotes profile Nikos Chantziaras (https://github.com/realnc) - fix audio support for Discord +nolanl (https://github.com/nolanl) + - added localtime to signal-desktop's profile nyancat18 (https://github.com/nyancat18) - added ardour4, dooble, karbon, krita profiles Ondra Nekola (https://github.com/satai) @@ -686,6 +730,8 @@ PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) - fix quiterss profile - added profile for gnome-ring +pholodniak (https://github.com/pholodniak) + - profstats fixes pianoslum (https://github.com/pianoslum) - nodbus breaking evince two-page-view warning pirate486743186 (https://github.com/pirate486743186) @@ -693,6 +739,18 @@ - mpsyt profile - fix youtube-dl and mpv - fix gnome-mpv profile + - fix gunzip profile + - reorganizing youtube-viewers + - fix pluma profile + - whitelist /var/lib/aspell + - mcomix fixes + - fixing engrampa profile + - adding qcomicbook and pipe-viewer in disable-programs + - newsboat/newsbeuter profiles + - fix atril profile + - reorganizing links browsers + - added rtv, alpine, mcomix, qcomicbook, googler, ddgr profiles + - w3m, zahura, profile.template fixes Pixel Fairy (https://github.com/xahare) - added fjclip.py, fjdisplay.py and fjresize.py in contrib section PizzaDude (https://github.com/pizzadude) @@ -728,6 +786,8 @@ - strings profile RandomVoid (https://github.com/RandomVoid) - fix building C# projects in Godot + - fix Lutris profile + - fix running games with enabled Feral GameMode in Lutris Raphaël Droz (https://github.com/drzraf) - zoom profile fixes realaltffour (https://github.com/realaltffour) @@ -769,6 +829,8 @@ - some typo fixes - added profile templates - added sort.py to contrib +sak96 (https://github.com/sak96) + - discord profile fixes Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) - fixed ktorrent profile sarneaud (https://github.com/sarneaud) @@ -795,7 +857,11 @@ sinkuu (https://github.com/sinkuu) - blacklisting kwalletd - fix symlink invocation for programs placing symlinks in $PATH -smithsohu (https://github.com/smitsohu) +Simo Piiroinen (https://github.com/spiiroin) + - Jolla/SailfishOS patches +slowpeek (https://github.com/slowpeek) + - refine appimage example in docs +smitsohu (https://github.com/smitsohu) - read-only kde4 services directory - enhanced mediathekview profile - added tuxguitar profile @@ -813,7 +879,7 @@ - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile - fix keepassxc.profile - fix qtox.profile - - add ocaltime to private-etc to make qtox show correct time + - add localtime to private-etc to make qtox show correct time - fixes for the keepassxc 2.2.5 version SkewedZeppelin (https://github.com/SkewedZeppelin) - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles @@ -910,6 +976,8 @@ - mupen64plus profile Tomasz Jan Góralczyk (https://github.com/tjg) - fixed Steam profile +Tomi Leppänen (https://github.com/Tomin1) + - Jolla/SailfishOS patches Topi Miettinen (https://github.com/topimiettinen) - improved seccomp printing - improve mount handling, fix /run/user handling @@ -918,6 +986,10 @@ - improve loading of seccomp filter and memory-deny-write-execute feature - private-lib feature - make --nodbus block also system D-Bus socket +Ted Robertson (https://github.com/tredondo) + - webstorm profile fixes + - added bcompare profile + - various documentation fixes user1024 (user1024@tut.by) - electron profile whitelisting - fixed Rocket.Chat profile @@ -982,6 +1054,9 @@ - apparmor profile enhancements - various KDE profile enhancements read-only kde5 services directory +Vladislav Nepogodin (https://github.com/vnepogodin) + - added Librewolf profiles + - added Sway profile xee5ch (https://github.com/xee5ch) - skypeforlinux profile Ypnose (https://github.com/Ypnose) @@ -1008,4 +1083,7 @@ with firejail --x11 - support for xpra-extra-params in firejail.config -Copyright (C) 2014-2020 Firejail Authors +zupatisc (https://github.com/zupatisc) + - patch-util fix + +Copyright (C) 2014-2021 Firejail Authors diff -Nru firejail-0.9.64.4/RELNOTES firejail-0.9.66/RELNOTES --- firejail-0.9.64.4/RELNOTES 2021-02-07 20:00:19.000000000 +0000 +++ firejail-0.9.66/RELNOTES 2021-06-29 14:08:43.000000000 +0000 @@ -1,5 +1,48 @@ +firejail (0.9.66) baseline; urgency=low + * deprecated --audit options, relpaced by jailcheck utility + * deprecated follow-symlink-as-user from firejail.config + * new firejail.config settings: private-bin, private-etc + * new firejail.config settings: private-opt, private-srv + * new firejail.config settings: whitelist-disable-topdir + * new firejail.config settings: seccomp-filter-add + * removed kcmp syscall from seccomp default filter + * rename --noautopulse to keep-config-pulse + * filtering environment variables + * zsh completion + * command line: --mkdir, --mkfile + * --protocol now accumulates + * Jolla/SailfishOS patches + * private-lib rework + * whitelist rework + * jailtest utility for testing running sandboxes + * capabilities list update + * faccessat2 syscall support + * --private-dev keeps /dev/input + * added --noinput to disable /dev/input + * add support for subdirs in --private-etc + * compile time: --enable-force-nonewprivs + * compile time: --disable-output + * compile time: --enable-lts + * subdirs support in private-etc + * input devices support in private-dev, --no-input + * support trailing comments on profile lines + * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng + * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, + * avidemux, calligragemini, vmware-player, vmware-workstation + * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr + * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum + * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum + * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway + * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, + * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, + * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon + * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat, + * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer + * links2, xlinks2, googler, ddgr, tin + -- netblue30 Mon, 28 Jun 2021 09:00:00 -0500 + firejail (0.9.64.4) baseline; urgency=low - * disabled overlayfs, pending multiple fixes + * disabled overlayfs, pending multiple fixes (CVE-2021-26910) -- netblue30 Sun, 7 Feb 2021 09:00:00 -0500 firejail (0.9.64.2) baseline; urgency=low diff -Nru firejail-0.9.64.4/src/bash_completion/firejail.bash_completion firejail-0.9.66/src/bash_completion/firejail.bash_completion --- firejail-0.9.64.4/src/bash_completion/firejail.bash_completion 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/bash_completion/firejail.bash_completion 1970-01-01 00:00:00.000000000 +0000 @@ -1,111 +0,0 @@ -# bash completion for firejail -*- shell-script -*- -#******************************************************************** -# Script based on completions/configure script in bash-completion package in -# Debian. The original package is release under GPL v2 license, the webpage is -# http://bash-completion.alioth.debian.org -#******************************************************************* - -__interfaces(){ - cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs -} - - -_firejail() -{ - local cur prev words cword split - _init_completion -s || return - - case $prev in - --help|--version|-debug-caps|--debug-syscalls|--debug-syscalls32|--list|--tree|--top|--join|--shutdown) - return 0 - ;; - --profile) - _filedir - return 0 - ;; - --hosts-file) - _filedir - return 0 - ;; - --chroot) - _filedir -d - return 0 - ;; - --cgroup) - _filedir -d - return 0 - ;; - --tmpfs) - _filedir - return 0 - ;; - --blacklist) - _filedir - return 0 - ;; - --noblacklist) - _filedir - return 0 - ;; - --whitelist) - _filedir - return 0 - ;; - --nowhitelist) - _filedir - return 0 - ;; - --read-only) - _filedir - return 0 - ;; - --read-write) - _filedir - return 0 - ;; - --bind) - _filedir - return 0 - ;; - --private) - _filedir - return 0 - ;; - --netfilter) - _filedir - return 0 - ;; - --shell) - _filedir - return 0 - ;; - --audit) - _filedir - return 0 - ;; - --net) - comps=$(__interfaces) - COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) - return 0 - ;; - esac - - $split && return 0 - - # if $COMP_CONFIGURE_HINTS is not null, then completions of the form - # --option=SETTING will include 'SETTING' as a contextual hint - [[ "$cur" != -* ]] && _command && return 0 - - if [[ -n $COMP_CONFIGURE_HINTS ]]; then - COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \ - awk '/^ --[A-Za-z]/ { print $1; \ - if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \ - -- "$cur" ) ) - [[ $COMPREPLY == *=* ]] && compopt -o nospace - else - COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) ) - [[ $COMPREPLY == *= ]] && compopt -o nospace - fi - -} && -complete -F _firejail firejail diff -Nru firejail-0.9.64.4/src/bash_completion/firejail.bash_completion.in firejail-0.9.66/src/bash_completion/firejail.bash_completion.in --- firejail-0.9.64.4/src/bash_completion/firejail.bash_completion.in 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/bash_completion/firejail.bash_completion.in 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,118 @@ +# bash completion for firejail -*- shell-script -*- +#******************************************************************** +# Script based on completions/configure script in bash-completion package in +# Debian. The original package is release under GPL v2 license, the webpage is +# http://bash-completion.alioth.debian.org +#******************************************************************* + +__interfaces(){ + cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs +} + +_profiles() { + if [[ -d "$1" ]] ; then + ls -1 $1/*.profile 2>/dev/null | sed -E 's;^.*\/;;g' + fi +} +_all_profiles() { + local sys_profiles=$(_profiles _SYSCONFDIR_/firejail) + local user_profiles=$(_profiles $HOME/.config/firejail) + COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur")) +} + + +_firejail() +{ + local cur prev words cword split + _init_completion -s || return + + case $prev in + --help|--version|-debug-caps|--debug-syscalls|--debug-syscalls32|--list|--tree|--top|--join|--shutdown) + return 0 + ;; + --profile) + _all_profiles + return 0 + ;; + --hosts-file) + _filedir + return 0 + ;; + --chroot) + _filedir -d + return 0 + ;; + --cgroup) + _filedir -d + return 0 + ;; + --tmpfs) + _filedir + return 0 + ;; + --blacklist) + _filedir + return 0 + ;; + --noblacklist) + _filedir + return 0 + ;; + --whitelist) + _filedir + return 0 + ;; + --nowhitelist) + _filedir + return 0 + ;; + --read-only) + _filedir + return 0 + ;; + --read-write) + _filedir + return 0 + ;; + --bind) + _filedir + return 0 + ;; + --private) + _filedir + return 0 + ;; + --netfilter) + _filedir + return 0 + ;; + --shell) + _filedir + return 0 + ;; + --net) + comps=$(__interfaces) + COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) + return 0 + ;; + esac + + $split && return 0 + + # if $COMP_CONFIGURE_HINTS is not null, then completions of the form + # --option=SETTING will include 'SETTING' as a contextual hint + [[ "$cur" != -* ]] && _command && return 0 + + if [[ -n $COMP_CONFIGURE_HINTS ]]; then + COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \ + awk '/^ --[A-Za-z]/ { print $1; \ + if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \ + -- "$cur" ) ) + [[ $COMPREPLY == *=* ]] && compopt -o nospace + else + COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) ) + [[ $COMPREPLY == *= ]] && compopt -o nospace + fi + +} && +complete -F _firejail firejail diff -Nru firejail-0.9.64.4/src/bash_completion/Makefile.in firejail-0.9.66/src/bash_completion/Makefile.in --- firejail-0.9.64.4/src/bash_completion/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/bash_completion/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,17 @@ +.PHONY: all +all: firejail.bash_completion + +include ../common.mk + +firejail.bash_completion: firejail.bash_completion.in + gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp + sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ + rm $@.tmp + +.PHONY: clean +clean: + rm -fr firejail.bash_completion + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff -Nru firejail-0.9.64.4/src/common.mk.in firejail-0.9.66/src/common.mk.in --- firejail-0.9.64.4/src/common.mk.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/common.mk.in 2021-06-22 15:51:28.000000000 +0000 @@ -23,10 +23,18 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ HAVE_GCOV=@HAVE_GCOV@ HAVE_SELINUX=@HAVE_SELINUX@ +ifeq (@HAVE_SUID@, yes) +HAVE_SUID=-DHAVE_SUID +else +HAVE_SUID= +endif HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ HAVE_USERTMPFS=@HAVE_USERTMPFS@ +HAVE_OUTPUT=@HAVE_OUTPUT@ +HAVE_LTS=@HAVE_LTS@ +HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) @@ -34,7 +42,7 @@ CFLAGS = @CFLAGS@ CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) +MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) CFLAGS += $(MANFLAGS) CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread diff -Nru firejail-0.9.64.4/src/faudit/caps.c firejail-0.9.66/src/faudit/caps.c --- firejail-0.9.64.4/src/faudit/caps.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/caps.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,78 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "faudit.h" -#include - -#define MAXBUF 4098 -static int extract_caps(uint64_t *val) { - FILE *fp = fopen("/proc/self/status", "r"); - if (!fp) - return 1; - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - if (strncmp(buf, "CapBnd:\t", 8) == 0) { - char *ptr = buf + 8; - unsigned long long tmp; - sscanf(ptr, "%llx", &tmp); - *val = tmp; - fclose(fp); - return 0; - } - } - - fclose(fp); - return 1; -} - -// return 1 if the capability is in the map -static int check_capability(uint64_t map, int cap) { - int i; - uint64_t mask = 1ULL; - - for (i = 0; i < 64; i++, mask <<= 1) { - if ((i == cap) && (mask & map)) - return 1; - } - - return 0; -} - -void caps_test(void) { - uint64_t caps_val; - - if (extract_caps(&caps_val)) { - printf("SKIP: cannot extract capabilities on this platform.\n"); - return; - } - - if (caps_val) { - printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); - printf("Use \"firejail --caps.drop=all\" to fix it.\n"); - - if (check_capability(caps_val, CAP_SYS_ADMIN)) - printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); - if (check_capability(caps_val, CAP_SYS_BOOT)) - printf("UGLY: CAP_SYS_BOOT is enabled.\n"); - } - else - printf("GOOD: all capabilities are disabled.\n"); -} diff -Nru firejail-0.9.64.4/src/faudit/dbus.c firejail-0.9.66/src/faudit/dbus.c --- firejail-0.9.64.4/src/faudit/dbus.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/dbus.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,131 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include "../include/rundefs.h" -#include -#include -#include - -// return 0 if the connection is possible -int check_unix(const char *sockfile) { - assert(sockfile); - int rv = -1; - - // open socket - int sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock == -1) - return rv; - - // connect - struct sockaddr_un remote; - memset(&remote, 0, sizeof(struct sockaddr_un)); - remote.sun_family = AF_UNIX; - strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1); - int len = strlen(remote.sun_path) + sizeof(remote.sun_family); - if (*sockfile == '@') - remote.sun_path[0] = '\0'; - if (connect(sock, (struct sockaddr *)&remote, len) == 0) - rv = 0; - - close(sock); - return rv; -} - -static char *test_dbus_env(char *env_var_name) { - // check the session bus - char *str = getenv(env_var_name); - char *found = NULL; - if (str) { - int rv = 0; - char *bus = strdup(str); - if (!bus) - errExit("strdup"); - char *sockfile; - if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) { - sockfile += 13; - *sockfile = '@'; - char *ptr = strchr(sockfile, ','); - if (ptr) - *ptr = '\0'; - rv = check_unix(sockfile); - *sockfile = '@'; - if (rv == 0) - printf("MAYBE: D-Bus socket %s is available\n", sockfile); - else if (rv == -1) - printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); - } - else if ((sockfile = strstr(bus, "unix:path=")) != NULL) { - sockfile += 10; - char *ptr = strchr(sockfile, ','); - if (ptr) - *ptr = '\0'; - rv = check_unix(sockfile); - if (rv == 0) { - if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 || - strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) { - printf("GOOD: D-Bus filtering is active on %s\n", sockfile); - } else { - printf("MAYBE: D-Bus socket %s is available\n", sockfile); - } - } - else if (rv == -1) - printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); - found = strdup(sockfile); - if (!found) - errExit("strdup"); - } - else if (strstr(bus, "tcp:host=") != NULL) - printf("UGLY: %s bus configured for TCP communication.\n", env_var_name); - else - printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name); - free(bus); - } - else - printf("MAYBE: %s environment variable not configured.\n", env_var_name); - return found; -} - -static void test_default_socket(const char *found, const char *format, ...) { - va_list ap; - va_start(ap, format); - char *sockfile; - if (vasprintf(&sockfile, format, ap) == -1) - errExit("vasprintf"); - va_end(ap); - if (found != NULL && strcmp(found, sockfile) == 0) - goto end; - int rv = check_unix(sockfile); - if (rv == 0) - printf("MAYBE: D-Bus socket %s is available\n", sockfile); -end: - free(sockfile); -} - -void dbus_test(void) { - char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS"); - test_default_socket(found_user, "/run/user/%d/bus", (int) getuid()); - test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid()); - if (found_user != NULL) - free(found_user); - char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS"); - test_default_socket(found_system, "/run/dbus/system_bus_socket"); - if (found_system != NULL) - free(found_system); -} diff -Nru firejail-0.9.64.4/src/faudit/dev.c firejail-0.9.66/src/faudit/dev.c --- firejail-0.9.64.4/src/faudit/dev.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/dev.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,47 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include - -void dev_test(void) { - DIR *dir; - if (!(dir = opendir("/dev"))) { - fprintf(stderr, "Error: cannot open /dev directory\n"); - return; - } - - struct dirent *entry; - printf("INFO: files visible in /dev directory: "); - int cnt = 0; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) - continue; - - printf("%s, ", entry->d_name); - cnt++; - } - printf("\n"); - - if (cnt > 20) - printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); - else - printf("GOOD: Access to /dev directory is restricted.\n"); - closedir(dir); -} diff -Nru firejail-0.9.64.4/src/faudit/faudit.h firejail-0.9.66/src/faudit/faudit.h --- firejail-0.9.64.4/src/faudit/faudit.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/faudit.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,68 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#ifndef FAUDIT_H -#define FAUDIT_H -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) - -// main.c -extern char *prog; - -// pid.c -void pid_test(void); - -// caps.c -void caps_test(void); - -// seccomp.c -void seccomp_test(void); - -// syscall.c -void syscall_helper(int argc, char **argv); -void syscall_run(const char *name); - -// files.c -void files_test(void); - -// network.c -void network_test(void); - -// dbus.c -int check_unix(const char *sockfile); -void dbus_test(void); - -// dev.c -void dev_test(void); - -// x11.c -void x11_test(void); - -#endif diff -Nru firejail-0.9.64.4/src/faudit/files.c firejail-0.9.66/src/faudit/files.c --- firejail-0.9.64.4/src/faudit/files.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/files.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,75 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include - -static char *username = NULL; -static char *homedir = NULL; - -static void check_home_file(const char *name) { - assert(homedir); - - char *fname; - if (asprintf(&fname, "%s/%s", homedir, name) == -1) - errExit("asprintf"); - - if (access(fname, R_OK) == 0) { - printf("UGLY: I can access files in %s directory. ", fname); - printf("Use \"firejail --blacklist=%s\" to block it.\n", fname); - } - else - printf("GOOD: I cannot access files in %s directory.\n", fname); - - free(fname); -} - -void files_test(void) { - struct passwd *pw = getpwuid(getuid()); - if (!pw) { - fprintf(stderr, "Error: cannot retrieve user account information\n"); - return; - } - - username = strdup(pw->pw_name); - if (!username) - errExit("strdup"); - homedir = strdup(pw->pw_dir); - if (!homedir) - errExit("strdup"); - - // check access to .ssh directory - check_home_file(".ssh"); - - // check access to .gnupg directory - check_home_file(".gnupg"); - - // check access to Firefox browser directory - check_home_file(".mozilla"); - - // check access to Chromium browser directory - check_home_file(".config/chromium"); - - // check access to Debian Icedove directory - check_home_file(".icedove"); - - // check access to Thunderbird directory - check_home_file(".thunderbird"); -} diff -Nru firejail-0.9.64.4/src/faudit/main.c firejail-0.9.66/src/faudit/main.c --- firejail-0.9.64.4/src/faudit/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/main.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,98 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -char *prog; - -int main(int argc, char **argv) { - // make test-arguments helper - if (getenv("FIREJAIL_TEST_ARGUMENTS")) { - printf("Arguments:\n"); - - int i; - for (i = 0; i < argc; i++) { - printf("#%s#\n", argv[i]); - } - - return 0; - } - - - if (argc != 1) { - int i; - - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "syscall") == 0) { - syscall_helper(argc, argv); - return 0; - } - } - return 1; - } - - printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); - - // extract program name - prog = realpath(argv[0], NULL); - if (prog == NULL) { - prog = strdup("faudit"); - if (!prog) - errExit("strdup"); - } - printf("INFO: starting %s.\n", prog); - - - // check pid namespace - pid_test(); - printf("\n"); - - // check seccomp - seccomp_test(); - printf("\n"); - - // check capabilities - caps_test(); - printf("\n"); - - // check some well-known problematic files and directories - files_test(); - printf("\n"); - - // network - network_test(); - printf("\n"); - - // dbus - dbus_test(); - printf("\n"); - - // x11 test - x11_test(); - printf("\n"); - - // /dev test - dev_test(); - printf("\n"); - - - free(prog); - printf("--------------------------------------------------------------------------------\n"); - - return 0; -} diff -Nru firejail-0.9.64.4/src/faudit/Makefile.in firejail-0.9.66/src/faudit/Makefile.in --- firejail-0.9.64.4/src/faudit/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/Makefile.in 1970-01-01 00:00:00.000000000 +0000 @@ -1,14 +0,0 @@ -all: faudit - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -faudit: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) - -clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist - -distclean: clean - rm -fr Makefile diff -Nru firejail-0.9.64.4/src/faudit/network.c firejail-0.9.66/src/faudit/network.c --- firejail-0.9.64.4/src/faudit/network.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/network.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,101 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include -#include -#include - -static void check_ssh(void) { - // open socket - int sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock == -1) { - printf("GOOD: SSH server not available on localhost.\n"); - return; - } - - // connect to localhost - struct sockaddr_in server; - server.sin_addr.s_addr = inet_addr("127.0.0.1"); - server.sin_family = AF_INET; - server.sin_port = htons(22); - - if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) - printf("GOOD: SSH server not available on localhost.\n"); - else { - printf("MAYBE: an SSH server is accessible on localhost. "); - printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); - } - - close(sock); -} - -static void check_http(void) { - // open socket - int sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock == -1) { - printf("GOOD: HTTP server not available on localhost.\n"); - return; - } - - // connect to localhost - struct sockaddr_in server; - server.sin_addr.s_addr = inet_addr("127.0.0.1"); - server.sin_family = AF_INET; - server.sin_port = htons(80); - - if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) - printf("GOOD: HTTP server not available on localhost.\n"); - else { - printf("MAYBE: an HTTP server is accessible on localhost. "); - printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); - } - - close(sock); -} - -void check_netlink(void) { - int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); - if (sock == -1) { - printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); - return; - } - - struct sockaddr_nl local; - memset(&local, 0, sizeof(local)); - local.nl_family = AF_NETLINK; - local.nl_groups = 0; //subscriptions; - - if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) { - printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); - close(sock); - return; - } - - close(sock); - printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); - printf("You can use \"--protocol\" to disable the socket.\n"); -} - -void network_test(void) { - check_ssh(); - check_http(); - check_netlink(); -} diff -Nru firejail-0.9.64.4/src/faudit/pid.c firejail-0.9.66/src/faudit/pid.c --- firejail-0.9.64.4/src/faudit/pid.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/pid.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,99 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" - -void pid_test(void) { - static char *kern_proc[] = { - "kthreadd", - "ksoftirqd", - "kworker", - "rcu_sched", - "rcu_bh", - NULL // NULL terminated list - }; - int i; - - // look at the first 10 processes - int not_visible = 1; - for (i = 1; i <= 10; i++) { - struct stat s; - char *fname; - if (asprintf(&fname, "/proc/%d/comm", i) == -1) - errExit("asprintf"); - if (stat(fname, &s) == -1) { - free(fname); - continue; - } - - // open file - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); - if (!fp) { - free(fname); - continue; - } - - // read file - char buf[100]; - if (fgets(buf, 10, fp) == NULL) { - fclose(fp); - free(fname); - continue; - } - not_visible = 0; - - // clean /n - char *ptr; - if ((ptr = strchr(buf, '\n')) != NULL) - *ptr = '\0'; - - // check process name against the kernel list - int j = 0; - while (kern_proc[j] != NULL) { - if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { - fclose(fp); - free(fname); - printf("BAD: Process %d is not running in a PID namespace. ", getpid()); - printf("Are you sure you're running in a sandbox?\n"); - return; - } - j++; - } - - fclose(fp); - free(fname); - } - - pid_t pid = getpid(); - if (not_visible && pid > 100) - printf("BAD: Process %d is not running in a PID namespace.\n", pid); - else - printf("GOOD: process %d is running in a PID namespace.\n", pid); - - // try to guess the type of container/sandbox - char *str = getenv("container"); - if (str) - printf("INFO: container/sandbox %s.\n", str); - else { - str = getenv("SNAP"); - if (str) - printf("INFO: this is a snap package\n"); - } -} diff -Nru firejail-0.9.64.4/src/faudit/seccomp.c firejail-0.9.66/src/faudit/seccomp.c --- firejail-0.9.64.4/src/faudit/seccomp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/seccomp.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,101 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" - -#define MAXBUF 4098 -static int extract_seccomp(int *val) { - FILE *fp = fopen("/proc/self/status", "r"); - if (!fp) - return 1; - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - if (strncmp(buf, "Seccomp:\t", 9) == 0) { - char *ptr = buf + 9; - int tmp; - sscanf(ptr, "%d", &tmp); - *val = tmp; - fclose(fp); - return 0; - } - } - - fclose(fp); - return 1; -} - -void seccomp_test(void) { - int seccomp_status; - int rv = extract_seccomp(&seccomp_status); - - if (rv) { - printf("INFO: cannot extract seccomp configuration on this platform.\n"); - return; - } - - if (seccomp_status == 0) { - printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); - } - else if (seccomp_status == 1) - printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n"); - else if (seccomp_status == 2) { - printf("GOOD: seccomp BPF enabled.\n"); - - printf("checking syscalls: "); fflush(0); - printf("mount... "); fflush(0); - syscall_run("mount"); - - printf("umount2... "); fflush(0); - syscall_run("umount2"); - - printf("ptrace... "); fflush(0); - syscall_run("ptrace"); - - printf("swapon... "); fflush(0); - syscall_run("swapon"); - - printf("swapoff... "); fflush(0); - syscall_run("swapoff"); - - printf("init_module... "); fflush(0); - syscall_run("init_module"); - - printf("delete_module... "); fflush(0); - syscall_run("delete_module"); - - printf("chroot... "); fflush(0); - syscall_run("chroot"); - - printf("pivot_root... "); fflush(0); - syscall_run("pivot_root"); - -#if defined(__i386__) || defined(__x86_64__) - printf("iopl... "); fflush(0); - syscall_run("iopl"); - - printf("ioperm... "); fflush(0); - syscall_run("ioperm"); -#endif - printf("\n"); - } - else - fprintf(stderr, "Error: unrecognized seccomp mode\n"); - -} diff -Nru firejail-0.9.64.4/src/faudit/syscall.c firejail-0.9.66/src/faudit/syscall.c --- firejail-0.9.64.4/src/faudit/syscall.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/syscall.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,105 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include -#if defined(__i386__) || defined(__x86_64__) -#include -#endif -#include -extern int init_module(void *module_image, unsigned long len, - const char *param_values); -extern int finit_module(int fd, const char *param_values, - int flags); -extern int delete_module(const char *name, int flags); -extern int pivot_root(const char *new_root, const char *put_old); - -void syscall_helper(int argc, char **argv) { - (void) argc; - - if (argc < 3) - return; - - if (strcmp(argv[2], "mount") == 0) { - int rv = mount(NULL, NULL, NULL, 0, NULL); - (void) rv; - printf("\nUGLY: mount syscall permitted.\n"); - } - else if (strcmp(argv[2], "umount2") == 0) { - umount2(NULL, 0); - printf("\nUGLY: umount2 syscall permitted.\n"); - } - else if (strcmp(argv[2], "ptrace") == 0) { - ptrace(0, 0, NULL, NULL); - printf("\nUGLY: ptrace syscall permitted.\n"); - } - else if (strcmp(argv[2], "swapon") == 0) { - swapon(NULL, 0); - printf("\nUGLY: swapon syscall permitted.\n"); - } - else if (strcmp(argv[2], "swapoff") == 0) { - swapoff(NULL); - printf("\nUGLY: swapoff syscall permitted.\n"); - } - else if (strcmp(argv[2], "init_module") == 0) { - init_module(NULL, 0, NULL); - printf("\nUGLY: init_module syscall permitted.\n"); - } - else if (strcmp(argv[2], "delete_module") == 0) { - delete_module(NULL, 0); - printf("\nUGLY: delete_module syscall permitted.\n"); - } - else if (strcmp(argv[2], "chroot") == 0) { - int rv = chroot("/blablabla-57281292"); - (void) rv; - printf("\nUGLY: chroot syscall permitted.\n"); - } - else if (strcmp(argv[2], "pivot_root") == 0) { - pivot_root(NULL, NULL); - printf("\nUGLY: pivot_root syscall permitted.\n"); - } -#if defined(__i386__) || defined(__x86_64__) - else if (strcmp(argv[2], "iopl") == 0) { - iopl(0L); - printf("\nUGLY: iopl syscall permitted.\n"); - } - else if (strcmp(argv[2], "ioperm") == 0) { - ioperm(0, 0, 0); - printf("\nUGLY: ioperm syscall permitted.\n"); - } -#endif - exit(0); -} - -void syscall_run(const char *name) { - assert(prog); - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - execl(prog, prog, "syscall", name, NULL); - perror("execl"); - _exit(1); - } - - // wait for the child to finish - waitpid(child, NULL, 0); -} diff -Nru firejail-0.9.64.4/src/faudit/x11.c firejail-0.9.66/src/faudit/x11.c --- firejail-0.9.64.4/src/faudit/x11.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/faudit/x11.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,63 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include - - -void x11_test(void) { - // check regular display 0 sockets - if (check_unix("/tmp/.X11-unix/X0") == 0) - printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n"); - - if (check_unix("@/tmp/.X11-unix/X0") == 0) - printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); - - // check all unix sockets in /tmp/.X11-unix directory - DIR *dir; - if (!(dir = opendir("/tmp/.X11-unix"))) { - // sleep 2 seconds and try again - sleep(2); - if (!(dir = opendir("/tmp/.X11-unix"))) { - ; - } - } - - if (dir == NULL) - printf("GOOD: cannot open /tmp/.X11-unix directory\n"); - else { - struct dirent *entry; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, "X0") == 0) - continue; - if (strcmp(entry->d_name, ".") == 0) - continue; - if (strcmp(entry->d_name, "..") == 0) - continue; - char *name; - if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1) - errExit("asprintf"); - if (check_unix(name) == 0) - printf("MAYBE: X11 socket %s is available\n", name); - free(name); - } - closedir(dir); - } -} diff -Nru firejail-0.9.64.4/src/fbuilder/build_bin.c firejail-0.9.66/src/fbuilder/build_bin.c --- firejail-0.9.64.4/src/fbuilder/build_bin.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/build_bin.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -83,11 +83,9 @@ continue; *ptr2 = '\0'; - // skip strace - if (strcmp(ptr, "strace") == 0) - continue; - - bin_out = filedb_add(bin_out, ptr); + // skip strace and firejail (in case we hit a symlink in /usr/local/bin) + if (strcmp(ptr, "strace") && strcmp(ptr, "firejail")) + bin_out = filedb_add(bin_out, ptr); } fclose(fp); @@ -121,6 +119,5 @@ ptr = ptr->next; } fprintf(fp, "\n"); - fprintf(fp, "# private-lib\n"); } } diff -Nru firejail-0.9.64.4/src/fbuilder/build_fs.c firejail-0.9.66/src/fbuilder/build_fs.c --- firejail-0.9.64.4/src/fbuilder/build_fs.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/build_fs.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -146,31 +146,49 @@ //******************************************* // var directory //******************************************* +#if 0 +// todo: load the list from whitelist-var-common.inc +static char *var_skip[] = { + "/var/lib/ca-certificates", + "/var/lib/dbus", + "/var/lib/menu-xdg", + "/var/lib/uim", + "/var/cache/fontconfig", + "/var/tmp", + "/var/run", + "/var/lock", + NULL +}; +#endif static FileDB *var_out = NULL; +static FileDB *var_skip = NULL; static void var_callback(char *ptr) { - if (strcmp(ptr, "/var/lib") == 0) - ; - else if (strcmp(ptr, "/var/cache") == 0) - ; - else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0) - var_out = filedb_add(var_out, "/var/lib/menu-xdg"); - else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0) - var_out = filedb_add(var_out, "/var/cache/fontconfig"); - else - var_out = filedb_add(var_out, ptr); + // extract the directory: + assert(strncmp(ptr, "/var", 4) == 0); + char *p1 = ptr + 4; + if (*p1 != '/') + return; + p1++; + + if (*p1 == '/') // double '/' + p1++; + if (*p1 == '\0') + return; + + if (!filedb_find(var_skip, p1)) + var_out = filedb_add(var_out, p1); } void build_var(const char *fname, FILE *fp) { assert(fname); + var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/"); process_files(fname, "/var", var_callback); - if (var_out == NULL) { - fprintf(fp, "blacklist /var\n"); - } else { - filedb_print(var_out, "whitelist ", fp); - fprintf(fp, "include whitelist-var-common.inc\n"); - } + // always whitelist /var + if (var_out) + filedb_print(var_out, "whitelist /var/", fp); + fprintf(fp, "include whitelist-var-common.inc\n"); } @@ -178,6 +196,7 @@ // usr/share directory //******************************************* static FileDB *share_out = NULL; +static FileDB *share_skip = NULL; static void share_callback(char *ptr) { // extract the directory: assert(strncmp(ptr, "/usr/share", 10) == 0); @@ -195,21 +214,21 @@ if (p2) *p2 = '\0'; - // store the file - share_out = filedb_add(share_out, ptr); + + if (!filedb_find(share_skip, p1)) + share_out = filedb_add(share_out, p1); } void build_share(const char *fname, FILE *fp) { assert(fname); + share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/"); process_files(fname, "/usr/share", share_callback); - if (share_out == NULL) { - fprintf(fp, "blacklist /usr/share\n"); - } else { - filedb_print(share_out, "whitelist ", fp); - fprintf(fp, "include whitelist-usr-share-common.inc\n"); - } + // always whitelist /usr/share + if (share_out) + filedb_print(share_out, "whitelist /usr/share/", fp); + fprintf(fp, "include whitelist-usr-share-common.inc\n"); } //******************************************* @@ -220,6 +239,10 @@ // skip strace file if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) return; + if (strncmp(ptr, "/tmp/runtime-", 13) == 0) + return; + if (strcmp(ptr, "/tmp") == 0) + return; tmp_out = filedb_add(tmp_out, ptr); } @@ -232,8 +255,7 @@ if (tmp_out == NULL) fprintf(fp, "private-tmp\n"); else { - fprintf(fp, "\n"); - fprintf(fp, "# private-tmp\n"); + fprintf(fp, "#private-tmp\n"); fprintf(fp, "# File accessed in /tmp directory:\n"); fprintf(fp, "# "); FileDB *ptr = tmp_out; @@ -249,40 +271,37 @@ // dev directory //******************************************* static char *dev_skip[] = { + "/dev/stdin", + "/dev/stdout", + "/dev/stderr", "/dev/zero", "/dev/null", "/dev/full", "/dev/random", + "/dev/srandom", "/dev/urandom", + "/dev/sr0", + "/dev/cdrom", + "/dev/cdrw", + "/dev/dvd", + "/dev/dvdrw", + "/dev/fd", + "/dev/pts", + "/dev/ptmx", + "/dev/log", + + "/dev/aload", // old ALSA devices, not covered in private-dev + "/dev/dsp", // old OSS device, deprecated + "/dev/tty", "/dev/snd", "/dev/dri", - "/dev/pts", - "/dev/nvidia0", - "/dev/nvidia1", - "/dev/nvidia2", - "/dev/nvidia3", - "/dev/nvidia4", - "/dev/nvidia5", - "/dev/nvidia6", - "/dev/nvidia7", - "/dev/nvidia8", - "/dev/nvidia9", - "/dev/nvidiactl", - "/dev/nvidia-modeset", - "/dev/nvidia-uvm", - "/dev/video0", - "/dev/video1", - "/dev/video2", - "/dev/video3", - "/dev/video4", - "/dev/video5", - "/dev/video6", - "/dev/video7", - "/dev/video8", - "/dev/video9", + "/dev/nvidia", + "/dev/video", "/dev/dvb", - "/dev/sr0", + "/dev/hidraw", + "/dev/usb", + "/dev/input", NULL }; @@ -292,7 +311,7 @@ int i = 0; int found = 0; while (dev_skip[i]) { - if (strcmp(ptr, dev_skip[i]) == 0) { + if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) { found = 1; break; } @@ -310,9 +329,8 @@ if (dev_out == NULL) fprintf(fp, "private-dev\n"); else { - fprintf(fp, "\n"); - fprintf(fp, "# private-dev\n"); - fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); + fprintf(fp, "#private-dev\n"); + fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n"); fprintf(fp, "# "); FileDB *ptr = dev_out; while (ptr) { diff -Nru firejail-0.9.64.4/src/fbuilder/build_home.c firejail-0.9.66/src/fbuilder/build_home.c --- firejail-0.9.64.4/src/fbuilder/build_home.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/build_home.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -23,30 +23,6 @@ static FileDB *db_skip = NULL; static FileDB *db_out = NULL; -static void load_whitelist_common(void) { - FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); - exit(1); - } - - char buf[MAX_BUF]; - while (fgets(buf, MAX_BUF, fp)) { - if (strncmp(buf, "whitelist ${HOME}/", 18) != 0) - continue; - char *fn = buf + 18; - char *ptr = strchr(buf, '\n'); - if (!ptr) - continue; - *ptr = '\0'; - - // add the file to skip list - db_skip = filedb_add(db_skip, fn); - } - - fclose(fp); -} - void process_home(const char *fname, char *home, int home_len) { assert(fname); assert(home); @@ -141,7 +117,7 @@ } // skip files and directories in whitelist-common.inc - if (filedb_find(db_skip, toadd)) { + if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) { if (dir) free(dir); continue; @@ -162,7 +138,7 @@ assert(fname); // load whitelist common - load_whitelist_common(); + db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/"); // find user home directory struct passwd *pw = getpwuid(getuid()); diff -Nru firejail-0.9.64.4/src/fbuilder/build_profile.c firejail-0.9.66/src/fbuilder/build_profile.c --- firejail-0.9.64.4/src/fbuilder/build_profile.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/build_profile.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -24,21 +24,6 @@ #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" -/* static char *cmdlist[] = { */ -/* "/usr/bin/firejail", */ -/* "--quiet", */ -/* "--output=" TRACE_OUTPUT, */ -/* "--noprofile", */ -/* "--caps.drop=all", */ -/* "--nonewprivs", */ -/* "--trace", */ -/* "--shell=none", */ -/* "/usr/bin/strace", // also used as a marker in build_profile() */ -/* "-c", */ -/* "-f", */ -/* "-o" STRACE_OUTPUT, */ -/* }; */ - void build_profile(int argc, char **argv, int index, FILE *fp) { // next index is the application name if (index >= argc) { @@ -141,6 +126,12 @@ if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { if (fp == stdout) printf("--- Built profile beings after this line ---\n"); + fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); + fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); + fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); + fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); + fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n"); + fprintf(fp, "# Firejail profile for %s\n", argv[index]); fprintf(fp, "# Persistent local customizations\n"); fprintf(fp, "#include %s.local\n", argv[index]); @@ -148,56 +139,72 @@ fprintf(fp, "#include globals.local\n"); fprintf(fp, "\n"); - fprintf(fp, "### basic blacklisting\n"); - fprintf(fp, "include disable-common.inc\n"); - fprintf(fp, "# include disable-devel.inc\n"); - fprintf(fp, "# include disable-exec.inc\n"); - fprintf(fp, "# include disable-interpreters.inc\n"); - fprintf(fp, "include disable-passwdmgr.inc\n"); - fprintf(fp, "# include disable-programs.inc\n"); - fprintf(fp, "# include disable-xdg.inc\n"); - fprintf(fp, "\n"); - - fprintf(fp, "### home directory whitelisting\n"); + fprintf(fp, "### Basic Blacklisting ###\n"); + fprintf(fp, "### Enable as many of them as you can! A very important one is\n"); + fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n"); + fprintf(fp, "### and /tmp directories non-executable.\n"); + fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n"); + fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n"); + fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n"); + fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n"); + fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n"); + fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n"); + fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n"); + fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n"); + fprintf(fp, "\n"); + + fprintf(fp, "### Home Directory Whitelisting ###\n"); + fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); + fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); build_home(trace_output, fp); fprintf(fp, "\n"); - fprintf(fp, "### filesystem\n"); - fprintf(fp, "# /usr/share:\n"); + fprintf(fp, "### Filesystem Whitelisting ###\n"); build_share(trace_output, fp); - fprintf(fp, "# /var:\n"); + //todo: include whitelist-runuser-common.inc build_var(trace_output, fp); fprintf(fp, "\n"); - fprintf(fp, "# $PATH:\n"); - build_bin(trace_output, fp); - fprintf(fp, "# /dev:\n"); - build_dev(trace_output, fp); - fprintf(fp, "# /etc:\n"); - build_etc(trace_output, fp); - fprintf(fp, "# /tmp:\n"); - build_tmp(trace_output, fp); - fprintf(fp, "\n"); - fprintf(fp, "### security filters\n"); + fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n"); fprintf(fp, "caps.drop all\n"); + fprintf(fp, "ipc-namespace\n"); + fprintf(fp, "netfilter\n"); + fprintf(fp, "#no3d\t# disable 3D acceleration\n"); + fprintf(fp, "#nodvd\t# disable DVD and CD devices\n"); + fprintf(fp, "#nogroups\t# disable supplementary user groups\n"); + fprintf(fp, "#noinput\t# disable input devices\n"); fprintf(fp, "nonewprivs\n"); + fprintf(fp, "noroot\n"); + fprintf(fp, "#notv\t# disable DVB TV devices\n"); + fprintf(fp, "#nou2f\t# disable U2F devices\n"); + fprintf(fp, "#novideo\t# disable video capture devices\n"); + build_protocol(trace_output, fp); fprintf(fp, "seccomp\n"); if (!have_strace) { - fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); - fprintf(fp, "# whitelisted seccomp filter.\n"); + fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); + fprintf(fp, "### whitelisted seccomp filter.\n"); } else if (!have_yama_permission) - fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); + fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); else build_seccomp(strace_output, fp); + fprintf(fp, "shell none\n"); + fprintf(fp, "tracelog\n"); fprintf(fp, "\n"); - fprintf(fp, "### network\n"); - build_protocol(trace_output, fp); + fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n"); + build_bin(trace_output, fp); + fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n"); + build_dev(trace_output, fp); + build_etc(trace_output, fp); + fprintf(fp, "#private-lib\n"); + build_tmp(trace_output, fp); fprintf(fp, "\n"); - fprintf(fp, "### environment\n"); - fprintf(fp, "shell none\n"); + fprintf(fp, "#dbus-user none\n"); + fprintf(fp, "#dbus-system none\n"); + fprintf(fp, "\n"); + fprintf(fp, "#memory-deny-write-execute\n"); if (!arg_debug) { unlink(trace_output); diff -Nru firejail-0.9.64.4/src/fbuilder/build_seccomp.c firejail-0.9.66/src/fbuilder/build_seccomp.c --- firejail-0.9.64.4/src/fbuilder/build_seccomp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/build_seccomp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -82,11 +82,12 @@ //*************************************** // protocol //*************************************** -int unix_s = 0; -int inet = 0; -int inet6 = 0; -int netlink = 0; -int packet = 0; +static int unix_s = 0; +static int inet = 0; +static int inet6 = 0; +static int netlink = 0; +static int packet = 0; +static int bluetooth = 0; static void process_protocol(const char *fname) { assert(fname); @@ -135,6 +136,8 @@ netlink = 1; else if (strncmp(ptr, "AF_PACKET ", 10) == 0) packet = 1; + else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0) + bluetooth = 1; } fclose(fp); @@ -161,22 +164,22 @@ } int net = 0; - if (unix_s || inet || inet6 || netlink || packet) { + if (unix_s || inet || inet6 || netlink || packet || bluetooth) { fprintf(fp, "protocol "); if (unix_s) fprintf(fp, "unix,"); - if (inet) { - fprintf(fp, "inet,"); - net = 1; - } - if (inet6) { - fprintf(fp, "inet6,"); + if (inet || inet6) { + fprintf(fp, "inet,inet6,"); net = 1; } if (netlink) fprintf(fp, "netlink,"); if (packet) { - fprintf(fp, "packet"); + fprintf(fp, "packet,"); + net = 1; + } + if (bluetooth) { + fprintf(fp, "bluetooth"); net = 1; } fprintf(fp, "\n"); diff -Nru firejail-0.9.64.4/src/fbuilder/fbuilder.h firejail-0.9.66/src/fbuilder/fbuilder.h --- firejail-0.9.64.4/src/fbuilder/fbuilder.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/fbuilder.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -66,5 +66,6 @@ FileDB *filedb_add(FileDB *head, const char *fname); FileDB *filedb_find(FileDB *head, const char *fname); void filedb_print(FileDB *head, const char *prefix, FILE *fp); +FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix); #endif diff -Nru firejail-0.9.64.4/src/fbuilder/filedb.c firejail-0.9.66/src/fbuilder/filedb.c --- firejail-0.9.64.4/src/fbuilder/filedb.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/filedb.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,7 +20,9 @@ #include "fbuilder.h" +// find exact name or an exact name in a parent directory FileDB *filedb_find(FileDB *head, const char *fname) { + assert(fname); FileDB *ptr = head; int found = 0; int len = strlen(fname); @@ -52,6 +54,8 @@ FileDB *filedb_add(FileDB *head, const char *fname) { assert(fname); + // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.* + // don't add it if it is already there or if the parent directory is already in the list if (filedb_find(head, fname)) return head; @@ -70,9 +74,52 @@ }; void filedb_print(FileDB *head, const char *prefix, FILE *fp) { + assert(head); + assert(prefix); + FileDB *ptr = head; while (ptr) { - fprintf(fp, "%s%s\n", prefix, ptr->fname); + if (fp) + fprintf(fp, "%s%s\n", prefix, ptr->fname); + else + printf("%s%s\n", prefix, ptr->fname); ptr = ptr->next; } } + +FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) { + assert(fname); + assert(prefix); + int len = strlen(prefix); + char *f; + if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1) + errExit("asprintf"); + FILE *fp = fopen(f, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); + free(f); + exit(1); + } + + char buf[MAX_BUF]; + while (fgets(buf, MAX_BUF, fp)) { + if (strncmp(buf, prefix, len) != 0) + continue; + + char *fn = buf + len; + char *ptr = strchr(buf, '\n'); + if (!ptr) + continue; + *ptr = '\0'; + + // add the file to skip list + head = filedb_add(head, fn); + } + + fclose(fp); + free(f); +//printf("***************************************************\n"); +//filedb_print(head, prefix, NULL); +//printf("***************************************************\n"); + return head; +} diff -Nru firejail-0.9.64.4/src/fbuilder/main.c firejail-0.9.66/src/fbuilder/main.c --- firejail-0.9.64.4/src/fbuilder/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -39,7 +39,7 @@ int i; int prog_index = 0; FILE *fp = stdout; - int prof_file = 0; + char *prof_file = NULL; // parse arguments and extract program index for (i = 1; i < argc; i++) { @@ -58,18 +58,23 @@ exit(1); } + // don't run if the file exists + if (access(argv[i] + 8, F_OK) == 0) { + fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n"); + exit(1); + } + // check file access fp = fopen(argv[i] + 8, "w"); if (!fp) { - fprintf(stderr, "Error fbuild: cannot open profile file.\n"); + fprintf(stderr, "Error: cannot open profile file.\n"); exit(1); } - prof_file = 1; - // do nothing, this is passed down from firejail + prof_file = argv[i] + 8; } else { if (*argv[i] == '-') { - fprintf(stderr, "Error fbuilder: invalid program\n"); + fprintf(stderr, "Error: invalid program\n"); usage(); exit(1); } @@ -79,10 +84,13 @@ } if (prog_index == 0) { - fprintf(stderr, "Error fbuilder: program and arguments required\n"); + fprintf(stderr, "Error : program and arguments required\n"); usage(); - if (prof_file) + if (prof_file) { fclose(fp); + int rv = unlink(prof_file); + (void) rv; + } exit(1); } diff -Nru firejail-0.9.64.4/src/fbuilder/Makefile.in firejail-0.9.66/src/fbuilder/Makefile.in --- firejail-0.9.64.4/src/fbuilder/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fbuilder include ../common.mk @@ -8,7 +9,9 @@ fbuilder: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/fbuilder/utils.c firejail-0.9.66/src/fbuilder/utils.c --- firejail-0.9.64.4/src/fbuilder/utils.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fbuilder/utils.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fcopy/main.c firejail-0.9.66/src/fcopy/main.c --- firejail-0.9.64.4/src/fcopy/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fcopy/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,11 +19,15 @@ */ #include "../include/common.h" -#include #include #include #include +#include +#ifndef O_PATH +#define O_PATH 010000000 +#endif + #if HAVE_SELINUX #include #include @@ -51,10 +55,11 @@ #endif // copy from firejail/selinux.c -static void selinux_relabel_path(const char *path, const char *inside_path) -{ +static void selinux_relabel_path(const char *path, const char *inside_path) { + assert(path); + assert(inside_path); #if HAVE_SELINUX - char procfs_path[64]; + char procfs_path[64]; char *fcon = NULL; int fd; struct stat st; @@ -68,20 +73,23 @@ if (!label_hnd) label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_hnd) + errExit("selabel_open"); + /* Open the file as O_PATH, to pin it while we determine and adjust the label */ - fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); + fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); if (fd < 0) return; if (fstat(fd, &st) < 0) goto close; - if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { + if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { sprintf(procfs_path, "/proc/self/fd/%i", fd); if (arg_debug) printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); setfilecon_raw(procfs_path, fcon); - } + } freecon(fcon); close: close(fd); @@ -172,6 +180,51 @@ } } +static char *proc_pid_to_self(const char *target) { + assert(target); + char *use_target = 0; + char *proc_pid = 0; + + if (!(use_target = realpath(target, NULL))) + goto done; + + // target is under /proc/? + static const char proc[] = "/proc/"; + if (strncmp(use_target, proc, sizeof(proc) - 1)) + goto done; + + int digit = use_target[sizeof(proc) - 1]; + if (digit < '1' || digit > '9') + goto done; + + // check where /proc/self points to + static const char proc_self[] = "/proc/self"; + if (!(proc_pid = realpath(proc_self, NULL))) + goto done; + + // redirect /proc/PID/xxx -> /proc/self/XXX + size_t pfix = strlen(proc_pid); + if (strncmp(use_target, proc_pid, pfix)) + goto done; + + if (use_target[pfix] != 0 && use_target[pfix] != '/') + goto done; + + char *tmp; + if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) { + if (arg_debug) + fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp); + free(use_target); + use_target = tmp; + } + else + errExit("asprintf"); + +done: + if (proc_pid) + free(proc_pid); + return use_target; +} void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) { (void) mode; @@ -183,7 +236,7 @@ if (lstat(linkpath, &s) == 0) return; - char *rp = realpath(target, NULL); + char *rp = proc_pid_to_self(target); if (rp) { if (symlink(rp, linkpath) == -1) { free(rp); @@ -227,16 +280,14 @@ first = 0; else if (!arg_quiet) fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname); - free(outfname); - return 0; + goto out; } // extract mode and ownership if (stat(infname, &s) != 0) { if (!arg_quiet) fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); - free(outfname); - return 0; + goto out; } uid_t uid = s.st_uid; gid_t gid = s.st_gid; @@ -246,8 +297,7 @@ if ((s.st_size + size_cnt) > copy_limit) { fprintf(stderr, "Error fcopy: size limit of %lu MB reached\n", (copy_limit / 1024) / 1024); size_limit_reached = 1; - free(outfname); - return 0; + goto out; } file_cnt++; @@ -262,7 +312,8 @@ else if (ftype == FTW_SL) { copy_link(infname, outfname, mode, uid, gid); } - +out: + free(outfname); return(0); } @@ -295,7 +346,8 @@ return rsrc; // normal exit from the function errexit: - fprintf(stderr, "Error fcopy: invalid file %s\n", src); + free(rsrc); + fprintf(stderr, "Error fcopy: invalid ownership for file %s\n", src); exit(1); } diff -Nru firejail-0.9.64.4/src/fcopy/Makefile.in firejail-0.9.66/src/fcopy/Makefile.in --- firejail-0.9.64.4/src/fcopy/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fcopy/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fcopy include ../common.mk @@ -8,7 +9,9 @@ fcopy: $(OBJS) ../lib/common.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/firecfg/desktop_files.c firejail-0.9.66/src/firecfg/desktop_files.c --- firejail-0.9.64.4/src/firecfg/desktop_files.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firecfg/desktop_files.