diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-07-18 20:39:14 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-07-18 20:39:14 -0300 |
commit | f43382f1e9707b4fd5e63c7bfe881912aa4ee994 (patch) | |
tree | 499639bb962c8b071b153dcdad1b42af8286521d /etc/inc/disable-common.inc | |
parent | Add MS Edge Beta profile (diff) | |
download | firejail-f43382f1e9707b4fd5e63c7bfe881912aa4ee994.tar.gz firejail-f43382f1e9707b4fd5e63c7bfe881912aa4ee994.tar.zst firejail-f43382f1e9707b4fd5e63c7bfe881912aa4ee994.zip |
Revert "move whitelist/blacklist to allow/deny"
This reverts commit fe0f975f447d59977d90c3226cc8c623b31b20b3.
Note: This only reverts the changes from etc.
The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases.
That is, they fail to address the different usability problems discussed
on [#3447][3447] and in fact only make things more confusing (as has
already been mentioned on [this][4379] and later comments). The main
reason is that the aliases do not meaningfully map to the original
commands. For example, the commands from each pair below seem like they
would do the exact same thing:
* `allow` and `nodeny`
* `deny` and `noallow`
Additionally, if these aliases are not the final commands, but only a
test/work-in-progress, then keeping the wide-scale search/replace
changes made on commit fe0f975f4 would only serve to cause confusion, as
users of firejail-git, contributors and downstream projects might start
changing the commands used on their profiles, only to later have to
change them again, potentially to completely different commands.
The sooner this is undone the better, as (besides the above reasons) the
more profile changes there are between the original commit and the
revert, the harder it is to e.g.: `git diff` versions of files across
the following revision ranges: before the commit, after the commit but
before the revert and after the revert. Note: This is still the case
even if a commit is [ignored by `git blame`][4390].
So let us revert fe0f975f4 and only reapply similar large-scale changes
once we have discussed and settled on better commands.
How the revert was applied: Despite using the auto-generated message
from `git revert`, to ensure correctness and to avoid conflicts the
changes were reverted in different steps: Firstly, revert the files
which can be safely reverted directly ("filestorevert"):
# Find out which files have been changed on fe0f975f44, but have not
# been changed afterwards and list them on "filestorevert"
git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
comm -2 -3 allfiles filestoignore >filestorevert
# Note: There are 3 extra files on filestoignore because they were
# added after commit fe0f975f44
wc -l allfiles filestoignore filestorevert | head -n 3
# 797 allfiles
# 8 filestoignore
# 792 filestorevert
# Automatically revert files in "filestorevert"
# See https://stackoverflow.com/a/23401018/10095231
tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- |
git apply --reverse
printf 'Total files reverted:\n'
git diff --name-only | wc -l
# 792
Secondly, do some search/replace on the rest:
tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
-e 's/allow /whitelist /' -e 's/noallow /nowhitelist /' \
-e 's/deny /blacklist /' -e 's/nodeny /noblacklist /' \
-e 's/deny-nolog /blacklist-nolog /'
find etc -name '*.bak' -print0 | xargs -0 rm
Thirdly, verify the result. The following command shows the difference
between all the changes in etc from before fe0f975f44 and this commit
(inclusive):
git diff fe0f975f44~1 -- etc
From the output, it looks like all alias changes are fully reverted and
that the other changes to etc (from after fe0f975f44) remain, so the
revert seems to be done correctly.
