author | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2020-08-15 17:27:10 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-15 17:27:10 -0500 |
commit | 5d741795c3bb2060730e282a8f512b999418e098 (patch) | |
tree | 8ff4e8937c10e995b54869ff82effbc73b888fca | |
parent | Merge pull request #3559 from smitsohu/smitsohu-bandwidth (diff) | |
Use whitelisting for video players (#3472)
* Use whitelisting for video players
See https://github.com/netblue30/firejail/pull/3469
* Update media player whitelists
See reviews at https://github.com/netblue30/firejail/pull/3472
Block $DOCUMENTS
Make $DESKTOP read-only
* Review fixes: include read-only Desktop in whitelist
-rw-r--r-- | etc/profile-a-l/celluloid.profile | 16 | ||||
-rw-r--r-- | etc/profile-m-z/mplayer.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/mpv.profile | 22 | ||||
-rw-r--r-- | etc/profile-m-z/totem.profile | 15 | ||||
-rw-r--r-- | etc/profile-m-z/vlc.profile | 16 | ||||
-rw-r--r-- | etc/profile-m-z/xplayer.profile | 14 |
6 files changed, 74 insertions, 22 deletions
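--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.config/celluloid
 noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +20,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/celluloid
+mkdir ${HOME}/.config/gnome-mpv
+mkdir ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/celluloid
+whitelist ${HOME}/.config/gnome-mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc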
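Review bot: `whitelist ${DOWNLOADS}` and `whitelist ${PICTURES}` in the second hunk open two directories this profile did not previously expose: the removed `include disable-xdg.inc` blacklisted them (if I recall that include correctly) and neither was ever noblacklisted here, while the commit message only records blocking ${DOCUMENTS} and making ${DESKTOP} read-only. If the player genuinely needs them (opening downloaded media, saving screenshots), a comment on those two lines such as `# Downloads/Pictures were hidden by disable-xdg.inc before; allowed for downloaded media and screenshots` records the decision; otherwise dropping them keeps the whitelist to what was reachable before. The same two lines are new in the mplayer, vlc and xplayer sections, and `whitelist ${DOWNLOADS}` alone is new in mpv and totem, which already noblacklisted ${PICTURES}.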
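--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -7,8 +7,6 @@ include mplayer.local
 include globals.local
 
 noblacklist ${HOME}/.mplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +14,16 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.mplayer
+whitelist ${HOME}/.mplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -36,4 +42,3 @@ shell none
 private-bin mplayer
 private-dev
 private-tmp
-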
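--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -7,6 +7,10 @@ include mpv.local
 # Persistent global definitions
 include globals.local
 
+# In order to save screenshots to a persistent location,
+# edit ~/.config/mpv/foobar.conf:
+# screenshot-directory=~/Pictures
+
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
@@ -17,10 +21,6 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,8 +28,20 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkdir ${HOME}/.netrc
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.netrc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan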
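Review bot: `mkdir ${HOME}/.netrc` in the third hunk creates a directory at a path that is a plain file: on a machine where the user has no ~/.netrc yet, the first sandboxed run leaves a stray directory in the real home that then prevents mpv or youtube-dl from ever reading a real .netrc, and the profile language has `mkfile` for exactly this case, so the line should read `mkfile ${HOME}/.netrc`. Whitelisting that file also hands every credential stored in it to the sandboxed player; this was already the case through the retained `noblacklist ${HOME}/.netrc`, but a one-line comment above it, `# ~/.netrc: presumably for youtube-dl logins; drop via mpv.local if not needed`, would let readers make that call. Separately, the new comment in the first hunk points at `~/.config/mpv/foobar.conf`; if that is a placeholder, naming mpv's actual config file (mpv.conf) avoids sending users to a file that does not exist.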
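--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -14,9 +14,6 @@ include allow-python3.inc
 
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,8 +22,18 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/totem
+mkdir ${HOME}/.local/share/totem
+whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.local/share/totem
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable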
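Review bot: The `mkdir` lines that precede each `whitelist` in the second hunk carry no explanation, and the pairing is not obvious to someone new to profile writing: a whitelist entry whose target does not exist yet is skipped (if I remember the whitelist semantics correctly), so without the mkdir a first-time user would get a sandbox in which totem's config and data directories are missing and settings written there do not survive the session. A one-line comment above the block, `# whitelist skips paths that do not exist; create the config dirs first so settings persist`, would make the intent self-explanatory. The same unexplained pattern appears in the celluloid, mplayer, mpv, vlc and xplayer sections.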
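--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +16,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access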
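--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -7,8 +7,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +18,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/xplayer
+mkdir ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.config/xplayer
+whitelist ${HOME}/.local/share/xplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable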