author | glitsj16 <glitsj16@users.noreply.github.com> | 2020-01-18 23:29:09 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-18 23:29:09 +0000 |
commit | 789c30eb984ea638735726e39f2e65fbc25c989e (patch) | |
tree | 508e45f6a4328304a3ab19d82de1ecb4c155c667 | |
parent | Update SECURITY.md (diff) | |
fixes for 'blacklist ${RUNUSER}/wayland-*' (#3166)
* unbreak audio-recorder
Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their audio-recorder.local.
* unbreak ddgtk
Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their ddgtk.local.
* unbreak and harden gconf-editor
Support both X11 and Wayland by default. Also whitelist /usr/share/gconf-editor for wusc.
* unbreak seahorse
Support both X11 and Wayland by default.
* add blacklist ${RUNUSER}/wayland-* to dnscrypt-proxy
-rw-r--r-- | etc/audio-recorder.profile | 3 | ||||
-rw-r--r-- | etc/ddgtk.profile | 3 | ||||
-rw-r--r-- | etc/dnscrypt-proxy.profile | 1 | ||||
-rw-r--r-- | etc/gconf-editor.profile | 4 | ||||
-rw-r--r-- | etc/seahorse.profile | 1 |
5 files changed, 3 insertions, 9 deletions
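--- a/etc/audio-recorder.profile
+++ b/etc/audio-recorder.profile
@@ -7,8 +7,6 @@ include audio-recorder.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 noblacklist ${MUSIC}
 
 include disable-common.inc
@@ -42,7 +40,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-x11 none
 
 disable-mnt
 # private-bin audio-recorder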
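Review bot: With both `blacklist ${RUNUSER}/wayland-*` and `x11 none` removed, the profile no longer limits display-server access at all, and nothing in the file tells a user how to restore that limit. The commit message says either line can go into audio-recorder.local, but that guidance lives only in the commit log. I would leave a hint where the blacklist stood, for example `# Add 'x11 none' (Wayland session) or 'blacklist ${RUNUSER}/wayland-*' (X11 session) to audio-recorder.local to limit display access.` It matters because a sandboxed program that can reach the X11 display can generally observe input and window contents of other clients on it. The same removals and the same missing hint apply to etc/ddgtk.profile.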
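--- a/etc/ddgtk.profile
+++ b/etc/ddgtk.profile
@@ -6,8 +6,6 @@ include ddgtk.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -45,7 +43,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-x11 none
 
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr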
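--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -8,6 +8,7 @@ include dnscrypt-proxy.local
 include globals.local
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 noblacklist /sbin
 noblacklist /usr/sbin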
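--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -8,9 +8,9 @@ include gconf-editor.local
 #include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 
-ignore net none
+whitelist /usr/share/gconf-editor
+
 ignore x11 none
 
 # Redirect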
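Review bot: `blacklist /tmp/.X11-unix` stays in the context directly above the changed lines, which does not match the commit message's "Support both X11 and Wayland by default"; etc/seahorse.profile keeps the same line under the same claim. If X11 is expected to keep working through the abstract socket, the path blacklist adds little isolation and the profile should say so, e.g. `# /tmp/.X11-unix is blacklisted; X11 sessions presumably connect via the abstract socket`. Dropping `ignore net none` also lets any `net none` set by the redirected profile take effect; that include follows `# Redirect` and is outside this hunk. A separate network namespace cuts off abstract sockets as well, so it is worth confirming the program still starts on an X11 session.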
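--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -7,7 +7,6 @@ include seahorse.local
 include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh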