author | Vladimir Schowalter <VladimirSchowalter20@users.noreply.github.com> | 2017-08-06 22:42:24 +0100 |
---|---|---|
committer | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2017-08-06 16:42:24 -0500 |
commit | 20fbc19e57da1c409b139ffb1b211ceb5f8c6050 (patch) | |
tree | ed575e03159767a085c55e42ff54fc46b05bc9fb | |
parent | Seccomp: split @default into more meaningful smaller groups (diff) | |
download | firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.tar.gz firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.tar.zst firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.zip |
various profile fixes (#1433)
* calibre: add netlink protocol (FB note: removed before merge)
calibre started without the netlink protocol throws the following error in the console:
Exception in thread Thread-8:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/lib/calibre/calibre/utils/mdns.py", line 43, in run
_all_ip_addresses = self.get_all_ips()
File "/usr/lib/calibre/calibre/utils/mdns.py", line 27, in get_all_ips
for x in netifaces.interfaces():
OSError: [Errno 95] Operation not supported
* mpv: add nogroups, tracelog, ipc-namespace, private-dev
I tested all the above options and didn't notice any breakage.
* qbittorrent: add netlink protocol, private-etc
The netlink protocol is needed if the user selects to bind a specific network interface in the config. Otherwise it throws an error in the qbittorrent log:
The network interface defined is invalid: tun0
An example private-etc is added but commented out by default. It's tested, but as there are many different system configurations, users should enable it manually.
* vlc: disable memory-deny-write-execute
With memory-deny-write-execute vlc freezes after loading a video file. According to https://github.com/VladimirSchowalter20/firejail/commit/b18f42ab0236de7eed5888f43ba36cdaf990cbca memory-deny-write-execute is similar to the PaX mprotect feature, and the linked GitHub project explicitly disables that feature for the vlc binary, see https://github.com/copperhead/paxd-archive/commit/deb39e0b91996e2e9c7917b3543030880cd476f4
* Update vlc.profile
* wine: add nogroups
Nogroups should be a safe addition for wine.
* wireshark: allow users to run wireshark as non-root
Wireshark can be run unprivileged when the user is part of the wireshark group. Unfortunately, enabling nogroups, nonewprivs and seccomp will break it with permission errors.
Also added an example private-etc option, which is commented out by default for now.
* cosmetic fix
* mpv: comment out ipc-namespace for now
As requested in review https://github.com/netblue30/firejail/pull/1433#discussion_r131550515
* calibre: disable netlink protocol
It throws an error, but actual breakage isn't observed for now.
-rw-r--r-- | etc/mpv.profile | 4 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 3 | ||||
-rw-r--r-- | etc/vlc.profile | 2 | ||||
-rw-r--r-- | etc/wine.profile | 1 | ||||
-rw-r--r-- | etc/wireshark.profile | 7 |
5 files changed, 12 insertions, 5 deletions
diff --git a/etc/mpv.profile b/etc/mpv.profile index abf6f1668..0cda3e4e1 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -16,11 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | 18 | netfilter |
19 | nogroups | ||
19 | nonewprivs | 20 | nonewprivs |
20 | noroot | 21 | noroot |
21 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
22 | seccomp | 23 | seccomp |
24 | tracelog | ||
23 | 25 | ||
24 | # to test | 26 | # to test |
27 | # ipc-namespace | ||
25 | shell none | 28 | shell none |
26 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env | 29 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env |
30 | private-dev | ||
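Review bot: `nogroups` (line 19) and `private-dev` (line 30) are added without recording the kind of system they were tested on; on setups that grant /dev/dri or /dev/snd access through the `video`/`audio` supplementary groups rather than logind ACLs, dropping groups shows up as lost hardware decoding or sound, so a short comment next to `nogroups` noting that caveat would save the next person the debugging. Separately, `# ipc-namespace` parked under `# to test` (line 27) says nothing about why it is disabled; a comment such as `# ipc-namespace - disabled pending review, see #1433` keeps the reason in the profile rather than only in the PR discussion.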
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 5dc0eb4c8..7ae8a22d4 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -34,11 +34,12 @@ nogroups | |||
34 | nonewprivs | 34 | nonewprivs |
35 | noroot | 35 | noroot |
36 | nosound | 36 | nosound |
37 | protocol unix,inet,inet6 | 37 | protocol unix,inet,inet6,netlink |
38 | seccomp | 38 | seccomp |
39 | 39 | ||
40 | # there are some problems with "Open destination folder", see bug #536 | 40 | # there are some problems with "Open destination folder", see bug #536 |
41 | #shell none | 41 | #shell none |
42 | #private-bin qbittorrent | 42 | #private-bin qbittorrent |
43 | private-dev | 43 | private-dev |
44 | # private-etc X11,fonts,xdg,resolv.conf | ||
44 | private-tmp | 45 | private-tmp |
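Review bot: `protocol unix,inet,inet6,netlink` (line 37) widens the allowed socket families for every user, while the commit message says netlink is only needed when binding to a specific network interface; a comment on that line (e.g. `# netlink - needed for binding to a specific network interface`) preserves that reasoning in the profile. The new `# private-etc X11,fonts,xdg,resolv.conf` (line 44) also differs in comment style from `#private-bin qbittorrent` directly above it, and since the message calls it an example only, the comment should say what is likely missing for a real system: a client that talks HTTPS to trackers will typically also need `ca-certificates` and `ssl` in that list, and `hosts`/`nsswitch.conf` for name resolution.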
diff --git a/etc/vlc.profile b/etc/vlc.profile index 34f4aa5ff..6ae8b0d15 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -27,6 +27,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | |||
27 | private-dev | 27 | private-dev |
28 | private-tmp | 28 | private-tmp |
29 | 29 | ||
30 | memory-deny-write-execute | 30 | # memory-deny-write-execute - breaks playing videos |
31 | noexec ${HOME} | 31 | noexec ${HOME} |
32 | noexec /tmp | 32 | noexec /tmp |
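Review bot: commenting out `memory-deny-write-execute` (line 30) removes the profile's only restriction on writable-and-executable memory, leaving `noexec ${HOME}` and `noexec /tmp` on the lines below as the remaining execution controls; the inline reason "breaks playing videos" is good, but pointing at the PR so the finding can be re-tested later is better than leaving it as received wisdom, e.g. `# memory-deny-write-execute - breaks playing videos, see #1433`.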
diff --git a/etc/wine.profile b/etc/wine.profile index 8985071f3..5ee8bae38 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
@@ -18,6 +18,7 @@ include /etc/firejail/disable-devel.inc | |||
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | nogroups | ||
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
23 | seccomp | 24 | seccomp |
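Review bot: `nogroups` (line 21) is added on the strength of the commit message's "should be safe", with no test noted, unlike the mpv change in the same PR; programs under wine typically want sound, 3D and input devices, and on distributions that grant those through the `audio`/`video`/`input` groups instead of ACLs, dropping supplementary groups will surface as missing devices inside the sandbox. Suggest either recording a test on at least one such setup in the message, or adding it commented with a note, as the wireshark hunk does for its disabled options.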
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 98a4f3a9d..d5f3b8c4b 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -23,14 +23,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
23 | #ipc-namespace | 23 | #ipc-namespace |
24 | netfilter | 24 | netfilter |
25 | no3d | 25 | no3d |
26 | nogroups | 26 | # nogroups - breaks unprivileged wireshark usage |
27 | nonewprivs | 27 | # nonewprivs - breaks unprivileged wireshark usage |
28 | nosound | 28 | nosound |
29 | seccomp | 29 | # seccomp - breaks unprivileged wireshark usage |
30 | shell none | 30 | shell none |
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | #private-bin wireshark | 33 | #private-bin wireshark |
34 | # private-etc fonts,group,hosts,machine-id,passwd | ||
34 | private-dev | 35 | private-dev |
35 | private-tmp | 36 | private-tmp |
36 | 37 | ||
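Review bot: the three comments on lines 26, 27 and 29 repeat "breaks unprivileged wireshark usage" without saying what needs the privilege, and together they drop the syscall filter, the privilege-escalation block and the group drop at once; the commit message gives the actual reason (capture works via membership in the `wireshark` group, which `nogroups` removes, and the capture helper dumpcap gains its capabilities in a way `nonewprivs` blocks, with `seccomp` presumably going along because the filter is installed with no_new_privs). One explanatory comment block above those lines would carry that into the profile and make plain that the sandbox now rests on the remaining options (`netfilter`, `private-dev`, `private-tmp`). Two smaller points on the commented options: `#private-bin wireshark` (line 33) would, if ever enabled, also need dumpcap to be listed, and the new `# private-etc fonts,group,hosts,machine-id,passwd` (line 34) rightly keeps `group` for the group lookup but omits `resolv.conf` and `nsswitch.conf`, which name resolution in wireshark needs; both are worth stating in the comment before someone uncomments them.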