[3447]: https://github.com/netblue30/firejail/issues/3447
[4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222
[4390]: https://github.com/netblue30/firejail/issues/4390
Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r-- | etc/inc/disable-common.inc | 710 |
1 files changed, 355 insertions, 355 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 1283a3a3d..6df0c4990 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -5,63 +5,63 @@ include disable-common.local | |||
5 | # The following block breaks trash functionality in file managers | 5 | # The following block breaks trash functionality in file managers |
6 | #read-only ${HOME}/.local | 6 | #read-only ${HOME}/.local |
7 | #read-write ${HOME}/.local/share | 7 | #read-write ${HOME}/.local/share |
8 | deny ${HOME}/.local/share/Trash | 8 | blacklist ${HOME}/.local/share/Trash |
9 | 9 | ||
10 | # History files in $HOME and clipboard managers | 10 | # History files in $HOME and clipboard managers |
11 | deny-nolog ${HOME}/.*_history | 11 | blacklist-nolog ${HOME}/.*_history |
12 | deny-nolog ${HOME}/.adobe | 12 | blacklist-nolog ${HOME}/.adobe |
13 | deny-nolog ${HOME}/.cache/greenclip* | 13 | blacklist-nolog ${HOME}/.cache/greenclip* |
14 | deny-nolog ${HOME}/.histfile | 14 | blacklist-nolog ${HOME}/.histfile |
15 | deny-nolog ${HOME}/.history | 15 | blacklist-nolog ${HOME}/.history |
16 | deny-nolog ${HOME}/.kde/share/apps/klipper | 16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper |
17 | deny-nolog ${HOME}/.kde4/share/apps/klipper | 17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper |
18 | deny-nolog ${HOME}/.local/share/fish/fish_history | 18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
19 | deny-nolog ${HOME}/.local/share/klipper | 19 | blacklist-nolog ${HOME}/.local/share/klipper |
20 | deny-nolog ${HOME}/.macromedia | 20 | blacklist-nolog ${HOME}/.macromedia |
21 | deny-nolog ${HOME}/.mupdf.history | 21 | blacklist-nolog ${HOME}/.mupdf.history |
22 | deny-nolog ${HOME}/.python-history | 22 | blacklist-nolog ${HOME}/.python-history |
23 | deny-nolog ${HOME}/.python_history | 23 | blacklist-nolog ${HOME}/.python_history |
24 | deny-nolog ${HOME}/.pythonhist | 24 | blacklist-nolog ${HOME}/.pythonhist |
25 | deny-nolog ${HOME}/.lesshst | 25 | blacklist-nolog ${HOME}/.lesshst |
26 | deny-nolog ${HOME}/.viminfo | 26 | blacklist-nolog ${HOME}/.viminfo |
27 | deny-nolog /tmp/clipmenu* | 27 | blacklist-nolog /tmp/clipmenu* |
28 | 28 | ||
29 | # X11 session autostart | 29 | # X11 session autostart |
30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | 30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs |
31 | deny ${HOME}/.Xsession | 31 | blacklist ${HOME}/.Xsession |
32 | deny ${HOME}/.blackbox | 32 | blacklist ${HOME}/.blackbox |
33 | deny ${HOME}/.config/autostart | 33 | blacklist ${HOME}/.config/autostart |
34 | deny ${HOME}/.config/autostart-scripts | 34 | blacklist ${HOME}/.config/autostart-scripts |
35 | deny ${HOME}/.config/awesome | 35 | blacklist ${HOME}/.config/awesome |
36 | deny ${HOME}/.config/i3 | 36 | blacklist ${HOME}/.config/i3 |
37 | deny ${HOME}/.config/sway | 37 | blacklist ${HOME}/.config/sway |
