author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-05-30 17:31:25 +0200 |
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-05-30 17:31:25 +0200 |
commit | cb98aea61bf97c8125c2d2df6cb08b9f05355e3a (patch) | |
tree | 493a2a6c030f323a1966cb04d406df7b140d9593 | |
parent | profile housekeeping (diff) | |
Add profile templates
Create etc/templates
* profile.template
* redirect_alias-profile.template
* syscalls.txt
* Notes
-rw-r--r-- | README | 19 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/templates/Notes | 7 | ||||
-rw-r--r-- | etc/templates/profile.template | 82 | ||||
-rw-r--r-- | etc/templates/redirect_alias-profile.template | 36 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 43 |
6 files changed, 172 insertions, 18 deletions
@@ -566,24 +566,9 @@ rusty-snake (https://github.com/rusty-snake) | |||
566 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap | 566 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap |
567 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk | 567 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk |
568 | - added profiles: ktouch, yelp | 568 | - added profiles: ktouch, yelp |
569 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse | 569 | - many profile fixing and hardening |
570 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool | ||
571 | - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany | ||
572 | - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro | ||
573 | - fixed profiles: default, mpv, authenticator, gramps, webstorm | ||
574 | - fixed profiles: freeoffice-planmaker, freeoffice-presentations | ||
575 | - fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion | ||
576 | - fixed profiles: android-studio, git, gitg, github-desktop, idea.sh | ||
577 | - fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller | ||
578 | - fixed profiles: eog, eom, xiphos, firefox-common, libreoffice | ||
579 | - fixed profiles: ocenaudio, sysprof, exiftool | ||
580 | - hardened profiles: disable-common.inc, disable-programs.inc | ||
581 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox | ||
582 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl | ||
583 | - hardened profiles: bibletime, whois, etr, display, feh, mpv, xiphos | ||
584 | - hardened profiles: gnome-chess | ||
585 | - gnome-mpv was renamed to celluloid | ||
586 | - some typo fixes | 570 | - some typo fixes |
571 | - added profile templates | ||
587 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) | 572 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) |
588 | - fixed ktorrent profile | 573 | - fixed ktorrent profile |
589 | sarneaud (https://github.com/sarneaud) | 574 | sarneaud (https://github.com/sarneaud) |
@@ -1,5 +1,6 @@ | |||
1 | ffirejail (0.9.60) baseline; urgency=low | 1 | firejail (0.9.60) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * profile templates | ||
3 | -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 | 4 | -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 |
4 | 5 | ||
5 | firejail (0.9.60) baseline; urgency=low | 6 | firejail (0.9.60) baseline; urgency=low |
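diff --git a/etc/templates/Notes b/etc/templates/Notes
new file mode 100644
index 000000000..a4170207b
--- /dev/null
+++ b/etc/templates/Notes
@@ -0,0 +1,7 @@
+Notes
+=====
+
+* Lines with one # are often used
+* Lines with two ## are only in special situation needed
+* Add programs specific paths like .config/program to disable-programs.inc
+* Add the name of the profile/program to src/firecfg/firecfg.config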
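diff --git a/etc/templates/profile.template b/etc/templates/profile.template
new file mode 100644
index 000000000..d7da0ed20
--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,82 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+
+##ignore noexec ${HOME}
+
+##blacklist PATH
+
+#noblacklist PATH
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
+
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Sound: alsa,asound.conf,machine-id,openal,pulse
+# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+# GUIs: fonts
+# Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME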
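Review bot: `#protocol unix,inet,inet6,netlink` (line 56) pre-fills four protocols at once, so a profile derived from the template keeps all of them unless the author remembers to trim the list; a hint next to it, `# keep only the protocols the program needs, e.g. 'protocol unix' for programs without network access`, makes the least-privilege reading the default one. In the same spirit `##seccomp.drop SYSCALLS` (line 58) could point at the hints this commit adds, `# see etc/templates/syscalls.txt`. Both are comment-only changes.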
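diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
new file mode 100644
index 000000000..56dd43ca4
--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,36 @@
+# Firejail profile for PRGOGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+
+# Additional blacklisting (if needed)
+#blacklist PATH
+
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+
+# Additional whitelisting (if needed)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+
+# Additional options if needed (see firejail-profile.example)
+
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+
+# Redirect
+include PROFILE.profile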
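Review bot: `PRGOGRAM_NAME` on line 1 is a typo for `PROGRAM_NAME`, the placeholder profile.template uses, and a search-and-replace on the correctly spelled placeholder would leave this header untouched. The note on line 9, `#NOTE: let include globals.local commented`, is hard to parse; `# NOTE: keep 'include globals.local' commented out, the redirected profile already includes it` states the reason the line 7 comment hints at. Lines 5 and 36 are the only active directives in this template, which matches the alias intent.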
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt new file mode 100644 index 000000000..ec8247517 --- /dev/null +++ b/etc/templates/syscalls.txt | |||
@@ -0,0 +1,43 @@ | |||
1 | Hints for writing seccomp.drop lines | ||
2 | ==================================== | ||
3 | |||
4 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | ||
5 | @module=delete_module,finit_module,init_module | ||
6 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
7 | @reboot=kexec_load,kexec_file_load,reboot, | ||
8 | @swap=swapon,swapoff | ||
9 | |||
10 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | ||
11 | |||
12 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | ||
13 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | ||
14 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | ||
15 | @resources=set_mempolicy,migrate_pages,move_pages,mbind | ||
16 | |||
17 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore | ||
18 | |||
19 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv | ||
20 | |||
21 | @default-keep=execve,prctl | ||
22 | |||
23 | |||
24 | +---------+----------------+---------------+ | ||
25 | | @clock | @cpu-emulation | @default-keep | | ||
26 | | @module | @debug | | | ||
27 | | @raw-io | @obsolete | | | ||
28 | | @reboot | @resources | | | ||
29 | | @swap | | | | ||
30 | +---------+----------------+---------------+ | ||
31 | : : | ||
32 | +-------------+ : | ||
33 | | @privileged | : | ||
34 | +-------------+ : | ||
35 | : : | ||
36 | +----------+ : | ||
37 | | @default |........: | ||
38 | +----------+ | ||
39 | : | ||
40 | +----------------------+ | ||
41 | | @default-nodebuggers | | ||
42 | +----------------------+ | ||
43 | |||
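Review bot: The `@reboot=` line (line 7) ends with a trailing comma, `...,reboot,`, so anyone pasting that group into a `seccomp.drop` line carries an empty entry along; the other group lines have no trailing separator. Drop it: `@reboot=kexec_load,kexec_file_load,reboot`. The file also does not say whether these `@` groups are ones firejail resolves itself or only an editing aid to expand by hand before writing the directive; a sentence under the heading would save the reader that guess.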