More fixes for #3464

Backporting fixes for Atom 1.48 to firejail 0.9.52, 0.9.58, and 0.9.60 Summary: - remove nonewprivs, noroot, protocol, and seccomp - update caps filter to keep sys_admin and sys_chroot Without these changes Atom 1.48 breaks and refuses to start (due to Electron sandboxing)
author: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2020-06-13 12:02:53 -0500
committer: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2020-06-13 12:05:17 -0500
commit: 55906959a9cbf6a9d53273c5bd875174ab1a6d51 (patch)
tree: c36b520f3f6846c398e1a6b9947eb9690277063e /etc-fixes
parent: Fix #3464 (diff)
download: firejail-55906959a9cbf6a9d53273c5bd875174ab1a6d51.tar.gz
firejail-55906959a9cbf6a9d53273c5bd875174ab1a6d51.tar.zst
firejail-55906959a9cbf6a9d53273c5bd875174ab1a6d51.zip
3 files changed, 104 insertions, 0 deletions
diff --git a/etc-fixes/0.9.52/atom.profile b/etc-fixes/0.9.52/atom.profile
new file mode 100644
index 000000000..87ffdced9
--- /dev/null
+++ b/etc-fixes/0.9.52/atom.profile
@@ -0,0 +1,31 @@
+# Firejail profile for atom
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/atom.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# blacklist /run/user/*/bus
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodvd
+nogroups
+nosound
+notv
+novideo
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
new file mode 100644
index 000000000..9bc35da5a
--- /dev/null
+++ b/etc-fixes/0.9.58/atom.profile
@@ -0,0 +1,36 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+private-cache
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile
new file mode 100644
index 000000000..c8929127b
--- /dev/null
+++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.pythonrc.py
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+private-cache
+private-dev
+private-tmp
author	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2020-06-13 12:02:53 -0500
committer	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2020-06-13 12:05:17 -0500
commit	55906959a9cbf6a9d53273c5bd875174ab1a6d51 (patch)
tree	c36b520f3f6846c398e1a6b9947eb9690277063e /etc-fixes
parent	Fix #3464 (diff)
download	firejail-55906959a9cbf6a9d53273c5bd875174ab1a6d51.tar.gz firejail-55906959a9cbf6a9d53273c5bd875174ab1a6d51.tar.zst firejail-55906959a9cbf6a9d53273c5bd875174ab1a6d51.zip

diff --git a/etc-fixes/0.9.52/atom.profile b/etc-fixes/0.9.52/atom.profile new file mode 100644 index 000000000..87ffdced9 --- /dev/null +++ b/etc-fixes/0.9.52/atom.profile
@@ -0,0 +1,31 @@
	1	# Firejail profile for atom
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/atom.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	# blacklist /run/user/*/bus
	9
	10	noblacklist ${HOME}/.atom
	11	noblacklist ${HOME}/.config/Atom
	12
	13	include /etc/firejail/disable-common.inc
	14	include /etc/firejail/disable-passwdmgr.inc
	15	include /etc/firejail/disable-programs.inc
	16
	17	caps.keep sys_admin,sys_chroot
	18	# net none
	19	netfilter
	20	nodvd
	21	nogroups
	22	nosound
	23	notv
	24	novideo
	25	shell none
	26
	27	private-dev
	28	private-tmp
	29
	30	noexec ${HOME}
	31	noexec /tmp


diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile new file mode 100644 index 000000000..9bc35da5a --- /dev/null +++ b/etc-fixes/0.9.58/atom.profile
@@ -0,0 +1,36 @@
	1
	2	# Firejail profile for atom
	3	# Description: A hackable text editor for the 21st Century
	4	# This file is overwritten after every install/update
	5	# Persistent local customizations
	6	include atom.local
	7	# Persistent global definitions
	8	include globals.local
	9
	10	noblacklist ${HOME}/.atom
	11	noblacklist ${HOME}/.config/Atom
	12	noblacklist ${HOME}/.cargo/config
	13	noblacklist ${HOME}/.cargo/registry
	14
	15	include disable-common.inc
	16	include disable-passwdmgr.inc
	17	include disable-programs.inc
	18
	19	caps.keep sys_admin,sys_chroot
	20	# net none
	21	netfilter
	22	nodbus
	23	nodvd
	24	nogroups
	25	nosound
	26	notv
	27	nou2f
	28	novideo
	29	shell none
	30
	31	private-cache
	32	private-dev
	33	private-tmp
	34
	35	noexec ${HOME}
	36	noexec /tmp


diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile new file mode 100644 index 000000000..c8929127b --- /dev/null +++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
	1	# Firejail profile for atom
	2	# Description: A hackable text editor for the 21st Century
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include atom.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.atom
	10	noblacklist ${HOME}/.config/Atom
	11	noblacklist ${HOME}/.config/git
	12	noblacklist ${HOME}/.cargo/config
	13	noblacklist ${HOME}/.cargo/registry
	14	noblacklist ${HOME}/.gitconfig
	15	noblacklist ${HOME}/.git-credentials
	16	noblacklist ${HOME}/.pythonrc.py
	17
	18	include disable-common.inc
	19	include disable-exec.inc
	20	include disable-passwdmgr.inc
	21	include disable-programs.inc
	22
	23	caps.keep sys_admin,sys_chroot
	24	# net none
	25	netfilter
	26	nodbus
	27	nodvd
	28	nogroups
	29	nosound
	30	notv
	31	nou2f
	32	novideo
	33	shell none
	34
	35	private-cache
	36	private-dev
	37	private-tmp