Hardening compressors (#2594)

* Harden atool * Harden cpio * Fix ordering in private-* options * Harden gzip * Harden tar * Harden bsdtar * Harden+ tar * Harden+ gzip * Harden+ cpio * Create bzip2.profile * Description for bunzip2 * Add bzip2/bunzip2 to firecfg
author: glitsj16 <glitsj16@users.noreply.github.com> 2019-03-14 12:01:43 +0000
committer: GitHub <noreply@github.com> 2019-03-14 12:01:43 +0000
commit: 097aba97d8cb0a848f1f21018f65c58d48ef3cb2 (patch)
tree: bb5159f2651680606ccf7208dd4f48e1add373fe
parent: Fixes for seahorse/seahorse-tool (#2592) (diff)
download: firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.gz
firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.zst
firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.zip
8 files changed, 65 insertions, 3 deletions
diff --git a/etc/atool.profile b/etc/atool.profile
index c82108cef..b17498e9d 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl*
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
-netfilter
+hostname atool
+ipc-namespace
+machine-id
 net none
+netfilter
 no3d
 nodvd
+nodbus
 nogroups
 nonewprivs
 noroot
@@ -39,9 +45,11 @@ seccomp
 shell none
 tracelog
+# private-bin atool,perl
 private-cache
-# private-bin atool
 private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,passwd,group,login.defs
 private-tmp
+memory-deny-write-execute
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index b6b673976..f964438bc 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -10,16 +10,20 @@ blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
 hostname bsdtar
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
+nodbus
 nogroups
 nonewprivs
 # noroot
@@ -34,5 +38,8 @@ tracelog
 # support compressed archives
 private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
+memory-deny-write-execute
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile
index 82c0f6ed6..ff86cbdfc 100644
--- a/etc/bunzip2.profile
+++ b/etc/bunzip2.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bunzip2
+# Description: A high-quality data compression program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include bunzip2.local
diff --git a/etc/bzip2.profile b/etc/bzip2.profile
new file mode 100644
index 000000000..0f2fdd35a
--- /dev/null
+++ b/etc/bzip2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gzip.profile
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f63e0a552..b6f7e7f9f 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -13,14 +13,21 @@ noblacklist /sbin
 noblacklist /usr/sbin
 include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
+hostname cpio
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nonewprivs
 nosound
 notv
@@ -30,4 +37,7 @@ seccomp
 shell none
 tracelog
+private-cache
 private-dev
+memory-deny-write-execute
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 49c43a49c..27e262f87 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,11 +9,20 @@ include globals.local
 blacklist /tmp/.X11-unix
+include disable-exec.inc
+include disable-interpreters.inc
 ignore noroot
+apparmor
+hostname gzip
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -21,6 +30,9 @@ novideo
 shell none
 tracelog
+private-cache
 private-dev
+memory-deny-write-execute
 include default.profile
diff --git a/etc/tar.profile b/etc/tar.profile
index e1cfe9c80..14fc00d21 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -10,12 +10,20 @@ include tar.local
 blacklist /tmp/.X11-unix
-hostname tar
+include disable-exec.inc
+include disable-interpreters.inc
 ignore noroot
+apparmor
+hostname tar
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -25,10 +33,13 @@ tracelog
 # support compressed archives
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
+memory-deny-write-execute
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 87c427f72..f1be8bfd9 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -68,6 +68,8 @@ brackets
 brasero
 brave
 brave-browser
+bunzip2
+bzip2
 calibre
 calligra
 calligraauthor
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-03-14 12:01:43 +0000
committer	GitHub <noreply@github.com>	2019-03-14 12:01:43 +0000
commit	097aba97d8cb0a848f1f21018f65c58d48ef3cb2 (patch)
tree	bb5159f2651680606ccf7208dd4f48e1add373fe
parent	Fixes for seahorse/seahorse-tool (#2592) (diff)
download	firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.gz firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.zst firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.zip

diff --git a/etc/atool.profile b/etc/atool.profile index c82108cef..b17498e9d 100644 --- a/etc/atool.profile +++ b/etc/atool.profile
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl*
18		18
19	include disable-common.inc	19	include disable-common.inc
20	# include disable-devel.inc	20	# include disable-devel.inc
		21	include disable-exec.inc
21	include disable-interpreters.inc	22	include disable-interpreters.inc
22	include disable-passwdmgr.inc	23	include disable-passwdmgr.inc
23	include disable-programs.inc	24	include disable-programs.inc
24		25
		26	apparmor
25	caps.drop all	27	caps.drop all
26	netfilter	28	hostname atool
		29	ipc-namespace
		30	machine-id
27	net none	31	net none
		32	netfilter
28	no3d	33	no3d
29	nodvd	34	nodvd
		35	nodbus
30	nogroups	36	nogroups
31	nonewprivs	37	nonewprivs
32	noroot	38	noroot
@@ -39,9 +45,11 @@ seccomp
39	shell none	45	shell none
40	tracelog	46	tracelog
41		47
		48	# private-bin atool,perl
42	private-cache	49	private-cache
43	# private-bin atool
44	private-dev	50	private-dev
45	# without login.defs atool complains and uses UID/GID 1000 by default	51	# without login.defs atool complains and uses UID/GID 1000 by default
46	private-etc alternatives,passwd,group,login.defs	52	private-etc alternatives,passwd,group,login.defs
47	private-tmp	53	private-tmp
		54
		55	memory-deny-write-execute


diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index b6b673976..f964438bc 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile
@@ -10,16 +10,20 @@ blacklist /tmp/.X11-unix
10		10
11	include disable-common.inc	11	include disable-common.inc
12	# include disable-devel.inc	12	# include disable-devel.inc
		13	include disable-exec.inc
13	include disable-interpreters.inc	14	include disable-interpreters.inc
14	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
15	include disable-programs.inc	16	include disable-programs.inc
16		17
		18	apparmor
17	caps.drop all	19	caps.drop all
18	hostname bsdtar	20	hostname bsdtar
19	ipc-namespace	21	ipc-namespace
		22	machine-id
20	netfilter	23	netfilter
21	no3d	24	no3d
22	nodvd	25	nodvd
		26	nodbus
23	nogroups	27	nogroups
24	nonewprivs	28	nonewprivs
25	# noroot	29	# noroot
@@ -34,5 +38,8 @@ tracelog
34		38
35	# support compressed archives	39	# support compressed archives
36	private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive	40	private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
		41	private-cache
37	private-dev	42	private-dev
38	private-etc alternatives,passwd,group,localtime	43	private-etc alternatives,passwd,group,localtime
		44
		45	memory-deny-write-execute


diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile index 82c0f6ed6..ff86cbdfc 100644 --- a/etc/bunzip2.profile +++ b/etc/bunzip2.profile
@@ -1,4 +1,5 @@
1	# Firejail profile for bunzip2	1	# Firejail profile for bunzip2
		2	# Description: A high-quality data compression program
2	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
3	# Persistent local customizations	4	# Persistent local customizations
4	include bunzip2.local	5	include bunzip2.local


diff --git a/etc/bzip2.profile b/etc/bzip2.profile new file mode 100644 index 000000000..0f2fdd35a --- /dev/null +++ b/etc/bzip2.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for bzip2
		2	# Description: A high-quality data compression program
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include bzip2.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	# Redirect
		11	include gzip.profile


diff --git a/etc/cpio.profile b/etc/cpio.profile index f63e0a552..b6f7e7f9f 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile
@@ -13,14 +13,21 @@ noblacklist /sbin
13	noblacklist /usr/sbin	13	noblacklist /usr/sbin
14		14
15	include disable-common.inc	15	include disable-common.inc
		16	# include disable-devel.inc
		17	include disable-exec.inc
16	include disable-passwdmgr.inc	18	include disable-passwdmgr.inc
17	include disable-programs.inc	19	include disable-programs.inc
18		20
		21	apparmor
19	caps.drop all	22	caps.drop all
		23	hostname cpio
		24	ipc-namespace
		25	machine-id
20	net none	26	net none
21	no3d	27	no3d
22	nodbus	28	nodbus
23	nodvd	29	nodvd
		30	nogroups
24	nonewprivs	31	nonewprivs
25	nosound	32	nosound
26	notv	33	notv
@@ -30,4 +37,7 @@ seccomp
30	shell none	37	shell none
31	tracelog	38	tracelog
32		39
		40	private-cache
33	private-dev	41	private-dev
		42
		43	memory-deny-write-execute


diff --git a/etc/gzip.profile b/etc/gzip.profile index 49c43a49c..27e262f87 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile
@@ -9,11 +9,20 @@ include globals.local
9		9
10	blacklist /tmp/.X11-unix	10	blacklist /tmp/.X11-unix
11		11
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14
12	ignore noroot	15	ignore noroot
		16
		17	apparmor
		18	hostname gzip
		19	ipc-namespace
		20	machine-id
13	net none	21	net none
14	no3d	22	no3d
15	nodbus	23	nodbus
16	nodvd	24	nodvd
		25	nogroups
17	nosound	26	nosound
18	notv	27	notv
19	nou2f	28	nou2f
@@ -21,6 +30,9 @@ novideo
21	shell none	30	shell none
22	tracelog	31	tracelog
23		32
		33	private-cache
24	private-dev	34	private-dev
25		35
		36	memory-deny-write-execute
		37
26	include default.profile	38	include default.profile


diff --git a/etc/tar.profile b/etc/tar.profile index e1cfe9c80..14fc00d21 100644 --- a/etc/tar.profile +++ b/etc/tar.profile
@@ -10,12 +10,20 @@ include tar.local
10		10
11	blacklist /tmp/.X11-unix	11	blacklist /tmp/.X11-unix
12		12
13	hostname tar	13	include disable-exec.inc
		14	include disable-interpreters.inc
		15
14	ignore noroot	16	ignore noroot
		17
		18	apparmor
		19	hostname tar
		20	ipc-namespace
		21	machine-id
15	net none	22	net none
16	no3d	23	no3d
17	nodbus	24	nodbus
18	nodvd	25	nodvd
		26	nogroups
19	nosound	27	nosound
20	notv	28	notv
21	nou2f	29	nou2f
@@ -25,10 +33,13 @@ tracelog
25		33
26	# support compressed archives	34	# support compressed archives
27	private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop	35	private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
		36	private-cache
28	private-dev	37	private-dev
29	private-etc alternatives,passwd,group,localtime	38	private-etc alternatives,passwd,group,localtime
30	private-lib libfakeroot	39	private-lib libfakeroot
31		40
		41	memory-deny-write-execute
		42
32	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)	43	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
33	writable-var	44	writable-var
34		45


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 87c427f72..f1be8bfd9 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -68,6 +68,8 @@ brackets
68	brasero	68	brasero
69	brave	69	brave
70	brave-browser	70	brave-browser
		71	bunzip2
		72	bzip2
71	calibre	73	calibre
72	calligra	74	calligra
73	calligraauthor	75	calligraauthor