authorLibravatar SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com>2018-03-25 10:28:16 -0400
committerLibravatar GitHub <noreply@github.com>2018-03-25 10:28:16 -0400
commit2fd9dcda31740ebf6a02ae3ffd7407c95ed5cb43 (patch)
treefd5d4e62ae678dbd8b5bd5a41f6bc6c1fd100df8
parentFixup blender-2.8 and thunderbird-beta (diff)
parentvarious profile hardening (diff)
Merge branch 'master' into master
-rw-r--r--README3
-rw-r--r--README.md3
-rw-r--r--RELNOTES3
-rw-r--r--etc/disable-common.inc1
-rw-r--r--etc/disable-programs.inc2
-rw-r--r--etc/evince-previewer.profile10
-rw-r--r--etc/evince-thumbnailer.profile10
-rw-r--r--etc/kate.profile3
-rw-r--r--etc/kmail.profile3
-rw-r--r--etc/kwrite.profile3
-rw-r--r--src/firecfg/firecfg.config2
11 files changed, 40 insertions, 3 deletions
diff --git a/README b/README
index 6aacf8131..ff0500504 100644
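--- a/README
+++ b/README
@@ -244,6 +244,9 @@ Gaman Gabriel (https://github.com/stelariusinfinitek)
  - inox profile
 geg2048 (https://github.com/geg2048)
  - kwallet profile fixes
+glitsj16 (https://github.com/glitsj16)
+ - evince-previewer, evince-thumbnailer profiles
+ - gnome-recipes profile
 graywolf (https://github.com/graywolf)
  - spelling fix
 greigdp (https://github.com/greigdp)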
diff --git a/README.md b/README.md
index 73d9390d9..0c466a5e5 100644
--- a/README.md
+++ b/README.md
@@ -293,4 +293,5 @@ firefox-common-addons.inc in firefox-common.profile.
293Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, 293Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
294pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, 294pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
295tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, 295tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
296gnome-recipes, akonadi_control, blender-2.8, thunderbird-beta 296gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
297thunderbird-beta \ No newline at end of file
diff --git a/RELNOTES b/RELNOTES
index 18a4bf346..b299c5b9b 100644
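--- a/RELNOTES
+++ b/RELNOTES
@@ -29,7 +29,8 @@ firejail (0.9.53) baseline; urgency=low
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
- * new profiles: akonadi_control, blender-2.8, thunderbird-beta
+ * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
+ * new profiles: blender-2.8, thunderbird-beta
  -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low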
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 19be56f86..e5de0b61f 100644
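--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc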
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3f0d7b337..de88cbc24 100644
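--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -363,6 +363,7 @@ blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@@ -405,6 +406,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser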
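Review bot: The new `blacklist ${HOME}/.local/share/emailidentities` line (new line 366) is paired with a matching `noblacklist` only in kmail.profile in this commit. Any other profile that includes disable-programs.inc and reads KDE PIM identity data would lose access to that directory. akonadi_control is listed as a new profile in the README.md hunk, but its profile is not part of this diff, so whether it needs `noblacklist ${HOME}/.local/share/emailidentities` could not be checked here. It is worth confirming the remaining KDE PIM profiles and adding the same line where required; both hunks begin and end mid-file.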
diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile
new file mode 100644
index 000000000..d5bc6db33
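--- /dev/null
+++ b/etc/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-previewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile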
diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile
new file mode 100644
index 000000000..abc21632d
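--- /dev/null
+++ b/etc/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile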
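Review bot: evince-thumbnailer.profile consists only of the redirect `include /etc/firejail/evince.profile`, so the thumbnailer gets exactly the interactive viewer's sandbox even though it runs unattended and usually parses documents the user has not opened yet. Directives placed above the redirect apply to this binary only, which makes that the place for anything stricter than the viewer needs, for example `net none` if evince.profile does not already set it (evince.profile is not shown in this commit). A short comment above the redirect, such as `# thumbnailer parses untrusted documents; keep this at least as strict as evince.profile`, would record the intent. The same reasoning applies, to a lesser degree, to evince-previewer.profile.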
diff --git a/etc/kate.profile b/etc/kate.profile
index a3d2be6b2..5042077e5 100644
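--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# noexec ${HOME}
+noexec /tmp
+
 join-or-start kate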
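Review bot: `# noexec ${HOME}` at new line 45 is added commented out with no reason given, while kwrite.profile in the same commit enables `noexec ${HOME}`. A reader cannot tell whether kate genuinely needs to execute files under the home directory or whether the line was simply left disabled, and a disabled hardening option without a rationale tends to stay disabled. I would state the reason on the line above, e.g. `# noexec ${HOME} is left off because <reason>; enable it in the local override if you do not need that`, or enable it as in kwrite.profile. Only the tail of the profile is visible in this hunk.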
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 3ee8370cb..952af55c8 100644
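--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# if akonadi has a mysql backend, starting it inside this sandbox will fail.
 # one solution is to have akonadi already running when kmail is launched
 
 noblacklist ${HOME}/.cache/akonadi*
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.local/share/akonadi/*
 noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg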
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index a785f3541..1c4e50b77 100644
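--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -43,4 +43,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
+
 join-or-start kwrite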
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index fafbc83d9..f2409d67b 100644
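--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -110,6 +110,8 @@ eom
 epiphany
 etr
 evince
+evince-previewer
+evince-thumbnailer
 evolution
 exiftool
 falkon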