author | glitsj16 <glitsj16@users.noreply.github.com> | 2023-08-11 03:54:39 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-11 03:54:39 +0000 |
commit | a3a41b8fff7763862b07db00b0357f20774687f5 (patch) | |
tree | 9a6bebb77b42aeea30539077032f856a595681f2 | |
parent | 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed (#5944) (diff) | |
profiles: improvements to profiles using private (#5946)
Changes:
* comment out `include whitelist-common.inc` when using `private`
* drop `private` on profiles that access files in `${HOME}`
* use `#` in comments
Relates to #903.
-rw-r--r-- | etc/profile-a-l/daisy.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/dbus-send.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/drill.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/gapplication.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-calendar.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/gnubik.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/gravity-beams-and-evaporating-stars.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/ipcalc.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/Xephyr.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/Xvfb.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/mirrormagic.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/notify-send.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/ping.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/reader.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/seahorse-adventures.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/wordwarvi.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/xbill.profile | 2 |
17 files changed, 16 insertions, 20 deletions
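--- a/etc/profile-a-l/daisy.profile
+++ b/etc/profile-a-l/daisy.profile
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
 
 include whitelist-common.inc
@@ -47,7 +47,6 @@ tracelog
 x11 none
 
 disable-mnt
-private
 private-bin daisy
 private-cache
 private-dev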
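Review bot: Dropping `private` in the second hunk leaves no record in the profile of why daisy needs the real ${HOME}; the commit message carries the reason, the file does not, and the same applies to the `private` removals in mirrormagic.profile and wordwarvi.profile. A self-describing line in the repository's disabled-option style, e.g. `#private # daisy accesses files in ${HOME} (see #5946)`, with the wording matched to the actual path (not visible in the hunk), keeps the rationale next to the option. Since daisy still carries `include whitelist-common.inc` (first hunk, line 21), ${HOME} exposure after this change is governed by the profile's whitelist entries; for mirrormagic and wordwarvi whether any ${HOME} whitelist remains is outside their hunks, and without one removing `private` exposes the whole home directory rather than a whitelisted subset, so that is worth confirming before merging.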
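--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -19,7 +19,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,8 +28,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# Breaks abstract sockets
-#net none
+#net none # breaks abstract sockets
 netfilter
 no3d
 nodvd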
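Review bot: Commenting out `include whitelist-common.inc` (first hunk, line 22) is only safe while the profile also keeps `private`, which this hunk does not show; the same edit is made in drill, gapplication, gnome-calendar, gnubik, gravity-beams-and-evaporating-stars, ipcalc, Xephyr, Xvfb, notify-send, ping, reader, seahorse-adventures and xbill. In a profile without `private`, that include supplies the ${HOME} whitelist entries that confine the home directory to a whitelisted subset, so if any of these files drops `private` later the commented include silently widens access to the full home. The `# see #903` marker points to the reason but does not state it; a self-contained comment such as `#include whitelist-common.inc # private replaces ${HOME}, see #903` lets the next editor see the dependency between the two lines without leaving the file.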
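--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 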
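--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc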
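--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/libgweather
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc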
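--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gnubik
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc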
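--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gravity-beams-and-evaporating-stars
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 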
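--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-# include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc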
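--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -16,7 +16,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.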
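--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -19,7 +19,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.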
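--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -39,7 +39,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin mirrormagic
 private-cache
 private-dev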
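--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc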
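--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-X11.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc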
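--- a/etc/profile-m-z/reader.profile
+++ b/etc/profile-m-z/reader.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc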
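--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -23,7 +23,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
 whitelist /usr/share/games/seahorse-adventures
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 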
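--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -40,7 +40,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin wordwarvi
 private-cache
 private-dev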
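--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -16,7 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/xbill
 whitelist /var/games/xbill/scores
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 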