authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2019-07-18 05:09:33 +0000
committerLibravatar GitHub <noreply@github.com>2019-07-18 05:09:33 +0000
commit319a68af953aa2c382e6849b0ac8c431a211c57a (patch)
treebc9257cb5431c98531951eba6a6145ff9433d478 /etc/gnome-schedule.profile
parenttravis ci: add enable-fatal-warnings (diff)
Harden gnome-schedule
Let's disable using a terminal for cron job testing by default and make this a whitelist profile.
Diffstat (limited to 'etc/gnome-schedule.profile')
-rw-r--r--etc/gnome-schedule.profile35
1 files changed, 19 insertions, 16 deletions
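diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 0fca08505..6c9c83e5f 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -13,27 +13,19 @@ noblacklist ${PATH}/at
 noblacklist ${PATH}/crontab
 
 # Needs access to these files/dirs
+noblacklist /etc/at.allow
+noblacklist /etc/at.deny
 noblacklist /etc/cron.allow
 noblacklist /etc/cron.deny
+noblacklist /etc/fonts
+noblacklist /etc/ld.so.preload
+noblacklist /etc/pam.d
 noblacklist /etc/shadow
+noblacklist /var/spool/at
 noblacklist /var/spool/cron
 
-# Needs a terminal for cron job test execution
-noblacklist ${PATH}/lxterminal
-noblacklist ${PATH}/gnome-terminal
-noblacklist ${PATH}/gnome-terminal.wrapper
-noblacklist ${PATH}/lilyterm
-noblacklist ${PATH}/mate-terminal
-noblacklist ${PATH}/mate-terminal.wrapper
-noblacklist ${PATH}/pantheon-terminal
-noblacklist ${PATH}/roxterm
-noblacklist ${PATH}/roxterm-config
-noblacklist ${PATH}/terminix
-noblacklist ${PATH}/tilix
-noblacklist ${PATH}/urxvtc
-noblacklist ${PATH}/urxvtcd
-noblacklist ${PATH}/xfce4-terminal
-noblacklist ${PATH}/xfce4-terminal.wrapper
+# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
+# add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -49,7 +41,18 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.gnome/gnome-schedule
 whitelist ${HOME}/.gnome/gnome-schedule
+whitelist /etc/at.allow
+whitelist /etc/at.deny
+whitelist /etc/cron.allow
+whitelist /etc/cron.deny
+whitelist /etc/fonts
+whitelist /etc/pam.d
+whitelist /etc/ld.so.preload
+whitelist /etc/shadow
+whitelist /var/spool/atd
+whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.keep chown,dac_override,setgid,setuid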
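Review bot: The new `noblacklist /var/spool/at` in the first hunk and the new `whitelist /var/spool/atd` in the second name different directories, so whichever one the installed atd actually uses is only half-configured: as far as I can tell, a spool that is noblacklisted but not whitelisted disappears once the added `include whitelist-var-common.inc` makes /var whitelist-only, and one that is whitelisted but never noblacklisted stays hidden by the blacklist. The at spool path differs between distributions, so cover both spellings rather than picking one: add `noblacklist /var/spool/atd` beside the existing noblacklist line and `whitelist /var/spool/at` beside the existing whitelist line. The /etc/pam.d and /etc/ld.so.preload whitelist entries are also in the opposite order from their noblacklist counterparts; keeping both lists in the same order makes this kind of mismatch easy to spot.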