38 | deny ${HOME}/.config/lxsession/LXDE/autostart | 38 | blacklist ${HOME}/.config/lxsession/LXDE/autostart |
39 | deny ${HOME}/.config/openbox | 39 | blacklist ${HOME}/.config/openbox |
40 | deny ${HOME}/.config/plasma-workspace | 40 | blacklist ${HOME}/.config/plasma-workspace |
41 | deny ${HOME}/.config/startupconfig | 41 | blacklist ${HOME}/.config/startupconfig |
42 | deny ${HOME}/.config/startupconfigkeys | 42 | blacklist ${HOME}/.config/startupconfigkeys |
43 | deny ${HOME}/.fluxbox | 43 | blacklist ${HOME}/.fluxbox |
44 | deny ${HOME}/.gnomerc | 44 | blacklist ${HOME}/.gnomerc |
45 | deny ${HOME}/.kde/Autostart | 45 | blacklist ${HOME}/.kde/Autostart |
46 | deny ${HOME}/.kde/env | 46 | blacklist ${HOME}/.kde/env |
47 | deny ${HOME}/.kde/share/autostart | 47 | blacklist ${HOME}/.kde/share/autostart |
48 | deny ${HOME}/.kde/share/config/startupconfig | 48 | blacklist ${HOME}/.kde/share/config/startupconfig |
49 | deny ${HOME}/.kde/share/config/startupconfigkeys | 49 | blacklist ${HOME}/.kde/share/config/startupconfigkeys |
50 | deny ${HOME}/.kde/shutdown | 50 | blacklist ${HOME}/.kde/shutdown |
51 | deny ${HOME}/.kde4/env | 51 | blacklist ${HOME}/.kde4/env |
52 | deny ${HOME}/.kde4/Autostart | 52 | blacklist ${HOME}/.kde4/Autostart |
53 | deny ${HOME}/.kde4/share/autostart | 53 | blacklist ${HOME}/.kde4/share/autostart |
54 | deny ${HOME}/.kde4/shutdown | 54 | blacklist ${HOME}/.kde4/shutdown |
55 | deny ${HOME}/.kde4/share/config/startupconfig | 55 | blacklist ${HOME}/.kde4/share/config/startupconfig |
56 | deny ${HOME}/.kde4/share/config/startupconfigkeys | 56 | blacklist ${HOME}/.kde4/share/config/startupconfigkeys |
57 | deny ${HOME}/.local/share/autostart | 57 | blacklist ${HOME}/.local/share/autostart |
58 | deny ${HOME}/.xinitrc | 58 | blacklist ${HOME}/.xinitrc |
59 | deny ${HOME}/.xprofile | 59 | blacklist ${HOME}/.xprofile |
60 | deny ${HOME}/.xserverrc | 60 | blacklist ${HOME}/.xserverrc |
61 | deny ${HOME}/.xsession | 61 | blacklist ${HOME}/.xsession |
62 | deny ${HOME}/.xsessionrc | 62 | blacklist ${HOME}/.xsessionrc |
63 | deny /etc/X11/Xsession.d | 63 | blacklist /etc/X11/Xsession.d |
64 | deny /etc/xdg/autostart | 64 | blacklist /etc/xdg/autostart |
65 | read-only ${HOME}/.Xauthority | 65 | read-only ${HOME}/.Xauthority |
66 | 66 | ||
67 | # Session manager | 67 | # Session manager |
@@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority | |||
70 | #?HAS_X11: blacklist /tmp/.ICE-unix | 70 | #?HAS_X11: blacklist /tmp/.ICE-unix |
71 | 71 | ||
72 | # KDE config | 72 | # KDE config |
73 | deny ${HOME}/.cache/konsole | 73 | blacklist ${HOME}/.cache/konsole |
74 | deny ${HOME}/.config/khotkeysrc | 74 | blacklist ${HOME}/.config/khotkeysrc |
75 | deny ${HOME}/.config/krunnerrc | 75 | blacklist ${HOME}/.config/krunnerrc |
76 | deny ${HOME}/.config/kscreenlockerrc | 76 | blacklist ${HOME}/.config/kscreenlockerrc |
77 | deny ${HOME}/.config/ksslcertificatemanager | 77 | blacklist ${HOME}/.config/ksslcertificatemanager |
78 | deny ${HOME}/.config/kwalletrc | 78 | blacklist ${HOME}/.config/kwalletrc |
79 | deny ${HOME}/.config/kwinrc | 79 | blacklist ${HOME}/.config/kwinrc |
80 | deny ${HOME}/.config/kwinrulesrc | 80 | blacklist ${HOME}/.config/kwinrulesrc |
