Commit 74d92f26 authored by Lorenzo Faletra's avatar Lorenzo Faletra

Import Upstream version 0.9.58

parent 10e2693a
......@@ -190,7 +190,7 @@ uninstall:
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES"
DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
dist:
......@@ -211,6 +211,9 @@ asc:; ./mkasc.sh $(VERSION)
deb: dist
./mkdeb.sh $(NAME) $(VERSION)
deb-apparmor: dist
./mkdeb-apparmor.sh $(NAME) $(VERSION)
snap: all
cd platform/snap; ./snap.sh
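Review bot: The new `deb-apparmor` target is a command name rather than a file, and nothing in the shown hunks declares it phony; any `.PHONY` list in this Makefile lies outside the visible lines. It will rerun today only because its prerequisite `dist` presumably never exists as a file, which is incidental rather than stated. If `deb` and `snap` are declared phony elsewhere, add this one alongside them, e.g. `.PHONY: deb-apparmor`. A one-line comment above the rule saying how its package differs from the plain `deb` one would also help, since the recipe is otherwise a copy of `deb` with a different script name.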
......
......@@ -33,14 +33,16 @@ Maintainer:
- netblue30 (netblue30@yahoo.com)
Committers
- chiraag-nataraj (https://github.com/chiraag-nataraj)
- crass (https://github.com/crass)
- glitsj16 (https://github.com/glitsj16)
- Fred-Barclay (https://github.com/Fred-Barclay)
- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
- smithsohu (https://github.com/smitsohu)
- SkewedZeppelin (https://github.com/SkewedZeppelin)
- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer)
- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
- Topi Miettinen (https://github.com/topimiettinen)
- Vincent43 (https://github.com/Vincent43)
- chiraag-nataraj (https://github.com/chiraag-nataraj)
- netblue30 (netblue30@yahoo.com)
......@@ -62,7 +64,7 @@ Aleksey Manevich (https://github.com/manevich)
- fix double quotes/single quotes problem
- big rework of argument processing subsystem
- --join fixes
- spliting up cmdline.c
- splitting up cmdline.c
- Busybox support
- X11 support rewrite
- gether shell selection code in one place
......@@ -85,6 +87,8 @@ andrew160 (https://github.com/andrew160)
- profile and man pages fixes
announ (https://github.com/announ)
- mpv and youtube-dl profile fixes
- git profile fix
- evince profile fix
Antonio Russo (https://github.com/aerusso)
- enumerate root directories in apparmor profile
- fix join-or-start
......@@ -122,6 +126,8 @@ bn0785ac (https://github.com/bn0785ac)
- fix inox, add snox profile
BogDan Vatra (https://github.com/bog-dan-ro)
- zoom profile
Brad Ackerman
- blacklist Bitwarden config in disable-passwdmgr.inc
Bruno Nova (https://github.com/brunonova)
- whitelist fix
- bash arguments fix
......@@ -147,6 +153,10 @@ Christian Stadelmann (https://github.com/genodeftest)
- evolution profile fix
Clayton Williams (https://github.com/gosre)
- addition of RLIMIT_AS
crass (https://github.com/crass)
- extract_command_name fixes
- update appimage size calculation to newest code from libappimage
- firejail should look for processes with names exactly named
curiosity-seeker (https://github.com/curiosity-seeker)
- tightening unbound and dnscrypt-proxy profiles
- correct and tighten QuiteRss profile
......@@ -158,6 +168,7 @@ curiosity-seeker (https://github.com/curiosity-seeker)
- added VirtualBox.profile
- various other profile fixes
- added digiKam profile
- write-protection for thumbnailer dir
da2x (https://github.com/da2x)
- matched RPM license tag
Daan Bakker (https://github.com/dbakker)
......@@ -268,6 +279,17 @@ glitsj16 (https://github.com/glitsj16)
- spelling fixes
- bitblbee profile fixes
- fix firefox common addons
- many profile fixes
- profile fixes: file, strings, claws-mail,
- new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
- new profiles: devilspie, devilspie2, easystroke, github-desktop, min
- new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
- new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
- new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
- new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
- new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
- new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
- new profiles: masterpdfeditor
graywolf (https://github.com/graywolf)
- spelling fix
greigdp (https://github.com/greigdp)
......@@ -309,7 +331,7 @@ Jaykishan Mutkawoa (https://github.com/jmutkawoa)
- cpio profile
James Elford (https://github.com/jelford)
- pass password manager support
- removed shell none from ssh-agent configuration, fixing the infinit loop
- removed shell none from ssh-agent configuration, fixing the infinite loop
- added gcloud profile
- blacklist sensitive cloud provider files in disable-common
Jean Lucas (https://github.com/flacks)
......@@ -375,6 +397,8 @@ LaurentGH (https://github.com/LaurentGH)
- allow private-bin parameters to be absolute paths
Loïc Damien (https://github.com/dzamlo)
- small fixes
luzpaz (https://github.com/luzpaz)
- code spelling fixes
maces (https://github.com/maces)
- Franz messenger profile
Madura A (https://github.com/manushanga)
......@@ -411,7 +435,8 @@ mustaqimM (https://github.com/mustaqimM)
- added profile for Nylas Mail
n1trux (https://github.com/n1trux)
- fix flashpeak-slimjet profile typos
netblue30 (netblue30@yahoo.com)
NickMolloy (https://github.com/NickMolloy)
- ARP address length fix
Niklas Haas (https://github.com/haasn)
- blacklisting for keybase.io's client
nyancat18 (https://github.com/nyancat18)
......@@ -426,6 +451,8 @@ Paul Moore <pmoore@redhat.com>
-src/fsec-print/print.c extracted from libseccomp software package
Paupiah Yash (https://github.com/CaffeinatedStud)
- gzip profile
Pawel (https://github.com/grimskies)
- make --join return exit code of the invoked program
Peter Millerchip (https://github.com/pmillerchip)
- memory allocation fix
- --private.keep to --private-home transition
......@@ -446,6 +473,9 @@ PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
- added profile for gnome-ring
pirate486743186 (https://github.com/pirate486743186)
- KMail profile
- mpsyt profile
- fix youtube-dl and mpv
- fix gnome-mpv profile
Pixel Fairy (https://github.com/xahare)
- added fjclip.py, fjdisplay.py and fjresize.py in contrib section
PizzaDude (https://github.com/pizzadude)
......@@ -495,6 +525,15 @@ rogshdo (https://github.com/rogshdo)
- BitlBee profile
Ruan (https://github.com/ruany)
- fixed hexchat profile
rusty-snake (https://github.com/rusty-snake)
- fixed kdenlive profile
- added thunderbird-wayland and supertuxkart profiles
- fix bible-time, rhythmbox profiles
- more blacklists in disable-common.inc
- fixed some missing paths in disable-programs.inc
- added ghostwriter profle
- fix gajim profile, added gajim-history-manager profile
- updates for ~/.cargo
Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
- fixed ktorrent profile
sarneaud (https://github.com/sarneaud)
......@@ -611,6 +650,8 @@ Thomas Jarosch (https://github.com/thomasjfox)
- added lstat() / lstat64() support to libtrace
- include mkuid.sh in make dist
- cppcheck bugfixes
tinmanx (https://github.com/tinmanx)
- remove network access from cherrytree.profile
Tom Mellor (https://github.com/kalegrill)
- mupen64plus profile
Tomasz Jan Góralczyk (https://github.com/tjg)
......@@ -660,6 +701,9 @@ veloute (https://github.com/veloute)
- added standardnotes profile
- added flameshot profile
- added jdownloader profile
- fixed discord profile
- fixes for various profiles
- removed vim and ranger from firecfg
Vincent43 (https://github.com/Vincent43)
- apparmor enhancements
vismir2 (https://github.com/vismir2)
......
firejail (0.9.58) baseline; urgency=low
* --disable-mnt rework
* --net.print command
* GitLab CI/CD integration: disto specific builds
* profile parser enhancements and conditional handling support
for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
* profile name support
* added explicit nonewprivs support to join option
* new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
* new profiles: devilspie, devilspie2, easystroke, github-desktop, min
* new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
* new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
* new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
* new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
* new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
* new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
* new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
* new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
* new profiles: supertuxkart, ghostwriter, gajim-history-manager
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 26 Jan 2019 08:00:00 -0500
firejail (0.9.56) baseline; urgency=low
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
......@@ -132,7 +154,7 @@ firejail (0.9.50) baseline; urgency=low
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assingment for --net options
* enhancement: rework IP address assignment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
......@@ -166,7 +188,7 @@ firejail (0.9.50~rc1) baseline; urgency=low
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assingment for --net options
* enhancement: rework IP address assignment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for firejail 0.9.56.
# Generated by GNU Autoconf 2.69 for firejail 0.9.58.
#
# Report bugs to <netblue30@yahoo.com>.
#
......@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='firejail'
PACKAGE_TARNAME='firejail'
PACKAGE_VERSION='0.9.56'
PACKAGE_STRING='firejail 0.9.56'
PACKAGE_VERSION='0.9.58'
PACKAGE_STRING='firejail 0.9.58'
PACKAGE_BUGREPORT='netblue30@yahoo.com'
PACKAGE_URL='https://firejail.wordpress.com'
......@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures firejail 0.9.56 to adapt to many kinds of systems.
\`configure' configures firejail 0.9.58 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1337,7 +1337,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of firejail 0.9.56:";;
short | recursive ) echo "Configuration of firejail 0.9.58:";;
esac
cat <<\_ACEOF
......@@ -1442,7 +1442,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
firejail configure 0.9.56
firejail configure 0.9.58
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by firejail $as_me 0.9.56, which was
It was created by firejail $as_me 0.9.58, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -3832,7 +3832,7 @@ fi
# set sysconfdir
if test "$prefix" = /usr; then
sysconfdir="/etc"
test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
fi
ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"
......@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by firejail $as_me 0.9.56, which was
This file was extended by firejail $as_me 0.9.58, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -4433,7 +4433,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
firejail config.status 0.9.56
firejail config.status 0.9.58
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
AC_PREREQ([2.68])
AC_INIT(firejail, 0.9.56, netblue30@yahoo.com, , https://firejail.wordpress.com)
AC_INIT(firejail, 0.9.58, netblue30@yahoo.com, , https://firejail.wordpress.com)
AC_CONFIG_SRCDIR([src/firejail/main.c])
#AC_CONFIG_HEADERS([config.h])
......@@ -183,7 +183,7 @@ AC_SUBST(HAVE_SECCOMP_H)
# set sysconfdir
if test "$prefix" = /usr; then
sysconfdir="/etc"
test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
fi
AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
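Review bot: The replacement line `test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"` depends on a single-quoted, unexpanded string that the unchanged `# set sysconfdir` comment does not explain. As far as I can tell it matches Autoconf's literal default, so `/etc` is forced only when the user gave no `--sysconfdir`; a later edit that switches to double quotes would silently break that. I would replace the comment with something like `# default sysconfdir to /etc for prefix=/usr; '${prefix}/etc' is Autoconf's unexpanded default, so an explicit --sysconfdir is kept`. Because an explicit override is now honoured and firejail reads its configuration from under that directory (the release notes on this page cite `/etc/firejail/firejail.config`), the install documentation should say the chosen path must be root-owned and not writable by unprivileged users. The generated `configure` carries the same line and needs no separate change.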
......
......@@ -29,80 +29,84 @@ __license__ = "Unlicense"
import sys, os, glob, re
privRx=re.compile("^(?:#\s*)?private-bin")
privRx = re.compile("^(?:#\s*)?private-bin")
def fixSymlinkedBins(files, replMap):
"""
"""
Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap
replMap is a dict where key is the marker filename and value is the filename to add
"""
rxs=dict()
for (old,new) in replMap.items():
rxs[old]=re.compile("\\b"+old+"\\b")
rxs[new]=re.compile("\\b"+new+"\\b")
#print(rxs)
for filename in files:
lines=None
with open(filename,"r") as file:
lines=file.readlines()
shouldUpdate=False
for (i,line) in enumerate(lines):
if privRx.search(line):
for (old,new) in replMap.items():
if rxs[old].search(line) and not rxs[new].search(line):
lines[i]=rxs[old].sub(old+","+new, line)
shouldUpdate=True
print(lines[i])
if shouldUpdate:
with open(filename,"w") as file:
file.writelines(lines)
pass
rxs = dict()
for (old, new) in replMap.items():
rxs[old] = re.compile("\\b" + old + "\\b")
rxs[new] = re.compile("\\b" + new + "\\b")
#print(rxs)
for filename in files:
lines = None
with open(filename, "r") as file:
lines = file.readlines()
shouldUpdate = False
for (i, line) in enumerate(lines):
if privRx.search(line):
for (old, new) in replMap.items():
if rxs[old].search(line) and not rxs[new].search(line):
lines[i] = rxs[old].sub(old + "," + new, line)
shouldUpdate = True
print(lines[i])
if shouldUpdate:
with open(filename, "w") as file:
file.writelines(lines)
pass
def createSetOfBinaries(files):
"""
"""
Creates a set of binaries mentioned in private-bin directives of files.
"""
s=set()
for filename in files:
lines=None
with open(filename,"r") as file:
for line in file:
if privRx.search(line):
bins=line.split(",")
bins[0]=bins[0].split(" ")[-1]
bins = [n.strip() for n in bins]
s=s|set(bins)
return s
s = set()
for filename in files:
lines = None
with open(filename, "r") as file:
for line in file:
if privRx.search(line):
bins = line.split(",")
bins[0] = bins[0].split(" ")[-1]
bins = [n.strip() for n in bins]
s = s | set(bins)
return s
def createSymlinkTable(binDirs, binariesSet):
"""
"""
creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary.
binDirs are folders to look into for binaries symlinks
binariesSet is a set of binaries to be checked if they are actually a symlinks
"""
m=dict()
toProcess=binariesSet
while len(toProcess)!=0:
additional=set()
for sh in toProcess:
for bD in binDirs:
p=bD+os.path.sep+sh
if os.path.exists(p):
if os.path.islink(p):
m[sh]=os.readlink(p)
additional.add(m[sh].split(" ")[0])
else:
pass
break
toProcess=additional
return m
m = dict()
toProcess = binariesSet
while len(toProcess) != 0:
additional = set()
for sh in toProcess:
for bD in binDirs:
p = bD + os.path.sep + sh
if os.path.exists(p):
if os.path.islink(p):
m[sh] = os.readlink(p)
additional.ad