author | smitsohu <smitsohu@gmail.com> | 2019-03-16 19:16:16 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-03-16 19:16:16 +0100 |
commit | cb46b1fdc2419fb8379188a50752c0d51f54cbfc (patch) | |
tree | 42c73d7dfbaf5307da1a19a966ad95176ecf1805 | |
parent | hardening: replace setuid/setgid calls with setresuid/setresgid (diff) | |
parent | Follow-up on flatpak/snap support (#2601) (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/pycharm-community.profile | 1 | ||||
-rw-r--r-- | etc/seahorse-daemon.profile | 15 | ||||
-rw-r--r-- | etc/seahorse-tool.profile | 13 | ||||
-rw-r--r-- | etc/seahorse.profile | 45 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
8 files changed, 63 insertions, 18 deletions
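--- a/RELNOTES
+++ b/RELNOTES
@@ -8,6 +8,7 @@ firejail (0.9.59) baseline; urgency=low
 * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
 * new profiles: code-oss, pragha
 * memory-deny-write-execute now also blocks memfd_create
+* drop support for flatpak/snap packages
 
 firejail (0.9.58,2) baseline; urgency=low
 * cgroup flag in /etc/firejail/firejail.config file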
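--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -6,7 +6,6 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/Standard Notes Backups
-blacklist ${HOME}/snap
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios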
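--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -5,7 +5,6 @@ include pycharm-community.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.java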
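--- /dev/null
+++ b/etc/seahorse-daemon.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile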
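Review bot: `blacklist /tmp/.X11-unix` carries no comment saying why the daemon is denied the X11 socket while the rest of the redirected seahorse.profile applies unchanged; a one-liner such as `# headless service: no access to the X11 socket` would make the intent explicit for the next maintainer. Through the redirect the daemon also inherits the seahorse profile's whitelists for `${HOME}/.ssh`, `/etc/ssh`, `/tmp/ssh-*` and its network access (`protocol unix,inet,inet6`, `netfilter`); whether a background daemon actually needs all of that is not established by this hunk and is worth confirming, or at least noting in a comment. The `# Description:` line is copied verbatim from the seahorse profile and could be made specific to the daemon.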
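--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,20 +7,11 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
-# dconf
+noblacklist ${DOWNLOADS}
-noblacklist ${HOME}/.config/dconf
 
-include disable-exec.inc
-include disable-xdg.inc
-include whitelist-var-common.inc
-
-apparmor
-ipc-namespace
-
-disable-mnt
 private-tmp
 
 memory-deny-write-execute
 
 # Redirect
-include gpg.profile
+include seahorse.profile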
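Review bot: `noblacklist ${DOWNLOADS}` on the new side most likely does not expose the download directory, because the redirected seahorse.profile whitelists paths under ${HOME} (`whitelist ${HOME}/.gnupg`, `whitelist ${HOME}/.ssh`, `whitelist ${HOME}/.config/dconf`), and once a home whitelist is in effect only whitelisted entries are visible — a noblacklist only lifts a blacklist. If the tool is meant to encrypt/decrypt files from Downloads, it needs `whitelist ${DOWNLOADS}` next to that line. Note also that `private-tmp` here mounts an empty tmpfs over /tmp, which as far as I can tell hides the `/tmp/ssh-*` agent socket that seahorse.profile goes out of its way to whitelist; if that is intended for the tool, a short comment saying so would avoid the question being re-raised.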
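--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -4,22 +4,57 @@
 # Persistent local customizations
 include seahorse.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 
 # dconf
 noblacklist ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
+# gpg
+mkdir ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
 
 # ssh
+whitelist /etc/ld.so.preload
 noblacklist /etc/ssh
+whitelist /etc/ssh
 noblacklist /tmp/ssh-*
+whitelist /tmp/ssh-*
+mkdir ${HOME}/.ssh
 noblacklist ${HOME}/.ssh
+whitelist ${HOME}/.ssh
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-ipc-namespace
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# shell none - causes gpg to hang
+tracelog
+
+disable-mnt
+private-cache
+private-dev
 
-# Redirect
+writable-run-user
-include gpg.profile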
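Review bot: `whitelist /etc/ld.so.preload` sits under the `# ssh` heading but has nothing to do with ssh; presumably it is there because `whitelist /etc/ssh` turns /etc whitelist-only and `tracelog` needs the preload file to inject its library, so it should move next to `tracelog` or carry a comment such as `# needed by tracelog (libtracelog is loaded via ld.so.preload)`. Two more lines deserve a why-comment: `mkdir ${HOME}/.gnupg` only helps if the directory is created with mode 0700, otherwise gpg warns about unsafe permissions — confirm what firejail's mkdir does. `writable-run-user` re-opens /run/user/$UID for writing, which is presumably required to connect to the gpg-agent/ssh-agent sockets but widens the sandbox and should say so, e.g. `# needed to reach the gpg-agent/ssh-agent sockets`.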
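--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -432,6 +432,7 @@ scallion
 scribus
 sdat2img
 seahorse
+seahorse-daemon
 seahorse-tool
 seamonkey
 seamonkey-bin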
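--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -48,6 +48,10 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.PP
+Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
+are not supported. Snap and flatpak packages have their own native management tools and will
+not work when sandboxed with Firejail.
 
 .SH USAGE
 Without any options, the sandbox consists of a filesystem build in a new mount namespace,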