misc profiles

- disable-interpreters: blacklist /usr/lib64/libmozjs-* - fdns: - fix .local name - remove server.profile comment (do we need /sbin and /usr/sbin?) - add wusc and wvc (commented because untested) - minimize caps.keep (based on fdns.service) - fix protocol position - add private-etc (based on fdns.service)
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-04-10 18:40:29 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-04-11 10:09:44 +0200
commit: c23fb14420fe964720243d9f27d00d26f7f13780 (patch)
tree: 5cc7e11ef1e85b58132e7473979231c532a091d1
parent: Move autoconfigured lines up in Makefile.in (diff)
download: firejail-c23fb14420fe964720243d9f27d00d26f7f13780.tar.gz
firejail-c23fb14420fe964720243d9f27d00d26f7f13780.tar.zst
firejail-c23fb14420fe964720243d9f27d00d26f7f13780.zip
3 files changed, 11 insertions, 8 deletions
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 495a75a54..59e9c7de3 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -17,6 +17,9 @@ blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
 blacklist /usr/share/lua*
+# mozjs
+blacklist /usr/lib64/libmozjs-*
 # Node.js
 blacklist ${PATH}/node
 blacklist /usr/include/node
diff --git a/etc/fdns.profile b/etc/fdns.profile
index 4b266f7f8..179540806 100644
--- a/etc/fdns.profile
+++ b/etc/fdns.profile
@@ -1,14 +1,10 @@
 # Firejail profile for server
 # This file is overwritten after every install/update
 # Persistent local customizations
-include server.local
+include fdns.local
 # Persistent global definitions
 include globals.local
-# generic server profile
-# it allows /sbin and /usr/sbin directories - this is where servers are installed
-# depending on your usage, you can enable some of the commands below:
-#
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -23,8 +19,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-caps.keep chown,kill,net_admin,net_bind_service,setgid,setuid,sys_admin,sys_chroot,syslog
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
 # netfilter /etc/firejail/webserver.net
 no3d
@@ -36,6 +34,7 @@ nosound
 notv
 nou2f
 novideo
+protocol unix,inet,inet6
 #seccomp
 #shell none
@@ -44,9 +43,8 @@ private
 private-bin bash,fdns,sh
 # private-cache
 private-dev
-# private-etc alternatives
+private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
-protocol unix,inet,inet6
 memory-deny-write-execute
diff --git a/etc/scorched3d-wrapper.profile b/etc/scorched3d-wrapper.profile
index 3eed8842b..9cbb19bff 100644
--- a/etc/scorched3d-wrapper.profile
+++ b/etc/scorched3d-wrapper.profile
@@ -1,5 +1,7 @@
 # Firejail profile for scorched3d
 # This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d-wrapper.local
 # Redirect
 include scorched3d.profile
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-04-10 18:40:29 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-04-11 10:09:44 +0200
commit	c23fb14420fe964720243d9f27d00d26f7f13780 (patch)
tree	5cc7e11ef1e85b58132e7473979231c532a091d1
parent	Move autoconfigured lines up in Makefile.in (diff)
download	firejail-c23fb14420fe964720243d9f27d00d26f7f13780.tar.gz firejail-c23fb14420fe964720243d9f27d00d26f7f13780.tar.zst firejail-c23fb14420fe964720243d9f27d00d26f7f13780.zip