Unverified Commit d4a55ead authored by Lorenzo "Palinuro" Faletra's avatar Lorenzo "Palinuro" Faletra

Import Debian changes 0.9.58.2-1parrot2



firejail (0.9.58.2-1parrot2) testing; urgency=medium

  * Fix apparmor conflict when compiled on a build node without apparmor.
  * Prevent firecfg from failing when executed as root without sudo.
Signed-off-by: Lorenzo "Palinuro" Faletra's avatarLorenzo Palinuro Faletra <palinuro@parrotsec.org>
parent 4fbf693c
......@@ -134,6 +134,8 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
# install apparmor profile customization file
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
endif
# man pages
install -m 0755 -d $(DESTDIR)/$(mandir)/man1
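Review bot: fix-apparmor-compilation.patch, added in this same commit, expects `endif` directly after the `apparmor.d/local` `install -d` line, but on the new side of this section that line is followed by `# install apparmor profile customization file` and the guarded `firejail-local` install. The hunk header counts 6 old and 8 new lines, so all eight lines shown are in the new file. If this section is Makefile.in, as the `ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)` context and the line numbers suggest, the patch's trailing context no longer matches and it may be rejected at build time. Either drop the patch, since the guarded install here already ships `etc/firejail-local`, or refresh it against this file.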
......
firejail (0.9.58.2-1parrot2) testing; urgency=medium
* Fix apparmor conflict when compiled on a build node without apparmor.
* Prevent firecfg from failing when executed as root without sudo.
-- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org> Wed, 03 Apr 2019 06:17:39 +0200
firejail (0.9.58.2-1parrot1) testing; urgency=medium
* Import new Debian release.
......
Description: Fix missing apparmor profiles when compiled on build node without apparmor support.
Author: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Last-Update: 2019-04-03
--- firejail-0.9.58.2.orig/Makefile.in
+++ firejail-0.9.58.2/Makefile.in
@@ -133,7 +133,7 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
# install apparmor profile
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
- sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
+ install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.
endif
# man pages
install -m 0755 -d $(DESTDIR)/$(mandir)/man1
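Review bot: The added `install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.` replaces the only command in this hunk that creates `apparmor.d/local`, so on a clean DESTDIR the copy has no directory to land in. Where the directory does exist, it overwrites an administrator's `firejail-local` on every install, silently discarding local AppArmor customizations. Keep the removed `install -d` line and guard the copy with an existence test: `sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"`. The line also stays inside `ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)`, so it presumably still does not run on a build node without AppArmor, which is the case the patch description names.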
Description: Prevent firecfg from failing when run as root without sudo.
Author: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Last-Update: 2019-04-03
Index: firejail-0.9.58.2/src/firecfg/main.c
===================================================================
--- firejail-0.9.58.2.orig/src/firecfg/main.c
+++ firejail-0.9.58.2/src/firecfg/main.c
@@ -288,8 +288,8 @@ static char *get_user(void) {
if (!user) {
user = getenv("SUDO_USER");
if (!user) {
- fprintf(stderr, "Error: cannot detect login user\n");
- exit(1);
+ fprintf(stderr, "Warning: cannot detect login user\n");
+ return "root";
}
}
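Review bot: The new fallback `return "root";` is taken whenever the earlier lookup and `SUDO_USER` both come back empty, without checking that the process really runs as root. A non-root caller with a stripped environment would therefore be treated as root by whatever consumes this name. Keep the hard failure for that case by placing `if (getuid() != 0) { fprintf(stderr, "Error: cannot detect login user\n"); exit(1); }` before the return. The function also hands back a string literal through a non-const `char *`, which is safe only if no caller modifies or frees the result. That cannot be confirmed here because get_user's body starts and ends outside the hunk.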
@@ -299,9 +299,10 @@ static char *get_user(void) {
static char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
// find home directory
struct passwd *pw = getpwnam(user);
- if (!pw)
+ if (!pw && getuid() != 0)
goto errexit;
+
char *home = pw->pw_dir;
if (!home)
goto errexit;
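Review bot: With the new condition `if (!pw && getuid() != 0)`, a failed `getpwnam()` under uid 0 skips `goto errexit` and falls through to `char *home = pw->pw_dir;`, which dereferences a NULL pointer. Keep the unconditional check, `if (!pw) goto errexit;`. With get_user now falling back to `"root"`, the lookup normally succeeds for root anyway. If a fallback home directory is wanted for root, it needs its own branch, which presumably must also fill `*uid` and `*gid`. get_homedir's body continues past the end of the hunk.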
......@@ -3,3 +3,5 @@ config-hardening.patch
apparmor-include.patch
parrot-profiles.patch
disable-profiles.patch
prevent-firecfg-failure-as-root.patch
fix-apparmor-compilation.patch
src/.vscode/ipch/c65a8497d3eca87a/main.ipch
src/.vscode/ipch/c65a8497d3eca87a/mmap_address.bin
......@@ -15,12 +15,7 @@ mkdir ${DOCUMENTS}
mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}.config/PBE
mkdir ${HOME}/.local/share/PBE
whitelist ${DOWNLOADS}
whitelist ${MUSIC}
whitelist ${DESKTOP}
whitelist ${VIDEOS}
whitelist ${DOCUMENTS}
whitelist ${PICTURES}
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
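Review bot: `mkdir ${HOME}.config/PBE` is missing the slash after `${HOME}`, so it does not name the directory that `whitelist ${HOME}/.config/PBE` further down in this hunk refers to; it should read `mkdir ${HOME}/.config/PBE`. The line appears to be unchanged context rather than something this commit adds, but this hunk is the natural place to fix it. As written, the whitelist entry points at a directory the profile never creates, so on a first run that path may be missing inside the sandbox.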
......@@ -54,7 +49,7 @@ tracelog
disable-mnt
private-bin QOwnNotes,gio
private-dev
private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies,alternatives
private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
private-tmp
noexec ${HOME}
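Review bot: Of the two `private-etc` lines here, the one printed second no longer lists `alternatives`. If that is the new side, the sandbox's `/etc` loses `/etc/alternatives`, and on Debian-derived systems any command reached through an update-alternatives symlink stops resolving inside it. The same edit appears in the `private-etc` lines of the `@@ -41,5 +41,5 @@ private`, `@@ -44,7 +44,7 @@ tracelog`, `@@ -41,9 +39,9 @@ seccomp`, `@@ -40,7 +40,7 @@ disable-mnt` and `@@ -44,5 +44,5 @@ shell none` hunks. The commit description names only the AppArmor and firecfg fixes, so either keep `alternatives` or record in the changelog why it is dropped.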
......
......@@ -32,7 +32,7 @@ shell none
disable-mnt
private-bin sh,bash,dig,awk,Viber
private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf,alternatives
private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf
private-tmp
noexec ${HOME}
......
......@@ -41,5 +41,5 @@ private
# private-bin Xvfb,sh,xkbcomp
# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
private-dev
private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,alternatives
private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
private-tmp
......@@ -7,9 +7,6 @@ include amarok.local
include globals.local
noblacklist ${MUSIC}
noblacklist ${DOWNLOADS}
noblacklist ${DESKTOP}
noblacklist ${DOCUMENTS}
include disable-common.inc
include disable-devel.inc
......
......@@ -11,7 +11,6 @@ noblacklist ${HOME}/.lv2
noblacklist ${HOME}/.vst
noblacklist ${DOCUMENTS}
noblacklist ${MUSIC}
noblacklist ${DOWNLOADS}
include disable-common.inc
include disable-devel.inc
......
......@@ -10,8 +10,6 @@ noblacklist ${HOME}/.arduino15
noblacklist ${HOME}/.java
noblacklist ${HOME}/Arduino
noblacklist ${DOCUMENTS}
noblacklist ${DOWNLOADS}
noblacklist ${DDESKTOP}
# Allow access to java
noblacklist ${PATH}/java
......
......@@ -44,7 +44,7 @@ tracelog
disable-mnt
private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig
private-dev
private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies,alternatives
private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
private-tmp
noexec ${HOME}
......
......@@ -37,5 +37,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
join-or-start atom
......@@ -9,8 +9,6 @@ include globals.local
noblacklist ${HOME}/.cache/atril
noblacklist ${HOME}/.config/atril
noblacklist ${DOCUMENTS}
noblacklist ${DESKTOP}
noblacklist ${DOWNLOADS}
#noblacklist ${HOME}/.local/share
# it seems to use only ${HOME}/.local/share/webkitgtk
......@@ -41,9 +39,9 @@ seccomp
shell none
tracelog
#private-bin atril, atril-previewer, atril-thumbnailer
private-bin atril, atril-previewer, atril-thumbnailer
private-dev
private-etc fonts,ld.so.cache,alternatives
private-etc fonts,ld.so.cache
# atril uses webkit gtk to display epub files
# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
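Review bot: The uncommented `private-bin atril, atril-previewer, atril-thumbnailer` has a space after each comma. Unless the profile parser trims list entries, the second and third names carry a leading space and would match no binary, leaving the previewer and thumbnailer out of the private bin directory. Write it as `private-bin atril,atril-previewer,atril-thumbnailer`, the comma-only form used by the other `private-bin` lines on this page. Which of the two `private-bin` lines is the new side is inferred from print order only.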
......
......@@ -22,7 +22,7 @@ include whitelist-var-common.inc
apparmor
caps.drop all
netfilter
# nodbus
#nodbus - dbus needed for MPRIS
nogroups
nonewprivs
noroot
......
......@@ -40,7 +40,7 @@ disable-mnt
# private-bin authenticator
private-cache
private-dev
private-etc fonts,ld.so.cache,alternatives
private-etc fonts,ld.so.cache
# private-lib
private-tmp
......
......@@ -44,5 +44,5 @@ shell none
# private-bin bibletime,qt5ct
private-dev
private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies,alternatives
private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
private-tmp
......@@ -12,10 +12,10 @@ noblacklist ${PATH}/python3*
noblacklist /usr/lib/python2*
noblacklist /usr/lib/python3*
#include disable-common.inc
#include disable-devel.inc
#include disable-interpreters.inc
#include disable-passwdmgr.inc
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
# include disable-programs.inc
caps.drop all
......
......@@ -42,5 +42,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
join-or-start blender