81 | deny ${HOME}/.config/plasma-locale-settings.sh | 81 | blacklist ${HOME}/.config/plasma-locale-settings.sh |
82 | deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 82 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
83 | deny ${HOME}/.config/plasmashellrc | 83 | blacklist ${HOME}/.config/plasmashellrc |
84 | deny ${HOME}/.config/plasmavaultrc | 84 | blacklist ${HOME}/.config/plasmavaultrc |
85 | deny ${HOME}/.kde/share/apps/kwin | 85 | blacklist ${HOME}/.kde/share/apps/kwin |
86 | deny ${HOME}/.kde/share/apps/plasma | 86 | blacklist ${HOME}/.kde/share/apps/plasma |
87 | deny ${HOME}/.kde/share/apps/solid | 87 | blacklist ${HOME}/.kde/share/apps/solid |
88 | deny ${HOME}/.kde/share/config/khotkeysrc | 88 | blacklist ${HOME}/.kde/share/config/khotkeysrc |
89 | deny ${HOME}/.kde/share/config/krunnerrc | 89 | blacklist ${HOME}/.kde/share/config/krunnerrc |
90 | deny ${HOME}/.kde/share/config/kscreensaverrc | 90 | blacklist ${HOME}/.kde/share/config/kscreensaverrc |
91 | deny ${HOME}/.kde/share/config/ksslcertificatemanager | 91 | blacklist ${HOME}/.kde/share/config/ksslcertificatemanager |
92 | deny ${HOME}/.kde/share/config/kwalletrc | 92 | blacklist ${HOME}/.kde/share/config/kwalletrc |
93 | deny ${HOME}/.kde/share/config/kwinrc | 93 | blacklist ${HOME}/.kde/share/config/kwinrc |
94 | deny ${HOME}/.kde/share/config/kwinrulesrc | 94 | blacklist ${HOME}/.kde/share/config/kwinrulesrc |
95 | deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 95 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
96 | deny ${HOME}/.kde4/share/apps/kwin | 96 | blacklist ${HOME}/.kde4/share/apps/kwin |
97 | deny ${HOME}/.kde4/share/apps/plasma | 97 | blacklist ${HOME}/.kde4/share/apps/plasma |
98 | deny ${HOME}/.kde4/share/apps/solid | 98 | blacklist ${HOME}/.kde4/share/apps/solid |
99 | deny ${HOME}/.kde4/share/config/khotkeysrc | 99 | blacklist ${HOME}/.kde4/share/config/khotkeysrc |
100 | deny ${HOME}/.kde4/share/config/krunnerrc | 100 | blacklist ${HOME}/.kde4/share/config/krunnerrc |
101 | deny ${HOME}/.kde4/share/config/kscreensaverrc | 101 | blacklist ${HOME}/.kde4/share/config/kscreensaverrc |
102 | deny ${HOME}/.kde4/share/config/ksslcertificatemanager | 102 | blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager |
103 | deny ${HOME}/.kde4/share/config/kwalletrc | 103 | blacklist ${HOME}/.kde4/share/config/kwalletrc |
104 | deny ${HOME}/.kde4/share/config/kwinrc | 104 | blacklist ${HOME}/.kde4/share/config/kwinrc |
105 | deny ${HOME}/.kde4/share/config/kwinrulesrc | 105 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc |
106 | deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | 106 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc |
107 | deny ${HOME}/.local/share/kglobalaccel | 107 | blacklist ${HOME}/.local/share/kglobalaccel |
108 | deny ${HOME}/.local/share/kwin | 108 | blacklist ${HOME}/.local/share/kwin |
109 | deny ${HOME}/.local/share/plasma | 109 | blacklist ${HOME}/.local/share/plasma |
110 | deny ${HOME}/.local/share/plasmashell | 110 | blacklist ${HOME}/.local/share/plasmashell |
111 | deny ${HOME}/.local/share/solid | 111 | blacklist ${HOME}/.local/share/solid |
