authorLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2023-03-23 02:44:12 -0300
committerLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2023-03-28 11:49:51 -0300
commit7e1a5834b1e062fd7e259b22e6bcb07290e89d66 (patch)
tree94d887c661afc2db2caf90cb4eb88b6d7bed2bc4
parentcower: move blacklist from disable-programs to dc (diff)
profiles: move read-only config entries to dc
Command used to search for entries: $ git grep '^read-only ${HOME}/' -- 'etc/profile*' Note for gpg: ~/.gnupg/gpg.conf is apparently only managed by gpgconf(1) rather than through gpg(1) itself, in which case it does not need to be made read-write in gpg.profile.
-rw-r--r--etc/inc/disable-common.inc10
-rw-r--r--etc/profile-a-l/awesome.profile1
-rw-r--r--etc/profile-a-l/cower.profile1
-rw-r--r--etc/profile-m-z/makepkg.profile1
-rw-r--r--etc/profile-m-z/openbox.profile2
-rw-r--r--etc/profile-m-z/steam.profile1
6 files changed, 10 insertions, 6 deletions
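--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -338,6 +341,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -370,6 +374,7 @@ read-only ${HOME}/dotfiles
 
 # System package managers and AUR helpers
 blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
 
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
@@ -396,6 +401,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 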
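Review bot: In the `@@ -370,6 +374,7 @@` hunk, `read-only ${HOME}/.config/cower/config` now sits directly under `blacklist ${HOME}/.config/cower`, and nothing explains why both are needed. As far as I can tell the read-only entry only matters in a profile that lifts the blacklist with `noblacklist ${HOME}/.config/cower`, so I would add a comment above it such as `# takes effect only where a profile noblacklists the directory`. More generally, every entry moved into this file protects a sandbox only if its profile includes disable-common.inc. The include lines of the awesome, cower, makepkg, openbox and steam profiles are outside the hunks shown, so that is worth confirming before the per-profile entries are dropped; otherwise the write protection on the window-manager startup files and on gpg.conf would be lost without any warning.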
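--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces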
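--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces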
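--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed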
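--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces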
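--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces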