author | pirate486743186 <okgomdjgbmoij@gmail.com> | 2021-06-21 14:25:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-21 12:25:19 +0000 |
commit | 1ca9046cf13b1aa161d3983157617e99b1053d63 (patch) | |
tree | 3f5b31c5d1a85a60c168c2a766dda5cc708566e8 | |
parent | testing (diff) | |
creating alpine.profile (#4350)
* firecfg.config alpine
* Create alpinef.profile
* Create alpine.profile
* disable-programs.inc alpine
* workaround in comment
* Update etc/profile-a-l/alpine.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* deactivating whitelists in ${HOME}
* comment
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
-rw-r--r-- | etc/inc/disable-programs.inc | 10 | ||||
-rw-r--r-- | etc/profile-a-l/alpine.profile | 104 | ||||
-rw-r--r-- | etc/profile-a-l/alpinef.profile | 14 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 |
4 files changed, 130 insertions, 0 deletions
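--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -39,6 +39,8 @@ blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -831,6 +833,14 @@ blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple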
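--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature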
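Review bot: The `#whitelist ${HOME}/...` block and the `#include whitelist-common.inc` line are disabled with no reason recorded in the profile, so a maintainer cannot tell from the file whether leaving ${HOME} fully visible to alpine is deliberate (the commit message says the whitelists were deactivated, but the profile does not) or an unfinished TODO. With whitelist-common.inc commented out, ${HOME} confinement rests only on the blacklists pulled in by the `include disable-*.inc` lines above, which is worth stating next to the block so it is not read as an oversight. Suggest a comment before the first `#whitelist` line, e.g. `# ${HOME} whitelisting is disabled on purpose: <reason, e.g. link to the issue>; re-enable by uncommenting these lines and whitelist-common.inc`. Minor: the four `#whitelist ${HOME}/.pine-debug*` lines sit after `.pinercex`, while the matching `noblacklist` block keeps them in sorted order before `.pine-interrupted-mail`; aligning the two blocks makes future diffs between them easier to read.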
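--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile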
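--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,6 +38,8 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alpine
+alpinef
 amarok
 amule
 amuled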