Commit 10e2693a authored by Lorenzo Faletra's avatar Lorenzo Faletra

Import Upstream version 0.9.56

parent 31f7c85c
......@@ -22,16 +22,14 @@ HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
HAVE_SUID=@HAVE_SUID@
uids.h:; ./mkuid.sh
.PHONY: mylibs $(MYLIBS)
mylibs: $(MYLIBS)
$(MYLIBS): uids.h
$(MYLIBS):
$(MAKE) -C $@
.PHONY: apps $(APPS)
apps: $(APPS)
$(APPS): $(MYLIBS) uids.h
$(APPS): $(MYLIBS)
$(MAKE) -C $@
$(MANPAGES): $(wildcard src/man/*.txt)
......@@ -73,7 +71,7 @@ distclean: clean
for dir in $(APPS) $(MYLIBS); do \
$(MAKE) -C $$dir distclean; \
done
rm -fr Makefile autom4te.cache config.log config.status config.h uids.h dummy.o src/common.mk
rm -fr Makefile autom4te.cache config.log config.status config.h dummy.o src/common.mk
realinstall:
# firejail executable
......@@ -192,7 +190,7 @@ uninstall:
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES"
DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
dist:
......
......@@ -9,7 +9,7 @@ Pidgin, Quassel, and XChat.
Firejail also expands the restricted shell facility found in bash by adding
Linux namespace support. It supports sandboxing specific users upon login.
Download: http://sourceforge.net/projects/firejail/files/
Download: https://sourceforge.net/projects/firejail/files/
Build and install: ./configure && make && sudo make install
Documentation and support: https://firejail.wordpress.com/
Development: https://github.com/netblue30/firejail
......@@ -47,6 +47,8 @@ Committers
Firejail Authors (alphabetical order)
1dnrr (https://github.com/1dnrr)
- add pybitmessage profile
Aidan Gauland (https://github.com/aidalgol)
- added electron and riot-web profiles
Akhil Hans Maulloo (https://github.com/kouul)
......@@ -117,11 +119,15 @@ bn0785ac (https://github.com/bn0785ac)
- chromium canary (inox-family) fixes
- allow multithreading for cin and natron
- fix dbus access for libreoffice on KDE
- fix inox, add snox profile
BogDan Vatra (https://github.com/bog-dan-ro)
- zoom profile
Bruno Nova (https://github.com/brunonova)
- whitelist fix
- bash arguments fix
Bundy01 (https://github.com/Bundy01)
- fixup geary
- add gradio profile
BytesTuner (https://github.com/BytesTuner)
- provided keepassxc profile
caoliver (https://github.com/caoliver)
......@@ -239,9 +245,11 @@ Fred-Barclay (https://github.com/Fred-Barclay)
- added BibleTime profile
- added caja and galculator profiles
- added Catfish profile
Frederik Olesen (https://github.com/Freso)
- added many vim profiles
g3ngr33n (https://github.com/g3ngr33n)
- fix musl compilation
G4JC (http://sourceforge.net/u/gaming4jc/profile/)
G4JC (https://sourceforge.net/u/gaming4jc/profile/)
- ARM support
- profile fixes
Gaman Gabriel (https://github.com/stelariusinfinitek)
......@@ -310,6 +318,12 @@ Jean Lucas (https://github.com/flacks)
- add WebStorm profile
- add XMind profile
- add nvm to list of disabled interpreters
- fixes for tor-browser-* profiles
- alias for riot-desktop
- add gnome-mpv profile
- fix wire profile
- add Beaker profile
- fixes for gnome-music
Jericho (https://github.com/attritionorg)
- spelling
Jesse Smith (https://github.com/slicer69)
......@@ -380,6 +394,8 @@ Mattias Wadman (https://github.com/wader)
- seccomp errno filter support
Matthew Gyurgyik (https://github.com/pyther)
- rpm spec and several fixes
matu3ba (https://github.com/matu3ba)
- evince hardening, dbus removed
maxice8 (https://github.com/maxice8)
- fixed missing header
Melvin Vermeeren (https://github.com/melvinvermeeren)
......@@ -404,7 +420,7 @@ Ondra Nekola (https://github.com/satai)
- allow firefox theming with non-global themes
Panzerfather (https://github.com/Panzerfather)
- allow eog to access user's trash
Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
- user namespace implementation
Paul Moore <pmoore@redhat.com>
-src/fsec-print/print.c extracted from libseccomp software package
......@@ -479,6 +495,8 @@ rogshdo (https://github.com/rogshdo)
- BitlBee profile
Ruan (https://github.com/ruany)
- fixed hexchat profile
Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
- fixed ktorrent profile
sarneaud (https://github.com/sarneaud)
- rewrite globbing code to fix various minor issues
- added noblacklist command for profile files
......@@ -544,7 +562,7 @@ SkewedZeppelin (https://github.com/SkewedZeppelin)
- hardern /var
- profile standard layout
- Spotify and itch.io profile fixes
sshirokov (http://sourceforge.net/u/yshirokov/profile/)
sshirokov (https://sourceforge.net/u/yshirokov/profile/)
- Patch to output "Reading profile" to stderr instead of stdout
SYN-cook (https://github.com/SYN-cook)
- keepass/keepassx browser fixes
......@@ -638,6 +656,10 @@ Vasya Novikov (https://github.com/vn971)
- seccomp syscall list update for glibc 2.26-10
Veeti Paananen (https://github.com/veeti)
- fixed Spotify profile
veloute (https://github.com/veloute)
- added standardnotes profile
- added flameshot profile
- added jdownloader profile
Vincent43 (https://github.com/Vincent43)
- apparmor enhancements
vismir2 (https://github.com/vismir2)
......
firejail (0.9.56) baseline; urgency=low
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
-- netblue30 <netblue30@yahoo.com> Tue, 18 Sep 2018 08:00:00 -0500
firejail (0.9.54) baseline; urgency=low
* modif: --force removed
* modif: --csh, --zsh removed
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for firejail 0.9.54.
# Generated by GNU Autoconf 2.69 for firejail 0.9.56.
#
# Report bugs to <netblue30@yahoo.com>.
#
......@@ -580,10 +580,10 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='firejail'
PACKAGE_TARNAME='firejail'
PACKAGE_VERSION='0.9.54'
PACKAGE_STRING='firejail 0.9.54'
PACKAGE_VERSION='0.9.56'
PACKAGE_STRING='firejail 0.9.56'
PACKAGE_BUGREPORT='netblue30@yahoo.com'
PACKAGE_URL='http://firejail.wordpress.com'
PACKAGE_URL='https://firejail.wordpress.com'
ac_unique_file="src/firejail/main.c"
# Factoring default headers for most tests.
......@@ -636,7 +636,6 @@ HAVE_X11
HAVE_USERNS
HAVE_NETWORK
HAVE_GLOBALCFG
HAVE_BIND
HAVE_CHROOT
HAVE_SECCOMP
HAVE_PRIVATE_HOME
......@@ -705,7 +704,6 @@ enable_overlayfs
enable_private_home
enable_seccomp
enable_chroot
enable_bind
enable_globalcfg
enable_network
enable_userns
......@@ -1277,7 +1275,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures firejail 0.9.54 to adapt to many kinds of systems.
\`configure' configures firejail 0.9.56 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1339,7 +1337,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of firejail 0.9.54:";;
short | recursive ) echo "Configuration of firejail 0.9.56:";;
esac
cat <<\_ACEOF
......@@ -1352,12 +1350,9 @@ Optional Features:
--disable-private-home disable private home feature
--disable-seccomp disable seccomp
--disable-chroot disable chroot
--disable-bind disable bind
--disable-globalcfg if the global config file firejail.cfg is not
present, continue the program using defaults
--disable-network disable network
--enable-network=restricted
restrict --net= to root only
--disable-userns disable user namespace
--disable-x11 disable X11 sandboxing support
--disable-file-transfer disable file transfer
......@@ -1384,7 +1379,7 @@ Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <netblue30@yahoo.com>.
firejail home page: <http://firejail.wordpress.com>.
firejail home page: <https://firejail.wordpress.com>.
