author | netblue30 <netblue30@yahoo.com> | 2016-10-25 12:26:17 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-10-25 12:26:17 -0400 |
commit | b588020b4540480fdd3aaa11da8bd472b2dfdb60 (patch) | |
tree | f756c69ad1ca949e32037071640b9ae9e15c2538 | |
parent | Merge pull request #871 from Fred-Barclay/alphabetise (diff) | |
fixes
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 27 |
2 files changed, 24 insertions, 5 deletions
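--- a/README
+++ b/README
@@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich)
 - added --join-or-start command
 - CVE-2016-7545
 Fred-Barclay (https://github.com/Fred-Barclay)
+- lots of profile fixes
 - added Vivaldi, Atril profiles
 - added PaleMoon profile
 - split Icedove and Thunderbird profiles
@@ -83,6 +84,7 @@ valoq (https://github.com/valoq)
 - cherrytree profile fixes
 - added support for /srv in --whitelist feature
 - Eye of GNOME and Evolution profiles
+- blacklist suid binaries in disable-common.inc
 Rafael Cavalcanti (https://github.com/rccavalcanti)
 - chromium profile fixes for Arch Linux
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)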
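--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -137,6 +137,11 @@ blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
 
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
 # system management
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
@@ -149,11 +154,23 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
-
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/ping
+blacklist ${PATH}/unix_chkpwd
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*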
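Review bot: The seventeen entries added after `blacklist ${PATH}/ncat` in the second hunk sit under the existing `# system management` heading with no comment saying they are setuid/setgid helpers, so a later maintainer cannot tell what criterion puts a binary on this list; a heading such as `# setuid/setgid binaries` before `blacklist ${PATH}/gpasswd` would record it. Because this is a by-name denylist, any privileged helper that is not named here, or that is installed outside the directories `${PATH}` expands to, stays reachable inside the sandbox, so profiles that need the guarantee should presumably still set `nonewprivs` and `caps.drop all` rather than depend on this include alone. `ping` is the one new entry that ordinary applications plausibly invoke, so it is worth confirming that no profile including disable-common.inc relies on it.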