Refactor archivers ii (#3827)

* harden 7z.profile * harden atool.profile * harden bsdtar.profile * harden cpio.profile * harden gzip.profile * harden tar.profile * harden unrar.profile * harden unzip.profile * harden xzdec.profile * harden zstd.profile
author: glitsj16 <glitsj16@users.noreply.github.com> 2020-12-15 20:06:10 +0000
committer: GitHub <noreply@github.com> 2020-12-15 20:06:10 +0000
commit: 95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e (patch)
tree: 7be50ac3107bfa62f0227c7c6ff73528de84a422
parent: Refactor archivers (#3820) (diff)
download: firejail-95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e.tar.gz
firejail-95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e.tar.zst
firejail-95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e.zip
10 files changed, 8 insertions, 20 deletions
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index c7bed93ce..4f9e72a79 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,8 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local
-ignore include disable-shell.inc
+noblacklist ${PATH}/bash
-ignore nogroups
+noblacklist ${PATH}/sh
 include archiver-common.inc
-#private-bin 7z,7z*,p7zip
+private-bin 7z,7z*,bash,p7zip,sh
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index d8b6bbaaf..34af47df2 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -9,13 +9,10 @@ include globals.local
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
-ignore include disable-devel.inc
-ignore include disable-shell.inc
 include archiver-common.inc
 noroot
-# private-bin atool,perl
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index 75e13e7e8..f2116f4ab 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,8 +6,6 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
-ignore include disable-devel.inc
-ignore include disable-shell.inc
 include archiver-common.inc
 # support compressed archives
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index 5e01952b4..785308ffd 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -10,7 +10,4 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
-ignore include disable-devel.inc
-ignore include disable-interpreters.inc
-ignore include disable-shell.inc
 include archiver-common.inc
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 96c1743e3..78ecf5116 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -10,5 +10,6 @@ include globals.local
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
-ignore include disable-shell.inc
 include archiver-common.inc
+private-bin gunzip,gzexe,gzip,uncompress,zcat,zcmp,zdiff,zegrep,zfgrep,zforce,zgrep,zless,zmore,znew
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 2ddc82dbb..29fda7e45 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -10,12 +10,13 @@ include globals.local
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
-ignore include disable-shell.inc
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
 include archiver-common.inc
 # support compressed archives
 private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-etc alternatives,group,localtime,login.defs,passwd
-private-lib libfakeroot
+private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index cbf0e8679..9487f8e68 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -7,8 +7,6 @@ include unrar.local
 # Persistent global definitions
 include globals.local
-ignore nogroups
-ignore private-cache
 include archiver-common.inc
 private-bin unrar
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 30ee3ec12..be480923e 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,6 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
-ignore nogroups
 noroot
 include archiver-common.inc
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
index c21fe16cf..082392a08 100644
--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -7,6 +7,4 @@ include xzdec.local
 # Persistent global definitions
 include globals.local
-ignore include disable-shell.inc
-ignore nogroups
 include archiver-common.inc
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
index 5ae38e633..42749ba6d 100644
--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -7,5 +7,4 @@ include zstd.local
 # Persistent global definitions
 include globals.local
-ignore include disable-shell.inc
 include archiver-common.inc
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-12-15 20:06:10 +0000
committer	GitHub <noreply@github.com>	2020-12-15 20:06:10 +0000
commit	95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e (patch)
tree	7be50ac3107bfa62f0227c7c6ff73528de84a422
parent	Refactor archivers (#3820) (diff)
download	firejail-95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e.tar.gz firejail-95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e.tar.zst firejail-95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e.zip