_ACEOF
ac_status=$?
fi
......@@ -1447,7 +1442,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
firejail configure 0.9.54
firejail configure 0.9.56
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1749,7 +1744,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by firejail $as_me 0.9.54, which was
It was created by firejail $as_me 0.9.56, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -3626,19 +3621,6 @@ if test "x$enable_chroot" != "xno"; then :
HAVE_CHROOT="-DHAVE_CHROOT"
fi
HAVE_BIND=""
# Check whether --enable-bind was given.
if test "${enable_bind+set}" = set; then :
enableval=$enable_bind;
fi
if test "x$enable_bind" != "xno"; then :
HAVE_BIND="-DHAVE_BIND"
fi
HAVE_GLOBALCFG=""
......@@ -3660,19 +3642,9 @@ if test "${enable_network+set}" = set; then :
enableval=$enable_network;
fi
# Check whether --enable-network was given.
if test "${enable_network+set}" = set; then :
enableval=$enable_network;
fi
if test "x$enable_network" != "xno"; then :
HAVE_NETWORK="-DHAVE_NETWORK"
if test "x$enable_network" = "xrestricted"; then :
HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
fi
fi
......@@ -4407,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by firejail $as_me 0.9.54, which was
This file was extended by firejail $as_me 0.9.56, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -4455,13 +4427,13 @@ Configuration files:
$config_files
Report bugs to <netblue30@yahoo.com>.
firejail home page: <http://firejail.wordpress.com>."
firejail home page: <https://firejail.wordpress.com>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
firejail config.status 0.9.54
firejail config.status 0.9.56
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......@@ -5055,7 +5027,6 @@ echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
echo " apparmor: $HAVE_APPARMOR"
echo " global config: $HAVE_GLOBALCFG"
echo " chroot: $HAVE_CHROOT"
echo " bind: $HAVE_BIND"
echo " network: $HAVE_NETWORK"
echo " user namespace: $HAVE_USERNS"
echo " X11 sandboxing support: $HAVE_X11"
......
AC_PREREQ([2.68])
AC_INIT(firejail, 0.9.54, netblue30@yahoo.com, , http://firejail.wordpress.com)
AC_INIT(firejail, 0.9.56, netblue30@yahoo.com, , https://firejail.wordpress.com)
AC_CONFIG_SRCDIR([src/firejail/main.c])
#AC_CONFIG_HEADERS([config.h])
......@@ -83,14 +83,6 @@ AS_IF([test "x$enable_chroot" != "xno"], [
AC_SUBST(HAVE_CHROOT)
])
HAVE_BIND=""
AC_ARG_ENABLE([bind],
AS_HELP_STRING([--disable-bind], [disable bind]))
AS_IF([test "x$enable_bind" != "xno"], [
HAVE_BIND="-DHAVE_BIND"
AC_SUBST(HAVE_BIND)
])
HAVE_GLOBALCFG=""
AC_ARG_ENABLE([globalcfg],
AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
......@@ -102,13 +94,8 @@ AS_IF([test "x$enable_globalcfg" != "xno"], [
HAVE_NETWORK=""
AC_ARG_ENABLE([network],
AS_HELP_STRING([--disable-network], [disable network]))
AC_ARG_ENABLE([network],
AS_HELP_STRING([--enable-network=restricted], [ restrict --net= to root only]))
AS_IF([test "x$enable_network" != "xno"], [
HAVE_NETWORK="-DHAVE_NETWORK"
AS_IF([test "x$enable_network" = "xrestricted"], [
HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
])
AC_SUBST(HAVE_NETWORK)
])
......@@ -212,7 +199,6 @@ echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
echo " apparmor: $HAVE_APPARMOR"
echo " global config: $HAVE_GLOBALCFG"
echo " chroot: $HAVE_CHROOT"
echo " bind: $HAVE_BIND"
echo " network: $HAVE_NETWORK"
echo " user namespace: $HAVE_USERNS"
echo " X11 sandboxing support: $HAVE_X11"
......
......@@ -24,7 +24,7 @@ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
For more information, please refer to <http://unlicense.org/>"""
For more information, please refer to <https://unlicense.org/>"""
__license__ = "Unlicense"
import sys, os, glob, re
......