112 | deny /tmp/konsole-*.history | 112 | blacklist /tmp/konsole-*.history |
113 | read-only ${HOME}/.cache/ksycoca5_* | 113 | read-only ${HOME}/.cache/ksycoca5_* |
114 | read-only ${HOME}/.config/*notifyrc | 114 | read-only ${HOME}/.config/*notifyrc |
115 | read-only ${HOME}/.config/kdeglobals | 115 | read-only ${HOME}/.config/kdeglobals |
@@ -138,139 +138,139 @@ read-only ${HOME}/.local/share/kservices5 | |||
138 | read-only ${HOME}/.local/share/kssl | 138 | read-only ${HOME}/.local/share/kssl |
139 | 139 | ||
140 | # KDE sockets | 140 | # KDE sockets |
141 | deny ${RUNUSER}/*.slave-socket | 141 | blacklist ${RUNUSER}/*.slave-socket |
142 | deny ${RUNUSER}/kdeinit5__* | 142 | blacklist ${RUNUSER}/kdeinit5__* |
143 | deny ${RUNUSER}/kdesud_* | 143 | blacklist ${RUNUSER}/kdesud_* |
144 | # see #3358 | 144 | # see #3358 |
145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* | 145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* |
146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* | 146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* |
147 | 147 | ||
148 | # gnome | 148 | # gnome |
149 | # contains extensions, last used times of applications, and notifications | 149 | # contains extensions, last used times of applications, and notifications |
150 | deny ${HOME}/.local/share/gnome-shell | 150 | blacklist ${HOME}/.local/share/gnome-shell |
151 | # contains recently used files and serials of static/removable storage | 151 | # contains recently used files and serials of static/removable storage |
152 | deny ${HOME}/.local/share/gvfs-metadata | 152 | blacklist ${HOME}/.local/share/gvfs-metadata |
153 | # no direct modification of dconf database | 153 | # no direct modification of dconf database |
154 | read-only ${HOME}/.config/dconf | 154 | read-only ${HOME}/.config/dconf |
155 | deny ${RUNUSER}/gnome-session-leader-fifo | 155 | blacklist ${RUNUSER}/gnome-session-leader-fifo |
156 | deny ${RUNUSER}/gnome-shell | 156 | blacklist ${RUNUSER}/gnome-shell |
157 | deny ${RUNUSER}/gsconnect | 157 | blacklist ${RUNUSER}/gsconnect |
158 | 158 | ||
159 | # systemd | 159 | # systemd |
160 | deny ${HOME}/.config/systemd | 160 | blacklist ${HOME}/.config/systemd |
161 | deny ${HOME}/.local/share/systemd | 161 | blacklist ${HOME}/.local/share/systemd |
162 | deny /var/lib/systemd | 162 | blacklist /var/lib/systemd |
163 | deny ${PATH}/systemd-run | 163 | blacklist ${PATH}/systemd-run |
164 | deny ${RUNUSER}/systemd | 164 | blacklist ${RUNUSER}/systemd |
165 | deny ${PATH}/systemctl | 165 | blacklist ${PATH}/systemctl |
166 | deny /etc/systemd/system | 166 | blacklist /etc/systemd/system |
167 | deny /etc/systemd/network | 167 | blacklist /etc/systemd/network |
168 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 168 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
169 | #blacklist /var/run/systemd | 169 | #blacklist /var/run/systemd |
170 | 170 | ||
171 | # openrc | 171 | # openrc |
172 | deny /etc/runlevels/ | 172 | blacklist /etc/runlevels/ |
173 | deny /etc/init.d/ | 173 | blacklist /etc/init.d/ |
174 | deny /etc/rc.conf | 174 | blacklist /etc/rc.conf |
175 | 175 | ||
176 | # VirtualBox | 176 | # VirtualBox |
177 | deny ${HOME}/.VirtualBox | 177 | blacklist ${HOME}/.VirtualBox |