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firecfg/firecfg.config firejail-0.9.66/src/firecfg/firecfg.config --- firejail-0.9.64.4/src/firecfg/firecfg.config 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firecfg/firecfg.config 2021-06-22 15:51:28.000000000 +0000 @@ -4,6 +4,7 @@ #qemu-system-x86_64 0ad 2048-qt +Books Builder Cheese Cryptocat @@ -20,7 +21,9 @@ Maps Mathematica Natron +PCSX2 PPSSPPQt +PPSSPPSDL QMediathekView QOwnNotes Screenshot @@ -35,6 +38,8 @@ akonadi_control akregator alacarte +alpine +alpinef amarok amule amuled @@ -69,13 +74,16 @@ autokey-qt autokey-run autokey-shell +avidemux3_qt5 aweather +ballbuster baloo_file baloo_filemetadata_temp_extractor balsa baobab barrier basilisk +bcompare beaker bibletime bijiben @@ -106,6 +114,7 @@ calligraauthor calligraconverter calligraflow +calligragemini calligraplan calligraplanwork calligrasheets @@ -141,9 +150,11 @@ code code-oss cola +colorful com.github.bleakgrey.tootle com.github.dahenson.agenda com.github.johnfactotum.Foliate +com.github.phase1geo.minder com.gitlab.newsflash conkeror conky @@ -158,6 +169,7 @@ cyberfox darktable dconf-editor +ddgr ddgtk deadbeef deluge @@ -173,10 +185,10 @@ discord discord-canary display +display-im6.q16 dnox dnscrypt-proxy dnsmasq -dolphin dolphin-emu dooble dooble-qt4 @@ -188,6 +200,10 @@ d-feet easystroke ebook-viewer +ebook-convert +ebook-edit +ebook-meta +ebook-polish electron-mail electrum element-desktop @@ -224,6 +240,7 @@ ffprobe file-roller filezilla +firedragon firefox firefox-beta firefox-developer-edition @@ -256,6 +273,7 @@ freshclam frogatto frozen-bubble +funnyboat gajim gajim-history-manager galculator @@ -281,6 +299,8 @@ github-desktop gitter # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 +gl-117 +glaxium globaltime gmpc gnome-2048 @@ -333,6 +353,7 @@ google-earth google-earth-pro google-play-music-desktop-player +googler gpa gpicview gpredict @@ -340,6 +361,7 @@ gramps gravity-beams-and-evaporating-stars gthumb +gtk-pipe-viewer gtk-straw-viewer gtk-youtube-viewer gtk2-youtube-viewer @@ -372,6 +394,8 @@ inkscape inkview inox +ipcalc +ipcalc-ng iridium iridium-browser jd-gui @@ -424,12 +448,15 @@ kwrite leafpad # less - breaks man +librecad libreoffice librewolf +librewolf-nightly liferea lightsoff lincity-ng links +links2 linphone lmms lobase @@ -455,7 +482,7 @@ lyx macrofusion magicor -# man +man manaplus marker masterpdfeditor @@ -469,6 +496,7 @@ matrix-mirage mattermost-desktop mcabber +mcomix mediainfo mediathekview megaglest @@ -535,6 +563,8 @@ mypaint-ora-thumbnailer natron ncdu +neochat +neomutt netactview nethack netsurf @@ -543,6 +573,8 @@ newsbeuter newsboat newsflash +nextcloud +nextcloud-desktop nheko nicotine nitroshare @@ -569,6 +601,8 @@ openarena_ded opencity openclonk +openmw +openmw-launcher openoffice.org openshot openshot-qt @@ -585,6 +619,7 @@ patch pavucontrol pavucontrol-qt +pcsxr pdfchain pdfmod pdfsam @@ -594,10 +629,12 @@ photoflare picard pidgin +pinball #ping - disabled until we fix #1912 pingus pinta pioneer +pipe-viewer pithos pitivi pix @@ -620,6 +657,7 @@ # pycharm-professional # pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) qbittorrent +qcomicbook qemu-launcher qgis qlipper @@ -652,7 +690,6 @@ sayonara scallion scorched3d -scorched3d-wrapper scorchwentbonkers scribus sdat2img @@ -799,6 +836,8 @@ vivaldi-stable vlc vmware +vmware-player +vmware-workstation vscodium vulturesclaw vultureseye @@ -839,12 +878,12 @@ xfce4-screenshooter xiphos xlinks +xlinks2 xmms xmr-stak xonotic xonotic-glx xonotic-sdl -xonotic-sdl-wrapper xournal xournalpp xpdf @@ -860,6 +899,7 @@ yelp youtube youtube-dl +youtube-dl-gui youtube-viewer youtubemusic-nativefier ytmdesktop diff -Nru firejail-0.9.64.4/src/firecfg/firecfg.h firejail-0.9.66/src/firecfg/firecfg.h --- firejail-0.9.64.4/src/firecfg/firecfg.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firecfg/firecfg.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firecfg/main.c firejail-0.9.66/src/firecfg/main.c --- firejail-0.9.64.4/src/firecfg/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firecfg/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firecfg/Makefile.in firejail-0.9.66/src/firecfg/Makefile.in --- firejail-0.9.64.4/src/firecfg/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firecfg/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: firecfg include ../common.mk @@ -8,7 +9,9 @@ firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/firecfg/sound.c firejail-0.9.66/src/firecfg/sound.c --- firejail-0.9.64.4/src/firecfg/sound.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firecfg/sound.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firecfg/util.c firejail-0.9.66/src/firecfg/util.c --- firejail-0.9.64.4/src/firecfg/util.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firecfg/util.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firejail/appimage.c firejail-0.9.66/src/firejail/appimage.c --- firejail-0.9.64.4/src/firejail/appimage.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/appimage.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -21,6 +21,7 @@ // sudo mount -o loop krita-3.0-x86_64.appimage mnt #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -29,7 +30,8 @@ #include static char *devloop = NULL; // device file -static char *mntdir = NULL; // mount point in /tmp directory +static long unsigned size = 0; // offset into appimage file +#define MAXBUF 4096 #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h static void err_loop(void) { @@ -38,36 +40,66 @@ } #endif +// return 1 if found +int appimage_find_profile(const char *archive) { + assert(archive); + assert(strlen(archive)); + + // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config + FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r"); + if (!fp) { + fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config"); + exit(1); + } + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + if (*buf == '#') + continue; + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + if (strcasestr(archive, buf)) { + fclose(fp); + return profile_find_firejail(buf, 1); + } + } + + fclose(fp); + return 0; + +} + + void appimage_set(const char *appimage) { assert(appimage); assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); #ifdef LOOP_CTL_GET_FREE - // check appimage file + // open appimage file invalid_filename(appimage, 0); // no globbing - if (access(appimage, R_OK) == -1) { - fprintf(stderr, "Error: cannot access AppImage file\n"); + int ffd = open(appimage, O_RDONLY|O_CLOEXEC); + if (ffd == -1) { + fprintf(stderr, "Error: cannot read AppImage file\n"); + exit(1); + } + struct stat s; + if (fstat(ffd, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + fprintf(stderr, "Error: invalid AppImage file\n"); exit(1); } // get appimage type and ELF size // a value of 0 means we are dealing with a type1 appimage - long unsigned int size = appimage2_size(appimage); + size = appimage2_size(ffd); if (arg_debug) printf("AppImage ELF size %lu\n", size); - // open appimage file - /* coverity[toctou] */ - int ffd = open(appimage, O_RDONLY|O_CLOEXEC); - if (ffd == -1) { - fprintf(stderr, "Error: cannot open AppImage file\n"); - exit(1); - } - // find or allocate a free loop device to use EUID_ROOT(); - int cfd = open("/dev/loop-control", O_RDWR); + int cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC); if (cfd == -1) err_loop(); int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); @@ -77,7 +109,8 @@ if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) errExit("asprintf"); - int lfd = open(devloop, O_RDONLY); + // associate loop device with appimage + int lfd = open(devloop, O_RDONLY|O_CLOEXEC); if (lfd == -1) err_loop(); if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) @@ -90,109 +123,64 @@ if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) err_loop(); } - close(lfd); close(ffd); EUID_USER(); - // creates appimage mount point perms 0700 - if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) - errExit("asprintf"); - EUID_ROOT(); - mkdir_attr(mntdir, 0700, getuid(), getgid()); - EUID_USER(); - - // mount - char *mode; - if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) - errExit("asprintf"); - unsigned long flags = MS_MGC_VAL|MS_RDONLY; - if (getuid()) - flags |= MS_NODEV|MS_NOSUID; - - EUID_ROOT(); - if (size == 0) { - fmessage("Mounting appimage type 1\n"); - if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) - errExit("mounting appimage"); - } - else { - fmessage("Mounting appimage type 2\n"); - if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0) - errExit("mounting appimage"); - } - - if (arg_debug) - printf("appimage mounted on %s\n", mntdir); - EUID_USER(); - + // set environment char* abspath = realpath(appimage, NULL); if (abspath == NULL) errExit("Failed to obtain absolute path"); + env_store_name_val("APPIMAGE", abspath, SETENV); + free(abspath); - // set environment - if (setenv("APPIMAGE", abspath, 1) < 0) - errExit("setenv"); - if (mntdir && setenv("APPDIR", mntdir, 1) < 0) - errExit("setenv"); - if (size != 0 && setenv("ARGV0", appimage, 1) < 0) - errExit("setenv"); - if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0) - errExit("setenv"); + env_store_name_val("APPDIR", RUN_FIREJAIL_APPIMAGE_DIR, SETENV); - // build new command line - if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) - errExit("asprintf"); + if (size != 0) + env_store_name_val("ARGV0", appimage, SETENV); + + if (cfg.cwd) + env_store_name_val("OWD", cfg.cwd, SETENV); - free(abspath); - free(mode); -#ifdef HAVE_GCOV __gcov_flush(); -#endif #else fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); exit(1); #endif } -void appimage_clear(void) { - int rv; +// mount appimage into sandbox file system +void appimage_mount(void) { + if (!devloop) + return; - EUID_ROOT(); - if (mntdir) { - int i; - int rv = 0; - for (i = 0; i < 5; i++) { - rv = umount2(mntdir, MNT_FORCE); - if (rv == 0) { - fmessage("AppImage unmounted\n"); - - break; - } - if (rv == -1 && errno == EBUSY) { - fwarning("EBUSY error trying to unmount %s\n", mntdir); - sleep(2); - continue; - } - - // rv = -1 - if (!arg_quiet) { - fwarning("error trying to unmount %s\n", mntdir); - perror("umount"); - } - } + unsigned long flags = MS_MGC_VAL|MS_RDONLY; + if (getuid()) + flags |= MS_NODEV|MS_NOSUID; - if (rv == 0) { - rmdir(mntdir); - free(mntdir); - } + if (size == 0) { + fmessage("Mounting appimage type 1\n"); + char *mode; + if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) + errExit("asprintf"); + if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "iso9660", flags, mode) < 0) + errExit("mounting appimage"); + free(mode); + } + else { + fmessage("Mounting appimage type 2\n"); + if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "squashfs", flags, NULL) < 0) + errExit("mounting appimage"); } +} +void appimage_clear(void) { + EUID_ROOT(); if (devloop) { - int lfd = open(devloop, O_RDONLY); + int lfd = open(devloop, O_RDONLY|O_CLOEXEC); if (lfd != -1) { - rv = ioctl(lfd, LOOP_CLR_FD, 0); - (void) rv; + if (ioctl(lfd, LOOP_CLR_FD, 0) != -1) + fmessage("AppImage detached\n"); close(lfd); } } diff -Nru firejail-0.9.64.4/src/firejail/appimage_size.c firejail-0.9.66/src/firejail/appimage_size.c --- firejail-0.9.64.4/src/firejail/appimage_size.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/appimage_size.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -132,22 +132,20 @@ // return 0 if error // return 0 if this is not an appimgage2 file -long unsigned int appimage2_size(const char *fname) { +long unsigned int appimage2_size(int fd) { ssize_t ret; - int fd; long unsigned int size = 0; - fd = open(fname, O_RDONLY); if (fd < 0) return 0; ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); if (ret != EI_NIDENT) - goto getout; + return 0; if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) - goto getout; + return 0; if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { size = read_elf32(fd); @@ -156,23 +154,19 @@ size = read_elf64(fd); } else { - goto getout; + return 0; } if (size == 0) - goto getout; + return 0; // look for a LZMA header at this location unsigned char buf[4]; ret = pread(fd, buf, 4, size); - if (ret != 4) { - size = 0; - goto getout; - } + if (ret != 4) + return 0; if (memcmp(buf, "hsqs", 4) != 0) - size = 0; + return 0; -getout: - close(fd); return size; } diff -Nru firejail-0.9.64.4/src/firejail/arp.c firejail-0.9.66/src/firejail/arp.c --- firejail-0.9.64.4/src/firejail/arp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/arp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -277,7 +277,7 @@ int i = 0; for (i = 0; i < 10; i++) { dest = start + ((uint32_t) rand()) % range; - if (dest == ifip) // do not allow the interface address + if (dest == ifip || dest == cfg.defaultgw) // do not allow the interface address or the default gateway continue; // try again // if we've made it up to here, we have a valid address @@ -325,7 +325,7 @@ // loop through addresses and stop as soon as you find an unused one while (dest <= last) { - if (dest == ifip) { + if (dest == ifip || dest == cfg.defaultgw) { dest++; continue; } diff -Nru firejail-0.9.64.4/src/firejail/bandwidth.c firejail-0.9.66/src/firejail/bandwidth.c --- firejail-0.9.64.4/src/firejail/bandwidth.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/bandwidth.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include #include #include +#include #include #include "firejail.h" @@ -119,26 +120,19 @@ if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) errExit("asprintf"); - // if the file already exists, do nothing - struct stat s; - if (stat(fname, &s) == 0) { - free(fname); - return; - } - // create an empty file and set mod and ownership - /* coverity[toctou] */ - FILE *fp = fopen(fname, "w"); - if (fp) { - SET_PERMS_STREAM(fp, 0, 0, 0644); - fclose(fp); - } - else { + // if the file already exists, do nothing + FILE *fp = fopen(fname, "wxe"); + free(fname); + if (!fp) { + if (errno == EEXIST) + return; fprintf(stderr, "Error: cannot create bandwidth file\n"); exit(1); } - free(fname); + SET_PERMS_STREAM(fp, 0, 0, 0644); + fclose(fp); } @@ -148,7 +142,7 @@ errExit("asprintf"); // create an empty file and set mod and ownership - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (fp) { if (cfg.bridge0.configured) fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox); @@ -178,7 +172,7 @@ if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp) { char buf[1024]; while (fgets(buf, 1024,fp)) { @@ -214,7 +208,7 @@ if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (fp) { IFBW *ptr = ifbw; while (ptr) { @@ -307,7 +301,7 @@ char *fname; if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { fprintf(stderr, "Error: cannot read network map file %s\n", fname); exit(1); diff -Nru firejail-0.9.64.4/src/firejail/caps.c firejail-0.9.66/src/firejail/caps.c --- firejail-0.9.64.4/src/firejail/caps.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/caps.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -162,6 +162,21 @@ #else {"audit_read", 37 }, #endif +#ifdef CAP_PERFMON + {"perfmon", CAP_PERFMON }, +#else + {"perfmon", 38 }, +#endif +#ifdef CAP_BPF + {"bpf", CAP_BPF }, +#else + {"bpf", 39 }, +#endif +#ifdef CAP_CHECKPOINT_RESTORE + {"checkpoint_restore", CAP_CHECKPOINT_RESTORE }, +#else + {"checkpoint_restore", 40 }, +#endif // // end of generated code @@ -374,7 +389,7 @@ errExit("asprintf"); EUID_ROOT(); // grsecurity - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); EUID_USER(); // grsecurity if (!fp) goto errexit; diff -Nru firejail-0.9.64.4/src/firejail/cgroup.c firejail-0.9.66/src/firejail/cgroup.c --- firejail-0.9.64.4/src/firejail/cgroup.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/cgroup.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -26,7 +26,7 @@ if (cfg.cgroup == NULL) return; - FILE *fp = fopen(RUN_CGROUP_CFG, "w"); + FILE *fp = fopen(RUN_CGROUP_CFG, "wxe"); if (fp) { fprintf(fp, "%s", cfg.cgroup); fflush(0); @@ -48,7 +48,7 @@ if (!fname) return; - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp) { char buf[MAXBUF]; if (fgets(buf, MAXBUF, fp)) { @@ -91,19 +91,19 @@ goto errout; // tasks file exists - struct stat s; - if (stat(path, &s) == -1) + FILE *fp = fopen(path, "ae"); + if (!fp) goto errout; - // task file belongs to the user running the sandbox + int fd = fileno(fp); + if (fd == -1) + errExit("fileno"); + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); if (s.st_uid != getuid() && s.st_gid != getgid()) goto errout2; - // add the task to cgroup - /* coverity[toctou] */ - FILE *fp = fopen(path, "a"); - if (!fp) - goto errout; pid_t pid = getpid(); int rv = fprintf(fp, "%d\n", pid); (void) rv; diff -Nru firejail-0.9.64.4/src/firejail/checkcfg.c firejail-0.9.66/src/firejail/checkcfg.c --- firejail-0.9.64.4/src/firejail/checkcfg.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/checkcfg.c 2021-06-27 18:09:10.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -35,6 +35,8 @@ char *netfilter_default = NULL; unsigned long join_timeout = 5000000; // microseconds char *config_seccomp_error_action_str = "EPERM"; +char *config_seccomp_filter_add = NULL; +char **whitelist_reject_topdirs = NULL; int checkcfg(int val) { assert(val < CFG_MAX); @@ -59,7 +61,7 @@ // open configuration file const char *fname = SYSCONFDIR "/firejail.config"; - fp = fopen(fname, "r"); + fp = fopen(fname, "re"); if (!fp) { #ifdef HAVE_GLOBALCFG fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); @@ -102,7 +104,6 @@ PARSE_YESNO(CFG_USERNS, "userns") PARSE_YESNO(CFG_CHROOT, "chroot") PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") - PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") PARSE_YESNO(CFG_SECCOMP, "seccomp") PARSE_YESNO(CFG_WHITELIST, "whitelist") @@ -110,10 +111,14 @@ PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") - PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") + PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") + PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") + PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc") + PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") - PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") + PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt") + PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv") PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") @@ -130,8 +135,7 @@ *end = '\0'; // is the file present? - struct stat s; - if (stat(fname, &s) == -1) { + if (access(fname, F_OK) == -1) { fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); exit(1); } @@ -215,15 +219,17 @@ } // file copy limit - else if (strncmp(ptr, "file-copy-limit ", 16) == 0) { - if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1) - errExit("setenv"); - } + else if (strncmp(ptr, "file-copy-limit ", 16) == 0) + env_store_name_val("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, SETENV); // timeout for join option else if (strncmp(ptr, "join-timeout ", 13) == 0) join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds + // add rules to default seccomp filter + else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0) + config_seccomp_filter_add = seccomp_check_list(ptr + 19); + // seccomp error action else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { if (strcmp(ptr + 21, "kill") == 0) @@ -240,6 +246,31 @@ errExit("strdup"); } + else if (strncmp(ptr, "whitelist-disable-topdir ", 25) == 0) { + char *str = strdup(ptr + 25); + if (!str) + errExit("strdup"); + + size_t cnt = 0; + size_t sz = 4; + whitelist_reject_topdirs = malloc(sz * sizeof(char *)); + if (!whitelist_reject_topdirs) + errExit("malloc"); + + char *tok = strtok(str, ","); + while (tok) { + whitelist_reject_topdirs[cnt++] = tok; + if (cnt >= sz) { + sz *= 2; + whitelist_reject_topdirs = realloc(whitelist_reject_topdirs, sz * sizeof(char *)); + if (!whitelist_reject_topdirs) + errExit("realloc"); + } + tok = strtok(NULL, ","); + } + whitelist_reject_topdirs[cnt] = NULL; + } + else goto errout; @@ -271,6 +302,14 @@ void print_compiletime_support(void) { printf("Compile time support:\n"); + printf("\t- always force nonewprivs support is %s\n", +#ifdef HAVE_FORCE_NONEWPRIVS + "enabled" +#else + "disabled" +#endif + ); + printf("\t- AppArmor support is %s\n", #ifdef HAVE_APPARMOR "enabled" @@ -335,6 +374,13 @@ #endif ); + printf("\t- output logging is %s\n", +#ifdef HAVE_OUTPUT + "enabled" +#else + "disabled" +#endif + ); printf("\t- overlayfs support is %s\n", #ifdef HAVE_OVERLAYFS "enabled" @@ -382,4 +428,6 @@ "disabled" #endif ); + + } diff -Nru firejail-0.9.64.4/src/firejail/chroot.c firejail-0.9.66/src/firejail/chroot.c --- firejail-0.9.64.4/src/firejail/chroot.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/chroot.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #ifdef HAVE_CHROOT #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -29,7 +30,6 @@ #define O_PATH 010000000 #endif - // exit if error void fs_check_chroot_dir(void) { EUID_ASSERT(); @@ -131,9 +131,9 @@ assert(rootdir); // fails if there is any symlink or if rootdir is not a directory - int parentfd = safe_fd(rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (parentfd == -1) - errExit("safe_fd"); + errExit("safer_openat"); // rootdir has to be owned by root and is not allowed to be generally writable, // this also excludes /tmp and friends struct stat s; @@ -163,30 +163,36 @@ int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd("/dev", fd)) errExit("mounting /dev"); - free(proc); close(fd); - // x11 +#ifdef HAVE_X11 // if users want this mount, they should set FIREJAIL_CHROOT_X11 - if (getenv("FIREJAIL_X11") || getenv("FIREJAIL_CHROOT_X11")) { + if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) { if (arg_debug) printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); + struct stat s1, s2; + if (stat("/tmp", &s1) || lstat("/tmp/.X11-unix", &s2)) + errExit("mounting /tmp/.X11-unix"); + if ((s1.st_mode & S_ISVTX) != S_ISVTX) { + fprintf(stderr, "Error: sticky bit not set on /tmp directory\n"); + exit(1); + } + if (s2.st_uid != 0) { + fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n"); + exit(1); + } + check_subdir(parentfd, "tmp/.X11-unix", 0); fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd("/tmp/.X11-unix", fd)) errExit("mounting /tmp/.X11-unix"); - free(proc); close(fd); } +#endif // HAVE_X11 // some older distros don't have a /run directory, create one by default if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST) @@ -194,7 +200,7 @@ check_subdir(parentfd, "run", 1); // pulseaudio; only support for default directory /run/user/$UID/pulse - if (getenv("FIREJAIL_CHROOT_PULSE")) { + if (env_get("FIREJAIL_CHROOT_PULSE")) { char *pulse; if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1) errExit("asprintf"); @@ -202,29 +208,21 @@ if (arg_debug) printf("Mounting %s on chroot %s\n", orig_pulse, orig_pulse); - int src = safe_fd(orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int src = safer_openat(-1, orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (src == -1) { fprintf(stderr, "Error: cannot open %s\n", orig_pulse); exit(1); } - int dst = safe_fd(pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int dst = safer_openat(-1, pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (dst == -1) { fprintf(stderr, "Error: cannot open %s\n", pulse); exit(1); } - free(pulse); - - char *proc_src, *proc_dst; - if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1) - errExit("asprintf"); - if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) - errExit("asprintf"); - if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - free(proc_src); - free(proc_dst); + if (bind_mount_by_fd(src, dst)) + errExit("mounting pulseaudio"); close(src); close(dst); + free(pulse); // update /etc/machine-id in chroot update_file(parentfd, "etc/machine-id"); @@ -243,11 +241,8 @@ fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd)) errExit("mount bind"); - free(proc); close(fd); // create /run/firejail/mnt directory in chroot @@ -258,29 +253,22 @@ fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd(RUN_MNT_DIR, fd)) errExit("mount bind"); - free(proc); close(fd); // update chroot resolv.conf update_file(parentfd, "etc/resolv.conf"); -#ifdef HAVE_GCOV __gcov_flush(); -#endif + // create /run/firejail/mnt/oroot char *oroot = RUN_OVERLAY_ROOT; if (mkdir(oroot, 0755) == -1) errExit("mkdir"); // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay - if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1) - errExit("asprintf"); - if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_fd_to_path(parentfd, oroot)) errExit("mounting rootdir oroot"); - free(proc); close(parentfd); // chroot into the new directory if (arg_debug) diff -Nru firejail-0.9.64.4/src/firejail/cmdline.c firejail-0.9.66/src/firejail/cmdline.c --- firejail-0.9.64.4/src/firejail/cmdline.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/cmdline.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -26,7 +26,7 @@ #include #include -static int cmdline_length(int argc, char **argv, int index) { +static int cmdline_length(int argc, char **argv, int index, bool want_extra_quotes) { assert(index != -1); unsigned i,j; @@ -46,10 +46,11 @@ len += 3; in_quotes = false; } else { - if (!in_quotes) + if (!in_quotes && want_extra_quotes) len++; len++; - in_quotes = true; + if (want_extra_quotes) + in_quotes = true; } } if (in_quotes) { @@ -64,7 +65,7 @@ return len; } -static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { +static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index, bool want_extra_quotes) { assert(index != -1); unsigned i,j; @@ -103,14 +104,15 @@ // anything other else { - if (!in_quotes) { + if (!in_quotes && want_extra_quotes) { // open quotes ptr1[0] = '\''; ptr1++; } ptr1[0] = argv[i + index][j]; ptr1++; - in_quotes = true; + if (want_extra_quotes) + in_quotes = true; } } // close quotes @@ -134,12 +136,12 @@ assert((unsigned) len == strlen(command_line)); } -void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { +void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) { // index == -1 could happen if we have --shell=none and no program was specified // the program should exit with an error before entering this function assert(index != -1); - int len = cmdline_length(argc, argv, index); + int len = cmdline_length(argc, argv, index, want_extra_quotes); if (len > ARG_MAX) { errno = E2BIG; errExit("cmdline_length"); @@ -152,7 +154,7 @@ if (!*window_title) errExit("malloc"); - quote_cmdline(*command_line, *window_title, len, argc, argv, index); + quote_cmdline(*command_line, *window_title, len, argc, argv, index, want_extra_quotes); if (arg_debug) printf("Building quoted command line: %s\n", *command_line); @@ -161,30 +163,23 @@ assert(*window_title); } -void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) { +void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) { // index == -1 could happen if we have --shell=none and no program was specified // the program should exit with an error before entering this function assert(index != -1); - if (arg_debug) - printf("Building AppImage command line: %s\n", *command_line); - + char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun"; - int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes - int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage - int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun - int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun + int len1 = cmdline_length(argc, argv, index, want_extra_quotes); // length of argv w/o changes + int len2 = cmdline_length(1, &argv[index], 0, want_extra_quotes); // apptest.AppImage + int len3 = cmdline_length(1, &apprun_path, 0, want_extra_quotes); // /run/firejail/appimage/AppRun + int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun if (len4 > ARG_MAX) { errno = E2BIG; errExit("cmdline_length"); } - // save created apprun in cfg.command_line - char *tmp1 = strdup(*command_line); - if (!tmp1) - errExit("strdup"); - // TODO: deal with extra allocated memory. char *command_line_tmp = malloc(len1 + len3 + 1); if (!command_line_tmp) @@ -194,19 +189,18 @@ errExit("malloc"); // run default quote_cmdline - quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index); + quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index, want_extra_quotes); assert(command_line_tmp); assert(*window_title); // 'fix' command_line now - if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1) + if (asprintf(command_line, "'%s' %s", apprun_path, command_line_tmp + len2) == -1) errExit("asprintf"); if (arg_debug) printf("AppImage quoted command line: %s\n", *command_line); // free strdup - free(tmp1); free(command_line_tmp); } diff -Nru firejail-0.9.64.4/src/firejail/cpu.c firejail-0.9.66/src/firejail/cpu.c --- firejail-0.9.64.4/src/firejail/cpu.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/cpu.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -75,7 +75,7 @@ if (cfg.cpus == 0) return; - FILE *fp = fopen(RUN_CPU_CFG, "w"); + FILE *fp = fopen(RUN_CPU_CFG, "wxe"); if (fp) { fprintf(fp, "%x\n", cfg.cpus); SET_PERMS_STREAM(fp, 0, 0, 0600); @@ -91,7 +91,7 @@ if (!fname) return; - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp) { unsigned tmp; int rv = fscanf(fp, "%x", &tmp); @@ -139,7 +139,7 @@ } EUID_ROOT(); // grsecurity - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); EUID_USER(); // grsecurity if (!fp) { printf(" Error: cannot open %s\n", file); diff -Nru firejail-0.9.64.4/src/firejail/dbus.c firejail-0.9.66/src/firejail/dbus.c --- firejail-0.9.64.4/src/firejail/dbus.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/dbus.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -111,7 +111,7 @@ } ++p; } - return in_segment && segments >= 2; + return in_segment && segments >= 1; } int dbus_check_name(const char *name) { @@ -258,12 +258,8 @@ if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1) errExit("asprintf"); struct stat s; - if (stat(dbus_user_socket, &s) == -1) { - if (errno == ENOENT) - goto fail; - return NULL; - errExit("stat"); - } + if (lstat(dbus_user_socket, &s) == -1) + goto fail; if (!S_ISSOCK(s.st_mode)) goto fail; return dbus_user_socket; @@ -329,7 +325,7 @@ errExit("close"); if (arg_dbus_user == DBUS_POLICY_FILTER) { - char *user_env = getenv(DBUS_SESSION_BUS_ADDRESS_ENV); + const char *user_env = env_get(DBUS_SESSION_BUS_ADDRESS_ENV); if (user_env == NULL) { char *dbus_user_socket = find_user_socket(); write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s", @@ -350,7 +346,7 @@ } if (arg_dbus_system == DBUS_POLICY_FILTER) { - char *system_env = getenv(DBUS_SYSTEM_BUS_ADDRESS_ENV); + const char *system_env = env_get(DBUS_SYSTEM_BUS_ADDRESS_ENV); if (system_env == NULL) { write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET); @@ -416,7 +412,7 @@ } static void socket_overlay(char *socket_path, char *proxy_path) { - int fd = safe_fd(proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC); + int fd = safer_openat(-1, proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC); if (fd == -1) errExit("opening DBus proxy socket"); struct stat s; @@ -426,17 +422,13 @@ errno = ENOTSOCK; errExit("mounting DBus proxy socket"); } - char *proxy_fd_path; - if (asprintf(&proxy_fd_path, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proxy_path, socket_path, NULL, MS_BIND | MS_REC, NULL) == -1) + if (bind_mount_fd_to_path(fd, socket_path)) errExit("mount bind"); - free(proxy_fd_path); close(fd); } -static char *get_socket_env(const char *name) { - char *value = getenv(name); +static const char *get_socket_env(const char *name) { + const char *value = env_get(name); if (value == NULL) return NULL; if (strncmp(value, DBUS_SOCKET_PATH_PREFIX, @@ -446,21 +438,13 @@ } void dbus_set_session_bus_env(void) { - if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, - DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { - fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV - " required by --dbus-user\n"); - exit(1); - } + env_store_name_val(DBUS_SESSION_BUS_ADDRESS_ENV, + DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, SETENV); } void dbus_set_system_bus_env(void) { - if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, - DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { - fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV - " required by --dbus-system\n"); - exit(1); - } + env_store_name_val(DBUS_SYSTEM_BUS_ADDRESS_ENV, + DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, SETENV); } static void disable_socket_dir(void) { @@ -486,7 +470,7 @@ create_empty_dir_as_root(RUN_DBUS_DIR, 0755); if (arg_dbus_user != DBUS_POLICY_ALLOW) { - create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700); + create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600); if (arg_dbus_user == DBUS_POLICY_FILTER) { assert(dbus_user_proxy_socket != NULL); @@ -506,7 +490,7 @@ errExit("asprintf"); disable_file_or_dir(dbus_user_socket2); - char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); + const char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 && strcmp(user_env, dbus_user_socket2) != 0) disable_file_or_dir(user_env); @@ -525,7 +509,7 @@ } if (arg_dbus_system != DBUS_POLICY_ALLOW) { - create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700); + create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600); if (arg_dbus_system == DBUS_POLICY_FILTER) { assert(dbus_system_proxy_socket != NULL); @@ -535,7 +519,7 @@ disable_file_or_dir(DBUS_SYSTEM_SOCKET); - char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); + const char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) disable_file_or_dir(system_env); @@ -561,4 +545,4 @@ fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); } -#endif // HAVE_DBUSPROXY \ No newline at end of file +#endif // HAVE_DBUSPROXY diff -Nru firejail-0.9.64.4/src/firejail/dhcp.c firejail-0.9.66/src/firejail/dhcp.c --- firejail-0.9.64.4/src/firejail/dhcp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/dhcp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -93,7 +93,7 @@ while (found == 0 && tries < 10) { if (tries >= 1) usleep(100000); - FILE *pidfile = fopen(client->pid_file, "r"); + FILE *pidfile = fopen(client->pid_file, "re"); if (pidfile) { long pid; if (fscanf(pidfile, "%ld", &pid) == 1) @@ -153,19 +153,13 @@ if (!any_dhcp()) return; - char *dhclient_path = RUN_MNT_DIR "/dhclient";; + char *dhclient_path = RUN_MNT_DIR "/dhclient"; struct stat s; if (stat(dhclient_path, &s) == -1) { - dhclient_path = "/usr/sbin/dhclient"; - if (stat(dhclient_path, &s) == -1) { - fprintf(stderr, "Error: dhclient was not found.\n"); - exit(1); - } + fprintf(stderr, "Error: %s was not found.\n", dhclient_path); + exit(1); } - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); - dhclient_path = RUN_MNT_DIR "/dhclient"; - EUID_ROOT(); if (mkdir(RUN_DHCLIENT_DIR, 0700)) errExit("mkdir"); diff -Nru firejail-0.9.64.4/src/firejail/env.c firejail-0.9.66/src/firejail/env.c --- firejail-0.9.64.4/src/firejail/env.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/env.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -25,8 +25,8 @@ typedef struct env_t { struct env_t *next; - char *name; - char *value; + const char *name; + const char *value; ENV_OP op; } Env; static Env *envlist = NULL; @@ -59,12 +59,7 @@ if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1) errExit("asprintf"); - struct stat s; - if (stat(dirname, &s) == -1) - return; - // find the file - /* coverity[toctou] */ DIR *dir = opendir(dirname); if (!dir) { free(dirname); @@ -84,7 +79,7 @@ char *fname; if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); free(fname); if (!fp) continue; @@ -117,45 +112,35 @@ // default sandbox env variables void env_defaults(void) { // Qt fixes - if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) - errExit("setenv"); - if (setenv("QML_DISABLE_DISK_CACHE", "1", 1) < 0) - errExit("setenv"); -// if (setenv("QTWEBENGINE_DISABLE_SANDBOX", "1", 1) < 0) -// errExit("setenv"); -// if (setenv("MOZ_NO_REMOTE, "1", 1) < 0) -// errExit("setenv"); - if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, - errExit("setenv"); + env_store_name_val("QT_X11_NO_MITSHM", "1", SETENV); + env_store_name_val("QML_DISABLE_DISK_CACHE", "1", SETENV); +// env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV); +// env_store_name_val("MOZ_NO_REMOTE, "1", SETENV); + env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc, if (!cfg.shell) cfg.shell = guess_shell(); - if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) - errExit("setenv"); + if (cfg.shell) + env_store_name_val("SHELL", cfg.shell, SETENV); // spawn KIO slaves inside the sandbox - if (setenv("KDE_FORK_SLAVES", "1", 1) < 0) - errExit("setenv"); + env_store_name_val("KDE_FORK_SLAVES", "1", SETENV); // set prompt color to green int set_prompt = 0; if (checkcfg(CFG_FIREJAIL_PROMPT)) set_prompt = 1; else { // check FIREJAIL_PROMPT="yes" environment variable - char *prompt = getenv("FIREJAIL_PROMPT"); + const char *prompt = env_get("FIREJAIL_PROMPT"); if (prompt && strcmp(prompt, "yes") == 0) set_prompt = 1; } - if (set_prompt) { + if (set_prompt) //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' - if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) - errExit("setenv"); - } - else { + env_store_name_val("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", SETENV); + else // remove PROMPT_COMMAND - if (setenv("PROMPT_COMMAND", ":", 1) < 0) // unsetenv() will not work here, bash still picks it up from somewhere - errExit("setenv"); - } + env_store_name_val("PROMPT_COMMAND", ":", SETENV); // unsetenv() will not work here, bash still picks it up from somewhere // set the window title if (!arg_quiet && isatty(STDOUT_FILENO)) @@ -163,14 +148,13 @@ // pass --quiet as an environment variable, in case the command calls further firejailed commands if (arg_quiet) - setenv("FIREJAIL_QUIET", "yes", 1); + env_store_name_val("FIREJAIL_QUIET", "yes", SETENV); fflush(0); } // parse and store the environment setting void env_store(const char *str, ENV_OP op) { - EUID_ASSERT(); assert(str); // some basic checking @@ -181,8 +165,7 @@ if (!ptr) goto errexit; ptr++; - if (*ptr == '\0') - goto errexit; + op = SETENV; } // build list entry @@ -210,8 +193,40 @@ exit(1); } +void env_store_name_val(const char *name, const char *val, ENV_OP op) { + assert(name); + + // some basic checking + if (*name == '\0') + goto errexit; + + // build list entry + Env *env = calloc(1, sizeof(Env)); + if (!env) + errExit("calloc"); + + env->name = strdup(name); + if (env->name == NULL) + errExit("strdup"); + + if (op == SETENV) { + env->value = strdup(val); + if (env->value == NULL) + errExit("strdup"); + } + env->op = op; + + // add entry to the list + env_add(env); + return; + +errexit: + fprintf(stderr, "Error: invalid --env setting\n"); + exit(1); +} + // set env variables in the new sandbox process -void env_apply(void) { +void env_apply_all(void) { Env *env = envlist; while (env) { @@ -225,3 +240,81 @@ env = env->next; } } + +// get env variable +const char *env_get(const char *name) { + Env *env = envlist; + const char *r = NULL; + + while (env) { + if (strcmp(env->name, name) == 0) { + if (env->op == SETENV) + r = env->value; + else if (env->op == RMENV) + r = NULL; + } + env = env->next; + } + return r; +} + +static const char * const env_whitelist[] = { + "LANG", + "LANGUAGE", + "LC_MESSAGES", + "PATH", + "DISPLAY" // required by X11 +}; + +static const char * const env_whitelist_sbox[] = { + "FIREJAIL_DEBUG", + "FIREJAIL_FILE_COPY_LIMIT", + "FIREJAIL_PLUGIN", + "FIREJAIL_QUIET", + "FIREJAIL_SECCOMP_ERROR_ACTION", + "FIREJAIL_TEST_ARGUMENTS", + "FIREJAIL_TRACEFILE" +}; + +static void env_apply_list(const char * const *list, unsigned int num_items) { + Env *env = envlist; + + while (env) { + if (env->op == SETENV) { + for (unsigned int i = 0; i < num_items; i++) + if (strcmp(env->name, list[i]) == 0) { + // sanity check for whitelisted environment variables + if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) { + fprintf(stderr, "Error: too long environment variable %s, please use --rmenv\n", env->name); + exit(1); + } + + //fprintf(stderr, "whitelisted env var %s=%s\n", env->name, env->value); + if (setenv(env->name, env->value, 1) < 0) + errExit("setenv"); + break; + } + } else if (env->op == RMENV) + unsetenv(env->name); + + env = env->next; + } +} + +// Filter env variables in main firejail process. All variables will +// be reapplied for the sandboxed app by env_apply_all(). +void env_apply_whitelist(void) { + int r; + + r = clearenv(); + if (r != 0) + errExit("clearenv"); + + env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); +} + +// Filter env variables for a sbox app +void env_apply_whitelist_sbox(void) { + env_apply_whitelist(); + env_apply_list(env_whitelist_sbox, ARRAY_SIZE(env_whitelist_sbox)); +} diff -Nru firejail-0.9.64.4/src/firejail/firejail.h firejail-0.9.66/src/firejail/firejail.h --- firejail-0.9.64.4/src/firejail/firejail.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/firejail.h 2021-06-27 18:09:10.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -45,6 +45,15 @@ assert(s.st_gid == gid);\ assert((s.st_mode & 07777) == (mode));\ } while (0) +#define ASSERT_PERMS_AS_USER(file, uid, gid, mode) \ + do { \ + assert(file);\ + struct stat s;\ + if (stat_as_user(file, &s) == -1) errExit("stat");\ + assert(s.st_uid == uid);\ + assert(s.st_gid == gid);\ + assert((s.st_mode & 07777) == (mode));\ + } while (0) #define ASSERT_PERMS_FD(fd, uid, gid, mode) \ do { \ struct stat s;\ @@ -81,6 +90,8 @@ (void) rv;\ } while (0) +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + // main.c typedef struct bridge_t { // on the host @@ -120,26 +131,22 @@ uint8_t configured; } Interface; +typedef struct topdir_t { + char *path; + int fd; +} TopDir; + typedef struct profile_entry_t { struct profile_entry_t *next; char *data; // command // whitelist command parameters - char *link; // link name - set if the file is a link - enum { - WLDIR_HOME = 1, // whitelist in home directory - WLDIR_TMP, // whitelist in /tmp directory - WLDIR_MEDIA, // whitelist in /media directory - WLDIR_MNT, // whitelist in /mnt directory - WLDIR_VAR, // whitelist in /var directory - WLDIR_DEV, // whitelist in /dev directory - WLDIR_OPT, // whitelist in /opt directory - WLDIR_SRV, // whitelist in /srv directory - WLDIR_ETC, // whitelist in /etc directory - WLDIR_SHARE, // whitelist in /usr/share directory - WLDIR_MODULE, // whitelist in /sys/module directory - WLDIR_RUN // whitelist in /run/user/$uid directory - } wldir; + struct wparam_t { + char *file; // resolved file path + char *link; // link path + TopDir *top; // top level directory + } *wparam; + } ProfileEntry; typedef struct config_t { @@ -312,7 +319,6 @@ extern int arg_scan; // arp-scan all interfaces extern int arg_whitelist; // whitelist command extern int arg_nosound; // disable sound -extern int arg_noautopulse; // disable automatic ~/.config/pulse init extern int arg_novideo; //disable video devices in /dev extern int arg_no3d; // disable 3d hardware acceleration extern int arg_quiet; // no output for scripting @@ -321,13 +327,12 @@ extern int arg_nice; // nice value configured extern int arg_ipc; // enable ipc namespace extern int arg_writable_etc; // writable etc +extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init extern int arg_writable_var; // writable var extern int arg_keep_var_tmp; // don't overwrite /var/tmp extern int arg_writable_run_user; // writable /run/user extern int arg_writable_var_log; // writable /var/log extern int arg_appimage; // appimage -extern int arg_audit; // audit -extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor extern int arg_allow_debuggers; // allow debuggers extern int arg_x11_block; // block X11 @@ -339,7 +344,8 @@ extern int arg_memory_deny_write_execute; // block writable and executable memory extern int arg_notv; // --notv extern int arg_nodvd; // --nodvd -extern int arg_nou2f; // --nou2f +extern int arg_nou2f; // --nou2f +extern int arg_noinput; // --noinput extern int arg_deterministic_exit_code; // always exit with first child's exit status typedef enum { @@ -449,6 +455,9 @@ // add a profile entry in cfg.profile list; use str to populate the list void profile_add(char *str); void profile_add_ignore(const char *str); +char *profile_list_normalize(char *list); +char *profile_list_compress(char *list); +void profile_list_augment(char **list, const char *items); // list.c void list(void); @@ -489,6 +498,7 @@ void errLogExit(char* fmt, ...) __attribute__((noreturn)); void fwarning(char* fmt, ...); void fmessage(char* fmt, ...); +long long unsigned parse_arg_size(char *str); void drop_privs(int nogroups); int mkpath_as_root(const char* path); void extract_command_name(int index, char **argv); @@ -498,11 +508,14 @@ void logerr(const char *msg); void set_nice(int inc); int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); -void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); +void copy_file_as_user(const char *srcname, const char *destname, mode_t mode); void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); void touch_file_as_user(const char *fname, mode_t mode); int is_dir(const char *fname); int is_link(const char *fname); +char *realpath_as_user(const char *fname); +int stat_as_user(const char *fname, struct stat *s); +int lstat_as_user(const char *fname, struct stat *s); void trim_trailing_slash_or_dot(char *path); char *line_remove_spaces(const char *buf); char *split_comma(char *str); @@ -525,12 +538,16 @@ unsigned extract_timeout(const char *str); void disable_file_or_dir(const char *fname); void disable_file_path(const char *path, const char *file); -int safe_fd(const char *path, int flags); +int safer_openat(int dirfd, const char *path, int flags); +int remount_by_fd(int dst, unsigned long mountflags); +int bind_mount_by_fd(int src, int dst); +int bind_mount_path_to_fd(const char *srcname, int dst); +int bind_mount_fd_to_path(int src, const char *destname); int has_handler(pid_t pid, int signal); void enter_network_namespace(pid_t pid); int read_pid(const char *name, pid_t *pid); pid_t require_pid(const char *name); -void check_homedir(void); +void check_homedir(const char *dir); // Get info regarding the last kernel mount operation from /proc/self/mountinfo // The return value points to a static area, and will be overwritten by subsequent calls. @@ -566,6 +583,7 @@ void fs_dev_disable_tv(void); void fs_dev_disable_dvd(void); void fs_dev_disable_u2f(void); +void fs_dev_disable_input(void); // fs_home.c // private mode (--private) @@ -647,6 +665,8 @@ // fs_etc.c void fs_machineid(void); +void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list); +void fs_private_dir_mount(const char *private_dir, const char *private_run_dir); void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); // no_sandbox.c @@ -655,7 +675,7 @@ void run_no_sandbox(int argc, char **argv) __attribute__((noreturn)); #define MAX_ENVS 256 // some sane maximum number of environment variables -#define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH +#define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps // env.c typedef enum { SETENV = 0, @@ -663,8 +683,12 @@ } ENV_OP; void env_store(const char *str, ENV_OP op); -void env_apply(void); +void env_store_name_val(const char *name, const char *val, ENV_OP op); +void env_apply_all(void); +void env_apply_whitelist(void); +void env_apply_whitelist_sbox(void); void env_defaults(void); +const char *env_get(const char *name); void env_ibus_load(void); // fs_whitelist.c @@ -755,20 +779,23 @@ CFG_WHITELIST, CFG_XEPHYR_WINDOW_TITLE, CFG_OVERLAYFS, - CFG_PRIVATE_HOME, + CFG_PRIVATE_BIN, CFG_PRIVATE_BIN_NO_LOCAL, + CFG_PRIVATE_CACHE, + CFG_PRIVATE_ETC, + CFG_PRIVATE_HOME, + CFG_PRIVATE_LIB, + CFG_PRIVATE_OPT, + CFG_PRIVATE_SRV, CFG_FIREJAIL_PROMPT, - CFG_FOLLOW_SYMLINK_AS_USER, CFG_DISABLE_MNT, CFG_JOIN, CFG_ARP_PROBES, CFG_XPRA_ATTACH, CFG_BROWSER_DISABLE_U2F, CFG_BROWSER_ALLOW_DRM, - CFG_PRIVATE_LIB, CFG_APPARMOR, CFG_DBUS, - CFG_PRIVATE_CACHE, CFG_CGROUP, CFG_NAME_CHANGE, CFG_SECCOMP_ERROR_ACTION, @@ -783,21 +810,24 @@ extern char *netfilter_default; extern unsigned long join_timeout; extern char *config_seccomp_error_action_str; +extern char *config_seccomp_filter_add; +extern char **whitelist_reject_topdirs; int checkcfg(int val); void print_compiletime_support(void); // appimage.c +int appimage_find_profile(const char *archive); void appimage_set(const char *appimage_path); +void appimage_mount(void); void appimage_clear(void); -const char *appimage_getdir(void); // appimage_size.c -long unsigned int appimage2_size(const char *fname); +long unsigned int appimage2_size(int fd); // cmdline.c -void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); -void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path); +void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes); +void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes); // sbox.c // programs diff -Nru firejail-0.9.64.4/src/firejail/fs_bin.c firejail-0.9.66/src/firejail/fs_bin.c --- firejail-0.9.64.4/src/firejail/fs_bin.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_bin.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firejail/fs.c firejail-0.9.66/src/firejail/fs.c --- firejail-0.9.64.4/src/firejail/fs.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -54,16 +55,10 @@ [MOUNT_RDWR_NOCHECK] = "read-write", }; -typedef enum { - UNSUCCESSFUL, - SUCCESSFUL -} LAST_DISABLE_OPERATION; -LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL; - static void disable_file(OPERATION op, const char *filename) { assert(filename); assert(op next; continue; @@ -375,16 +395,12 @@ op = MOUNT_TMPFS; } else if (strncmp(entry->data, "mkdir ", 6) == 0) { - EUID_USER(); fs_mkdir(entry->data + 6); - EUID_ROOT(); entry = entry->next; continue; } else if (strncmp(entry->data, "mkfile ", 7) == 0) { - EUID_USER(); fs_mkfile(entry->data + 7); - EUID_ROOT(); entry = entry->next; continue; } @@ -440,6 +456,8 @@ for (i = 0; i < noblacklist_c; i++) free(noblacklist[i]); free(noblacklist); + + EUID_ROOT(); } //*********************************************** @@ -448,11 +466,12 @@ // mount a writable tmpfs on directory; requires a resolved path void fs_tmpfs(const char *dir, unsigned check_owner) { + EUID_USER(); assert(dir); if (arg_debug) printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); // get a file descriptor for dir, fails if there is any symlink - int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("while opening directory"); struct stat s; @@ -472,6 +491,7 @@ errExit("fstatvfs"); unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND); // mount via the symbolic link in /proc/self/fd + EUID_ROOT(); char *proc; if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) errExit("asprintf"); @@ -487,17 +507,18 @@ close(fd); } -// remount path, but preserve existing mount flags; requires a resolved path +// remount path, preserving other mount flags; requires a resolved path static void fs_remount_simple(const char *path, OPERATION op) { + EUID_ASSERT(); assert(path); // open path without following symbolic links - int fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) + int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (fd < 0) goto out; - // identify file owner + struct stat s; - if (fstat(fd, &s) == -1) { + if (fstat(fd, &s) < 0) { // fstat can fail with EACCES if path is a FUSE mount, // mounted without 'allow_root' or 'allow_other' if (errno != EACCES) @@ -507,8 +528,10 @@ } // get mount flags struct statvfs buf; - if (fstatvfs(fd, &buf) == -1) - errExit("fstatvfs"); + if (fstatvfs(fd, &buf) < 0) { + close(fd); + goto out; + } unsigned long flags = buf.f_flag; // read-write option @@ -519,7 +542,7 @@ return; } // allow only user owned directories, except the user is root - if (op == MOUNT_RDWR && getuid() != 0 && s.st_uid != getuid()) { + if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) { fwarning("you are not allowed to change %s to read-write\n", path); close(fd); return; @@ -549,24 +572,37 @@ if (arg_debug) printf("Mounting %s %s\n", opstr[op], path); - // mount --bind /bin /bin - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount"); - free(proc); - close(fd); - // mount --bind -o remount,ro /bin - // we need to open path again - fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) - errExit("mount"); + // make path a mount point: + // mount --bind path path + EUID_ROOT(); + int err = bind_mount_by_fd(fd, fd); + EUID_USER(); + if (err) { + close(fd); + goto out; + } + + // remount the mount point + // need to open path again + int fd2 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC); + close(fd); // earliest timepoint to close fd + if (fd2 < 0) + goto out; + + // device and inode number should be the same + struct stat s2; + if (fstat(fd2, &s2) < 0) + errExit("fstat"); + if (s.st_dev != s2.st_dev || s.st_ino != s2.st_ino) + errLogExit("invalid %s mount", opstr[op]); + + EUID_ROOT(); + err = remount_by_fd(fd2, flags); + EUID_USER(); + close(fd2); + if (err) + goto out; // run a sanity check on /proc/self/mountinfo and confirm that target of the last // mount operation was path; if there are other mount points contained inside path, @@ -577,9 +613,8 @@ (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) && strcmp(path, "/") != 0) // support read-only=/ errLogExit("invalid %s mount", opstr[op]); + fs_logger2(opstr[op], path); - free(proc); - close(fd); return; out: @@ -588,7 +623,9 @@ // remount recursively; requires a resolved path static void fs_remount_rec(const char *dir, OPERATION op) { + EUID_ASSERT(); assert(dir); + struct stat s; if (stat(dir, &s) != 0) return; @@ -626,6 +663,14 @@ // resolve a path and remount it void fs_remount(const char *path, OPERATION op, int rec) { assert(path); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + char *rpath = realpath(path, NULL); if (rpath) { if (rec) @@ -634,10 +679,14 @@ fs_remount_simple(rpath, op); free(rpath); } + + if (called_as_root) + EUID_ROOT(); } // Disable /mnt, /media, /run/mount and /run/media access void fs_mnt(const int enforce) { + EUID_USER(); if (enforce) { // disable-mnt set in firejail.config // overriding with noblacklist is not possible in this case @@ -647,13 +696,12 @@ disable_file(BLACKLIST_FILE, "/run/media"); } else { - EUID_USER(); profile_add("blacklist /mnt"); profile_add("blacklist /media"); profile_add("blacklist /run/mount"); profile_add("blacklist /run/media"); - EUID_ROOT(); } + EUID_ROOT(); } @@ -668,7 +716,6 @@ errExit("mounting /proc/sys"); fs_logger("read-only /proc/sys"); - /* Mount a version of /sys that describes the network namespace */ if (arg_debug) printf("Remounting /sys directory\n"); @@ -683,13 +730,13 @@ else fs_logger("remount /sys"); + EUID_USER(); + disable_file(BLACKLIST_FILE, "/sys/firmware"); disable_file(BLACKLIST_FILE, "/sys/hypervisor"); { // allow user access to some directories in /sys/ by specifying 'noblacklist' option - EUID_USER(); profile_add("blacklist /sys/fs"); profile_add("blacklist /sys/module"); - EUID_ROOT(); } disable_file(BLACKLIST_FILE, "/sys/power"); disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); @@ -733,12 +780,8 @@ // disable /dev/port disable_file(BLACKLIST_FILE, "/dev/port"); - - // disable various ipc sockets in /run/user if (!arg_writable_run_user) { - struct stat s; - char *fname; if (asprintf(&fname, "/run/user/%d", getuid()) == -1) errExit("asprintf"); @@ -749,8 +792,7 @@ errExit("asprintf"); if (create_empty_dir_as_user(fnamegpg, 0700)) fs_logger2("create", fnamegpg); - if (stat(fnamegpg, &s) == 0) - disable_file(BLACKLIST_FILE, fnamegpg); + disable_file(BLACKLIST_FILE, fnamegpg); free(fnamegpg); // disable /run/user/{uid}/systemd @@ -759,8 +801,7 @@ errExit("asprintf"); if (create_empty_dir_as_user(fnamesysd, 0755)) fs_logger2("create", fnamesysd); - if (stat(fnamesysd, &s) == 0) - disable_file(BLACKLIST_FILE, fnamesysd); + disable_file(BLACKLIST_FILE, fnamesysd); free(fnamesysd); } free(fname); @@ -771,37 +812,30 @@ disable_file(BLACKLIST_FILE, "/dev/kmsg"); disable_file(BLACKLIST_FILE, "/proc/kmsg"); } + + EUID_ROOT(); } // disable firejail configuration in ~/.config/firejail void disable_config(void) { - struct stat s; - + EUID_USER(); char *fname; if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) errExit("asprintf"); - if (stat(fname, &s) == 0) - disable_file(BLACKLIST_FILE, fname); + disable_file(BLACKLIST_FILE, fname); free(fname); // disable run time information - if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); - if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); - if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); - if (stat(RUN_FIREJAIL_PROFILE_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); - if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); - if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); + EUID_ROOT(); } // build a basic read-only filesystem -// top level directories could be links, run no after-mount checks void fs_basic_fs(void) { uid_t uid = getuid(); @@ -811,6 +845,7 @@ if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mounting /proc"); + EUID_USER(); if (arg_debug) printf("Basic read-only filesystem:\n"); if (!arg_writable_etc) { @@ -830,6 +865,7 @@ fs_remount("/lib64", MOUNT_READONLY, 1); fs_remount("/lib32", MOUNT_READONLY, 1); fs_remount("/libx32", MOUNT_READONLY, 1); + EUID_ROOT(); // update /var directory in order to support multiple sandboxes running on the same root directory fs_var_lock(); @@ -858,6 +894,7 @@ #ifdef HAVE_OVERLAYFS char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { assert(subdirname); + EUID_ASSERT(); struct stat s; char *dirname; @@ -988,9 +1025,9 @@ char *firejail; if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); - int fd = safe_fd(firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) - errExit("safe_fd"); + errExit("safer_openat"); free(firejail); // create basedir if it doesn't exist // the new directory will be owned by root @@ -1173,9 +1210,8 @@ fs_logger("whitelist /tmp"); // chroot in the new filesystem -#ifdef HAVE_GCOV __gcov_flush(); -#endif + if (chroot(oroot) == -1) errExit("chroot"); @@ -1217,11 +1253,12 @@ // this function is called from sandbox.c before blacklist/whitelist functions void fs_private_tmp(void) { + EUID_ASSERT(); if (arg_debug) printf("Generate private-tmp whitelist commands\n"); // check XAUTHORITY file, KDE keeps it under /tmp - char *xauth = getenv("XAUTHORITY"); + const char *xauth = env_get("XAUTHORITY"); if (xauth) { char *rp = realpath(xauth, NULL); if (rp && strncmp(rp, "/tmp/", 5) == 0) { @@ -1237,8 +1274,8 @@ // whitelist x11 directory profile_add("whitelist /tmp/.X11-unix"); - // read-only x11 directory - profile_add("read-only /tmp/.X11-unix"); + // read-only x11 directory + profile_add("read-only /tmp/.X11-unix"); // whitelist any pulse* file in /tmp directory // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user diff -Nru firejail-0.9.64.4/src/firejail/fs_dev.c firejail-0.9.66/src/firejail/fs_dev.c --- firejail-0.9.64.4/src/firejail/fs_dev.