diff options
author | smitsohu <smitsohu@gmail.com> | 2017-10-31 02:24:39 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2017-10-31 02:24:39 +0100 |
commit | 871dfe351fd8cf19c8c7f330187c994b911ec995 (patch) | |
tree | fc7839dff34b0b14e92a0cd87d45f56f744d45cd | |
parent | fix --ignore=quiet (diff) | |
download | firejail-871dfe351fd8cf19c8c7f330187c994b911ec995.tar.gz firejail-871dfe351fd8cf19c8c7f330187c994b911ec995.tar.zst firejail-871dfe351fd8cf19c8c7f330187c994b911ec995.zip |
harden kde
and whitelist kioslaverc because we don't know if kdeinit
will run outside or inside the sandbox.
-rw-r--r-- | etc/ark.profile | 3 | ||||
-rw-r--r-- | etc/disable-common.inc | 19 | ||||
-rw-r--r-- | etc/gwenview.profile | 5 | ||||
-rw-r--r-- | etc/kate.profile | 3 | ||||
-rw-r--r-- | etc/kwrite.profile | 3 | ||||
-rw-r--r-- | etc/okular.profile | 7 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 3 |
7 files changed, 35 insertions, 8 deletions
diff --git a/etc/ark.profile b/etc/ark.profile index ba9cb1134..404206992 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/ark.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
8 | noblacklist ~/.config/arkrc | 10 | noblacklist ~/.config/arkrc |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -15,6 +17,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | include /etc/firejail/whitelist-var-common.inc | 17 | include /etc/firejail/whitelist-var-common.inc |
16 | 18 | ||
17 | caps.drop all | 19 | caps.drop all |
20 | # net none | ||
18 | netfilter | 21 | netfilter |
19 | nodvd | 22 | nodvd |
20 | nogroups | 23 | nogroups |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 09ab39968..6c8a68d9e 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -47,6 +47,8 @@ blacklist /etc/xdg/autostart | |||
47 | blacklist ${HOME}/.config/*.notifyrc | 47 | blacklist ${HOME}/.config/*.notifyrc |
48 | blacklist ${HOME}/.config/khotkeysrc | 48 | blacklist ${HOME}/.config/khotkeysrc |
49 | blacklist ${HOME}/.config/krunnerrc | 49 | blacklist ${HOME}/.config/krunnerrc |
50 | blacklist ${HOME}/.config/kwinrc | ||
51 | blacklist ${HOME}/.config/kwinrulesrc | ||
50 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 52 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
51 | blacklist ${HOME}/.kde/share/apps/konsole | 53 | blacklist ${HOME}/.kde/share/apps/konsole |
52 | blacklist ${HOME}/.kde/share/apps/kwin | 54 | blacklist ${HOME}/.kde/share/apps/kwin |
@@ -55,25 +57,32 @@ blacklist ${HOME}/.kde/share/apps/solid | |||
55 | blacklist ${HOME}/.kde/share/config/*.notifyrc | 57 | blacklist ${HOME}/.kde/share/config/*.notifyrc |
56 | blacklist ${HOME}/.kde/share/config/khotkeysrc | 58 | blacklist ${HOME}/.kde/share/config/khotkeysrc |
57 | blacklist ${HOME}/.kde/share/config/krunnerrc | 59 | blacklist ${HOME}/.kde/share/config/krunnerrc |
60 | blacklist ${HOME}/.kde/share/config/kwinrc | ||
61 | blacklist ${HOME}/.kde/share/config/kwinrulesrc | ||
58 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 62 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
59 | blacklist ${HOME}/.kde4/share/apps/plasma | ||
60 | blacklist ${HOME}/.kde4/share/apps/konsole | 63 | blacklist ${HOME}/.kde4/share/apps/konsole |
61 | blacklist ${HOME}/.kde4/share/apps/kwin | 64 | blacklist ${HOME}/.kde4/share/apps/kwin |
62 | blacklist ${HOME}/.kde4/share/config/krunnerrc | 65 | blacklist ${HOME}/.kde4/share/apps/plasma |
