authorLibravatar netblue30 <netblue30@protonmail.com>2021-07-28 19:06:15 +0000
committerLibravatar GitHub <noreply@github.com>2021-07-28 19:06:15 +0000
commitbc99ba2e1d1d834607cf20533c74dfb1ae029066 (patch)
tree8017a1031ad34f0ba953e5eaa95c71f5104cd7be
parentMerge pull request #4407 from 0x6a61/master (diff)
parentdrop trailing slashes from openrc items (diff)
Merge pull request #4420 from glitsj16/dci
ordering and additions
-rw-r--r--etc/inc/disable-common.inc100
1 files changed, 51 insertions, 49 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 6df0c4990..05349d52d 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -159,23 +159,23 @@ blacklist ${RUNUSER}/gsconnect
159# systemd 159# systemd
160blacklist ${HOME}/.config/systemd 160blacklist ${HOME}/.config/systemd
161blacklist ${HOME}/.local/share/systemd 161blacklist ${HOME}/.local/share/systemd
162blacklist /var/lib/systemd 162blacklist ${PATH}/systemctl
163blacklist ${PATH}/systemd-run 163blacklist ${PATH}/systemd-run
164blacklist ${RUNUSER}/systemd 164blacklist ${RUNUSER}/systemd
165blacklist ${PATH}/systemctl
166blacklist /etc/systemd/system
167blacklist /etc/systemd/network 165blacklist /etc/systemd/network
166blacklist /etc/systemd/system
167blacklist /var/lib/systemd
168# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf 168# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
169#blacklist /var/run/systemd 169#blacklist /var/run/systemd
170 170
171# openrc 171# openrc
172blacklist /etc/runlevels/ 172blacklist /etc/init.d
173blacklist /etc/init.d/
174blacklist /etc/rc.conf 173blacklist /etc/rc.conf
174blacklist /etc/runlevels
175 175
176# VirtualBox 176# VirtualBox
177blacklist ${HOME}/.VirtualBox
178blacklist ${HOME}/.config/VirtualBox 177blacklist ${HOME}/.config/VirtualBox
178blacklist ${HOME}/.VirtualBox
179blacklist ${HOME}/VirtualBox VMs 179blacklist ${HOME}/VirtualBox VMs
180 180
181# GNOME Boxes 181# GNOME Boxes
@@ -245,32 +245,34 @@ blacklist /var/spool/cron
245blacklist /var/spool/mail 245blacklist /var/spool/mail
246 246
247# etc 247# etc
248blacklist /etc/adduser.conf
248blacklist /etc/anacrontab 249blacklist /etc/anacrontab
250blacklist /etc/apparmor*
249blacklist /etc/cron* 251blacklist /etc/cron*
252blacklist /etc/default
253blacklist /etc/dkms
254blacklist /etc/grub*
255blacklist /etc/kernel*
256blacklist /etc/logrotate*
257blacklist /etc/modules*
250blacklist /etc/profile.d 258blacklist /etc/profile.d
251blacklist /etc/rc.local 259blacklist /etc/rc.local
252# rc1.d, rc2.d, ... 260# rc1.d, rc2.d, ...
253blacklist /etc/rc?.d 261blacklist /etc/rc?.d
254blacklist /etc/kernel* 262blacklist /etc/sysconfig
255blacklist /etc/grub*
256blacklist /etc/dkms
257blacklist /etc/apparmor*
258blacklist /etc/selinux
259blacklist /etc/modules*
260blacklist /etc/logrotate*
261blacklist /etc/adduser.conf
262 263
263# hide config for various intrusion detection systems 264# hide config for various intrusion detection systems
264blacklist /etc/rkhunter.conf
265blacklist /var/lib/rkhunter
266blacklist /etc/chkrootkit.conf
267blacklist /etc/lynis
268blacklist /etc/aide 265blacklist /etc/aide
266blacklist /etc/aide.conf
267blacklist /etc/chkrootkit.conf
268blacklist /etc/fail2ban.conf
269blacklist /etc/logcheck 269blacklist /etc/logcheck
270blacklist /etc/tripwire 270blacklist /etc/lynis
271blacklist /etc/rkhunter.*
271blacklist /etc/snort 272blacklist /etc/snort
272blacklist /etc/fail2ban.conf
273blacklist /etc/suricata 273blacklist /etc/suricata
274blacklist /etc/tripwire
275blacklist /var/lib/rkhunter
274 276
275# Startup files 277# Startup files
276read-only ${HOME}/.antigen 278read-only ${HOME}/.antigen
@@ -350,15 +352,15 @@ read-only ${HOME}/_vimrc
350read-only ${HOME}/dotfiles 352read-only ${HOME}/dotfiles
351 353
352# Make directories commonly found in $PATH read-only 354# Make directories commonly found in $PATH read-only
355read-only ${HOME}/.bin
356read-only ${HOME}/.cargo/bin
353read-only ${HOME}/.gem 357read-only ${HOME}/.gem
358read-only ${HOME}/.local/bin
354read-only ${HOME}/.luarocks 359read-only ${HOME}/.luarocks
355read-only ${HOME}/.npm-packages 360read-only ${HOME}/.npm-packages
356read-only ${HOME}/.nvm 361read-only ${HOME}/.nvm
357read-only ${HOME}/bin
358read-only ${HOME}/.bin
359read-only ${HOME}/.local/bin
360read-only ${HOME}/.cargo/bin
361read-only ${HOME}/.rustup 362read-only ${HOME}/.rustup
363read-only ${HOME}/bin
362 364
363# Write-protection for desktop entries 365# Write-protection for desktop entries
364read-only ${HOME}/.config/menus 366read-only ${HOME}/.config/menus
@@ -377,6 +379,22 @@ read-only ${HOME}/.local/share/thumbnailers
377blacklist /tmp/ssh-* 379blacklist /tmp/ssh-*
378 380
379# top secret 381# top secret
382blacklist /.fscrypt
383blacklist /etc/davfs2/secrets
384blacklist /etc/group+
385blacklist /etc/group-
386blacklist /etc/gshadow
387blacklist /etc/gshadow+
388blacklist /etc/gshadow-
389blacklist /etc/passwd+
390blacklist /etc/passwd-
391blacklist /etc/shadow
392blacklist /etc/shadow+
393blacklist /etc/shadow-
394blacklist /etc/ssh
395blacklist /etc/ssh/*
396blacklist /home/.ecryptfs
397blacklist /home/.fscrypt
380blacklist ${HOME}/*.kdb 398blacklist ${HOME}/*.kdb
381blacklist ${HOME}/*.kdbx 399blacklist ${HOME}/*.kdbx
382blacklist ${HOME}/*.key 400blacklist ${HOME}/*.key
@@ -385,6 +403,7 @@ blacklist ${HOME}/.caff
385blacklist ${HOME}/.cargo/credentials 403blacklist ${HOME}/.cargo/credentials
386blacklist ${HOME}/.cargo/credentials.toml 404blacklist ${HOME}/.cargo/credentials.toml
387blacklist ${HOME}/.cert 405blacklist ${HOME}/.cert
406blacklist ${HOME}/.config/hub
388blacklist ${HOME}/.config/keybase 407blacklist ${HOME}/.config/keybase
389blacklist ${HOME}/.davfs2/secrets 408blacklist ${HOME}/.davfs2/secrets
390blacklist ${HOME}/.ecryptfs 409blacklist ${HOME}/.ecryptfs
@@ -394,11 +413,11 @@ blacklist ${HOME}/.git-credential-cache
394blacklist ${HOME}/.git-credentials 413blacklist ${HOME}/.git-credentials
395blacklist ${HOME}/.gnome2/keyrings 414blacklist ${HOME}/.gnome2/keyrings
396blacklist ${HOME}/.gnupg 415blacklist ${HOME}/.gnupg
397blacklist ${HOME}/.config/hub
398blacklist ${HOME}/.kde/share/apps/kwallet 416blacklist ${HOME}/.kde/share/apps/kwallet
399blacklist ${HOME}/.kde4/share/apps/kwallet 417blacklist ${HOME}/.kde4/share/apps/kwallet
400blacklist ${HOME}/.local/share/keyrings 418blacklist ${HOME}/.local/share/keyrings
401blacklist ${HOME}/.local/share/kwalletd 419blacklist ${HOME}/.local/share/kwalletd
420blacklist ${HOME}/.local/share/pki
402blacklist ${HOME}/.local/share/plasma-vault 421blacklist ${HOME}/.local/share/plasma-vault
403blacklist ${HOME}/.msmtprc 422blacklist ${HOME}/.msmtprc
404blacklist ${HOME}/.mutt 423blacklist ${HOME}/.mutt
@@ -406,26 +425,9 @@ blacklist ${HOME}/.muttrc
406blacklist ${HOME}/.netrc 425blacklist ${HOME}/.netrc
407blacklist ${HOME}/.nyx 426blacklist ${HOME}/.nyx
408blacklist ${HOME}/.pki 427blacklist ${HOME}/.pki
409blacklist ${HOME}/.local/share/pki
410blacklist ${HOME}/.smbcredentials 428blacklist ${HOME}/.smbcredentials
411blacklist ${HOME}/.ssh 429blacklist ${HOME}/.ssh
412blacklist ${HOME}/.vaults 430blacklist ${HOME}/.vaults
413blacklist /.fscrypt
414blacklist /etc/davfs2/secrets
415blacklist /etc/group+
416blacklist /etc/group-
417blacklist /etc/gshadow
418blacklist /etc/gshadow+
419blacklist /etc/gshadow-
420blacklist /etc/passwd+
421blacklist /etc/passwd-
422blacklist /etc/shadow
423blacklist /etc/shadow+
424blacklist /etc/shadow-
425blacklist /etc/ssh
426blacklist /etc/ssh/*
427blacklist /home/.ecryptfs
428blacklist /home/.fscrypt
429blacklist /var/backup 431blacklist /var/backup
430 432
431# cloud provider configuration 433# cloud provider configuration
@@ -488,10 +490,12 @@ blacklist /tmp/.lxterminal-socket*
488blacklist /tmp/tmux-* 490blacklist /tmp/tmux-*
489 491
490# disable terminals running as server resulting in sandbox escape 492# disable terminals running as server resulting in sandbox escape
491blacklist ${PATH}/lxterminal
492blacklist ${PATH}/gnome-terminal 493blacklist ${PATH}/gnome-terminal
493blacklist ${PATH}/gnome-terminal.wrapper 494blacklist ${PATH}/gnome-terminal.wrapper
495# blacklist ${PATH}/konsole
496# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
494blacklist ${PATH}/lilyterm 497blacklist ${PATH}/lilyterm
498blacklist ${PATH}/lxterminal
495blacklist ${PATH}/mate-terminal 499blacklist ${PATH}/mate-terminal
496blacklist ${PATH}/mate-terminal.wrapper 500blacklist ${PATH}/mate-terminal.wrapper
497blacklist ${PATH}/pantheon-terminal 501blacklist ${PATH}/pantheon-terminal
@@ -503,8 +507,6 @@ blacklist ${PATH}/urxvtc
503blacklist ${PATH}/urxvtcd 507blacklist ${PATH}/urxvtcd
504blacklist ${PATH}/xfce4-terminal 508blacklist ${PATH}/xfce4-terminal
505blacklist ${PATH}/xfce4-terminal.wrapper 509blacklist ${PATH}/xfce4-terminal.wrapper
506# blacklist ${PATH}/konsole
507# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
508 510
509# kernel files 511# kernel files
510blacklist /initrd* 512blacklist /initrd*
@@ -520,17 +522,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports
520read-only ${HOME}/.local/share/flatpak/exports 522read-only ${HOME}/.local/share/flatpak/exports
521blacklist ${HOME}/.local/share/flatpak/* 523blacklist ${HOME}/.local/share/flatpak/*
522blacklist ${HOME}/.var 524blacklist ${HOME}/.var
523blacklist ${RUNUSER}/app 525# most of the time bwrap is SUID binary
524blacklist ${RUNUSER}/doc 526blacklist ${PATH}/bwrap
525blacklist ${RUNUSER}/.dbus-proxy 527blacklist ${RUNUSER}/.dbus-proxy
526blacklist ${RUNUSER}/.flatpak 528blacklist ${RUNUSER}/.flatpak
527blacklist ${RUNUSER}/.flatpak-cache 529blacklist ${RUNUSER}/.flatpak-cache
528blacklist ${RUNUSER}/.flatpak-helper 530blacklist ${RUNUSER}/.flatpak-helper
531blacklist ${RUNUSER}/app
532blacklist ${RUNUSER}/doc
529blacklist /usr/share/flatpak 533blacklist /usr/share/flatpak
530noblacklist /var/lib/flatpak/exports 534noblacklist /var/lib/flatpak/exports
531blacklist /var/lib/flatpak/* 535blacklist /var/lib/flatpak/*
532# most of the time bwrap is SUID binary
533blacklist ${PATH}/bwrap
534 536
535# snap 537# snap
536blacklist ${RUNUSER}/snapd-session-agent.socket 538blacklist ${RUNUSER}/snapd-session-agent.socket
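Review bot: In the `# etc` hunk (old lines 248-261 / new lines 248-262) the entry `blacklist /etc/selinux` at old line 258 has no counterpart on the new side, so it is silently dropped even though the commit message describes the change as "ordering and additions". If the removal is intentional (for example because programs linked against libselinux need to read `/etc/selinux/config`), it should be stated in the commit message or as a comment in the file; otherwise the line should be restored in its sorted position, `blacklist /etc/selinux` between `blacklist /etc/rc?.d` and `blacklist /etc/sysconfig`. The new entries `blacklist /etc/default` and `blacklist /etc/sysconfig` cover whole directories that, on some distributions, hold settings read by ordinary desktop programs rather than only by init scripts, so it is worth confirming against a Debian-style and a Red Hat-style system that the sandboxed applications still start cleanly; this is an inference from the path names, not something the hunk shows. The replacement of `blacklist /etc/rkhunter.conf` with the glob `blacklist /etc/rkhunter.*` broadens coverage and looks correct.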