author | Tad <tad@spotco.us> | 2018-07-04 15:48:02 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2018-07-04 15:48:02 -0400 |
commit | e91e7b2b8165450e695c7f45492cca2ae6927678 (patch) | |
tree | a9379cc4330adfa679cdae89f64741c6f23df679 | |
parent | Merge pull request #2025 from Bundy01/master (diff) | |
download | firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.gz firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.zst firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.zip |
Merges + misc fixes
- Change some links in README to HTTPS
- Fixup some typos in firejail-profile manpage
- Cleanup dash from private-etc
- Fixup gradio
- Synchronize server profile with default profile
Mode | File | Lines changed
---|---|---
-rw-r--r-- | README | 11
-rw-r--r-- | README.md | 2
-rw-r--r-- | RELNOTES | 2
-rw-r--r-- | etc/ark.profile | 2
-rw-r--r-- | etc/bsdtar.profile | 2
-rw-r--r-- | etc/disable-common.inc | 2
-rw-r--r-- | etc/disable-programs.inc | 2
-rw-r--r-- | etc/gradio.profile | 8
-rw-r--r-- | etc/server.profile | 10
-rw-r--r-- | src/firecfg/firecfg.config | 1
-rw-r--r-- | src/man/firejail-profile.txt | 4

11 files changed, 30 insertions, 16 deletions
@@ -9,7 +9,7 @@ Pidgin, Quassel, and XChat. | |||
9 | Firejail also expands the restricted shell facility found in bash by adding | 9 | Firejail also expands the restricted shell facility found in bash by adding |
10 | Linux namespace support. It supports sandboxing specific users upon login. | 10 | Linux namespace support. It supports sandboxing specific users upon login. |
11 | 11 | ||
12 | Download: http://sourceforge.net/projects/firejail/files/ | 12 | Download: https://sourceforge.net/projects/firejail/files/ |
13 | Build and install: ./configure && make && sudo make install | 13 | Build and install: ./configure && make && sudo make install |
14 | Documentation and support: https://firejail.wordpress.com/ | 14 | Documentation and support: https://firejail.wordpress.com/ |
15 | Development: https://github.com/netblue30/firejail | 15 | Development: https://github.com/netblue30/firejail |
@@ -123,6 +123,9 @@ BogDan Vatra (https://github.com/bog-dan-ro) | |||
123 | Bruno Nova (https://github.com/brunonova) | 123 | Bruno Nova (https://github.com/brunonova) |
124 | - whitelist fix | 124 | - whitelist fix |
125 | - bash arguments fix | 125 | - bash arguments fix |
126 | Bundy01 (https://github.com/Bundy01) | ||
127 | - fixup geary | ||
128 | - add gradio profile | ||
126 | BytesTuner (https://github.com/BytesTuner) | 129 | BytesTuner (https://github.com/BytesTuner) |
127 | - provided keepassxc profile | 130 | - provided keepassxc profile |
128 | caoliver (https://github.com/caoliver) | 131 | caoliver (https://github.com/caoliver) |
@@ -242,7 +245,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
242 | - added Catfish profile | 245 | - added Catfish profile |
243 | g3ngr33n (https://github.com/g3ngr33n) | 246 | g3ngr33n (https://github.com/g3ngr33n) |
244 | - fix musl compilation | 247 | - fix musl compilation |
245 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) | 248 | G4JC (https://sourceforge.net/u/gaming4jc/profile/) |
246 | - ARM support | 249 | - ARM support |
247 | - profile fixes | 250 | - profile fixes |
248 | Gaman Gabriel (https://github.com/stelariusinfinitek) | 251 | Gaman Gabriel (https://github.com/stelariusinfinitek) |
@@ -409,7 +412,7 @@ Ondra Nekola (https://github.com/satai) | |||
409 | - allow firefox theming with non-global themes | 412 | - allow firefox theming with non-global themes |
410 | Panzerfather (https://github.com/Panzerfather) | 413 | Panzerfather (https://github.com/Panzerfather) |
411 | - allow eog to access user's trash | 414 | - allow eog to access user's trash |
412 | Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) | 415 | Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) |
413 | - user namespace implementation | 416 | - user namespace implementation |
414 | Paul Moore <pmoore@redhat.com> | 417 | Paul Moore <pmoore@redhat.com> |
415 | -src/fsec-print/print.c extracted from libseccomp software package | 418 | -src/fsec-print/print.c extracted from libseccomp software package |
@@ -549,7 +552,7 @@ SkewedZeppelin (https://github.com/SkewedZeppelin) | |||
549 | - hardern /var | 552 | - hardern /var |
550 | - profile standard layout | 553 | - profile standard layout |
551 | - Spotify and itch.io profile fixes | 554 | - Spotify and itch.io profile fixes |
552 | sshirokov (http://sourceforge.net/u/yshirokov/profile/) | 555 | sshirokov (https://sourceforge.net/u/yshirokov/profile/) |
553 | - Patch to output "Reading profile" to stderr instead of stdout | 556 | - Patch to output "Reading profile" to stderr instead of stdout |
554 | SYN-cook (https://github.com/SYN-cook) | 557 | SYN-cook (https://github.com/SYN-cook) |
555 | - keepass/keepassx browser fixes | 558 | - keepass/keepassx browser fixes |
@@ -134,4 +134,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
134 | ````` | 134 | ````` |
135 | 135 | ||
136 | ## New profiles | 136 | ## New profiles |
137 | Microsoft Office Online, riot-desktop, gnome-mpv, snox, | 137 | Microsoft Office Online, riot-desktop, gnome-mpv, snox, gradio |
@@ -5,7 +5,7 @@ firejail (0.9.55) baseline; urgency=low | |||
5 | * support full paths in private-lib | 5 | * support full paths in private-lib |
6 | * globbing support in private-lib | 6 | * globbing support in private-lib |
7 | * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint | 7 | * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint |
8 | * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox | 8 | * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio |
9 | -- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500 | 9 | -- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500 |
10 | 10 | ||
11 | firejail (0.9.54) baseline; urgency=low | 11 | firejail (0.9.54) baseline; urgency=low |
diff --git a/etc/ark.profile b/etc/ark.profile index 0c7ef3dae..12675b30b 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -31,7 +31,7 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh | 34 | private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh |
35 | #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg | 35 | #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg |
36 | 36 | ||
37 | private-dev | 37 | private-dev |
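Review bot: dropping dash from the private-bin list on line 34 while keeping sh is only safe if the sandbox's /bin/sh still resolves after the copy: on Debian-derived systems /bin/sh is a symlink to dash, so confirm that private-bin follows the sh symlink to its target, otherwise any helper that invokes /bin/sh fails inside the ark sandbox on those systems. Also note the commit message says "Cleanup dash from private-etc" while the line changed here is private-bin.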
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index a49fc023a..d3bc76ba5 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | tracelog | 34 | tracelog |
35 | 35 | ||
36 | # support compressed archives | 36 | # support compressed archives |
37 | private-bin sh,bash,dash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive | 37 | private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive |
38 | private-dev | 38 | private-dev |
39 | private-etc passwd,group,localtime | 39 | private-etc passwd,group,localtime |
40 | 40 | ||
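Review bot: same check as for ark applies to line 37 here: with dash removed from private-bin but sh retained, verify that the sh symlink's target is still copied into the private /bin on distributions where /bin/sh points at dash, since bsdtar relies on a working shell for the compressed-archive filters the comment above refers to.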
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 56121809a..b2357716a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -391,4 +391,4 @@ blacklist ${HOME}/*.local/share/flatpak | |||
391 | blacklist /var/lib/flatpak | 391 | blacklist /var/lib/flatpak |
392 | blacklist /usr/share/flatpak | 392 | blacklist /usr/share/flatpak |
393 | # most of the time bwrap is SUID binary | 393 | # most of the time bwrap is SUID binary |
394 | blacklist /usr/bin/bwrap \ No newline at end of file | 394 | blacklist ${PATH}/bwrap |
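Review bot: replacing the hard-coded /usr/bin/bwrap with ${PATH}/bwrap on line 394 is the right fix, since the blacklist now covers every directory the ${PATH} macro expands to instead of a single location where bwrap may not be installed; it also adds the missing newline at end of file. Given the comment above about bwrap usually being setuid, it would help a later reader to say in the comment that the point is to keep a setuid binary out of the sandbox.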
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index f72b5a5c3..1dee73078 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -393,6 +393,7 @@ blacklist ${HOME}/.local/share/gnome-photos | |||
393 | blacklist ${HOME}/.local/share/gnome-recipes | 393 | blacklist ${HOME}/.local/share/gnome-recipes |
394 | blacklist ${HOME}/.local/share/gnome-ring | 394 | blacklist ${HOME}/.local/share/gnome-ring |
395 | blacklist ${HOME}/.local/share/gnome-twitch | 395 | blacklist ${HOME}/.local/share/gnome-twitch |
396 | blacklist ${HOME}/.local/share/gradio | ||
396 | blacklist ${HOME}/.local/share/gwenview | 397 | blacklist ${HOME}/.local/share/gwenview |
397 | blacklist ${HOME}/.local/share/kaffeine | 398 | blacklist ${HOME}/.local/share/kaffeine |
398 | blacklist ${HOME}/.local/share/kate | 399 | blacklist ${HOME}/.local/share/kate |
@@ -550,6 +551,7 @@ blacklist ${HOME}/.cache/google-chrome | |||
550 | blacklist ${HOME}/.cache/google-chrome-beta | 551 | blacklist ${HOME}/.cache/google-chrome-beta |
551 | blacklist ${HOME}/.cache/google-chrome-unstable | 552 | blacklist ${HOME}/.cache/google-chrome-unstable |
552 | blacklist ${HOME}/.cache/gnome-twitch | 553 | blacklist ${HOME}/.cache/gnome-twitch |
554 | blacklist ${HOME}/.cache/gradio | ||
553 | blacklist ${HOME}/.cache/icedove | 555 | blacklist ${HOME}/.cache/icedove |
554 | blacklist ${HOME}/.cache/INRIA/Natron | 556 | blacklist ${HOME}/.cache/INRIA/Natron |
555 | blacklist ${HOME}/.cache/inkscape | 557 | blacklist ${HOME}/.cache/inkscape |
diff --git a/etc/gradio.profile b/etc/gradio.profile index 1a7ff60ed..bba92a0bc 100644 --- a/etc/gradio.profile +++ b/etc/gradio.profile | |||
@@ -5,10 +5,8 @@ include /etc/firejail/gradio.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/gradio | ||
8 | noblacklist ${HOME}/.local/share/gradio | 9 | noblacklist ${HOME}/.local/share/gradio |
9 | mkdir ${HOME}/.local/share/gradio | ||
10 | whitelist ${HOME}/.local/share/gradio | ||
11 | whitelist ${HOME}/.cache/gradio | ||
12 | 10 | ||
13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
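Review bot: the added `noblacklist ${HOME}/.cache/gradio` on new line 8 is required because disable-programs.inc gains `blacklist ${HOME}/.cache/gradio` in this same commit, and it is placed before the disable-*.inc includes, which is the order a noblacklist needs in order to override the later blacklist; moving the mkdir/whitelist lines out of this block is addressed in the next hunk.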
@@ -16,6 +14,10 @@ include /etc/firejail/disable-interpreters.inc | |||
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
18 | 16 | ||
17 | mkdir ${HOME}/.cache/gradio | ||
18 | mkdir ${HOME}/.local/share/gradio | ||
19 | whitelist ${HOME}/.cache/gradio | ||
20 | whitelist ${HOME}/.local/share/gradio | ||
19 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
20 | include /etc/firejail/whitelist-var-common.inc | 22 | include /etc/firejail/whitelist-var-common.inc |
21 | 23 | ||
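Review bot: placing `mkdir` ahead of `whitelist` for both directories on new lines 17 to 20 is needed so the whitelist target exists on first run, and the old profile had no mkdir for ${HOME}/.cache/gradio at all, so this corrects that omission as well as moving the block after the disable-*.inc includes to match the standard layout; ordering the two mkdir lines and the two whitelist lines identically (.cache before .local/share) keeps the block easy to diff against other profiles.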
diff --git a/etc/server.profile b/etc/server.profile index 9cc906e55..94e2d5da9 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -22,18 +22,24 @@ include /etc/firejail/disable-passwdmgr.inc | |||
22 | include /etc/firejail/disable-programs.inc | 22 | include /etc/firejail/disable-programs.inc |
23 | 23 | ||
24 | caps | 24 | caps |
25 | # ipc-namespace | ||
26 | # netfilter /etc/firejail/webserver.net | ||
25 | no3d | 27 | no3d |
28 | # nodbus | ||
26 | nodvd | 29 | nodvd |
30 | # nogroups | ||
31 | # nonewprivs | ||
32 | # noroot | ||
27 | nosound | 33 | nosound |
28 | notv | 34 | notv |
29 | novideo | 35 | novideo |
30 | seccomp | 36 | seccomp |
31 | 37 | # shell none | |
32 | # netfilter /etc/firejail/webserver.net | ||
33 | 38 | ||
34 | # disable-mnt | 39 | # disable-mnt |
35 | private | 40 | private |
36 | # private-bin program | 41 | # private-bin program |
42 | # private-cache | ||
37 | private-dev | 43 | private-dev |
38 | # private-etc none | 44 | # private-etc none |
39 | # private-lib | 45 | # private-lib |
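Review bot: every line this hunk adds (ipc-namespace, nodbus, nogroups, nonewprivs, noroot, shell none, private-cache) is commented out, so the server template's runtime behaviour is unchanged; if that is deliberate because daemons that start as root and then drop privileges cannot run under noroot or nonewprivs, a one-line comment next to those two entries saying so would stop a future synchronisation with the default profile from enabling them without checking. The netfilter comment moved up beside ipc-namespace is otherwise consistent with the default profile's ordering.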
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 718c2f973..5e5a5a967 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -188,6 +188,7 @@ google-play-music-desktop-player | |||
188 | gpa | 188 | gpa |
189 | gpicview | 189 | gpicview |
190 | gpredict | 190 | gpredict |
191 | gradio | ||
191 | gthumb | 192 | gthumb |
192 | guayadeque | 193 | guayadeque |
193 | gucharmap | 194 | gucharmap |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 851eb1026..59f15f75c 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -391,10 +391,10 @@ Examples: | |||
391 | 391 | ||
392 | .TP | 392 | .TP |
393 | \fBrlimit-as 123456789012 | 393 | \fBrlimit-as 123456789012 |
394 | Set he maximum size of the process's virtual memory to 123456789012 bytes. | 394 | Set the maximum size of the process's virtual memory to 123456789012 bytes. |
395 | .TP | 395 | .TP |
396 | \fBrlimit-cpu 123 | 396 | \fBrlimit-cpu 123 |
397 | Set he maximum CPU time in seconds. | 397 | Set the maximum CPU time in seconds. |
398 | .TP | 398 | .TP |
399 | \fBrlimit-fsize 1024 | 399 | \fBrlimit-fsize 1024 |
400 | Set the maximum file size that can be created by a process to 1024 bytes. | 400 | Set the maximum file size that can be created by a process to 1024 bytes. |