authorLibravatar smitsohu <smitsohu@gmail.com>2017-10-29 13:06:19 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2017-10-29 13:06:19 +0100
commit8ef2c87931fa83c2d1fd6b35f23ac650adee6355 (patch)
treead154ca76315d658334fb06b587e1df835fb137a
parentfix for #1614 (--timeout) (diff)
fix and harden various profiles
-rw-r--r--etc/atril.profile3
-rw-r--r--etc/calligra.profile8
-rw-r--r--etc/disable-common.inc9
-rw-r--r--etc/evince.profile3
-rw-r--r--etc/inox.profile8
-rw-r--r--etc/iridium.profile10
-rw-r--r--etc/kdenlive.profile10
-rw-r--r--etc/krita.profile4
-rw-r--r--etc/okular.profile2
-rw-r--r--etc/thunderbird.profile1
-rw-r--r--etc/vivaldi.profile1
-rw-r--r--etc/xreader.profile3
12 files changed, 39 insertions, 23 deletions
diff --git a/etc/atril.profile b/etc/atril.profile
index 8c5bdc6fb..98142012c 100644
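--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -35,8 +35,7 @@ private-etc fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 private-lib webkit2gtk-4.0
-# atril needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 
 # webkit gtk killed by memory-deny-write-execute
 #memory-deny-write-execute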
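Review bot: Enabling `private-tmp` here deletes the old comment that atril needs `/tmp/mozilla*` when started from Firefox, and nothing in the hunk says why that hand-off no longer matters. The evince and xreader sections make the same swap, while the okular section of this commit goes the other way and disables `private-tmp` for a comparable data exchange with Thunderbird. If files opened from a browser prompt still arrive through the shared /tmp, these viewers will fail on them, and users tend to respond by dropping the profile altogether. I would keep a one-line comment next to the directive, e.g. `# private-tmp hides /tmp/mozilla*; opening files directly from firefox may need "ignore private-tmp" in atril.local`, so the trade-off stays visible.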
diff --git a/etc/calligra.profile b/etc/calligra.profile
index a57694752..f09716bc3 100644
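--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -5,7 +5,7 @@ include /etc/firejail/calligra.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
-net none
+# net none
 nodvd
 nogroups
 nonewprivs
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 shell none
 
-private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
 
-#noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp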
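Review bot: `net none` and `blacklist /run/user/*/bus` are commented out with no reason given, which leaves the sandbox in the host network namespace (abstract unix sockets become reachable even though `protocol unix` still blocks inet) and makes the session D-Bus socket visible again. The krita and kdenlive sections make the same two changes. Since the commit is titled as hardening, each disabled line should carry its reason in the file's own style, e.g. `# net none - breaks <feature>` and `# blacklist /run/user/*/bus - needed for <feature>`, so a later maintainer knows when it can be re-enabled. The third hunk also adds `kdeinit4` to `private-bin` in the same commit that stops blacklisting the kdeinit4 sockets in disable-common.inc, so the combination deserves a check on a KDE 4 desktop.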
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f01953ed4..09ab39968 100644
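--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -76,10 +76,11 @@ read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.kde4/share/config/kdeglobals
 read-only ${HOME}/.local/share/kservices5
 
-# kdeinit sockets
-blacklist /run/user/*/kdeinit*
-blacklist /run/user/*/ksocket-*/kdeinit*
-blacklist /tmp/ksocket-*/kdeinit*
+# kdeinit socket
+blacklist /run/user/*/kdeinit5__*
+# blacklist /run/user/*/ksocket-*/kdeinit4__*
+# blacklist /tmp/ksocket-*/kdeinit4__*
+# - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
 # systemd
 blacklist ${HOME}/.config/systemd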
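Review bot: Commenting out the two `ksocket-*/kdeinit4__*` blacklists changes the default for every profile that includes this file, so on a KDE 4 desktop each sandboxed program can again reach the kdeinit4 socket, which presumably lets it ask a process outside the sandbox to launch programs. The new comment `enable on KDE Plasma 4` asks users to edit a shipped file that a package upgrade will overwrite. It would be better to name an override location, e.g. `# - causes issues when kdeinit4 gets killed; on KDE Plasma 4 add these two lines to globals.local` (assuming blacklist lines are honoured there). The first pattern also narrows from `kdeinit*` to `kdeinit5__*`, so any differently named kdeinit socket directly under /run/user/* is no longer covered.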
diff --git a/etc/evince.profile b/etc/evince.profile
index acca8878f..b68d272df 100644
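--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -36,8 +36,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
 private-lib
-# evince needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}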
diff --git a/etc/inox.profile b/etc/inox.profile
index de4d6205b..221acd309 100644
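--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -20,11 +20,17 @@ whitelist ~/.cache/inox
 whitelist ~/.config/inox
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
 nogroups
-noroot
 notv
 shell none
+
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp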
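Review bot: `noroot` is deleted outright (old line 28) in a commit described as hardening, and the hunk leaves no trace of why. Presumably it conflicts with the browser's own sandbox, which is also why `caps.keep sys_chroot,sys_admin` is there, but that is an inference and the profile should say so. I would keep the directive as a commented line in the style already used for `private-tmp` just below, e.g. `# noroot - <reason it cannot be used with inox>`, so the removal is not mistaken for an oversight and re-added later.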
diff --git a/etc/iridium.profile b/etc/iridium.profile
index db9c5c7cf..5b1268f4e 100644
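--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -21,7 +21,17 @@ whitelist ~/.cache/iridium
 whitelist ~/.config/iridium
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
+caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
+nogroups
 notv
+shell none
+
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp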
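Review bot: The added `caps.keep sys_chroot,sys_admin` has no comment saying why CAP_SYS_ADMIN, a very broad capability, has to stay available inside the sandbox. The visible hunk shows no `seccomp` or `nonewprivs` line to offset it, though the profile may set them outside the hunk. A short comment above the line would make the intent reviewable, e.g. `# sys_admin and sys_chroot are kept for the browser's own sandbox`, if that is indeed the reason.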
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index e42e5920a..871706b02 100644
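--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kdenlive.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -13,19 +13,19 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none
 nodvd
 nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,netlink
 seccomp
 shell none
 
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
-#private-etc fonts,alternatives,X11,pulse,passwd
+# private-etc fonts,alternatives,X11,pulse,passwd
 
-#noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp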
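Review bot: `protocol unix,netlink` newly admits netlink sockets, and the second hunk gives no reason for it. Dropping `inet,inet6` makes up for the disabled `net none` only as far as IP traffic goes; abstract unix sockets in the host namespace and netlink are now both reachable. Please state the need next to the directive, e.g. `# netlink is required by <component>`, and likewise on `# net none` (see the note on the calligra section).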
diff --git a/etc/krita.profile b/etc/krita.profile
index ac723f303..52329eaab 100644
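--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -5,7 +5,7 @@ include /etc/firejail/krita.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
-net none
+# net none
 nodvd
 nogroups
 nonewprivs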
diff --git a/etc/okular.profile b/etc/okular.profile
index 60390e4d8..53148add5 100644
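--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -39,7 +39,7 @@ tracelog
 # private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
-private-tmp
+# private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird
 
 # memory-deny-write-execute
 noexec ${HOME}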
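Review bot: Commenting out `private-tmp` gives okular the real /tmp on every desktop, not only on KDE, so a compromised viewer can see other programs' temporary files and sockets there. The hunk shows only `noexec ${HOME}` after this line; please confirm the profile also carries `noexec /tmp` outside the hunk, as the other profiles touched by this commit do. Users who never open attachments from Thunderbird would be better served if the comment named the opt-in, e.g. `# private-tmp - on KDE we need the real /tmp for data exchange with thunderbird; re-enable in okular.local otherwise`.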
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index db944a2c0..52965cf90 100644
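--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -24,6 +24,7 @@ whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
 machine-id
 disable-mnt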
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 503916b26..3cbc5b45c 100644
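--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -18,6 +18,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/vivaldi
 whitelist ~/.config/vivaldi
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter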
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 11e5d1102..9583b6ee1 100644
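--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -33,8 +33,7 @@ tracelog
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
 private-etc fonts,ld.so.cache
-# xreader needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}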