private-bin conversion

netblue30 · Jun 10, 2016 · 783251e · 783251e
1 parent ecaf0cb
commit 783251e
Show file tree

Hide file tree

Showing 12 changed files with 125 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -65,6 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo
 
 AppImage project home: https://github.com/probonopd/AppImageKit
 
+## Converting profiles to private-bin - work in progress
+
+BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt
+
 ## New security profiles
 
 Gitter, gThumb, mpv, Franz messenger
diff --git a/etc/deluge.profile b/etc/deluge.profile
@@ -1,4 +1,4 @@
-# deluge bittorernt client profile
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 # deluge is using python on Debian
@@ -12,3 +12,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin deluge,sh,python,uname
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
@@ -37,8 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
 
-# disabled temporarily pending globbing implementation
-# in noblacklist command and firefox profile fix
+# Programs using python: deluge, some firefox addons
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*

diff --git a/etc/mpv.profile b/etc/mpv.profile
@@ -12,3 +12,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+# to test
+shell none
+private-bin mpv
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin qbittorrent
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin rtorrent
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
-# transmission-gtk profile
+# transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
 
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+
+shell none
+private-bin transmission-gtk
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
-# transmission-qt profile
+# transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
 
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+
+shell none
+private-bin transmission-qt
diff --git a/etc/vlc.profile b/etc/vlc.profile
@@ -12,3 +12,8 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+
+# to test
+shell none
+private-bin vlc
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -1206,7 +1206,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
 

diff --git a/test/apps/apps.sh b/test/apps/apps.sh
@@ -60,6 +60,15 @@ else
  echo "TESTING SKIP: transmission-qt not found"
 fi
 
+which qbittorrent
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: qbittorrent"
+ ./qbittorrent.exp
+else
+ echo "TESTING SKIP: qbittorrent not found"
+fi
+
 which evince
 if [ "$?" -eq 0 ];
 then

diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail qbittorrent\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 5
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "qbittorrent"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+