author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-09 21:41:43 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:38 -0300 |
commit | 83ac0239722f85ffed15e3b6b6088bfff547ac1b (patch) | |
tree | bab7befdd0200dac19366bdb3fcf290487e1c761 | |
parent | git-cola.profile: add missing python template comment (diff) | |
etc: add allow-ssh.inc
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
-rw-r--r-- | etc/inc/allow-ssh.inc | 5 | ||||
-rw-r--r-- | etc/profile-a-l/android-studio.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/aosp.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/clion.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/filezilla.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/git-cola.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/git.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/gitg.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/idea.sh.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/meld.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/remmina.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/seahorse.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/ssh-agent.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/ssh.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/webstorm.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/x2goclient.profile | 4 | ||||
-rw-r--r-- | etc/templates/profile.template | 3 |
17 files changed, 53 insertions, 15 deletions
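--- /dev/null
+++ b/etc/inc/allow-ssh.inc
@@ -0,0 +1,5 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ssh.local
+
+noblacklist ${HOME}/.ssh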
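Review bot: The new include has no comment saying what it opens up. Its single rule, `noblacklist ${HOME}/.ssh`, lifts the disable-common.inc blacklist for the whole directory, so every profile that includes this file gives the sandboxed program access to whatever is stored there, which typically includes private keys. I would add a line above the rule such as `# Exposes all of ${HOME}/.ssh to the sandbox; include only in profiles for programs that need SSH.`, and the commented-out entry in profile.template would benefit from the same hint. The file name also reads broader than its content, since `noblacklist /etc/ssh` and `noblacklist /tmp/ssh-*` remain separate lines in ssh.profile and ssh-agent.profile; a short comment saying this is deliberate would help profile authors.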
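--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc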
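--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -11,12 +11,14 @@ noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc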
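--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -11,9 +11,11 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc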
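--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,12 +8,14 @@ include globals.local
 
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
-noblacklist ${HOME}/.ssh
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc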
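--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -11,7 +11,6 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
@@ -22,6 +21,9 @@ noblacklist ${HOME}/.config/git-cola
 include allow-python2.inc
 include allow-python3.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc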
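--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -15,10 +15,12 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 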
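--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.local/share/gitg
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 include disable-common.inc
 include disable-devel.inc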
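--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc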
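--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -18,7 +18,6 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.local/share/meld
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -27,6 +26,9 @@ include allow-python3.inc
 # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
 #include allow-python2.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc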
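Review bot: In this profile the added comment `# Allow ssh (blacklisted by disable-common.inc)` is misleading as written, because `#include disable-common.inc` further down in the same hunk is commented out by default. Judging from the visible lines, the `include allow-ssh.inc` line has nothing to lift until a user enables disable-common.inc. The removed `noblacklist ${HOME}/.ssh` line was in the same position, so behaviour is unchanged. I would reword the comment for this file along the lines of `# Allow ssh (only relevant once disable-common.inc below is enabled)`, so a reader does not assume the blacklist is active here.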
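--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -9,7 +9,9 @@ include globals.local
 noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 include disable-common.inc
 include disable-devel.inc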
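--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -9,9 +9,11 @@ include globals.local
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.ssh
 noblacklist /tmp/ssh-*
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc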
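--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -8,7 +8,9 @@ include globals.local
 
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*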
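--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -9,11 +9,13 @@ include globals.local
 
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc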
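--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -8,12 +8,14 @@ include globals.local
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
 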
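--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,10 +6,12 @@ include x2goclient.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.x2go
 noblacklist ${HOME}/.x2goclient
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc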
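--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -103,6 +103,9 @@ include globals.local
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc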