fixes

author: netblue30 <netblue30@yahoo.com> 2016-10-25 12:26:17 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-10-25 12:26:17 -0400
commit: b588020b4540480fdd3aaa11da8bd472b2dfdb60 (patch)
tree: f756c69ad1ca949e32037071640b9ae9e15c2538
parent: Merge pull request #871 from Fred-Barclay/alphabetise (diff)
download: firejail-b588020b4540480fdd3aaa11da8bd472b2dfdb60.tar.gz
firejail-b588020b4540480fdd3aaa11da8bd472b2dfdb60.tar.zst
firejail-b588020b4540480fdd3aaa11da8bd472b2dfdb60.zip
2 files changed, 24 insertions, 5 deletions
diff --git a/README b/README
index f4fd52666..6ed82907f 100644
--- a/README
+++ b/README
@@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich)
        - added --join-or-start command
        - CVE-2016-7545
 Fred-Barclay (https://github.com/Fred-Barclay)
+        - lots of profile fixes
        - added Vivaldi, Atril profiles
        - added PaleMoon profile
        - split Icedove and Thunderbird profiles
@@ -83,6 +84,7 @@ valoq (https://github.com/valoq)
        - cherrytree profile fixes
        - added support for /srv in --whitelist feature
        - Eye of GNOME and Evolution profiles
+        - blacklist suid binaries in disable-common.inc
 Rafael Cavalcanti (https://github.com/rccavalcanti)
        - chromium profile fixes for Arch Linux
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 29de8cca9..3c0b2160c 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -137,6 +137,11 @@ blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
+# system directories    
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
 # system management
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
@@ -149,11 +154,23 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
+blacklist ${PATH}/gpasswd
-# system directories    
+blacklist ${PATH}/newgidmap
-blacklist /sbin
+blacklist ${PATH}/newgrp
-blacklist /usr/sbin
+blacklist ${PATH}/newuidmap
-blacklist /usr/local/sbin
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/ping
+blacklist ${PATH}/unix_chkpwd
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
author	netblue30 <netblue30@yahoo.com>	2016-10-25 12:26:17 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-10-25 12:26:17 -0400
commit	b588020b4540480fdd3aaa11da8bd472b2dfdb60 (patch)
tree	f756c69ad1ca949e32037071640b9ae9e15c2538
parent	Merge pull request #871 from Fred-Barclay/alphabetise (diff)
download	firejail-b588020b4540480fdd3aaa11da8bd472b2dfdb60.tar.gz firejail-b588020b4540480fdd3aaa11da8bd472b2dfdb60.tar.zst firejail-b588020b4540480fdd3aaa11da8bd472b2dfdb60.zip

diff --git a/README b/README index f4fd52666..6ed82907f 100644 --- a/README +++ b/README
@@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich)
47	- added --join-or-start command	47	- added --join-or-start command
48	- CVE-2016-7545	48	- CVE-2016-7545
49	Fred-Barclay (https://github.com/Fred-Barclay)	49	Fred-Barclay (https://github.com/Fred-Barclay)
		50	- lots of profile fixes
50	- added Vivaldi, Atril profiles	51	- added Vivaldi, Atril profiles
51	- added PaleMoon profile	52	- added PaleMoon profile
52	- split Icedove and Thunderbird profiles	53	- split Icedove and Thunderbird profiles
@@ -83,6 +84,7 @@ valoq (https://github.com/valoq)
83	- cherrytree profile fixes	84	- cherrytree profile fixes
84	- added support for /srv in --whitelist feature	85	- added support for /srv in --whitelist feature
85	- Eye of GNOME and Evolution profiles	86	- Eye of GNOME and Evolution profiles
		87	- blacklist suid binaries in disable-common.inc
86	Rafael Cavalcanti (https://github.com/rccavalcanti)	88	Rafael Cavalcanti (https://github.com/rccavalcanti)
87	- chromium profile fixes for Arch Linux	89	- chromium profile fixes for Arch Linux
88	Deelvesh Bunjun (https://github.com/DeelveshBunjun)	90	Deelvesh Bunjun (https://github.com/DeelveshBunjun)


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 29de8cca9..3c0b2160c 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -137,6 +137,11 @@ blacklist /etc/gshadow+
137	blacklist /etc/ssh	137	blacklist /etc/ssh
138	blacklist /var/backup	138	blacklist /var/backup
139		139
		140	# system directories
		141	blacklist /sbin
		142	blacklist /usr/sbin
		143	blacklist /usr/local/sbin
		144
140	# system management	145	# system management
141	blacklist ${PATH}/umount	146	blacklist ${PATH}/umount
142	blacklist ${PATH}/mount	147	blacklist ${PATH}/mount
@@ -149,11 +154,23 @@ blacklist ${PATH}/xev
149	blacklist ${PATH}/strace	154	blacklist ${PATH}/strace
150	blacklist ${PATH}/nc	155	blacklist ${PATH}/nc
151	blacklist ${PATH}/ncat	156	blacklist ${PATH}/ncat
152		157	blacklist ${PATH}/gpasswd
153	# system directories	158	blacklist ${PATH}/newgidmap
154	blacklist /sbin	159	blacklist ${PATH}/newgrp
155	blacklist /usr/sbin	160	blacklist ${PATH}/newuidmap
156	blacklist /usr/local/sbin	161	blacklist ${PATH}/pkexec
		162	blacklist ${PATH}/sg
		163	blacklist ${PATH}/rsh
		164	blacklist ${PATH}/rlogin
		165	blacklist ${PATH}/rcp
		166	blacklist ${PATH}/crontab
		167	blacklist ${PATH}/ksu
		168	blacklist ${PATH}/chsh
		169	blacklist ${PATH}/chfn
		170	blacklist ${PATH}/chage
		171	blacklist ${PATH}/expiry
		172	blacklist ${PATH}/ping
		173	blacklist ${PATH}/unix_chkpwd
157		174
158	# prevent lxterminal connecting to an existing lxterminal session	175	# prevent lxterminal connecting to an existing lxterminal session
159	blacklist /tmp/.lxterminal-socket*	176	blacklist /tmp/.lxterminal-socket*