Merge branch 'netblue30:master' into linuxqq

author: glitsj16 <glitsj16@users.noreply.github.com> 2023-01-04 18:51:36 +0000
committer: GitHub <noreply@github.com> 2023-01-04 18:51:36 +0000
commit: 86b4561ffbb27fc943a1ceb95ea7eecf149d36a7 (patch)
tree: f5380e6c00f8ce5a0aa6832f07813bd556304428
parent: linuxqq: drop comment (diff)
parent: Merge pull request #5564 from glitsj16/claws-mail+sylpheed (diff)
download: firejail-86b4561ffbb27fc943a1ceb95ea7eecf149d36a7.tar.gz
firejail-86b4561ffbb27fc943a1ceb95ea7eecf149d36a7.tar.zst
firejail-86b4561ffbb27fc943a1ceb95ea7eecf149d36a7.zip
13 files changed, 154 insertions, 8 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 1ea77495b..7d7f84d4b 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -116,6 +116,7 @@ blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/fractal
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/gdfuse
 blacklist ${HOME}/.cache/geary
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gegl-0.4
@@ -437,6 +438,7 @@ blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/gallery-dl
 blacklist ${HOME}/.config/gconf
+blacklist ${HOME}/.config/gdfuse
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/geary
 blacklist ${HOME}/.config/gedit
@@ -709,6 +711,7 @@ blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.g8
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.gdfuse
 blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
@@ -877,6 +880,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/calligragemini
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.local/share/contacts
@@ -898,6 +902,7 @@ blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/five-or-more
 blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.local/share/gdfuse
 blacklist ${HOME}/.local/share/geary
 blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
new file mode 100644
index 000000000..4dfd85740
--- /dev/null
+++ b/etc/profile-a-l/chatterino.profile
@@ -0,0 +1,92 @@
+# Firejail profile for Chatterino
+# Description: Chat client for https://twitch.tv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chatterino.local
+# Persistent global definitions
+include globals.local
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${PICTURES}
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${MUSIC}
+# Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/pulse
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/chatterino
+noblacklist ${HOME}/.local/share/vlc
+# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+# Also allow read-only access to mpv/VLC, they're usable via streamlink.
+mkdir ${HOME}/.local/share/chatterino
+# VLC preferences will fail to save with read-only set.
+whitelist ${HOME}/.local/share/chatterino
+whitelist-ro ${HOME}/.config/mpv
+whitelist-ro ${HOME}/.config/pulse
+whitelist-ro ${HOME}/.config/vlc
+whitelist-ro ${HOME}/.local/share/vlc
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+# Netlink is required for streamlink integration.
+protocol unix,inet,inet6,netlink
+# Seccomp may break browser integration.
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
+private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc
+# private-cache may cause issues with mpv (see #2838)
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-srv none
+private-tmp
+dbus-user filter
+dbus-user.own com.chatterino.*
+# Allow notifications.
+dbus-user.talk org.freedesktop.Notifications
+# For media player integration.
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.mpris.MediaPlayer2.chatterino
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
+# Prevents browsers/players from lingering after Chatterino is closed.
+#deterministic-shutdown
+# memory-deny-write-execute may break streamlink and browser integration.
+#memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 691657fa0..ce7b30122 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -1,5 +1,5 @@
 # Firejail profile for claws-mail
-# Description: Fast, lightweight and user-friendly GTK+2 based email client
+# Description: Fast, lightweight and user-friendly GTK based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include claws-mail.local
@@ -22,9 +22,15 @@ whitelist /usr/share/doc/claws-mail
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.gnome.keyring.SystemPrompter
 # Add the next line to your claws-mail.local if you use the notification plugin.
 # dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring
+dbus-user.talk org.gnome.keyring.PrivatePrompter
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-user.talk org.gnome.seahorse
+dbus-user.talk org.gnome.seahorse.Application
+dbus-user.talk org.mozilla.*
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/electron-hardened.inc.profile b/etc/profile-a-l/electron-hardened.inc.profile
new file mode 100644
index 000000000..eacf5cebe
--- /dev/null
+++ b/etc/profile-a-l/electron-hardened.inc.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for chrome-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+# Redirect
+include chrome-common-hardened.inc.profile
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index c1d337abd..c15e43399 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -22,8 +22,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
+# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc.profile
+#include electron-hardened.inc.profile
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 13313cb67..60d64736e 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -35,6 +35,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 328812b04..483ff39a8 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -17,10 +17,11 @@ whitelist /usr/share/sylpheed
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
-dbus-user.talk org.gnome.keyring.SystemPrompter
 # Add the next line to your sylpheed.local to enable notifications.
 # dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-user.talk org.mozilla.*
 # Redirect
 include email-common.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index 59b6e2543..aa466871c 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -1,5 +1,5 @@
 # Firejail profile for ytmdesktop
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 788c150be..793ec9a52 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -130,6 +130,7 @@ catfish
 cawbird
 celluloid
 chafa
+chatterino
 checkbashisms
 cheese
 cherrytree
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 776649131..4fe3a5974 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
 extern int arg_apparmor;        // apparmor
 extern char *apparmor_profile;  // apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
 extern int arg_x11_xorg;        // use X11 security extension
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c95964503..18e9ae651 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0;		// writable /var/log
 int arg_appimage = 0;                           // appimage
 int arg_apparmor = 0;                           // apparmor
 char *apparmor_profile = NULL;  // apparmor profile
+bool apparmor_replace = false;  // apparmor profile
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
 int arg_x11_xorg = 0;                           // use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
                        arg_apparmor = 1;
                        apparmor_profile = argv[i] + 11;
                }
+                else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+                        arg_apparmor = 1;
+                        apparmor_replace = true;
+                }
 #endif
                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4e6ebdbca..acf206da6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -966,6 +966,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+                arg_apparmor = 1;
+                apparmor_replace = true;
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+                arg_apparmor = 1;
+                apparmor_replace = false;
+#endif
+                return 0;
+        }
        if (strncmp(ptr, "protocol ", 9) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        const char *add = ptr + 9;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index bae189a0d..77fe73174 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
        EUID_ASSERT();
        if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-                if (aa_stack_onexec(apparmor_profile)) {
+                int res = 0;
+                if(apparmor_replace){
+                        fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+                        res = aa_change_onexec(apparmor_profile);
+                } else {
+                        res = aa_stack_onexec(apparmor_profile);
+                }
+                if (res) {
                        fwarning("Cannot confine the application using AppArmor.\n"
                                "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
                                "As root, run \"aa-enforce firejail-default\" to load it.\n");
author	glitsj16 <glitsj16@users.noreply.github.com>	2023-01-04 18:51:36 +0000
committer	GitHub <noreply@github.com>	2023-01-04 18:51:36 +0000
commit	86b4561ffbb27fc943a1ceb95ea7eecf149d36a7 (patch)
tree	f5380e6c00f8ce5a0aa6832f07813bd556304428
parent	linuxqq: drop comment (diff)
parent	Merge pull request #5564 from glitsj16/claws-mail+sylpheed (diff)
download	firejail-86b4561ffbb27fc943a1ceb95ea7eecf149d36a7.tar.gz firejail-86b4561ffbb27fc943a1ceb95ea7eecf149d36a7.tar.zst firejail-86b4561ffbb27fc943a1ceb95ea7eecf149d36a7.zip