63 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | ||
64 | blacklist ${HOME}/.kde4/share/config/khotkeysrc | ||
65 | blacklist ${HOME}/.kde4/share/apps/solid | 66 | blacklist ${HOME}/.kde4/share/apps/solid |
66 | blacklist ${HOME}/.kde4/share/config/*.notifyrc | 67 | blacklist ${HOME}/.kde4/share/config/*.notifyrc |
68 | blacklist ${HOME}/.kde4/share/config/khotkeysrc | ||
69 | blacklist ${HOME}/.kde4/share/config/krunnerrc | ||
70 | blacklist ${HOME}/.kde4/share/config/kwinrc | ||
71 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc | ||
72 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | ||
67 | blacklist ${HOME}/.local/share/kglobalaccel | 73 | blacklist ${HOME}/.local/share/kglobalaccel |
68 | blacklist ${HOME}/.local/share/konsole | 74 | blacklist ${HOME}/.local/share/konsole |
69 | blacklist ${HOME}/.local/share/kwin | 75 | blacklist ${HOME}/.local/share/kwin |
70 | blacklist ${HOME}/.local/share/plasma | 76 | blacklist ${HOME}/.local/share/plasma |
71 | blacklist ${HOME}/.local/share/solid | 77 | blacklist ${HOME}/.local/share/solid |
72 | read-only ${HOME}/.config/kdeglobals | 78 | read-only ${HOME}/.config/kdeglobals |
79 | read-only ${HOME}/.config/kioslaverc | ||
73 | read-only ${HOME}/.kde/share/config/kdeglobals | 80 | read-only ${HOME}/.kde/share/config/kdeglobals |
81 | read-only ${HOME}/.kde/share/config/kioslaverc | ||
74 | read-only ${HOME}/.kde/share/kde4/services | 82 | read-only ${HOME}/.kde/share/kde4/services |
75 | read-only ${HOME}/.kde4/share/kde4/services | ||
76 | read-only ${HOME}/.kde4/share/config/kdeglobals | 83 | read-only ${HOME}/.kde4/share/config/kdeglobals |
84 | read-only ${HOME}/.kde4/share/config/kioslaverc | ||
85 | read-only ${HOME}/.kde4/share/kde4/services | ||
77 | read-only ${HOME}/.local/share/kservices5 | 86 | read-only ${HOME}/.local/share/kservices5 |
78 | 87 | ||
79 | # kdeinit socket | 88 | # kdeinit socket |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 76b77ef1c..891c9865e 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gwenview.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
8 | noblacklist ~/.config/gwenviewrc | 10 | noblacklist ~/.config/gwenviewrc |
9 | noblacklist ~/.config/org.kde.gwenviewrc | 11 | noblacklist ~/.config/org.kde.gwenviewrc |
10 | noblacklist ~/.gimp* | 12 | noblacklist ~/.gimp* |
@@ -23,6 +25,7 @@ include /etc/firejail/disable-programs.inc | |||
23 | include /etc/firejail/whitelist-var-common.inc | 25 | include /etc/firejail/whitelist-var-common.inc |
24 | 26 | ||
25 | caps.drop all | 27 | caps.drop all |
28 | # net none | ||
26 | nodvd | 29 | nodvd |
27 | nogroups | 30 | nogroups |
28 | nonewprivs | 31 | nonewprivs |
@@ -34,7 +37,7 @@ seccomp | |||
34 | shell none | 37 | shell none |
35 | tracelog | 38 | tracelog |
36 | 39 | ||
37 | private-bin gwenview,kbuildsycoca4,gimp* | 40 | private-bin gwenview,gimp*,kbuildsycoca4 |
38 | private-dev | 41 | private-dev |
39 | # private-etc X11 | 42 | # private-etc X11 |
40 | 43 | ||
diff --git a/etc/kate.profile b/etc/kate.profile index 69100d49d..85a98d67f 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/kate.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
8 | noblacklist ~/.config/katepartrc | 10 | noblacklist ~/.config/katepartrc |
9 | noblacklist ~/.config/katerc | 11 | noblacklist ~/.config/katerc |
10 | noblacklist ~/.config/kateschemarc | 12 | noblacklist ~/.config/kateschemarc |
