merges, disable sort.py in profile checks temporarely, two more private-etc profiles

author: netblue30 <netblue30@protonmail.com> 2023-02-14 09:17:00 -0500
committer: netblue30 <netblue30@protonmail.com> 2023-02-14 09:17:00 -0500
commit: df6ea884f1d6d971f160cad98ede4047478e8f4e (patch)
tree: 24dbf91cebf0c8637e964171550271395580aacb
parent: Merge pull request #5653 from slowpeek/master (diff)
download: firejail-df6ea884f.tar.gz
firejail-df6ea884f.tar.zst
firejail-df6ea884f.zip
5 files changed, 9 insertions, 3 deletions
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 66bba61f5..ad4f86b53 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -34,8 +34,8 @@ jobs:
          github.com:443
    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-    - name: sort.py
+#   - name: sort.py
-      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+#      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 # Currently broken (see #5610)
 #    - name: private-etc-always-required.sh
 #      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
diff --git a/README b/README
index 13331d2f4..2d0ddb513 100644
--- a/README
+++ b/README
@@ -774,6 +774,8 @@ Neo00001 (https://github.com/Neo00001)
        - update telegram profile
        - add spectacle profile
        - add kdiff3 profile
+netcarver (https://github.com/netcarver)
+        - prevent access to LUKS keyfile
 NetSysFire (https://github.com/NetSysFire)
        - update weechat profile
        - update megaglest profile
@@ -996,6 +998,7 @@ slowpeek (https://github.com/slowpeek)
        - allow access to avahi-daemon in apparmor/firejail-default
        - make appimage examples consistent with --appimage option short description
        - blacklist google-drive-ocamlfuse config
+        - blacklist sendgmail config
 smitsohu (https://github.com/smitsohu)
        - read-only kde4 services directory
        - enhanced mediathekview profile
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 1edbb7ca0..882709808 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -37,6 +37,7 @@ tracelog
 private-bin dosbox
 private-dev
+private-etc @games
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 7d27f12c9..5b9892af3 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -49,6 +49,7 @@ private-bin etr
 private-cache
 private-dev
 # private-etc alternatives,drirc,machine-id,openal,passwd
+private-etc @games,@x11
 private-tmp
 dbus-user none
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index d1182a33d..dca767934 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -75,7 +75,8 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
        "ca-certificates",
        "crypto-policies",
-        "gcrypt", // GNU crypto library (GPG)
+        "gcrypt", // GNU crypto library - contains hardware config for various encryption schemes
+                // and random number generators. The file is not installed by Debian.
        "pki",
        "ssl",
        NULL
author	netblue30 <netblue30@protonmail.com>	2023-02-14 09:17:00 -0500
committer	netblue30 <netblue30@protonmail.com>	2023-02-14 09:17:00 -0500
commit	df6ea884f1d6d971f160cad98ede4047478e8f4e (patch)
tree	24dbf91cebf0c8637e964171550271395580aacb
parent	Merge pull request #5653 from slowpeek/master (diff)
download	firejail-df6ea884f.tar.gz firejail-df6ea884f.tar.zst firejail-df6ea884f.zip