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 1ea77495b..7d7f84d4b 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -116,6 +116,7 @@ blacklist ${HOME}/.cache/fossamail
116	blacklist ${HOME}/.cache/fractal	116	blacklist ${HOME}/.cache/fractal
117	blacklist ${HOME}/.cache/freecol	117	blacklist ${HOME}/.cache/freecol
118	blacklist ${HOME}/.cache/gajim	118	blacklist ${HOME}/.cache/gajim
		119	blacklist ${HOME}/.cache/gdfuse
119	blacklist ${HOME}/.cache/geary	120	blacklist ${HOME}/.cache/geary
120	blacklist ${HOME}/.cache/geeqie	121	blacklist ${HOME}/.cache/geeqie
121	blacklist ${HOME}/.cache/gegl-0.4	122	blacklist ${HOME}/.cache/gegl-0.4
@@ -437,6 +438,7 @@ blacklist ${HOME}/.config/gajim
437	blacklist ${HOME}/.config/galculator	438	blacklist ${HOME}/.config/galculator
438	blacklist ${HOME}/.config/gallery-dl	439	blacklist ${HOME}/.config/gallery-dl
439	blacklist ${HOME}/.config/gconf	440	blacklist ${HOME}/.config/gconf
		441	blacklist ${HOME}/.config/gdfuse
440	blacklist ${HOME}/.config/geany	442	blacklist ${HOME}/.config/geany
441	blacklist ${HOME}/.config/geary	443	blacklist ${HOME}/.config/geary
442	blacklist ${HOME}/.config/gedit	444	blacklist ${HOME}/.config/gedit
@@ -709,6 +711,7 @@ blacklist ${HOME}/.frozen-bubble
709	blacklist ${HOME}/.funnyboat	711	blacklist ${HOME}/.funnyboat
710	blacklist ${HOME}/.g8	712	blacklist ${HOME}/.g8
711	blacklist ${HOME}/.gallery-dl.conf	713	blacklist ${HOME}/.gallery-dl.conf
		714	blacklist ${HOME}/.gdfuse
712	blacklist ${HOME}/.geekbench5	715	blacklist ${HOME}/.geekbench5
713	blacklist ${HOME}/.gimp*	716	blacklist ${HOME}/.gimp*
714	blacklist ${HOME}/.gist	717	blacklist ${HOME}/.gist
@@ -877,6 +880,7 @@ blacklist ${HOME}/.local/share/caja-python
877	blacklist ${HOME}/.local/share/calligragemini	880	blacklist ${HOME}/.local/share/calligragemini
878	blacklist ${HOME}/.local/share/cantata	881	blacklist ${HOME}/.local/share/cantata
879	blacklist ${HOME}/.local/share/cdprojektred	882	blacklist ${HOME}/.local/share/cdprojektred
		883	blacklist ${HOME}/.local/share/chatterino
880	blacklist ${HOME}/.local/share/clipit	884	blacklist ${HOME}/.local/share/clipit
881	blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate	885	blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
882	blacklist ${HOME}/.local/share/contacts	886	blacklist ${HOME}/.local/share/contacts
@@ -898,6 +902,7 @@ blacklist ${HOME}/.local/share/feral-interactive
898	blacklist ${HOME}/.local/share/five-or-more	902	blacklist ${HOME}/.local/share/five-or-more
899	blacklist ${HOME}/.local/share/freecol	903	blacklist ${HOME}/.local/share/freecol
900	blacklist ${HOME}/.local/share/gajim	904	blacklist ${HOME}/.local/share/gajim
		905	blacklist ${HOME}/.local/share/gdfuse
901	blacklist ${HOME}/.local/share/geary	906	blacklist ${HOME}/.local/share/geary
902	blacklist ${HOME}/.local/share/geeqie	907	blacklist ${HOME}/.local/share/geeqie
903	blacklist ${HOME}/.local/share/ghostwriter	908	blacklist ${HOME}/.local/share/ghostwriter


diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile new file mode 100644 index 000000000..4dfd85740 --- /dev/null +++ b/etc/profile-a-l/chatterino.profile
@@ -0,0 +1,92 @@
		1	# Firejail profile for Chatterino
		2	# Description: Chat client for https://twitch.tv
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include chatterino.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	# To upload images, whitelist/noblacklist their path in chatterino.local.
		10	#whitelist ${PICTURES}
		11	# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
		12	#whitelist ${MUSIC}
		13
		14	# Also allow access to mpv/vlc, they're usable via streamlink.
		15	noblacklist ${HOME}/.config/mpv
		16	noblacklist ${HOME}/.config/pulse
		17	noblacklist ${HOME}/.config/vlc
		18	noblacklist ${HOME}/.local/share/chatterino
		19	noblacklist ${HOME}/.local/share/vlc
		20
		21	# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
		22	include allow-lua.inc
		23
		24	# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
		25	include allow-python3.inc
		26
		27	include disable-common.inc
		28	include disable-devel.inc
		29	include disable-exec.inc
		30	include disable-interpreters.inc
		31	include disable-proc.inc
		32	include disable-programs.inc
		33	include disable-xdg.inc
		34
		35	# Also allow read-only access to mpv/VLC, they're usable via streamlink.
		36	mkdir ${HOME}/.local/share/chatterino
		37	# VLC preferences will fail to save with read-only set.
		38	whitelist ${HOME}/.local/share/chatterino
		39	whitelist-ro ${HOME}/.config/mpv
		40	whitelist-ro ${HOME}/.config/pulse
		41	whitelist-ro ${HOME}/.config/vlc
		42	whitelist-ro ${HOME}/.local/share/vlc
		43	include whitelist-common.inc
		44	include whitelist-run-common.inc
		45	include whitelist-runuser-common.inc
		46	include whitelist-usr-share-common.inc
		47	include whitelist-var-common.inc
		48
		49	# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
		50	#apparmor
		51	caps.drop all
		52	netfilter
		53	nodvd
		54	nogroups
		55	nonewprivs
		56	noprinters
		57	noroot
		58	notv
		59	nou2f
		60	# Netlink is required for streamlink integration.
		61	protocol unix,inet,inet6,netlink
		62	# Seccomp may break browser integration.
		63	seccomp
		64	seccomp.block-secondary
		65	tracelog
		66
		67	disable-mnt
		68	# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
		69	private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc
		70	# private-cache may cause issues with mpv (see #2838)
		71	private-cache
		72	private-dev
		73	private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
		74	private-srv none
		75	private-tmp
		76
		77	dbus-user filter
		78	dbus-user.own com.chatterino.*
		79	# Allow notifications.
		80	dbus-user.talk org.freedesktop.Notifications
		81	# For media player integration.
		82	dbus-user.talk org.freedesktop.ScreenSaver
		83	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
		84	dbus-user.own org.mpris.MediaPlayer2.chatterino
		85	dbus-user.talk org.mpris.MediaPlayer2.Player
		86	dbus-system none
		87
		88	# Prevents browsers/players from lingering after Chatterino is closed.
		89	#deterministic-shutdown
		90	# memory-deny-write-execute may break streamlink and browser integration.
		91	#memory-deny-write-execute
		92	restrict-namespaces


diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index 691657fa0..ce7b30122 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile
@@ -1,5 +1,5 @@
1	# Firejail profile for claws-mail	1	# Firejail profile for claws-mail
2	# Description: Fast, lightweight and user-friendly GTK+2 based email client	2	# Description: Fast, lightweight and user-friendly GTK based email client
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Persistent local customizations	4	# Persistent local customizations
5	include claws-mail.local	5	include claws-mail.local
@@ -22,9 +22,15 @@ whitelist /usr/share/doc/claws-mail
22		22
23	dbus-user filter	23	dbus-user filter
24	dbus-user.talk ca.desrt.dconf	24	dbus-user.talk ca.desrt.dconf
25	dbus-user.talk org.gnome.keyring.SystemPrompter
26	# Add the next line to your claws-mail.local if you use the notification plugin.	25	# Add the next line to your claws-mail.local if you use the notification plugin.
27	# dbus-user.talk org.freedesktop.Notifications	26	# dbus-user.talk org.freedesktop.Notifications
		27	dbus-user.talk org.freedesktop.secrets
		28	dbus-user.talk org.gnome.keyring
		29	dbus-user.talk org.gnome.keyring.PrivatePrompter
		30	dbus-user.talk org.gnome.keyring.SystemPrompter
		31	dbus-user.talk org.gnome.seahorse
		32	dbus-user.talk org.gnome.seahorse.Application
		33	dbus-user.talk org.mozilla.*
28		34
29	# Redirect	35	# Redirect
30	include email-common.profile	36	include email-common.profile