#!/usr/bin/env python3
"""
Figure out which profile options may be causing a particular program to break
when run in firejail.
Instead of having to comment out each line in a profile by hand, and then
enable each line individually until the bad line or lines are found, this
largely automates the process. Users only have to provide the path to the
profile, program name, and answer 'y' for yes or 'n' for no when prompted.
After completion, you'll be provided with some information to copy and then
paste into a GitHub issue in the Firejail project repository:
https://github.com/netblue30/firejail/issues
Paths to the profile should be absolute. If the program is in your path, then
you only have to type the profile name. Else, you'll need to provide the
absolute path to the profile.
Examples:
python jail_prober.py /etc/firejail/spotify.profile spotify
python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox
"""
import sys
import os
import subprocess
def check_params(profilePath):
"""
Ensure the path to the profile is valid and that an actual profile has been
passed (as opposed to a config or .local file).
:params profilePath: The absolute path to the problematic profile.
"""
if not os.path.isfile(profilePath):
raise FileNotFoundError(
'The path %s is not a valid system path.' % profilePath)
if not profilePath.endswith('.profile'):
raise ValueError('%s is not a valid Firejail profile.' % profilePath)
def get_args(profilePath):
"""
Read the profile, stripping out comments and newlines
:params profilePath: The absolute path to the problematic profile.
:returns profile: A list containing all active profile arguments
"""
with open(profilePath, 'r') as f:
profile = f.readlines()
profile = [
arg.strip() for arg in profile
if not arg.startswith('#') and arg.strip() != ''
]
return profile
def arg_converter(argList, style):
"""
Convert between firejail command-line arguments (--example=something) and
profile arguments (example something)
:params argList: A list of firejail arguments
:params style: Whether to convert arguments to command-line form or profile
form
"""
if style == 'to_profile':
oldSep = '='
newSep = ' '
prefix = ''
elif style == 'to_commandline':
oldSep = ' '
newSep = '='
prefix = '--'
newArgs = [prefix + word.replace(oldSep, newSep) for word in argList]
# Additional strip of '--' if converting to profile form
if style == 'to_profile':
newArgs = [word[2:] for word in newArgs]
# Remove invalid '--include' args if converting to command-line form
elif style == 'to_commandline':
newArgs = [word for word in newArgs if 'include' not in word]
return newArgs
def run_firejail(program, allArgs):
"""
Attempt to run the program in firejail, incrementally adding to the number
of firejail arguments. Initial run has no additional params besides
noprofile.
:params program: The program name. If it doesn't exist in the user's path
then the full path should be provided.
:params allArgs: A list of all Firejail arguments to try, in command-line
format.
:returns goodArgs: A list of arguments that the user has reported to not
affect the program
:returns badArgs: A list of arguments that the user has reported to break
the program when sandboxing with Firejail
"""
goodArgs = ['firejail', '--noprofile', program]
badArgs = []
print('Attempting to run %s in Firejail' % program)
for arg in allArgs:
print('Running with', arg)
subprocess.call(goodArgs)
ans = input('Did %s run correctly? [y]/n ' % program)
if ans == 'n' or ans == 'N':
badArgs.append(arg)
else:
goodArgs.insert(-1, arg)
print('\n')
# Don't include 'firejail', '--noprofile', or program name in arguments
goodArgs = goodArgs[2:-1]
return goodArgs, badArgs
def main():
profilePath = sys.argv[1]
program = sys.argv[2]
# Quick error check and extract arguments
check_params(profilePath)
profile = get_args(profilePath)
allArgs = arg_converter(profile, 'to_commandline')
# Find out which profile options break the program when running in firejail
goodArgs, badArgs = run_firejail(program, allArgs)
goodArgs = arg_converter(goodArgs, 'to_profile')
badArgs = arg_converter(badArgs, 'to_profile')
print('\n###########################')
print('Debugging completed.')
print(
'Please copy the following and report it to the Firejail development',
'team on GitHub at %s \n\n' %
'https://github.com/netblue30/firejail/issues')
subprocess.call(['firejail', '--version'])
print('Th