Merge branch 'release-0.9.62' of https://github.com/netblue30/firejail into release-0.9.62

author: smitsohu <smitsohu@gmail.com> 2020-08-09 19:21:33 +0200
committer: smitsohu <smitsohu@gmail.com> 2020-08-09 19:21:33 +0200
commit: 93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7 (patch)
tree: 326a37edcb6f1cf23246fb4cf6df6c074c72c559
parent: mount sandbox lib directory ro,nosuid,nodev (diff)
parent: profile fixes (1) (diff)
download: firejail-93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7.tar.gz
firejail-93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7.tar.zst
firejail-93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7.zip
6 files changed, 5 insertions, 4 deletions
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 6b7db6b44..d06eb7a65 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -29,7 +29,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+# nodbus -- uses dconf
 nogroups
 nonewprivs
 noroot
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 16f231108..f50e10a00 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -230,6 +230,7 @@ read-only ${HOME}/.bash_login
 read-only ${HOME}/.bash_logout
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bashrc
+read-only ${HOME}/.config/environment.d
 read-only ${HOME}/.config/fish
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.cshrc
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 837396654..6d575e850 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-3.0.so.*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index 726a74089..eaf48931d 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -31,5 +31,4 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-cache
 private-dev
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index a625db948..78f5ddc3a 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/maps-places.json
 whitelist ${DOWNLOADS}
 whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
+whitelist /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -55,4 +56,3 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index be0a29d94..78b947750 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -42,6 +42,7 @@ whitelist /usr/share/p11-kit
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
+whitelist /usr/share/publicsuffix
 whitelist /usr/share/qt
 whitelist /usr/share/qt4
 whitelist /usr/share/qt5
author	smitsohu <smitsohu@gmail.com>	2020-08-09 19:21:33 +0200
committer	smitsohu <smitsohu@gmail.com>	2020-08-09 19:21:33 +0200
commit	93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7 (patch)
tree	326a37edcb6f1cf23246fb4cf6df6c074c72c559
parent	mount sandbox lib directory ro,nosuid,nodev (diff)
parent	profile fixes (1) (diff)
download	firejail-93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7.tar.gz firejail-93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7.tar.zst firejail-93a45e11495cc2652ac2e11bc1a2ac1c3ad9cde7.zip

diff --git a/etc/celluloid.profile b/etc/celluloid.profile index 6b7db6b44..d06eb7a65 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile
@@ -29,7 +29,7 @@ include whitelist-var-common.inc
29	apparmor	29	apparmor
30	caps.drop all	30	caps.drop all
31	netfilter	31	netfilter
32	nodbus	32	# nodbus -- uses dconf
33	nogroups	33	nogroups
34	nonewprivs	34	nonewprivs
35	noroot	35	noroot


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 16f231108..f50e10a00 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -230,6 +230,7 @@ read-only ${HOME}/.bash_login
230	read-only ${HOME}/.bash_logout	230	read-only ${HOME}/.bash_logout
231	read-only ${HOME}/.bash_profile	231	read-only ${HOME}/.bash_profile
232	read-only ${HOME}/.bashrc	232	read-only ${HOME}/.bashrc
		233	read-only ${HOME}/.config/environment.d
233	read-only ${HOME}/.config/fish	234	read-only ${HOME}/.config/fish
234	read-only ${HOME}/.csh_files	235	read-only ${HOME}/.csh_files
235	read-only ${HOME}/.cshrc	236	read-only ${HOME}/.cshrc


diff --git a/etc/gedit.profile b/etc/gedit.profile index 837396654..6d575e850 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
42		42
43	# private-bin gedit	43	# private-bin gedit
44	private-dev	44	private-dev
45	private-lib aspell,gconv,gedit,libgspell-1.so.,libreadline.so.,libtinfo.so.*	45	private-lib aspell,gconv,gedit,libgspell-1.so.,libgtksourceview-3.0.so.,libpeas-gtk-1.0.so.,libreadline.so.,libtinfo.so.*
46	private-tmp	46	private-tmp
47		47


diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile index 726a74089..eaf48931d 100644 --- a/etc/gnome-builder.profile +++ b/etc/gnome-builder.profile
@@ -31,5 +31,4 @@ protocol unix,inet,inet6
31	seccomp	31	seccomp
32	shell none	32	shell none
33		33
34	private-cache
35	private-dev	34	private-dev


diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index a625db948..78f5ddc3a 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/maps-places.json
28	whitelist ${DOWNLOADS}	28	whitelist ${DOWNLOADS}
29	whitelist ${PICTURES}	29	whitelist ${PICTURES}
30	whitelist /usr/share/gnome-maps	30	whitelist /usr/share/gnome-maps
		31	whitelist /usr/share/libgweather
31	include whitelist-common.inc	32	include whitelist-common.inc
32	include whitelist-usr-share-common.inc	33	include whitelist-usr-share-common.inc
33	include whitelist-var-common.inc	34	include whitelist-var-common.inc
@@ -55,4 +56,3 @@ private-bin gjs,gnome-maps
55	private-dev	56	private-dev
56	private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg	57	private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
57	private-tmp	58	private-tmp
58


diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc index be0a29d94..78b947750 100644 --- a/etc/whitelist-usr-share-common.inc +++ b/etc/whitelist-usr-share-common.inc
@@ -42,6 +42,7 @@ whitelist /usr/share/p11-kit
42	whitelist /usr/share/pixmaps	42	whitelist /usr/share/pixmaps
43	whitelist /usr/share/pki	43	whitelist /usr/share/pki
44	whitelist /usr/share/plasma	44	whitelist /usr/share/plasma
		45	whitelist /usr/share/publicsuffix
45	whitelist /usr/share/qt	46	whitelist /usr/share/qt
46	whitelist /usr/share/qt4	47	whitelist /usr/share/qt4
47	whitelist /usr/share/qt5	48	whitelist /usr/share/qt5