diff --git a/etc/profile-a-l/electron-hardened.inc.profile b/etc/profile-a-l/electron-hardened.inc.profile new file mode 100644 index 000000000..eacf5cebe --- /dev/null +++ b/etc/profile-a-l/electron-hardened.inc.profile
@@ -0,0 +1,10 @@
		1	# Firejail profile alias for chrome-common-hardened.inc
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include electron-hardened.inc.local
		5	# Persistent global definitions
		6	# added by caller profile
		7	#include globals.local
		8
		9	# Redirect
		10	include chrome-common-hardened.inc.profile


diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index c1d337abd..c15e43399 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile
@@ -22,8 +22,8 @@ include whitelist-runuser-common.inc
22	include whitelist-usr-share-common.inc	22	include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc	23	include whitelist-var-common.inc
24		24
25	# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.	25	# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
26	#include chromium-common-hardened.inc.profile	26	#include electron-hardened.inc.profile
27		27
28	apparmor	28	apparmor
29	caps.keep sys_admin,sys_chroot	29	caps.keep sys_admin,sys_chroot


diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 13313cb67..60d64736e 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile
@@ -35,6 +35,8 @@ include whitelist-runuser-common.inc
35	include whitelist-var-common.inc	35	include whitelist-var-common.inc
36		36
37	apparmor	37	apparmor
		38	# Fixme!
		39	apparmor-replace
38	caps.drop all	40	caps.drop all
39	# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.	41	# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
40	#machine-id	42	#machine-id


diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile index 328812b04..483ff39a8 100644 --- a/etc/profile-m-z/sylpheed.profile +++ b/etc/profile-m-z/sylpheed.profile
@@ -17,10 +17,11 @@ whitelist /usr/share/sylpheed
17		17
18	dbus-user filter	18	dbus-user filter
19	dbus-user.talk ca.desrt.dconf	19	dbus-user.talk ca.desrt.dconf
20	dbus-user.talk org.freedesktop.secrets
21	dbus-user.talk org.gnome.keyring.SystemPrompter
22	# Add the next line to your sylpheed.local to enable notifications.	20	# Add the next line to your sylpheed.local to enable notifications.
23	# dbus-user.talk org.freedesktop.Notifications	21	# dbus-user.talk org.freedesktop.Notifications
		22	dbus-user.talk org.freedesktop.secrets
		23	dbus-user.talk org.gnome.keyring.SystemPrompter
		24	dbus-user.talk org.mozilla.*
24		25
25	# Redirect	26	# Redirect
26	include email-common.profile	27	include email-common.profile


diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index 59b6e2543..aa466871c 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile
@@ -1,5 +1,5 @@
1	# Firejail profile for ytmdesktop	1	# Firejail profile for ytmdesktop
2	# Description: Unofficial electron based desktop warpper for YouTube Music	2	# Description: Unofficial electron based desktop wrapper for YouTube Music
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Persistent local customizations	4	# Persistent local customizations
5	include youtube.local	5	include youtube.local


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 788c150be..793ec9a52 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -130,6 +130,7 @@ catfish
130	cawbird	130	cawbird
131	celluloid	131	celluloid
132	chafa	132	chafa
		133	chatterino
133	checkbashisms	134	checkbashisms
134	cheese	135	cheese
135	cherrytree	136	cherrytree