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_dev.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -41,6 +41,7 @@ DEV_TV, DEV_DVD, DEV_U2F, + DEV_INPUT } DEV_TYPE; @@ -89,6 +90,7 @@ {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F}, {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F}, {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F}, // USB devices such as Yubikey, U2F + {"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT}, {NULL, NULL, DEV_NONE} }; @@ -103,7 +105,8 @@ (dev[i].type == DEV_VIDEO && arg_novideo == 0) || (dev[i].type == DEV_TV && arg_notv == 0) || (dev[i].type == DEV_DVD && arg_nodvd == 0) || - (dev[i].type == DEV_U2F && arg_nou2f == 0)) { + (dev[i].type == DEV_U2F && arg_nou2f == 0) || + (dev[i].type == DEV_INPUT && arg_noinput == 0)) { int dir = is_dir(dev[i].run_fname); if (arg_debug) @@ -119,7 +122,7 @@ i++; continue; } - FILE *fp = fopen(dev[i].dev_fname, "w"); + FILE *fp = fopen(dev[i].dev_fname, "we"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); @@ -184,8 +187,10 @@ static void process_dev_shm(void) { // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...) // looking for jack socket + EUID_USER(); glob_t globbuf; int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf); + EUID_ROOT(); if (globerr && !arg_keep_dev_shm) { empty_dev_shm(); return; @@ -215,7 +220,7 @@ struct stat s; if (stat("/dev/log", &s) == 0) { have_devlog = 1; - FILE *fp = fopen(RUN_DEVLOG_FILE, "w"); + FILE *fp = fopen(RUN_DEVLOG_FILE, "we"); if (!fp) have_devlog = 0; else { @@ -236,7 +241,7 @@ // bring back /dev/log if (have_devlog) { - FILE *fp = fopen("/dev/log", "w"); + FILE *fp = fopen("/dev/log", "we"); if (fp) { fprintf(fp, "\n"); fclose(fp); @@ -385,4 +390,13 @@ disable_file_or_dir(dev[i].dev_fname); i++; } +} + +void fs_dev_disable_input(void) { + int i = 0; + while (dev[i].dev_fname != NULL) { + if (dev[i].type == DEV_INPUT) + disable_file_or_dir(dev[i].dev_fname); + i++; + } } diff -Nru firejail-0.9.64.4/src/firejail/fs_etc.c firejail-0.9.66/src/firejail/fs_etc.c --- firejail-0.9.64.4/src/firejail/fs_etc.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_etc.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include #include #include #include @@ -51,7 +52,7 @@ mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; // write it in a file - FILE *fp = fopen(RUN_MACHINEID, "w"); + FILE *fp = fopen(RUN_MACHINEID, "we"); if (!fp) errExit("fopen"); fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]); @@ -75,6 +76,44 @@ } } +// Duplicate directory structure from src to dst by creating empty directories. +// The paths _must_ be identical after their respective prefixes. +// When finished, dst will point to the target directory. That is, if +// it starts out pointing to a file, it will instead be truncated so +// that it contains the parent directory instead. +static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) { + char *p = src + src_prefix_len + 1; + char *q = dst + dst_prefix_len + 1; + char *r = dst + dst_prefix_len; + struct stat s; + bool last = false; + *r = '\0'; + for (; !last; p++, q++) { + if (*p == '\0') { + last = true; + } + if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) { + // We found a new component of our src path. + // Null-terminate it temporarily here so that we can work + // with it. + *p = '\0'; + if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { + // Null-terminate the dst path and undo its previous + // termination. + *q = '\0'; + *r = '/'; + r = q; + create_empty_dir_as_root(dst, s.st_mode); + } + if (!last) { + // If we're not at the final terminating null, restore + // the slash so that we can continue our traversal. + *p = '/'; + } + } + } +} + // return 0 if file not found, 1 if found static int check_dir_or_file(const char *fname) { assert(fname); @@ -102,7 +141,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { assert(fname); - if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) { + if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) { fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); exit(1); } @@ -118,27 +157,22 @@ } if (arg_debug) - printf("copying %s to private %s\n", src, private_dir); + printf("Copying %s to private %s\n", src, private_dir); - struct stat s; - if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { - // create the directory in RUN_ETC_DIR - char *dirname; - if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) - errExit("asprintf"); - create_empty_dir_as_root(dirname, s.st_mode); - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); - free(dirname); - } - else - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir); + char *dst; + if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1) + errExit("asprintf"); + build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir)); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst); + + free(dst); fs_logger2("clone", src); free(src); } -void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) { +void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list) { assert(private_dir); assert(private_run_dir); assert(private_list); @@ -147,12 +181,10 @@ struct stat s; if (stat(private_dir, &s) == -1) { if (arg_debug) - printf("Cannot find %s\n", private_dir); + printf("Cannot find %s: %s\n", private_dir, strerror(errno)); return; } - timetrace_start(); - // create /run/firejail/mnt/etc directory mkdir_attr(private_run_dir, 0755, 0, 0); selinux_relabel_path(private_run_dir, private_dir); @@ -185,9 +217,23 @@ free(dlist); fs_logger_print(); } +} + +void fs_private_dir_mount(const char *private_dir, const char *private_run_dir) { + assert(private_dir); + assert(private_run_dir); if (arg_debug) printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir); + + // nothing to do if directory does not exist + struct stat s; + if (stat(private_dir, &s) == -1) { + if (arg_debug) + printf("Cannot find %s: %s\n", private_dir, strerror(errno)); + return; + } + if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); fs_logger2("mount", private_dir); @@ -196,6 +242,11 @@ if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs"); fs_logger2("tmpfs", private_run_dir); +} +void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) { + timetrace_start(); + fs_private_dir_copy(private_dir, private_run_dir, private_list); + fs_private_dir_mount(private_dir, private_run_dir); fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); } diff -Nru firejail-0.9.64.4/src/firejail/fs_home.c firejail-0.9.66/src/firejail/fs_home.c --- firejail-0.9.64.4/src/firejail/fs_home.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_home.c 2021-06-27 18:09:10.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -31,27 +31,27 @@ #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif -static void skel(const char *homedir, uid_t u, gid_t g) { - char *fname; +static void skel(const char *homedir) { + EUID_ASSERT(); // zsh if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) { // copy skel files + char *fname; if (asprintf(&fname, "%s/.zshrc", homedir) == -1) errExit("asprintf"); - struct stat s; // don't copy it if we already have the file - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) return; - if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (stat("/etc/skel/.zshrc", &s) == 0) { - copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user + if (access("/etc/skel/.zshrc", R_OK) == 0) { + copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user fs_logger("clone /etc/skel/.zshrc"); fs_logger2("clone", fname); } @@ -65,19 +65,18 @@ // csh else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) { // copy skel files + char *fname; if (asprintf(&fname, "%s/.cshrc", homedir) == -1) errExit("asprintf"); - struct stat s; - // don't copy it if we already have the file - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) return; - if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (stat("/etc/skel/.cshrc", &s) == 0) { - copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user + if (access("/etc/skel/.cshrc", R_OK) == 0) { + copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user fs_logger("clone /etc/skel/.cshrc"); fs_logger2("clone", fname); } @@ -91,18 +90,18 @@ // bash etc. else { // copy skel files + char *fname; if (asprintf(&fname, "%s/.bashrc", homedir) == -1) errExit("asprintf"); - struct stat s; // don't copy it if we already have the file - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) return; - if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (stat("/etc/skel/.bashrc", &s) == 0) { - copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user + if (access("/etc/skel/.bashrc", R_OK) == 0) { + copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user fs_logger("clone /etc/skel/.bashrc"); fs_logger2("clone", fname); } @@ -112,6 +111,7 @@ } static int store_xauthority(void) { + EUID_ASSERT(); if (arg_x11_block) return 0; @@ -122,15 +122,16 @@ errExit("asprintf"); struct stat s; - if (stat(src, &s) == 0) { - if (is_link(src)) { + if (lstat(src, &s) == 0) { + if (S_ISLNK(s.st_mode)) { fwarning("invalid .Xauthority file\n"); free(src); return 0; } // create an empty file as root, and change ownership to user - FILE *fp = fopen(dest, "w"); + EUID_ROOT(); + FILE *fp = fopen(dest, "we"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); @@ -138,10 +139,11 @@ } else errExit("fopen"); + EUID_USER(); - copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user - fs_logger2("clone", dest); + copy_file_as_user(src, dest, 0600); // regular user selinux_relabel_path(dest, src); + fs_logger2("clone", dest); free(src); return 1; // file copied } @@ -151,6 +153,7 @@ } static int store_asoundrc(void) { + EUID_ASSERT(); if (arg_nosound) return 0; @@ -161,11 +164,11 @@ errExit("asprintf"); struct stat s; - if (stat(src, &s) == 0) { - if (is_link(src)) { + if (lstat(src, &s) == 0) { + if (S_ISLNK(s.st_mode)) { // make sure the real path of the file is inside the home directory /* coverity[toctou] */ - char* rp = realpath(src, NULL); + char *rp = realpath(src, NULL); if (!rp) { fprintf(stderr, "Error: Cannot access %s\n", src); exit(1); @@ -178,7 +181,8 @@ } // create an empty file as root, and change ownership to user - FILE *fp = fopen(dest, "w"); + EUID_ROOT(); + FILE *fp = fopen(dest, "we"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); @@ -186,10 +190,11 @@ } else errExit("fopen"); + EUID_USER(); - copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user - selinux_relabel_path(dest, src); + copy_file_as_user(src, dest, 0644); // regular user fs_logger2("clone", dest); + selinux_relabel_path(dest, src); free(src); return 1; // file copied } @@ -199,6 +204,7 @@ } static void copy_xauthority(void) { + EUID_ASSERT(); // copy XAUTHORITY_FILE in the new home directory char *src = RUN_XAUTHORITY_FILE ; char *dest; @@ -211,16 +217,18 @@ exit(1); } - copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user - selinux_relabel_path(dest, src); + copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); + selinux_relabel_path(dest, dest); free(dest); - // delete the temporary file - unlink(src); + EUID_ROOT(); + unlink(src); // delete the temporary file + EUID_USER(); } static void copy_asoundrc(void) { + EUID_ASSERT(); // copy ASOUNDRC_FILE in the new home directory char *src = RUN_ASOUNDRC_FILE ; char *dest; @@ -233,12 +241,14 @@ exit(1); } - copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user + copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); + selinux_relabel_path(dest, dest); free(dest); - // delete the temporary file - unlink(src); + EUID_ROOT(); + unlink(src); // delete the temporary file + EUID_USER(); } // private mode (--private=homedir): @@ -251,21 +261,22 @@ char *private_homedir = cfg.home_private; assert(homedir); assert(private_homedir); + EUID_ASSERT(); + + uid_t u = getuid(); + // gid_t g = getgid(); int xflag = store_xauthority(); int aflag = store_asoundrc(); - uid_t u = getuid(); - gid_t g = getgid(); - // mount bind private_homedir on top of homedir if (arg_debug) printf("Mount-bind %s on top of %s\n", private_homedir, homedir); // get file descriptors for homedir and private_homedir, fails if there is any symlink - int src = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (src == -1) errExit("opening private directory"); - int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int dst = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (dst == -1) errExit("opening home directory"); // both mount source and target should be owned by the user @@ -286,17 +297,11 @@ exit(1); } // mount via the links in /proc/self/fd - char *proc_src, *proc_dst; - if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1) - errExit("asprintf"); - if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) - errExit("asprintf"); - if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) + EUID_ROOT(); + if (bind_mount_by_fd(src, dst)) errExit("mount bind"); - free(proc_src); - free(proc_dst); - close(src); - close(dst); + EUID_USER(); + // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); size_t len = strlen(homedir); @@ -304,6 +309,8 @@ (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) errLogExit("invalid private mount"); + close(src); + close(dst); fs_logger3("mount-bind", private_homedir, homedir); fs_logger2("whitelist", homedir); // preserve mode and ownership @@ -312,6 +319,7 @@ // if (chmod(homedir, s.st_mode) == -1) // errExit("mount-bind chmod"); + EUID_ROOT(); if (u != 0) { // mask /root if (arg_debug) @@ -330,8 +338,9 @@ selinux_relabel_path("/home", "/home"); fs_logger("tmpfs /home"); } + EUID_USER(); - skel(homedir, u, g); + skel(homedir); if (xflag) copy_xauthority(); if (aflag) @@ -346,12 +355,15 @@ void fs_private(void) { char *homedir = cfg.homedir; assert(homedir); + EUID_ASSERT(); + uid_t u = getuid(); gid_t g = getgid(); int xflag = store_xauthority(); int aflag = store_asoundrc(); + EUID_ROOT(); // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); @@ -384,7 +396,6 @@ if (chown(homedir, u, g) < 0) errExit("chown"); - selinux_relabel_path(homedir, homedir); fs_logger2("mkdir", homedir); fs_logger2("tmpfs", homedir); } @@ -392,9 +403,12 @@ // mask user home directory // the directory should be owned by the current user fs_tmpfs(homedir, 1); + + selinux_relabel_path(homedir, homedir); } + EUID_USER(); - skel(homedir, u, g); + skel(homedir); if (xflag) copy_xauthority(); if (aflag) @@ -437,6 +451,7 @@ // --private-home //*********************************************************************************** static char *check_dir_or_file(const char *name) { + EUID_ASSERT(); assert(name); // basic checks @@ -497,6 +512,7 @@ } static void duplicate(char *name) { + EUID_ASSERT(); char *fname = check_dir_or_file(name); if (arg_debug) @@ -534,28 +550,31 @@ // set skel files, // restore .Xauthority void fs_private_home_list(void) { - timetrace_start(); - char *homedir = cfg.homedir; char *private_list = cfg.home_private_keep; assert(homedir); assert(private_list); + EUID_ASSERT(); - int xflag = store_xauthority(); - int aflag = store_asoundrc(); + timetrace_start(); uid_t uid = getuid(); gid_t gid = getgid(); + int xflag = store_xauthority(); + int aflag = store_asoundrc(); + // create /run/firejail/mnt/home directory + EUID_ROOT(); mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); - selinux_relabel_path(RUN_HOME_DIR, "/home"); + selinux_relabel_path(RUN_HOME_DIR, homedir); + fs_logger_print(); // save the current log + EUID_USER(); + // copy the list of files in the new home directory if (arg_debug) printf("Copying files in the new home:\n"); - - // copy the list of files in the new home directory char *dlist = strdup(cfg.home_private_keep); if (!dlist) errExit("strdup"); @@ -575,7 +594,7 @@ if (arg_debug) printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir); - int fd = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int fd = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("opening home directory"); // home directory should be owned by the user @@ -588,24 +607,19 @@ exit(1); } // mount using the file descriptor - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + EUID_ROOT(); + if (bind_mount_path_to_fd(RUN_HOME_DIR, fd)) errExit("mount bind"); - free(proc); + EUID_USER(); close(fd); + // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) errLogExit("invalid private-home mount"); fs_logger2("tmpfs", homedir); - // mask RUN_HOME_DIR, it is writable and not noexec - if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs"); - fs_logger2("tmpfs", RUN_HOME_DIR); - + EUID_ROOT(); if (uid != 0) { // mask /root if (arg_debug) @@ -625,7 +639,12 @@ fs_logger("tmpfs /home"); } - skel(homedir, uid, gid); + // mask RUN_HOME_DIR, it is writable and not noexec + if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mounting tmpfs"); + EUID_USER(); + + skel(homedir); if (xflag) copy_xauthority(); if (aflag) diff -Nru firejail-0.9.64.4/src/firejail/fs_hostname.c firejail-0.9.66/src/firejail/fs_hostname.c --- firejail-0.9.64.4/src/firejail/fs_hostname.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_hostname.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -47,11 +47,11 @@ printf("Creating a new /etc/hosts file\n"); // copy /etc/host into our new file, and modify it on the fly /* coverity[toctou] */ - FILE *fp1 = fopen("/etc/hosts", "r"); + FILE *fp1 = fopen("/etc/hosts", "re"); if (!fp1) goto errexit; - FILE *fp2 = fopen(RUN_HOSTS_FILE, "w"); + FILE *fp2 = fopen(RUN_HOSTS_FILE, "we"); if (!fp2) { fclose(fp1); goto errexit; @@ -165,7 +165,7 @@ if (arg_debug) printf("Creating a new /etc/resolv.conf file\n"); - FILE *fp = fopen("/etc/resolv.conf", "w"); + FILE *fp = fopen("/etc/resolv.conf", "wxe"); if (!fp) { fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); exit(1); diff -Nru firejail-0.9.64.4/src/firejail/fs_lib2.c firejail-0.9.66/src/firejail/fs_lib2.c --- firejail-0.9.64.4/src/firejail/fs_lib2.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_lib2.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -21,9 +21,8 @@ #include #include -extern void fslib_duplicate(const char *full_path); -extern void fslib_copy_libs(const char *full_path); -extern void fslib_copy_dir(const char *full_path); +extern void fslib_mount_libs(const char *full_path, unsigned user); +extern void fslib_mount(const char *full_path); //*************************************************************** // Standard C library @@ -97,7 +96,8 @@ if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) errExit("asprintf"); - fslib_duplicate(fname); + fslib_mount(fname); + free(fname); } } closedir(dir); @@ -118,11 +118,56 @@ // install locale if (stat("/usr/lib/locale", &s) == 0) - fslib_copy_dir("/usr/lib/locale"); + fslib_mount("/usr/lib/locale"); fmessage("Standard C library installed in %0.2f ms\n", timetrace_end()); } +//*************************************************************** +// Firejail libraries +//*************************************************************** + +static void fdir(void) { + // firejail directory itself + fslib_mount(LIBDIR "/firejail"); + + // executables and libraries from firejail directory + static const char * const fbin[] = { + PATH_FCOPY, // currently sufficient to find all needed libraries + // PATH_FSECCOMP, + // PATH_FSEC_OPTIMIZE, + // PATH_FSEC_PRINT, + // RUN_FIREJAIL_LIB_DIR "/libtrace.so", + // RUN_FIREJAIL_LIB_DIR "/libtracelog.so", + // RUN_FIREJAIL_LIB_DIR "/libpostexecseccomp.so", + NULL, + }; + + // need to parse as root user, unprivileged users have no read permission on executables + int i; + for (i = 0; fbin[i]; i++) + fslib_mount_libs(fbin[i], 0); +} + +void fslib_install_firejail(void) { + timetrace_start(); + // bring in firejail executable libraries, in case we are redirected here + // by a firejail symlink from /usr/local/bin/firejail + fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user + + // bring in firejail directory + fdir(); + + // bring in dhclient libraries + if (any_dhcp()) + fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user + + // bring in xauth libraries + if (arg_x11_xorg) + fslib_mount_libs("/usr/bin/xauth", 1); // parse as user + + fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); +} //*************************************************************** // various system libraries @@ -268,8 +313,8 @@ if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } else { free(name); @@ -277,8 +322,8 @@ if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } } free(name); @@ -288,8 +333,8 @@ if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } else { free(name); @@ -297,8 +342,8 @@ if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } } free(name); diff -Nru firejail-0.9.64.4/src/firejail/fs_lib.c firejail-0.9.66/src/firejail/fs_lib.c --- firejail-0.9.64.4/src/firejail/fs_lib.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_lib.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -23,16 +23,44 @@ #include #include #include -#include +#include +#include #include #define MAXBUF 4096 extern void fslib_install_stdc(void); +extern void fslib_install_firejail(void); extern void fslib_install_system(void); static int lib_cnt = 0; static int dir_cnt = 0; +static const char *masked_lib_dirs[] = { + "/usr/lib64", + "/lib64", + "/usr/lib", + "/lib", + "/usr/local/lib64", + "/usr/local/lib", + NULL, +}; + +// return 1 if the file is in masked_lib_dirs[] +static int valid_full_path(const char *full_path) { + if (strstr(full_path, "..")) + return 0; + + int i = 0; + while (masked_lib_dirs[i]) { + size_t len = strlen(masked_lib_dirs[i]); + if (strncmp(full_path, masked_lib_dirs[i], len) == 0 && + full_path[len] == '/') + return 1; + i++; + } + return 0; +} + char *find_in_path(const char *program) { EUID_ASSERT(); if (arg_debug) @@ -44,9 +72,10 @@ errExit("readlink"); self[len] = '\0'; - char *path = getenv("PATH"); + const char *path = env_get("PATH"); if (!path) return NULL; + char *dup = strdup(path); if (!dup) errExit("strdup"); @@ -79,22 +108,6 @@ return NULL; } -static void report_duplication(const char *full_path) { - char *fname = strrchr(full_path, '/'); - if (fname && *(++fname) != '\0') { - // report the file on all bin paths - int i = 0; - while (default_lib_paths[i]) { - char *p; - if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1) - errExit("asprintf"); - fs_logger2("clone", p); - free(p); - i++; - } - } -} - static char *build_dest_dir(const char *full_path) { assert(full_path); if (strstr(full_path, "/x86_64-linux-gnu/")) @@ -102,71 +115,112 @@ return RUN_LIB_DIR; } -// copy fname in private_run_dir -void fslib_duplicate(const char *full_path) { +// return name of mount target in allocated memory +static char *build_dest_name(const char *full_path) { assert(full_path); + char *fname = strrchr(full_path, '/'); + assert(fname); + fname++; + // no trailing slash or dot + assert(fname[0] != '\0' && (fname[0] != '.' || fname[1] != '\0')); - struct stat s; - if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)) - return; + char *dest; + if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), fname) == -1) + errExit("asprintf"); + return dest; +} - char *dest_dir = build_dest_dir(full_path); +static void fslib_mount_dir(const char *full_path) { + // create new directory and mount the original on top of it + char *dest = build_dest_name(full_path); + if (mkdir(dest, 0755) == -1) { + if (errno == EEXIST) { // directory has been mounted already, nothing to do + free(dest); + return; + } + errExit("mkdir"); + } - // don't copy it if the file is already there - char *ptr = strrchr(full_path, '/'); - if (!ptr) - return; - ptr++; - if (*ptr == '\0') - return; + if (arg_debug || arg_debug_private_lib) + printf(" mounting %s on %s\n", full_path, dest); + // if full_path is a symbolic link, mount will follow it + if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + free(dest); + dir_cnt++; +} - char *name; - if (asprintf(&name, "%s/%s", dest_dir, ptr) == -1) - errExit("asprintf"); - if (stat(name, &s) == 0) { - free(name); - return; +static void fslib_mount_file(const char *full_path) { + // create new file and mount the original on top of it + char *dest = build_dest_name(full_path); + int fd = open(dest, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); + if (fd == -1) { + if (errno == EEXIST) { // file has been mounted already, nothing to do + free(dest); + return; + } + errExit("open"); } - free(name); + close(fd); if (arg_debug || arg_debug_private_lib) - printf(" copying %s to private %s\n", full_path, dest_dir); - - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); - report_duplication(full_path); + printf(" mounting %s on %s\n", full_path, dest); + // if full_path is a symbolic link, mount will follow it + if (mount(full_path, dest, NULL, MS_BIND, NULL) < 0) + errExit("mount bind"); + free(dest); lib_cnt++; } +void fslib_mount(const char *full_path) { + assert(full_path); + struct stat s; + + if (*full_path == '\0' || + !valid_full_path(full_path) || + stat_as_user(full_path, &s) != 0 || + s.st_uid != 0) + return; + + if (S_ISDIR(s.st_mode)) + fslib_mount_dir(full_path); + else if (S_ISREG(s.st_mode) && is_lib_64(full_path)) + fslib_mount_file(full_path); +} // requires full path for lib // it could be a library or an executable // lib is not copied, only libraries used by it -void fslib_copy_libs(const char *full_path) { +void fslib_mount_libs(const char *full_path, unsigned user) { assert(full_path); - if (arg_debug || arg_debug_private_lib) - printf(" fslib_copy_libs %s\n", full_path); - // if library/executable does not exist or the user does not have read access to it // print a warning and exit the function. - if (access(full_path, R_OK)) { + if (user && access(full_path, R_OK)) { if (arg_debug || arg_debug_private_lib) - printf("cannot find %s for private-lib, skipping...\n", full_path); + printf("Cannot read %s, skipping...\n", full_path); return; } + if (arg_debug || arg_debug_private_lib) + printf(" fslib_mount_libs %s\n", full_path); // create an empty RUN_LIB_FILE and allow the user to write to it unlink(RUN_LIB_FILE); // in case is there create_empty_file_as_root(RUN_LIB_FILE, 0644); - if (chown(RUN_LIB_FILE, getuid(), getgid())) + if (user && chown(RUN_LIB_FILE, getuid(), getgid())) errExit("chown"); // run fldd to extract the list of files if (arg_debug || arg_debug_private_lib) - printf(" running fldd %s\n", full_path); - sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); + printf(" running fldd %s as %s\n", full_path, user ? "user" : "root"); + unsigned mask; + if (user) + mask = SBOX_USER; + else + mask = SBOX_ROOT; + sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); // open the list of libraries and install them on by one - FILE *fp = fopen(RUN_LIB_FILE, "r"); + FILE *fp = fopen(RUN_LIB_FILE, "re"); if (!fp) errExit("fopen"); @@ -176,68 +230,31 @@ char *ptr = strchr(buf, '\n'); if (ptr) *ptr = '\0'; - fslib_duplicate(buf); + + trim_trailing_slash_or_dot(buf); + fslib_mount(buf); } fclose(fp); unlink(RUN_LIB_FILE); } - -void fslib_copy_dir(const char *full_path) { - assert(full_path); - if (arg_debug || arg_debug_private_lib) - printf(" fslib_copy_dir %s\n", full_path); - - // do nothing if the directory does not exist or is not owned by root - struct stat s; - if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)) - return; - - char *dir_name = strrchr(full_path, '/'); - assert(dir_name); - dir_name++; - assert(*dir_name != '\0'); - - // do nothing if the directory is already there - char *dest; - if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1) - errExit("asprintf"); - if (stat(dest, &s) == 0) { - free(dest); - return; - } - - // create new directory and mount the original on top of it - mkdir_attr(dest, 0755, 0, 0); - - if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("clone", full_path); - fs_logger2("mount", full_path); - dir_cnt++; - free(dest); -} - -// fname should be a vallid full path at this point +// fname should be a full path at this point static void load_library(const char *fname) { assert(fname); assert(*fname == '/'); - // existing file owned by root, read access + // existing file owned by root struct stat s; - if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) { + if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) { // load directories, regular 64 bit libraries, and 64 bit executables - if (is_dir(fname) || is_lib_64(fname)) { - if (is_dir(fname)) - fslib_copy_dir(fname); - else { - if (strstr(fname, ".so") || - access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries - fslib_duplicate(fname); + if (S_ISDIR(s.st_mode)) + fslib_mount(fname); + else if (S_ISREG(s.st_mode) && is_lib_64(fname)) { + if (strstr(fname, ".so") || + access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries + fslib_mount(fname); - fslib_copy_libs(fname); - } + fslib_mount_libs(fname, 1); // parse as user } } } @@ -268,17 +285,24 @@ #define DO_GLOBBING #ifdef DO_GLOBBING // globbing + EUID_USER(); glob_t globbuf; int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); if (globerr) { fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname); exit(1); } + EUID_ROOT(); size_t j; for (j = 0; j < globbuf.gl_pathc; j++) { assert(globbuf.gl_pathv[j]); //printf("glob %s\n", globbuf.gl_pathv[j]); // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway + + // foobar/* expands to foobar/. and foobar/.. + const char *base = gnu_basename(globbuf.gl_pathv[j]); + if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0) + continue; load_library(globbuf.gl_pathv[j]); } @@ -293,7 +317,6 @@ return; } - void fslib_install_list(const char *lib_list) { assert(lib_list); if (arg_debug || arg_debug_private_lib) @@ -308,42 +331,31 @@ fprintf(stderr, "Error: invalid private-lib argument\n"); exit(1); } + trim_trailing_slash_or_dot(ptr); install_list_entry(ptr); - while ((ptr = strtok(NULL, ",")) != NULL) + while ((ptr = strtok(NULL, ",")) != NULL) { + trim_trailing_slash_or_dot(ptr); install_list_entry(ptr); + } free(dlist); fs_logger_print(); } - - static void mount_directories(void) { - if (arg_debug || arg_debug_private_lib) - printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR); + fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself - if (is_dir("/lib")) { - if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/lib"); - fs_logger("mount /lib"); - } - - if (is_dir("/lib64")) { - if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/lib64"); - fs_logger("mount /lib64"); - } - - if (is_dir("/usr/lib")) { - if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/usr/lib"); - fs_logger("mount /usr/lib"); + int i = 0; + while (masked_lib_dirs[i]) { + if (is_dir(masked_lib_dirs[i])) { + if (arg_debug || arg_debug_private_lib) + printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, masked_lib_dirs[i]); + if (mount(RUN_LIB_DIR, masked_lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + fs_logger2("tmpfs", masked_lib_dirs[i]); + fs_logger2("mount", masked_lib_dirs[i]); + } + i++; } // for amd64 only - we'll deal with i386 later @@ -379,25 +391,12 @@ printf("Installing standard C library\n"); fslib_install_stdc(); - // start timetrace - timetrace_start(); - - // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail + // install other libraries needed by firejail if (arg_debug || arg_debug_private_lib) printf("Installing Firejail libraries\n"); - fslib_install_list(PATH_FIREJAIL); - - // bring in firejail directory - fslib_install_list(LIBDIR "/firejail"); - - // bring in dhclient libraries - if (any_dhcp()) { - if (arg_debug || arg_debug_private_lib) - printf("Installing dhclient libraries\n"); - fslib_install_list(RUN_MNT_DIR "/dhclient"); - } - fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); + fslib_install_firejail(); + // start timetrace timetrace_start(); // copy the libs in the new lib directory for the main exe @@ -426,7 +425,6 @@ fslib_install_list(cfg.shell); // a shell is useless without some basic commands fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); - } // for the listed libs and directories diff -Nru firejail-0.9.64.4/src/firejail/fs_logger.c firejail-0.9.66/src/firejail/fs_logger.c --- firejail-0.9.64.4/src/firejail/fs_logger.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_logger.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -92,7 +92,7 @@ if (!head) return; - FILE *fp = fopen(RUN_FSLOGGER_FILE, "a"); + FILE *fp = fopen(RUN_FSLOGGER_FILE, "ae"); if (!fp) { perror("fopen"); return; @@ -123,15 +123,8 @@ // in case the pid is that of a firejail process, use the pid of the first child process pid = switch_to_child(pid); - // check privileges for non-root users - uid_t uid = getuid(); - if (uid != 0) { - uid_t sandbox_uid = pid_get_uid(pid); - if (uid != sandbox_uid) { - fprintf(stderr, "Error: permission denied\n"); - exit(1); - } - } + // exit if no permission to join the sandbox + check_join_permission(pid); // print RUN_FSLOGGER_FILE char *fname; @@ -139,24 +132,16 @@ errExit("asprintf"); EUID_ROOT(); - struct stat s; - if (stat(fname, &s) == -1 || s.st_uid != 0) { - fprintf(stderr, "Error: Cannot access filesystem log\n"); - exit(1); - } - - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); + free(fname); if (!fp) { fprintf(stderr, "Error: Cannot open filesystem log\n"); exit(1); } - char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) printf("%s", buf); fclose(fp); - free(fname); exit(0); } diff -Nru firejail-0.9.64.4/src/firejail/fs_mkdir.c firejail-0.9.66/src/firejail/fs_mkdir.c --- firejail-0.9.64.4/src/firejail/fs_mkdir.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_mkdir.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -25,7 +26,6 @@ #include #include - static void check(const char *fname) { // manufacture /run/user directory char *runuser; @@ -46,7 +46,7 @@ struct stat s; if (chdir("/")) { - fprintf(stderr, "Error: can't chdir to /"); + fprintf(stderr, "Error: can't chdir to /\n"); return; } @@ -63,7 +63,7 @@ return; } if (chdir(subdir)) { - fprintf(stderr, "Error: can't chdir to %s", subdir); + fprintf(stderr, "Error: can't chdir to %s\n", subdir); return; } @@ -95,9 +95,9 @@ // create directory mkdir_recursive(expanded); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish diff -Nru firejail-0.9.64.4/src/firejail/fs_trace.c firejail-0.9.66/src/firejail/fs_trace.c --- firejail-0.9.64.4/src/firejail/fs_trace.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_trace.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -33,8 +33,7 @@ if (stat("/etc/ld.so.preload", &s)) { if (arg_debug) printf("Creating an empty /etc/ld.so.preload file\n"); - /* coverity[toctou] */ - FILE *fp = fopen("/etc/ld.so.preload", "w"); + FILE *fp = fopen("/etc/ld.so.preload", "wxe"); if (!fp) errExit("fopen"); SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); @@ -64,20 +63,16 @@ if (ftruncate(fd, 0) == -1) errExit("ftruncate"); EUID_ROOT(); - FILE *fp = fopen(RUN_TRACE_FILE, "w"); + FILE *fp = fopen(RUN_TRACE_FILE, "we"); if (!fp) errExit("fopen " RUN_TRACE_FILE); fclose(fp); - fs_logger2("touch ", arg_tracefile); + fs_logger2("touch", arg_tracefile); // mount using the symbolic link in /proc/self/fd if (arg_debug) printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_fd_to_path(fd, RUN_TRACE_FILE)) errExit("mount bind " RUN_TRACE_FILE); - free(proc); close(fd); // now that RUN_TRACE_FILE is user-writable, mount it noexec fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0); @@ -88,7 +83,7 @@ if (arg_debug) printf("Create the new ld.so.preload file\n"); - FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); + FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we"); if (!fp) errExit("fopen"); const char *prefix = RUN_FIREJAIL_LIB_DIR; diff -Nru firejail-0.9.64.4/src/firejail/fs_var.c firejail-0.9.66/src/firejail/fs_var.c --- firejail-0.9.64.4/src/firejail/fs_var.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_var.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -127,7 +127,7 @@ // create an empty /var/log/wtmp file /* coverity[toctou] */ - FILE *fp = fopen("/var/log/wtmp", "w"); + FILE *fp = fopen("/var/log/wtmp", "wxe"); if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); @@ -135,7 +135,7 @@ fs_logger("touch /var/log/wtmp"); // create an empty /var/log/btmp file - fp = fopen("/var/log/btmp", "w"); + fp = fopen("/var/log/btmp", "wxe"); if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); fclose(fp); @@ -158,8 +158,7 @@ fs_logger("tmpfs /var/lib/dhcp"); // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file - FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); - + FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "wxe"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); @@ -287,7 +286,7 @@ if (stat(UTMP_FILE, &s) == 0) utmp_group = s.st_gid; else { - fwarning("cannot find /var/run/utmp\n"); + fwarning("cannot find %s\n", UTMP_FILE); return; } @@ -296,7 +295,7 @@ printf("Create the new utmp file\n"); /* coverity[toctou] */ - FILE *fp = fopen(RUN_UTMP_FILE, "w"); + FILE *fp = fopen(RUN_UTMP_FILE, "we"); if (!fp) errExit("fopen"); @@ -323,5 +322,9 @@ printf("Mount the new utmp file\n"); if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mount bind utmp"); - fs_logger("create /var/run/utmp"); + fs_logger2("create", UTMP_FILE); + + // blacklist RUN_UTMP_FILE + if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0) + errExit("mount bind"); } diff -Nru firejail-0.9.64.4/src/firejail/fs_whitelist.c firejail-0.9.66/src/firejail/fs_whitelist.c --- firejail-0.9.64.4/src/firejail/fs_whitelist.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/fs_whitelist.c 2021-06-27 18:09:10.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -16,50 +16,46 @@ * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ + */ #include "firejail.h" #include #include -#include #include #include -#include #include #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif +#define TOP_MAX 64 // maximum number of top level directories + // mountinfo functionality test; // 1. enable TEST_MOUNTINFO definition // 2. run firejail --whitelist=/any/directory //#define TEST_MOUNTINFO -#define EMPTY_STRING ("") -static size_t homedir_len; // cache length of homedir string -static size_t runuser_len; // cache length of runuser string -static char *runuser; +static size_t homedir_len = 0; // cache length of homedir string +static size_t runuser_len = 0; // cache length of runuser string +static char *runuser = NULL; -static int mkpath(const char* path, mode_t mode) { - assert(path && *path); - mode |= 0111; - // create directories with uid/gid as root, or as current user if inside home or run/user/$uid directory - int userprivs = 0; - if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || - (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { - EUID_USER(); - userprivs = 1; - } +static void whitelist_error(const char *path) { + assert(path); + fprintf(stderr, "Error: invalid whitelist path %s\n", path); + exit(1); +} + +static int whitelist_mkpath(const char* path, mode_t mode) { // work on a copy of the path char *dup = strdup(path); if (!dup) errExit("strdup"); - // don't create the last path element + // only create leading directories, don't create the file char *p = strrchr(dup, '/'); assert(p); *p = '\0'; @@ -69,10 +65,10 @@ errExit("open"); // traverse the path, return -1 if a symlink is encountered - int done = 0; int fd = -1; + int done = 0; char *tok = strtok(dup, "/"); - assert(tok); // path is no top level directory + assert(tok); while (tok) { // create the directory if necessary if (mkdirat(parentfd, tok, mode) == -1) { @@ -81,9 +77,6 @@ perror("mkdir"); close(parentfd); free(dup); - if (userprivs) { - EUID_ROOT(); - } return -1; } } @@ -96,9 +89,6 @@ perror("open"); close(parentfd); free(dup); - if (userprivs) { - EUID_ROOT(); - } return -1; } // move on to next path segment @@ -111,195 +101,102 @@ fs_logger2("mkpath", path); free(dup); - if (userprivs) { - EUID_ROOT(); - } return fd; } -static void whitelist_path(ProfileEntry *entry) { - assert(entry); - const char *path = entry->data + 10; - const char *fname; - char *wfile = NULL; - - if (entry->wldir == WLDIR_HOME) { - if (strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') - // either symlink pointing outside home directory - // or entire home directory, skip the mount - return; - - fname = path + homedir_len + 1; // strlen("/home/user/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_TMP) { - fname = path + 5; // strlen("/tmp/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_MEDIA) { - fname = path + 7; // strlen("/media/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_MNT) { - fname = path + 5; // strlen("/mnt/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_VAR) { - if (strncmp(path, "/var/", 5) != 0) - // symlink pointing outside /var, skip the mount - return; - - fname = path + 5; // strlen("/var/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_DEV) { - if (strncmp(path, "/dev/", 5) != 0) - // symlink pointing outside /dev, skip the mount - return; - - fname = path + 5; // strlen("/dev/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_OPT) { - fname = path + 5; // strlen("/opt/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_SRV) { - fname = path + 5; // strlen("/srv/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_ETC) { - if (strncmp(path, "/etc/", 5) != 0) - // symlink pointing outside /etc, skip the mount - return; - - fname = path + 5; // strlen("/etc/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_SHARE) { - fname = path + 11; // strlen("/usr/share/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_MODULE) { - fname = path + 12; // strlen("/sys/module/") +static void whitelist_file(int dirfd, const char *relpath, const char *path) { + assert(relpath && path); - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_RUN) { - fname = path + runuser_len + 1; // strlen("/run/user/$uid/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_RUN_USER_DIR, fname) == -1) - errExit("asprintf"); - } - assert(wfile); - - if (arg_debug || arg_debug_whitelists) - printf("Whitelisting %s\n", path); - - // confirm again the mount source exists and there is no symlink - struct stat wfilestat; - EUID_USER(); - int fd = safe_fd(wfile, O_PATH|O_NOFOLLOW|O_CLOEXEC); - EUID_ROOT(); + // open mount source, using a file descriptor that refers to the + // top level directory + // as the top level directory was opened before mounting the tmpfs + // we still have full access to all directory contents + // take care to not follow symbolic links (dirfd was obtained without + // following a link, too) + int fd = safer_openat(dirfd, relpath, O_PATH|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { if (arg_debug || arg_debug_whitelists) - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - free(wfile); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); return; } - if (fstat(fd, &wfilestat) == -1) + struct stat s; + if (fstat(fd, &s) == -1) errExit("fstat"); - close(fd); - if (S_ISLNK(wfilestat.st_mode)) { + if (S_ISLNK(s.st_mode)) { if (arg_debug || arg_debug_whitelists) - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - free(wfile); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); + close(fd); return; } - // create path of the mount target if necessary - int fd2 = mkpath(path, 0755); + // create mount target as root, except if inside home or run/user/$UID directory + int userprivs = 0; + if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || + (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { + EUID_USER(); + userprivs = 1; + } + + // create path of the mount target + int fd2 = whitelist_mkpath(path, 0755); if (fd2 == -1) { // something went wrong during path creation or a symlink was found; // if there is a symlink somewhere in the path of the mount target, // assume the file is whitelisted already if (arg_debug || arg_debug_whitelists) - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - free(wfile); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); + close(fd); + if (userprivs) + EUID_ROOT(); return; } // get file name of the mount target const char *file = gnu_basename(path); - // create the mount target if necessary and open it, a symlink is rejected + // create mount target itself and open it, a symlink is rejected int fd3 = -1; - if (S_ISDIR(wfilestat.st_mode)) { + if (S_ISDIR(s.st_mode)) { // directory foo can exist already: - // firejail --whitelist=/foo/bar --whitelist=/foo + // firejail --whitelist=~/foo/bar --whitelist=~/foo if (mkdirat(fd2, file, 0755) == -1 && errno != EEXIST) { if (arg_debug || arg_debug_whitelists) { perror("mkdir"); - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); } + close(fd); close(fd2); - free(wfile); + if (userprivs) + EUID_ROOT(); return; } fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); } - else { + else // create an empty file, fails with EEXIST if it is whitelisted already: // firejail --whitelist=/foo --whitelist=/foo/bar fd3 = openat(fd2, file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR|S_IWUSR); - } if (fd3 == -1) { - if (arg_debug || arg_debug_whitelists) { - if (errno != EEXIST) { - perror("open"); - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - } + if (errno != EEXIST && (arg_debug || arg_debug_whitelists)) { + perror("open"); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); } + close(fd); close(fd2); - free(wfile); + if (userprivs) + EUID_ROOT(); return; } - close(fd2); - fs_logger2("whitelist", path); + close(fd2); + if (userprivs) + EUID_ROOT(); - // in order to make this mount resilient against symlink attacks, use - // a magic link in /proc/self/fd instead of mounting on path directly - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd3) == -1) - errExit("asprintf"); - if (mount(wfile, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (arg_debug || arg_debug_whitelists) + printf("Whitelisting %s\n", path); + if (bind_mount_by_fd(fd, fd3)) errExit("mount bind"); - free(proc); - close(fd3); - // check the last mount operation MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found #ifdef TEST_MOUNTINFO @@ -316,37 +213,51 @@ // - there should be more than one '/' char in dest string if (mptr->dir == strrchr(mptr->dir, '/')) errLogExit("invalid whitelist mount"); - // confirm the right file was mounted by comparing device and inode numbers - int fd4 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd4 == -1) - errExit("safe_fd"); - struct stat s; - if (fstat(fd4, &s) == -1) - errExit("fstat"); - if (s.st_dev != wfilestat.st_dev || s.st_ino != wfilestat.st_ino) - errLogExit("invalid whitelist mount"); - close(fd4); - - free(wfile); - return; + close(fd); + close(fd3); + fs_logger2("whitelist", path); } -static void whitelist_home(int topdir) { - ProfileEntry entry; - memset(&entry, 0, sizeof(entry)); - char *cmd; - if (asprintf(&cmd, "whitelist %s", cfg.homedir) == -1) - errExit("asprintf"); - entry.data = cmd; - entry.wldir = topdir; - // creates path owned by root, except homedir is inside /run/user/$uid - // does nothing if homedir does not exist - whitelist_path(&entry); - free(cmd); -} +static void whitelist_symlink(const char *link, const char *target) { + assert(link && target); + // create files as root, except if inside home or run/user/$UID directory + int userprivs = 0; + if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') || + (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) { + EUID_USER(); + userprivs = 1; + } + + int fd = whitelist_mkpath(link, 0755); + if (fd == -1) { + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); + if (userprivs) + EUID_ROOT(); + return; + } + + // get file name of symlink + const char *file = gnu_basename(link); + + // create the link + if (symlinkat(target, fd, file) == -1) { + if (arg_debug || arg_debug_whitelists) { + perror("symlink"); + printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); + } + } + else if (arg_debug || arg_debug_whitelists) + printf("Created symbolic link %s -> %s\n", link, target); + + close(fd); + if (userprivs) + EUID_ROOT(); +} static void globbing(const char *pattern) { + EUID_ASSERT(); assert(pattern); // globbing @@ -363,6 +274,11 @@ // testing for GLOB_NOCHECK - no pattern matched returns the original pattern if (strcmp(globbuf.gl_pathv[i], pattern) == 0) continue; + // foo/* expands to foo/. and foo/.. + const char *base = gnu_basename(globbuf.gl_pathv[i]); + if (strcmp(base, ".") == 0 || + strcmp(base, "..") == 0) + continue; // build the new profile command char *newcmd; @@ -378,6 +294,226 @@ globfree(&globbuf); } +// mount tmpfs on all top level directories +static void tmpfs_topdirs(const TopDir *topdirs) { + int tmpfs_home = 0; + int tmpfs_runuser = 0; + + int i; + for (i = 0; i < TOP_MAX && topdirs[i].path; i++) { + // do nested top level directories last + // this way '--whitelist=nested_top_level_dir' + // yields the full, unmodified directory + // instead of the tmpfs + if (strcmp(topdirs[i].path, cfg.homedir) == 0) { + tmpfs_home = 1; + continue; + } + if (strcmp(topdirs[i].path, runuser) == 0) { + tmpfs_runuser = 1; + continue; + } + + // special case /run + // open /run/firejail, so it can be restored right after mounting the tmpfs + int fd = -1; + if (strcmp(topdirs[i].path, "/run") == 0) { + fd = open(RUN_FIREJAIL_DIR, O_PATH|O_CLOEXEC); + if (fd == -1) + errExit("open"); + } + + // mount tmpfs + fs_tmpfs(topdirs[i].path, 0); + selinux_relabel_path(topdirs[i].path, topdirs[i].path); + + // init tmpfs + if (strcmp(topdirs[i].path, "/run") == 0) { + // restore /run/firejail directory + if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1) + errExit("mkdir"); + if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) + errExit("mount bind"); + close(fd); + fs_logger2("whitelist", RUN_FIREJAIL_DIR); + + // restore /run/user/$UID directory + // get path relative to /run + const char *rel = runuser + 5; + whitelist_file(topdirs[i].fd, rel, runuser); + } + else if (strcmp(topdirs[i].path, "/tmp") == 0) { + // fix pam-tmpdir (#2685) + const char *env = env_get("TMP"); + if (env) { + char *pamtmpdir; + if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) + errExit("asprintf"); + if (strcmp(env, pamtmpdir) == 0) { + // create empty user-owned /tmp/user/$UID directory + mkdir_attr("/tmp/user", 0711, 0, 0); + selinux_relabel_path("/tmp/user", "/tmp/user"); + fs_logger("mkdir /tmp/user"); + mkdir_attr(pamtmpdir, 0700, getuid(), 0); + selinux_relabel_path(pamtmpdir, pamtmpdir); + fs_logger2("mkdir", pamtmpdir); + } + free(pamtmpdir); + } + } + + // restore user home directory if it is masked by the tmpfs + // creates path owned by root + // does nothing if user home directory doesn't exist + size_t topdir_len = strlen(topdirs[i].path); + if (strncmp(topdirs[i].path, cfg.homedir, topdir_len) == 0 && cfg.homedir[topdir_len] == '/') { + // get path relative to top level directory + const char *rel = cfg.homedir + topdir_len + 1; + whitelist_file(topdirs[i].fd, rel, cfg.homedir); + } + } + + // user home directory + if (tmpfs_home) { + EUID_USER(); + fs_private(); // checks owner if outside /home + EUID_ROOT(); + } + + // /run/user/$UID directory + if (tmpfs_runuser) { + fs_tmpfs(runuser, 0); + selinux_relabel_path(runuser, runuser); + } +} + +static int reject_topdir(const char *dir) { + if (!whitelist_reject_topdirs) + return 0; + + size_t i; + for (i = 0; whitelist_reject_topdirs[i]; i++) { + if (strcmp(dir, whitelist_reject_topdirs[i]) == 0) + return 1; + } + return 0; +} + +// keep track of whitelist top level directories by adding them to an array +// open each directory +static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { + assert(dir && path); + + // /proc and /sys are not allowed + if (strcmp(dir, "/") == 0 || + strcmp(dir, "/proc") == 0 || + strcmp(dir, "/sys") == 0) + whitelist_error(path); + + // whitelisting home directory is disabled if --private option is present + if (arg_private && strcmp(dir, cfg.homedir) == 0) { + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path); + return NULL; + } + + // do nothing if directory doesn't exist + struct stat s; + if (lstat(dir, &s) != 0) { + if (arg_debug || arg_debug_whitelists) + printf("Cannot access whitelist top level directory %s: %s\n", dir, strerror(errno)); + return NULL; + } + // do nothing if directory is a link + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) { + fwarning("skipping whitelist %s because %s is a symbolic link\n", path, dir); + return NULL; + } + whitelist_error(path); + } + // do nothing if directory is disabled by administrator + if (reject_topdir(dir)) { + fmessage("Whitelist top level directory %s is disabled in Firejail configuration file\n", dir); + return NULL; + } + + // add directory to array + if (arg_debug || arg_debug_whitelists) + printf("Adding whitelist top level directory %s\n", dir); + static int cnt = 0; + if (cnt >= TOP_MAX) { + fprintf(stderr, "Error: too many whitelist top level directories\n"); + exit(1); + } + TopDir *rv = topdirs + cnt; + cnt++; + + rv->path = strdup(dir); + if (!rv->path) + errExit("strdup"); + + // open the directory, don't follow symbolic links + rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); + if (rv->fd == -1) { + fprintf(stderr, "Error: cannot open %s\n", dir); + exit(1); + } + + return rv; +} + +static TopDir *have_topdir(const char *dir, TopDir *topdirs) { + assert(dir); + + int i; + for (i = 0; i < TOP_MAX; i++) { + TopDir *rv = topdirs + i; + if (!rv->path) + break; + if (strcmp(dir, rv->path) == 0) + return rv; + } + return NULL; +} + +static char *extract_topdir(const char *path) { + assert(path); + + char *dup = strdup(path); + if (!dup) + errExit("strdup"); + + // user home directory can be anywhere; disconnect user home + // whitelisting from top level directory whitelisting + // by treating user home as separate whitelist top level directory + if (strncmp(dup, cfg.homedir, homedir_len) == 0 && dup[homedir_len] == '/') + dup[homedir_len] = '\0'; + // /run/user/$UID is treated as top level directory + else if (strncmp(dup, runuser, runuser_len) == 0 && dup[runuser_len] == '/') + dup[runuser_len] = '\0'; + // whitelisting in /sys is not allowed, but /sys/module is an exception + // and is treated as top level directory here + else if (strncmp(dup, "/sys/module", 11) == 0 && dup[11] == '/') + dup[11] = '\0'; + // treat /usr subdirectories as top level directories + else if (strncmp(dup, "/usr/", 5) == 0) { + char *p = strchr(dup+5, '/'); + if (!p) + whitelist_error(path); + *p = '\0'; + } + // all other top level directories + else { + assert(dup[0] == '/'); + char *p = strchr(dup+1, '/'); + if (!p) + whitelist_error(path); + *p = '\0'; + } + + return dup; +} void fs_whitelist(void) { ProfileEntry *entry = cfg.profile; @@ -389,29 +525,18 @@ runuser_len = strlen(runuser); homedir_len = strlen(cfg.homedir); - char *new_name = NULL; - int home_dir = 0; // /home/user directory flag - int tmp_dir = 0; // /tmp directory flag - int media_dir = 0; // /media directory flag - int mnt_dir = 0; // /mnt directory flag - int var_dir = 0; // /var directory flag - int dev_dir = 0; // /dev directory flag - int opt_dir = 0; // /opt directory flag - int srv_dir = 0; // /srv directory flag - int etc_dir = 0; // /etc directory flag - int share_dir = 0; // /usr/share directory flag - int module_dir = 0; // /sys/module directory flag - int run_dir = 0; // /run/user/$uid directory flag - size_t nowhitelist_c = 0; size_t nowhitelist_m = 32; char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist)); if (nowhitelist == NULL) - errExit("failed allocating memory for nowhitelist entries"); + errExit("calloc"); + + TopDir *topdirs = calloc(TOP_MAX, sizeof(*topdirs)); + if (topdirs == NULL) + errExit("calloc"); // verify whitelist files, extract symbolic links, etc. EUID_USER(); - struct stat s; while (entry) { int nowhitelist_flag = 0; @@ -424,48 +549,73 @@ entry = entry->next; continue; } - char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: %s\n", __LINE__, entry->data); - // replace ~/ or ${HOME} into /home/username or resolve macro - new_name = expand_macros(dataptr); - assert(new_name); - - // mount empty home directory if resolving the macro was not successful - if (is_macro(new_name) && macro_id(new_name) > -1) { - // no warning if home does not exist (e.g. in a chroot) - if (stat(cfg.homedir, &s) == 0 && !nowhitelist_flag && !arg_private) { - home_dir = 1; - if (!arg_quiet) { - fprintf(stderr, "***\n"); - fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", new_name); - fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); - fprintf(stderr, "***\n"); - } + const char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; + + // replace ~ into /home/username or resolve macro + char *expanded = expand_macros(dataptr); + + // check if respolving the macro was successful + if (is_macro(expanded) && macro_id(expanded) > -1) { + if (!nowhitelist_flag && (have_topdir(cfg.homedir, topdirs) || add_topdir(cfg.homedir, topdirs, expanded)) && !arg_quiet) { + fprintf(stderr, "***\n"); + fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", expanded); + fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); + fprintf(stderr, "***\n"); } - entry->data = EMPTY_STRING; entry = entry->next; - free(new_name); + free(expanded); continue; } - // remove trailing slashes and single dots - if (!nowhitelist_flag) - trim_trailing_slash_or_dot(new_name); + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: expanded: %s\n", __LINE__, expanded); + + // path should be absolute at this point + if (expanded[0] != '/') + whitelist_error(expanded); + + // sane pathname + char *new_name = clean_pathname(expanded); + free(expanded); if (arg_debug || arg_debug_whitelists) - fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); + printf("Debug %d: new_name: %s\n", __LINE__, new_name); - // valid path referenced to filesystem root - if (*new_name != '/') { - if (arg_debug || arg_debug_whitelists) - fprintf(stderr, "Debug %d: \n", __LINE__); - goto errexit; + if (strstr(new_name, "..")) + whitelist_error(new_name); + + // /run/firejail is not allowed + if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) + whitelist_error(new_name); + + TopDir *current_top = NULL; + if (!nowhitelist_flag) { + // extract whitelist top level directory + char *dir = extract_topdir(new_name); + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: dir: %s\n", __LINE__, dir); + + // check if this top level directory has been processed already + current_top = have_topdir(dir, topdirs); + if (!current_top) { // got new top level directory + current_top = add_topdir(dir, topdirs, new_name); + if (!current_top) { // skip this command, top level directory not valid + entry = entry->next; + free(new_name); + free(dir); + continue; + } + } + free(dir); } - // extract the absolute path of the file + // extract resolved path of the file // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr - char *fname; + char *fname = NULL; if (strcmp(new_name, "/dev/fd") == 0) fname = strdup("/proc/self/fd"); else if (strcmp(new_name, "/dev/stdin") == 0) @@ -477,60 +627,30 @@ else fname = realpath(new_name, NULL); - // if this is not a real path, let's try globbing - // mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list - // the new profile entries will be processed in this loop - // currently there is no globbing support for nowhitelist - if (!fname && !nowhitelist_flag) - globbing(new_name); - if (!fname) { - // file not found, blank the entry in the list and continue if (arg_debug || arg_debug_whitelists) { - printf("Removed whitelist/nowhitelist path: %s\n", entry->data); + printf("Removed path: %s\n", entry->data); printf("\texpanded: %s\n", new_name); - printf("\treal path: (null)\n"); - printf("\t");fflush(0); - perror("realpath"); + printf("\trealpath: (null)\n"); + printf("\t%s\n", strerror(errno)); } - // if 1 the file was not found; mount an empty directory if (!nowhitelist_flag) { - if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') { - if(!arg_private) - home_dir = 1; - } - else if (strncmp(new_name, "/tmp/", 5) == 0) - tmp_dir = 1; - else if (strncmp(new_name, "/media/", 7) == 0) - media_dir = 1; - else if (strncmp(new_name, "/mnt/", 5) == 0) - mnt_dir = 1; - else if (strncmp(new_name, "/var/", 5) == 0) - var_dir = 1; - else if (strncmp(new_name, "/dev/", 5) == 0) - dev_dir = 1; - else if (strncmp(new_name, "/opt/", 5) == 0) - opt_dir = 1; - else if (strncmp(new_name, "/srv/", 5) == 0) - srv_dir = 1; - else if (strncmp(new_name, "/etc/", 5) == 0) - etc_dir = 1; - else if (strncmp(new_name, "/usr/share/", 11) == 0) - share_dir = 1; - else if (strncmp(new_name, "/sys/module/", 12) == 0) - module_dir = 1; - else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') - run_dir = 1; + // if this is not a real path, let's try globbing + // push the new paths at the end of profile entry list + // the new profile entries will be processed in this loop + // currently there is no globbing support for nowhitelist + globbing(new_name); } - entry->data = EMPTY_STRING; entry = entry->next; free(new_name); continue; } - else if (arg_debug_whitelists) - printf("real path %s\n", fname); + + // /run/firejail is not allowed + if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) + whitelist_error(fname); if (nowhitelist_flag) { // store the path in nowhitelist array @@ -544,175 +664,12 @@ errExit("failed increasing memory for nowhitelist entries"); } nowhitelist[nowhitelist_c++] = fname; - entry->data = EMPTY_STRING; entry = entry->next; free(new_name); continue; } - - // check for supported directories - if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') { - // whitelisting home directory is disabled if --private option is present - if (arg_private) { - if (arg_debug || arg_debug_whitelists) - printf("\"%s\" disabled by --private\n", entry->data); - - entry->data = EMPTY_STRING; - entry = entry->next; - free(fname); - free(new_name); - continue; - } - - entry->wldir = WLDIR_HOME; - home_dir = 1; - if (arg_debug || arg_debug_whitelists) - fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", - __LINE__, fname, cfg.homedir); - - // both path and absolute path are in user home, - // if not check if the symlink destination is owned by the user - if (strncmp(fname, cfg.homedir, homedir_len) != 0 || fname[homedir_len] != '/') { - if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { - if (stat(fname, &s) == 0 && s.st_uid != getuid()) { - free(fname); - goto errexit; - } - } - } - } - else if (strncmp(new_name, "/tmp/", 5) == 0) { - entry->wldir = WLDIR_TMP; - tmp_dir = 1; - - // both path and absolute path are under /tmp - if (strncmp(fname, "/tmp/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/media/", 7) == 0) { - entry->wldir = WLDIR_MEDIA; - media_dir = 1; - // both path and absolute path are under /media - if (strncmp(fname, "/media/", 7) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/mnt/", 5) == 0) { - entry->wldir = WLDIR_MNT; - mnt_dir = 1; - // both path and absolute path are under /mnt - if (strncmp(fname, "/mnt/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/var/", 5) == 0) { - entry->wldir = WLDIR_VAR; - var_dir = 1; - // both path and absolute path are under /var - // exceptions: /var/tmp, /var/run and /var/lock - if (strcmp(new_name, "/var/run")== 0 && strcmp(fname, "/run") == 0); - else if (strcmp(new_name, "/var/lock")== 0 && strcmp(fname, "/run/lock") == 0); - else if (strcmp(new_name, "/var/tmp")== 0 && strcmp(fname, "/tmp") == 0); - else { - // both path and absolute path are under /var - if (strncmp(fname, "/var/", 5) != 0) { - free(fname); - goto errexit; - } - } - } - else if (strncmp(new_name, "/dev/", 5) == 0) { - entry->wldir = WLDIR_DEV; - dev_dir = 1; - // special handling for /dev/shm - // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm - if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0); - // special handling for /dev/log, which can be a symlink to /run/systemd/journal/dev-log - else if (strcmp(new_name, "/dev/log") == 0 && strcmp(fname, "/run/systemd/journal/dev-log") == 0); - // special processing for /proc/self/fd files - else if (strcmp(new_name, "/dev/fd") == 0 && strcmp(fname, "/proc/self/fd") == 0); - else if (strcmp(new_name, "/dev/stdin") == 0 && strcmp(fname, "/proc/self/fd/0") == 0); - else if (strcmp(new_name, "/dev/stdout") == 0 && strcmp(fname, "/proc/self/fd/1") == 0); - else if (strcmp(new_name, "/dev/stderr") == 0 && strcmp(fname, "/proc/self/fd/2") == 0); - else { - // both path and absolute path are under /dev - if (strncmp(fname, "/dev/", 5) != 0) { - free(fname); - goto errexit; - } - } - } - else if (strncmp(new_name, "/opt/", 5) == 0) { - entry->wldir = WLDIR_OPT; - opt_dir = 1; - // both path and absolute path are under /dev - if (strncmp(fname, "/opt/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/srv/", 5) == 0) { - entry->wldir = WLDIR_SRV; - srv_dir = 1; - // both path and absolute path are under /srv - if (strncmp(fname, "/srv/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/etc/", 5) == 0) { - entry->wldir = WLDIR_ETC; - etc_dir = 1; - // special handling for some of the symlinks - if (strcmp(new_name, "/etc/localtime") == 0); - else if (strcmp(new_name, "/etc/mtab") == 0); - else if (strcmp(new_name, "/etc/os-release") == 0); - // both path and absolute path are under /etc - else { - if (strncmp(fname, "/etc/", 5) != 0) { - free(fname); - goto errexit; - } - } - } - else if (strncmp(new_name, "/usr/share/", 11) == 0) { - entry->wldir = WLDIR_SHARE; - share_dir = 1; - // both path and absolute path are under /etc - if (strncmp(fname, "/usr/share/", 11) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/sys/module/", 12) == 0) { - entry->wldir = WLDIR_MODULE; - module_dir = 1; - // both path and absolute path are under /sys/module - if (strncmp(fname, "/sys/module/", 12) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') { - entry->wldir = WLDIR_RUN; - run_dir = 1; - // both path and absolute path are under /run/user/$uid - if (strncmp(fname, runuser, runuser_len) != 0 || fname[runuser_len] != '/') { - free(fname); - goto errexit; - } - } else { - free(fname); - goto errexit; - } - - // check if the path is in nowhitelist array - if (nowhitelist_flag == 0) { + // check if the path is in nowhitelist array size_t i; int found = 0; for (i = 0; i < nowhitelist_c; i++) { @@ -726,494 +683,80 @@ if (found) { if (arg_debug || arg_debug_whitelists) printf("Skip nowhitelisted path %s\n", fname); - entry->data = EMPTY_STRING; entry = entry->next; - free(fname); free(new_name); + free(fname); continue; } } - // mark symbolic links + // attach whitelist parameters to profile entry + entry->wparam = calloc(1, sizeof(struct wparam_t)); + if (!entry->wparam) + errExit("calloc"); + + assert(current_top); + entry->wparam->top = current_top; + entry->wparam->file = fname; + + // mark link if (is_link(new_name)) - entry->link = new_name; - else { + entry->wparam->link = new_name; + else free(new_name); - entry->link = NULL; - } - // change file name in entry->data - if (strcmp(fname, entry->data + 10) != 0) { - char *newdata; - if (asprintf(&newdata, "whitelist %s", fname) == -1) - errExit("asprintf"); - entry->data = newdata; - if (arg_debug || arg_debug_whitelists) - printf("Replaced whitelist path: %s\n", entry->data); - } - free(fname); entry = entry->next; } // release nowhitelist memory - assert(nowhitelist); free(nowhitelist); + // mount tmpfs on all top level directories EUID_ROOT(); - // /tmp mountpoint - if (tmp_dir) { - // check if /tmp directory exists - if (stat("/tmp", &s) == 0) { - // keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR - mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); - if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /tmp - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /tmp directory\n"); - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0) - errExit("mounting tmpfs on /tmp"); - selinux_relabel_path("/tmp", "/tmp"); - fs_logger("tmpfs /tmp"); - - // pam-tmpdir - issue #2685 - char *env = getenv("TMP"); - if (env) { - char *pamtmpdir; - if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) - errExit("asprintf"); - if (strcmp(env, pamtmpdir) == 0) { - // create empty user-owned /tmp/user/$uid directory - mkdir_attr("/tmp/user", 0711, 0, 0); - selinux_relabel_path("/tmp/user", "/tmp/user"); - fs_logger("mkdir /tmp/user"); - mkdir_attr(pamtmpdir, 0700, getuid(), 0); - selinux_relabel_path(pamtmpdir, pamtmpdir); - fs_logger2("mkdir", pamtmpdir); - } - free(pamtmpdir); - } - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/tmp/", 5) == 0) - whitelist_home(WLDIR_TMP); - } - else - tmp_dir = 0; - } - - // /media mountpoint - if (media_dir) { - // some distros don't have a /media directory - if (stat("/media", &s) == 0) { - // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR - mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0); - if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /media - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /media directory\n"); - if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /media"); - selinux_relabel_path("/media", "/media"); - fs_logger("tmpfs /media"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/media/", 7) == 0) - whitelist_home(WLDIR_MEDIA); - } - else - media_dir = 0; - } - - // /mnt mountpoint - if (mnt_dir) { - // check if /mnt directory exists - if (stat("/mnt", &s) == 0) { - // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR - mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0); - if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /mnt - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /mnt directory\n"); - if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /mnt"); - selinux_relabel_path("/mnt", "/mnt"); - fs_logger("tmpfs /mnt"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/mnt/", 5) == 0) - whitelist_home(WLDIR_MNT); - } - else - mnt_dir = 0; - } - - // /var mountpoint - if (var_dir) { - // check if /var directory exists - if (stat("/var", &s) == 0) { - // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR - mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); - if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /var - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /var directory\n"); - if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /var"); - selinux_relabel_path("/var", "/var"); - fs_logger("tmpfs /var"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/var/", 5) == 0) - whitelist_home(WLDIR_VAR); - } - else - var_dir = 0; - } - - // /dev mountpoint - if (dev_dir) { - // check if /dev directory exists - if (stat("/dev", &s) == 0) { - // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR - mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); - if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) - errExit("mount bind"); - - // mount tmpfs on /dev - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /dev directory\n"); - if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /dev"); - selinux_relabel_path("/dev", "/dev"); - fs_logger("tmpfs /dev"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/dev/", 5) == 0) - whitelist_home(WLDIR_DEV); - } - else - dev_dir = 0; - } - - // /opt mountpoint - if (opt_dir) { - // check if /opt directory exists - if (stat("/opt", &s) == 0) { - // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR - mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0); - if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /opt - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /opt directory\n"); - if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /opt"); - selinux_relabel_path("/opt", "/opt"); - fs_logger("tmpfs /opt"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/opt/", 5) == 0) - whitelist_home(WLDIR_OPT); - } - else - opt_dir = 0; - } - - // /srv mountpoint - if (srv_dir) { - // check if /srv directory exists - if (stat("/srv", &s) == 0) { - // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR - mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0); - if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /srv - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /srv directory\n"); - if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /srv"); - selinux_relabel_path("/srv", "/srv"); - fs_logger("tmpfs /srv"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/srv/", 5) == 0) - whitelist_home(WLDIR_SRV); - } - else - srv_dir = 0; - } - - // /etc mountpoint - if (etc_dir) { - // check if /etc directory exists - if (stat("/etc", &s) == 0) { - // keep a copy of real /etc directory in RUN_WHITELIST_ETC_DIR - mkdir_attr(RUN_WHITELIST_ETC_DIR, 0755, 0, 0); - if (mount("/etc", RUN_WHITELIST_ETC_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /etc - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /etc directory\n"); - if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /etc"); - selinux_relabel_path("/etc", "/etc"); - fs_logger("tmpfs /etc"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/etc/", 5) == 0) - whitelist_home(WLDIR_ETC); - } - else - etc_dir = 0; - } - - // /usr/share mountpoint - if (share_dir) { - // check if /usr/share directory exists - if (stat("/usr/share", &s) == 0) { - // keep a copy of real /usr/share directory in RUN_WHITELIST_ETC_DIR - mkdir_attr(RUN_WHITELIST_SHARE_DIR, 0755, 0, 0); - if (mount("/usr/share", RUN_WHITELIST_SHARE_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /srv - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /usr/share directory\n"); - if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /usr/share"); - selinux_relabel_path("/usr/share", "/usr/share"); - fs_logger("tmpfs /usr/share"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/usr/share/", 11) == 0) - whitelist_home(WLDIR_SHARE); - } - else - share_dir = 0; - } - - // /sys/module mountpoint - if (module_dir) { - // check if /sys/module directory exists - if (stat("/sys/module", &s) == 0) { - // keep a copy of real /sys/module directory in RUN_WHITELIST_MODULE_DIR - mkdir_attr(RUN_WHITELIST_MODULE_DIR, 0755, 0, 0); - if (mount("/sys/module", RUN_WHITELIST_MODULE_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /sys/module - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /sys/module directory\n"); - if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /sys/module"); - selinux_relabel_path("/sys/module", "/sys/module"); - fs_logger("tmpfs /sys/module"); - } - else - module_dir = 0; - } - - // /run/user/$uid mountpoint - if (run_dir) { - // check if /run/user/$uid directory exists - if (stat(runuser, &s) == 0) { - // keep a copy of real /run/user/$uid directory in RUN_WHITELIST_RUN_USER_DIR - mkdir_attr(RUN_WHITELIST_RUN_USER_DIR, 0700, getuid(), getgid()); - if (mount(runuser, RUN_WHITELIST_RUN_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /run/user/$uid - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on %s directory\n", runuser); - char *options; - if (asprintf(&options, "mode=700,uid=%u,gid=%u", getuid(), getgid()) == -1) - errExit("asprintf"); - if (mount("tmpfs", runuser, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, options) < 0) - errExit("mounting tmpfs on /run/user/"); - selinux_relabel_path(runuser, runuser); - free(options); - fs_logger2("tmpfs", runuser); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, runuser, runuser_len) == 0 && cfg.homedir[runuser_len] == '/') - whitelist_home(WLDIR_RUN); - } - else - run_dir = 0; - } - - // home mountpoint - if (home_dir) { - // check if home directory exists - if (stat(cfg.homedir, &s) == 0) { - // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR - mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); - int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("safe_fd"); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - free(proc); - close(fd); - - // mount a tmpfs and initialize home directory - fs_private(); - } - else - home_dir = 0; - } + tmpfs_topdirs(topdirs); // go through profile rules again, and interpret whitelist commands entry = cfg.profile; while (entry) { - // handle only whitelist commands - if (strncmp(entry->data, "whitelist ", 10)) { - entry = entry->next; - continue; - } + if (entry->wparam) { + char *file = entry->wparam->file; + char *link = entry->wparam->link; + const char *topdir = entry->wparam->top->path; + size_t topdir_len = strlen(topdir); + int dirfd = entry->wparam->top->fd; + + // top level directories of link and file can differ + // whitelist the file only if it is in same top level directory + if (strncmp(file, topdir, topdir_len) == 0 && file[topdir_len] == '/') { + // get path relative to top level directory + const char *rel = file + topdir_len + 1; -//printf("here %d#%s#\n", __LINE__, entry->data); - // whitelist the real file - whitelist_path(entry); - - // create the link if any - if (entry->link) { - // if the link is already there, do not bother - if (lstat(entry->link, &s) != 0) { - // create the path if necessary - // entry->link has no trailing slashes or single dots - int fd = mkpath(entry->link, 0755); - if (fd == -1) { - if (arg_debug || arg_debug_whitelists) - printf("Debug %d: cannot create symbolic link %s\n", __LINE__, entry->link); - free(entry->link); - entry->link = NULL; - entry = entry->next; - continue; - } - // get file name of symlink - const char *file = gnu_basename(entry->link); - // create the link - int rv = symlinkat(entry->data + 10, fd, file); - if (rv) { - if (arg_debug || arg_debug_whitelists) { - perror("symlink"); - printf("Debug %d: cannot create symbolic link %s\n", __LINE__, entry->link); - } - } - else if (arg_debug || arg_debug_whitelists) - printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); - close(fd); + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: file: %s; dirfd: %d; topdir: %s; rel: %s\n", __LINE__, file, dirfd, topdir, rel); + whitelist_file(dirfd, rel, file); } - free(entry->link); - entry->link = NULL; - } - - entry = entry->next; - } - // mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR - if (home_dir) { - if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR); - } - - // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR - if (tmp_dir) { - if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR); - } - - // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR - if (var_dir) { - if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR); - } - - // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR - if (opt_dir) { - if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR); - } - - // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR - if (dev_dir) { - if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR); - } - - // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR - if (media_dir) { - if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR); - } - - // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR - if (mnt_dir) { - if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR); - } - - // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR - if (srv_dir) { - if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); - } - - // mask the real /etc directory, currently mounted on RUN_WHITELIST_ETC_DIR - if (etc_dir) { - if (mount("tmpfs", RUN_WHITELIST_ETC_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_ETC_DIR); - } - - // mask the real /usr/share directory, currently mounted on RUN_WHITELIST_SHARE_DIR - if (share_dir) { - if (mount("tmpfs", RUN_WHITELIST_SHARE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_SHARE_DIR); - } + // create the link if any + if (link) { + whitelist_symlink(link, file); + free(link); + } - // mask the real /sys/module directory, currently mounted on RUN_WHITELIST_MODULE_DIR - if (module_dir) { - if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_MODULE_DIR); - } + free(file); + free(entry->wparam); + entry->wparam = NULL; + } - // mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_RUN_USER_DIR - if (run_dir) { - if (mount("tmpfs", RUN_WHITELIST_RUN_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_RUN_USER_DIR); + entry = entry->next; } + // release resources free(runuser); - return; -errexit: - fprintf(stderr, "Error: invalid whitelist path %s\n", new_name); - exit(1); + size_t i; + for (i = 0; i < TOP_MAX && topdirs[i].path; i++) { + free(topdirs[i].path); + close(topdirs[i].fd); + } + free(topdirs); } diff -Nru firejail-0.9.64.4/src/firejail/join.c firejail-0.9.66/src/firejail/join.c --- firejail-0.9.64.4/src/firejail/join.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/join.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -103,7 +103,7 @@ if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); free(fname); if (!fp) return; @@ -147,7 +147,7 @@ } // build command - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true); } static void extract_nogroups(pid_t pid) { @@ -219,7 +219,7 @@ perror("asprintf"); exit(1); } - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); if (!fp) goto errexit; @@ -266,7 +266,7 @@ char *uidmap; if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) errExit("asprintf"); - FILE *fp = fopen(uidmap, "r"); + FILE *fp = fopen(uidmap, "re"); if (!fp) { free(uidmap); return; @@ -411,7 +411,7 @@ extract_x11_display(parent); int shfd = -1; - if (!arg_shell_none && !arg_audit) + if (!arg_shell_none) shfd = open_shell(); EUID_ROOT(); @@ -561,7 +561,7 @@ char *display_str; if (asprintf(&display_str, ":%d", display) == -1) errExit("asprintf"); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); free(display_str); } diff -Nru firejail-0.9.64.4/src/firejail/ls.c firejail-0.9.66/src/firejail/ls.c --- firejail-0.9.64.4/src/firejail/ls.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/ls.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,6 +19,7 @@ */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -221,7 +222,7 @@ if (arg_debug) printf("cat %s\n", path); - FILE *fp = fopen(path, "r"); + FILE *fp = fopen(path, "re"); if (!fp) { fprintf(stderr, "Error: cannot read %s\n", path); exit(1); @@ -349,9 +350,8 @@ ls(fname1); else cat(fname1); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif } // get file from host and store it in the sandbox else if (op == SANDBOX_FS_PUT && path2) { @@ -383,9 +383,9 @@ // copy the file if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } @@ -415,9 +415,9 @@ // copy the file if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } diff -Nru firejail-0.9.64.4/src/firejail/macros.c firejail-0.9.66/src/firejail/macros.c --- firejail-0.9.64.4/src/firejail/macros.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/macros.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -99,7 +99,7 @@ if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { free(fname); return NULL; @@ -149,6 +149,7 @@ // returns mallocated memory static char *resolve_hardcoded(char *entries[]) { + EUID_ASSERT(); char *fname; struct stat s; diff -Nru firejail-0.9.64.4/src/firejail/main.c firejail-0.9.66/src/firejail/main.c --- firejail-0.9.64.4/src/firejail/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/main.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "firejail.h" #include "../include/pid.h" #include "../include/firejail_user.h" +#include "../include/gcov_wrapper.h" #include "../include/syscall.h" #include "../include/seccomp.h" #define _GNU_SOURCE @@ -116,7 +117,6 @@ int arg_scan = 0; // arp-scan all interfaces int arg_whitelist = 0; // whitelist command int arg_nosound = 0; // disable sound -int arg_noautopulse = 0; // disable automatic ~/.config/pulse init int arg_novideo = 0; //disable video devices in /dev int arg_no3d; // disable 3d hardware acceleration int arg_quiet = 0; // no output for scripting @@ -125,13 +125,12 @@ int arg_nice = 0; // nice value configured int arg_ipc = 0; // enable ipc namespace int arg_writable_etc = 0; // writable etc +int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init int arg_writable_var = 0; // writable var int arg_keep_var_tmp = 0; // don't overwrite /var/tmp int arg_writable_run_user = 0; // writable /run/user int arg_writable_var_log = 0; // writable /var/log int arg_appimage = 0; // appimage -int arg_audit = 0; // audit -char *arg_audit_prog = NULL; // audit int arg_apparmor = 0; // apparmor int arg_allow_debuggers = 0; // allow debuggers int arg_x11_block = 0; // block X11 @@ -145,6 +144,7 @@ int arg_notv = 0; // --notv int arg_nodvd = 0; // --nodvd int arg_nou2f = 0; // --nou2f +int arg_noinput = 0; // --noinput int arg_deterministic_exit_code = 0; // always exit with first child's exit status DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system @@ -260,8 +260,8 @@ fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); exit(1); } + check_homedir(pw->pw_dir); cfg.homedir = clean_pathname(pw->pw_dir); - check_homedir(); // initialize random number generator sandbox_pid = getpid(); @@ -297,7 +297,7 @@ else if (br->ipsandbox) { // for macvlan check network range char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); if (rv) { - fprintf(stderr, "%s", rv); + fprintf(stderr, "%s\n", rv); exit(1); } } @@ -536,7 +536,7 @@ char *fname; if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16); exit(1); @@ -861,31 +861,37 @@ } char *guess_shell(void) { - char *shell = NULL; - struct stat s; + const char *shell; + char *retval; - shell = getenv("SHELL"); + shell = env_get("SHELL"); if (shell) { invalid_filename(shell, 0); // no globbing - if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 && + if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL && strcmp(shell, PATH_FIREJAIL) != 0) - return shell; + goto found; } // shells in order of preference - char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; + static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; int i = 0; while (shells[i] != NULL) { // access call checks as real UID/GID, not as effective UID/GID - if (stat(shells[i], &s) == 0 && access(shells[i], X_OK) == 0) { + if (access(shells[i], X_OK) == 0) { shell = shells[i]; - break; + goto found; } i++; } - return shell; + return NULL; + + found: + retval = strdup(shell); + if (!retval) + errExit("strdup"); + return retval; } // return argument index @@ -926,9 +932,13 @@ if (setresuid(-1, getuid(), getuid()) != 0) errExit("setresuid"); + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); umask(orig_umask); + // restore some environment variables + env_apply_whitelist_sbox(); + argv[0] = LIBDIR "/firejail/fbuilder"; execvp(argv[0], argv); @@ -954,7 +964,7 @@ static int check_postexec(const char *list) { char *prelist, *postlist; - if (list) { + if (list && list[0]) { syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true); if (postlist) return 1; @@ -975,6 +985,14 @@ int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) char **ptr; +#ifndef HAVE_SUID + if (geteuid() != 0) { + fprintf(stderr, "Error: Firejail needs to be SUID.\n"); + fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n"); + fprintf(stderr, " chmod u+s /usr/bin/firejail\n"); + } +#endif + // sanitize the umask orig_umask = umask(022); @@ -994,6 +1012,16 @@ exit(1); } + // Stash environment variables + for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) + env_store(*ptr, SETENV); + + // sanity check for environment variables + if (i >= MAX_ENVS) { + fprintf(stderr, "Error: too many environment variables\n"); + exit(1); + } + // sanity check for arguments for (i = 0; i < argc; i++) { if (*argv[i] == 0) { @@ -1004,30 +1032,17 @@ fprintf(stderr, "Error: too long arguments\n"); exit(1); } - // Also remove requested environment variables - // entirely to avoid tripping the length check below - if (strncmp(argv[i], "--rmenv=", 8) == 0) - unsetenv(argv[i] + 8); } - // sanity check for environment variables - for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) { - if (strlen(*ptr) >= MAX_ENV_LEN) { - fprintf(stderr, "Error: too long environment variables, please use --rmenv\n"); - exit(1); - } - } - if (i >= MAX_ENVS) { - fprintf(stderr, "Error: too many environment variables, please use --rmenv\n"); - exit(1); - } + // Reapply a minimal set of environment variables + env_apply_whitelist(); // check if the user is allowed to use firejail init_cfg(argc, argv); // get starting timestamp, process --quiet timetrace_start(); - char *env_quiet = getenv("FIREJAIL_QUIET"); + const char *env_quiet = env_get("FIREJAIL_QUIET"); if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) arg_quiet = 1; @@ -1037,9 +1052,9 @@ // build /run/firejail directory structure preproc_build_firejail_dir(); - char *container_name = getenv("container"); + const char *container_name = env_get("container"); if (!container_name || strcmp(container_name, "firejail")) { - lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); if (lockfd_directory != -1) { int rv = fchown(lockfd_directory, 0, 0); (void) rv; @@ -1141,7 +1156,7 @@ #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "w"); + FILE *fp = fopen("/firelog", "we"); if (fp) { int i; fprintf(fp, "argc %d: ", argc); @@ -1160,7 +1175,7 @@ strncmp(argv[2], "scp ", 4) == 0) { #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "run without a sandbox\n"); fclose(fp); @@ -1170,6 +1185,9 @@ drop_privs(1); umask(orig_umask); + + // restore original environment variables + env_apply_all(); int rv = system(argv[2]); exit(rv); } @@ -1190,7 +1208,7 @@ #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "fullargc %d: ", fullargc); int i; @@ -1212,7 +1230,7 @@ #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "argc %d: ", argc); int i; @@ -1225,10 +1243,12 @@ #endif } } +#ifdef HAVE_OUTPUT else { // check --output option and execute it; check_output(argc, argv); // the function will not return if --output or --output-stderr option was found } +#endif EUID_ASSERT(); // check for force-nonewprivs in /etc/firejail/firejail.config file @@ -1239,8 +1259,10 @@ for (i = 1; i < argc; i++) { run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized - if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) + if (strcmp(argv[i], "--debug") == 0) { arg_debug = 1; + arg_quiet = 0; + } else if (strcmp(argv[i], "--debug-blacklists") == 0) arg_debug_blacklists = 1; else if (strcmp(argv[i], "--debug-whitelists") == 0) @@ -1248,8 +1270,8 @@ else if (strcmp(argv[i], "--debug-private-lib") == 0) arg_debug_private_lib = 1; else if (strcmp(argv[i], "--quiet") == 0) { - arg_quiet = 1; - arg_debug = 0; + if (!arg_debug) + arg_quiet = 1; } else if (strcmp(argv[i], "--allow-debuggers") == 0) { // already handled @@ -1277,15 +1299,10 @@ #endif else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { - if (cfg.protocol) { - fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); - } - else { - // store list - cfg.protocol = strdup(argv[i] + 11); - if (!cfg.protocol) - errExit("strdup"); - } + const char *add = argv[i] + 11; + profile_list_augment(&cfg.protocol, add); + if (arg_debug) + fprintf(stderr, "[option] combined protocol list: \"%s\"\n", cfg.protocol); } else exit_err_feature("seccomp"); @@ -1476,8 +1493,11 @@ arg_rlimit_nproc = 1; } else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) { - check_unsigned(argv[i] + 15, "Error: invalid rlimit"); - sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize); + cfg.rlimit_fsize = parse_arg_size(argv[i] + 15); + if (cfg.rlimit_fsize == 0) { + perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_fsize = 1; } else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) { @@ -1486,8 +1506,11 @@ arg_rlimit_sigpending = 1; } else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) { - check_unsigned(argv[i] + 12, "Error: invalid rlimit"); - sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as); + cfg.rlimit_as = parse_arg_size(argv[i] + 12); + if (cfg.rlimit_as == 0) { + perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_as = 1; } else if (strncmp(argv[i], "--ipc-namespace", 15) == 0) @@ -1581,7 +1604,26 @@ profile_add(line); } #endif - + else if (strncmp(argv[i], "--mkdir=", 8) == 0) { + char *line; + if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) + errExit("asprintf"); + /* Note: Applied both immediately in profile_check_line() + * and later on via fs_blacklist(). + */ + profile_check_line(line, 0, NULL); + profile_add(line); + } + else if (strncmp(argv[i], "--mkfile=", 9) == 0) { + char *line; + if (asprintf(&line, "mkfile %s", argv[i] + 9) == -1) + errExit("asprintf"); + /* Note: Applied both immediately in profile_check_line() + * and later on via fs_blacklist(). + */ + profile_check_line(line, 0, NULL); + profile_add(line); + } else if (strncmp(argv[i], "--read-only=", 12) == 0) { char *line; if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) @@ -1801,6 +1843,8 @@ exit(1); } arg_noprofile = 1; + // force keep-config-pulse in order to keep ~/.config/pulse as is + arg_keep_config_pulse = 1; } else if (strncmp(argv[i], "--ignore=", 9) == 0) { if (custom_profile) { @@ -1851,6 +1895,9 @@ } arg_writable_etc = 1; } + else if (strcmp(argv[i], "--keep-config-pulse") == 0) { + arg_keep_config_pulse = 1; + } else if (strcmp(argv[i], "--writable-var") == 0) { arg_writable_var = 1; } @@ -1921,61 +1968,77 @@ arg_keep_dev_shm = 1; } else if (strncmp(argv[i], "--private-etc=", 14) == 0) { - if (arg_writable_etc) { - fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); - exit(1); - } + if (checkcfg(CFG_PRIVATE_ETC)) { + if (arg_writable_etc) { + fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); + exit(1); + } - // extract private etc list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-etc option\n"); - exit(1); + // extract private etc list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-etc option\n"); + exit(1); + } + if (cfg.etc_private_keep) { + if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.etc_private_keep = argv[i] + 14; + arg_private_etc = 1; } - if (cfg.etc_private_keep) { - if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.etc_private_keep = argv[i] + 14; - arg_private_etc = 1; + else + exit_err_feature("private-etc"); } else if (strncmp(argv[i], "--private-opt=", 14) == 0) { - // extract private opt list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-opt option\n"); - exit(1); + if (checkcfg(CFG_PRIVATE_OPT)) { + // extract private opt list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-opt option\n"); + exit(1); + } + if (cfg.opt_private_keep) { + if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.opt_private_keep = argv[i] + 14; + arg_private_opt = 1; } - if (cfg.opt_private_keep) { - if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.opt_private_keep = argv[i] + 14; - arg_private_opt = 1; + else + exit_err_feature("private-opt"); } else if (strncmp(argv[i], "--private-srv=", 14) == 0) { - // extract private srv list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-srv option\n"); - exit(1); + if (checkcfg(CFG_PRIVATE_SRV)) { + // extract private srv list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-srv option\n"); + exit(1); + } + if (cfg.srv_private_keep) { + if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.srv_private_keep = argv[i] + 14; + arg_private_srv = 1; } - if (cfg.srv_private_keep) { - if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.srv_private_keep = argv[i] + 14; - arg_private_srv = 1; + else + exit_err_feature("private-srv"); } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { - // extract private bin list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-bin option\n"); - exit(1); + if (checkcfg(CFG_PRIVATE_BIN)) { + // extract private bin list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-bin option\n"); + exit(1); + } + if (cfg.bin_private_keep) { + if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.bin_private_keep = argv[i] + 14; + arg_private_bin = 1; } - if (cfg.bin_private_keep) { - if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.bin_private_keep = argv[i] + 14; - arg_private_bin = 1; + else + exit_err_feature("private-bin"); } else if (strncmp(argv[i], "--private-lib", 13) == 0) { if (checkcfg(CFG_PRIVATE_LIB)) { @@ -2053,7 +2116,7 @@ else if (strcmp(argv[i], "--nosound") == 0) arg_nosound = 1; else if (strcmp(argv[i], "--noautopulse") == 0) - arg_noautopulse = 1; + arg_keep_config_pulse = 1; else if (strcmp(argv[i], "--novideo") == 0) arg_novideo = 1; else if (strcmp(argv[i], "--no3d") == 0) @@ -2064,6 +2127,8 @@ arg_nodvd = 1; else if (strcmp(argv[i], "--nou2f") == 0) arg_nou2f = 1; + else if (strcmp(argv[i], "--noinput") == 0) + arg_noinput = 1; else if (strcmp(argv[i], "--nodbus") == 0) { arg_dbus_user = DBUS_POLICY_BLOCK; arg_dbus_system = DBUS_POLICY_BLOCK; @@ -2584,28 +2649,6 @@ //************************************* else if (strncmp(argv[i], "--timeout=", 10) == 0) cfg.timeout = extract_timeout(argv[i] + 10); - else if (strcmp(argv[i], "--audit") == 0) { - arg_audit_prog = LIBDIR "/firejail/faudit"; - profile_add_ignore("shell none"); - arg_audit = 1; - } - else if (strncmp(argv[i], "--audit=", 8) == 0) { - if (strlen(argv[i] + 8) == 0) { - fprintf(stderr, "Error: invalid audit program\n"); - exit(1); - } - arg_audit_prog = strdup(argv[i] + 8); - if (!arg_audit_prog) - errExit("strdup"); - - struct stat s; - if (stat(arg_audit_prog, &s) != 0) { - fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); - exit(1); - } - profile_add_ignore("shell none"); - arg_audit = 1; - } else if (strcmp(argv[i], "--appimage") == 0) arg_appimage = 1; else if (strcmp(argv[i], "--shell=none") == 0) { @@ -2783,6 +2826,11 @@ // build the sandbox command if (prog_index == -1 && cfg.shell) { assert(cfg.command_line == NULL); // runs cfg.shell + if (arg_appimage) { + fprintf(stderr, "Error: no appimage archive specified\n"); + exit(1); + } + cfg.window_title = cfg.shell; cfg.command_name = cfg.shell; } @@ -2790,10 +2838,11 @@ if (arg_debug) printf("Configuring appimage environment\n"); appimage_set(cfg.command_name); - build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line); + build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true); } else { - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); + // Only add extra quotes if we were not launched by sshd. + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, !parent_sshd); } /* else { fprintf(stderr, "Error: command must be specified when --shell=none used.\n"); @@ -2807,7 +2856,13 @@ // load the profile if (!arg_noprofile && !custom_profile) { - custom_profile = profile_find_firejail(cfg.command_name, 1); + if (arg_appimage) { + custom_profile = appimage_find_profile(cfg.command_name); + // disable shell=* for appimages + arg_shell_none = 0; + } + else + custom_profile = profile_find_firejail(cfg.command_name, 1); } // use default.profile as the default @@ -2821,7 +2876,7 @@ custom_profile = profile_find_firejail(profile_name, 1); if (!custom_profile) { - fprintf(stderr, "Error: no default.profile installed\n"); + fprintf(stderr, "Error: no %s installed\n", profile_name); exit(1); } @@ -2837,6 +2892,15 @@ // check network configuration options - it will exit if anything went wrong net_check_cfg(); + // customization of default seccomp filter + if (config_seccomp_filter_add) { + if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop) + profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add); + + if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32) + profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add); + } + if (arg_seccomp) arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); @@ -2847,7 +2911,7 @@ // check and assign an IP address - for macvlan it will be done again in the sandbox! if (any_bridge_configured()) { EUID_ROOT(); - lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); if (lockfd_network != -1) { int rv = fchown(lockfd_network, 0, 0); (void) rv; @@ -2869,12 +2933,6 @@ } EUID_ASSERT(); - // create the parent-child communication pipe - if (pipe(parent_to_child_fds) < 0) - errExit("pipe"); - if (pipe(child_to_parent_fds) < 0) - errExit("pipe"); - if (arg_noroot && arg_overlay) { fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n"); arg_noroot = 0; @@ -2887,7 +2945,7 @@ // set name and x11 run files EUID_ROOT(); - lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); if (lockfd_directory != -1) { int rv = fchown(lockfd_directory, 0, 0); (void) rv; @@ -2916,6 +2974,12 @@ } #endif + // create the parent-child communication pipe + if (pipe2(parent_to_child_fds, O_CLOEXEC) < 0) + errExit("pipe"); + if (pipe2(child_to_parent_fds, O_CLOEXEC) < 0) + errExit("pipe"); + // clone environment int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; @@ -2972,9 +3036,9 @@ network_main(child); if (arg_debug) printf("Host network configured\n"); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } diff -Nru firejail-0.9.64.4/src/firejail/Makefile.in firejail-0.9.66/src/firejail/Makefile.in --- firejail-0.9.64.4/src/firejail/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: firejail include ../common.mk @@ -8,7 +9,9 @@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/firejail/mountinfo.c firejail-0.9.66/src/firejail/mountinfo.c --- firejail-0.9.64.4/src/firejail/mountinfo.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/mountinfo.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -22,7 +22,7 @@ #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif #define MAX_BUF 4096 @@ -153,6 +153,7 @@ // Extract the mount id from /proc/self/fdinfo and return it. int get_mount_id(const char *path) { + EUID_ASSERT(); assert(path); int fd = open(path, O_PATH|O_CLOEXEC); @@ -162,7 +163,9 @@ char *fdinfo; if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) errExit("asprintf"); + EUID_ROOT(); FILE *fp = fopen(fdinfo, "re"); + EUID_USER(); free(fdinfo); if (!fp) goto errexit; diff -Nru firejail-0.9.64.4/src/firejail/netfilter.c firejail-0.9.66/src/firejail/netfilter.c --- firejail-0.9.64.4/src/firejail/netfilter.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/netfilter.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firejail/netns.c firejail-0.9.66/src/firejail/netns.c --- firejail-0.9.64.4/src/firejail/netns.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/netns.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2020 Firejail Authors + * Copyright (C) 2020-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firejail/network.c firejail-0.9.66/src/firejail/network.c --- firejail-0.9.64.4/src/firejail/network.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/network.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -217,7 +217,7 @@ #define BUFSIZE 1024 uint32_t network_get_defaultgw(void) { - FILE *fp = fopen("/proc/self/net/route", "r"); + FILE *fp = fopen("/proc/self/net/route", "re"); if (!fp) errExit("fopen"); diff -Nru firejail-0.9.64.4/src/firejail/network_main.c firejail-0.9.66/src/firejail/network_main.c --- firejail-0.9.64.4/src/firejail/network_main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/network_main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -120,7 +120,7 @@ // check network range char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); if (rv) { - fprintf(stderr, "%s", rv); + fprintf(stderr, "%s\n", rv); exit(1); } // send an ARP request and check if there is anybody on this IP address @@ -292,7 +292,7 @@ errExit("chdir"); // access /etc/resolv.conf - FILE *fp = fopen("/etc/resolv.conf", "r"); + FILE *fp = fopen("/etc/resolv.conf", "re"); if (!fp) { fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); exit(1); diff -Nru firejail-0.9.64.4/src/firejail/no_sandbox.c firejail-0.9.66/src/firejail/no_sandbox.c --- firejail-0.9.64.4/src/firejail/no_sandbox.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/no_sandbox.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "firejail.h" #include #include +#include #include #include @@ -41,13 +42,13 @@ EUID_ASSERT(); // check container environment variable - char *str = getenv("container"); + const char *str = env_get("container"); if (str && is_container(str)) return 1; // check PID 1 container environment variable EUID_ROOT(); - FILE *fp = fopen("/proc/1/environ", "r"); + FILE *fp = fopen("/proc/1/environ", "re"); if (fp) { int c = 0; while (c != EOF) { @@ -105,20 +106,15 @@ // look at the first 10 processes // if a kernel process is found, return 1 for (i = 1; i <= 10; i++) { - struct stat s; char *fname; if (asprintf(&fname, "/proc/%d/comm", i) == -1) errExit("asprintf"); - if (stat(fname, &s) == -1) { - free(fname); - continue; - } // open file - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { - fwarning("cannot open %s\n", fname); + if (errno != ENOENT) + fwarning("cannot open %s\n", fname); free(fname); continue; } @@ -168,29 +164,17 @@ errExit("setresuid"); // process limited subset of options + // and find first non option arg: + // - first argument not starting with --, + // - whatever follows after -c (example: firejail -c ls) + int prog_index = 0; int i; - for (i = 0; i < argc; i++) { + for (i = 1; i < argc; i++) { if (strcmp(argv[i], "--debug") == 0) arg_debug = 1; else if (strncmp(argv[i], "--shell=", 8) == 0) - fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); - } - - // use $SHELL to get shell used in sandbox, guess shell otherwise - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); - exit(1); - } - else if (arg_debug) - printf("Selecting %s as shell\n", cfg.shell); - - int prog_index = 0; - // find first non option arg: - // - first argument not starting with --, - // - whatever follows after -c (example: firejail -c ls) - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-c") == 0) { + fwarning("shell-related command line options are disregarded\n"); + else if (strcmp(argv[i], "-c") == 0) { prog_index = i + 1; if (prog_index == argc) { fprintf(stderr, "Error: option -c requires an argument\n"); @@ -199,36 +183,36 @@ break; } // check first argument not starting with -- - if (strncmp(argv[i],"--",2) != 0) { + else if (strncmp(argv[i],"--",2) != 0) { prog_index = i; break; } } -// if shell is /usr/bin/firejail, replace it with /bin/bash -// if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { -// cfg.shell = "/bin/bash"; -// prog_index = 0; -// } - if (prog_index == 0) { - assert(cfg.command_line == NULL); // runs cfg.shell + // got no command, require a shell and try to execute it + cfg.shell = guess_shell(); + if (!cfg.shell) { + fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); + exit(1); + } + + assert(cfg.command_line == NULL); cfg.window_title = cfg.shell; } else { - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); + // this sandbox might not allow execution of a shell + // force --shell=none in order to not break firecfg symbolic links + arg_shell_none = 1; + + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true); } + fwarning("an existing sandbox was detected. " + "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell); + cfg.original_argv = argv; cfg.original_program_index = prog_index; - char *command; - if (prog_index == 0) - command = cfg.shell; - else - command = argv[prog_index]; - fwarning("an existing sandbox was detected. " - "%s will run without any additional sandboxing features\n", command); - arg_quiet = 1; start_application(1, -1, NULL); diff -Nru firejail-0.9.64.4/src/firejail/output.c firejail-0.9.66/src/firejail/output.c --- firejail-0.9.64.4/src/firejail/output.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/output.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include #include +#ifdef HAVE_OUTPUT void check_output(int argc, char **argv) { EUID_ASSERT(); @@ -95,6 +96,9 @@ close(pipefd[0]); } + // restore some environment variables + env_apply_whitelist_sbox(); + char *args[3]; args[0] = LIBDIR "/firejail/ftee"; args[1] = outfile; @@ -137,8 +141,13 @@ } args[j++] = argv[i]; } + + // restore original environment variables + env_apply_all(); + execvp(args[0], args); perror("execvp"); exit(1); } +#endif diff -Nru firejail-0.9.64.4/src/firejail/paths.c firejail-0.9.66/src/firejail/paths.c --- firejail-0.9.64.4/src/firejail/paths.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/paths.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -26,13 +26,13 @@ static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning static void init_paths(void) { - char *path = getenv("PATH"); + const char *env_path = env_get("PATH"); char *p; - if (!path) { - path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; - setenv("PATH", path, 1); + if (!env_path) { + env_path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; + env_store_name_val("PATH", env_path, SETENV); } - path = strdup(path); + char *path = strdup(env_path); if (!path) errExit("strdup"); @@ -136,7 +136,7 @@ // ('x' permission means something different for directories). // exec follows symlinks, so use stat, not lstat. struct stat st; - if (stat(scratch, &st)) { + if (stat_as_user(scratch, &st)) { perror(scratch); exit(1); } diff -Nru firejail-0.9.64.4/src/firejail/preproc.c firejail-0.9.66/src/firejail/preproc.c --- firejail-0.9.64.4/src/firejail/preproc.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/preproc.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -164,7 +164,7 @@ int max_pids=32769; int start_pid = 100; // extract real max_pids - FILE *fp = fopen("/proc/sys/kernel/pid_max", "r"); + FILE *fp = fopen("/proc/sys/kernel/pid_max", "re"); if (fp) { int val; if (fscanf(fp, "%d", &val) == 1) { diff -Nru firejail-0.9.64.4/src/firejail/profile.c firejail-0.9.66/src/firejail/profile.c --- firejail-0.9.64.4/src/firejail/profile.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/profile.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,10 +18,12 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include "../include/seccomp.h" #include "../include/syscall.h" #include #include + extern char *xephyr_screen; #define MAX_READ 8192 // line buffer for profile files @@ -157,8 +159,12 @@ return arg_nosound != 0; } +static int check_private(void) { + return arg_private; +} + static int check_x11(void) { - return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11")); + return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11")); } static int check_disable_u2f(void) { @@ -174,6 +180,7 @@ {"HAS_NET", check_netoptions}, {"HAS_NODBUS", check_nodbus}, {"HAS_NOSOUND", check_nosound}, + {"HAS_PRIVATE", check_private}, {"HAS_X11", check_x11}, {"BROWSER_DISABLE_U2F", check_disable_u2f}, {"BROWSER_ALLOW_DRM", check_allow_drm}, @@ -418,7 +425,7 @@ return 0; } else if (strcmp(ptr, "noautopulse") == 0) { - arg_noautopulse = 1; + arg_keep_config_pulse = 1; return 0; } else if (strcmp(ptr, "notv") == 0) { @@ -437,6 +444,10 @@ arg_no3d = 1; return 0; } + else if (strcmp(ptr, "noinput") == 0) { + arg_noinput = 1; + return 0; + } else if (strcmp(ptr, "nodbus") == 0) { #ifdef HAVE_DBUSPROXY arg_dbus_user = DBUS_POLICY_BLOCK; @@ -911,15 +922,10 @@ if (strncmp(ptr, "protocol ", 9) == 0) { if (checkcfg(CFG_SECCOMP)) { - if (cfg.protocol) { - fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); - return 0; - } - - // store list - cfg.protocol = strdup(ptr + 9); - if (!cfg.protocol) - errExit("strdup"); + const char *add = ptr + 9; + profile_list_augment(&cfg.protocol, add); + if (arg_debug) + fprintf(stderr, "[profile] combined protocol list: \"%s\"\n", cfg.protocol); } else warning_feature_disabled("seccomp"); @@ -931,7 +937,6 @@ return 0; } if (strncmp(ptr, "rmenv ", 6) == 0) { - unsetenv(ptr + 6); // Remove also immediately from Firejail itself env_store(ptr + 6, RMENV); return 0; } @@ -1140,6 +1145,12 @@ arg_machineid = 1; return 0; } + + if (strcmp(ptr, "keep-config-pulse") == 0) { + arg_keep_config_pulse = 1; + return 0; + } + // writable-var if (strcmp(ptr, "writable-var") == 0) { arg_writable_var = 1; @@ -1181,7 +1192,7 @@ if (strcmp(ptr, "x11 xephyr") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } @@ -1210,7 +1221,7 @@ if (strcmp(ptr, "x11 xpra") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } @@ -1229,7 +1240,7 @@ if (strcmp(ptr, "x11 xvfb") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } @@ -1248,7 +1259,7 @@ if (strcmp(ptr, "x11") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } @@ -1266,56 +1277,69 @@ // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { - if (arg_writable_etc) { - fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); - exit(1); - } - if (cfg.etc_private_keep) { - if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.etc_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_ETC)) { + if (arg_writable_etc) { + fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); + exit(1); + } + if (cfg.etc_private_keep) { + if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.etc_private_keep = ptr + 12; + } + arg_private_etc = 1; } - arg_private_etc = 1; - + else + warning_feature_disabled("private-etc"); return 0; } // private /opt list of files and directories if (strncmp(ptr, "private-opt ", 12) == 0) { - if (cfg.opt_private_keep) { - if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.opt_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_OPT)) { + if (cfg.opt_private_keep) { + if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.opt_private_keep = ptr + 12; + } + arg_private_opt = 1; } - arg_private_opt = 1; - + else + warning_feature_disabled("private-opt"); return 0; } // private /srv list of files and directories if (strncmp(ptr, "private-srv ", 12) == 0) { - if (cfg.srv_private_keep) { - if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.srv_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_SRV)) { + if (cfg.srv_private_keep) { + if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.srv_private_keep = ptr + 12; + } + arg_private_srv = 1; } - arg_private_srv = 1; - + else + warning_feature_disabled("private-srv"); return 0; } // private /bin list of files if (strncmp(ptr, "private-bin ", 12) == 0) { - if (cfg.bin_private_keep) { - if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.bin_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_BIN)) { + if (cfg.bin_private_keep) { + if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.bin_private_keep = ptr + 12; + } + arg_private_bin = 1; } - arg_private_bin = 1; + else + warning_feature_disabled("private-bin"); return 0; } @@ -1483,8 +1507,11 @@ arg_rlimit_nproc = 1; } else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) { - check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: "); - sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize); + cfg.rlimit_fsize = parse_arg_size(ptr + 13); + if (cfg.rlimit_fsize == 0) { + perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_fsize = 1; } else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) { @@ -1493,8 +1520,11 @@ arg_rlimit_sigpending = 1; } else if (strncmp(ptr, "rlimit-as ", 10) == 0) { - check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: "); - sscanf(ptr + 10, "%llu", &cfg.rlimit_as); + cfg.rlimit_as = parse_arg_size(ptr + 10); + if (cfg.rlimit_as == 0) { + perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_as = 1; } else { @@ -1688,7 +1718,7 @@ } // open profile file: - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp == NULL) { fprintf(stderr, "Error: cannot open profile file %s\n", fname); exit(1); @@ -1705,13 +1735,17 @@ int lineno = 0; while (fgets(buf, MAX_READ, fp)) { ++lineno; + + // remove comments + char *ptr = strchr(buf, '#'); + if (ptr) + *ptr = '\0'; + // remove empty space - ptr in allocated memory - char *ptr = line_remove_spaces(buf); + ptr = line_remove_spaces(buf); if (ptr == NULL) continue; - - // comments - if (*ptr == '#' || *ptr == '\0') { + if (*ptr == '\0') { free(ptr); continue; } @@ -1721,7 +1755,7 @@ if (strcmp(ptr, "quiet") == 0) { if (is_in_ignore_list(ptr)) arg_quiet = 0; - else + else if (!arg_debug) arg_quiet = 1; free(ptr); continue; @@ -1768,9 +1802,148 @@ // else { // free(ptr); // } -#ifdef HAVE_GCOV + __gcov_flush(); -#endif } fclose(fp); } + +char *profile_list_normalize(char *list) +{ + /* Remove redundant commas. + * + * As result is always shorter than original, + * in-place copying can be used. + */ + size_t i = 0; + size_t j = 0; + int c; + while (list[i] == ',') + ++i; + while ((c = list[i++])) { + if (c == ',') { + while (list[i] == ',') + ++i; + if (list[i] == 0) + break; + } + list[j++] = c; + } + list[j] = 0; + return list; +} + +char *profile_list_compress(char *list) +{ + size_t i; + + /* Comma separated list is processed so that: + * "item" -> adds item to list + * "-item" -> removes item from list + * "+item" -> adds item to list + * "=item" -> clear list, add item + * + * For example: + * ,a,,,b,,,c, -> a,b,c + * a,,b,,,c,a -> a,b,c + * a,b,c,-a -> b,c + * a,b,c,-a,a -> b,c,a + * a,+b,c -> a,b,c + * a,b,=c,d -> c,d + * a,b,c,= -> + */ + profile_list_normalize(list); + + /* Count items: comma count + 1 */ + size_t count = 1; + for (i = 0; list[i]; ++i) { + if (list[i] == ',') + ++count; + } + + /* Collect items in an array */ + char *in[count]; + count = 0; + in[count++] = list; + for (i = 0; list[i]; ++i) { + if (list[i] != ',') + continue; + list[i] = 0; + in[count++] = list + i + 1; + } + + /* Filter array: add, remove, reset, filter out duplicates */ + for (i = 0; i < count; ++i) { + char *item = in[i]; + assert(item); + + size_t k; + switch (*item) { + case '-': + ++item; + /* Do not include this item */ + in[i] = 0; + /* Remove if already included */ + for (k = 0; k < i; ++k) { + if (in[k] && !strcmp(in[k], item)) { + in[k] = 0; + break; + } + } + break; + case '+': + /* Allow +/- symmetry */ + in[i] = ++item; + /* FALLTHRU */ + default: + /* Adding empty item is a NOP */ + if (!