author | smitsohu <smitsohu@gmail.com> | 2017-09-25 15:57:50 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2017-09-25 15:57:50 +0200 |
commit | 9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2 (patch) | |
tree | 632cecd6b845ecc93c5024170671a9894c2cda49 | |
parent | fix nginx and apache2, possible fix for #1534 (diff) | |
download | firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.tar.gz firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.tar.zst firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.zip |
various profile enhancements
* okular needs kdeinit4 for open file dialog since recently
* memory-deny-write-execute should be a safe addition for
desktop use of dnscrypt and unbound
* cleanup work
-rw-r--r-- | etc/baloo_file.profile | 4 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/dnscrypt-proxy.profile | 3 | ||||
-rw-r--r-- | etc/dnsmasq.profile | 1 | ||||
-rw-r--r-- | etc/evince.profile | 2 | ||||
-rw-r--r-- | etc/ffmpeg.profile | 12 | ||||
-rw-r--r-- | etc/okular.profile | 2 | ||||
-rw-r--r-- | etc/unbound.profile | 3 |
8 files changed, 16 insertions, 12 deletions
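--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
 
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
 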
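Review bot: The new `private-bin baloo_file,baloo_file_extractor,kbuildsycoca4` in the second hunk does not list kdeinit4, while the okular hunk of this same commit adds kdeinit4 to its private-bin list because the KDE4 stack needs it for the file dialog; if kbuildsycoca4 or baloo_file also spawn kdeinit4, the new private-bin would make that exec fail silently inside the sandbox. Worth confirming on a KDE4 host and, if so, extending the line to `private-bin baloo_file,baloo_file_extractor,kbuildsycoca4,kdeinit4`. The added `shell none` is the right companion to private-bin, since no shell is in the list and the default shell launch would otherwise be the first thing to break.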
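--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -378,6 +378,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons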
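Review bot: The added `blacklist ${HOME}/.tor-browser-en` covers only the English-locale install directory; if, as the `-en` suffix suggests, other locale builds unpack under a different suffix, those directories stay readable from every sandboxed program while this one is hidden. The file already uses globs for exactly this situation (`blacklist ${HOME}/.tuxguitar*` two lines below), so `blacklist ${HOME}/.tor-browser*` would close the gap unless the broader match is known to collide with an unrelated dotdir.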
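--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute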
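Review bot: Enabling `memory-deny-write-execute` leaves the preceding `# mdwe can break modules/plugins` standing over an active directive, so a user who hits that breakage is told the cause but not the remedy; the unbound.profile hunk has the identical pairing. Suggest rewording it on both files to `# memory-deny-write-execute can break modules/plugins - comment it out in a local override if needed`. The first hunk here, and the matching hunks in dnsmasq.profile and unbound.profile, also drop `noblacklist /var/log`; if one of these daemons writes its log under /var/log and an included .inc blacklists that path, logging would fail silently in the sandbox, so if this was verified as part of the cleanup a one-line comment saying so would save the next maintainer the same check.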
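--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc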
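--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
@@ -28,7 +29,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-# net none breaks AppArmor on Ubuntu systems
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev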
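--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
 
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg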
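--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp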
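Review bot: The private-bin line is still commented out after kdeinit4 is added to it, so this change has no effect on the sandbox until someone enables the directive, and the file does not say why it stays disabled. If the list is now believed complete (the commit message says okular needs kdeinit4 for the open-file dialog), either enable it alongside the existing `shell none`, or record the remaining blocker inline, e.g. `# private-bin okular,kbuildsycoca4,kdeinit4,lpr - disabled: <reason>`, so the next maintainer knows what is left to test rather than re-discovering it.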
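--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute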