misc fixes

remove netfilter from profiles with net none allow Viber to use dig, dig is in its private-bin, so I assume that it need it. blacklist resolvectl which can also be used for dns lookups
author: rusty-snake <print_hello_world+Public@protonmail.com> 2020-03-19 12:05:14 +0100
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2020-03-19 12:05:14 +0100
commit: 4442aac3f24b9ae8b25b6be29354fcb4f4af04ce (patch)
tree: 4a51d29420e526f4b9f33698bd3b3f8c3eed8c22
parent: fix nslookup.profile header (diff)
download: firejail-4442aac3f24b9ae8b25b6be29354fcb4f4af04ce.tar.gz
firejail-4442aac3f24b9ae8b25b6be29354fcb4f4af04ce.tar.zst
firejail-4442aac3f24b9ae8b25b6be29354fcb4f4af04ce.zip
16 files changed, 4 insertions, 15 deletions
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 95d482c22..12268706a 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-netfilter
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/Viber.profile b/etc/Viber.profile
index 925e130de..3195e39fa 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -6,6 +6,7 @@ include Viber.local
 include globals.local
 noblacklist ${HOME}/.ViberPC
+noblacklist ${PATH}/dig
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/atool.profile b/etc/atool.profile
index 0250451fc..ff3c81a80 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -25,7 +25,6 @@ hostname atool
 ipc-namespace
 machine-id
 net none
-netfilter
 no3d
 nodvd
 nodbus
diff --git a/etc/dia.profile b/etc/dia.profile
index 0bfc249fa..3a8651e2e 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 6ff83964d..815e4b13d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -481,6 +481,4 @@ blacklist ${PATH}/dnswalk
 blacklist ${PATH}/dns2tcp
 blacklist ${PATH}/iodine
 blacklist ${PATH}/knsupdate
+blacklist ${PATH}/resolvectl
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 49cec85c7..af670cee2 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-netfilter
 nodvd
 nonewprivs
 noroot
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 5b51bd03c..add3f407c 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-netfilter
 nodbus
 nogroups
 nonewprivs
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 1c917b9e7..c456541aa 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-netfilter
 no3d
 nodvd
 nogroups
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index c1135d859..a33ddab78 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -19,7 +19,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-netfilter
 no3d
 nodvd
 nogroups
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 9ba6f6376..868313c40 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-netfilter
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/openclonk.profile b/etc/openclonk.profile
index 8921bc460..20b2a9626 100644
--- a/etc/openclonk.profile
+++ b/etc/openclonk.profile
@@ -25,6 +25,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # net none - networked game
+netfilter
 nodbus
 nodvd
 nogroups
diff --git a/etc/openttd.profile b/etc/openttd.profile
index 507a18e1c..10f2f39c3 100644
--- a/etc/openttd.profile
+++ b/etc/openttd.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nodvd
 nogroups
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 970290002..0b5da661a 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
-netfilter
 net none
 nodbus
 nodvd
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 9a8426435..3324a18be 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -28,7 +28,6 @@ include whitelist-common.inc
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nodvd
 nogroups
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index e21b74030..b6424f342 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -8,7 +8,6 @@ include globals.local
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nogroups
 noroot
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 0ad423d30..a096f803c 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -17,7 +17,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
-netfilter
 no3d
 nodbus
 nodvd
author	rusty-snake <print_hello_world+Public@protonmail.com>	2020-03-19 12:05:14 +0100
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2020-03-19 12:05:14 +0100
commit	4442aac3f24b9ae8b25b6be29354fcb4f4af04ce (patch)
tree	4a51d29420e526f4b9f33698bd3b3f8c3eed8c22
parent	fix nslookup.profile header (diff)
download	firejail-4442aac3f24b9ae8b25b6be29354fcb4f4af04ce.tar.gz firejail-4442aac3f24b9ae8b25b6be29354fcb4f4af04ce.tar.zst firejail-4442aac3f24b9ae8b25b6be29354fcb4f4af04ce.zip

diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index 95d482c22..12268706a 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
26	apparmor	26	apparmor
27	caps.drop all	27	caps.drop all
28	net none	28	net none
29	netfilter
30	nodvd	29	nodvd
31	nogroups	30	nogroups
32	nonewprivs	31	nonewprivs


diff --git a/etc/Viber.profile b/etc/Viber.profile index 925e130de..3195e39fa 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile
@@ -6,6 +6,7 @@ include Viber.local
6	include globals.local	6	include globals.local
7		7
8	noblacklist ${HOME}/.ViberPC	8	noblacklist ${HOME}/.ViberPC
		9	noblacklist ${PATH}/dig
9		10
10	include disable-common.inc	11	include disable-common.inc
11	include disable-devel.inc	12	include disable-devel.inc


diff --git a/etc/atool.profile b/etc/atool.profile index 0250451fc..ff3c81a80 100644 --- a/etc/atool.profile +++ b/etc/atool.profile
@@ -25,7 +25,6 @@ hostname atool
25	ipc-namespace	25	ipc-namespace
26	machine-id	26	machine-id
27	net none	27	net none
28	netfilter
29	no3d	28	no3d
30	nodvd	29	nodvd
31	nodbus	30	nodbus


diff --git a/etc/dia.profile b/etc/dia.profile index 0bfc249fa..3a8651e2e 100644 --- a/etc/dia.profile +++ b/etc/dia.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
18	include disable-passwdmgr.inc	18	include disable-passwdmgr.inc
19	include disable-programs.inc	19	include disable-programs.inc
20	include disable-xdg.inc	20	include disable-xdg.inc
		21
21	include whitelist-var-common.inc	22	include whitelist-var-common.inc
22		23
23	apparmor	24	apparmor


