whitelisting /var

author: netblue30 <netblue30@yahoo.com> 2017-09-17 11:27:51 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-17 11:27:51 -0400
commit: efcda9cb5f9da6f8bed95313b7f7a93b26b390ce (patch)
tree: 7b1853c836759005f4ce73b21c06af0c3ba538ff
parent: README.md description (diff)
download: firejail-efcda9cb5f9da6f8bed95313b7f7a93b26b390ce.tar.gz
firejail-efcda9cb5f9da6f8bed95313b7f7a93b26b390ce.tar.zst
firejail-efcda9cb5f9da6f8bed95313b7f7a93b26b390ce.zip
15 files changed, 34 insertions, 0 deletions
diff --git a/README.md b/README.md
index 1831b6695..ba8ae77ac 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,11 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.51
+## Whitelisting /var
+Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
+send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
 ## Profile build  tool
 `````
 $ firejail --build appname
diff --git a/RELNOTES b/RELNOTES
index 85c554b32..d4302c134 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.51) baseline; urgency=low
  * work in progress!
  * feature: --writable-run-user
+  * feature: profile build tool (--build)
 -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
 firejail (0.9.50~rc1) baseline; urgency=low
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 9be99e68a..0c7058a11 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.keep sys_chroot,sys_admin
 netfilter
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1bd45ebd1..f65b020a9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 37f147f0f..dbc22a889 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/galculator
 whitelist ~/.config/galculator
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
diff --git a/etc/gimp.profile b/etc/gimp.profile
index aa77d6105..292c2aac9 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 nodvd
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 1d24f5d7d..3266d8230 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index e7557651b..c9addba21 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 36365fc2f..60205ffda 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 0592751ef..eb8a88a4b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 0bb721c64..6a8d6c679 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist  ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 08964bbab..4db8e19ce 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist  ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/vlc.profile b/etc/vlc.profile
index bccde7a3d..c3a4d58d0 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 # nogroups
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc
new file mode 100644
index 000000000..67c2a14c2
--- /dev/null
+++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+# common /var whitelist for all profiles
+whitelist /var/lib/dbus/machine-id
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index d0e236e61..af6547f7f 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
 /etc/firejail/zoom.profile
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
+/etc/firejail/whitelist-var-common.inc
author	netblue30 <netblue30@yahoo.com>	2017-09-17 11:27:51 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-17 11:27:51 -0400
commit	efcda9cb5f9da6f8bed95313b7f7a93b26b390ce (patch)
tree	7b1853c836759005f4ce73b21c06af0c3ba538ff
parent	README.md description (diff)
download	firejail-efcda9cb5f9da6f8bed95313b7f7a93b26b390ce.tar.gz firejail-efcda9cb5f9da6f8bed95313b7f7a93b26b390ce.tar.zst firejail-efcda9cb5f9da6f8bed95313b7f7a93b26b390ce.zip

diff --git a/README.md b/README.md index 1831b6695..ba8ae77ac 100644 --- a/README.md +++ b/README.md
@@ -98,6 +98,11 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
98	`````	98	`````
99	# Current development version: 0.9.51	99	# Current development version: 0.9.51
100		100
		101	## Whitelisting /var
		102
		103	Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
		104	send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
		105
101	## Profile build tool	106	## Profile build tool
102	`````	107	`````
103	$ firejail --build appname	108	$ firejail --build appname


diff --git a/RELNOTES b/RELNOTES index 85c554b32..d4302c134 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,6 +1,7 @@
1	firejail (0.9.51) baseline; urgency=low	1	firejail (0.9.51) baseline; urgency=low
2	* work in progress!	2	* work in progress!
