profiles: loupe: harden and disable apparmor (#6333)

The profile currently does not include disable-common nor makes `${HOME}` read-only, so the program can simply write to ~/.bashrc directly[1]. disable-common.inc was commented due to it apparently breaking bwrap. As discovered by @glitsj16, it seems that allowing the bwrap binary is enough to make it work (and that apparmor breaks loupe)[2]. So disable apparmor, allow bwrap and include disable-common.inc, plus other hardening by @glitsj16. This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) / PR #6327. [1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865 [2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-05-12 17:45:47 +0000
committer: GitHub <noreply@github.com> 2024-05-12 17:45:47 +0000
commit: 6c91074fc90e774e3b40ad231bb178bea6ec5ae6 (patch)
tree: 084dedffb99f27540a35d5356b399d987bde9d75
parent: landlock: fix misc alignment/newline (diff)
download: firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.tar.gz
firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.tar.zst
firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.zip
1 files changed, 10 insertions, 2 deletions
diff --git a/etc/profile-a-l/loupe.profile b/etc/profile-a-l/loupe.profile
index 5d39341f5..9406053fd 100644
--- a/etc/profile-a-l/loupe.profile
+++ b/etc/profile-a-l/loupe.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
-#include disable-common.inc
+noblacklist ${PATH}/bwrap
+include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
@@ -22,7 +24,7 @@ include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 machine-id
@@ -44,7 +46,13 @@ protocol unix,netlink
 seccomp.block-secondary
 tracelog
+private-bin bwrap,loupe
 private-cache
 private-dev
 private-etc @x11
 private-tmp
+dbus-user none
+dbus-system none
+#read-only ${HOME} # breaks "Move to trash" and "Set as background"
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-05-12 17:45:47 +0000
committer	GitHub <noreply@github.com>	2024-05-12 17:45:47 +0000
commit	6c91074fc90e774e3b40ad231bb178bea6ec5ae6 (patch)
tree	084dedffb99f27540a35d5356b399d987bde9d75
parent	landlock: fix misc alignment/newline (diff)
download	firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.tar.gz firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.tar.zst firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.zip

diff --git a/etc/profile-a-l/loupe.profile b/etc/profile-a-l/loupe.profile index 5d39341f5..9406053fd 100644 --- a/etc/profile-a-l/loupe.profile +++ b/etc/profile-a-l/loupe.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.local/share/Trash
10	noblacklist ${HOME}/.Steam	10	noblacklist ${HOME}/.Steam
11	noblacklist ${HOME}/.steam	11	noblacklist ${HOME}/.steam
12		12
13	#include disable-common.inc	13	noblacklist ${PATH}/bwrap
		14
		15	include disable-common.inc
14	include disable-devel.inc	16	include disable-devel.inc
15	include disable-exec.inc	17	include disable-exec.inc
16	include disable-interpreters.inc	18	include disable-interpreters.inc
@@ -22,7 +24,7 @@ include whitelist-runuser-common.inc
22	#include whitelist-usr-share-common.inc	24	#include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc	25	include whitelist-var-common.inc
24		26
25	apparmor	27	#apparmor
26	caps.drop all	28	caps.drop all
27	ipc-namespace	29	ipc-namespace
28	machine-id	30	machine-id
@@ -44,7 +46,13 @@ protocol unix,netlink
44	seccomp.block-secondary	46	seccomp.block-secondary
45	tracelog	47	tracelog
46		48
		49	private-bin bwrap,loupe
47	private-cache	50	private-cache
48	private-dev	51	private-dev
49	private-etc @x11	52	private-etc @x11
50	private-tmp	53	private-tmp
		54
		55	dbus-user none
		56	dbus-system none
		57
		58	#read-only ${HOME} # breaks "Move to trash" and "Set as background"