*item) { + in[i] = 0; + break; + } + /* Include item unless it is already included */ + for (k = 0; k < i; ++k) { + if (in[k] && !strcmp(in[k], item)) { + in[i] = 0; + break; + } + } + break; + case '=': + in[i] = ++item; + /* Include non-empty item */ + if (!*item) + in[i] = 0; + /* Remove all allready included items */ + for (k = 0; k < i; ++k) + in[k] = 0; + break; + } + } + + /* Copying back using in-place data works because the + * original order is retained and no item gets longer + * than what it used to be. + */ + char *pos = list; + for (i = 0; i < count; ++i) { + char *item = in[i]; + if (!item) + continue; + if (pos > list) + *pos++ = ','; + while (*item) + *pos++ = *item++; + } + *pos = 0; + return list; +} + +void profile_list_augment(char **list, const char *items) +{ + char *tmp = 0; + if (asprintf(&tmp, "%s,%s", *list ?: "", items ?: "") < 0) + errExit("asprintf"); + free(*list); + *list = profile_list_compress(tmp); +} diff -Nru firejail-0.9.64.4/src/firejail/protocol.c firejail-0.9.66/src/firejail/protocol.c --- firejail-0.9.64.4/src/firejail/protocol.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/protocol.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -23,7 +23,7 @@ void protocol_filter_save(void) { // save protocol filter configuration in PROTOCOL_CFG - FILE *fp = fopen(RUN_PROTOCOL_CFG, "w"); + FILE *fp = fopen(RUN_PROTOCOL_CFG, "wxe"); if (!fp) errExit("fopen"); fprintf(fp, "%s\n", cfg.protocol); @@ -35,7 +35,7 @@ assert(fname); // read protocol filter configuration from PROTOCOL_CFG - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) return; diff -Nru firejail-0.9.64.4/src/firejail/pulseaudio.c firejail-0.9.66/src/firejail/pulseaudio.c --- firejail-0.9.64.4/src/firejail/pulseaudio.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/pulseaudio.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -42,7 +42,7 @@ // blacklist pulseaudio socket in XDG_RUNTIME_DIR - char *name = getenv("XDG_RUNTIME_DIR"); + const char *name = env_get("XDG_RUNTIME_DIR"); if (name) disable_file_path(name, "pulse/native"); @@ -75,37 +75,41 @@ closedir(dir); } -static void pulseaudio_fallback(const char *path) { - fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); - if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) - errExit("setenv"); -} - // disable shm in pulseaudio (issue #69) void pulseaudio_init(void) { - struct stat s; - // do we have pulseaudio in the system? - if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) { + if (access(PULSE_CLIENT_SYSCONF, R_OK)) { if (arg_debug) - printf("%s not found\n", PULSE_CLIENT_SYSCONF); + printf("Cannot read %s\n", PULSE_CLIENT_SYSCONF); return; } + // create ~/.config/pulse directory if not present + char *homeusercfg = NULL; + if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1) + errExit("asprintf"); + if (create_empty_dir_as_user(homeusercfg, 0700)) + fs_logger2("create", homeusercfg); + + free(homeusercfg); + if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) + errExit("asprintf"); + if (create_empty_dir_as_user(homeusercfg, 0700)) + fs_logger2("create", homeusercfg); + // create the new user pulseaudio directory + // that will be mounted over ~/.config/pulse if (mkdir(RUN_PULSE_DIR, 0700) == -1) errExit("mkdir"); - selinux_relabel_path(RUN_PULSE_DIR, RUN_PULSE_DIR); - // mount it nosuid, noexec, nodev + selinux_relabel_path(RUN_PULSE_DIR, homeusercfg); fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0); - // create the new client.conf file char *pulsecfg = NULL; if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) errExit("asprintf"); if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed errExit("copy_file"); - FILE *fp = fopen(pulsecfg, "a"); + FILE *fp = fopen(pulsecfg, "ae"); if (!fp) errExit("fopen"); fprintf(fp, "%s", "\nenable-shm = no\n"); @@ -115,37 +119,14 @@ if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700)) errExit("set_perms"); - // create ~/.config/pulse directory if not present - char *homeusercfg = NULL; - if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1) - errExit("asprintf"); - if (create_empty_dir_as_user(homeusercfg, 0700)) - fs_logger2("create", homeusercfg); - - free(homeusercfg); - if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) - errExit("asprintf"); - if (create_empty_dir_as_user(homeusercfg, 0700)) - fs_logger2("create", homeusercfg); - // if ~/.config/pulse exists and there are no symbolic links, mount the new directory // else set environment variable - int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + EUID_USER(); + int fd = safer_openat(-1, homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + EUID_ROOT(); if (fd == -1) { - pulseaudio_fallback(pulsecfg); - goto out; - } - // confirm the actual mount destination is owned by the user - if (fstat(fd, &s) == -1) { // FUSE - if (errno != EACCES) - errExit("fstat"); - close(fd); - pulseaudio_fallback(pulsecfg); - goto out; - } - if (s.st_uid != getuid()) { - close(fd); - pulseaudio_fallback(pulsecfg); + fwarning("not mounting tmpfs on %s\n", homeusercfg); + env_store_name_val("PULSE_CLIENTCONFIG", pulsecfg, SETENV); goto out; } // preserve a read-only mount @@ -157,24 +138,19 @@ // mount via the link in /proc/self/fd if (arg_debug) printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0) + if (bind_mount_path_to_fd(RUN_PULSE_DIR, fd)) errExit("mount pulseaudio"); // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) errLogExit("invalid pulseaudio mount"); fs_logger2("tmpfs", homeusercfg); - free(proc); close(fd); char *p; if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) errExit("asprintf"); - if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0) - errExit("setenv"); + env_store_name_val("PULSE_CLIENTCONFIG", p, SETENV); fs_logger2("create", p); free(p); diff -Nru firejail-0.9.64.4/src/firejail/restricted_shell.c firejail-0.9.66/src/firejail/restricted_shell.c --- firejail-0.9.64.4/src/firejail/restricted_shell.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/restricted_shell.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -32,7 +32,7 @@ char *fname; if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); free(fname); if (fp == NULL) return 0; @@ -96,7 +96,7 @@ fullargv[i] = ptr; #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]); fclose(fp); diff -Nru firejail-0.9.64.4/src/firejail/restrict_users.c firejail-0.9.66/src/firejail/restrict_users.c --- firejail-0.9.64.4/src/firejail/restrict_users.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/restrict_users.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -72,8 +72,8 @@ if (arg_debug) printf("Cleaning /home directory\n"); - // keep a copy of the user home directory - int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + // open user home directory in order to keep it around + int fd = safer_openat(-1, cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) goto errout; if (fstat(fd, &s) == -1) { // FUSE @@ -82,47 +82,34 @@ close(fd); goto errout; } - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) - errExit("mkdir"); - if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - free(proc); - close(fd); - // mount tmpfs in the new home + // mount tmpfs on /home if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mount tmpfs"); selinux_relabel_path("/home", "/home"); fs_logger("tmpfs /home"); - // create user home directory + // create new user home directory if (mkdir(cfg.homedir, 0755) == -1) { - if (mkpath_as_root(cfg.homedir)) + if (mkpath_as_root(cfg.homedir) == -1) errExit("mkpath"); if (mkdir(cfg.homedir, 0755) == -1) errExit("mkdir"); - selinux_relabel_path(cfg.homedir, cfg.homedir); } fs_logger2("mkdir", cfg.homedir); // set mode and ownership if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) errExit("set_perms"); + selinux_relabel_path(cfg.homedir, cfg.homedir); - // mount user home directory - if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) + // bring back real user home directory + if (bind_mount_fd_to_path(fd, cfg.homedir)) errExit("mount bind"); + close(fd); - // mask home dir under /run - if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); if (!arg_private) fs_logger2("whitelist", cfg.homedir); - return; errout: @@ -137,22 +124,15 @@ if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) errExit("asprintf"); - struct stat s; - if (stat(runuser, &s) == -1) { - // cannot find /user/run/$UID directory, just return + // open /run/user/$UID directory in order to keep it around + int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) { if (arg_debug) - printf("Cannot find %s directory\n", runuser); + printf("Cannot open %s directory\n", runuser); free(runuser); return; } - if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1) - errExit("mkdir"); - - // keep a copy of the /run/user/$UID directory - if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - // mount tmpfs on /run/user if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mount tmpfs"); @@ -162,22 +142,19 @@ // create new user directory if (mkdir(runuser, 0700) == -1) errExit("mkdir"); - selinux_relabel_path(runuser, runuser); fs_logger2("mkdir", runuser); // set mode and ownership if (set_perms(runuser, getuid(), getgid(), 0700)) errExit("set_perms"); + selinux_relabel_path(runuser, runuser); - // mount /run/user/$UID directory - if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) + // bring back real run/user/$UID directory + if (bind_mount_fd_to_path(fd, runuser)) errExit("mount bind"); + close(fd); - // mask mirrored /run/user/$UID directory - if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); - + fs_logger2("whitelist", runuser); free(runuser); } @@ -198,10 +175,10 @@ // open files /* coverity[toctou] */ - fpin = fopen("/etc/passwd", "r"); + fpin = fopen("/etc/passwd", "re"); if (!fpin) goto errout; - fpout = fopen(RUN_PASSWD_FILE, "w"); + fpout = fopen(RUN_PASSWD_FILE, "we"); if (!fpout) goto errout; @@ -261,6 +238,11 @@ // mount-bind tne new password file if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) errExit("mount"); + + // blacklist RUN_PASSWD_FILE + if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("mount"); + fs_logger("create /etc/passwd"); return; @@ -333,10 +315,10 @@ // open files /* coverity[toctou] */ - fpin = fopen("/etc/group", "r"); + fpin = fopen("/etc/group", "re"); if (!fpin) goto errout; - fpout = fopen(RUN_GROUP_FILE, "w"); + fpout = fopen(RUN_GROUP_FILE, "we"); if (!fpout) goto errout; @@ -391,6 +373,11 @@ // mount-bind tne new group file if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) errExit("mount"); + + // blacklist RUN_GROUP_FILE + if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("mount"); + fs_logger("create /etc/group"); return; diff -Nru firejail-0.9.64.4/src/firejail/rlimit.c firejail-0.9.66/src/firejail/rlimit.c --- firejail-0.9.64.4/src/firejail/rlimit.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/rlimit.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include @@ -33,9 +34,9 @@ // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_cpu; rl.rlim_max = (rlim_t) cfg.rlimit_cpu; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_CPU, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -50,9 +51,10 @@ // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; rl.rlim_max = (rlim_t) cfg.rlimit_nofile; -#ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point + + // gcov-instrumented programs might crash at this point __gcov_dump(); -#endif + if (setrlimit(RLIMIT_NOFILE, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -67,9 +69,9 @@ // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; rl.rlim_max = (rlim_t) cfg.rlimit_nproc; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_NPROC, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -84,9 +86,9 @@ // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; rl.rlim_max = (rlim_t) cfg.rlimit_fsize; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_FSIZE, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -101,9 +103,9 @@ // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -118,9 +120,9 @@ // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_as; rl.rlim_max = (rlim_t) cfg.rlimit_as; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_AS, &rl) == -1) errExit("setrlimit"); if (arg_debug) diff -Nru firejail-0.9.64.4/src/firejail/run_files.c firejail-0.9.66/src/firejail/run_files.c --- firejail-0.9.64.4/src/firejail/run_files.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/run_files.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -101,7 +101,7 @@ errExit("asprintf"); // the file is deleted first - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (!fp) { fprintf(stderr, "Error: cannot create %s\n", fname); exit(1); @@ -120,7 +120,7 @@ errExit("asprintf"); // the file is deleted first - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (!fp) { fprintf(stderr, "Error: cannot create %s\n", fname); exit(1); @@ -139,7 +139,7 @@ EUID_ROOT(); // the file is deleted first - FILE *fp = fopen(runfile, "w"); + FILE *fp = fopen(runfile, "we"); if (!fp) { fprintf(stderr, "Error: cannot create %s\n", runfile); exit(1); diff -Nru firejail-0.9.64.4/src/firejail/run_symlink.c firejail-0.9.66/src/firejail/run_symlink.c --- firejail-0.9.64.4/src/firejail/run_symlink.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/run_symlink.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -42,7 +42,8 @@ errExit("setresuid"); // find the real program by looking in PATH - if (!getenv("PATH")) { + const char *path = env_get("PATH"); + if (!path) { fprintf(stderr, "Error: PATH environment variable not set\n"); exit(1); } @@ -57,6 +58,9 @@ // restore original umask umask(orig_umask); + // restore original environment variables + env_apply_all(); + // desktop integration is not supported for root user; instead, the original program is started if (getuid() == 0 || run_as_is) { argv[0] = program; @@ -73,6 +77,7 @@ a[i + 2] = argv[i + 1]; } a[i + 2] = NULL; + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(a[0], a); diff -Nru firejail-0.9.64.4/src/firejail/sandbox.c firejail-0.9.66/src/firejail/sandbox.c --- firejail-0.9.64.4/src/firejail/sandbox.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/sandbox.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,6 +19,7 @@ */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include "../include/seccomp.h" #include #include @@ -49,7 +50,6 @@ #include #endif - static int force_nonewprivs = 0; static int monitored_pid = 0; @@ -67,7 +67,7 @@ if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1) errExit("asprintf"); while (monsec) { - FILE *fp = fopen(monfile, "r"); + FILE *fp = fopen(monfile, "re"); if (!fp) break; @@ -162,7 +162,7 @@ if (arg_nogroups == 0) return; - FILE *fp = fopen(RUN_GROUPS_CFG, "w"); + FILE *fp = fopen(RUN_GROUPS_CFG, "wxe"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644 @@ -227,7 +227,7 @@ if (br->arg_ip_none == 1); // do nothing else if (br->arg_ip_none == 0 && br->macvlan == 0) { if (br->ipsandbox == br->ip) { - fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev); + fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev); exit(1); } @@ -245,13 +245,17 @@ br->ipsandbox = arp_assign(dev, br); //br->ip, br->mask); else { if (br->ipsandbox == br->ip) { - fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev); + fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev); + exit(1); + } + if (br->ipsandbox == cfg.defaultgw) { + fprintf(stderr, "Error: %d.%d.%d.%d is the default gateway, exiting...\n", PRINT_IP(br->ipsandbox)); exit(1); } uint32_t rv = arp_check(dev, br->ipsandbox); if (rv) { - fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use.\n", PRINT_IP(br->ipsandbox)); + fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use, exiting...\n", PRINT_IP(br->ipsandbox)); exit(1); } } @@ -268,8 +272,7 @@ static void chk_chroot(void) { // if we are starting firejail inside some other container technology, we don't care about this - char *mycont = getenv("container"); - if (mycont) + if (env_get("container")) return; // check if this is a regular chroot @@ -419,7 +422,7 @@ return 1; } else { // search $PATH - char *path1 = getenv("PATH"); + const char *path1 = env_get("PATH"); if (path1) { if (arg_debug) printf("Searching $PATH for %s\n", program); @@ -463,10 +466,10 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { // set environment - if (no_sandbox == 0) { + if (no_sandbox == 0) env_defaults(); - env_apply(); - } + env_apply_all(); + // restore original umask umask(orig_umask); @@ -476,23 +479,9 @@ } //**************************************** - // audit - //**************************************** - if (arg_audit) { - assert(arg_audit_prog); - -#ifdef HAVE_GCOV - __gcov_dump(); -#endif - seccomp_install_filters(); - if (set_sandbox_status) - *set_sandbox_status = SANDBOX_DONE; - execl(arg_audit_prog, arg_audit_prog, NULL); - } - //**************************************** // start the program without using a shell //**************************************** - else if (arg_shell_none) { + if (arg_shell_none) { if (arg_debug) { int i; for (i = cfg.original_program_index; i < cfg.original_argc; i++) { @@ -515,9 +504,8 @@ exit(1); } -#ifdef HAVE_GCOV __gcov_dump(); -#endif + seccomp_install_filters(); if (set_sandbox_status) @@ -571,9 +559,8 @@ if (!arg_command && !arg_quiet) print_time(); -#ifdef HAVE_GCOV __gcov_dump(); -#endif + seccomp_install_filters(); if (set_sandbox_status) @@ -590,12 +577,12 @@ } static void enforce_filters(void) { + fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n"); // enforce NO_NEW_PRIVS arg_nonewprivs = 1; force_nonewprivs = 1; // disable all capabilities - fmessage("\n** Warning: dropping all Linux capabilities **\n\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot @@ -796,14 +783,18 @@ exit(rv); } - // need ld.so.preload if tracing or seccomp with any non-default lists - bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; +#ifdef HAVE_FORCE_NONEWPRIVS + bool always_enforce_filters = true; +#else + bool always_enforce_filters = false; +#endif // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS // and drop all capabilities - if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) { + if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) enforce_filters(); - need_preload = arg_trace || arg_tracelog; - } + + // need ld.so.preload if tracing or seccomp with any non-default lists + bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; // trace pre-install if (need_preload) @@ -836,9 +827,15 @@ fs_basic_fs(); //**************************** + // appimage + //**************************** + appimage_mount(); + + //**************************** // private mode //**************************** if (arg_private) { + EUID_USER(); if (cfg.home_private) { // --private= if (cfg.chrootdir) fwarning("private=directory feature is disabled in chroot\n"); @@ -857,6 +854,7 @@ } else // --private fs_private(); + EUID_ROOT(); } if (arg_private_dev) @@ -970,11 +968,35 @@ else if (arg_overlay) fwarning("private-etc feature is disabled in overlay\n"); else { - fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); - fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE + /* Current /etc/passwd and /etc/group files are bind + * mounted filtered versions of originals. Leaving + * them underneath private-etc mount causes problems + * in devices with older kernels, e.g. attempts to + * update the real /etc/passwd file yield EBUSY. + * + * As we do want to retain filtered /etc content: + * 1. duplicate /etc content to RUN_ETC_DIR + * 2. unmount bind mounts from /etc + * 3. mount RUN_ETC_DIR at /etc + */ + timetrace_start(); + fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep); + + if (umount2("/etc/group", MNT_DETACH) == -1) + fprintf(stderr, "/etc/group: unmount: %s\n", strerror(errno)); + if (umount2("/etc/passwd", MNT_DETACH) == -1) + fprintf(stderr, "/etc/passwd: unmount: %s\n", strerror(errno)); + + fs_private_dir_mount("/etc", RUN_ETC_DIR); + fmessage("Private /etc installed in %0.2f ms\n", timetrace_end()); + // create /etc/ld.so.preload file again if (need_preload) fs_trace_preload(); + + // openSUSE configuration is split between /etc and /usr/etc + // process private-etc a second time + fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); } } @@ -997,7 +1019,7 @@ // disable /dev/snd fs_dev_disable_sound(); } - else if (!arg_noautopulse) + else if (!arg_keep_config_pulse) pulseaudio_init(); if (arg_no3d) @@ -1015,11 +1037,8 @@ if (arg_novideo) fs_dev_disable_video(); - //**************************** - // install trace - //**************************** - if (need_preload) - fs_trace(); + if (arg_noinput) + fs_dev_disable_input(); //**************************** // set dns @@ -1027,12 +1046,6 @@ fs_resolvconf(); //**************************** - // fs post-processing - //**************************** - fs_logger_print(); - fs_logger_change_owner(); - - //**************************** // start dhcp client //**************************** dhcp_start(); @@ -1081,6 +1094,12 @@ save_umask(); //**************************** + // fs post-processing + //**************************** + fs_logger_print(); + fs_logger_change_owner(); + + //**************************** // set security filters //**************************** // save state of nonewprivs @@ -1137,13 +1156,21 @@ fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); seccomp_debug(); + //**************************** + // install trace - still need capabilities + //**************************** + if (need_preload) + fs_trace(); + + //**************************** + // continue security filters + //**************************** // set capabilities set_caps(); //**************************************** // relay status information to join option //**************************************** - char *set_sandbox_status = create_join_file(); //**************************************** @@ -1204,7 +1231,6 @@ //**************************************** // set cpu affinity //**************************************** - if (cfg.cpus) set_cpu_affinity(); diff -Nru firejail-0.9.64.4/src/firejail/sbox.c firejail-0.9.66/src/firejail/sbox.c --- firejail-0.9.64.4/src/firejail/sbox.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/sbox.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -36,7 +36,7 @@ int env_index = 0; char *new_environment[256] = { NULL }; // preserve firejail-specific env vars - char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT"); + const char *cl = env_get("FIREJAIL_FILE_COPY_LIMIT"); if (cl) { if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1) errExit("asprintf"); @@ -120,7 +120,7 @@ // handle X32 ABI BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0), BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0), - RETURN_ERRNO(EPERM), + KILL_OR_RETURN_ERRNO, #endif // syscall list @@ -203,15 +203,16 @@ } } - if (filtermask & SBOX_ROOT) { + if (filtermask & SBOX_USER) + drop_privs(1); + else if (filtermask & SBOX_ROOT) { // elevate privileges in order to get grsecurity working if (setreuid(0, 0)) errExit("setreuid"); if (setregid(0, 0)) errExit("setregid"); } - else if (filtermask & SBOX_USER) - drop_privs(1); + else assert(0); if (arg[0]) { // get rid of scan-build warning int fd = open(arg[0], O_PATH | O_CLOEXEC); @@ -247,7 +248,9 @@ va_start(valist, num); // build argument list - char **arg = malloc((num + 1) * sizeof(char *)); + char **arg = calloc(num + 1, sizeof(char *)); + if (!arg) + errExit("calloc"); int i; for (i = 0; i < num; i++) arg[i] = va_arg(valist, char *); @@ -262,7 +265,6 @@ } int sbox_run_v(unsigned filtermask, char * const arg[]) { - EUID_ROOT(); assert(arg); if (arg_debug) { @@ -282,6 +284,7 @@ if (child < 0) errExit("fork"); if (child == 0) { + EUID_ROOT(); sbox_do_exec_v(filtermask, arg); } @@ -290,7 +293,7 @@ errExit("waitpid"); } if (WIFEXITED(status) && WEXITSTATUS(status) != 0) { - fprintf(stderr, "Error: failed to run %s\n", arg[0]); + fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); exit(1); } diff -Nru firejail-0.9.64.4/src/firejail/seccomp.c firejail-0.9.66/src/firejail/seccomp.c --- firejail-0.9.64.4/src/firejail/seccomp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/seccomp.c 2021-06-27 18:09:10.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -86,7 +86,7 @@ static void seccomp_save_file_list(const char *fname) { assert(fname); - FILE *fp = fopen(RUN_SECCOMP_LIST, "a+"); + FILE *fp = fopen(RUN_SECCOMP_LIST, "ae"); if (!fp) errExit("fopen"); @@ -99,7 +99,7 @@ #define MAXBUF 4096 static int load_file_list_flag = 0; void seccomp_load_file_list(void) { - FILE *fp = fopen(RUN_SECCOMP_LIST, "r"); + FILE *fp = fopen(RUN_SECCOMP_LIST, "re"); if (!fp) return; // no seccomp configuration whatsoever @@ -122,7 +122,7 @@ assert(fname); // open filter file - int fd = open(fname, O_RDONLY); + int fd = open(fname, O_RDONLY|O_CLOEXEC); if (fd == -1) goto errexit; @@ -208,7 +208,8 @@ // - seccomp if (cfg.seccomp_list_drop == NULL) { // default seccomp if error action is not changed - if (cfg.seccomp_list == NULL && cfg.seccomp_error_action) { + if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0') + && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { if (arg_seccomp_block_secondary) seccomp_filter_block_secondary(); else { @@ -221,11 +222,29 @@ } // default seccomp filter with additional drop list else { // cfg.seccomp_list != NULL - if (arg_seccomp_block_secondary) + int rv; + + if (arg_seccomp_block_secondary) { + if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) { + if (arg_debug) + printf("Rebuild secondary block seccomp filter\n"); + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "secondary", "block", RUN_SECCOMP_BLOCK_SECONDARY); + if (rv) + exit(rv); + } seccomp_filter_block_secondary(); - else { + } else { #if defined(__x86_64__) #if defined(__LP64__) + if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) { + if (arg_debug) + printf("Rebuild 32 bit seccomp filter\n"); + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_32); + if (rv) + exit(rv); + } seccomp_filter_32(); #endif #endif @@ -242,16 +261,22 @@ list = cfg.seccomp_list32; } - if (list == NULL) - list = ""; // build the seccomp filter as a regular user - int rv; - if (arg_allow_debuggers) - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, - PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); + if (list && list[0]) + if (arg_allow_debuggers) + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, + PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); + else + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, + PATH_FSECCOMP, command, "drop", filter, postexec_filter, list); else - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, - PATH_FSECCOMP, command, "drop", filter, postexec_filter, list); + if (arg_allow_debuggers) + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, command, filter, "allow-debuggers"); + else + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, + PATH_FSECCOMP, command, filter); + if (rv) exit(rv); @@ -414,7 +439,7 @@ if (stat(fname, &s) == -1) goto errexit; - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) goto errexit; free(fname); diff -Nru firejail-0.9.64.4/src/firejail/selinux.c firejail-0.9.66/src/firejail/selinux.c --- firejail-0.9.64.4/src/firejail/selinux.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/selinux.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2020 Firejail and systemd authors + * Copyright (C) 2020-2021 Firejail and systemd authors * * This file is part of firejail project, from systemd selinux-util.c * @@ -19,10 +19,13 @@ */ #if HAVE_SELINUX #include "firejail.h" - #include #include + #include +#ifndef O_PATH +#define O_PATH 010000000 +#endif #include #include @@ -52,8 +55,9 @@ if (!label_hnd) errExit("selabel_open"); - /* Open the file as O_PATH, to pin it while we determine and adjust the label */ - fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); + /* Open the file as O_PATH, to pin it while we determine and adjust the label + * Defeat symlink races by not allowing symbolic links */ + fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH); if (fd < 0) return; if (fstat(fd, &st) < 0) diff -Nru firejail-0.9.64.4/src/firejail/shutdown.c firejail-0.9.66/src/firejail/shutdown.c --- firejail-0.9.64.4/src/firejail/shutdown.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/shutdown.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -36,8 +36,10 @@ } free(comm); } - else - errExit("/proc/PID/comm"); + else { + fprintf(stderr, "Error: cannot find process %d\n", pid); + exit(1); + } // check privileges for non-root users uid_t uid = getuid(); @@ -64,7 +66,7 @@ monsec--; EUID_ROOT(); - FILE *fp = fopen(monfile, "r"); + FILE *fp = fopen(monfile, "re"); EUID_USER(); if (!fp) { killdone = 1; diff -Nru firejail-0.9.64.4/src/firejail/usage.c firejail-0.9.66/src/firejail/usage.c --- firejail-0.9.64.4/src/firejail/usage.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/usage.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -33,7 +33,6 @@ " --apparmor - enable AppArmor confinement.\n" " --apparmor.print=name|pid - print apparmor status.\n" " --appimage - sandbox an AppImage application.\n" - " --audit[=test-program] - audit the sandbox.\n" #ifdef HAVE_NETWORK " --bandwidth=name|pid - set bandwidth limits.\n" #endif @@ -56,6 +55,7 @@ #endif " --cpu=cpu-number,cpu-number - set cpu affinity.\n" " --cpu.print=name|pid - print the cpus in use.\n" +#ifdef HAVE_DBUSPROXY " --dbus-log=file - set DBus log file location.\n" " --dbus-system=filter|none - set system DBus access policy.\n" " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n" @@ -71,6 +71,7 @@ " --dbus-user.own=name - allow ownership of name on the session DBus.\n" " --dbus-user.see=name - allow seeing name on the session DBus.\n" " --dbus-user.talk=name - allow talking to name on the session DBus.\n" +#endif " --debug - print sandbox debug messages.\n" " --debug-blacklists - debug blacklisting.\n" " --debug-caps - print all recognized capabilities.\n" @@ -113,7 +114,8 @@ " --join-network=name|pid - join the network namespace.\n" #endif " --join-or-start=name|pid - join the sandbox or start a new one.\n" - " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" + " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" + " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" " --keep-var-tmp - /var/tmp directory is untouched.\n" " --list - list all sandboxes.\n" #ifdef HAVE_FILE_TRANSFER @@ -125,6 +127,8 @@ " --machine-id - preserve /etc/machine-id\n" " --memory-deny-write-execute - seccomp filter to block attempts to create\n" "\tmemory mappings that are both writable and executable.\n" + " --mkdir=dirname - create a directory.\n" + " --mkfile=filename - create a file.\n" #ifdef HAVE_NETWORK " --mtu=number - set interface MTU.\n" #endif @@ -151,6 +155,7 @@ " --nodvd - disable DVD and audio CD devices.\n" " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" " --nogroups - disable supplementary groups.\n" + " --noinput - disable input devices.\n" " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" " --noprofile - do not use a security profile.\n" #ifdef HAVE_USERNS @@ -161,14 +166,18 @@ " --novideo - disable video devices.\n" " --nou2f - disable U2F devices.\n" " --nowhitelist=filename - disable whitelist for file or directory.\n" +#ifdef HAVE_OUTPUT " --output=logfile - stdout logging and log rotation.\n" " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" +#endif +#ifdef HAVE_OVERLAYFS " --overlay - mount a filesystem overlay on top of the current filesystem.\n" " --overlay-named=name - mount a filesystem overlay on top of the current\n" "\tfilesystem, and store it in name directory.\n" " --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n" "\tcurrent filesystem.\n" " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" +#endif " --private - temporary home directory.\n" " --private=directory - use directory as user home.\n" " --private-cache - temporary ~/.cache directory.\n" diff -Nru firejail-0.9.64.4/src/firejail/util.c firejail-0.9.66/src/firejail/util.c --- firejail-0.9.64.4/src/firejail/util.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/util.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,6 +19,7 @@ */ #define _XOPEN_SOURCE 500 #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -31,6 +32,9 @@ #include #include +#include +#include + #include #ifndef O_PATH #define O_PATH 010000000 @@ -46,6 +50,44 @@ #define EMPTY_STRING ("") +long long unsigned parse_arg_size(char *str) { + long long unsigned result = 0; + int len = strlen(str); + sscanf(str, "%llu", &result); + + char suffix = *(str + len - 1); + if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) { + len -= 1; + } + + /* checks for is value valid positive number */ + for (int i = 0; i < len; i++) { + if (!isdigit(*(str+i))) { + return 0; + } + } + + if (isdigit(suffix)) + return result; + + switch (suffix) { + case 'k': + result *= 1024; + break; + case 'm': + result *= 1024 * 1024; + break; + case 'g': + result *= 1024 * 1024 * 1024; + break; + default: + result = 0; + break; + } + + return result; +} + // send the error to /var/log/auth.log and exit after a small delay void errLogExit(char* fmt, ...) { va_list args; @@ -298,14 +340,14 @@ assert(destname); // open source - int src = open(srcname, O_RDONLY); + int src = open(srcname, O_RDONLY|O_CLOEXEC); if (src < 0) { fwarning("cannot open source file %s, file not copied\n", srcname); return -1; } // open destination - int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { fwarning("cannot open destination file %s, file not copied\n", destname); close(src); @@ -325,7 +367,7 @@ } // return -1 if error, 0 if no error -void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { +void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) { pid_t child = fork(); if (child < 0) errExit("fork"); @@ -333,13 +375,13 @@ // drop privileges drop_privs(0); - // copy, set permissions and ownership - int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user + // copy, set permissions + int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user if (rv) fwarning("cannot copy %s\n", srcname); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish @@ -348,7 +390,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { // open destination - int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { fwarning("cannot open destination file %s, file not copied\n", destname); return; @@ -361,7 +403,7 @@ // drop privileges drop_privs(0); - int src = open(srcname, O_RDONLY); + int src = open(srcname, O_RDONLY|O_CLOEXEC); if (src < 0) { fwarning("cannot open source file %s, file not copied\n", srcname); } else { @@ -371,9 +413,9 @@ close(src); } close(dst); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish @@ -394,15 +436,17 @@ // drop privileges drop_privs(0); - FILE *fp = fopen(fname, "wx"); - if (fp) { - fprintf(fp, "\n"); - SET_PERMS_STREAM(fp, -1, -1, mode); - fclose(fp); + int fd = open(fname, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); + if (fd > -1) { + int err = fchmod(fd, mode); + (void) err; + close(fd); } -#ifdef HAVE_GCOV + else + fwarning("cannot create %s\n", fname); + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish @@ -415,6 +459,13 @@ if (*fname == '\0') return 0; + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + // if fname doesn't end in '/', add one int rv; struct stat s; @@ -430,6 +481,9 @@ free(tmp); } + if (called_as_root) + EUID_ROOT(); + if (rv == -1) return 0; @@ -439,35 +493,87 @@ return 0; } - // return 1 if the file is a link int is_link(const char *fname) { assert(fname); if (*fname == '\0') return 0; - char *dup = NULL; - struct stat s; - if (lstat(fname, &s) == 0) { - if (S_ISLNK(s.st_mode)) - return 1; - if (S_ISDIR(s.st_mode)) { - // remove trailing slashes and single dots and try again - dup = strdup(fname); - if (!dup) - errExit("strdup"); - trim_trailing_slash_or_dot(dup); - if (lstat(dup, &s) == 0) { - if (S_ISLNK(s.st_mode)) { - free(dup); - return 1; - } - } - } - } + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; - free(dup); - return 0; + if (called_as_root) + EUID_USER(); + + // remove trailing '/' if any + char *tmp = strdup(fname); + if (!tmp) + errExit("strdup"); + trim_trailing_slash_or_dot(tmp); + + char c; + ssize_t rv = readlink(tmp, &c, 1); + free(tmp); + + if (called_as_root) + EUID_ROOT(); + + return (rv != -1); +} + +char *realpath_as_user(const char *fname) { + assert(fname); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + + char *rv = realpath(fname, NULL); + + if (called_as_root) + EUID_ROOT(); + + return rv; +} + +int stat_as_user(const char *fname, struct stat *s) { + assert(fname); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + + int rv = stat(fname, s); + + if (called_as_root) + EUID_ROOT(); + + return rv; +} + +int lstat_as_user(const char *fname, struct stat *s) { + assert(fname); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + + int rv = lstat(fname, s); + + if (called_as_root) + EUID_ROOT(); + + return rv; } // remove all slashes and single dots from the end of a path @@ -555,11 +661,13 @@ } -// remove consecutive and trailing slashes -// and return allocated memory -// e.g. /home//user/ -> /home/user +// simplify absolute path by removing +// 1) consecutive and trailing slashes, and +// 2) segments with a single dot +// for example /foo//./bar/ -> /foo/bar char *clean_pathname(const char *path) { - assert(path); + assert(path && path[0] == '/'); + size_t len = strlen(path); char *rv = malloc(len + 1); if (!rv) @@ -568,15 +676,23 @@ size_t i = 0; size_t j = 0; while (path[i]) { - while (path[i] == '/' && path[i+1] == '/') - i++; + if (path[i] == '/') { + while (path[i+1] == '/' || + (path[i+1] == '.' && path[i+2] == '/')) + i++; + } + rv[j++] = path[i++]; } rv[j] = '\0'; + // remove a trailing dot + if (j > 1 && rv[j - 1] == '.' && rv[j - 2] == '/') + rv[--j] = '\0'; + // remove a trailing slash if (j > 1 && rv[j - 1] == '/') - rv[j - 1] = '\0'; + rv[--j] = '\0'; return rv; } @@ -627,7 +743,7 @@ perror("asprintf"); exit(1); } - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); if (!fp) { free(file); continue; @@ -648,9 +764,11 @@ if (parent == atoi(ptr)) { // we don't want /usr/bin/xdg-dbus-proxy! char *cmdline = pid_proc_cmdline(pid); - if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) - *child = pid; - free(cmdline); + if (cmdline) { + if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) + *child = pid; + free(cmdline); + } } break; // stop reading the file } @@ -733,7 +851,7 @@ if (mapping[j] == ',') mapping[j] = '\n'; - fd = open(map_file, O_RDWR); + fd = open(map_file, O_RDWR|O_CLOEXEC); if (fd == -1) { fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno)); exit(EXIT_FAILURE); @@ -753,9 +871,9 @@ // wait for the parent to be initialized //**************************** char childstr[BUFLEN + 1]; - int newfd = dup(fd); + int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0); if (newfd == -1) - errExit("dup"); + errExit("fcntl"); FILE* stream; stream = fdopen(newfd, "r"); *childstr = '\0'; @@ -802,9 +920,9 @@ void notify_other(int fd) { FILE* stream; - int newfd = dup(fd); + int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0); if (newfd == -1) - errExit("dup"); + errExit("fcntl"); stream = fdopen(newfd, "w"); fprintf(stream, "arg_noroot=%d\n", arg_noroot); fflush(stream); @@ -822,7 +940,7 @@ exit(1); } EUID_ROOT(); // grsecurity fix - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); if (!fp) { free(file); fprintf(stderr, "Error: cannot open /proc file\n"); @@ -890,35 +1008,37 @@ int remove_overlay_directory(void) { EUID_ASSERT(); - struct stat s; sleep(1); char *path; if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); - if (lstat(path, &s) == 0) { - // deal with obvious problems such as symlinks and root ownership - if (!S_ISDIR(s.st_mode)) { - if (S_ISLNK(s.st_mode)) - fprintf(stderr, "Error: %s is a symbolic link\n", path); - else - fprintf(stderr, "Error: %s is not a directory\n", path); - exit(1); - } - if (s.st_uid != getuid()) { - fprintf(stderr, "Error: %s is not owned by the current user\n", path); - exit(1); - } - + if (access(path, F_OK) == 0) { pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { - // open ~/.firejail, fails if there is any symlink - int fd = safe_fd(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("safe_fd"); + // open ~/.firejail + int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) { + fprintf(stderr, "Error: cannot open %s\n", path); + exit(1); + } + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) + fprintf(stderr, "Error: %s is a symbolic link\n", path); + else + fprintf(stderr, "Error: %s is not a directory\n", path); + exit(1); + } + if (s.st_uid != getuid()) { + fprintf(stderr, "Error: %s is not owned by the current user\n", path); + exit(1); + } // chdir to ~/.firejail if (fchdir(fd) == -1) errExit("fchdir"); @@ -933,15 +1053,15 @@ // remove ~/.firejail if (rmdir(path) == -1) errExit("rmdir"); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); // check if ~/.firejail was deleted - if (stat(path, &s) == 0) + if (access(path, F_OK) == 0) return 1; } return 0; @@ -974,9 +1094,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) { assert(dir); mode &= 07777; - struct stat s; - if (stat(dir, &s)) { + if (access(dir, F_OK) != 0) { if (arg_debug) printf("Creating empty %s directory\n", dir); pid_t child = fork(); @@ -987,18 +1106,18 @@ drop_privs(0); if (mkdir(dir, mode) == 0) { - if (chmod(dir, mode) == -1) - {;} // do nothing + int err = chmod(dir, mode); + (void) err; } else if (arg_debug) printf("Directory %s not created: %s\n", dir, strerror(errno)); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } waitpid(child, NULL, 0); - if (stat(dir, &s) == 0) + if (access(dir, F_OK) == 0) return 1; } return 0; @@ -1031,9 +1150,10 @@ if (stat(fname, &s)) { if (arg_debug) printf("Creating empty %s file\n", fname); - /* coverity[toctou] */ - FILE *fp = fopen(fname, "w"); + // don't fail if file already exists. This can be the case in a race + // condition, when two jails launch at the same time. Compare to #1013 + FILE *fp = fopen(fname, "we"); if (!fp) errExit("fopen"); SET_PERMS_STREAM(fp, 0, 0, mode); @@ -1108,20 +1228,35 @@ } void disable_file_or_dir(const char *fname) { + assert(geteuid() == 0); + assert(fname); + + EUID_USER(); + int fd = open(fname, O_PATH|O_CLOEXEC); + EUID_ROOT(); + if (fd < 0) + return; + struct stat s; - if (stat(fname, &s) != -1) { - if (arg_debug) - printf("blacklist %s\n", fname); - if (is_dir(fname)) { - if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable directory"); - } - else { - if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable file"); - } - fs_logger2("blacklist", fname); + if (fstat(fd, &s) < 0) { // FUSE + if (errno != EACCES) + errExit("fstat"); + close(fd); + return; + } + + if (arg_debug) + printf("blacklist %s\n", fname); + if (S_ISDIR(s.st_mode)) { + if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0) + errExit("disable directory"); } + else { + if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0) + errExit("disable file"); + } + close(fd); + fs_logger2("blacklist", fname); } void disable_file_path(const char *path, const char *file) { @@ -1137,13 +1272,13 @@ } // open an existing file without following any symbolic link -int safe_fd(const char *path, int flags) { +// relative paths are interpreted relative to dirfd +// ignore dirfd if path is absolute +// https://web.archive.org/web/20180419120236/https://blogs.gnome.org/jamesh/2018/04/19/secure-mounts +int safer_openat(int dirfd, const char *path, int flags) { + assert(path && path[0]); flags |= O_NOFOLLOW; - assert(path); - if (*path != '/' || strstr(path, "..")) { - fprintf(stderr, "Error: invalid path %s\n", path); - exit(1); - } + int fd = -1; #ifdef __NR_openat2 // kernel 5.6 or better @@ -1151,7 +1286,7 @@ memset(&oh, 0, sizeof(oh)); oh.flags = flags; oh.resolve = RESOLVE_NO_SYMLINKS; - fd = syscall(__NR_openat2, -1, path, &oh, sizeof(struct open_how)); + fd = syscall(__NR_openat2, dirfd, path, &oh, sizeof(struct open_how)); if (fd != -1 || errno != ENOSYS) return fd; #endif @@ -1162,18 +1297,23 @@ if (!dup) errExit("strdup"); char *tok = strtok(dup, "/"); - if (!tok) { // root directory + if (!tok) { // nothing to do, path is the root directory free(dup); - return open("/", flags); + return openat(dirfd, path, flags); } char *last_tok = EMPTY_STRING; - int parentfd = open("/", O_PATH|O_CLOEXEC); + + int parentfd; + if (path[0] == '/') + parentfd = open("/", O_PATH|O_CLOEXEC); + else + parentfd = fcntl(dirfd, F_DUPFD_CLOEXEC, 0); if (parentfd == -1) - errExit("open"); + errExit("open/fcntl"); - while(1) { + while (1) { // open path component, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link - // if token is a single dot, the previous directory is reopened + // if token is a single dot, the directory referred to by parentfd is reopened fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { // if the following token is NULL, the current token is the final path component @@ -1203,6 +1343,60 @@ return fd; } +int remount_by_fd(int dst, unsigned long mountflags) { + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0) + errExit("asprintf"); + + int rv = mount(NULL, proc, NULL, mountflags|MS_BIND|MS_REMOUNT, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc); + return rv; +} + +int bind_mount_by_fd(int src, int dst) { + char *proc_src, *proc_dst; + if (asprintf(&proc_src, "/proc/self/fd/%d", src) < 0 || + asprintf(&proc_dst, "/proc/self/fd/%d", dst) < 0) + errExit("asprintf"); + + int rv = mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc_src); + free(proc_dst); + return rv; +} + +int bind_mount_fd_to_path(int src, const char *destname) { + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", src) < 0) + errExit("asprintf"); + + int rv = mount(proc, destname, NULL, MS_BIND|MS_REC, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc); + return rv; +} + +int bind_mount_path_to_fd(const char *srcname, int dst) { + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0) + errExit("asprintf"); + + int rv = mount(srcname, proc, NULL, MS_BIND|MS_REC, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc); + return rv; +} + int has_handler(pid_t pid, int signal) { if (signal > 0 && signal <= SIGRTMAX) { char *fname; @@ -1304,24 +1498,22 @@ // return 1 if there is a link somewhere in path of directory static int has_link(const char *dir) { assert(dir); - int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) { - if ((errno == ELOOP || errno == ENOTDIR) && is_dir(dir)) - return 1; - } - else + int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd != -1) close(fd); + else if (errno == ELOOP || (errno == ENOTDIR && is_dir(dir))) + return 1; return 0; } -void check_homedir(void) { - assert(cfg.homedir); - if (cfg.homedir[0] != '/') { +void check_homedir(const char *dir) { + assert(dir); + if (dir[0] != '/') { fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); exit(1); } // symlinks are rejected in many places - if (has_link(cfg.homedir)) { + if (has_link(dir)) { fprintf(stderr, "No full support for symbolic links in path of user directory.\n" "Please provide resolved path in password database (/etc/passwd).\n\n"); } diff -Nru firejail-0.9.64.4/src/firejail/x11.c firejail-0.9.66/src/firejail/x11.c --- firejail-0.9.64.4/src/firejail/x11.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firejail/x11.c 2021-06-27 18:09:10.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -41,7 +41,7 @@ // Parse the DISPLAY environment variable and return a display number. // Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. int x11_display(void) { - const char *display_str = getenv("DISPLAY"); + const char *display_str = env_get("DISPLAY"); char *endp; unsigned long display; @@ -84,7 +84,7 @@ static int x11_abstract_sockets_present(void) { EUID_ROOT(); // grsecurity fix - FILE *fp = fopen("/proc/net/unix", "r"); + FILE *fp = fopen("/proc/net/unix", "re"); if (!fp) errExit("fopen"); EUID_USER(); @@ -204,11 +204,10 @@ void x11_start_xvfb(int argc, char **argv) { EUID_ASSERT(); int i; - struct stat s; pid_t jail = 0; pid_t server = 0; - setenv("FIREJAIL_X11", "yes", 1); + env_store_name_val("FIREJAIL_X11", "yes", SETENV); // never try to run X servers as root!!! if (getuid() == 0) { @@ -326,7 +325,11 @@ if (arg_debug) printf("Starting xvfb...\n"); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); @@ -344,7 +347,7 @@ // wait for x11 server to start while (++n < 10) { sleep(1); - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) break; }; @@ -355,7 +358,7 @@ free(fname); assert(display_str); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); // run attach command jail = fork(); if (jail < 0) @@ -363,7 +366,11 @@ if (jail == 0) { fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(jail_argv[0], jail_argv); perror("execvp"); @@ -419,7 +426,6 @@ void x11_start_xephyr(int argc, char **argv) { EUID_ASSERT(); int i; - struct stat s; pid_t jail = 0; pid_t server = 0; @@ -428,7 +434,7 @@ if (newscreen) xephyr_screen = newscreen; - setenv("FIREJAIL_X11", "yes", 1); + env_store_name_val("FIREJAIL_X11", "yes", SETENV); // unfortunately, xephyr does a number of weird things when started by root user!!! if (getuid() == 0) { @@ -556,7 +562,11 @@ if (arg_debug) printf("Starting xephyr...