Unverified Commit 0488085c authored by Lorenzo "Palinuro" Faletra's avatar Lorenzo "Palinuro" Faletra

import new release

parent b62be1c9
include: https://nest.parrotsec.org/parrot-organization/ci/raw/master/deb-build.yml
\ No newline at end of file
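Review bot: The `include:` resolves to `raw/master` of another repository, so the pipeline definition that builds this package is whatever sits on that branch when the job starts, and it can change without any commit in this project. Since the included file defines what runs on this project's runners with its CI variables, the reference should be pinned to a reviewed revision: GitLab's `include:project` form takes `project: 'parrot-organization/ci'`, `ref: <commit-sha-placeholder>` and `file: '/deb-build.yml'`. A pinned ref also makes a rebuild of an old tag use the same build recipe it was originally built with.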
debian/patches
all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
prefix=@prefix@
exec_prefix=@exec_prefix@
bindir=@bindir@
libdir=@libdir@
datarootdir=@datarootdir@
mandir=@mandir@
sysconfdir=@sysconfdir@
VERSION=@PACKAGE_VERSION@
NAME=@PACKAGE_NAME@
PACKAGE_TARNAME=@PACKAGE_TARNAME@
DOCDIR=@docdir@
HAVE_SECCOMP=@HAVE_SECCOMP@
HAVE_APPARMOR=@HAVE_APPARMOR@
HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
HAVE_SUID=@HAVE_SUID@
.PHONY: mylibs $(MYLIBS)
mylibs: $(MYLIBS)
$(MYLIBS):
$(MAKE) -C $@
.PHONY: apps $(APPS)
apps: $(APPS)
$(APPS): $(MYLIBS)
$(MAKE) -C $@
$(MANPAGES): $(wildcard src/man/*.txt)
./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
man: $(MANPAGES)
filters: src/fseccomp
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
src/fseccomp/fseccomp default seccomp
src/fsec-optimize/fsec-optimize seccomp
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
src/fsec-optimize/fsec-optimize seccomp.debug
src/fseccomp/fseccomp secondary 32 seccomp.32
src/fsec-optimize/fsec-optimize seccomp.32
src/fseccomp/fseccomp secondary block seccomp.block_secondary
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
endif
clean:
for dir in $(APPS) $(MYLIBS); do \
$(MAKE) -C $$dir clean; \
done
rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
rm -f $(SECCOMP_FILTERS)
rm -f test/utils/index.html*
rm -f test/utils/wget-log
rm -f test/utils/lstesting
rm -f test/environment/index.html*
rm -f test/environment/wget-log*
rm -fr test/environment/-testdir
rm -f test/environment/logfile*
rm -f test/environment/index.html
rm -f test/environment/wget-log
rm -f test/sysutils/firejail_t*
cd test/compile; ./compile.sh --clean; cd ../..
distclean: clean
for dir in $(APPS) $(MYLIBS); do \
$(MAKE) -C $$dir distclean; \
done
rm -fr Makefile autom4te.cache config.log config.status config.h dummy.o src/common.mk
realinstall:
# firejail executable
install -m 0755 -d $(DESTDIR)/$(bindir)
install -c -m 0755 src/firejail/firejail $(DESTDIR)/$(bindir)/.
ifeq ($(HAVE_SUID),yes)
chmod u+s $(DESTDIR)/$(bindir)/firejail
endif
# firemon executable
install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/.
# firecfg executable
install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/.
# libraries and plugins
install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/libpostexecseccomp/libpostexecseccomp.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
endif
ifeq ($(HAVE_CONTRIB_INSTALL),yes)
install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
endif
# documents
install -m 0755 -d $(DESTDIR)/$(DOCDIR)
install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
# etc files
./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
for file in .etc/* etc/firejail.config; do \
install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
done
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
rm -fr .etc
ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
# install apparmor profile
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
# install apparmor profile customization file
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
endif
# man pages
install -m 0755 -d $(DESTDIR)/$(mandir)/man1
install -m 0755 -d $(DESTDIR)/$(mandir)/man5
for man in $(MANPAGES); do \
rm -f $$man.gz; \
gzip -9n $$man; \
case "$$man" in \
*.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \
*.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \
esac; \
done
rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
# bash completion
install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
install: all
$(MAKE) realinstall
install-strip: all
strip src/firejail/firejail
strip src/firemon/firemon
strip src/firecfg/firecfg
strip src/libtrace/libtrace.so
strip src/libtracelog/libtracelog.so
strip src/libpostexecseccomp/libpostexecseccomp.so
strip src/ftee/ftee
strip src/faudit/faudit
strip src/fnet/fnet
strip src/fnetfilter/fnetfilter
strip src/fseccomp/fseccomp
strip src/fsec-print/fsec-print
strip src/fsec-optimize/fsec-optimize
strip src/fcopy/fcopy
strip src/fldd/fldd
strip src/fbuilder/fbuilder
$(MAKE) realinstall
uninstall:
rm -f $(DESTDIR)/$(bindir)/firejail
rm -f $(DESTDIR)/$(bindir)/firemon
rm -f $(DESTDIR)/$(bindir)/firecfg
rm -fr $(DESTDIR)/$(libdir)/firejail
rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail
for man in $(MANPAGES); do \
rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \
rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \
done
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
dist:
mv config.status config.status.old
make distclean
mv config.status.old config.status
rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
mkdir -p $(NAME)-$(VERSION)/test
cp -a "$(DISTFILES)" $(NAME)-$(VERSION)
cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test
rm -rf $(NAME)-$(VERSION)/src/tools
find $(NAME)-$(VERSION) -name .svn -delete
tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION)
rm -fr $(NAME)-$(VERSION)
asc:; ./mkasc.sh $(VERSION)
deb: dist
./mkdeb.sh $(NAME) $(VERSION)
deb-apparmor: dist
./mkdeb-apparmor.sh $(NAME) $(VERSION)
snap: all
cd platform/snap; ./snap.sh
install-snap: snap
sudo snap remove faudit; sudo snap install faudit*.snap
test-compile: dist
cd test/compile; ./compile.sh $(NAME)-$(VERSION)
.PHONY: rpms
rpms:
./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
extras: all
$(MAKE) -C extras/firetools
cppcheck: clean
cppcheck --force .
scan-build: clean
scan-build make
#
# make test
#
test-profiles:
cd test/profiles; ./profiles.sh | grep TESTING
test-private-lib:
cd test/private-lib; ./private-lib.sh | grep TESTING
test-apps:
cd test/apps; ./apps.sh | grep TESTING
test-apps-x11:
cd test/apps-x11; ./apps-x11.sh | grep TESTING
test-apps-x11-xorg:
cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
test-sysutils:
cd test/sysutils; ./sysutils.sh | grep TESTING
test-utils:
cd test/utils; ./utils.sh | grep TESTING
test-environment:
cd test/environment; ./environment.sh | grep TESTING
test-filters:
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
cd test/filters; ./filters.sh | grep TESTING
endif
test-arguments:
cd test/arguments; ./arguments.sh | grep TESTING
test-fs:
cd test/fs; ./fs.sh | grep TESTING
test-fcopy:
cd test/fcopy; ./fcopy.sh | grep TESTING
test-fnetfilter:
cd test/fnetfilter; ./fnetfilter.sh | grep TESTING
test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
echo "TEST COMPLETE"
test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments
echo "TEST COMPLETE"
##########################################
# Individual tests, some of them require root access
# The tests are very intrussive, by the time you are done
# with them you will need to restart your computer.
##########################################
# a firejail-test account is required, public/private key setup
test-ssh:
cd test/ssh; ./ssh.sh | grep TESTING
# requires root access
test-chroot:
cd test/chroot; ./chroot.sh | grep testing
# Huge appimage files, not included in "make dist" archive
test-appimage:
cd test/appimage; ./appimage.sh | grep TESTING
# Root access, network devices are created before the test
# restart your computer to get rid of these devices
test-network:
cd test/network; ./network.sh | grep TESTING
# requires the same setup as test-network
test-stress:
cd test/stress; ./stress.sh | grep TESTING
# Tesets running a root user
test-root:
cd test/root; su -c ./root.sh | grep TESTING
# OverlayFS is not available on all platforms
test-overlay:
cd test/overlay; ./overlay.sh | grep TESTING
# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
test-all: test-root test-chroot test-network test-appimage test-overlay
echo "TEST COMPLETE"
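Review bot: The `test-*` recipes from `test-profiles` through `test-overlay` take their exit status from `grep TESTING`, not from the test script, so a script that exits non-zero after printing at least one TESTING line still lets `make test` reach `echo "TEST COMPLETE"`; whether the scripts signal failure through their exit code is not visible here, but the pipe would hide it either way. They also join `cd` and the script with `;`, so a missing test directory does not stop the recipe. A form such as `cd test/filters && ./filters.sh > filters.out; rc=$$?; grep TESTING filters.out; exit $$rc` keeps the filtered output and lets the script decide the result. Separately, `test-chroot` filters on lowercase `testing` while every other target uses `TESTING`; if chroot.sh prints the uppercase marker like the rest, grep matches nothing and that target fails regardless of the outcome.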
#########################################
# Generic Firejail AppArmor profile
#########################################
##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
profile firejail-default flags=(attach_disconnected,mediate_deleted) {
##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
##########
# With ptrace it is possible to inspect and hijack running programs.
# Some browsers are also using ptrace for their sandboxing.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=firejail-default,
##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,
##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
# Allow writing to removable media
owner /{,var/}run/media/** w,
# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,
# Needed for wine
/{,var/}run/firejail/profile/@{PID} w,
# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,
# Needed for firefox sandbox
/proc/[0-9]*/{uid_map,gid_map,setgroups} w,
# Silence noise
deny /proc/@{PID}/oom_adj w,
deny /proc/@{PID}/oom_score_adj w,
# Uncomment to silence all denied write warnings
#deny /proc/** w,
# Uncomment to silence all denied write warnings
#deny /sys/** w,
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,
# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
##########
# Blacklist specific sensitive paths.
##########
# Common backup directory
deny /**/.snapshots/ rwx,
##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark
network packet,
##########
# There is no equivalent in Firejail for filtering signals.
##########
signal,
##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability setpcap,
capability linux_immutable,
capability net_bind_service,
capability net_broadcast,
capability net_admin,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability sys_module,
capability sys_rawio,
capability sys_chroot,
capability sys_ptrace,
capability sys_pacct,
capability sys_admin,
capability sys_boot,
capability sys_nice,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
#capability audit_write,
#capability audit_control,
capability setfcap,
#capability mac_override,
#capability mac_admin,
##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,
# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-local>
}
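Review bot: The header of the capability block says some AppArmor-related capabilities are withheld, but a reader has to find them as four commented-out lines inside a list that otherwise grants `sys_admin`, `sys_module`, `sys_ptrace` and `sys_rawio`. I would name them in the header, `# Withheld here: audit_write, audit_control, mac_override, mac_admin. All other capabilities are left to Firejail's own capability handling.`, so it is explicit that this profile does not restrict the rest on its own. The same holds for the bare `mount,`, `remount,`, `umount,`, `pivot_root,` and `/{,**} rklm,` rules: with those allowed, what the profile adds appears to be the write and `ix` path lists, the ptrace peer rule and the `deny` lines. A short comment at the top of the profile saying so would help whoever edits `local/firejail-local` judge what an override actually changes.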
disable-internet-tests.patch
config-hardening.patch
apparmor-include.patch
seccomp-join.patch
truncation.patch
fix-apparmor-profiles.patch
parrot-profiles.patch
disable-profiles.patch
prevent-firecfg-failure-as-root.patch
add-parrot-gitlab-intergration.patch
# This is Firejail system-wide configuration file. The file contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.
# Enable AppArmor functionality, default enabled.
# apparmor yes
# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes
# Number of ARP probes sent when assigning an IP address for --net option,
# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
# timeout is implemented for each probe. Increase this number to 4 if your
# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
# between 1 and 30.
# arp-probes 2
# Enable or disable bind support, default enabled.
# bind yes
# Enable or disable cgroup support, default enabled.
# cgroup yes
# Enable or disable chroot support, default enabled.
# chroot yes
# Enable or disable dbus handling by --nodbus flag, default enabled.
# dbus yes
# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled. Unlike --disable-mnt profile option this
# cannot be overridden by --noblacklist.
# disable-mnt no
# Enable or disable file transfer support, default enabled.
# file-transfer yes
# Enable Firejail green prompt in terminal, default disabled
# firejail-prompt no
# Follow symlink as user. While using --whitelist feature,
# symlinks pointing outside home directory are followed only
# if both the link and the real file are owned by the user.
# Enabled by default
# follow-symlink-as-user yes
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no
# Allow sandbox joining as a regular user, default enabled.
# root user can always join sandboxes.
# join yes
# Enable or disable sandbox name change, default enabled.
# name-change yes
# Enable or disable networking features, default enabled.
# network yes
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no
# Enable or disable private-home feature, default enabled
# private-home yes
# Enable or disable private-cache feature, default enabled
# private-cache yes
# Enable or disable private-lib feature, default enabled
# private-lib yes
# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of iptables-save and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable seccomp support, default enabled.
# seccomp yes