author | glitsj16 <glitsj16@users.noreply.github.com> | 2020-12-19 23:49:56 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-19 23:49:56 +0000 |
commit | 34f18791cf58afce78a03b91620f4e2a3f18a12a (patch) | |
tree | 37a7de379e6b62f32671cc4c058be6f0f4908d7f /etc/inc/archiver-common.inc | |
parent | Refactor electron.profile and electron based programs (#3807) (diff) | |
archivers: limiting file system access (#3834)
* limit file system access with comments in archiver-common.inc
* note wording
* Warn against overtightening file system access
Be more explicit about things breaking when archiver profiles are too tight. Thanks for the suggestion by @rusty-snake in #3834.
Diffstat (limited to 'etc/inc/archiver-common.inc')
-rw-r--r-- | etc/inc/archiver-common.inc | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc index 2c5e4d8bf..9812e3ebb 100644 --- a/etc/inc/archiver-common.inc +++ b/etc/inc/archiver-common.inc | |||
@@ -6,12 +6,21 @@ include archiver-common.local | |||
6 | 6 | ||
7 | blacklist ${RUNUSER} | 7 | blacklist ${RUNUSER} |
8 | 8 | ||
9 | include disable-common.inc | 9 | # WARNING: |
10 | # Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed | ||
11 | # include file(s) here or by putting those into archiver-common.local. | ||
12 | # Another option is to do this **per archiver** in the relevant <archiver>.local. | ||
13 | # Just beware that things tend to break when overtightening profiles. For example, because you only | ||
14 | # need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. | ||
15 | |||
16 | # Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc. | ||
17 | #include disable-common.inc | ||
10 | include disable-devel.inc | 18 | include disable-devel.inc |
11 | include disable-exec.inc | 19 | include disable-exec.inc |
12 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 22 | # Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc. |
23 | #include disable-programs.inc | ||
15 | include disable-shell.inc | 24 | include disable-shell.inc |
16 | 25 | ||
17 | apparmor | 26 | apparmor |
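Review bot: On new lines 17 and 23, `include disable-common.inc` and `include disable-programs.inc` go from active to commented out, so every archiver profile that includes this file loses those two blacklists by default, while the commit subject describes limiting file system access. If the relaxed default is intended, state it in the WARNING block and in the commit message; otherwise keep both includes active. The comment wording "if you don't need to compress files in disable-common.inc" also reads as if the files lived in the include file itself; "if you don't need to (un)compress files in paths blacklisted by disable-common.inc" would be clearer. The example sentence on new lines 13-14 ("because you only need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share") does not follow as written and should be reworded to say which restriction breaks which use case.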