seccomp and brave profile merges

author: netblue30 <netblue30@yahoo.com> 2017-04-03 09:33:46 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-04-03 09:33:46 -0400
commit: ccc2ed781742057205e5df6aea296a12c2043ef2 (patch)
tree: 4798cd27253910530dbc278e104a7c25b6ef0ba4
parent: updated for Go, Rust, and OpenSSL blacklist: #1186 (diff)
download: firejail-ccc2ed781742057205e5df6aea296a12c2043ef2.tar.gz
firejail-ccc2ed781742057205e5df6aea296a12c2043ef2.tar.zst
firejail-ccc2ed781742057205e5df6aea296a12c2043ef2.zip
3 files changed, 24 insertions, 6 deletions
diff --git a/README b/README
index 8d85fcd5a..fcde0c6b9 100644
--- a/README
+++ b/README
@@ -363,6 +363,8 @@ SYN-cook (https://github.com/SYN-cook)
        - blacklist nautilus and nemo in ~/.local/share/
 startx2017 (https://github.com/startx2017)
        - syscall list update
+        - updated default seccomp filters - added  bpf, clock_settime, personality, process_vm_writev, query_module,
+                      settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
        - enable/disable join support in /etc/firejail/firejail.config
        - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
        - firejail.config cleanup
diff --git a/etc/brave.profile b/etc/brave.profile
index d7678d5d5..a65a3adc8 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -4,18 +4,32 @@ include /etc/firejail/brave.local
 # Profile for Brave browser
 noblacklist ~/.config/brave
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-caps.drop all
+#caps.drop all
 netfilter
-nonewprivs
+#nonewprivs
-noroot
+#noroot
-protocol unix,inet,inet6,netlink
+#protocol unix,inet,inet6,netlink
-seccomp
+#seccomp
 whitelist ${DOWNLOADS}
 mkdir ~/.config/brave
 whitelist ~/.config/brave
+mkdir ~/.pki
+whitelist ~/.pki
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+include /etc/firejail/whitelist-common.inc
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f603daecb..3deeda960 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1430,7 +1430,9 @@ add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
 migrate_pages, move_pages, vmsplice, chroot,
-tuxcall, reboot, mfsservctl and get_kernel_syms.
+tuxcall, reboot, mfsservctl, get_kernel_syms,
+bpf, clock_settime, personality, process_vm_writev, query_module,
+settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2017-04-03 09:33:46 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-04-03 09:33:46 -0400
commit	ccc2ed781742057205e5df6aea296a12c2043ef2 (patch)
tree	4798cd27253910530dbc278e104a7c25b6ef0ba4
parent	updated for Go, Rust, and OpenSSL blacklist: #1186 (diff)
download	firejail-ccc2ed781742057205e5df6aea296a12c2043ef2.tar.gz firejail-ccc2ed781742057205e5df6aea296a12c2043ef2.tar.zst firejail-ccc2ed781742057205e5df6aea296a12c2043ef2.zip