178 | deny ${HOME}/.config/VirtualBox | 178 | blacklist ${HOME}/.config/VirtualBox |
179 | deny ${HOME}/VirtualBox VMs | 179 | blacklist ${HOME}/VirtualBox VMs |
180 | 180 | ||
181 | # GNOME Boxes | 181 | # GNOME Boxes |
182 | deny ${HOME}/.config/gnome-boxes | 182 | blacklist ${HOME}/.config/gnome-boxes |
183 | deny ${HOME}/.local/share/gnome-boxes | 183 | blacklist ${HOME}/.local/share/gnome-boxes |
184 | 184 | ||
185 | # libvirt | 185 | # libvirt |
186 | deny ${HOME}/.cache/libvirt | 186 | blacklist ${HOME}/.cache/libvirt |
187 | deny ${HOME}/.config/libvirt | 187 | blacklist ${HOME}/.config/libvirt |
188 | deny ${RUNUSER}/libvirt | 188 | blacklist ${RUNUSER}/libvirt |
189 | deny /var/cache/libvirt | 189 | blacklist /var/cache/libvirt |
190 | deny /var/lib/libvirt | 190 | blacklist /var/lib/libvirt |
191 | deny /var/log/libvirt | 191 | blacklist /var/log/libvirt |
192 | 192 | ||
193 | # OCI-Containers / Podman | 193 | # OCI-Containers / Podman |
194 | deny ${RUNUSER}/containers | 194 | blacklist ${RUNUSER}/containers |
195 | deny ${RUNUSER}/crun | 195 | blacklist ${RUNUSER}/crun |
196 | deny ${RUNUSER}/libpod | 196 | blacklist ${RUNUSER}/libpod |
197 | deny ${RUNUSER}/runc | 197 | blacklist ${RUNUSER}/runc |
198 | deny ${RUNUSER}/toolbox | 198 | blacklist ${RUNUSER}/toolbox |
199 | 199 | ||
200 | # VeraCrypt | 200 | # VeraCrypt |
201 | deny ${HOME}/.VeraCrypt | 201 | blacklist ${HOME}/.VeraCrypt |
202 | deny ${PATH}/veracrypt | 202 | blacklist ${PATH}/veracrypt |
203 | deny ${PATH}/veracrypt-uninstall.sh | 203 | blacklist ${PATH}/veracrypt-uninstall.sh |
204 | deny /usr/share/applications/veracrypt.* | 204 | blacklist /usr/share/applications/veracrypt.* |
205 | deny /usr/share/pixmaps/veracrypt.* | 205 | blacklist /usr/share/pixmaps/veracrypt.* |
206 | deny /usr/share/veracrypt | 206 | blacklist /usr/share/veracrypt |
207 | 207 | ||
208 | # TrueCrypt | 208 | # TrueCrypt |
209 | deny ${HOME}/.TrueCrypt | 209 | blacklist ${HOME}/.TrueCrypt |
210 | deny ${PATH}/truecrypt | 210 | blacklist ${PATH}/truecrypt |
211 | deny ${PATH}/truecrypt-uninstall.sh | 211 | blacklist ${PATH}/truecrypt-uninstall.sh |
212 | deny /usr/share/applications/truecrypt.* | 212 | blacklist /usr/share/applications/truecrypt.* |
213 | deny /usr/share/pixmaps/truecrypt.* | 213 | blacklist /usr/share/pixmaps/truecrypt.* |
214 | deny /usr/share/truecrypt | 214 | blacklist /usr/share/truecrypt |
215 | 215 | ||
216 | # zuluCrypt | 216 | # zuluCrypt |
217 | deny ${HOME}/.zuluCrypt | 217 | blacklist ${HOME}/.zuluCrypt |
218 | deny ${HOME}/.zuluCrypt-socket | 218 | blacklist ${HOME}/.zuluCrypt-socket |
219 | deny ${PATH}/zuluCrypt-cli | 219 | blacklist ${PATH}/zuluCrypt-cli |
220 | deny ${PATH}/zuluMount-cli | 220 | blacklist ${PATH}/zuluMount-cli |
221 | 221 | ||
222 | # var | 222 | # var |
223 | deny /var/cache/apt | 223 | blacklist /var/cache/apt |
224 | deny /var/cache/pacman | 224 | blacklist /var/cache/pacman |
225 | deny /var/lib/apt | 225 | blacklist /var/lib/apt |
226 | deny /var/lib/clamav | 226 | blacklist /var/lib/clamav |
227 | deny /var/lib/dkms | 227 | blacklist /var/lib/dkms |
228 | deny /var/lib/mysql/mysql.sock | 228 | blacklist /var/lib/mysql/mysql.sock |
