author | SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com> | 2018-03-25 10:28:16 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-03-25 10:28:16 -0400 |
commit | 2fd9dcda31740ebf6a02ae3ffd7407c95ed5cb43 (patch) | |
tree | fd5d4e62ae678dbd8b5bd5a41f6bc6c1fd100df8 | |
parent | Fixup blender-2.8 and thunderbird-beta (diff) | |
parent | various profile hardening (diff) | |
Merge branch 'master' into master
-rw-r--r-- | README | 3 | ||||
-rw-r--r-- | README.md | 3 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/evince-previewer.profile | 10 | ||||
-rw-r--r-- | etc/evince-thumbnailer.profile | 10 | ||||
-rw-r--r-- | etc/kate.profile | 3 | ||||
-rw-r--r-- | etc/kmail.profile | 3 | ||||
-rw-r--r-- | etc/kwrite.profile | 3 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 |
11 files changed, 40 insertions, 3 deletions
@@ -244,6 +244,9 @@ Gaman Gabriel (https://github.com/stelariusinfinitek) | |||
244 | - inox profile | 244 | - inox profile |
245 | geg2048 (https://github.com/geg2048) | 245 | geg2048 (https://github.com/geg2048) |
246 | - kwallet profile fixes | 246 | - kwallet profile fixes |
247 | glitsj16 (https://github.com/glitsj16) | ||
248 | - evince-previewer, evince-thumbnailer profiles | ||
249 | - gnome-recipes profile | ||
247 | graywolf (https://github.com/graywolf) | 250 | graywolf (https://github.com/graywolf) |
248 | - spelling fix | 251 | - spelling fix |
249 | greigdp (https://github.com/greigdp) | 252 | greigdp (https://github.com/greigdp) |
@@ -293,4 +293,5 @@ firefox-common-addons.inc in firefox-common.profile. | |||
293 | Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, | 293 | Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, |
294 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, | 294 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, |
295 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, | 295 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, |
296 | gnome-recipes, akonadi_control, blender-2.8, thunderbird-beta | 296 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, |
297 | thunderbird-beta \ No newline at end of file | ||
@@ -29,7 +29,8 @@ firejail (0.9.53) baseline; urgency=low | |||
29 | * new profiles: discord-canary, pycharm-community, pycharm-professional, | 29 | * new profiles: discord-canary, pycharm-community, pycharm-professional, |
30 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, | 30 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, |
31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes | 31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes |
32 | * new profiles: akonadi_control, blender-2.8, thunderbird-beta | 32 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, |
33 | * new profiles: blender-2.8, thunderbird-beta | ||
33 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 | 34 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 |
34 | 35 | ||
35 | firejail (0.9.52) baseline; urgency=low | 36 | firejail (0.9.52) baseline; urgency=low |
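--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc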
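--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -363,6 +363,7 @@ blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@@ -405,6 +406,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser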
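Review bot: The new `blacklist ${HOME}/.local/share/emailidentities` line takes effect in every profile that includes disable-programs.inc, but this commit adds the matching `noblacklist ${HOME}/.local/share/emailidentities` only to etc/kmail.profile. Any other profile that already lifts `${HOME}/.config/emailidentities` (the README lists an akonadi_control profile, which may be one) probably needs the same line, otherwise the identity data is hidden from it. Those profiles are not part of this commit, so a search of etc/ for `.config/emailidentities` would settle it. The `plasma_notes` entry in the second hunk likewise gets no `noblacklist` anywhere in this commit; confirm no existing profile is meant to read it.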
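--- /dev/null
+++ b/etc/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-previewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile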
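Review bot: The redirect on line 10 hands evince-previewer the whole of evince.profile without saying why the viewer's policy suits this helper, and etc/evince-thumbnailer.profile does the same. evince.profile is not part of this commit, so its fit cannot be confirmed here: the thumbnailer has to write its output image to a path chosen by the caller, and if evince.profile restricts binaries with `private-bin` or narrows the writable filesystem, both helpers need to be covered there. The empty lines 7-8 are where helper-specific options would go; a comment such as `# no extra options: inherits evince.profile unchanged` would show the gap is deliberate. Since a thumbnailer parses files the user has not chosen to open, it is worth considering whether it should be tighter than the interactive viewer rather than identical to it.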
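--- /dev/null
+++ b/etc/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile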
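--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# noexec ${HOME}
+noexec /tmp
+
 join-or-start kate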
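Review bot: `# noexec ${HOME}` is added commented out on line 45 with no reason given, while etc/kwrite.profile in this same commit enables `noexec ${HOME}` in an otherwise matching profile tail. A hardening line that is disabled without explanation tends to stay disabled, and a reader cannot tell whether it breaks something or was simply never tested. If kate needs to execute files from the home directory, the comment should say so, for example `# noexec ${HOME} - disabled: <reason>; enable in kate.local if not needed`, with the placeholder replaced by the actual reason. Line 42 shows the same pattern with `# private-etc ...`; the profile continues above this hunk, so the reason may already be stated there.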
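--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# if akonadi has a mysql backend, starting it inside this sandbox will fail.
 # one solution is to have akonadi already running when kmail is launched
 
 noblacklist ${HOME}/.cache/akonadi*
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.local/share/akonadi/*
 noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg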
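--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -43,4 +43,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
+
 join-or-start kwrite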
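--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -110,6 +110,8 @@ eom
 epiphany
 etr
 evince
+evince-previewer
+evince-thumbnailer
 evolution
 exiftool
 falkon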