author | netblue30 <netblue30@yahoo.com> | 2016-07-09 07:18:31 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-07-09 07:18:31 -0400 |
commit | ad300e841813b8204bd1ade430682dca945521a7 (patch) | |
tree | 16ae4dc19d44b813a3ebeede9908b93deaf2af05 | |
parent | added mkfile profile command (diff) | |
parent | Extra files (the mouse forgot a few crumbs). (diff) | |
Merge pull request #622 from Fred-Barclay/Fixes
correction no. 2
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | etc/0ad.profile | 26 | ||||
-rw-r--r-- | etc/atril.profile | 8 | ||||
-rw-r--r-- | etc/evince.profile | 3 | ||||
-rw-r--r-- | etc/gthumb.profile | 9 | ||||
-rw-r--r-- | etc/pix.profile | 9 | ||||
-rw-r--r-- | etc/qtox.profile | 3 | ||||
-rw-r--r-- | etc/xreader.profile | 8 | ||||
-rw-r--r-- | platform/debian/conffiles | 2 |
10 files changed, 45 insertions, 28 deletions
@@ -55,6 +55,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
55 | - added audacity profile | 55 | - added audacity profile |
56 | - fixed Telegram and qtox profiles | 56 | - fixed Telegram and qtox profiles |
57 | - added Atom Beta and Atom profiles | 57 | - added Atom Beta and Atom profiles |
58 | - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. | ||
58 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) | 59 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) |
59 | - cpio profile | 60 | - cpio profile |
60 | Paupiah Yash (https://github.com/CaffeinatedStud) | 61 | Paupiah Yash (https://github.com/CaffeinatedStud) |
@@ -98,7 +98,9 @@ File transfer: filezilla | |||
98 | 98 | ||
99 | Media: vlc, mpv, gnome-mplayer | 99 | Media: vlc, mpv, gnome-mplayer |
100 | 100 | ||
101 | Office: evince, gthumb, fbreader, pix | 101 | Office: evince, gthumb, fbreader, pix, atril, xreader |
102 | |||
103 | Chat/messaging: qtox | ||
102 | 104 | ||
103 | ## New security profiles | 105 | ## New security profiles |
104 | 106 | ||
diff --git a/etc/0ad.profile b/etc/0ad.profile index 3797ae5cd..11fb45463 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -1,21 +1,13 @@ | |||
1 | # Firejail profile for 0ad. | 1 | # Firejail profile for 0ad. |
2 | noblacklist ~/.cache/0ad | ||
2 | noblacklist ~/.config/0ad | 3 | noblacklist ~/.config/0ad |
4 | noblacklist ~/.local/share/0ad | ||
3 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
6 | include /etc/firejail/disable-programs.inc | 8 | include /etc/firejail/disable-programs.inc |
7 | 9 | ||
8 | # Call these options | ||
9 | caps.drop all | ||
10 | netfilter | ||
11 | noroot | ||
12 | nonewprivs | ||
13 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | ||
15 | tracelog | ||
16 | |||
17 | # Whitelists | 10 | # Whitelists |
18 | noblacklist ~/.cache/0ad | ||
19 | mkdir ~/.cache | 11 | mkdir ~/.cache |
20 | mkdir ~/.cache/0ad | 12 | mkdir ~/.cache/0ad |
21 | whitelist ~/.cache/0ad | 13 | whitelist ~/.cache/0ad |
@@ -24,8 +16,20 @@ mkdir ~/.config | |||
24 | mkdir ~/.config/0ad | 16 | mkdir ~/.config/0ad |
25 | whitelist ~/.config/0ad | 17 | whitelist ~/.config/0ad |
26 | 18 | ||
27 | noblacklist ~/.local/share/0ad | ||
28 | mkdir ~/.local | 19 | mkdir ~/.local |
29 | mkdir ~/.local/share | 20 | mkdir ~/.local/share |
30 | mkdir ~/.local/share/0ad | 21 | mkdir ~/.local/share/0ad |
31 | whitelist ~/.local/share/0ad | 22 | whitelist ~/.local/share/0ad |
23 | |||
24 | caps.drop all | ||
25 | netfilter | ||
26 | nonewprivs | ||
27 | nogroups | ||
28 | noroot | ||
29 | protocol unix,inet,inet6 | ||
30 | seccomp | ||
31 | shell none | ||
32 | tracelog | ||
33 | |||
34 | private-dev | ||
35 | |||
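Review bot: The `noblacklist` lines moved to new lines 2–4, ahead of the `include /etc/firejail/disable-*.inc` lines, carry no comment saying why that position matters, and the previous layout (old lines 18 and 27) had them after the includes. As I understand Firejail's profile processing, `noblacklist` only exempts a path from blacklist rules that come after it, so moving these lines back into the `# Whitelists` block would silently re-blacklist the 0ad directories; add `# noblacklist must precede the disable-*.inc includes that blacklist these paths` above new line 2. The drop of `netlink` from `protocol` (old line 13 vs new line 29) is also unexplained in the commit; a short comment or commit-message sentence stating that 0ad was tested without it would help the next maintainer.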
diff --git a/etc/atril.profile b/etc/atril.profile index 8ee7da173..bfe731bec 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -7,10 +7,14 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | ||
11 | nonewprivs | 10 | nonewprivs |
11 | nogroups | ||
12 | noroot | 12 | noroot |
13 | nosound | 13 | nosound |
14 | protocol unix,inet,inet6 | 14 | protocol unix |
15 | seccomp | 15 | seccomp |
16 | shell none | ||
16 | tracelog | 17 | tracelog |
18 | |||
19 | private-bin atril, atril-previewer, atril-thumbnailer | ||
20 | private-dev | ||
diff --git a/etc/evince.profile b/etc/evince.profile index 9899da84d..530ce959a 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -6,9 +6,10 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | nonewprivs | 8 | nonewprivs |
9 | nogroups | ||
9 | noroot | 10 | noroot |
10 | nosound | 11 | nosound |
11 | protocol unix,inet,inet6 | 12 | protocol unix |
12 | seccomp | 13 | seccomp |
13 | 14 | ||
14 | shell none | 15 | shell none |
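Review bot: evince only gains `nogroups` and the `protocol unix` restriction here, whereas its sibling viewers atril and xreader additionally get `private-bin` and `private-dev` in this same commit, so the three PDF viewers end up with different hardening levels. If evince is meant to keep its wider /dev and /bin view, a comment in the profile or a sentence in the commit description should say so. The hunk ends at profile line 15, so evince may already carry `private-dev` below; worth confirming before adding it.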
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index c673a1297..3c02576aa 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile | |||
@@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | ||
11 | nonewprivs | 10 | nonewprivs |
11 | nogroups | ||
12 | noroot | 12 | noroot |
13 | protocol unix,inet,inet6 | 13 | nosound |
14 | protocol unix | ||
14 | seccomp | 15 | seccomp |
15 | |||
16 | shell none | 16 | shell none |
17 | tracelog | ||
18 | |||
17 | private-bin gthumb | 19 | private-bin gthumb |
18 | whitelist /tmp/.X11-unix | 20 | whitelist /tmp/.X11-unix |
19 | private-dev | 21 | private-dev |
20 | nosound | ||
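Review bot: `tracelog` is removed at old line 17 with no replacement, and pix.profile drops it the same way, while atril, xreader, qtox and 0ad keep it in this commit. `tracelog` is the option that records blacklist and whitelist violations to syslog, so these two profiles lose the audit trail the others retain. Unless the removal is deliberate (for example log noise from thumbnailing), keep the line, `tracelog`, after `seccomp` next to `shell none`; the relocation of `nosound` into the option block is fine as is.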
diff --git a/etc/pix.profile b/etc/pix.profile index 81ab7486f..80c05fd09 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
@@ -8,15 +8,16 @@ include /etc/firejail/disable-devel.inc | |||
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | ||
12 | nonewprivs | 11 | nonewprivs |
12 | nogroups | ||
13 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | 14 | nosound |
15 | protocol unix | ||
15 | seccomp | 16 | seccomp |
16 | |||
17 | shell none | 17 | shell none |
18 | tracelog | ||
19 | |||
18 | private-bin pix | 20 | private-bin pix |
19 | whitelist /tmp/.X11-unix | 21 | whitelist /tmp/.X11-unix |
20 | private-dev | 22 | private-dev |
21 | nosound | ||
22 | 23 | ||
diff --git a/etc/qtox.profile b/etc/qtox.profile index 39f900748..0cac18573 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -8,14 +8,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | mkdir ${HOME}/.config/tox | 8 | mkdir ${HOME}/.config/tox |
9 | whitelist ${HOME}/.config/tox | 9 | whitelist ${HOME}/.config/tox |
10 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
11 | include /etc/firejail/whitelist-common.inc | ||
12 | 11 | ||
13 | caps.drop all | 12 | caps.drop all |
14 | netfilter | 13 | netfilter |
15 | nonewprivs | 14 | nonewprivs |
15 | nogroups | ||
16 | noroot | 16 | noroot |
17 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
18 | seccomp | 18 | seccomp |
19 | shell none | 19 | shell none |
20 | tracelog | 20 | tracelog |
21 | 21 | ||
22 | private-bin qtox | ||
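Review bot: The removal of `include /etc/firejail/whitelist-common.inc` at old line 11 is not covered by the commit description and leaves qtox in whitelist mode without whatever entries that shared include provides to the project's other whitelist-based profiles. Either restore the line after `whitelist ${DOWNLOADS}` or add a comment stating why qtox does not need it, so the omission is not mistaken for an oversight later. The added `private-bin qtox` matches the other profiles in this commit, though any helper the client spawns (for opening links, for instance) would have to be listed there as well.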
diff --git a/etc/xreader.profile b/etc/xreader.profile index 2cf109f09..fed9d4db5 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile | |||
@@ -9,10 +9,14 @@ include /etc/firejail/disable-devel.inc | |||
9 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
10 | 10 | ||
11 | caps.drop all | 11 | caps.drop all |
12 | netfilter | ||
13 | nonewprivs | 12 | nonewprivs |
13 | nogroups | ||
14 | noroot | 14 | noroot |
15 | nosound | 15 | nosound |
16 | protocol unix,inet,inet6 | 16 | protocol unix |
17 | seccomp | 17 | seccomp |
18 | shell none | ||
18 | tracelog | 19 | tracelog |
20 | |||
21 | private-bin xreader, xreader-previewer, xreader-thumbnailer | ||
22 | private-dev | ||
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 3ae366541..ae495ec6d 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -1,5 +1,3 @@ | |||
1 | # Do not have a new/empty line on the end of this file or dpkg-deb will warn | ||
2 | # that "conffile '' is not a plain file." | ||
3 | /etc/firejail/evince.profile | 1 | /etc/firejail/evince.profile |
4 | /etc/firejail/chromium.profile | 2 | /etc/firejail/chromium.profile |
5 | /etc/firejail/chromium-browser.profile | 3 | /etc/firejail/chromium-browser.profile |