229 | deny /var/lib/mysqld/mysql.sock | 229 | blacklist /var/lib/mysqld/mysql.sock |
230 | deny /var/lib/pacman | 230 | blacklist /var/lib/pacman |
231 | deny /var/lib/upower | 231 | blacklist /var/lib/upower |
232 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 232 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for |
233 | # every sandbox, unless --writable-var-log switch is activated | 233 | # every sandbox, unless --writable-var-log switch is activated |
234 | deny /var/mail | 234 | blacklist /var/mail |
235 | deny /var/opt | 235 | blacklist /var/opt |
236 | deny /var/run/acpid.socket | 236 | blacklist /var/run/acpid.socket |
237 | deny /var/run/docker.sock | 237 | blacklist /var/run/docker.sock |
238 | deny /var/run/minissdpd.sock | 238 | blacklist /var/run/minissdpd.sock |
239 | deny /var/run/mysql/mysqld.sock | 239 | blacklist /var/run/mysql/mysqld.sock |
240 | deny /var/run/mysqld/mysqld.sock | 240 | blacklist /var/run/mysqld/mysqld.sock |
241 | deny /var/run/rpcbind.sock | 241 | blacklist /var/run/rpcbind.sock |
242 | deny /var/run/screens | 242 | blacklist /var/run/screens |
243 | deny /var/spool/anacron | 243 | blacklist /var/spool/anacron |
244 | deny /var/spool/cron | 244 | blacklist /var/spool/cron |
245 | deny /var/spool/mail | 245 | blacklist /var/spool/mail |
246 | 246 | ||
247 | # etc | 247 | # etc |
248 | deny /etc/anacrontab | 248 | blacklist /etc/anacrontab |
249 | deny /etc/cron* | 249 | blacklist /etc/cron* |
250 | deny /etc/profile.d | 250 | blacklist /etc/profile.d |
251 | deny /etc/rc.local | 251 | blacklist /etc/rc.local |
252 | # rc1.d, rc2.d, ... | 252 | # rc1.d, rc2.d, ... |
253 | deny /etc/rc?.d | 253 | blacklist /etc/rc?.d |
254 | deny /etc/kernel* | 254 | blacklist /etc/kernel* |
255 | deny /etc/grub* | 255 | blacklist /etc/grub* |
256 | deny /etc/dkms | 256 | blacklist /etc/dkms |
257 | deny /etc/apparmor* | 257 | blacklist /etc/apparmor* |
258 | deny /etc/selinux | 258 | blacklist /etc/selinux |
259 | deny /etc/modules* | 259 | blacklist /etc/modules* |
260 | deny /etc/logrotate* | 260 | blacklist /etc/logrotate* |
261 | deny /etc/adduser.conf | 261 | blacklist /etc/adduser.conf |
262 | 262 | ||
263 | # hide config for various intrusion detection systems | 263 | # hide config for various intrusion detection systems |
264 | deny /etc/rkhunter.conf | 264 | blacklist /etc/rkhunter.conf |
265 | deny /var/lib/rkhunter | 265 | blacklist /var/lib/rkhunter |
266 | deny /etc/chkrootkit.conf | 266 | blacklist /etc/chkrootkit.conf |
267 | deny /etc/lynis | 267 | blacklist /etc/lynis |
268 | deny /etc/aide | 268 | blacklist /etc/aide |
269 | deny /etc/logcheck | 269 | blacklist /etc/logcheck |
270 | deny /etc/tripwire | 270 | blacklist /etc/tripwire |
271 | deny /etc/snort | 271 | blacklist /etc/snort |
272 | deny /etc/fail2ban.conf | 272 | blacklist /etc/fail2ban.conf |
273 | deny /etc/suricata | 273 | blacklist /etc/suricata |
274 | 274 | ||
275 | # Startup files | 275 | # Startup files |
276 | read-only ${HOME}/.antigen | 276 | read-only ${HOME}/.antigen |
@@ -307,13 +307,13 @@ read-only ${HOME}/.zshrc | |||
307 | read-only ${HOME}/.zshrc.local | 307 | read-only ${HOME}/.zshrc.local |