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 6ff83964d..815e4b13d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -481,6 +481,4 @@ blacklist ${PATH}/dnswalk
481	blacklist ${PATH}/dns2tcp	481	blacklist ${PATH}/dns2tcp
482	blacklist ${PATH}/iodine	482	blacklist ${PATH}/iodine
483	blacklist ${PATH}/knsupdate	483	blacklist ${PATH}/knsupdate
484		484	blacklist ${PATH}/resolvectl
485
486


diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 49cec85c7..af670cee2 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
22	apparmor	22	apparmor
23	caps.drop all	23	caps.drop all
24	net none	24	net none
25	netfilter
26	nodvd	25	nodvd
27	nonewprivs	26	nonewprivs
28	noroot	27	noroot


diff --git a/etc/handbrake.profile b/etc/handbrake.profile index 5b51bd03c..add3f407c 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
23	apparmor	23	apparmor
24	caps.drop all	24	caps.drop all
25	net none	25	net none
26	netfilter
27	nodbus	26	nodbus
28	nogroups	27	nogroups
29	nonewprivs	28	nonewprivs


diff --git a/etc/leafpad.profile b/etc/leafpad.profile index 1c917b9e7..c456541aa 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
20	apparmor	20	apparmor
21	caps.drop all	21	caps.drop all
22	net none	22	net none
23	netfilter
24	no3d	23	no3d
25	nodvd	24	nodvd
26	nogroups	25	nogroups


diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index c1135d859..a33ddab78 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile
@@ -19,7 +19,6 @@ include whitelist-var-common.inc
19	apparmor	19	apparmor
20	caps.drop all	20	caps.drop all
21	net none	21	net none
22	netfilter
23	no3d	22	no3d
24	nodvd	23	nodvd
25	nogroups	24	nogroups


diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 9ba6f6376..868313c40 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
20	apparmor	20	apparmor
21	caps.drop all	21	caps.drop all
22	net none	22	net none
23	netfilter
24	nodvd	23	nodvd
25	nogroups	24	nogroups
26	nonewprivs	25	nonewprivs


diff --git a/etc/openclonk.profile b/etc/openclonk.profile index 8921bc460..20b2a9626 100644 --- a/etc/openclonk.profile +++ b/etc/openclonk.profile
@@ -25,6 +25,7 @@ apparmor
25	caps.drop all	25	caps.drop all
26	ipc-namespace	26	ipc-namespace
27	# net none - networked game	27	# net none - networked game
		28	netfilter
28	nodbus	29	nodbus
29	nodvd	30	nodvd
30	nogroups	31	nogroups


diff --git a/etc/openttd.profile b/etc/openttd.profile index 507a18e1c..10f2f39c3 100644 --- a/etc/openttd.profile +++ b/etc/openttd.profile
@@ -25,7 +25,6 @@ apparmor
25	caps.drop all	25	caps.drop all
26	ipc-namespace	26	ipc-namespace
27	net none	27	net none
28	netfilter
29	nodbus	28	nodbus
30	nodvd	29	nodvd
31	nogroups	30	nogroups


diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile index 970290002..0b5da661a 100644 --- a/etc/ppsspp.profile +++ b/etc/ppsspp.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
21		21
22	caps.drop all	22	caps.drop all
23	ipc-namespace	23	ipc-namespace
24	netfilter
25	net none	24	net none
26	nodbus	25	nodbus
27	nodvd	26	nodvd


diff --git a/etc/terasology.profile b/etc/terasology.profile index 9a8426435..3324a18be 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile
@@ -28,7 +28,6 @@ include whitelist-common.inc
28	caps.drop all	28	caps.drop all
29	ipc-namespace	29	ipc-namespace
30	net none	30	net none
31	netfilter
32	nodbus	31	nodbus
33	nodvd	32	nodvd
34	nogroups	33	nogroups


diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile index e21b74030..b6424f342 100644 --- a/etc/x-terminal-emulator.profile +++ b/etc/x-terminal-emulator.profile
@@ -8,7 +8,6 @@ include globals.local
8	caps.drop all	8	caps.drop all
9	ipc-namespace	9	ipc-namespace
10	net none	10	net none
11	netfilter
12	nodbus	11	nodbus
13	nogroups	12	nogroups
14	noroot	13	noroot


diff --git a/etc/xcalc.profile b/etc/xcalc.profile index 0ad423d30..a096f803c 100644 --- a/etc/xcalc.profile +++ b/etc/xcalc.profile
@@ -17,7 +17,6 @@ include whitelist-var-common.inc
17		17
18	caps.drop all	18	caps.drop all
19	net none	19	net none
20	netfilter
21	no3d	20	no3d
22	nodbus	21	nodbus
23	nodvd	22	nodvd