\n"); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); @@ -574,7 +584,7 @@ // wait for x11 server to start while (++n < 10) { sleep(1); - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) break; }; @@ -585,7 +595,7 @@ free(fname); assert(display_str); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); // run attach command jail = fork(); if (jail < 0) @@ -594,8 +604,12 @@ if (!arg_quiet) printf("\n*** Attaching to Xephyr display %d ***\n\n", display); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); + assert(env_get("LD_PRELOAD") == NULL); execvp(jail_argv[0], jail_argv); perror("execvp"); _exit(1); @@ -685,7 +699,6 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { EUID_ASSERT(); int i; - struct stat s; pid_t client = 0; pid_t server = 0; @@ -780,8 +793,12 @@ dup2(fd_null,2); } + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); + assert(env_get("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); _exit(1); @@ -798,7 +815,7 @@ // wait for x11 server to start while (++n < 10) { sleep(1); - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) break; } @@ -827,7 +844,11 @@ fmessage("\n*** Attaching to xpra display %d ***\n\n", display); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(attach_argv[0], attach_argv); perror("execvp"); @@ -835,7 +856,7 @@ } assert(display_str); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); // build jail command char *firejail_argv[argc+2]; @@ -857,7 +878,12 @@ errExit("fork"); if (jail == 0) { // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); + + // restore original environment variables + env_apply_all(); + if (firejail_argv[0]) // shut up llvm scan-build execvp(firejail_argv[0], firejail_argv); perror("execvp"); @@ -883,7 +909,12 @@ dup2(fd_null,1); dup2(fd_null,2); } + + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(stop_argv[0], stop_argv); perror("execvp"); @@ -1051,7 +1082,11 @@ dup2(fd_null,2); } + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); @@ -1072,7 +1107,7 @@ void x11_start_xpra(int argc, char **argv) { EUID_ASSERT(); - setenv("FIREJAIL_X11", "yes", 1); + env_store_name_val("FIREJAIL_X11", "yes", SETENV); // unfortunately, xpra does a number of weird things when started by root user!!! if (getuid() == 0) { @@ -1134,7 +1169,7 @@ #ifdef HAVE_X11 // get DISPLAY env - char *display = getenv("DISPLAY"); + const char *display = env_get("DISPLAY"); if (!display) { fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); exit(1); @@ -1169,14 +1204,13 @@ fmessage("Generating a new .Xauthority file\n"); mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR + EUID_USER(); char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX"; int fd = mkstemp(tmpfname); if (fd == -1) { fprintf(stderr, "Error: cannot create .Xauthority file\n"); exit(1); } - if (fchown(fd, getuid(), getgid()) == -1) - errExit("chown"); close(fd); // run xauth @@ -1186,24 +1220,22 @@ else sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted"); - // remove xauth copy - unlink(RUN_XAUTH_FILE); // ensure there is already a file ~/.Xauthority, so that bind-mount below will work. char *dest; if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); - if (lstat(dest, &s) == -1) { + if (access(dest, F_OK) == -1) { touch_file_as_user(dest, 0600); - if (stat(dest, &s) == -1) { + if (access(dest, F_OK) == -1) { fprintf(stderr, "Error: cannot create %s\n", dest); exit(1); } } // get a file descriptor for ~/.Xauthority - int dst = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC); + int dst = safer_openat(-1, dest, O_PATH|O_NOFOLLOW|O_CLOEXEC); if (dst == -1) - errExit("safe_fd"); + errExit("safer_openat"); // check if the actual mount destination is a user owned regular file if (fstat(dst, &s) == -1) errExit("fstat"); @@ -1225,9 +1257,9 @@ fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_NOEXEC, 0); // get a file descriptor for the new Xauthority file - int src = safe_fd(tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC); + int src = safer_openat(-1, tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC); if (src == -1) - errExit("safe_fd"); + errExit("safer_openat"); if (fstat(src, &s) == -1) errExit("fstat"); if (!S_ISREG(s.st_mode)) { @@ -1238,45 +1270,46 @@ // mount via the link in /proc/self/fd if (arg_debug) printf("Mounting %s on %s\n", tmpfname, dest); - char *proc_src, *proc_dst; - if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1) - errExit("asprintf"); - if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) - errExit("asprintf"); - if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) { + EUID_ROOT(); + if (bind_mount_by_fd(src, dst)) { fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); exit(1); } + EUID_USER(); // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) errLogExit("invalid .Xauthority mount"); - free(proc_src); - free(proc_dst); close(src); close(dst); ASSERT_PERMS(dest, getuid(), getgid(), 0600); // blacklist user .Xauthority file if it is not masked already - char *envar = getenv("XAUTHORITY"); + const char *envar = env_get("XAUTHORITY"); if (envar) { char *rp = realpath(envar, NULL); if (rp) { - if (strcmp(rp, dest) != 0) + if (strcmp(rp, dest) != 0) { + EUID_ROOT(); disable_file_or_dir(rp); + EUID_USER(); + } free(rp); } } // set environment variable - if (setenv("XAUTHORITY", dest, 1) < 0) - errExit("setenv"); + env_store_name_val("XAUTHORITY", dest, SETENV); free(dest); // mask RUN_XAUTHORITY_SEC_DIR + EUID_ROOT(); if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs"); fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR); + + // cleanup + unlink(RUN_XAUTH_FILE); #endif } @@ -1290,7 +1323,7 @@ struct stat s1, s2; if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0) return; - if ((s1.st_mode & S_ISVTX) == 0) { + if ((s1.st_mode & S_ISVTX) != S_ISVTX) { fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n"); return; } @@ -1298,68 +1331,46 @@ fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n"); return; } + + // the mount source is under control of the user, so be careful and + // mount without following symbolic links, using a file descriptor char *x11file; if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) errExit("asprintf"); - struct stat x11stat; - if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) { + int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (src < 0) { + free(x11file); + return; + } + struct stat s3; + if (fstat(src, &s3) < 0) + errExit("fstat"); + if (!S_ISSOCK(s3.st_mode)) { + close(src); free(x11file); return; } if (arg_debug || arg_debug_whitelists) fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); - - // Move the real /tmp/.X11-unix to a scratch location - // so we can still access x11file after we mount a - // tmpfs over /tmp/.X11-unix. - if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1) - errExit("mkdir"); - if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) - errExit("mount bind"); - // This directory must be mode 1777 if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=1777,uid=0,gid=0") < 0) errExit("mounting tmpfs on /tmp/.X11-unix"); + selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix"); fs_logger("tmpfs /tmp/.X11-unix"); // create an empty root-owned file which will have the desired socket bind-mounted over it - int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR); - if (fd < 0) - errExit(x11file); - close(fd); + int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); + if (dst < 0) + errExit("open"); - // the mount source is under control of the user, so be careful and - // mount without following symbolic links, using a file descriptor - char *wx11file; - if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) - errExit("asprintf"); - fd = safe_fd(wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("opening X11 socket"); - // confirm once more we are mounting a socket - if (fstat(fd, &x11stat) == -1) - errExit("fstat"); - if (!S_ISSOCK(x11stat.st_mode)) { - errno = ENOTSOCK; - errExit("mounting X11 socket"); - } - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_by_fd(src, dst)) errExit("mount bind"); + close(src); + close(dst); fs_logger2("whitelist", x11file); - close(fd); - free(proc); - - // block access to RUN_WHITELIST_X11_DIR - if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) - errExit("mount"); - fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); - free(wx11file); free(x11file); #endif } @@ -1391,7 +1402,7 @@ errExit("strdup"); profile_check_line(cmd, 0, NULL); profile_add(cmd); - char *xauthority = getenv("XAUTHORITY"); + const char *xauthority = env_get("XAUTHORITY"); if (xauthority) { char *line; if (asprintf(&line, "blacklist %s", xauthority) == -1) diff -Nru firejail-0.9.64.4/src/firemon/apparmor.c firejail-0.9.66/src/firemon/apparmor.c --- firejail-0.9.64.4/src/firemon/apparmor.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/apparmor.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/arp.c firejail-0.9.66/src/firemon/arp.c --- firejail-0.9.64.4/src/firemon/arp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/arp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/caps.c firejail-0.9.66/src/firemon/caps.c --- firejail-0.9.64.4/src/firemon/caps.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/caps.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/cgroup.c firejail-0.9.66/src/firemon/cgroup.c --- firejail-0.9.64.4/src/firemon/cgroup.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/cgroup.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/cpu.c firejail-0.9.66/src/firemon/cpu.c --- firejail-0.9.64.4/src/firemon/cpu.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/cpu.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/firemon.c firejail-0.9.66/src/firemon/firemon.c --- firejail-0.9.64.4/src/firemon/firemon.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/firemon.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -52,7 +52,7 @@ if (terminal_set) tcsetattr(0, TCSANOW, &tlocal); - exit(0); + _exit(0); } // find the second child process for the specified pid diff -Nru firejail-0.9.64.4/src/firemon/firemon.h firejail-0.9.66/src/firemon/firemon.h --- firejail-0.9.64.4/src/firemon/firemon.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/firemon.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/interface.c firejail-0.9.66/src/firemon/interface.c --- firejail-0.9.64.4/src/firemon/interface.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/interface.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -145,9 +146,9 @@ if (rv) return; net_ifprint(); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } diff -Nru firejail-0.9.64.4/src/firemon/list.c firejail-0.9.66/src/firemon/list.c --- firejail-0.9.64.4/src/firemon/list.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/list.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/Makefile.in firejail-0.9.66/src/firemon/Makefile.in --- firejail-0.9.64.4/src/firemon/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,14 +1,17 @@ +.PHONY: all all: firemon include ../common.mk -%.o : %.c $(H_FILE_LIST) +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ firemon: $(OBJS) ../lib/common.o ../lib/pid.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/firemon/netstats.c firejail-0.9.66/src/firemon/netstats.c --- firejail-0.9.64.4/src/firemon/netstats.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/netstats.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -242,8 +243,7 @@ print_proc(i, itv, col); } } -#ifdef HAVE_GCOV - __gcov_flush(); -#endif + + __gcov_flush(); } } diff -Nru firejail-0.9.64.4/src/firemon/procevent.c firejail-0.9.66/src/firemon/procevent.c --- firejail-0.9.64.4/src/firemon/procevent.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/procevent.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -230,9 +231,7 @@ tv.tv_usec = 0; while (1) { -#ifdef HAVE_GCOV __gcov_flush(); -#endif #define BUFFSIZE 4096 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; diff -Nru firejail-0.9.64.4/src/firemon/route.c firejail-0.9.66/src/firemon/route.c --- firejail-0.9.64.4/src/firemon/route.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/route.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/seccomp.c firejail-0.9.66/src/firemon/seccomp.c --- firejail-0.9.64.4/src/firemon/seccomp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/seccomp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/top.c firejail-0.9.66/src/firemon/top.c --- firejail-0.9.64.4/src/firemon/top.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/top.c 2021-06-28 00:04:09.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -326,8 +327,7 @@ } } head_print(col, row); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif + + __gcov_flush(); } } diff -Nru firejail-0.9.64.4/src/firemon/tree.c firejail-0.9.66/src/firemon/tree.c --- firejail-0.9.64.4/src/firemon/tree.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/tree.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/usage.c firejail-0.9.66/src/firemon/usage.c --- firejail-0.9.64.4/src/firemon/usage.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/usage.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/firemon/x11.c firejail-0.9.66/src/firemon/x11.c --- firejail-0.9.64.4/src/firemon/x11.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/firemon/x11.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fldd/main.c firejail-0.9.66/src/fldd/main.c --- firejail-0.9.64.4/src/fldd/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fldd/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fldd/Makefile.in firejail-0.9.66/src/fldd/Makefile.in --- firejail-0.9.64.4/src/fldd/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fldd/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fldd include ../common.mk @@ -8,7 +9,9 @@ fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/fnet/arp.c firejail-0.9.66/src/fnet/arp.c --- firejail-0.9.64.4/src/fnet/arp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnet/arp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fnet/fnet.h firejail-0.9.66/src/fnet/fnet.h --- firejail-0.9.64.4/src/fnet/fnet.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnet/fnet.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fnet/interface.c firejail-0.9.66/src/fnet/interface.c --- firejail-0.9.64.4/src/fnet/interface.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnet/interface.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fnet/main.c firejail-0.9.66/src/fnet/main.c --- firejail-0.9.64.4/src/fnet/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnet/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fnet/Makefile.in firejail-0.9.66/src/fnet/Makefile.in --- firejail-0.9.64.4/src/fnet/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnet/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fnet include ../common.mk @@ -8,7 +9,9 @@ fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/fnet/veth.c firejail-0.9.66/src/fnet/veth.c --- firejail-0.9.64.4/src/fnet/veth.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnet/veth.c 2021-06-22 15:51:28.000000000 +0000 @@ -26,7 +26,7 @@ * */ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fnetfilter/main.c firejail-0.9.66/src/fnetfilter/main.c --- firejail-0.9.64.4/src/fnetfilter/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnetfilter/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fnetfilter/Makefile.in firejail-0.9.66/src/fnetfilter/Makefile.in --- firejail-0.9.64.4/src/fnetfilter/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fnetfilter/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fnetfilter include ../common.mk @@ -8,7 +9,9 @@ fnetfilter: $(OBJS) ../lib/common.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/fseccomp/fseccomp.h firejail-0.9.66/src/fseccomp/fseccomp.h --- firejail-0.9.64.4/src/fseccomp/fseccomp.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fseccomp/fseccomp.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fseccomp/main.c firejail-0.9.66/src/fseccomp/main.c --- firejail-0.9.64.4/src/fseccomp/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fseccomp/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,7 +20,7 @@ #include "fseccomp.h" #include "../include/seccomp.h" int arg_quiet = 0; -int arg_seccomp_error_action = EPERM; // error action: errno, log or kill +int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill static void usage(void) { printf("Usage:\n"); diff -Nru firejail-0.9.64.4/src/fseccomp/Makefile.in firejail-0.9.66/src/fseccomp/Makefile.in --- firejail-0.9.64.4/src/fseccomp/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fseccomp/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fseccomp include ../common.mk @@ -8,7 +9,9 @@ fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/fseccomp/protocol.c firejail-0.9.66/src/fseccomp/protocol.c --- firejail-0.9.64.4/src/fseccomp/protocol.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fseccomp/protocol.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fseccomp/seccomp.c firejail-0.9.66/src/fseccomp/seccomp.c --- firejail-0.9.64.4/src/fseccomp/seccomp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fseccomp/seccomp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fseccomp/seccomp_file.c firejail-0.9.66/src/fseccomp/seccomp_file.c --- firejail-0.9.64.4/src/fseccomp/seccomp_file.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fseccomp/seccomp_file.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fseccomp/seccomp_secondary.c firejail-0.9.66/src/fseccomp/seccomp_secondary.c --- firejail-0.9.64.4/src/fseccomp/seccomp_secondary.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fseccomp/seccomp_secondary.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -126,7 +126,7 @@ EXAMINE_SYSCALL, #if defined(__x86_64__) // block x32 - HANDLE_X32_KILL, + HANDLE_X32, #endif // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality) // 0: if personality(2), continue to 1, else goto 7 (allow) diff -Nru firejail-0.9.64.4/src/fsec-optimize/fsec_optimize.h firejail-0.9.66/src/fsec-optimize/fsec_optimize.h --- firejail-0.9.64.4/src/fsec-optimize/fsec_optimize.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-optimize/fsec_optimize.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fsec-optimize/main.c firejail-0.9.66/src/fsec-optimize/main.c --- firejail-0.9.64.4/src/fsec-optimize/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-optimize/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,9 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "fsec_optimize.h" +#include "../include/syscall.h" + +int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill static void usage(void) { printf("Usage:\n"); @@ -46,6 +49,20 @@ warn_dumpable(); + char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION"); + if (error_action) { + if (strcmp(error_action, "kill") == 0) + arg_seccomp_error_action = SECCOMP_RET_KILL; + else if (strcmp(error_action, "log") == 0) + arg_seccomp_error_action = SECCOMP_RET_LOG; + else { + arg_seccomp_error_action = errno_find_name(error_action); + if (arg_seccomp_error_action == -1) + errExit("seccomp-error-action: unknown errno"); + arg_seccomp_error_action |= SECCOMP_RET_ERRNO; + } + } + char *fname = argv[1]; // open input file diff -Nru firejail-0.9.64.4/src/fsec-optimize/Makefile.in firejail-0.9.66/src/fsec-optimize/Makefile.in --- firejail-0.9.64.4/src/fsec-optimize/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-optimize/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fsec-optimize include ../common.mk @@ -6,9 +7,11 @@ $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/fsec-optimize/optimizer.c firejail-0.9.66/src/fsec-optimize/optimizer.c --- firejail-0.9.64.4/src/fsec-optimize/optimizer.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-optimize/optimizer.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -33,7 +33,7 @@ static inline int is_blacklist(struct sock_filter *bpf) { if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K && (bpf + 1)->code == BPF_RET + BPF_K && - (bpf + 1)->k == SECCOMP_RET_KILL ) + (bpf + 1)->k == (__u32)arg_seccomp_error_action) return 1; return 0; } @@ -89,9 +89,9 @@ } } - // step 3: add the new ret KILL, and recalculate entries + // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries filter_step2[j].code = BPF_RET + BPF_K; - filter_step2[j].k = SECCOMP_RET_KILL; + filter_step2[j].k = arg_seccomp_error_action; entries = j + 1; // step 4: recalculate jumps diff -Nru firejail-0.9.64.4/src/fsec-print/fsec_print.h firejail-0.9.66/src/fsec-print/fsec_print.h --- firejail-0.9.64.4/src/fsec-print/fsec_print.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-print/fsec_print.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fsec-print/main.c firejail-0.9.66/src/fsec-print/main.c --- firejail-0.9.64.4/src/fsec-print/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-print/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fsec-print/Makefile.in firejail-0.9.66/src/fsec-print/Makefile.in --- firejail-0.9.64.4/src/fsec-print/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-print/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: fsec-print include ../common.mk @@ -8,7 +9,9 @@ fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/fsec-print/print.c firejail-0.9.66/src/fsec-print/print.c --- firejail-0.9.64.4/src/fsec-print/print.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fsec-print/print.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/fshaper/fshaper.sh firejail-0.9.66/src/fshaper/fshaper.sh --- firejail-0.9.64.4/src/fshaper/fshaper.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/fshaper/fshaper.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 TCFILE="" diff -Nru firejail-0.9.64.4/src/ftee/ftee.h firejail-0.9.66/src/ftee/ftee.h --- firejail-0.9.64.4/src/ftee/ftee.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/ftee/ftee.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/ftee/main.c firejail-0.9.66/src/ftee/main.c --- firejail-0.9.64.4/src/ftee/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/ftee/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/ftee/Makefile.in firejail-0.9.66/src/ftee/Makefile.in --- firejail-0.9.64.4/src/ftee/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/ftee/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: ftee include ../common.mk @@ -8,7 +9,9 @@ ftee: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/include/common.h firejail-0.9.66/src/include/common.h --- firejail-0.9.64.4/src/include/common.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/common.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/include/euid_common.h firejail-0.9.66/src/include/euid_common.h --- firejail-0.9.64.4/src/include/euid_common.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/euid_common.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/include/firejail_user.h firejail-0.9.66/src/include/firejail_user.h --- firejail-0.9.64.4/src/include/firejail_user.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/firejail_user.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/include/gcov_wrapper.h firejail-0.9.66/src/include/gcov_wrapper.h --- firejail-0.9.64.4/src/include/gcov_wrapper.h 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/include/gcov_wrapper.h 2021-06-28 00:04:09.000000000 +0000 @@ -0,0 +1,46 @@ +/* + * Copyright (C) 2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef GCOV_WRAPPER_H +#define GCOV_WRAPPER_H + +#ifdef HAS_GCOV +#include + +/* + * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it + * appears to be the safe/"correct" way to do things on previous versions (as + * it ensured proper locking, which is now done elsewhere). Thus, keep using + * it in the code and ensure that it exists, in order to support gcc <11.1.0 + * and gcc >=11.1.0, respectively. + */ +#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1) +static void __gcov_flush(void) { + __gcov_dump(); + __gcov_reset(); +} +#endif +#else +#define __gcov_dump() ((void)0) +#define __gcov_reset() ((void)0) +#define __gcov_flush() ((void)0) +#endif /* HAS_GCOV */ + +#endif /* GCOV_WRAPPER_H */ diff -Nru firejail-0.9.64.4/src/include/ldd_utils.h firejail-0.9.66/src/include/ldd_utils.h --- firejail-0.9.64.4/src/include/ldd_utils.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/ldd_utils.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/include/pid.h firejail-0.9.66/src/include/pid.h --- firejail-0.9.64.4/src/include/pid.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/pid.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/include/rundefs.h firejail-0.9.66/src/include/rundefs.h --- firejail-0.9.64.4/src/include/rundefs.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/rundefs.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -79,26 +79,8 @@ #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32" #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make - #define RUN_DEV_DIR RUN_MNT_DIR "/dev" #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" - -#define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" -#define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking -#define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking -#define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting -#define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting -#define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" -#define RUN_WHITELIST_MEDIA_DIR RUN_MNT_DIR "/orig-media" -#define RUN_WHITELIST_MNT_DIR RUN_MNT_DIR "/orig-mnt" -#define RUN_WHITELIST_VAR_DIR RUN_MNT_DIR "/orig-var" -#define RUN_WHITELIST_DEV_DIR RUN_MNT_DIR "/orig-dev" -#define RUN_WHITELIST_OPT_DIR RUN_MNT_DIR "/orig-opt" -#define RUN_WHITELIST_SRV_DIR RUN_MNT_DIR "/orig-srv" -#define RUN_WHITELIST_ETC_DIR RUN_MNT_DIR "/orig-etc" -#define RUN_WHITELIST_SHARE_DIR RUN_MNT_DIR "/orig-share" -#define RUN_WHITELIST_MODULE_DIR RUN_MNT_DIR "/orig-module" - #define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" // private options #define RUN_XAUTH_FILE RUN_MNT_DIR "/xauth" // x11=xorg #define RUN_XAUTHORITY_SEC_DIR RUN_MNT_DIR "/.sec.Xauthority" // x11=xorg diff -Nru firejail-0.9.64.4/src/include/seccomp.h firejail-0.9.66/src/include/seccomp.h --- firejail-0.9.64.4/src/include/seccomp.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/seccomp.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -201,7 +201,7 @@ #define VALIDATE_ARCHITECTURE_KILL \ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) + KILL_OR_RETURN_ERRNO #define VALIDATE_ARCHITECTURE_64 \ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ @@ -222,11 +222,7 @@ #define HANDLE_X32 \ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ - RETURN_ERRNO(EPERM) -#define HANDLE_X32_KILL \ - BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ - BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) + KILL_OR_RETURN_ERRNO #endif #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ @@ -258,6 +254,8 @@ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) extern int arg_seccomp_error_action; // error action: errno, log or kill +#define DEFAULT_SECCOMP_ERROR_ACTION EPERM + #define KILL_OR_RETURN_ERRNO \ BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action) diff -Nru firejail-0.9.64.4/src/include/syscall_armeabi.h firejail-0.9.66/src/include/syscall_armeabi.h --- firejail-0.9.64.4/src/include/syscall_armeabi.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/syscall_armeabi.h 2021-06-22 15:51:28.000000000 +0000 @@ -42,6 +42,7 @@ { "exit", 1 }, { "exit_group", 248 }, { "faccessat", 334 }, +{ "faccessat2", 439 }, { "fallocate", 352 }, { "fanotify_init", 367 }, { "fanotify_mark", 368 }, diff -Nru firejail-0.9.64.4/src/include/syscall.h firejail-0.9.66/src/include/syscall.h --- firejail-0.9.64.4/src/include/syscall.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/syscall.h 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/include/syscall_i386.h firejail-0.9.66/src/include/syscall_i386.h --- firejail-0.9.64.4/src/include/syscall_i386.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/syscall_i386.h 2021-06-22 15:51:28.000000000 +0000 @@ -54,6 +54,7 @@ { "exit", 1 }, { "exit_group", 252 }, { "faccessat", 307 }, +{ "faccessat2", 439 }, { "fadvise64", 250 }, { "fadvise64_64", 272 }, { "fallocate", 324 }, diff -Nru firejail-0.9.64.4/src/include/syscall_x86_64.h firejail-0.9.66/src/include/syscall_x86_64.h --- firejail-0.9.64.4/src/include/syscall_x86_64.h 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/include/syscall_x86_64.h 2021-06-22 15:51:28.000000000 +0000 @@ -47,6 +47,7 @@ { "exit", 60 }, { "exit_group", 231 }, { "faccessat", 269 }, +{ "faccessat2", 439 }, { "fadvise64", 221 }, { "fallocate", 285 }, { "fanotify_init", 300 }, diff -Nru firejail-0.9.64.4/src/jailcheck/access.c firejail-0.9.66/src/jailcheck/access.c --- firejail-0.9.64.4/src/jailcheck/access.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/access.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,143 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include + +typedef struct { + char *tfile; + char *tdir; +} TestDir; + +#define MAX_TEST_FILES 16 +TestDir td[MAX_TEST_FILES]; +static int files_cnt = 0; + +void access_setup(const char *directory) { + // I am root! + assert(directory); + assert(user_home_dir); + + if (files_cnt >= MAX_TEST_FILES) { + fprintf(stderr, "Error: maximum number of test directories exceeded\n"); + exit(1); + } + + char *fname = strdup(directory); + if (!fname) + errExit("strdup"); + if (strncmp(fname, "~/", 2) == 0) { + free(fname); + if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1) + errExit("asprintf"); + } + + char *path = realpath(fname, NULL); + free(fname); + if (path == NULL) { + fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory); + return; + } + + // file in home directory + if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) { + fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory); + free(path); + return; + } + + // try to open the dir as root + DIR *dir = opendir(path); + if (!dir) { + fprintf(stderr, "Warning: directory %s not found, skipping\n", directory); + free(path); + return; + } + closedir(dir); + + // create a test file + char *test_file; + if (asprintf(&test_file, "%s/jailcheck-access-%d", path, getpid()) == -1) + errExit("asprintf"); + + FILE *fp = fopen(test_file, "w"); + if (!fp) { + printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); + return; + } + fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); + fclose(fp); + int rv = chown(test_file, user_uid, user_gid); + if (rv) + errExit("chown"); + + char *dname = strdup(directory); + if (!dname) + errExit("strdup"); + td[files_cnt].tdir = dname; + td[files_cnt].tfile = test_file; + files_cnt++; +} + +void access_destroy(void) { + // remove test files + int i; + + for (i = 0; i < files_cnt; i++) { + int rv = unlink(td[i].tfile); + (void) rv; + } + files_cnt = 0; +} + +void access_test(void) { + // I am root in sandbox mount namespace + assert(user_uid); + int i; + + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + + for (i = 0; i < files_cnt; i++) { + assert(td[i].tfile); + + // try to open the file for reading + FILE *fp = fopen(td[i].tfile, "r"); + if (fp) { + + printf(" Warning: I can read %s\n", td[i].tdir); + fclose(fp); + } + } + exit(0); + } + + // wait for the child to finish + int status; + wait(&status); +} diff -Nru firejail-0.9.64.4/src/jailcheck/apparmor.c firejail-0.9.66/src/jailcheck/apparmor.c --- firejail-0.9.64.4/src/jailcheck/apparmor.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/apparmor.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" + +#ifdef HAVE_APPARMOR +#include + +void apparmor_test(pid_t pid) { + char *label = NULL; + char *mode = NULL; + int rv = aa_gettaskcon(pid, &label, &mode); + if (rv == -1 || mode == NULL) + printf(" Warning: AppArmor not enabled\n"); +} + + +#else +void apparmor_test(pid_t pid) { + (void) pid; + return; +} +#endif + diff -Nru firejail-0.9.64.4/src/jailcheck/jailcheck.h firejail-0.9.66/src/jailcheck/jailcheck.h --- firejail-0.9.64.4/src/jailcheck/jailcheck.h 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/jailcheck.h 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#ifndef JAILCHECK_H +#define JAILCHECK_H + +#include "../include/common.h" + +// main.c +extern uid_t user_uid; +extern gid_t user_gid; +extern char *user_name; +extern char *user_home_dir; +extern char *user_run_dir; + +// access.c +void access_setup(const char *directory); +void access_test(void); +void access_destroy(void); + +// noexec.c +void noexec_setup(void); +void noexec_test(const char *msg); + +// sysfiles.c +void sysfiles_setup(const char *file); +void sysfiles_test(void); + +// virtual.c +void virtual_setup(const char *directory); +void virtual_destroy(void); +void virtual_test(void); + +// apparmor.c +void apparmor_test(pid_t pid); + +// seccomp.c +void seccomp_test(pid_t pid); + +// network.c +void network_test(void); +// utils.c +char *get_sudo_user(void); +char *get_homedir(const char *user, uid_t *uid, gid_t *gid); +int find_child(pid_t pid); +pid_t switch_to_child(pid_t pid); + +#endif \ No newline at end of file diff -Nru firejail-0.9.64.4/src/jailcheck/main.c firejail-0.9.66/src/jailcheck/main.c --- firejail-0.9.64.4/src/jailcheck/main.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,215 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include "../include/firejail_user.h" +#include "../include/pid.h" +#include + +uid_t user_uid = 0; +gid_t user_gid = 0; +char *user_name = NULL; +char *user_home_dir = NULL; +char *user_run_dir = NULL; +int arg_debug = 0; + +static char *usage_str = + "Usage: jailcheck [options] directory [directory]\n\n" + "Options:\n" + " --debug - print debug messages.\n" + " --help, -? - this help screen.\n" + " --version - print program version and exit.\n"; + + +static void usage(void) { + printf("firetest - version %s\n\n", VERSION); + puts(usage_str); +} + +static void cleanup(void) { + // running only as root + if (getuid() == 0) { + if (arg_debug) + printf("cleaning up!\n"); + access_destroy(); + virtual_destroy(); + } +} + +int main(int argc, char **argv) { + int i; + int findex = 0; + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) { + usage(); + return 0; + } + else if (strcmp(argv[i], "--version") == 0) { + printf("firetest version %s\n\n", VERSION); + return 0; + } + else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test + printf(" Warning: I can run programs in %s\n", argv[i] + 8); + return 0; + } + else if (strcmp(argv[i], "--debug") == 0) + arg_debug = 1; + else if (strncmp(argv[i], "--", 2) == 0) { + fprintf(stderr, "Error: invalid option\n"); + return 1; + } + else { + findex = i; + break; + } + } + + // user setup + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n"); + exit(1); + } + user_name = get_sudo_user(); + assert(user_name); + user_home_dir = get_homedir(user_name, &user_uid, &user_gid); + if (user_uid == 0) { + fprintf(stderr, "Error: root user not supported\n"); + exit(1); + } + if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1) + errExit("asprintf"); + + // test setup + atexit(cleanup); + access_setup("~/.ssh"); + access_setup("~/.gnupg"); + if (findex > 0) { + for (i = findex; i < argc; i++) + access_setup(argv[i]); + } + + noexec_setup(); + virtual_setup(user_home_dir); + virtual_setup("/tmp"); + virtual_setup("/var/tmp"); + virtual_setup("/dev"); + virtual_setup("/etc"); + virtual_setup("/bin"); + virtual_setup("/usr/share"); + virtual_setup(user_run_dir); + // basic sysfiles + sysfiles_setup("/etc/shadow"); + sysfiles_setup("/etc/gshadow"); + sysfiles_setup("/usr/bin/mount"); + sysfiles_setup("/usr/bin/su"); + sysfiles_setup("/usr/bin/ksu"); + sysfiles_setup("/usr/bin/sudo"); + sysfiles_setup("/usr/bin/strace"); + // X11 + sysfiles_setup("/usr/bin/xev"); + sysfiles_setup("/usr/bin/xinput"); + // compilers + sysfiles_setup("/usr/bin/gcc"); + sysfiles_setup("/usr/bin/clang"); + // networking + sysfiles_setup("/usr/bin/dig"); + sysfiles_setup("/usr/bin/nslookup"); + sysfiles_setup("/usr/bin/resolvectl"); + sysfiles_setup("/usr/bin/nc"); + sysfiles_setup("/usr/bin/ncat"); + sysfiles_setup("/usr/bin/nmap"); + sysfiles_setup("/usr/sbin/tcpdump"); + // terminals + sysfiles_setup("/usr/bin/gnome-terminal"); + sysfiles_setup("/usr/bin/xfce4-terminal"); + sysfiles_setup("/usr/bin/lxterminal"); + + // print processes + pid_read(0); + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 1) { + uid_t uid = pid_get_uid(i); + if (uid != user_uid) // not interested in other user sandboxes + continue; + + // in case the pid is that of a firejail process, use the pid of the first child process + uid_t pid = find_child(i); + printf("\n"); + pid_print_list(i, 0); // no wrapping + apparmor_test(pid); + seccomp_test(pid); + fflush(0); + + // filesystem tests + pid_t child = fork(); + if (child == -1) + errExit("fork"); + if (child == 0) { + int rv = join_namespace(pid, "mnt"); + if (rv == 0) { + virtual_test(); + noexec_test(user_home_dir); + noexec_test("/tmp"); + noexec_test("/var/tmp"); + noexec_test(user_run_dir); + access_test(); + sysfiles_test(); + } + else { + printf(" Error: I cannot join the process mount space\n"); + exit(1); + } + + // drop privileges in order not to trigger cleanup() + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + return 0; + } + int status; + wait(&status); + + // network test + child = fork(); + if (child == -1) + errExit("fork"); + if (child == 0) { + int rv = join_namespace(pid, "net"); + if (rv == 0) + network_test(); + else { + printf(" Error: I cannot join the process network stack\n"); + exit(1); + } + + // drop privileges in order not to trigger cleanup() + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + return 0; + } + wait(&status); + } + } + + return 0; +} diff -Nru firejail-0.9.64.4/src/jailcheck/Makefile.in firejail-0.9.66/src/jailcheck/Makefile.in --- firejail-0.9.64.4/src/jailcheck/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,17 @@ +.PHONY: all +all: jailcheck + +include ../common.mk + +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h + $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ + +jailcheck: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) + +.PHONY: clean +clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff -Nru firejail-0.9.64.4/src/jailcheck/network.c firejail-0.9.66/src/jailcheck/network.c --- firejail-0.9.64.4/src/jailcheck/network.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/network.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +void network_test(void) { + // I am root running in a network namespace + struct ifaddrs *ifaddr, *ifa; + int found = 0; + + // walk through the linked list + if (getifaddrs(&ifaddr) == -1) + errExit("getifaddrs"); + for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { + if (strcmp(ifa->ifa_name, "lo") == 0) + continue; + found = 1; + break; + } + + freeifaddrs(ifaddr); + + if (found) + printf(" Networking: enabled\n"); + else + printf(" Networking: disabled\n"); +} + + + diff -Nru firejail-0.9.64.4/src/jailcheck/noexec.c firejail-0.9.66/src/jailcheck/noexec.c --- firejail-0.9.64.4/src/jailcheck/noexec.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/noexec.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,113 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include +#include + +static unsigned char *execfile = NULL; +static int execfile_len = 0; + +void noexec_setup(void) { + // grab a copy of myself + char *self = realpath("/proc/self/exe", NULL); + if (self) { + struct stat s; + if (access(self, X_OK) == 0 && stat(self, &s) == 0) { + assert(s.st_size); + execfile = malloc(s.st_size); + + int fd = open(self, O_RDONLY); + if (fd == -1) + errExit("open"); + int len = 0; + do { + int rv = read(fd, execfile + len, s.st_size - len); + if (rv == -1) + errExit("read"); + if (rv == 0) { + // something went wrong! + free(execfile); + execfile = NULL; + printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n"); + break; + } + len += rv; + } + while (len < s.st_size); + execfile_len = s.st_size; + close(fd); + } + } +} + + +void noexec_test(const char *path) { + assert(user_uid); + + // I am root in sandbox mount namespace + if (!execfile) + return; + + char *fname; + if (asprintf(&fname, "%s/jailcheck-noexec-%d", path, getpid()) == -1) + errExit("asprintf"); + + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700); + if (fd == -1) { + printf(" I cannot create files in %s, skipping noexec...\n", path); + exit(1); + } + + int len = 0; + while (len < execfile_len) { + int rv = write(fd, execfile + len, execfile_len - len); + if (rv == -1 || rv == 0) { + printf(" I cannot create files in %s, skipping noexec....\n", path); + exit(1); + } + len += rv; + } + fchmod(fd, 0700); + close(fd); + + char *arg; + if (asprintf(&arg, "--hello=%s", path) == -1) + errExit("asprintf"); + int rv = execl(fname, fname, arg, NULL); + (void) rv; // if we get here execl failed + exit(0); + } + + int status; + wait(&status); + int rv = unlink(fname); + (void) rv; +} \ No newline at end of file diff -Nru firejail-0.9.64.4/src/jailcheck/seccomp.c firejail-0.9.66/src/jailcheck/seccomp.c --- firejail-0.9.64.4/src/jailcheck/seccomp.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/seccomp.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#define MAXBUF 4096 + +void seccomp_test(pid_t pid) { + char *file; + if (asprintf(&file, "/proc/%d/status", pid) == -1) + errExit("asprintf"); + + FILE *fp = fopen(file, "r"); + if (!fp) { + printf(" Error: cannot open %s\n", file); + free(file); + return; + } + + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + if (strncmp(buf, "Seccomp:", 8) == 0) { + int val = -1; + int rv = sscanf(buf + 8, "\t%d", &val); + if (rv != 1 || val == 0) + printf(" Warning: seccomp not enabled\n"); + break; + } + } + fclose(fp); + free(file); +} diff -Nru firejail-0.9.64.4/src/jailcheck/sysfiles.c firejail-0.9.66/src/jailcheck/sysfiles.c --- firejail-0.9.64.4/src/jailcheck/sysfiles.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/sysfiles.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include + +typedef struct { + char *tfile; +} TestFile; + +#define MAX_TEST_FILES 32 +TestFile tf[MAX_TEST_FILES]; +static int files_cnt = 0; + +void sysfiles_setup(const char *file) { + // I am root! + assert(file); + + if (files_cnt >= MAX_TEST_FILES) { + fprintf(stderr, "Error: maximum number of system test files exceeded\n"); + exit(1); + } + + if (access(file, F_OK)) { + // no such file + return; + } + + + char *fname = strdup(file); + if (!fname) + errExit("strdup"); + + tf[files_cnt].tfile = fname; + files_cnt++; +} + +void sysfiles_test(void) { + // I am root in sandbox mount namespace + assert(user_uid); + int i; + + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + + for (i = 0; i < files_cnt; i++) { + assert(tf[i].tfile); + + // try to open the file for reading + FILE *fp = fopen(tf[i].tfile, "r"); + if (fp) { + + printf(" Warning: I can access %s\n", tf[i].tfile); + fclose(fp); + } + } + exit(0); + } + + // wait for the child to finish + int status; + wait(&status); +} diff -Nru firejail-0.9.64.4/src/jailcheck/utils.c firejail-0.9.66/src/jailcheck/utils.c --- firejail-0.9.64.4/src/jailcheck/utils.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/utils.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include "../include/pid.h" +#include +#include +#include + +#define BUFLEN 4096 + +char *get_sudo_user(void) { + char *user = getenv("SUDO_USER"); + if (!user) { + user = getpwuid(getuid())->pw_name; + if (!user) { + fprintf(stderr, "Error: cannot detect login user\n"); + exit(1); + } + } + + return user; +} + +char *get_homedir(const char *user, uid_t *uid, gid_t *gid) { + // find home directory + struct passwd *pw = getpwnam(user); + if (!pw) + goto errexit; + + char *home = pw->pw_dir; + if (!home) + goto errexit; + + *uid = pw->pw_uid; + *gid = pw->pw_gid; + + return home; + +errexit: + fprintf(stderr, "Error: cannot find home directory for user %s\n", user); + exit(1); +} + +// find the second child process for the specified pid +// return -1 if not found +// +// Example: +//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt +// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt +// 14792:netblue:/usr/bin/transmission-qt +// We need 14792, the first real sandboxed process +// duplicate from src/firemon/main.c +int find_child(int id) { + int i; + int first_child = -1; + + // find the first child + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 2 && pids[i].parent == id) { + // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering) + char *cmdline = pid_proc_cmdline(i); + if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) { + free(cmdline); + continue; + } + free(cmdline); + first_child = i; + break; + } + } + + if (first_child == -1) + return -1; + + // find the second-level child + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 3 && pids[i].parent == first_child) + return i; + } + + // if a second child is not found, return the first child pid + // this happens for processes sandboxed with --join + return first_child; +} + diff -Nru firejail-0.9.64.4/src/jailcheck/virtual.c firejail-0.9.66/src/jailcheck/virtual.c --- firejail-0.9.64.4/src/jailcheck/virtual.c 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/jailcheck/virtual.c 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,125 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include + + +#define MAX_TEST_FILES 16 +static char *dirs[MAX_TEST_FILES]; +static char *files[MAX_TEST_FILES]; +static int files_cnt = 0; + +void virtual_setup(const char *directory) { + // I am root! + assert(directory); + assert(*directory == '/'); + assert(files_cnt < MAX_TEST_FILES); + + // try to open the dir as root + DIR *dir = opendir(directory); + if (!dir) { + fprintf(stderr, "Warning: directory %s not found, skipping\n", directory); + return; + } + closedir(dir); + + // create a test file + char *test_file; + if (asprintf(&test_file, "%s/jailcheck-private-%d", directory, getpid()) == -1) + errExit("asprintf"); + + FILE *fp = fopen(test_file, "w"); + if (!fp) { + printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); + return; + } + fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); + fclose(fp); + if (strcmp(directory, user_home_dir) == 0) { + int rv = chown(test_file, user_uid, user_gid); + if (rv) + errExit("chown"); + } + + char *dname = strdup(directory); + if (!dname) + errExit("strdup"); + dirs[files_cnt] = dname; + files[files_cnt] = test_file; + files_cnt++; +} + +void virtual_destroy(void) { + // remove test files + int i; + + for (i = 0; i < files_cnt; i++) { + int rv = unlink(files[i]); + (void) rv; + } + files_cnt = 0; +} + +void virtual_test(void) { + // I am root in sandbox mount namespace + assert(user_uid); + int i; + + int cnt = 0; + cnt += printf(" Virtual dirs: "); fflush(0); + + for (i = 0; i < files_cnt; i++) { + assert(files[i]); + + // I am root! + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + + // try to open the file for reading + FILE *fp = fopen(files[i], "r"); + if (fp) + fclose(fp); + else { + if (cnt == 0) + cnt += printf("\n "); + cnt += printf("%s, ", dirs[i]); + if (cnt > 60) + cnt = 0; + } + fflush(0); + exit(cnt); + } + + // wait for the child to finish + int status; + wait(&status); + cnt = WEXITSTATUS(status); + } + printf("\n"); +} diff -Nru firejail-0.9.64.4/src/lib/common.c firejail-0.9.66/src/lib/common.c --- firejail-0.9.64.4/src/lib/common.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/lib/common.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/lib/errno.c firejail-0.9.66/src/lib/errno.c --- firejail-0.9.64.4/src/lib/errno.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/lib/errno.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/lib/firejail_user.c firejail-0.9.66/src/lib/firejail_user.c --- firejail-0.9.64.4/src/lib/firejail_user.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/lib/firejail_user.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/lib/ldd_utils.c firejail-0.9.66/src/lib/ldd_utils.c --- firejail-0.9.64.4/src/lib/ldd_utils.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/lib/ldd_utils.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -23,13 +23,16 @@ #include #include +// todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c const char * const default_lib_paths[] = { "/usr/lib/x86_64-linux-gnu", // Debian & friends "/lib/x86_64-linux-gnu", // CentOS, Fedora + "/usr/lib64", + "/lib64", "/usr/lib", "/lib", - "/lib64", LIBDIR, + "/usr/local/lib64", "/usr/local/lib", "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory @@ -47,7 +50,7 @@ unsigned char buf[EI_NIDENT]; ssize_t len = 0; while (len < EI_NIDENT) { - ssize_t sz = read(fd, buf, EI_NIDENT); + ssize_t sz = read(fd, buf + len, EI_NIDENT - len); if (sz <= 0) goto doexit; len += sz; diff -Nru firejail-0.9.64.4/src/lib/Makefile.in firejail-0.9.66/src/lib/Makefile.in --- firejail-0.9.64.4/src/lib/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/lib/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,11 +1,14 @@ include ../common.mk +.PHONY: all all: $(OBJS) %.o : %.c $(H_FILE_LIST) $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ +.PHONY: clean clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/lib/pid.c firejail-0.9.66/src/lib/pid.c --- firejail-0.9.64.4/src/lib/pid.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/lib/pid.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/lib/syscall.c firejail-0.9.66/src/lib/syscall.c --- firejail-0.9.64.4/src/lib/syscall.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/lib/syscall.c 2021-06-28 17:04:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -253,9 +253,6 @@ #ifdef SYS_fanotify_init "fanotify_init," #endif -#ifdef SYS_kcmp - "kcmp," -#endif #ifdef SYS_add_key "add_key," #endif @@ -359,6 +356,9 @@ #ifdef SYS_faccessat "faccessat," #endif +#ifdef SYS_faccessat2 + "faccessat2," +#endif #ifdef SYS_fallocate "fallocate," #endif diff -Nru firejail-0.9.64.4/src/libpostexecseccomp/libpostexecseccomp.c firejail-0.9.66/src/libpostexecseccomp/libpostexecseccomp.c --- firejail-0.9.64.4/src/libpostexecseccomp/libpostexecseccomp.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/libpostexecseccomp/libpostexecseccomp.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/libpostexecseccomp/Makefile.in firejail-0.9.66/src/libpostexecseccomp/Makefile.in --- firejail-0.9.64.4/src/libpostexecseccomp/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/libpostexecseccomp/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -4,13 +4,14 @@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now +.PHONY: all all: libpostexecseccomp.so %.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h @@ -19,7 +20,9 @@ libpostexecseccomp.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl +.PHONY: clean clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/libtrace/libtrace.c firejail-0.9.66/src/libtrace/libtrace.c --- firejail-0.9.64.4/src/libtrace/libtrace.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/libtrace/libtrace.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/libtrace/Makefile.in firejail-0.9.66/src/libtrace/Makefile.in --- firejail-0.9.64.4/src/libtrace/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/libtrace/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -4,13 +4,14 @@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now +.PHONY: all all: libtrace.so %.o : %.c $(H_FILE_LIST) @@ -19,8 +20,9 @@ libtrace.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - +.PHONY: clean clean:; rm -fr $(OBJS) libtrace.so *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/libtracelog/libtracelog.c firejail-0.9.66/src/libtracelog/libtracelog.c --- firejail-0.9.64.4/src/libtracelog/libtracelog.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/libtracelog/libtracelog.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/src/libtracelog/Makefile.in firejail-0.9.66/src/libtracelog/Makefile.in --- firejail-0.9.64.4/src/libtracelog/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/libtracelog/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -4,13 +4,14 @@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now +.PHONY: all all: libtracelog.so %.o : %.c $(H_FILE_LIST) ../include/rundefs.h @@ -19,8 +20,9 @@ libtracelog.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - +.PHONY: clean clean:; rm -fr $(OBJS) libtracelog.so *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/man/firecfg.txt firejail-0.9.66/src/man/firecfg.txt --- firejail-0.9.64.4/src/man/firecfg.txt 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/firecfg.txt 2021-06-22 15:51:28.000000000 +0000 @@ -130,8 +130,9 @@ .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) diff -Nru firejail-0.9.64.4/src/man/firejail-login.txt firejail-0.9.66/src/man/firejail-login.txt --- firejail-0.9.64.4/src/man/firejail-login.txt 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/firejail-login.txt 2021-06-22 15:51:28.000000000 +0000 @@ -3,7 +3,7 @@ login.users \- Login file syntax for Firejail .SH DESCRIPTION -/etc/firejail/login.users file describes additional arguments passed to firejail executable +/etc/firejail/login.users file describes additional arguments passed to the firejail executable upon user logging into a Firejail restricted shell. Each user entry in the file consists of a user name followed by the arguments passed to firejail. The format is as follows: @@ -19,8 +19,8 @@ .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in -/etc/passwd file for each user that needs to be restricted. Alternatively, -you can specify /usr/bin/firejail using adduser or usermod commands: +the /etc/passwd file for each user that needs to be restricted. Alternatively, +you can specify /usr/bin/firejail using the `adduser` or `usermod` commands: adduser \-\-shell /usr/bin/firejail username .br @@ -34,8 +34,9 @@ .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-users (5), +.BR jailcheck (1) diff -Nru firejail-0.9.64.4/src/man/firejail-profile.txt firejail-0.9.66/src/man/firejail-profile.txt --- firejail-0.9.64.4/src/man/firejail-profile.txt 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/firejail-profile.txt 2021-06-22 15:51:28.000000000 +0000 @@ -1,12 +1,78 @@ .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" .SH NAME -profile \- Security profile file syntax for Firejail +profile \- Security profile file syntax, and information about building new application profiles. -.SH USAGE +.SH SYNOPSIS + +Using a specific profile: +.PP +.RS +.TP +\fBfirejail \-\-profile=filename.profile +.br + +.br +Example: +.br +$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage +.br + +.br +.TP +\fBfirejail \-\-profile=profile_name +.br + +.br +Example: +.br +$ firejail --profile=kdenlive --appimage kdenlive.appimage +.br + +.br +.RE +.PP + + + +Building a profile manually: +.PP +.RS +Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor. +To integrate the program in your desktop environment copy the profile file in ~/.config/firejail +directory and run "sudo firecfg". +.RE +.PP + +Aliases and redirections: +.PP +.RS +In some cases the same profile can be used for several applications. +One such example is LibreOffice. +Build a regular profile for the main application, and for the rest use +/usr/share/doc/firejail/redirect_alias-profile.template. +.RE +.PP + +Running the profile builder: +.PP +.RS .TP -firejail \-\-profile=filename.profile +\fBfirejail \-\-build=appname.profile appname +.br + +.br +Example: +.br +$ firejail --build=blobby.profile blobby +.br + +.br +Run the program in "firejail \-\-build" and try to exercise as many program features as possible. +The profile is extracted and saved in the current directory. Open it in a text editor and add or remove +sandboxing options as necessary. Test again after modifying the profile. To integrate the program +in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg". .RE -firejail \-\-profile=profile_name +.PP .SH DESCRIPTION Several command line options can be passed to the program using @@ -94,6 +160,11 @@ .TP \fB# this is a comment +Example: + +# disable networking +.br +net none # this command creates an empty network namespace .TP \fB?CONDITIONAL: profile line @@ -103,7 +174,7 @@ This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM +Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled or disabled globally in Firejail's configuration file. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. @@ -205,6 +276,10 @@ \fBdisable-mnt Disable /mnt, /media, /run/mount and /run/media access. .TP +\fBkeep-config-pulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. +.TP \fBkeep-dev-shm /dev/shm directory is untouched (even with private-dev). .TP @@ -295,7 +370,9 @@ Build a new /etc in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to -the /etc directory. +the /etc directory, and must not contain the / character +(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- +expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed. #ifdef HAVE_PRIVATE_HOME .TP @@ -319,14 +396,18 @@ Build a new /opt in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to -the /opt directory. +the /opt directory, and must not contain the / character +(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- +expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed. .TP \fBprivate-srv file,directory Build a new /srv in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to -the /srv directory. +the /srv directory, and must not contain the / character +(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- +expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed. .TP \fBprivate-tmp @@ -339,7 +420,7 @@ Make directory or file read-write. .TP \fBtmpfs directory -Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. +Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. .TP \fBtracelog Blacklist violations logged to syslog. @@ -347,8 +428,9 @@ \fBwhitelist file_or_directory Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, -everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp. +everything else is discarded when the sandbox is closed. The top directory can be +all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and +all directories in /usr. .br .br @@ -646,9 +728,8 @@ \fBno3d Disable 3D hardware acceleration. .TP -\fBnoautopulse -Disable automatic ~/.config/pulse init, for complex setups such as remote -pulse servers or non-standard socket paths. +\fBnoautopulse \fR(deprecated) +See keep-config-pulse. .TP \fBnodvd Disable DVD and audio CD devices. @@ -656,6 +737,9 @@ \fBnogroups Disable supplementary user groups .TP +\fBnoinput +Disable input devices. +.TP \fBnosound Disable sound system. .TP @@ -666,7 +750,7 @@ Disable U2F devices. .TP \fBnovideo -Disable video devices. +Disable video capture devices. .TP \fBshell none Run the program directly, without a shell. @@ -882,17 +966,33 @@ Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". .SH FILES -/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile +.TP +\fB/etc/firejail/appname.profile +Global Firejail configuration consisting mainly of profiles for each application supported by default. + +.TP +\fB$HOME/.config/firejail/appname.profile +User application profiles, will take precedence over the global profiles. + +.TP +\fB/usr/share/doc/firejail/profile.template +Template for building new profiles. + +.TP +\fB/usr/share/doc/firejail/redirect_alias-profile.template +Template for aliasing/redirecting profiles. .SH LICENSE Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-login\fR\|(5), -\&\flfirejail-users\fR\|(5), +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) + .