author | Thomas Jarosch <thomas.jarosch@intra2net.com> | 2016-07-30 23:10:50 +0200 |
---|---|---|
committer | Thomas Jarosch <thomas.jarosch@intra2net.com> | 2016-07-30 23:55:16 +0200 |
commit | 2d60937932a44ed5dfe3afecdae846386275a25a (patch) | |
tree | 7c73bb02ca722174ef5387fdbb2988f6b193b5a2 | |
parent | fixes (diff) | |
Add profiles for tar (gtar), unzip and unrar
I've tested compression and decompression of
various tar formats and also straced unzip/unrar
to check their file access in /etc.
-> should be fine.
If you want to unpack files in /usr/bin,
then use the --ignore=private-bin switch.
Same for /etc: --ignore=private-etc
-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 1 | ||||
-rw-r--r-- | etc/gtar.profile | 1 | ||||
-rw-r--r-- | etc/tar.profile | 13 | ||||
-rw-r--r-- | etc/unrar.profile | 11 | ||||
-rw-r--r-- | etc/unzip.profile | 11 | ||||
-rw-r--r-- | platform/debian/conffiles | 4 |
8 files changed, 46 insertions, 0 deletions
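--- a/Makefile.in
+++ b/Makefile.in
@@ -144,6 +144,7 @@ realinstall:
 install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/gtar.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
@@ -201,6 +202,7 @@ realinstall:
 install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/tar.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/.
@@ -208,6 +210,8 @@ realinstall:
 install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/unrar.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/unzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/.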
@@ -34,6 +34,7 @@ Peter Hogg (https://github.com/pigmonkey) | |||
34 | Thomas Jarosch (https://github.com/thomasjfox) | 34 | Thomas Jarosch (https://github.com/thomasjfox) |
35 | - disable keepassx in disable-passwdmgr.inc | 35 | - disable keepassx in disable-passwdmgr.inc |
36 | - added uudeview profile | 36 | - added uudeview profile |
37 | - added tar (gtar), unzip and unrar profile | ||
37 | - improved profile list | 38 | - improved profile list |
38 | Niklas Haas (https://github.com/haasn) | 39 | Niklas Haas (https://github.com/haasn) |
39 | - blacklisting for keybase.io's client | 40 | - blacklisting for keybase.io's client |
@@ -156,4 +156,5 @@ Browsers: Palemoon | |||
156 | ## New security profiles | 156 | ## New security profiles |
157 | 157 | ||
158 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview | 158 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview |
159 | tar (gtar), unzip, unrar | ||
159 | 160 | ||
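--- /dev/null
+++ b/etc/gtar.profile
@@ -0,0 +1 @@
+include /etc/firejail/tar.profile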
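--- /dev/null
+++ b/etc/tar.profile
@@ -0,0 +1,13 @@
+# tar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+
+# support compressed archives
+private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime
+hostname tar
+nosound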
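Review bot: The side effect of `private-bin` and `private-etc` is documented only in the commit message, not in tar.profile itself, so a user whose extraction into /usr/bin or /etc does not end up where expected has no hint in the file they will actually open. I would add a comment above the `private-bin` line, for example `# /usr/bin and /etc are replaced inside the sandbox; to unpack there use --ignore=private-bin or --ignore=private-etc`. The same comment fits unrar.profile and unzip.profile, which carry the same two directives.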
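--- /dev/null
+++ b/etc/unrar.profile
@@ -0,0 +1,11 @@
+# unrar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+hostname unrar
+nosound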
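Review bot: Nothing in unrar.profile narrows where the extractor may write: `private-bin`, `private-dev` and `private-etc` cover system directories only, and any home-directory or syscall confinement has to come from default.profile, which this commit does not show. Since the profile is presumably meant for unpacking archives of unknown origin, I would state that limit in the header, e.g. `# does not confine writes below the user's home; filesystem and seccomp/caps restrictions are inherited from default.profile`. If default.profile does not already apply `seccomp` and `caps.drop all`, listing them here explicitly would be worth it. unzip.profile has the same gap.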
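--- /dev/null
+++ b/etc/unzip.profile
@@ -0,0 +1,11 @@
+# unzip profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime
+hostname unzip
+nosound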
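Review bot: unzip.profile is a line-for-line copy of unrar.profile apart from the `private-bin` and `hostname` values, and tar.profile differs only in its compressor list, so any later hardening change has to be repeated in three files and can drift. gtar.profile in this same commit already uses `include` to share a profile; the common directives (`tracelog`, `net none`, `shell none`, `private-dev`, `private-etc passwd,group,localtime`, `nosound`) could live in one included file, leaving only `private-bin unzip` and `hostname unzip` here.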
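--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -50,6 +50,7 @@
 /etc/firejail/google-chrome.profile
 /etc/firejail/google-play-music-desktop-player.profile
 /etc/firejail/gpredict.profile
+/etc/firejail/gtar.profile
 /etc/firejail/gthumb.profile
 /etc/firejail/gwenview.profile
 /etc/firejail/gzip.profile
@@ -108,6 +109,7 @@
 /etc/firejail/steam.profile
 /etc/firejail/stellarium.profile
 /etc/firejail/strings.profile
+/etc/firejail/tar.profile
 /etc/firejail/telegram.profile
 /etc/firejail/thunderbird.profile
 /etc/firejail/totem.profile
@@ -115,6 +117,8 @@
 /etc/firejail/transmission-qt.profile
 /etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
+/etc/firejail/unrar.profile
+/etc/firejail/unzip.profile
 /etc/firejail/uudeview.profile
 /etc/firejail/vivaldi-beta.profile
 /etc/firejail/vivaldi.profile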