@@ -20,6 +22,7 @@ include /etc/firejail/disable-programs.inc | |||
20 | include /etc/firejail/whitelist-var-common.inc | 22 | include /etc/firejail/whitelist-var-common.inc |
21 | 23 | ||
22 | caps.drop all | 24 | caps.drop all |
25 | # net none | ||
23 | netfilter | 26 | netfilter |
24 | nodvd | 27 | nodvd |
25 | nogroups | 28 | nogroups |
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 6b458ede3..af1fa179b 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/kwrite.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
8 | noblacklist ~/.config/katepartrc | 10 | noblacklist ~/.config/katepartrc |
9 | noblacklist ~/.config/katerc | 11 | noblacklist ~/.config/katerc |
10 | noblacklist ~/.config/kateschemarc | 12 | noblacklist ~/.config/kateschemarc |
@@ -20,6 +22,7 @@ include /etc/firejail/disable-programs.inc | |||
20 | include /etc/firejail/whitelist-var-common.inc | 22 | include /etc/firejail/whitelist-var-common.inc |
21 | 23 | ||
22 | caps.drop all | 24 | caps.drop all |
25 | # net none | ||
23 | netfilter | 26 | netfilter |
24 | nodvd | 27 | nodvd |
25 | nogroups | 28 | nogroups |
diff --git a/etc/okular.profile b/etc/okular.profile index 53148add5..89f76cda1 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/okular.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
8 | noblacklist ~/.config/okularpartrc | 10 | noblacklist ~/.config/okularpartrc |
9 | noblacklist ~/.config/okularrc | 11 | noblacklist ~/.config/okularrc |
10 | noblacklist ~/.kde/share/apps/okular | 12 | noblacklist ~/.kde/share/apps/okular |
@@ -23,6 +25,7 @@ include /etc/firejail/disable-programs.inc | |||
23 | include /etc/firejail/whitelist-var-common.inc | 25 | include /etc/firejail/whitelist-var-common.inc |
24 | 26 | ||
25 | caps.drop all | 27 | caps.drop all |
28 | # net none | ||
26 | netfilter | 29 | netfilter |
27 | nodvd | 30 | nodvd |
28 | nogroups | 31 | nogroups |
@@ -36,9 +39,9 @@ seccomp | |||
36 | shell none | 39 | shell none |
37 | tracelog | 40 | tracelog |
38 | 41 | ||
39 | # private-bin okular,kbuildsycoca4,kdeinit4,lpr | 42 | private-bin okular,kbuildsycoca4,kdeinit4,lpr |
40 | private-dev | 43 | private-dev |
41 | # private-etc fonts,X11 | 44 | private-etc cups,fonts |
42 | # private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird | 45 | # private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird |
43 | 46 | ||
44 | # memory-deny-write-execute | 47 | # memory-deny-write-execute |
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 310149ecd..0a8bc4685 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -52,9 +52,12 @@ whitelist ~/.config/dconf | |||
52 | 52 | ||
53 | # qt/kde | 53 | # qt/kde |
54 | whitelist ~/.config/kdeglobals | 54 | whitelist ~/.config/kdeglobals |
55 | whitelist ~/.config/kioslaverc | ||
55 | whitelist ~/.kde/share/config/oxygenrc | 56 | whitelist ~/.kde/share/config/oxygenrc |
56 | whitelist ~/.kde/share/config/kdeglobals | 57 | whitelist ~/.kde/share/config/kdeglobals |
58 | whitelist ~/.kde/share/config/kioslaverc | ||
57 | whitelist ~/.kde/share/icons | 59 | whitelist ~/.kde/share/icons |
58 | whitelist ~/.kde4/share/config/oxygenrc | 60 | whitelist ~/.kde4/share/config/oxygenrc |
59 | whitelist ~/.kde4/share/config/kdeglobals | 61 | whitelist ~/.kde4/share/config/kdeglobals |
62 | whitelist ~/.kde4/share/config/kioslaverc | ||
60 | whitelist ~/.kde4/share/icons | 63 | whitelist ~/.kde4/share/icons |