Merge branch 'master' of https://github.com/netblue30/firejail

author: smitsohu <smitsohu@gmail.com> 2018-03-05 14:08:32 +0100
committer: smitsohu <smitsohu@gmail.com> 2018-03-05 14:08:32 +0100
commit: b12589f30c1cb6b5b214ee12dcdb4dd847d7da41 (patch)
tree: b436b71e6ac6400e3eb64116e1209c1d05a17851
parent: blacklist smartgit password file - #1796 (diff)
parent: Add VS Code profile - see request in #1139 (diff)
download: firejail-b12589f30c1cb6b5b214ee12dcdb4dd847d7da41.tar.gz
firejail-b12589f30c1cb6b5b214ee12dcdb4dd847d7da41.tar.zst
firejail-b12589f30c1cb6b5b214ee12dcdb4dd847d7da41.zip
6 files changed, 43 insertions, 4 deletions
diff --git a/README.md b/README.md
index 2fe11be06..fe3a4f1f5 100644
--- a/README.md
+++ b/README.md
@@ -244,4 +244,4 @@ firefox-common-addons.inc in firefox-common.profile.
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
-tilp, vivaldi-snapshot, bitcoin-qt
+tilp, vivaldi-snapshot, bitcoin-qt, VS Code
diff --git a/RELNOTES b/RELNOTES
index 3868da924..b05d88e2d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -25,7 +25,7 @@ firejail (0.9.53) baseline; urgency=low
  * private-tmp support for overlay and chroot sandboxes
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
-  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
+  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, VS Code
 -- netblue30 <netblue30@yahoo.com>  Thu, 1 Mar 2018 08:00:00 -0500
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/brackets.profile b/etc/brackets.profile
index a5a06f9f3..22a8dffea 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -22,8 +22,8 @@ noroot
 nosound
 notv
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplic
 shell none
 private-dev
diff --git a/etc/code.profile b/etc/code.profile
new file mode 100644
index 000000000..af7d379ed
--- /dev/null
+++ b/etc/code.profile
@@ -0,0 +1,36 @@
+# Firejail profile for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/code.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.vscode
+noblacklist ${HOME}/.config/Code
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
+# Disabling noexec ${HOME} for now since it will
+# probably interfere with running some programmes
+# in VS Code
+# noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c6cf453e5..a78355031 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -40,6 +40,7 @@ blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
+blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
@@ -461,6 +462,7 @@ blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
+blacklist ${HOME}/.vscode
 blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 82da8e32b..8d5f2066f 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -72,6 +72,7 @@ clementine
 clipit
 cliqz
 cmus
+code
 conkeror
 conky
 corebird
author	smitsohu <smitsohu@gmail.com>	2018-03-05 14:08:32 +0100
committer	smitsohu <smitsohu@gmail.com>	2018-03-05 14:08:32 +0100
commit	b12589f30c1cb6b5b214ee12dcdb4dd847d7da41 (patch)
tree	b436b71e6ac6400e3eb64116e1209c1d05a17851
parent	blacklist smartgit password file - #1796 (diff)
parent	Add VS Code profile - see request in #1139 (diff)
download	firejail-b12589f30c1cb6b5b214ee12dcdb4dd847d7da41.tar.gz firejail-b12589f30c1cb6b5b214ee12dcdb4dd847d7da41.tar.zst firejail-b12589f30c1cb6b5b214ee12dcdb4dd847d7da41.zip

diff --git a/README.md b/README.md index 2fe11be06..fe3a4f1f5 100644 --- a/README.md +++ b/README.md
@@ -244,4 +244,4 @@ firefox-common-addons.inc in firefox-common.profile.
244		244
245	Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,	245	Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
246	pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,	246	pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
247	tilp, vivaldi-snapshot, bitcoin-qt	247	tilp, vivaldi-snapshot, bitcoin-qt, VS Code


diff --git a/RELNOTES b/RELNOTES index 3868da924..b05d88e2d 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -25,7 +25,7 @@ firejail (0.9.53) baseline; urgency=low
25	* private-tmp support for overlay and chroot sandboxes	25	* private-tmp support for overlay and chroot sandboxes
26	* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,	26	* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
27	* new profiles: discord-canary, pycharm-community, pycharm-professional,	27	* new profiles: discord-canary, pycharm-community, pycharm-professional,
28	* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,	28	* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, VS Code
29	-- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500	29	-- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500
30		30
31	firejail (0.9.52) baseline; urgency=low	31	firejail (0.9.52) baseline; urgency=low


diff --git a/etc/brackets.profile b/etc/brackets.profile index a5a06f9f3..22a8dffea 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile
@@ -22,8 +22,8 @@ noroot
22	nosound	22	nosound
23	notv	23	notv
24	novideo	24	novideo
25	protocol unix,inet,inet6	25	protocol unix,inet,inet6,netlink
26	seccomp	26	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplic
27	shell none	27	shell none
28		28
29	private-dev	29	private-dev


diff --git a/etc/code.profile b/etc/code.profile new file mode 100644 index 000000000..af7d379ed --- /dev/null +++ b/etc/code.profile
@@ -0,0 +1,36 @@
		1	# Firejail profile for Visual Studio Code
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/code.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.vscode
		9	noblacklist ${HOME}/.config/Code
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	net none
		17	netfilter
		18	nodvd
		19	nogroups
		20	nonewprivs
		21	noroot
		22	nosound
		23	notv
		24	novideo
		25	protocol unix,inet,inet6,netlink
		26	seccomp
		27	shell none
		28
		29	private-dev
		30	private-tmp
		31
		32	# Disabling noexec ${HOME} for now since it will
		33	# probably interfere with running some programmes
		34	# in VS Code
		35	# noexec ${HOME}
		36	noexec /tmp


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index c6cf453e5..a78355031 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -40,6 +40,7 @@ blacklist ${HOME}/.config/Atom
40	blacklist ${HOME}/.config/Audaciousrc	40	blacklist ${HOME}/.config/Audaciousrc
41	blacklist ${HOME}/.config/Brackets	41	blacklist ${HOME}/.config/Brackets
42	blacklist ${HOME}/.config/Clementine	42	blacklist ${HOME}/.config/Clementine
		43	blacklist ${HOME}/.config/Code
43	blacklist ${HOME}/.config/Cryptocat	44	blacklist ${HOME}/.config/Cryptocat
44	blacklist ${HOME}/.config/Franz	45	blacklist ${HOME}/.config/Franz
45	blacklist ${HOME}/.config/FreeCAD	46	blacklist ${HOME}/.config/FreeCAD
@@ -461,6 +462,7 @@ blacklist ${HOME}/.tuxguitar*
461	blacklist ${HOME}/.unknown-horizons	462	blacklist ${HOME}/.unknown-horizons
462	blacklist ${HOME}/.viking	463	blacklist ${HOME}/.viking
463	blacklist ${HOME}/.viking-maps	464	blacklist ${HOME}/.viking-maps
		465	blacklist ${HOME}/.vscode
464	blacklist ${HOME}/.vst	466	blacklist ${HOME}/.vst
465	blacklist ${HOME}/.w3m	467	blacklist ${HOME}/.w3m
466	blacklist ${HOME}/.warzone2100-3.*	468	blacklist ${HOME}/.warzone2100-3.*


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 82da8e32b..8d5f2066f 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -72,6 +72,7 @@ clementine
72	clipit	72	clipit
73	cliqz	73	cliqz
74	cmus	74	cmus
		75	code
75	conkeror	76	conkeror
76	conky	77	conky
77	corebird	78	corebird