3	* feature: --writable-run-user	3	* feature: --writable-run-user
		4	* feature: profile build tool (--build)
4	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500	5	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500
5		6
6	firejail (0.9.50~rc1) baseline; urgency=low	7	firejail (0.9.50~rc1) baseline; urgency=low


diff --git a/etc/chromium.profile b/etc/chromium.profile index 9be99e68a..0c7058a11 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
23	whitelist ~/.config/chromium-flags.conf	23	whitelist ~/.config/chromium-flags.conf
24	whitelist ~/.pki	24	whitelist ~/.pki
25	include /etc/firejail/whitelist-common.inc	25	include /etc/firejail/whitelist-common.inc
		26	include /etc/firejail/whitelist-var-common.inc
26		27
27	caps.keep sys_chroot,sys_admin	28	caps.keep sys_chroot,sys_admin
28	netfilter	29	netfilter


diff --git a/etc/firefox.profile b/etc/firefox.profile index 1bd45ebd1..f65b020a9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
59	whitelist ~/.zotero	59	whitelist ~/.zotero
60	whitelist ~/dwhelper	60	whitelist ~/dwhelper
61	include /etc/firejail/whitelist-common.inc	61	include /etc/firejail/whitelist-common.inc
		62	include /etc/firejail/whitelist-var-common.inc
62		63
63	caps.drop all	64	caps.drop all
64	netfilter	65	netfilter


diff --git a/etc/galculator.profile b/etc/galculator.profile index 37f147f0f..dbc22a889 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
15	mkdir ~/.config/galculator	15	mkdir ~/.config/galculator
16	whitelist ~/.config/galculator	16	whitelist ~/.config/galculator
17	include /etc/firejail/whitelist-common.inc	17	include /etc/firejail/whitelist-common.inc
		18	include /etc/firejail/whitelist-var-common.inc
18		19
19	caps.drop all	20	caps.drop all
20	net none	21	net none


diff --git a/etc/gimp.profile b/etc/gimp.profile index aa77d6105..292c2aac9 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
		14	include /etc/firejail/whitelist-var-common.inc
		15
14	caps.drop all	16	caps.drop all
15	net none	17	net none
16	nodvd	18	nodvd


diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 1d24f5d7d..3266d8230 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	nodvd	19	nodvd


diff --git a/etc/leafpad.profile b/etc/leafpad.profile index e7557651b..c9addba21 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	no3d	19	no3d


diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 36365fc2f..60205ffda 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	nodvd	19	nodvd


diff --git a/etc/mpv.profile b/etc/mpv.profile index 0592751ef..eb8a88a4b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
16	caps.drop all	18	caps.drop all
17	netfilter	19	netfilter
18	nogroups	20	nogroups


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0bb721c64..6a8d6c679 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
19	whitelist ~/.cache/transmission	19	whitelist ~/.cache/transmission
20	whitelist ~/.config/transmission	20	whitelist ~/.config/transmission
21	include /etc/firejail/whitelist-common.inc	21	include /etc/firejail/whitelist-common.inc
		22	include /etc/firejail/whitelist-var-common.inc
22		23
23	caps.drop all	24	caps.drop all
24	netfilter	25	netfilter


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 08964bbab..4db8e19ce 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
19	whitelist ~/.cache/transmission	19	whitelist ~/.cache/transmission
20	whitelist ~/.config/transmission	20	whitelist ~/.config/transmission
21	include /etc/firejail/whitelist-common.inc	21	include /etc/firejail/whitelist-common.inc
		22	include /etc/firejail/whitelist-var-common.inc
22		23
23	caps.drop all	24	caps.drop all
24	netfilter	25	netfilter


diff --git a/etc/vlc.profile b/etc/vlc.profile index bccde7a3d..c3a4d58d0 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	# nogroups	19	# nogroups


diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc new file mode 100644 index 000000000..67c2a14c2 --- /dev/null +++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,10 @@
		1	# Local customizations come here
		2	include /etc/firejail/whitelist-var-common.local
		3
		4	# common /var whitelist for all profiles
		5
		6	whitelist /var/lib/dbus/machine-id
		7	whitelist /var/lib/menu-xdg
		8	whitelist /var/cache/fontconfig
		9	whitelist /var/tmp
		10	whitelist /var/run


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d0e236e61..af6547f7f 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
357	/etc/firejail/zoom.profile	357	/etc/firejail/zoom.profile
358	/etc/firejail/yandex-browser.profile	358	/etc/firejail/yandex-browser.profile
359	/etc/firejail/itch.profile	359	/etc/firejail/itch.profile
		360	/etc/firejail/whitelist-var-common.inc