Commit c6ca22c6 authored by Lorenzo Faletra's avatar Lorenzo Faletra

Import Debian changes 0.9.58.2-3parrot1

firejail (0.9.58.2-3parrot1) testing; urgency=medium

  * Import new Debian release.
  * Update Parrot patches.
parent 0488085c
include: https://nest.parrotsec.org/parrot-organization/ci/raw/master/deb-build.yml
\ No newline at end of file
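Review bot: The `include:` line pulls the pipeline definition by URL from the `master` branch of another repository, so whatever is on that branch at run time becomes this package's build job without any change showing up here. Pinning the URL to a fixed commit, or using the `include: project:` form with `ref:` set to a tag or commit SHA and `file:` naming the template, keeps the build reproducible and makes CI changes reviewable. The file also ends without a trailing newline.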
#########################################
# Generic Firejail AppArmor profile
#########################################
##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
profile firejail-default flags=(attach_disconnected,mediate_deleted) {
##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
##########
# With ptrace it is possible to inspect and hijack running programs.
# Some browsers are also using ptrace for their sandboxing.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=firejail-default,
##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,
##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
# Allow writing to removable media
owner /{,var/}run/media/** w,
# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,
# Needed for wine
/{,var/}run/firejail/profile/@{PID} w,
# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,
# Needed for firefox sandbox
/proc/[0-9]*/{uid_map,gid_map,setgroups} w,
# Silence noise
deny /proc/@{PID}/oom_adj w,
deny /proc/@{PID}/oom_score_adj w,
# Uncomment to silence all denied write warnings
#deny /proc/** w,
# Uncomment to silence all denied write warnings
#deny /sys/** w,
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,
# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
##########
# Blacklist specific sensitive paths.
##########
# Common backup directory
deny /**/.snapshots/ rwx,
##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark
network packet,
##########
# There is no equivalent in Firejail for filtering signals.
##########
signal,
##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability setpcap,
capability linux_immutable,
capability net_bind_service,
capability net_broadcast,
capability net_admin,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability sys_module,
capability sys_rawio,
capability sys_chroot,
capability sys_ptrace,
capability sys_pacct,
capability sys_admin,
capability sys_boot,
capability sys_nice,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
#capability audit_write,
#capability audit_control,
capability setfcap,
#capability mac_override,
#capability mac_admin,
##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,
# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-local>
}
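Review bot: The blacklist rule `deny /**/.snapshots/ rwx,` ends in a slash, which in AppArmor path syntax matches only the directory entry itself. Files beneath a `.snapshots` directory therefore still appear to fall under the broad `/{,**} rklm,` read rule earlier in the profile. If the intent is to hide snapshot contents and not just the directory listing, the rule needs to cover the subtree, e.g. `deny /**/.snapshots/{,**} rwx,`. This is worth checking against the upstream profile and the parser's documentation before diverging.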
disable-internet-tests.patch
config-hardening.patch
apparmor-include.patch
seccomp-join.patch
truncation.patch
fix-apparmor-profiles.patch
parrot-profiles.patch
disable-profiles.patch
prevent-firecfg-failure-as-root.patch
add-parrot-gitlab-intergration.patch
# This is Firejail system-wide configuration file. The file contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.
# Enable AppArmor functionality, default enabled.
# apparmor yes
# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes
# Number of ARP probes sent when assigning an IP address for --net option,
# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
# timeout is implemented for each probe. Increase this number to 4 if your
# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
# between 1 and 30.
# arp-probes 2
# Enable or disable bind support, default enabled.
# bind yes
# Enable or disable cgroup support, default enabled.
# cgroup yes
# Enable or disable chroot support, default enabled.
# chroot yes
# Enable or disable dbus handling by --nodbus flag, default enabled.
# dbus yes
# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled. Unlike --disable-mnt profile option this
# cannot be overridden by --noblacklist.
# disable-mnt no
# Enable or disable file transfer support, default enabled.
# file-transfer yes
# Enable Firejail green prompt in terminal, default disabled
# firejail-prompt no
# Follow symlink as user. While using --whitelist feature,
# symlinks pointing outside home directory are followed only
# if both the link and the real file are owned by the user.
# Enabled by default
# follow-symlink-as-user yes
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no
# Allow sandbox joining as a regular user, default enabled.
# root user can always join sandboxes.
# join yes
# Enable or disable sandbox name change, default enabled.
# name-change yes
# Enable or disable networking features, default enabled.
# network yes
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no
# Enable or disable private-home feature, default enabled
# private-home yes
# Enable or disable private-cache feature, default enabled
# private-cache yes
# Enable or disable private-lib feature, default enabled
# private-lib yes
# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of iptables-save and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable seccomp support, default enabled.
# seccomp yes
# Enable or disable user namespace support, default enabled.
# userns yes
# Enable or disable whitelisting support, default enabled.
# whitelist yes
# Enable or disable X11 sandboxing support, default enabled.
# x11 yes
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024
# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes
# Xephyr command extra parameters. None by default; these are examples.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale
# Xpra server command extra parameters. None by default; this is an example.
# xpra-extra-params --dpi 96
# Enable this option if you have a version of Xpra that supports --attach switch
# for start command, default disabled.
# xpra-attach no
# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
# color depth; use 24 unless you know exactly what you're doing.
# xvfb-screen 640x480x24
# xvfb-screen 800x600x24
# xvfb-screen 1024x768x24
# xvfb-screen 1280x1024x24
# Xvfb command extra parameters. None by default; this is an example.
# xvfb-extra-params -pixdepths 8 24 32
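Review bot: Every setting in this file is commented out, so nothing here changes Firejail's built-in defaults. It is not visible from this page whether `config-hardening.patch` from the series edits the file at build time. The two entries that most deserve an explicit, documented decision are `force-nonewprivs` (described here as a mitigation for tricking suid or file-capability processes, default disabled) and `restricted-network`. A short comment beside each, stating the distribution's chosen value and the reason, would make the hardening reviewable. Separately, the netfilter comment names `iptable-restore`, which should read `iptables-restore`.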
#!/usr/bin/expect -f
set timeout 30
spawn $env(SHELL)
match_max 100000
send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2\r"
expect {
timeout {puts "TESTING ERROR 2.1\n";exit}
"Child process initialized"
}
sleep 1
send -- "cat /etc/resolv.conf\r"
expect {
timeout {puts "TESTING ERROR 2.2\n";exit}
"nameserver 8.8.4.4"
}
expect {
timeout {puts "TESTING ERROR 2.3\n";exit}
"nameserver 8.8.8.8"
}
expect {
timeout {puts "TESTING ERROR 2.4\n";exit}
"nameserver 4.2.2.1"
}
expect {
timeout {puts "TESTING ERROR 2.5\n";exit}
"nameserver ::2"
}
after 100
send -- "exit\r"
sleep 1
send -- "firejail --profile=dns.profile\r"
expect {
timeout {puts "TESTING ERROR 12.1\n";exit}
"Child process initialized"
}
sleep 1
send -- "cat /etc/resolv.conf\r"
expect {
timeout {puts "TESTING ERROR 12.2\n";exit}
"nameserver 8.8.4.4"
}
expect {
timeout {puts "TESTING ERROR 12.3\n";exit}
"nameserver 8.8.8.8"
}
expect {
timeout {puts "TESTING ERROR 12.4\n";exit}
"nameserver 4.2.2.1"
}
after 100
expect {
timeout {puts "TESTING ERROR 12.5\n";exit}
"nameserver ::2"
}
send -- "exit\r"
sleep 1
send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
expect {
timeout {puts "TESTING ERROR 1.2\n";exit}
"connect"
}
expect {
timeout {puts "TESTING ERROR 1.2\n";exit}
"208.67.222.222"
}
expect {
timeout {puts "TESTING ERROR 1.2\n";exit}
"53"
}
after 100
send -- "rm index.html\r"
after 100
send -- "exit\r"
sleep 1
puts "\nall done\n"
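Review bot: Every `timeout` branch ends in a bare `exit`, which returns status 0, so a failed check is visible only to a caller that scrapes the output for `TESTING ERROR`. Using `exit 1` in those branches would let the runner fail on status as well; the trace test further down the page uses the same pattern. The three checks after the `--trace --dns=208.67.222.222` command all print `TESTING ERROR 1.2`, so a failure there cannot be attributed to a step; numbering them 1.1, 1.2 and 1.3 fixes that. The last of them matches the bare string `"53"`, which any output containing those digits satisfies.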
#!/bin/bash
# This file is part of Firejail project
# Copyright (C) 2014-2019 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
which cpio 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: cpio"
./cpio.exp
else
echo "TESTING SKIP: cpio not found"
fi
#which strings
#if [ "$?" -eq 0 ];
#then
# echo "TESTING: strings"
# ./strings.exp
#else
# echo "TESTING SKIP: strings not found"
#fi
which gzip 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: gzip"
./gzip.exp
else
echo "TESTING SKIP: gzip not found"
fi
which xzdec 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: xzdec"
./xzdec.exp
else
echo "TESTING SKIP: xzdec not found"
fi
which xz 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: xz"
./xz.exp
else
echo "TESTING SKIP: xz not found"
fi
which less 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: less"
./less.exp
else
echo "TESTING SKIP: less not found"
fi
which file 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: file"
./file.exp
else
echo "TESTING SKIP: file not found"
fi
which tar 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: tar"
./tar.exp
else
echo "TESTING SKIP: tar not found"
fi
which ping 2>/dev/null
if [ "$?" -eq 0 ];
then
echo "TESTING: ping"
./ping.exp
else
echo "TESTING SKIP: ping not found"
fi
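Review bot: The eight tool checks repeat the same `which X 2>/dev/null` / `if [ "$?" -eq 0 ]` block, and `which` is an external utility whose exit status and output differ between implementations. The shell builtin `command -v` is the portable existence test and can sit directly in the `if`. A single loop over the tool names removes the duplication while keeping the `TESTING:` and `TESTING SKIP:` lines byte-identical. The only output difference is that the resolved path `which` printed to stdout is no longer echoed. The exit status of each `.exp` script is still ignored, as in the original.

```bash
# … unchanged: MALLOC_CHECK_ / MALLOC_PERTURB_ exports …
for tool in cpio gzip xzdec xz less file tar ping; do
    if command -v "$tool" >/dev/null 2>&1; then
        echo "TESTING: $tool"
        "./$tool.exp"
    else
        echo "TESTING SKIP: $tool not found"
    fi
done
# … unchanged: commented-out strings check …
```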
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2019 Firejail Authors
# License GPL v2
set timeout 30
spawn $env(SHELL)
match_max 100000
send -- "firejail --trace mkdir ttt\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"mkdir:mkdir ttt"
}
sleep 1
send -- "firejail --trace rmdir ttt\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"rmdir:rmdir ttt"
}
sleep 1
send -- "firejail --trace touch ttt\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"touch:open ttt" {puts "OK\n";}
"touch:open64 ttt" {puts "OK\n";}
}
sleep 1
send -- "firejail --trace rm ttt\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"rm:unlinkat ttt"
}
sleep 1
send -- "firejail --trace wget -q debian.org\r"
#expect {
# timeout {puts "TESTING ERROR 8.1\n";exit}
# "Child process initialized"
#}
#expect {
# timeout {puts "TESTING ERROR 8.2\n";exit}
# "bash:open /dev/tty" {puts "OK\n";}
# "bash:open64 /dev/tty" {puts "OK\n";}
#}
expect {
timeout {puts "TESTING ERROR 8.3\n";exit}
"wget:fopen64 /etc/wgetrc" {puts "OK\n";}
"wget:fopen /etc/wgetrc" {puts "OK\n";}
}
expect {
timeout {puts "TESTING ERROR 8.4\n";exit}
"wget:fopen /etc/hosts"
}
expect {
timeout {puts "TESTING ERROR 8.5\n";exit}
"wget:connect"
}
expect {
timeout {puts "TESTING ERROR 8.6\n";exit}
"wget:fopen64 index.html" {puts "OK\n";}
"wget:fopen index.html" {puts "OK\n";}
"Parent is shutting down" {puts "OK\n";}
}
sleep 1
send -- "firejail --trace rm index.html\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"rm:unlinkat index.html" {puts "OK\n";}
"Parent is shutting down" {puts "OK\n";}
}
sleep 1
send -- "firejail --trace\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"bash:open /dev/tty" {puts "64bit\n"}
"bash:open64 /dev/tty" {puts "32bit\n"}
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"bash:access /etc/terminfo/" {puts "debian\n"}
"bash:access /usr/share/terminfo/" {puts "arch\n"}
}
after 100
puts "\nall done\n"
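Review bot: The test creates and deletes the relative names `ttt` and `index.html` in whatever directory it is started from, so it can remove an unrelated file of the same name there. Because every `timeout` branch exits immediately, a failure between the `wget` step and the `rm index.html` step also leaves the download behind. Moving the spawned shell into a scratch directory first, for example `send -- "cd \$(mktemp -d)\r"` right after `spawn $env(SHELL)`, confines both effects. Whether the default sandbox exposes that directory unchanged should be confirmed. The `wget -q debian.org` step also needs outbound network access, and it is not visible here whether `disable-internet-tests.patch` from the series covers it.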