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles .UE diff -Nru firejail-0.9.64.4/src/man/firejail.txt firejail-0.9.66/src/man/firejail.txt --- firejail-0.9.64.4/src/man/firejail.txt 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/firejail.txt 2021-06-27 18:09:10.000000000 +0000 @@ -42,6 +42,15 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version} .RE .SH DESCRIPTION +#ifdef HAVE_LTS +This is Firejail long-term support (LTS), an enterprise focused version of the software, +LTS is usually supported for two or three years. +During this time only bugs and the occasional documentation problems are fixed. +The attack surface of the SUID executable was greatly reduced by removing some of the features. +.br + +.br +#endif Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. @@ -138,22 +147,18 @@ .br Example: .br -$ firejail --appimage krita-3.0-x86_64.appimage +$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage .br -$ firejail --appimage --private krita-3.0-x86_64.appimage +$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage .br #ifdef HAVE_X11 -$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage +$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage #endif .TP -\fB\-\-audit -Audit the sandbox, see \fBAUDIT\fR section for more details. -.TP -\fB\-\-audit=test-program -Audit the sandbox, see \fBAUDIT\fR section for more details. -.TP +#ifdef HAVE_NETWORK \fB\-\-bandwidth=name|pid Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. +#endif .TP \fB\-\-bind=filename1,filename2 Mount-bind filename1 on top of filename2. This option is only available when running as root. @@ -345,7 +350,7 @@ .br The log file contains events for both the system and session buses if both of -the --dbus-sysem.log and --dbus-user.log options are specified. If no log file +the --dbus-system.log and --dbus-user.log options are specified. If no log file path is given, logs are written to the standard output instead. .br @@ -430,7 +435,7 @@ .TP \fB\-\-dbus-system.log -Turn on DBus logging for the system DBus. This option requires --dbus-system=log. +Turn on DBus logging for the system DBus. This option requires --dbus-system=filter. .br Example: @@ -557,7 +562,7 @@ .TP \fB\-\-dbus-user.log -Turn on DBus logging for the session DBus. This option requires --dbus-user=log. +Turn on DBus logging for the session DBus. This option requires --dbus-user=filter. .br Example: @@ -693,6 +698,10 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox #endif .TP +\fB\-\-deterministic-exit-code +Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. +.br +.TP \fB\-\-disable-mnt Blacklist /mnt, /media, /run/mount and /run/media access. .br @@ -703,10 +712,6 @@ $ firejail \-\-disable-mnt firefox .TP -\fB\-\-deterministic-exit-code -Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. - -.TP \fB\-\-dns=address Set a DNS server for the sandbox. Up to three DNS servers can be defined. Use this option if you don't trust the DNS setup on your network. @@ -818,6 +823,16 @@ $ firejail \-\-ignore="net eth0" firefox #endif +.TP +\fB\-\-\include=file.profile +Include a profile file before the regular profiles are used. +.br + +.br +Example: +.br +$ firejail --include=/etc/firejail/disable-devel.inc gedit + #ifdef HAVE_NETWORK .TP \fB\-\-interface=interface @@ -1037,6 +1052,17 @@ Note that in contrary to other join options there is respective profile option. .TP +\fB\-\-keep-config-pulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. +.br + +.br +Example: +.br +$ firejail \-\-keep-config-pulse firefox + +.TP \fB\-\-keep-dev-shm /dev/shm directory is untouched (even with --private-dev) .br @@ -1105,6 +1131,26 @@ $ firejail \-\-machine-id .TP +\fB\-\-mkdir=dirname +Create a directory in user home. Parent directories are created as needed. +.br + +.br +Example: +.br +$ firejail --mkdir=~/work/project + +.TP +\fB\-\-mkfile=filename +Create an empty file in user home. +.br + +.br +Example: +.br +$ firejail --mkfile=~/work/project/readme + +.TP \fB\-\-memory-deny-write-execute Install a seccomp filter to block attempts to create memory mappings that are both writable and executable, to change mappings to be @@ -1425,15 +1471,8 @@ $ firejail --no3d firefox .TP -\fB\-\-noautopulse -Disable automatic ~/.config/pulse init, for complex setups such as remote -pulse servers or non-standard socket paths. -.br - -.br -Example: -.br -$ firejail \-\-noautopulse firefox +\fB\-\-noautopulse \fR(deprecated) +See --keep-config-pulse. .TP \fB\-\-noblacklist=dirname_or_filename @@ -1480,6 +1519,15 @@ .br $ firejail \-\-nodvd .TP +\fB\-\-noinput +Disable input devices. +.br + +.br +Example: +.br +$ firejail \-\-noinput +.TP \fB\-\-noexec=dirname_or_filename Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. .br @@ -1622,6 +1670,7 @@ \fB\-\-nowhitelist=dirname_or_filename Disable whitelist for this directory or file. +#ifdef HAVE_OUTPUT .TP \fB\-\-output=logfile stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log @@ -1652,6 +1701,7 @@ .TP \fB\-\-output-stderr=logfile Similar to \-\-output, but stderr is also stored. +#endif #ifdef HAVE_OVERLAYFS .TP @@ -1846,7 +1896,7 @@ Build a new /etc in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to -the /etc directory. +the /etc directory (e.g., /etc/foo must be expressed as foo). If no listed file is found, /etc directory will be empty. All modifications are discarded when the sandbox is closed. .br @@ -1856,7 +1906,7 @@ .br $ firejail --private-etc=group,hostname,localtime, \\ .br -nsswitch.conf,passwd,resolv.conf,default/motd-news +nsswitch.conf,passwd,resolv.conf #ifdef HAVE_PRIVATE_HOME .TP \fB\-\-private-home=file,directory @@ -1931,7 +1981,9 @@ Build a new /opt in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to -the /opt directory. +the /opt directory, and must not contain the / character +(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- +expressed as foo/bar -- is disallowed). If no listed file is found, /opt directory will be empty. All modifications are discarded when the sandbox is closed. .br @@ -1946,7 +1998,9 @@ Build a new /srv in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to -the /srv directory. +the /srv directory, and must not contain the / character +(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- +expressed as srv/bar -- is disallowed). If no listed file is found, /srv directory will be empty. All modifications are discarded when the sandbox is closed. .br @@ -2075,6 +2129,7 @@ .TP \fB\-\-rlimit-as=number Set the maximum size of the process's virtual memory (address space) in bytes. +Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). .TP \fB\-\-rlimit-cpu=number @@ -2088,6 +2143,7 @@ .TP \fB\-\-rlimit-fsize=number Set the maximum file size that can be created by a process. +Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). .TP \fB\-\-rlimit-nofile=number Set the maximum number of files that can be opened by a process. @@ -2122,7 +2178,7 @@ .TP \fB\-\-seccomp Enable seccomp filter and blacklist the syscalls in the default list, -which is @default-nodebuggers unless allow-debuggers is specified, +which is @default-nodebuggers unless \-\-allow-debuggers is specified, then it is @default. .br @@ -2133,18 +2189,13 @@ @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync, @system-service and @timer. More information about groups can be found in /usr/share/doc/firejail/syscalls.txt - -In addition, a system call can be specified by its number instead of -name with prefix $, so for example $165 would be equal to mount on i386. -Exceptions can be allowed with prefix !. +.br .br System architecture is strictly imposed only if flag \-\-seccomp.block-secondary is used. The filter is applied at run time only if the correct architecture was detected. For the case of I386 -and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit -architecture, an additional filter for 32 bit system calls can be -installed with \-\-seccomp.32. +and AMD64 both 32-bit and 64-bit filters are installed. .br .br @@ -2155,11 +2206,18 @@ Example: .br $ firejail \-\-seccomp +.br + +.br +The default list can be customized, see \-\-seccomp= for a description. It can be customized +also globally in /etc/firejail/firejail.config file. + .TP \fB\-\-seccomp=syscall,@group,!syscall2 -Enable seccomp filter, whitelist "syscall2", but blacklist the default -list and the syscalls or syscall groups specified by the -command. +Enable seccomp filter, blacklist the default list and the syscalls or syscall groups +specified by the command, but don't blacklist "syscall2". On a 64 bit +architecture, an additional filter for 32 bit system calls can be +installed with \-\-seccomp.32. .br .br @@ -2169,6 +2227,13 @@ .br $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk .br +$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious +.br + +.br +Syscalls can be specified by their number if prefix $ is added, +so for example $165 would be equal to mount on i386. +.br .br Instead of dropping the syscall by returning EPERM, another error @@ -2181,6 +2246,7 @@ .br Example: +.br $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes .br Parent pid 10662, child pid 10663 @@ -2189,9 +2255,13 @@ .br $ touch testfile .br +$ ls testfile +.br +testfile +.br $ rm testfile .br -rm: cannot remove `testfile': Operation not permitted +rm: cannot remove `testfile': No such file or directory .br .br @@ -2204,7 +2274,7 @@ .br Example: .br -$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash +$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh .br Parent pid 32751, child pid 32752 .br @@ -2216,8 +2286,7 @@ .br $ ls .br -Bad system call -.br +Operation not permitted .TP \fB\-\-seccomp.block-secondary @@ -2261,15 +2330,15 @@ .br $ touch testfile .br +$ ls testfile +.br +testfile +.br $ rm testfile .br -rm: cannot remove `testfile': Operation not permitted +rm: cannot remove `testfile': No such file or directory .br - - - - .TP \fB\-\-seccomp.keep=syscall,@group,!syscall2 Enable seccomp filter, blacklist all syscall not listed and "syscall2". @@ -2451,7 +2520,7 @@ $ .TP -\fB\-\-seccomp-error-action= kill | ERRNO +\fB\-\-seccomp-error-action= kill | ERRNO | log By default, if a seccomp filter blocks a system call, the process gets EPERM as the error. With \-\-seccomp-error-action=error, another error number can be returned, for example ENOSYS or EACCES. The process can @@ -2512,14 +2581,13 @@ $ firejail \-\-timeout=01:30:00 firefox .TP \fB\-\-tmpfs=dirname -Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root. -File globbing is supported, see \fBFILE GLOBBING\fR section for more details. +Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. .br .br Example: .br -# firejail \-\-tmpfs=/var +$ firejail \-\-tmpfs=~/.local/share .TP \fB\-\-top Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. @@ -2669,8 +2737,9 @@ \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, -everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var. +everything else is discarded when the sandbox is closed. The top directory can be +all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and +all directories in /usr. .br .br @@ -2941,30 +3010,6 @@ $ firejail --apparmor firefox #endif -.SH AUDIT -Audit feature allows the user to point out gaps in security profiles. The -implementation replaces the program to be sandboxed with a test program. By -default, we use faudit program distributed with Firejail. A custom test program -can also be supplied by the user. Examples: - -Running the default audit program: -.br - $ firejail --audit transmission-gtk - -Running a custom audit program: -.br - $ firejail --audit=~/sandbox-test transmission-gtk - -In the examples above, the sandbox configures transmission-gtk profile and -starts the test program. The real program, transmission-gtk, will not be -started. - -You can also audit a specific profile without specifying a program. -.br - $ firejail --audit --profile=/etc/firejail/zoom.profile - -Limitations: audit feature is not implemented for --x11 commands. - .SH DESKTOP INTEGRATION A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place @@ -3332,11 +3377,13 @@ .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5), -\&\flfirejail-users\fR\|(5), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) + .UR https://github.com/netblue30/firejail/wiki .UE , .UR https://github.com/netblue30/firejail diff -Nru firejail-0.9.64.4/src/man/firejail-users.txt firejail-0.9.66/src/man/firejail-users.txt --- firejail-0.9.64.4/src/man/firejail-users.txt 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/firejail-users.txt 2021-06-22 15:51:28.000000000 +0000 @@ -54,8 +54,9 @@ .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5) -\&\flfirejail-login\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR jailcheck (1) diff -Nru firejail-0.9.64.4/src/man/firemon.txt firejail-0.9.66/src/man/firemon.txt --- firejail-0.9.64.4/src/man/firemon.txt 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/firemon.txt 2021-06-22 15:51:28.000000000 +0000 @@ -115,8 +115,9 @@ .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) diff -Nru firejail-0.9.64.4/src/man/jailcheck.txt firejail-0.9.66/src/man/jailcheck.txt --- firejail-0.9.64.4/src/man/jailcheck.txt 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/man/jailcheck.txt 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,117 @@ +.TH JAILCHECK 1 "MONTH YEAR" "VERSION" "JAILCHECK man page" +.SH NAME +jailcheck \- Simple utility program to test running sandboxes +.SH SYNOPSIS +sudo jailcheck [OPTIONS] [directory] +.SH DESCRIPTION +jailcheck attaches itself to all sandboxes started by the user and performs some basic tests +on the sandbox filesystem: +.TP +\fB1. Virtual directories +jailcheck extracts a list with the main virtual directories installed by the sandbox. +These directories are build by firejail at startup using --private* and --whitelist commands. +.TP +\fB2. Noexec test +jailcheck inserts executable programs in /home/username, /tmp, and /var/tmp directories +and tries to run them from inside the sandbox, thus testing if the directory is executable or not. +.TP +\fB3. Read access test +jailcheck creates test files in the directories specified by the user and tries to read +them from inside the sandbox. +.TP +\fB4. AppArmor test +.TP +\fB5. Seccomp test +.TP +\fB6. Networking test +.TP +The program is started as root using sudo. + +.SH OPTIONS +.TP +\fB\-\-debug +Print debug messages. +.TP +\fB\-?\fR, \fB\-\-help\fR +Print options and exit. +.TP +\fB\-\-version +Print program version and exit. +.TP +\fB[directory] +One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default. + +.SH OUTPUT +For each sandbox detected we print the following line: + + PID:USER:Sandbox Name:Command + +It is followed by relevant sandbox information, such as the virtual directories and various warnings. + +.SH EXAMPLE + +$ sudo jailcheck +.br +2014:netblue::firejail /usr/bin/gimp +.br + Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, +.br + Warning: I can run programs in /home/netblue +.br + Networking: disabled +.br + +.br +2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net +.br + Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, +.br + Warning: I can read ~/.ssh +.br + Networking: enabled +.br + +.br +2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage +.br + Virtual dirs: /tmp, /var/tmp, /dev, +.br + Networking: enabled +.br + +.br +26090:netblue::/usr/bin/firejail /opt/firefox/firefox +.br + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, +.br + /run/user/1000, +.br + Networking: enabled +.br + +.br +26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor +.br + Warning: AppArmor not enabled +.br + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, +.br + /usr/share, /run/user/1000, +.br + Warning: I can run programs in /home/netblue +.br + Networking: enabled +.br + + +.SH LICENSE +This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. +.PP +Homepage: https://firejail.wordpress.com +.SH SEE ALSO +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), diff -Nru firejail-0.9.64.4/src/man/Makefile.in firejail-0.9.66/src/man/Makefile.in --- firejail-0.9.64.4/src/man/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,10 +1,14 @@ -all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man +.PHONY: all +all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man + include ../common.mk %.man: %.txt gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@ +.PHONY: clean clean:; rm -fr *.man +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/man/preproc.awk firejail-0.9.66/src/man/preproc.awk --- firejail-0.9.64.4/src/man/preproc.awk 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/man/preproc.awk 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/gawk -E -# Copyright (c) 2019,2020 rusty-snake +# Copyright (c) 2019-2021 rusty-snake # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal diff -Nru firejail-0.9.64.4/src/profstats/main.c firejail-0.9.66/src/profstats/main.c --- firejail-0.9.64.4/src/profstats/main.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/profstats/main.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -46,6 +46,7 @@ static int cnt_ssh = 0; static int cnt_mdwx = 0; static int cnt_whitelisthome = 0; +static int cnt_noroot = 0; static int level = 0; static int arg_debug = 0; @@ -65,6 +66,7 @@ static int arg_dbus_system_none = 0; static int arg_dbus_user_none = 0; static int arg_whitelisthome = 0; +static int arg_noroot = 0; static char *profile = NULL; @@ -80,6 +82,7 @@ printf(" --dbus-user-none - profiles without \"dbus-user none\"\n"); printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); + printf(" --noroot - print profiles without \"noroot\"\n"); printf(" --private-bin - print profiles without private-bin\n"); printf(" --private-dev - print profiles without private-dev\n"); printf(" --private-etc - print profiles without private-etc\n"); @@ -128,6 +131,8 @@ cnt_caps++; else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) cnt_noexec++; + else if (strncmp(ptr, "noroot", 6) == 0) + cnt_noroot++; else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) cnt_whitelistvar++; else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || @@ -212,6 +217,8 @@ arg_mdwx = 1; else if (strcmp(argv[i], "--noexec") == 0) arg_noexec = 1; + else if (strcmp(argv[i], "--noroot") == 0) + arg_noroot = 1; else if (strcmp(argv[i], "--private-bin") == 0) arg_privatebin = 1; else if (strcmp(argv[i], "--private-dev") == 0) @@ -256,6 +263,7 @@ int caps = cnt_caps; int apparmor = cnt_apparmor; int noexec = cnt_noexec; + int noroot = cnt_noroot; int privatebin = cnt_privatebin; int privatetmp = cnt_privatetmp; int privatedev = cnt_privatedev; @@ -313,6 +321,8 @@ printf("No seccomp found in %s\n", argv[i]); if (arg_noexec && noexec == cnt_noexec) printf("No include disable-exec.inc found in %s\n", argv[i]); + if (arg_noroot && noroot == cnt_noroot) + printf("No noroot found in %s\n", argv[i]); if (arg_privatedev && privatedev == cnt_privatedev) printf("No private-dev found in %s\n", argv[i]); if (arg_privatebin && privatebin == cnt_privatebin) @@ -341,11 +351,12 @@ printf("Stats:\n"); printf(" profiles\t\t\t%d\n", cnt_profiles); printf(" include local profile\t%d (include profile-name.local)\n", cnt_dotlocal); - printf(" include globals\t\t%d (include globals.local)\n", cnt_dotlocal); + printf(" include globals\t\t%d (include globals.local)\n", cnt_globalsdotlocal); printf(" blacklist ~/.ssh\t\t%d (include disable-common.inc)\n", cnt_ssh); printf(" seccomp\t\t\t%d\n", cnt_seccomp); printf(" capabilities\t\t%d\n", cnt_caps); printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); + printf(" noroot\t\t\t%d\n", cnt_noroot); printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); printf(" apparmor\t\t\t%d\n", cnt_apparmor); printf(" private-bin\t\t\t%d\n", cnt_privatebin); diff -Nru firejail-0.9.64.4/src/profstats/Makefile.in firejail-0.9.66/src/profstats/Makefile.in --- firejail-0.9.64.4/src/profstats/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/src/profstats/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,3 +1,4 @@ +.PHONY: all all: profstats include ../common.mk @@ -8,7 +9,9 @@ profstats: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff -Nru firejail-0.9.64.4/src/zsh_completion/_firejail.in firejail-0.9.66/src/zsh_completion/_firejail.in --- firejail-0.9.64.4/src/zsh_completion/_firejail.in 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/zsh_completion/_firejail.in 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,285 @@ +#compdef firejail + +# Documentation: man 1 zshcompsys +# HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org + +_all_firejails() { + local -a _all_firejails_list + for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do + _all_firejails_list+=${jail%% *} + done + _describe 'firejails list' _all_firejails_list +} + +_all_cpus() { + _cpu_count=$(getconf _NPROCESSORS_ONLN) + for i in {0..$((_cpu_count-1))} ; do + print $i + done +} + +_profiles() { + print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;" +} +_profiles_with_ext() { + print $1/*.profile +} + +_all_profiles() { + _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) +} + +_session_bus_names() { + _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1) + # Alternatives to hack on for non-systemd systems: + # dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames + # ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service +} + +_system_bus_names() { + _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1) +} + +_caps() { + _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}') +} + +_firejail_args=( + '*::arguments:_normal' + + '--appimage[sandbox an AppImage application]' + '--build[build a whitelisted profile for the application and print it on stdout]' + '--build=-[build a whitelisted profile for the application and save it]: :_files' + # Ignore that you can do -? too as it's the only short option + '--help[this help screen]' + '--join=-[join the sandbox name|pid]: :_all_firejails' + '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' + '--list[list all sandboxes]' + '(--profile)--noprofile[do not use a security profile]' + '(--noprofile)--profile=-[use a custom profile]: :_all_profiles' + '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' + '--top[monitor the most CPU-intensive sandboxes]' + '--tree[print a tree of all sandboxed processes]' + '--version[print program version and exit]' + + '--debug[print sandbox debug messages]' + '--debug-blacklists[debug blacklisting]' + '--debug-caps[print all recognized capabilities]' + '--debug-errnos[print all recognized error numbers]' + '--debug-private-lib[debug for --private-lib option]' + '--debug-protocols[print all recognized protocols]' + '--debug-syscalls[print all recognized system calls]' + '--debug-syscalls32[print all recognized 32 bit system calls]' + '--debug-whitelists[debug whitelisting]' + + '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' + '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' + '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' + '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' + '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' + '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' + + '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' + '--allusers[all user home directories are visible inside the sandbox]' + # Should be _files, a comma and files or files -/ + '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' + '*--blacklist=-[blacklist directory or file]: :_files' + '--caps[enable default Linux capabilities filter]' + '--caps.drop=all[drop all capabilities]' + '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' + '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' + '--cgroup=-[place the sandbox in the specified control group]: :' + '--cpu=-[set cpu affinity]: :->cpus' + "--deterministic-exit-code[always exit with first child's status code]" + '*--dns=-[set DNS server]: :' + '*--env=-[set environment variable]: :' + '--hostname=-[set sandbox hostname]: :' + '--hosts-file=-[use file as /etc/hosts]: :_files' + '*--ignore=-[ignore command in profile files]: :' + '--ipc-namespace[enable a new IPC namespace]' + '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' + '--keep-config-pulse[disable automatic ~/.config/pulse init]' + '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' + '--keep-var-tmp[/var/tmp directory is untouched]' + '--machine-id[preserve /etc/machine-id]' + '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' + '*--mkdir=-[create a directory]:' + '*--mkfile=-[create a file]:' + '--name=-[set sandbox name]: :' + '--net=none[enable a new, unconnected network namespace]' + # Sample values as I don't think + # many would enjoy getting a list from -20..20 + '--nice=-[set nice value]: :(1 10 15 20)' + '--no3d[disable 3D hardware acceleration]' + '--noautopulse[disable automatic ~/.config/pulse init]' + '--noblacklist=-[disable blacklist for file or directory]: :_files' + '--nodbus[disable D-Bus access]' + '--nodvd[disable DVD and audio CD devices]' + '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' + '--nogroups[disable supplementary groups]' + '--noinput[disable input devices]' + '--nonewprivs[sets the NO_NEW_PRIVS prctl]' + '--nosound[disable sound system]' + '--nou2f[disable U2F devices]' + '--novideo[disable video devices]' + '--private[temporary home directory]' + '--private=-[use directory as user home]: :_files -/' + '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin' + '--private-cwd[do not inherit working directory inside jail]' + '--private-cwd=-[set working directory inside jail]: :_files -/' + '--private-dev[create a new /dev directory with a small number of common device files]' + '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc' + '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt' + '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv' + '--private-tmp[mount a tmpfs on top of /tmp directory]' + '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth' + "--quiet[turn off Firejail's output.]" + '*--read-only=-[set directory or file read-only]: :_files' + '*--read-write=-[set directory or file read-write]: :_files' + "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :" + '--rlimit-cpu=-[set the maximum CPU time in seconds]: :' + '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :' + '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' + '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' + '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' + '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' + '--seccomp[enable seccomp filter and apply the default blacklist]: :' + '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' + '--seccomp.block-secondary[build only the native architecture filters]' + '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' + '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' + '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' + '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' + # FIXME: Add errnos + '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' + '--shell=none[run the program directly without a user shell]' + '--shell=-[set default user shell]: :_values $(cat /etc/shells)' + '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' + #'(--tracelog)--trace[trace open, access and connect system calls]' + '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' + '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' + '(--private-etc)--writable-etc[/etc directory is mounted read-write]' + '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' + '--writable-var[/var directory is mounted read-write]' + '--writable-var-log[use the real /var/log directory, not a clone]' + +#ifdef HAVE_APPARMOR + '--apparmor[enable AppArmor confinement]' + '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails' +#endif + +#ifdef HAVE_CHROOT + '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/' +#endif + +#ifdef HAVE_DBUSPROXY + # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}. + # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl + '--dbus-log=-[set DBus log file location]: :_files' + '--dbus-system=-[set system DBus access policy]: :(filter none)' + '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names' + '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names' + '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names' + '--dbus-user=-[set session DBus access policy or none]: :(filter none)' + '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names' + '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names' + '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names' +#endif + +#ifdef HAVE_FILE_TRANSFER + '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' + '--get=-[get a file from sandbox container name|pid]: :_all_firejails' + # --put=name|pid src-filename dest-filename - put a file in sandbox container. + '--put=-[put a file in sandbox container]: :' + '--ls=-[list files in sandbox container name|pid]: :_all_firejails' +#endif + +#ifdef HAVE_FIRETUNNEL + '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' +#endif + +#ifdef HAVE_NETWORK + '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' + '--defaultgw=[configure default gateway]: :' + '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' + '--join-network=-[join the network namespace name|pid]: :_all_firejails' + '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' + '--mtu=-[set interface MTU]: :' + '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' + '--net.print=-[print network interface configuration name|pid]: :_all_firejails' + '--netfilter=-[enable firewall]: :' + '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' + '--netfilter6=-[enable IPv6 firewall]: :' + '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' + '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' + '--netns=-[Run the program in a named, persistent network namespace]: :' + '--netstats[monitor network statistics]' + '--interface=-[move interface in sandbox]: :' + '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' + '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' + '--iprange=-[configure an IP address in this range]: :' + '--scan[ARP-scan all the networks from inside a network namespace]' + '--veth-name=-[use this name for the interface connected to the bridge]: :' +#endif + +#ifdef HAVE_OUTPUT + '--output=-[stdout logging and log rotation]: :_files' + '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' +#endif + +#ifdef HAVE_OVERLAYFS + '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]' + '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' + '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' + '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' +#endif + +#ifdef HAVE_PRIVATE_HOME + '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' +#endif + +#ifdef HAVE_USERNS + '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]' +#endif + +#ifdef HAVE_USERTMPFS + '--private-cache[temporary ~/.cache directory]' + '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' +#endif + +#ifdef HAVE_WHITELIST + '*--nowhitelist=-[disable whitelist for file or directory]: :_files' + '*--whitelist=-[whitelist directory or file]: :_files' +#endif + +#ifdef HAVE_X11 + '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' + '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' + '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' +#endif +) + + +_firejail() { + _arguments -S $_firejail_args + case "$state" in + cpus) + _values -s "," 'cpus' $(_all_cpus) + ;; + net_or_none) + local netdevs=($(ip link | awk '{print $2}' | grep '^.*:$' | tr -d ':')) + local net_and_none=(none $netdevs) + _values 'net' $net_and_none + ;; + seccomp) + # TODO: syscall groups + _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2) + ;; + esac +} + +# vim: ft=zsh sw=4 ts=4 et sts=4 ai diff -Nru firejail-0.9.64.4/src/zsh_completion/Makefile.in firejail-0.9.66/src/zsh_completion/Makefile.in --- firejail-0.9.64.4/src/zsh_completion/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/src/zsh_completion/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,17 @@ +.PHONY: all +all: _firejail + +include ../common.mk + +_firejail: _firejail.in + gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp + sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ + rm $@.tmp + +.PHONY: clean +clean: + rm -fr _firejail + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff -Nru firejail-0.9.64.4/test/apps/apps.sh firejail-0.9.66/test/apps/apps.sh --- firejail-0.9.64.4/test/apps/apps.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/apps.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/apps/chromium.exp firejail-0.9.66/test/apps/chromium.exp --- firejail-0.9.64.4/test/apps/chromium.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/chromium.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/deluge.exp firejail-0.9.66/test/apps/deluge.exp --- firejail-0.9.64.4/test/apps/deluge.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/deluge.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/fbreader.exp firejail-0.9.66/test/apps/fbreader.exp --- firejail-0.9.64.4/test/apps/fbreader.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/fbreader.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/filezilla.exp firejail-0.9.66/test/apps/filezilla.exp --- firejail-0.9.64.4/test/apps/filezilla.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/filezilla.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/firefox.exp firejail-0.9.66/test/apps/firefox.exp --- firejail-0.9.64.4/test/apps/firefox.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/firefox.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/gnome-mplayer.exp firejail-0.9.66/test/apps/gnome-mplayer.exp --- firejail-0.9.64.4/test/apps/gnome-mplayer.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/gnome-mplayer.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/gthumb.exp firejail-0.9.66/test/apps/gthumb.exp --- firejail-0.9.64.4/test/apps/gthumb.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/gthumb.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/hexchat.exp firejail-0.9.66/test/apps/hexchat.exp --- firejail-0.9.64.4/test/apps/hexchat.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/hexchat.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/kcalc.exp firejail-0.9.66/test/apps/kcalc.exp --- firejail-0.9.64.4/test/apps/kcalc.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/kcalc.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/ktorrent.exp firejail-0.9.66/test/apps/ktorrent.exp --- firejail-0.9.64.4/test/apps/ktorrent.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/ktorrent.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/midori.exp firejail-0.9.66/test/apps/midori.exp --- firejail-0.9.64.4/test/apps/midori.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/midori.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/opera.exp firejail-0.9.66/test/apps/opera.exp --- firejail-0.9.64.4/test/apps/opera.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/opera.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/qbittorrent.exp firejail-0.9.66/test/apps/qbittorrent.exp --- firejail-0.9.64.4/test/apps/qbittorrent.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/qbittorrent.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/thunderbird.exp firejail-0.9.66/test/apps/thunderbird.exp --- firejail-0.9.64.4/test/apps/thunderbird.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/thunderbird.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/transmission-qt.exp firejail-0.9.66/test/apps/transmission-qt.exp --- firejail-0.9.64.4/test/apps/transmission-qt.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/transmission-qt.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/uget-gtk.exp firejail-0.9.66/test/apps/uget-gtk.exp --- firejail-0.9.64.4/test/apps/uget-gtk.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/uget-gtk.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/vlc.exp firejail-0.9.66/test/apps/vlc.exp --- firejail-0.9.64.4/test/apps/vlc.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/vlc.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/wine.exp firejail-0.9.66/test/apps/wine.exp --- firejail-0.9.64.4/test/apps/wine.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/wine.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps/xchat.exp firejail-0.9.66/test/apps/xchat.exp --- firejail-0.9.64.4/test/apps/xchat.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps/xchat.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/apps-x11.sh firejail-0.9.66/test/apps-x11/apps-x11.sh --- firejail-0.9.64.4/test/apps-x11/apps-x11.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/apps-x11.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/apps-x11/chromium.exp firejail-0.9.66/test/apps-x11/chromium.exp --- firejail-0.9.64.4/test/apps-x11/chromium.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/chromium.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/firefox.exp firejail-0.9.66/test/apps-x11/firefox.exp --- firejail-0.9.64.4/test/apps-x11/firefox.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/firefox.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/thunderbird.exp firejail-0.9.66/test/apps-x11/thunderbird.exp --- firejail-0.9.64.4/test/apps-x11/thunderbird.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/thunderbird.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/transmission-gtk.exp firejail-0.9.66/test/apps-x11/transmission-gtk.exp --- firejail-0.9.64.4/test/apps-x11/transmission-gtk.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/transmission-gtk.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/x11-none.exp firejail-0.9.66/test/apps-x11/x11-none.exp --- firejail-0.9.64.4/test/apps-x11/x11-none.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/x11-none.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/x11-xephyr.exp firejail-0.9.66/test/apps-x11/x11-xephyr.exp --- firejail-0.9.64.4/test/apps-x11/x11-xephyr.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/x11-xephyr.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/xterm-xephyr.exp firejail-0.9.66/test/apps-x11/xterm-xephyr.exp --- firejail-0.9.64.4/test/apps-x11/xterm-xephyr.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/xterm-xephyr.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/xterm-xorg.exp firejail-0.9.66/test/apps-x11/xterm-xorg.exp --- firejail-0.9.64.4/test/apps-x11/xterm-xorg.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/xterm-xorg.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11/xterm-xpra.exp firejail-0.9.66/test/apps-x11/xterm-xpra.exp --- firejail-0.9.64.4/test/apps-x11/xterm-xpra.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11/xterm-xpra.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11-xorg/apps-x11-xorg.sh firejail-0.9.66/test/apps-x11-xorg/apps-x11-xorg.sh --- firejail-0.9.64.4/test/apps-x11-xorg/apps-x11-xorg.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11-xorg/apps-x11-xorg.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/apps-x11-xorg/firefox.exp firejail-0.9.66/test/apps-x11-xorg/firefox.exp --- firejail-0.9.64.4/test/apps-x11-xorg/firefox.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11-xorg/firefox.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11-xorg/thunderbird.exp firejail-0.9.66/test/apps-x11-xorg/thunderbird.exp --- firejail-0.9.64.4/test/apps-x11-xorg/thunderbird.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11-xorg/thunderbird.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11-xorg/transmission-gtk.exp firejail-0.9.66/test/apps-x11-xorg/transmission-gtk.exp --- firejail-0.9.64.4/test/apps-x11-xorg/transmission-gtk.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11-xorg/transmission-gtk.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/apps-x11-xorg/transmission-qt.exp firejail-0.9.66/test/apps-x11-xorg/transmission-qt.exp --- firejail-0.9.64.4/test/apps-x11-xorg/transmission-qt.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/apps-x11-xorg/transmission-qt.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/arguments/arguments.sh firejail-0.9.66/test/arguments/arguments.sh --- firejail-0.9.64.4/test/arguments/arguments.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/arguments.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,30 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -export LC_ALL=C - -if [ -f /etc/debian_version ]; then - libdir=$(dirname "$(dpkg -L firejail | grep faudit)") - export PATH="$PATH:$libdir" -fi -export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" - -echo "TESTING: 1. regular bash session" -./bashrun.exp -sleep 1 - -echo "TESTING: 2. symbolic link to firejail" -./symrun.exp -rm -fr symtest -sleep 1 - -echo "TESTING: 3. --join option" -./joinrun.exp -sleep 1 - -echo "TESTING: 4. --output option" -./outrun.exp -rm out -rm out.* diff -Nru firejail-0.9.64.4/test/arguments/bashrun.exp firejail-0.9.66/test/arguments/bashrun.exp --- firejail-0.9.64.4/test/arguments/bashrun.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/bashrun.exp 1970-01-01 00:00:00.000000000 +0000 @@ -1,89 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "./bashrun.sh\r" -expect { - timeout {puts "TESTING ERROR 1.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 1.1.3\n";exit} - "#arg2#" -} - -expect { - timeout {puts "TESTING ERROR 1.2.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.2.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 1.2.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 1.3.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 1.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 1.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 1.6.3\n";exit} - "#arg2&tail#" -} - -puts "\nall done\n" diff -Nru firejail-0.9.64.4/test/arguments/bashrun.sh firejail-0.9.66/test/arguments/bashrun.sh --- firejail-0.9.64.4/test/arguments/bashrun.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/bashrun.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,25 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -echo "TESTING: 1.1 - simple args" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 1.2 - args with space and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 1.3 - args with space and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 1.4 - args with space and \\" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 1.5 - args with & and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 1.6 - args with & and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail' diff -Nru firejail-0.9.64.4/test/arguments/joinrun.exp firejail-0.9.66/test/arguments/joinrun.exp --- firejail-0.9.64.4/test/arguments/joinrun.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/joinrun.exp 1970-01-01 00:00:00.000000000 +0000 @@ -1,92 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - - -send -- "firejail --name=joinrun\r" -sleep 2 - -spawn $env(SHELL) -send -- "./joinrun.sh\r" -expect { - timeout {puts "TESTING ERROR 3.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 3.1.3\n";exit} - "#arg2#" -} - -expect { - timeout {puts "TESTING ERROR 3.2.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.2.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.2.3\n";exit} - "#arg2 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.3.3\n";exit} - "#arg2 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 3.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 3.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 3.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 3.6.3\n";exit} - "#arg2&tail#" -} - -puts "\nall done\n" diff -Nru firejail-0.9.64.4/test/arguments/joinrun.sh firejail-0.9.66/test/arguments/joinrun.sh --- firejail-0.9.64.4/test/arguments/joinrun.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/joinrun.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,25 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -echo "TESTING: 3.1 - simple args" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 3.2 - args with space and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 3.3 - args with space and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 3.4 - args with space and \\" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 3.5 - args with & and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 3.6 - args with & and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail' diff -Nru firejail-0.9.64.4/test/arguments/outrun.exp firejail-0.9.66/test/arguments/outrun.exp --- firejail-0.9.64.4/test/arguments/outrun.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/outrun.exp 1970-01-01 00:00:00.000000000 +0000 @@ -1,93 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "./outrun.sh\r" -expect { - timeout {puts "TESTING ERROR 4.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 4.1.3\n";exit} - "#arg2#" -} - -exit -#*************************************************** -# breaking down from here on - bug to fix -#*************************************************** -expect { - timeout {puts "TESTING ERROR 4.2.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.2.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 4.2.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 4.3.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 4.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 4.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 4.6.3\n";exit} - "#arg2&tail#" -} - -puts "\nall done\n" diff -Nru firejail-0.9.64.4/test/arguments/outrun.sh firejail-0.9.66/test/arguments/outrun.sh --- firejail-0.9.64.4/test/arguments/outrun.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/outrun.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,25 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -echo "TESTING: 4.1 - simple args" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 4.2 - args with space and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 4.3 - args with space and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 4.4 - args with space and \\" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 4.5 - args with & and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 4.6 - args with & and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail' diff -Nru firejail-0.9.64.4/test/arguments/symrun.exp firejail-0.9.66/test/arguments/symrun.exp --- firejail-0.9.64.4/test/arguments/symrun.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/symrun.exp 1970-01-01 00:00:00.000000000 +0000 @@ -1,74 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "./symrun.sh\r" -expect { - timeout {puts "TESTING ERROR 2.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 2.1.3\n";exit} - "#arg2#" -} - -expect { - timeout {puts "TESTING ERROR 2.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 2.3.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 2.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 2.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 2.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 2.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 2.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 2.6.3\n";exit} - "#arg2&tail#" -} diff -Nru firejail-0.9.64.4/test/arguments/symrun.sh firejail-0.9.66/test/arguments/symrun.sh --- firejail-0.9.64.4/test/arguments/symrun.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/arguments/symrun.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -mkdir symtest -ln -s /usr/bin/firejail symtest/faudit - -# search for faudit in current directory -export PATH=$PATH:. -export FIREJAIL_TEST_ARGUMENTS=yes - -echo "TESTING: 2.1 - simple args" -symtest/faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 2.2 - args with space and \"" -symtest/faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 2.3 - args with space and '" -symtest/faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 2.4 - args with space and \\" -symtest/faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 2.5 - args with & and \"" -symtest/faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 2.6 - args with & and '" -symtest/faudit 'arg1&tail' 'arg2&tail' - -rm -fr symtest diff -Nru firejail-0.9.64.4/test/chroot/chroot.sh firejail-0.9.66/test/chroot/chroot.sh --- firejail-0.9.64.4/test/chroot/chroot.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/chroot/chroot.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/chroot/configure firejail-0.9.66/test/chroot/configure --- firejail-0.9.64.4/test/chroot/configure 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/chroot/configure 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # build a very small chroot diff -Nru firejail-0.9.64.4/test/chroot/fs_chroot.exp firejail-0.9.66/test/chroot/fs_chroot.exp --- firejail-0.9.64.4/test/chroot/fs_chroot.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/chroot/fs_chroot.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/chroot/unchroot-as-root.exp firejail-0.9.66/test/chroot/unchroot-as-root.exp --- firejail-0.9.64.4/test/chroot/unchroot-as-root.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/chroot/unchroot-as-root.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/chroot/unchroot.c firejail-0.9.66/test/chroot/unchroot.c --- firejail-0.9.64.4/test/chroot/unchroot.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/chroot/unchroot.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 // simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier diff -Nru firejail-0.9.64.4/test/compile/compile.sh firejail-0.9.66/test/compile/compile.sh --- firejail-0.9.64.4/test/compile/compile.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/compile/compile.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # not currently covered diff -Nru firejail-0.9.64.4/test/environment/allow-debuggers.exp firejail-0.9.66/test/environment/allow-debuggers.exp --- firejail-0.9.64.4/test/environment/allow-debuggers.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/allow-debuggers.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/csh.exp firejail-0.9.66/test/environment/csh.exp --- firejail-0.9.64.4/test/environment/csh.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/csh.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/dash.exp firejail-0.9.66/test/environment/dash.exp --- firejail-0.9.64.4/test/environment/dash.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/dash.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/deterministic-exit-code.exp firejail-0.9.66/test/environment/deterministic-exit-code.exp --- firejail-0.9.64.4/test/environment/deterministic-exit-code.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/deterministic-exit-code.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 4 diff -Nru firejail-0.9.64.4/test/environment/dns.exp firejail-0.9.66/test/environment/dns.exp --- firejail-0.9.64.4/test/environment/dns.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/dns.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/doubledash.exp firejail-0.9.66/test/environment/doubledash.exp --- firejail-0.9.64.4/test/environment/doubledash.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/doubledash.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/env.exp firejail-0.9.66/test/environment/env.exp --- firejail-0.9.64.4/test/environment/env.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/env.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/environment.sh firejail-0.9.66/test/environment/environment.sh --- firejail-0.9.64.4/test/environment/environment.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/environment.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/environment/extract_command.exp firejail-0.9.66/test/environment/extract_command.exp --- firejail-0.9.64.4/test/environment/extract_command.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/extract_command.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/firejail-in-firejail.exp firejail-0.9.66/test/environment/firejail-in-firejail.exp --- firejail-0.9.64.4/test/environment/firejail-in-firejail.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/firejail-in-firejail.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/hostfile.exp firejail-0.9.66/test/environment/hostfile.exp --- firejail-0.9.64.4/test/environment/hostfile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/hostfile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 diff -Nru firejail-0.9.64.4/test/environment/ibus.exp firejail-0.9.66/test/environment/ibus.exp --- firejail-0.9.64.4/test/environment/ibus.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/ibus.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/machineid.exp firejail-0.9.66/test/environment/machineid.exp --- firejail-0.9.64.4/test/environment/machineid.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/machineid.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 diff -Nru firejail-0.9.64.4/test/environment/nice.exp firejail-0.9.66/test/environment/nice.exp --- firejail-0.9.64.4/test/environment/nice.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/nice.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/output.exp firejail-0.9.66/test/environment/output.exp --- firejail-0.9.64.4/test/environment/output.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/output.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/output.sh firejail-0.9.66/test/environment/output.sh --- firejail-0.9.64.4/test/environment/output.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/output.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 i="0" diff -Nru firejail-0.9.64.4/test/environment/quiet.exp firejail-0.9.66/test/environment/quiet.exp --- firejail-0.9.64.4/test/environment/quiet.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/quiet.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 4 diff -Nru firejail-0.9.64.4/test/environment/rlimit-bad.exp firejail-0.9.66/test/environment/rlimit-bad.exp --- firejail-0.9.64.4/test/environment/rlimit-bad.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/rlimit-bad.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -10,7 +10,7 @@ send -- "firejail --rlimit-fsize=-1024\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "invalid rlimit" + "invalid rlimit-fsize. Only use positive numbers and k, m or g suffix." } after 100 diff -Nru firejail-0.9.64.4/test/environment/rlimit-bad-profile.exp firejail-0.9.66/test/environment/rlimit-bad-profile.exp --- firejail-0.9.64.4/test/environment/rlimit-bad-profile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/rlimit-bad-profile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ send -- "firejail --profile=rlimit-bad1.profile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "invalid rlimit" + "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix." } after 100 diff -Nru firejail-0.9.64.4/test/environment/rlimit.exp firejail-0.9.66/test/environment/rlimit.exp --- firejail-0.9.64.4/test/environment/rlimit.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/rlimit.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/rlimit-profile.exp firejail-0.9.66/test/environment/rlimit-profile.exp --- firejail-0.9.64.4/test/environment/rlimit-profile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/rlimit-profile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/shell-none.exp firejail-0.9.66/test/environment/shell-none.exp --- firejail-0.9.64.4/test/environment/shell-none.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/shell-none.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/sound.exp firejail-0.9.66/test/environment/sound.exp --- firejail-0.9.64.4/test/environment/sound.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/sound.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 diff -Nru firejail-0.9.64.4/test/environment/timeout.exp firejail-0.9.66/test/environment/timeout.exp --- firejail-0.9.64.4/test/environment/timeout.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/timeout.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/umask.exp firejail-0.9.66/test/environment/umask.exp --- firejail-0.9.64.4/test/environment/umask.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/umask.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/environment/zsh.exp firejail-0.9.66/test/environment/zsh.exp --- firejail-0.9.64.4/test/environment/zsh.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/environment/zsh.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fcopy/cmdline.exp firejail-0.9.66/test/fcopy/cmdline.exp --- firejail-0.9.64.4/test/fcopy/cmdline.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fcopy/cmdline.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fcopy/dircopy.exp firejail-0.9.66/test/fcopy/dircopy.exp --- firejail-0.9.64.4/test/fcopy/dircopy.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fcopy/dircopy.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # diff -Nru firejail-0.9.64.4/test/fcopy/fcopy.sh firejail-0.9.66/test/fcopy/fcopy.sh --- firejail-0.9.64.4/test/fcopy/fcopy.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fcopy/fcopy.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/fcopy/filecopy.exp firejail-0.9.66/test/fcopy/filecopy.exp --- firejail-0.9.64.4/test/fcopy/filecopy.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fcopy/filecopy.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # diff -Nru firejail-0.9.64.4/test/fcopy/linkcopy.exp firejail-0.9.66/test/fcopy/linkcopy.exp --- firejail-0.9.64.4/test/fcopy/linkcopy.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fcopy/linkcopy.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # diff -Nru firejail-0.9.64.4/test/fcopy/src/dircopy.exp firejail-0.9.66/test/fcopy/src/dircopy.exp --- firejail-0.9.64.4/test/fcopy/src/dircopy.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fcopy/src/dircopy.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # diff -Nru firejail-0.9.64.4/test/filters/apparmor.exp firejail-0.9.66/test/filters/apparmor.exp --- firejail-0.9.64.4/test/filters/apparmor.