diff options
author | glitsj16 <glitsj16@users.noreply.github.com> | 2019-07-18 05:09:33 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-07-18 05:09:33 +0000 |
commit | 319a68af953aa2c382e6849b0ac8c431a211c57a (patch) | |
tree | bc9257cb5431c98531951eba6a6145ff9433d478 /etc/gnome-schedule.profile | |
parent | travis ci: add enable-fatal-warnings (diff) | |
download | firejail-319a68af953aa2c382e6849b0ac8c431a211c57a.tar.gz firejail-319a68af953aa2c382e6849b0ac8c431a211c57a.tar.zst firejail-319a68af953aa2c382e6849b0ac8c431a211c57a.zip |
Harden gnome-schedule
Let's disable using a terminal for cron job testing by default and make this a whitelist profile.
Diffstat (limited to 'etc/gnome-schedule.profile')
-rw-r--r-- | etc/gnome-schedule.profile | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index 0fca08505..6c9c83e5f 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile | |||
@@ -13,27 +13,19 @@ noblacklist ${PATH}/at | |||
13 | noblacklist ${PATH}/crontab | 13 | noblacklist ${PATH}/crontab |
14 | 14 | ||
15 | # Needs access to these files/dirs | 15 | # Needs access to these files/dirs |
16 | noblacklist /etc/at.allow | ||
17 | noblacklist /etc/at.deny | ||
16 | noblacklist /etc/cron.allow | 18 | noblacklist /etc/cron.allow |
17 | noblacklist /etc/cron.deny | 19 | noblacklist /etc/cron.deny |
20 | noblacklist /etc/fonts | ||
21 | noblacklist /etc/ld.so.preload | ||
22 | noblacklist /etc/pam.d | ||
18 | noblacklist /etc/shadow | 23 | noblacklist /etc/shadow |
24 | noblacklist /var/spool/at | ||
19 | noblacklist /var/spool/cron | 25 | noblacklist /var/spool/cron |
20 | 26 | ||
21 | # Needs a terminal for cron job test execution | 27 | # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc) |
22 | noblacklist ${PATH}/lxterminal | 28 | # add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality |
23 | noblacklist ${PATH}/gnome-terminal | ||
24 | noblacklist ${PATH}/gnome-terminal.wrapper | ||
25 | noblacklist ${PATH}/lilyterm | ||
26 | noblacklist ${PATH}/mate-terminal | ||
27 | noblacklist ${PATH}/mate-terminal.wrapper | ||
28 | noblacklist ${PATH}/pantheon-terminal | ||
29 | noblacklist ${PATH}/roxterm | ||
30 | noblacklist ${PATH}/roxterm-config | ||
31 | noblacklist ${PATH}/terminix | ||
32 | noblacklist ${PATH}/tilix | ||
33 | noblacklist ${PATH}/urxvtc | ||
34 | noblacklist ${PATH}/urxvtcd | ||
35 | noblacklist ${PATH}/xfce4-terminal | ||
36 | noblacklist ${PATH}/xfce4-terminal.wrapper | ||
37 | 29 | ||
38 | # Allow python (blacklisted by disable-interpreters.inc) | 30 | # Allow python (blacklisted by disable-interpreters.inc) |
39 | include allow-python2.inc | 31 | include allow-python2.inc |
@@ -49,7 +41,18 @@ include disable-xdg.inc | |||
49 | 41 | ||
50 | mkfile ${HOME}/.gnome/gnome-schedule | 42 | mkfile ${HOME}/.gnome/gnome-schedule |
51 | whitelist ${HOME}/.gnome/gnome-schedule | 43 | whitelist ${HOME}/.gnome/gnome-schedule |
44 | whitelist /etc/at.allow | ||
45 | whitelist /etc/at.deny | ||
46 | whitelist /etc/cron.allow | ||
47 | whitelist /etc/cron.deny | ||
48 | whitelist /etc/fonts | ||
49 | whitelist /etc/pam.d | ||
50 | whitelist /etc/ld.so.preload | ||
51 | whitelist /etc/shadow | ||
52 | whitelist /var/spool/atd | ||
53 | whitelist /var/spool/cron | ||
52 | include whitelist-common.inc | 54 | include whitelist-common.inc |
55 | include whitelist-var-common.inc | ||
53 | 56 | ||
54 | apparmor | 57 | apparmor |
55 | caps.keep chown,dac_override,setgid,setuid | 58 | caps.keep chown,dac_override,setgid,setuid |