authorLibravatar smitsohu <smitsohu@gmail.com>2019-06-18 18:52:18 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2019-06-18 18:52:18 +0200
commitb59225f5d987d0467c659b0b5c0630009d519e98 (patch)
tree35f672dda1ceb649c0689c9c069a021156d8c4c9
parentfix logical OR in disable_file (diff)
downloadfirejail-b59225f5d987d0467c659b0b5c0630009d519e98.tar.gz
firejail-b59225f5d987d0467c659b0b5c0630009d519e98.tar.zst
firejail-b59225f5d987d0467c659b0b5c0630009d519e98.zip
use 'x11 none' option
... instead of just blacklisting the X11 socket. Systematically added to all profiles with 'net none' and 'blacklist /tmp/.X11-unix', and a few more
-rw-r--r--etc/7z.profile3
-rw-r--r--etc/atool.profile3
-rw-r--r--etc/cpio.profile3
-rw-r--r--etc/exiftool.profile3
-rw-r--r--etc/gzip.profile3
-rw-r--r--etc/highlight.profile3
-rw-r--r--etc/less.profile3
-rw-r--r--etc/mediainfo.profile3
-rw-r--r--etc/odt2txt.profile3
-rw-r--r--etc/patch.profile1
-rw-r--r--etc/pdftotext.profile3
-rw-r--r--etc/shellcheck.profile1
-rw-r--r--etc/strings.profile3
-rw-r--r--etc/tar.profile3
-rw-r--r--etc/unrar.profile3
-rw-r--r--etc/unzip.profile3
-rw-r--r--etc/uudeview.profile1
-rw-r--r--etc/xzdec.profile3
18 files changed, 18 insertions, 30 deletions
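diff --git a/etc/7z.profile b/etc/7z.profile
index ee2b493f8..15e99e936 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -6,8 +6,6 @@ include 7z.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -33,5 +31,6 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-dev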
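Review bot: The new `x11 none` at line 34 of 7z.profile is not self-describing the way the removed `blacklist /tmp/.X11-unix` was, and nothing in the profile records that the two are meant to be equivalent or stronger, so a later maintainer may well reinstate the blacklist line on top of it. If I recall the option correctly, `x11 none` also blacklists the Xauthority file and clears DISPLAY/XAUTHORITY, which is what makes it the stronger replacement the description alludes to; a one-line comment above the new line, e.g. `# x11 none supersedes the former blacklist /tmp/.X11-unix`, would preserve that intent — confirm the option's exact scope against the man page before stating more in it. The same substitution appears in atool, cpio, exiftool, gzip, highlight, less, mediainfo, odt2txt, pdftotext, strings, tar, unrar, unzip and xzdec; patch, shellcheck and uudeview only gain the line. The `net none` the description pairs this with lies outside every hunk shown here, so I could not confirm it is present in each profile.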
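diff --git a/etc/atool.profile b/etc/atool.profile
index 7bcfdb935..c9d950259 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -10,8 +10,6 @@ include globals.local
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
@@ -40,6 +38,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 # private-bin atool,perl
 private-cache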
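diff --git a/etc/cpio.profile b/etc/cpio.profile
index 0bb45f5cd..17a765700 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -10,8 +10,6 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
@@ -36,6 +34,7 @@ novideo
 seccomp
 shell none
 tracelog
+x11 none
 
 private-cache
 private-dev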
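diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 52e090b89..e76a4ca4c 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -9,8 +9,6 @@ include globals.local
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -37,6 +35,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
 # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.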
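diff --git a/etc/gzip.profile b/etc/gzip.profile
index 810684eae..38f6ee65e 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -7,8 +7,6 @@ include gzip.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-cache
 private-dev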
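diff --git a/etc/highlight.profile b/etc/highlight.profile
index cae8e29d7..249d5cd17 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -6,8 +6,6 @@ include highlight.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -30,6 +28,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-bin highlight
 private-cache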
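diff --git a/etc/less.profile b/etc/less.profile
index 720950432..e6366ad28 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -9,8 +9,6 @@ include globals.local
 
 noblacklist ${HOME}/.lesshst
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.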
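diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index d2681f32d..02d4a937c 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -6,8 +6,6 @@ include mediainfo.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,6 +32,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-bin mediainfo
 private-cache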
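diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 3e1739bf9..719753c87 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -8,8 +8,6 @@ include globals.local
 
 noblacklist ${DOCUMENTS}
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -33,6 +31,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-bin odt2txt
 private-cache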
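diff --git a/etc/patch.profile b/etc/patch.profile
index 9515bffdf..60cc1adbe 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -34,6 +34,7 @@ novideo
 protocol unix
 seccomp
 shell none
+x11 none
 
 private-bin patch,red
 private-dev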
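diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 87d7a87f1..c5016201d 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -7,8 +7,6 @@ include globals.local
 
 noblacklist ${DOCUMENTS}
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -37,6 +35,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-bin pdftotext
 private-dev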
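diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index b8974e416..da5b4258b 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -35,6 +35,7 @@ novideo
 protocol unix
 seccomp
 shell none
+x11 none
 
 private-dev
 private-tmp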
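diff --git a/etc/strings.profile b/etc/strings.profile
index ace0d9351..621e8e177 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -6,8 +6,6 @@ include strings.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,6 +32,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 #private
 private-bin strings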
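diff --git a/etc/tar.profile b/etc/tar.profile
index 7e1fa8b92..1232bb372 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -7,8 +7,6 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 # support compressed archives
 private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz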
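diff --git a/etc/unrar.profile b/etc/unrar.profile
index a2e101a58..428173e7d 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -7,8 +7,6 @@ include unrar.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -35,6 +33,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-bin unrar
 private-dev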
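diff --git a/etc/unzip.profile b/etc/unzip.profile
index 875fa6f98..94aee724d 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -10,8 +10,6 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -38,6 +36,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-bin unzip
 private-cache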
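diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 53fad0ba5..af6cd620f 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -32,6 +32,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-bin uudeview
 private-cache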
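diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 3adaa557c..93c288d6e 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -7,8 +7,6 @@ include xzdec.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,5 +32,6 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 private-dev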