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/apparmor.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/caps.exp firejail-0.9.66/test/filters/caps.exp --- firejail-0.9.64.4/test/filters/caps.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/caps.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/caps-join.exp firejail-0.9.66/test/filters/caps-join.exp --- firejail-0.9.64.4/test/filters/caps-join.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/caps-join.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/caps-print.exp firejail-0.9.66/test/filters/caps-print.exp --- firejail-0.9.64.4/test/filters/caps-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/caps-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/debug.exp firejail-0.9.66/test/filters/debug.exp --- firejail-0.9.64.4/test/filters/debug.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/debug.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/filters.sh firejail-0.9.66/test/filters/filters.sh --- firejail-0.9.64.4/test/filters/filters.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/filters.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/filters/fseccomp.exp firejail-0.9.66/test/filters/fseccomp.exp --- firejail-0.9.64.4/test/filters/fseccomp.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/fseccomp.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/memwrexe-32.exp firejail-0.9.66/test/filters/memwrexe-32.exp --- firejail-0.9.64.4/test/filters/memwrexe-32.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/memwrexe-32.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/memwrexe.c firejail-0.9.66/test/filters/memwrexe.c --- firejail-0.9.64.4/test/filters/memwrexe.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/memwrexe.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 #include diff -Nru firejail-0.9.64.4/test/filters/memwrexe.exp firejail-0.9.66/test/filters/memwrexe.exp --- firejail-0.9.64.4/test/filters/memwrexe.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/memwrexe.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/noroot.exp firejail-0.9.66/test/filters/noroot.exp --- firejail-0.9.64.4/test/filters/noroot.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/noroot.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/protocol.exp firejail-0.9.66/test/filters/protocol.exp --- firejail-0.9.64.4/test/filters/protocol.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/protocol.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-bad-empty.exp firejail-0.9.66/test/filters/seccomp-bad-empty.exp --- firejail-0.9.64.4/test/filters/seccomp-bad-empty.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-bad-empty.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-chmod.exp firejail-0.9.66/test/filters/seccomp-chmod.exp --- firejail-0.9.64.4/test/filters/seccomp-chmod.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-chmod.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-chmod-profile.exp firejail-0.9.66/test/filters/seccomp-chmod-profile.exp --- firejail-0.9.64.4/test/filters/seccomp-chmod-profile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-chmod-profile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-chown.exp firejail-0.9.66/test/filters/seccomp-chown.exp --- firejail-0.9.64.4/test/filters/seccomp-chown.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-chown.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-debug-32.exp firejail-0.9.66/test/filters/seccomp-debug-32.exp --- firejail-0.9.64.4/test/filters/seccomp-debug-32.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-debug-32.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-debug.exp firejail-0.9.66/test/filters/seccomp-debug.exp --- firejail-0.9.64.4/test/filters/seccomp-debug.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-debug.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-dualfilter.exp firejail-0.9.66/test/filters/seccomp-dualfilter.exp --- firejail-0.9.64.4/test/filters/seccomp-dualfilter.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-dualfilter.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 1 diff -Nru firejail-0.9.64.4/test/filters/seccomp-empty.exp firejail-0.9.66/test/filters/seccomp-empty.exp --- firejail-0.9.64.4/test/filters/seccomp-empty.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-empty.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-errno.exp firejail-0.9.66/test/filters/seccomp-errno.exp --- firejail-0.9.64.4/test/filters/seccomp-errno.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-errno.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-join.exp firejail-0.9.66/test/filters/seccomp-join.exp --- firejail-0.9.64.4/test/filters/seccomp-join.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-join.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-numeric.exp firejail-0.9.66/test/filters/seccomp-numeric.exp --- firejail-0.9.64.4/test/filters/seccomp-numeric.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-numeric.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-postexec.exp firejail-0.9.66/test/filters/seccomp-postexec.exp --- firejail-0.9.64.4/test/filters/seccomp-postexec.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-postexec.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-ptrace.exp firejail-0.9.66/test/filters/seccomp-ptrace.exp --- firejail-0.9.64.4/test/filters/seccomp-ptrace.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-ptrace.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-run-files.exp firejail-0.9.66/test/filters/seccomp-run-files.exp --- firejail-0.9.64.4/test/filters/seccomp-run-files.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-run-files.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/seccomp-su.exp firejail-0.9.66/test/filters/seccomp-su.exp --- firejail-0.9.64.4/test/filters/seccomp-su.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/seccomp-su.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/filters/syscall_test.c firejail-0.9.66/test/filters/syscall_test.c --- firejail-0.9.64.4/test/filters/syscall_test.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/filters/syscall_test.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 #include diff -Nru firejail-0.9.64.4/test/fnetfilter/cmdline.exp firejail-0.9.66/test/fnetfilter/cmdline.exp --- firejail-0.9.64.4/test/fnetfilter/cmdline.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fnetfilter/cmdline.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fnetfilter/copy.exp firejail-0.9.66/test/fnetfilter/copy.exp --- firejail-0.9.64.4/test/fnetfilter/copy.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fnetfilter/copy.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fnetfilter/default.exp firejail-0.9.66/test/fnetfilter/default.exp --- firejail-0.9.64.4/test/fnetfilter/default.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fnetfilter/default.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fnetfilter/fnetfilter.sh firejail-0.9.66/test/fnetfilter/fnetfilter.sh --- firejail-0.9.64.4/test/fnetfilter/fnetfilter.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fnetfilter/fnetfilter.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/fnetfilter/template.exp firejail-0.9.66/test/fnetfilter/template.exp --- firejail-0.9.64.4/test/fnetfilter/template.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fnetfilter/template.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/fscheck-bindnoroot.exp firejail-0.9.66/test/fs/fscheck-bindnoroot.exp --- firejail-0.9.64.4/test/fs/fscheck-bindnoroot.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fscheck-bindnoroot.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/fscheck-private.exp firejail-0.9.66/test/fs/fscheck-private.exp --- firejail-0.9.64.4/test/fs/fscheck-private.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fscheck-private.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/fscheck-readonly.exp firejail-0.9.66/test/fs/fscheck-readonly.exp --- firejail-0.9.64.4/test/fs/fscheck-readonly.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fscheck-readonly.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/fscheck-tmpfs.exp firejail-0.9.66/test/fs/fscheck-tmpfs.exp --- firejail-0.9.64.4/test/fs/fscheck-tmpfs.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fscheck-tmpfs.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -41,7 +41,7 @@ send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Error" + "Warning: you are not allowed to mount a tmpfs" } after 500 diff -Nru firejail-0.9.64.4/test/fs/fs_dev_shm.exp firejail-0.9.66/test/fs/fs_dev_shm.exp --- firejail-0.9.64.4/test/fs/fs_dev_shm.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fs_dev_shm.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/fs.sh firejail-0.9.66/test/fs/fs.sh --- firejail-0.9.64.4/test/fs/fs.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fs.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/fs/fs_var_lock.exp firejail-0.9.66/test/fs/fs_var_lock.exp --- firejail-0.9.64.4/test/fs/fs_var_lock.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fs_var_lock.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/fs_var_tmp.exp firejail-0.9.66/test/fs/fs_var_tmp.exp --- firejail-0.9.64.4/test/fs/fs_var_tmp.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/fs_var_tmp.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/invalid_filename.exp firejail-0.9.66/test/fs/invalid_filename.exp --- firejail-0.9.64.4/test/fs/invalid_filename.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/invalid_filename.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/kmsg.exp firejail-0.9.66/test/fs/kmsg.exp --- firejail-0.9.64.4/test/fs/kmsg.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/kmsg.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/macro.exp firejail-0.9.66/test/fs/macro.exp --- firejail-0.9.64.4/test/fs/macro.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/macro.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/mkdir.exp firejail-0.9.66/test/fs/mkdir.exp --- firejail-0.9.64.4/test/fs/mkdir.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/mkdir.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 3 diff -Nru firejail-0.9.64.4/test/fs/mkdir_mkfile.exp firejail-0.9.66/test/fs/mkdir_mkfile.exp --- firejail-0.9.64.4/test/fs/mkdir_mkfile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/mkdir_mkfile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/noblacklist-blacklist-noexec.exp firejail-0.9.66/test/fs/noblacklist-blacklist-noexec.exp --- firejail-0.9.64.4/test/fs/noblacklist-blacklist-noexec.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/noblacklist-blacklist-noexec.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/noblacklist-blacklist-readonly.exp firejail-0.9.66/test/fs/noblacklist-blacklist-readonly.exp --- firejail-0.9.64.4/test/fs/noblacklist-blacklist-readonly.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/noblacklist-blacklist-readonly.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/option_bind_user.exp firejail-0.9.66/test/fs/option_bind_user.exp --- firejail-0.9.64.4/test/fs/option_bind_user.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/option_bind_user.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/option_blacklist.exp firejail-0.9.66/test/fs/option_blacklist.exp --- firejail-0.9.64.4/test/fs/option_blacklist.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/option_blacklist.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/option_blacklist_file.exp firejail-0.9.66/test/fs/option_blacklist_file.exp --- firejail-0.9.64.4/test/fs/option_blacklist_file.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/option_blacklist_file.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/option_blacklist_glob.exp firejail-0.9.66/test/fs/option_blacklist_glob.exp --- firejail-0.9.64.4/test/fs/option_blacklist_glob.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/option_blacklist_glob.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-bin.exp firejail-0.9.66/test/fs/private-bin.exp --- firejail-0.9.64.4/test/fs/private-bin.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-bin.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-cache.exp firejail-0.9.66/test/fs/private-cache.exp --- firejail-0.9.64.4/test/fs/private-cache.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-cache.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-cwd.exp firejail-0.9.66/test/fs/private-cwd.exp --- firejail-0.9.64.4/test/fs/private-cwd.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-cwd.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-etc-empty.exp firejail-0.9.66/test/fs/private-etc-empty.exp --- firejail-0.9.64.4/test/fs/private-etc-empty.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-etc-empty.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-etc.exp firejail-0.9.66/test/fs/private-etc.exp --- firejail-0.9.64.4/test/fs/private-etc.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-etc.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private.exp firejail-0.9.66/test/fs/private.exp --- firejail-0.9.64.4/test/fs/private.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-home-dir.exp firejail-0.9.66/test/fs/private-home-dir.exp --- firejail-0.9.64.4/test/fs/private-home-dir.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-home-dir.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-homedir.exp firejail-0.9.66/test/fs/private-homedir.exp --- firejail-0.9.64.4/test/fs/private-homedir.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-homedir.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-home.exp firejail-0.9.66/test/fs/private-home.exp --- firejail-0.9.64.4/test/fs/private-home.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-home.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/private-lib.exp firejail-0.9.66/test/fs/private-lib.exp --- firejail-0.9.64.4/test/fs/private-lib.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-lib.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 diff -Nru firejail-0.9.64.4/test/fs/private-whitelist.exp firejail-0.9.66/test/fs/private-whitelist.exp --- firejail-0.9.64.4/test/fs/private-whitelist.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/private-whitelist.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/read-write.exp firejail-0.9.66/test/fs/read-write.exp --- firejail-0.9.64.4/test/fs/read-write.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/read-write.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/sys_fs.exp firejail-0.9.66/test/fs/sys_fs.exp --- firejail-0.9.64.4/test/fs/sys_fs.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/sys_fs.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/whitelist-dev.exp firejail-0.9.66/test/fs/whitelist-dev.exp --- firejail-0.9.64.4/test/fs/whitelist-dev.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/whitelist-dev.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/whitelist-double.exp firejail-0.9.66/test/fs/whitelist-double.exp --- firejail-0.9.64.4/test/fs/whitelist-double.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/whitelist-double.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/whitelist-empty.exp firejail-0.9.66/test/fs/whitelist-empty.exp --- firejail-0.9.64.4/test/fs/whitelist-empty.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/whitelist-empty.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 30 diff -Nru firejail-0.9.64.4/test/fs/whitelist.exp firejail-0.9.66/test/fs/whitelist.exp --- firejail-0.9.64.4/test/fs/whitelist.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/whitelist.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -16,10 +16,7 @@ after 200 send -- "rm ~/fjtest-file-lnk\r" after 200 -send -- "rm /tmp/fjtest-file\r" -after 200 -send -- "rm -fr /tmp/fjtest-dir\r" -after 200 + # simple files and directories @@ -149,63 +146,7 @@ send -- "exit\r" sleep 1 -# symlinks outside home to a file we don't own -send -- "rm ~/fjtest-file-lnk\r" -after 200 -send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r" -after 200 -send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" -expect { - timeout {puts "TESTING ERROR 30\n";exit} - "invalid whitelist path" -} -expect { - timeout {puts "TESTING ERROR 31\n";exit} - "cannot sync with peer" -} -sleep 1 - -# symlinks outside home to a file we own -send -- "rm -fr ~/fjtest-dir-lnk\r" -after 200 -send -- "rm ~/fjtest-file-lnk\r" -after 200 -send -- "echo 123 > /tmp/fjtest-file\r" -after 200 -send -- "mkdir /tmp/fjtest-dir\r" -after 200 -send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r" -after 200 -send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r" -after 200 -send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r" -after 200 -send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" -expect { - timeout {puts "TESTING ERROR 40\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -l ~/ | grep -v total | wc -l\r" -expect { - timeout {puts "TESTING ERROR 41\n";exit} - "2" -} -send -- "cat ~/fjtest-file-lnk\r" -expect { - timeout {puts "TESTING ERROR 42\n";exit} - "123" -} - -send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" -expect { - timeout {puts "TESTING ERROR 43\n";exit} - "123" -} -send -- "exit\r" -sleep 1 # cleanup send -- "rm -fr ~/fjtest-dir\r" @@ -216,10 +157,5 @@ after 200 send -- "rm ~/fjtest-file-lnk\r" after 200 -send -- "rm /tmp/fjtest-file\r" -after 200 -send -- "rm -fr /tmp/fjtest-dir\r" -after 200 - puts "\nall done\n" diff -Nru firejail-0.9.64.4/test/fs/whitelist-noexec.exp firejail-0.9.66/test/fs/whitelist-noexec.exp --- firejail-0.9.64.4/test/fs/whitelist-noexec.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/whitelist-noexec.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/whitelist-readonly.exp firejail-0.9.66/test/fs/whitelist-readonly.exp --- firejail-0.9.64.4/test/fs/whitelist-readonly.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/whitelist-readonly.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/fs/whitelist-whitespace.exp firejail-0.9.66/test/fs/whitelist-whitespace.exp --- firejail-0.9.64.4/test/fs/whitelist-whitespace.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/fs/whitelist-whitespace.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/Makefile.in firejail-0.9.66/test/Makefile.in --- firejail-0.9.64.4/test/Makefile.in 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/Makefile.in 2021-06-22 15:51:28.000000000 +0000 @@ -1,13 +1,14 @@ TESTS=$(patsubst %/,%,$(wildcard */)) .PHONY: $(TESTS) - $(TESTS): cd $@ && ./$@.sh 2>&1 | tee $@.log cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log +.PHONY: clean clean: for test in $(TESTS); do rm -f "$$test/$$test.log"; done +.PHONY: distclean distclean: clean rm -f Makefile diff -Nru firejail-0.9.64.4/test/network/4bridges_arp.exp firejail-0.9.66/test/network/4bridges_arp.exp --- firejail-0.9.64.4/test/network/4bridges_arp.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/4bridges_arp.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/4bridges_ip.exp firejail-0.9.66/test/network/4bridges_ip.exp --- firejail-0.9.64.4/test/network/4bridges_ip.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/4bridges_ip.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/bandwidth.exp firejail-0.9.66/test/network/bandwidth.exp --- firejail-0.9.64.4/test/network/bandwidth.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/bandwidth.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/configure firejail-0.9.66/test/network/configure --- firejail-0.9.64.4/test/network/configure 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/configure 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 brctl addbr br0 diff -Nru firejail-0.9.64.4/test/network/dns-print.exp firejail-0.9.66/test/network/dns-print.exp --- firejail-0.9.64.4/test/network/dns-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/dns-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/firemon-arp.exp firejail-0.9.66/test/network/firemon-arp.exp --- firejail-0.9.64.4/test/network/firemon-arp.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/firemon-arp.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/firemon-interfaces.exp firejail-0.9.66/test/network/firemon-interfaces.exp --- firejail-0.9.64.4/test/network/firemon-interfaces.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/firemon-interfaces.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/firemon-route.exp firejail-0.9.66/test/network/firemon-route.exp --- firejail-0.9.64.4/test/network/firemon-route.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/firemon-route.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/hostname.exp firejail-0.9.66/test/network/hostname.exp --- firejail-0.9.64.4/test/network/hostname.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/hostname.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/interface.exp firejail-0.9.66/test/network/interface.exp --- firejail-0.9.64.4/test/network/interface.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/interface.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # interface diff -Nru firejail-0.9.64.4/test/network/ip6.exp firejail-0.9.66/test/network/ip6.exp --- firejail-0.9.64.4/test/network/ip6.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/ip6.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/iprange.exp firejail-0.9.66/test/network/iprange.exp --- firejail-0.9.64.4/test/network/iprange.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/iprange.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_arp.exp firejail-0.9.66/test/network/net_arp.exp --- firejail-0.9.64.4/test/network/net_arp.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_arp.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_badip.exp firejail-0.9.66/test/network/net_badip.exp --- firejail-0.9.64.4/test/network/net_badip.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_badip.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_defaultgw2.exp firejail-0.9.66/test/network/net_defaultgw2.exp --- firejail-0.9.64.4/test/network/net_defaultgw2.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_defaultgw2.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_defaultgw3.exp firejail-0.9.66/test/network/net_defaultgw3.exp --- firejail-0.9.64.4/test/network/net_defaultgw3.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_defaultgw3.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_defaultgw.exp firejail-0.9.66/test/network/net_defaultgw.exp --- firejail-0.9.64.4/test/network/net_defaultgw.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_defaultgw.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/netfilter-template.exp firejail-0.9.66/test/network/netfilter-template.exp --- firejail-0.9.64.4/test/network/netfilter-template.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/netfilter-template.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_ip.exp firejail-0.9.66/test/network/net_ip.exp --- firejail-0.9.64.4/test/network/net_ip.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_ip.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_local.exp firejail-0.9.66/test/network/net_local.exp --- firejail-0.9.64.4/test/network/net_local.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_local.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_mac.exp firejail-0.9.66/test/network/net_mac.exp --- firejail-0.9.64.4/test/network/net_mac.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_mac.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_macvlan2.exp firejail-0.9.66/test/network/net_macvlan2.exp --- firejail-0.9.64.4/test/network/net_macvlan2.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_macvlan2.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_mtu.exp firejail-0.9.66/test/network/net_mtu.exp --- firejail-0.9.64.4/test/network/net_mtu.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_mtu.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_netfilter.exp firejail-0.9.66/test/network/net_netfilter.exp --- firejail-0.9.64.4/test/network/net_netfilter.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_netfilter.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_noip2.exp firejail-0.9.66/test/network/net_noip2.exp --- firejail-0.9.64.4/test/network/net_noip2.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_noip2.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_noip.exp firejail-0.9.66/test/network/net_noip.exp --- firejail-0.9.64.4/test/network/net_noip.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_noip.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_none.exp firejail-0.9.66/test/network/net_none.exp --- firejail-0.9.64.4/test/network/net_none.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_none.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/netns.exp firejail-0.9.66/test/network/netns.exp --- firejail-0.9.64.4/test/network/netns.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/netns.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_profile.exp firejail-0.9.66/test/network/net_profile.exp --- firejail-0.9.64.4/test/network/net_profile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_profile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_scan.exp firejail-0.9.66/test/network/net_scan.exp --- firejail-0.9.64.4/test/network/net_scan.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_scan.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/netstats.exp firejail-0.9.66/test/network/netstats.exp --- firejail-0.9.64.4/test/network/netstats.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/netstats.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_unconfigured.exp firejail-0.9.66/test/network/net_unconfigured.exp --- firejail-0.9.64.4/test/network/net_unconfigured.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_unconfigured.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/net_veth.exp firejail-0.9.66/test/network/net_veth.exp --- firejail-0.9.64.4/test/network/net_veth.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/net_veth.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/network/network.sh firejail-0.9.66/test/network/network.sh --- firejail-0.9.64.4/test/network/network.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/network.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/network/tcpserver.c firejail-0.9.66/test/network/tcpserver.c --- firejail-0.9.64.4/test/network/tcpserver.c 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/tcpserver.c 2021-06-22 15:51:28.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff -Nru firejail-0.9.64.4/test/network/veth-name.exp firejail-0.9.66/test/network/veth-name.exp --- firejail-0.9.64.4/test/network/veth-name.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/network/veth-name.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/atril.exp firejail-0.9.66/test/private-lib/atril.exp --- firejail-0.9.64.4/test/private-lib/atril.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/atril.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/dig.exp firejail-0.9.66/test/private-lib/dig.exp --- firejail-0.9.64.4/test/private-lib/dig.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/dig.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/eog.exp firejail-0.9.66/test/private-lib/eog.exp --- firejail-0.9.64.4/test/private-lib/eog.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/eog.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/eom.exp firejail-0.9.66/test/private-lib/eom.exp --- firejail-0.9.64.4/test/private-lib/eom.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/eom.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/evince.exp firejail-0.9.66/test/private-lib/evince.exp --- firejail-0.9.64.4/test/private-lib/evince.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/evince.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/galculator.exp firejail-0.9.66/test/private-lib/galculator.exp --- firejail-0.9.64.4/test/private-lib/galculator.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/galculator.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/gedit.exp firejail-0.9.66/test/private-lib/gedit.exp --- firejail-0.9.64.4/test/private-lib/gedit.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/gedit.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/gnome-calculator.exp firejail-0.9.66/test/private-lib/gnome-calculator.exp --- firejail-0.9.64.4/test/private-lib/gnome-calculator.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/gnome-calculator.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/gnome-logs.exp firejail-0.9.66/test/private-lib/gnome-logs.exp --- firejail-0.9.64.4/test/private-lib/gnome-logs.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/gnome-logs.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/gnome-nettool.exp firejail-0.9.66/test/private-lib/gnome-nettool.exp --- firejail-0.9.64.4/test/private-lib/gnome-nettool.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/gnome-nettool.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/gnome-system-log.exp firejail-0.9.66/test/private-lib/gnome-system-log.exp --- firejail-0.9.64.4/test/private-lib/gnome-system-log.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/gnome-system-log.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/gpicview.exp firejail-0.9.66/test/private-lib/gpicview.exp --- firejail-0.9.64.4/test/private-lib/gpicview.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/gpicview.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/leafpad.exp firejail-0.9.66/test/private-lib/leafpad.exp --- firejail-0.9.64.4/test/private-lib/leafpad.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/leafpad.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/mousepad.exp firejail-0.9.66/test/private-lib/mousepad.exp --- firejail-0.9.64.4/test/private-lib/mousepad.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/mousepad.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/pavucontrol.exp firejail-0.9.66/test/private-lib/pavucontrol.exp --- firejail-0.9.64.4/test/private-lib/pavucontrol.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/pavucontrol.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/pluma.exp firejail-0.9.66/test/private-lib/pluma.exp --- firejail-0.9.64.4/test/private-lib/pluma.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/pluma.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/private-lib.sh firejail-0.9.66/test/private-lib/private-lib.sh --- firejail-0.9.64.4/test/private-lib/private-lib.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/private-lib.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3g diff -Nru firejail-0.9.64.4/test/private-lib/transmission-gtk.exp firejail-0.9.66/test/private-lib/transmission-gtk.exp --- firejail-0.9.64.4/test/private-lib/transmission-gtk.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/transmission-gtk.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/whois.exp firejail-0.9.66/test/private-lib/whois.exp --- firejail-0.9.64.4/test/private-lib/whois.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/whois.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/private-lib/xcalc.exp firejail-0.9.66/test/private-lib/xcalc.exp --- firejail-0.9.64.4/test/private-lib/xcalc.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/private-lib/xcalc.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/comment.profile firejail-0.9.66/test/profiles/comment.profile --- firejail-0.9.64.4/test/profiles/comment.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/test/profiles/comment.profile 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,3 @@ +# this is a comment +net none # this is another comment +private # some other comment diff -Nru firejail-0.9.64.4/test/profiles/conditional.exp firejail-0.9.66/test/profiles/conditional.exp --- firejail-0.9.64.4/test/profiles/conditional.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/conditional.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/ignore.exp firejail-0.9.66/test/profiles/ignore.exp --- firejail-0.9.64.4/test/profiles/ignore.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/ignore.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/profile_appname.exp firejail-0.9.66/test/profiles/profile_appname.exp --- firejail-0.9.64.4/test/profiles/profile_appname.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_appname.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/profile_comment.exp firejail-0.9.66/test/profiles/profile_comment.exp --- firejail-0.9.64.4/test/profiles/profile_comment.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_comment.exp 2021-06-22 15:51:28.000000000 +0000 @@ -0,0 +1,52 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2021 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -fr /tmp/firejailtest*\r" +send -- "rm -fr /tmp/firejail-strace*\r" +send -- "rm -fr /tmp/firejail-trace*\r" +sleep 1 + +send -- "firejail --profile=comment.profile /usr/bin/true\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Parent is shutting down" +} +sleep 2 + +send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r" +sleep 1 + +send -- "cat /tmp/firejailtest.profile\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "seccomp" +} +after 100 + +send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Parent is shutting down" +} +after 100 + +send -- "rm -fr /tmp/firejailtest*\r" +send -- "rm -fr /tmp/firejail-strace*\r" +send -- "rm -fr /tmp/firejail-trace*\r" +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64.4/test/profiles/profile_followlnk.exp firejail-0.9.66/test/profiles/profile_followlnk.exp --- firejail-0.9.64.4/test/profiles/profile_followlnk.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_followlnk.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/profile_noperm.exp firejail-0.9.66/test/profiles/profile_noperm.exp --- firejail-0.9.64.4/test/profiles/profile_noperm.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_noperm.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/profile_readonly.exp firejail-0.9.66/test/profiles/profile_readonly.exp --- firejail-0.9.64.4/test/profiles/profile_readonly.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_readonly.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/profile_recursivity.exp firejail-0.9.66/test/profiles/profile_recursivity.exp --- firejail-0.9.64.4/test/profiles/profile_recursivity.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_recursivity.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/profiles.sh firejail-0.9.66/test/profiles/profiles.sh --- firejail-0.9.64.4/test/profiles/profiles.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profiles.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,12 +1,15 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C +echo "TESTING: profile comments (test/profiles/profilecomment.exp)" +./profile_comment.exp + echo "TESTING: profile conditional (test/profiles/conditional.exp)" ./conditional.exp @@ -34,10 +37,6 @@ echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" ./profile_noperm.exp -# problems with testing full list of profiles -# disabled in 0.9.64.2, to be brought back in the release after -exit 0 - # GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles. UID=`id -u` if [ -d "/run/user/$UID" ]; then diff -Nru firejail-0.9.64.4/test/profiles/profile_syntax2.exp firejail-0.9.66/test/profiles/profile_syntax2.exp --- firejail-0.9.64.4/test/profiles/profile_syntax2.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_syntax2.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/profile_syntax.exp firejail-0.9.66/test/profiles/profile_syntax.exp --- firejail-0.9.64.4/test/profiles/profile_syntax.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/profile_syntax.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/profiles/test-profile.exp firejail-0.9.66/test/profiles/test-profile.exp --- firejail-0.9.64.4/test/profiles/test-profile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/profiles/test-profile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/apache2.exp firejail-0.9.66/test/root/apache2.exp --- firejail-0.9.64.4/test/root/apache2.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/apache2.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff -Nru firejail-0.9.64.4/test/root/cgroup.exp firejail-0.9.66/test/root/cgroup.exp --- firejail-0.9.64.4/test/root/cgroup.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/cgroup.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/checkcfg.exp firejail-0.9.66/test/root/checkcfg.exp --- firejail-0.9.64.4/test/root/checkcfg.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/checkcfg.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/firecfg.exp firejail-0.9.66/test/root/firecfg.exp --- firejail-0.9.64.4/test/root/firecfg.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/firecfg.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/firemon-events.exp firejail-0.9.66/test/root/firemon-events.exp --- firejail-0.9.64.4/test/root/firemon-events.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/firemon-events.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/isc-dhcp.exp firejail-0.9.66/test/root/isc-dhcp.exp --- firejail-0.9.64.4/test/root/isc-dhcp.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/isc-dhcp.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff -Nru firejail-0.9.64.4/test/root/join.exp firejail-0.9.66/test/root/join.exp --- firejail-0.9.64.4/test/root/join.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/join.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/login_nobody.exp firejail-0.9.66/test/root/login_nobody.exp --- firejail-0.9.64.4/test/root/login_nobody.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/login_nobody.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/nginx.exp firejail-0.9.66/test/root/nginx.exp --- firejail-0.9.64.4/test/root/nginx.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/nginx.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff -Nru firejail-0.9.64.4/test/root/option_bind_directory.exp firejail-0.9.66/test/root/option_bind_directory.exp --- firejail-0.9.64.4/test/root/option_bind_directory.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/option_bind_directory.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/option_bind_file.exp firejail-0.9.66/test/root/option_bind_file.exp --- firejail-0.9.64.4/test/root/option_bind_file.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/option_bind_file.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/option_tmpfs.exp firejail-0.9.66/test/root/option_tmpfs.exp --- firejail-0.9.64.4/test/root/option_tmpfs.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/option_tmpfs.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/private.exp firejail-0.9.66/test/root/private.exp --- firejail-0.9.64.4/test/root/private.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/private.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/profile_tmpfs.exp firejail-0.9.66/test/root/profile_tmpfs.exp --- firejail-0.9.64.4/test/root/profile_tmpfs.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/profile_tmpfs.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/root.sh firejail-0.9.66/test/root/root.sh --- firejail-0.9.64.4/test/root/root.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/root.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # set a new firejail config file diff -Nru firejail-0.9.64.4/test/root/seccomp-chmod.exp firejail-0.9.66/test/root/seccomp-chmod.exp --- firejail-0.9.64.4/test/root/seccomp-chmod.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/seccomp-chmod.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/seccomp-chown.exp firejail-0.9.66/test/root/seccomp-chown.exp --- firejail-0.9.64.4/test/root/seccomp-chown.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/seccomp-chown.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/seccomp-umount.exp firejail-0.9.66/test/root/seccomp-umount.exp --- firejail-0.9.64.4/test/root/seccomp-umount.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/seccomp-umount.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/root/snmpd.exp firejail-0.9.66/test/root/snmpd.exp --- firejail-0.9.64.4/test/root/snmpd.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/snmpd.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff -Nru firejail-0.9.64.4/test/root/unbound.exp firejail-0.9.66/test/root/unbound.exp --- firejail-0.9.64.4/test/root/unbound.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/unbound.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff -Nru firejail-0.9.64.4/test/root/whitelist.exp firejail-0.9.66/test/root/whitelist.exp --- firejail-0.9.64.4/test/root/whitelist.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/root/whitelist.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/cpio.exp firejail-0.9.66/test/sysutils/cpio.exp --- firejail-0.9.64.4/test/sysutils/cpio.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/cpio.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/file.exp firejail-0.9.66/test/sysutils/file.exp --- firejail-0.9.64.4/test/sysutils/file.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/file.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/gzip.exp firejail-0.9.66/test/sysutils/gzip.exp --- firejail-0.9.64.4/test/sysutils/gzip.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/gzip.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/less.exp firejail-0.9.66/test/sysutils/less.exp --- firejail-0.9.64.4/test/sysutils/less.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/less.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/ping.exp firejail-0.9.66/test/sysutils/ping.exp --- firejail-0.9.64.4/test/sysutils/ping.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/ping.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/strings.exp firejail-0.9.66/test/sysutils/strings.exp --- firejail-0.9.64.4/test/sysutils/strings.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/strings.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/sysutils.sh firejail-0.9.66/test/sysutils/sysutils.sh --- firejail-0.9.64.4/test/sysutils/sysutils.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/sysutils.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff -Nru firejail-0.9.64.4/test/sysutils/tar.exp firejail-0.9.66/test/sysutils/tar.exp --- firejail-0.9.64.4/test/sysutils/tar.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/tar.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/xzdec.exp firejail-0.9.66/test/sysutils/xzdec.exp --- firejail-0.9.64.4/test/sysutils/xzdec.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/xzdec.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/sysutils/xz.exp firejail-0.9.66/test/sysutils/xz.exp --- firejail-0.9.64.4/test/sysutils/xz.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/sysutils/xz.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 60 diff -Nru firejail-0.9.64.4/test/utils/audit.exp firejail-0.9.66/test/utils/audit.exp --- firejail-0.9.64.4/test/utils/audit.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/audit.exp 1970-01-01 00:00:00.000000000 +0000 @@ -1,167 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --audit\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Firejail Audit" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "is running in a PID namespace" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "container/sandbox firejail" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "seccomp BPF enabled" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "all capabilities are disabled" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "dev directory seems to be fully populated" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Parent is shutting down, bye..." -} -after 100 - - -send -- "firejail --audit\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Firejail Audit" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "is running in a PID namespace" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "container/sandbox firejail" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "seccomp BPF enabled" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "all capabilities are disabled" -} -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "dev directory seems to be fully populated" -} -expect { - timeout {puts "TESTING ERROR 11.1\n";exit} - "Parent is shutting down, bye..." -} -after 100 - -send -- "firejail --audit=blablabla\r" -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "cannot find the audit program" -} -after 100 - -send -- "firejail --audit=\r" -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "invalid audit program" -} -after 100 - -# run audit executable without a sandbox -send -- "faudit\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "is not running in a PID namespace" -} -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "BAD: seccomp disabled" -} -expect { - timeout {puts "TESTING ERROR 15\n";exit} - "BAD: the capability map is" -} -expect { - timeout {puts "TESTING ERROR 16\n";exit} - "MAYBE: /dev directory seems to be fully populated" -} -after 100 - -# test seccomp -send -- "firejail --seccomp.drop=mkdir --audit\r" -expect { - timeout {puts "TESTING ERROR 17\n";exit} - "Firejail Audit" -} -expect { - timeout {puts "TESTING ERROR 18\n";exit} - "GOOD: seccomp BPF enabled" -} -expect { - timeout {puts "TESTING ERROR 19\n";exit} - "UGLY: mount syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 20\n";exit} - "UGLY: umount2 syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 21\n";exit} - "UGLY: ptrace syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 22\n";exit} - "UGLY: swapon syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 23\n";exit} - "UGLY: swapoff syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 24\n";exit} - "UGLY: init_module syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 25\n";exit} - "UGLY: delete_module syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 26\n";exit} - "UGLY: chroot syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 27\n";exit} - "UGLY: pivot_root syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 28\n";exit} - "UGLY: iopl syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 29\n";exit} - "UGLY: ioperm syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 30\n";exit} - "GOOD: all capabilities are disabled" -} -after 100 - -puts "\nall done\n" diff -Nru firejail-0.9.64.4/test/utils/build.exp firejail-0.9.66/test/utils/build.exp --- firejail-0.9.64.4/test/utils/build.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/build.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -21,35 +21,35 @@ } expect { timeout {puts "TESTING ERROR 2\n";exit} - "blacklist /usr/share" + "include whitelist-usr-share-common.inc" } expect { timeout {puts "TESTING ERROR 3\n";exit} - "blacklist /var" + "include whitelist-var-common.inc" } expect { timeout {puts "TESTING ERROR 4\n";exit} - "private-bin cat," + "caps.drop all" } expect { timeout {puts "TESTING ERROR 5\n";exit} - "private-dev" + "ipc-namespace" } expect { timeout {puts "TESTING ERROR 6\n";exit} - "private-etc" + "netfilter" } expect { timeout {puts "TESTING ERROR 7\n";exit} - "private-tmp" + "nonewprivs" } expect { timeout {puts "TESTING ERROR 8\n";exit} - "caps.drop all" + "noroot" } expect { timeout {puts "TESTING ERROR 9\n";exit} - "nonewprivs" + "net none" } expect { timeout {puts "TESTING ERROR 10\n";exit} @@ -57,11 +57,23 @@ } expect { timeout {puts "TESTING ERROR 11\n";exit} - "net none" + "shell none" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "private-bin cat," } expect { timeout {puts "TESTING ERROR 12\n";exit} - "shell none" + "private-dev" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "private-etc none" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "private-tmp" } after 100 diff -Nru firejail-0.9.64.4/test/utils/caps-print.exp firejail-0.9.66/test/utils/caps-print.exp --- firejail-0.9.64.4/test/utils/caps-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/caps-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/catchsignal2.sh firejail-0.9.66/test/utils/catchsignal2.sh --- firejail-0.9.64.4/test/utils/catchsignal2.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/catchsignal2.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 _term() { diff -Nru firejail-0.9.64.4/test/utils/catchsignal-master.sh firejail-0.9.66/test/utils/catchsignal-master.sh --- firejail-0.9.64.4/test/utils/catchsignal-master.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/catchsignal-master.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 ./catchsignal.sh & diff -Nru firejail-0.9.64.4/test/utils/catchsignal.sh firejail-0.9.66/test/utils/catchsignal.sh --- firejail-0.9.64.4/test/utils/catchsignal.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/catchsignal.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 _term() { diff -Nru firejail-0.9.64.4/test/utils/command.exp firejail-0.9.66/test/utils/command.exp --- firejail-0.9.64.4/test/utils/command.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/command.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/cpu-print.exp firejail-0.9.66/test/utils/cpu-print.exp --- firejail-0.9.64.4/test/utils/cpu-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/cpu-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/dns-print.exp firejail-0.9.66/test/utils/dns-print.exp --- firejail-0.9.64.4/test/utils/dns-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/dns-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/firemon-caps.exp firejail-0.9.66/test/utils/firemon-caps.exp --- firejail-0.9.64.4/test/utils/firemon-caps.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/firemon-caps.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/firemon-cgroup.exp firejail-0.9.66/test/utils/firemon-cgroup.exp --- firejail-0.9.64.4/test/utils/firemon-cgroup.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/firemon-cgroup.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/firemon-cpu.exp firejail-0.9.66/test/utils/firemon-cpu.exp --- firejail-0.9.64.4/test/utils/firemon-cpu.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/firemon-cpu.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/firemon-interface.exp firejail-0.9.66/test/utils/firemon-interface.exp --- firejail-0.9.64.4/test/utils/firemon-interface.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/firemon-interface.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/firemon-name.exp firejail-0.9.66/test/utils/firemon-name.exp --- firejail-0.9.64.4/test/utils/firemon-name.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/firemon-name.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/firemon-seccomp.exp firejail-0.9.66/test/utils/firemon-seccomp.exp --- firejail-0.9.64.4/test/utils/firemon-seccomp.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/firemon-seccomp.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/firemon-version.exp firejail-0.9.66/test/utils/firemon-version.exp --- firejail-0.9.64.4/test/utils/firemon-version.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/firemon-version.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/fs-print.exp firejail-0.9.66/test/utils/fs-print.exp --- firejail-0.9.64.4/test/utils/fs-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/fs-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/help.exp firejail-0.9.66/test/utils/help.exp --- firejail-0.9.64.4/test/utils/help.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/help.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/join2.exp firejail-0.9.66/test/utils/join2.exp --- firejail-0.9.64.4/test/utils/join2.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/join2.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/join3.exp firejail-0.9.66/test/utils/join3.exp --- firejail-0.9.64.4/test/utils/join3.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/join3.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/join4.exp firejail-0.9.66/test/utils/join4.exp --- firejail-0.9.64.4/test/utils/join4.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/join4.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/join5.exp firejail-0.9.66/test/utils/join5.exp --- firejail-0.9.64.4/test/utils/join5.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/join5.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/join.exp firejail-0.9.66/test/utils/join.exp --- firejail-0.9.64.4/test/utils/join.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/join.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/join-profile.exp firejail-0.9.66/test/utils/join-profile.exp --- firejail-0.9.64.4/test/utils/join-profile.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/join-profile.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/list.exp firejail-0.9.66/test/utils/list.exp --- firejail-0.9.64.4/test/utils/list.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/list.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/ls.exp firejail-0.9.66/test/utils/ls.exp --- firejail-0.9.64.4/test/utils/ls.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/ls.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/man.exp firejail-0.9.66/test/utils/man.exp --- firejail-0.9.64.4/test/utils/man.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/man.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/name.exp firejail-0.9.66/test/utils/name.exp --- firejail-0.9.64.4/test/utils/name.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/name.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/profile_print.exp firejail-0.9.66/test/utils/profile_print.exp --- firejail-0.9.64.4/test/utils/profile_print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/profile_print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/protocol-print.exp firejail-0.9.66/test/utils/protocol-print.exp --- firejail-0.9.64.4/test/utils/protocol-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/protocol-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/seccomp-print.exp firejail-0.9.66/test/utils/seccomp-print.exp --- firejail-0.9.64.4/test/utils/seccomp-print.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/seccomp-print.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/shutdown2.exp firejail-0.9.66/test/utils/shutdown2.exp --- firejail-0.9.64.4/test/utils/shutdown2.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/shutdown2.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/shutdown3.exp firejail-0.9.66/test/utils/shutdown3.exp --- firejail-0.9.64.4/test/utils/shutdown3.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/shutdown3.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/shutdown4.exp firejail-0.9.66/test/utils/shutdown4.exp --- firejail-0.9.64.4/test/utils/shutdown4.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/shutdown4.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/shutdown.exp firejail-0.9.66/test/utils/shutdown.exp --- firejail-0.9.64.4/test/utils/shutdown.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/shutdown.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 15 diff -Nru firejail-0.9.64.4/test/utils/top.exp firejail-0.9.66/test/utils/top.exp --- firejail-0.9.64.4/test/utils/top.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/top.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/trace.exp firejail-0.9.66/test/utils/trace.exp --- firejail-0.9.64.4/test/utils/trace.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/trace.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 30 diff -Nru firejail-0.9.64.4/test/utils/tree.exp firejail-0.9.66/test/utils/tree.exp --- firejail-0.9.64.4/test/utils/tree.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/tree.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff -Nru firejail-0.9.64.4/test/utils/utils.sh firejail-0.9.66/test/utils/utils.sh --- firejail-0.9.64.4/test/utils/utils.sh 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/utils.sh 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -8,7 +8,7 @@ export LC_ALL=C if [ -f /etc/debian_version ]; then - libdir=$(dirname "$(dpkg -L firejail | grep faudit)") + libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") export PATH="$PATH:$libdir" fi export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" @@ -18,13 +18,6 @@ rm -f ~/firejail-test-file-7699 rm -f firejail-test-file-4388 -if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]; then - echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)" -else - echo "TESTING: audit (test/utils/audit.exp)" - ./audit.exp -fi - echo "TESTING: name (test/utils/name.exp)" ./name.exp diff -Nru firejail-0.9.64.4/test/utils/version.exp firejail-0.9.66/test/utils/version.exp --- firejail-0.9.64.4/test/utils/version.exp 2021-02-04 15:29:49.000000000 +0000 +++ firejail-0.9.66/test/utils/version.exp 2021-06-22 15:51:28.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10