| field | value | date |
|---|---|---|
| author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-01-15 21:51:20 +0100 |
| committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-01-16 07:46:45 +0000 |
| commit | f18124baa4290e658babc6dd0716232e9a474335 | |
| tree | fe598e1bd6f01c1502b6fabf1a93e8eb764439a3 | |
| parent | add realaltffour | |
Add new allow include allow-bin-sh.inc
/bin/sh is usually just a symlink to bash. However, this is not the case
for every distro; Debian for example uses dash. bash, dash and sh have a
blacklist command in disable-shell.inc. A separate allow-*.inc for it
ensures usage of all necessary noblacklists.
For private-bin sh is enough because it follows symlinks.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | etc/inc/allow-bin-sh.inc | 7 |
| -rw-r--r-- | etc/profile-m-z/mpv.profile | 2 |
| -rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 4 |

3 files changed, 9 insertions, 4 deletions
diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc new file mode 100644 index 000000000..d6c295414 --- /dev/null +++ b/etc/inc/allow-bin-sh.inc | |||
@@ -0,0 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-bin-sh.local | ||
4 | |||
5 | noblacklist ${PATH}/bash | ||
6 | noblacklist ${PATH}/dash | ||
7 | noblacklist ${PATH}/sh | ||
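Review bot: the three noblacklist lines (5-7) mirror the bash/dash/sh blacklist that the commit message attributes to disable-shell.inc, but nothing in the new file records that dependency; add a comment such as `# keep in sync with disable-shell.inc` so that a shell later blacklisted there is also allowed here, otherwise /bin/sh silently stops resolving on distros where it points to that shell.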
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 1d87eeb48..7111febc2 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -21,7 +21,7 @@ include globals.local | |||
21 | # - ... | 21 | # - ... |
22 | # | 22 | # |
23 | # Often these scripts require a shell: | 23 | # Often these scripts require a shell: |
24 | #noblacklist ${PATH}/sh | 24 | #include allow-bin-sh.inc |
25 | #private-bin sh | 25 | #private-bin sh |
26 | 26 | ||
27 | noblacklist ${HOME}/.config/mpv | 27 | noblacklist ${HOME}/.config/mpv |
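Review bot: line 24 swaps the commented hint from `#noblacklist ${PATH}/sh` to `#include allow-bin-sh.inc`, but the comment on line 23 gives no reason, so a user who already carries `noblacklist ${PATH}/sh` in their mpv.local will not see why it is insufficient; extend line 23 with a short note that sh is a symlink to bash or dash depending on the distro and that the include noblacklists the symlink target as well.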
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index acef622c2..c12fc9a78 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
@@ -12,9 +12,7 @@ blacklist ${RUNUSER} | |||
12 | 12 | ||
13 | ignore noexec ${HOME} | 13 | ignore noexec ${HOME} |
14 | 14 | ||
15 | noblacklist ${PATH}/bash | 15 | include allow-bin-sh.inc |
16 | noblacklist ${PATH}/dash | ||
17 | noblacklist ${PATH}/sh | ||
18 | 16 | ||
19 | include disable-common.inc | 17 | include disable-common.inc |
20 | include disable-exec.inc | 18 | include disable-exec.inc |
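Review bot: the include on line 15 replaces the three noblacklist lines and stays ahead of the disable-*.inc includes on lines 17-18, which preserves the profile convention that a noblacklist precedes the matching blacklist; however, this hunk does not show disable-shell.inc, the file the commit message says holds the bash/dash/sh blacklist, being included by this profile, so confirm it is included further down, otherwise the new include has no effect here.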