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 776649131..4fe3a5974 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
339	extern int arg_appimage; // appimage	339	extern int arg_appimage; // appimage
340	extern int arg_apparmor; // apparmor	340	extern int arg_apparmor; // apparmor
341	extern char *apparmor_profile; // apparmor profile	341	extern char *apparmor_profile; // apparmor profile
		342	extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
342	extern int arg_allow_debuggers; // allow debuggers	343	extern int arg_allow_debuggers; // allow debuggers
343	extern int arg_x11_block; // block X11	344	extern int arg_x11_block; // block X11
344	extern int arg_x11_xorg; // use X11 security extension	345	extern int arg_x11_xorg; // use X11 security extension


diff --git a/src/firejail/main.c b/src/firejail/main.c index c95964503..18e9ae651 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log
134	int arg_appimage = 0; // appimage	134	int arg_appimage = 0; // appimage
135	int arg_apparmor = 0; // apparmor	135	int arg_apparmor = 0; // apparmor
136	char *apparmor_profile = NULL; // apparmor profile	136	char *apparmor_profile = NULL; // apparmor profile
		137	bool apparmor_replace = false; // apparmor profile
137	int arg_allow_debuggers = 0; // allow debuggers	138	int arg_allow_debuggers = 0; // allow debuggers
138	int arg_x11_block = 0; // block X11	139	int arg_x11_block = 0; // block X11
139	int arg_x11_xorg = 0; // use X11 security extension	140	int arg_x11_xorg = 0; // use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char argv, char envp) {
1383	arg_apparmor = 1;	1384	arg_apparmor = 1;
1384	apparmor_profile = argv[i] + 11;	1385	apparmor_profile = argv[i] + 11;
1385	}	1386	}
		1387	else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
		1388	arg_apparmor = 1;
		1389	apparmor_replace = true;
		1390	}
1386	#endif	1391	#endif
1387	else if (strncmp(argv[i], "--protocol=", 11) == 0) {	1392	else if (strncmp(argv[i], "--protocol=", 11) == 0) {
1388	if (checkcfg(CFG_SECCOMP)) {	1393	if (checkcfg(CFG_SECCOMP)) {


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4e6ebdbca..acf206da6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -966,6 +966,22 @@ int profile_check_line(char ptr, int lineno, const char fname) {
966	return 0;	966	return 0;
967	}	967	}
968		968
		969	if (strcmp(ptr, "apparmor-replace") == 0) {
		970	#ifdef HAVE_APPARMOR
		971	arg_apparmor = 1;
		972	apparmor_replace = true;
		973	#endif
		974	return 0;
		975	}
		976
		977	if (strcmp(ptr, "apparmor-stack") == 0) {
		978	#ifdef HAVE_APPARMOR
		979	arg_apparmor = 1;
		980	apparmor_replace = false;
		981	#endif
		982	return 0;
		983	}
		984
969	if (strncmp(ptr, "protocol ", 9) == 0) {	985	if (strncmp(ptr, "protocol ", 9) == 0) {
970	if (checkcfg(CFG_SECCOMP)) {	986	if (checkcfg(CFG_SECCOMP)) {
971	const char *add = ptr + 9;	987	const char *add = ptr + 9;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index bae189a0d..77fe73174 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
130	static void set_apparmor(void) {	130	static void set_apparmor(void) {
131	EUID_ASSERT();	131	EUID_ASSERT();
132	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {	132	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
133	if (aa_stack_onexec(apparmor_profile)) {	133	int res = 0;
		134	if(apparmor_replace){
		135	fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
		136	res = aa_change_onexec(apparmor_profile);
		137	} else {
		138	res = aa_stack_onexec(apparmor_profile);
		139	}
		140	if (res) {
134	fwarning("Cannot confine the application using AppArmor.\n"	141	fwarning("Cannot confine the application using AppArmor.\n"
135	"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"	142	"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
136	"As root, run \"aa-enforce firejail-default\" to load it.\n");	143	"As root, run \"aa-enforce firejail-default\" to load it.\n");