author | netblue30 <netblue30@yahoo.com> | 2016-11-20 11:19:25 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-20 11:19:25 -0500 |
commit | aaa9bcb02fae1eb9ffb765080d6b466f52918285 (patch) | |
tree | 9cca4deb274e5d4270bb2782cd4b69e740ae90f1 | |
parent | Merge pull request #924 from valoq/master (diff) | |
profiles
-rw-r--r-- | README | 34 | ||||
-rw-r--r-- | etc/default.profile | 7 | ||||
-rw-r--r-- | etc/mupdf.profile | 8 | ||||
-rw-r--r-- | src/fseccomp/main.c | 4 |
4 files changed, 31 insertions, 22 deletions
@@ -80,6 +80,25 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
80 | - evince profile enhancement | 80 | - evince profile enhancement |
81 | - tightened Spotify profile | 81 | - tightened Spotify profile |
82 | - added xiphos and Tor Browser Bundle profiles | 82 | - added xiphos and Tor Browser Bundle profiles |
83 | valoq (https://github.com/valoq) | ||
84 | - lots of profile fixes | ||
85 | - added support for /srv in --whitelist feature | ||
86 | - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles | ||
87 | - blacklist suid binaries in disable-common.inc | ||
88 | - fix man pages | ||
89 | - added keypass2, qemu profiles | ||
90 | - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles | ||
91 | - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles | ||
92 | - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles | ||
93 | - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles | ||
94 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | ||
95 | Vasya Novikov (https://github.com/vn971) | ||
96 | - Wesnoth profile | ||
97 | - Hedegewars profile | ||
98 | - manpage fixes | ||
99 | - fixed firecfg clean/clear issue | ||
100 | - found the ugliest bug so far | ||
101 | - seccomp debug description in man page | ||
83 | curiosity-seeker (https://github.com/curiosity-seeker) | 102 | curiosity-seeker (https://github.com/curiosity-seeker) |
84 | - tightening unbound and dnscrypt-proxy profiles | 103 | - tightening unbound and dnscrypt-proxy profiles |
85 | - dnsmasq profile | 104 | - dnsmasq profile |
@@ -95,15 +114,6 @@ BogDan Vatra (https://github.com/bog-dan-ro) | |||
95 | - zoom profile | 114 | - zoom profile |
96 | Impyy (https://github.com/Impyy) | 115 | Impyy (https://github.com/Impyy) |
97 | - added mumble profile | 116 | - added mumble profile |
98 | valoq (https://github.com/valoq) | ||
99 | - LibreOffice profile fixes | ||
100 | - cherrytree profile fixes | ||
101 | - added support for /srv in --whitelist feature | ||
102 | - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles | ||
103 | - blacklist suid binaries in disable-common.inc | ||
104 | - fix man pages | ||
105 | - various profile improvements | ||
106 | - added keypass2, qemu profiles | ||
107 | Vadim A. Misbakh-Soloviov (https://github.com/msva) | 117 | Vadim A. Misbakh-Soloviov (https://github.com/msva) |
108 | - profile fixes | 118 | - profile fixes |
109 | Rafael Cavalcanti (https://github.com/rccavalcanti) | 119 | Rafael Cavalcanti (https://github.com/rccavalcanti) |
@@ -196,12 +206,6 @@ avoidr (https://github.com/avoidr) | |||
196 | - various other fixes | 206 | - various other fixes |
197 | Ruan (https://github.com/ruany) | 207 | Ruan (https://github.com/ruany) |
198 | - fixed hexchat profile | 208 | - fixed hexchat profile |
199 | Vasya Novikov (https://github.com/vn971) | ||
200 | - Wesnoth profile | ||
201 | - Hedegewars profile | ||
202 | - manpage fixes | ||
203 | - fixed firecfg clean/clear issue | ||
204 | - found the ugliest bug so far | ||
205 | Matthew Gyurgyik (https://github.com/pyther) | 209 | Matthew Gyurgyik (https://github.com/pyther) |
206 | - rpm spec and several fixes | 210 | - rpm spec and several fixes |
207 | Joan Figueras (https://github.com/figue) | 211 | Joan Figueras (https://github.com/figue) |
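--- a/etc/default.profile
+++ b/etc/default.profile
@@ -7,13 +7,16 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-shell none
 
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
 # private-bin program
 # private-etc none
 # private-dev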
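Review bot: Every program that falls back to this default profile now keeps its supplementary groups and is started through a shell rather than directly, yet the comment added at new lines 15-17 gives no reason for moving `nogroups` and `shell none` out of the enforced set, so a user tuning a profile cannot tell whether the relaxation was a compatibility fix or an oversight. Record the trade-off next to the options, e.g. `# nogroups and shell none are commented out because some programs need their supplementary groups or a shell wrapper; re-enable them where the program works without` (hedged: the actual breakage that motivated this is not visible in the hunk). The same comment has a typo, `depending on you usage` should read `depending on your usage`.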
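--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -16,9 +16,6 @@ net none
 shell none
 tracelog
 
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-
-private-bin mupdf,sh,tempfile,rm
 private-tmp
 private-dev
 private-etc fonts
@@ -26,3 +23,8 @@ private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
 
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm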
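Review bot: Demoting `private-bin mupdf,sh,tempfile,rm` to a commented-out line under `# Experimental:` (new line 30) means the sandbox now exposes the host's full binary directories to the PDF viewer, and the new comment records neither what broke with the whitelist nor what would allow it to come back, so the hardening will most likely stay lost. Add the reason beside it, e.g. `# private-bin disabled: <what failed>; re-test and re-enable once fixed`, so the next reader knows the line is a regression to fix rather than a dead option. Whether a blanket `seccomp` line still covers this profile is outside the hunk and should be checked before relying on the commented-out `seccomp.keep` list as documentation.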
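--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -38,7 +38,7 @@ static void usage(void) {
 }
 
 int main(int argc, char **argv) {
-//#if 0
+#if 0
 {
 //system("cat /proc/self/status");
 int i;
@@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
 printf("*%s* ", argv[i]);
 printf("\n");
 }
-//#endif
+#endif
 if (argc < 2) {
 usage();
 return 1;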
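Review bot: The `#if 0` block at new lines 41-49 leaves dead debugging code at the top of `main()` in a helper that, judging by its name and the firejail tree it lives in, is presumably run on behalf of the SUID launcher: an argv dump plus a commented-out `system("cat /proc/self/status")` that someone can re-enable with a one-character edit. Delete the block outright, or if the argv trace is still wanted, keep it behind an explicit debug condition the program already evaluates (which flags exist is outside this hunk) and drop the `system()` line so a shell is never spawned from this context. `main` continues past the end of the hunk.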