308 | 308 | ||
309 | # Remote access | 309 | # Remote access |
310 | deny ${HOME}/.rhosts | 310 | blacklist ${HOME}/.rhosts |
311 | deny ${HOME}/.shosts | 311 | blacklist ${HOME}/.shosts |
312 | deny ${HOME}/.ssh/authorized_keys | 312 | blacklist ${HOME}/.ssh/authorized_keys |
313 | deny ${HOME}/.ssh/authorized_keys2 | 313 | blacklist ${HOME}/.ssh/authorized_keys2 |
314 | deny ${HOME}/.ssh/environment | 314 | blacklist ${HOME}/.ssh/environment |
315 | deny ${HOME}/.ssh/rc | 315 | blacklist ${HOME}/.ssh/rc |
316 | deny /etc/hosts.equiv | 316 | blacklist /etc/hosts.equiv |
317 | read-only ${HOME}/.ssh/config | 317 | read-only ${HOME}/.ssh/config |
318 | read-only ${HOME}/.ssh/config.d | 318 | read-only ${HOME}/.ssh/config.d |
319 | 319 | ||
@@ -374,200 +374,200 @@ read-only ${HOME}/.local/share/mime | |||
374 | read-only ${HOME}/.local/share/thumbnailers | 374 | read-only ${HOME}/.local/share/thumbnailers |
375 | 375 | ||
376 | # prevent access to ssh-agent | 376 | # prevent access to ssh-agent |
377 | deny /tmp/ssh-* | 377 | blacklist /tmp/ssh-* |
378 | 378 | ||
379 | # top secret | 379 | # top secret |
380 | deny ${HOME}/*.kdb | 380 | blacklist ${HOME}/*.kdb |
381 | deny ${HOME}/*.kdbx | 381 | blacklist ${HOME}/*.kdbx |
382 | deny ${HOME}/*.key | 382 | blacklist ${HOME}/*.key |
383 | deny ${HOME}/.Private | 383 | blacklist ${HOME}/.Private |
384 | deny ${HOME}/.caff | 384 | blacklist ${HOME}/.caff |
385 | deny ${HOME}/.cargo/credentials | 385 | blacklist ${HOME}/.cargo/credentials |
386 | deny ${HOME}/.cargo/credentials.toml | 386 | blacklist ${HOME}/.cargo/credentials.toml |
387 | deny ${HOME}/.cert | 387 | blacklist ${HOME}/.cert |
388 | deny ${HOME}/.config/keybase | 388 | blacklist ${HOME}/.config/keybase |
389 | deny ${HOME}/.davfs2/secrets | 389 | blacklist ${HOME}/.davfs2/secrets |
390 | deny ${HOME}/.ecryptfs | 390 | blacklist ${HOME}/.ecryptfs |
391 | deny ${HOME}/.fetchmailrc | 391 | blacklist ${HOME}/.fetchmailrc |
392 | deny ${HOME}/.fscrypt | 392 | blacklist ${HOME}/.fscrypt |
393 | deny ${HOME}/.git-credential-cache | 393 | blacklist ${HOME}/.git-credential-cache |
394 | deny ${HOME}/.git-credentials | 394 | blacklist ${HOME}/.git-credentials |
395 | deny ${HOME}/.gnome2/keyrings | 395 | blacklist ${HOME}/.gnome2/keyrings |
396 | deny ${HOME}/.gnupg | 396 | blacklist ${HOME}/.gnupg |
397 | deny ${HOME}/.config/hub | 397 | blacklist ${HOME}/.config/hub |
398 | deny ${HOME}/.kde/share/apps/kwallet | 398 | blacklist ${HOME}/.kde/share/apps/kwallet |
399 | deny ${HOME}/.kde4/share/apps/kwallet | 399 | blacklist ${HOME}/.kde4/share/apps/kwallet |
400 | deny ${HOME}/.local/share/keyrings | 400 | blacklist ${HOME}/.local/share/keyrings |
401 | deny ${HOME}/.local/share/kwalletd | 401 | blacklist ${HOME}/.local/share/kwalletd |
402 | deny ${HOME}/.local/share/plasma-vault | 402 | blacklist ${HOME}/.local/share/plasma-vault |
403 | deny ${HOME}/.msmtprc | 403 | blacklist ${HOME}/.msmtprc |
404 | deny ${HOME}/.mutt | 404 | blacklist ${HOME}/.mutt |
405 | deny ${HOME}/.muttrc | 405 | blacklist ${HOME}/.muttrc |
406 | deny ${HOME}/.netrc | 406 | blacklist ${HOME}/.netrc |
407 | deny ${HOME}/.nyx | 407 | blacklist ${HOME}/.nyx |
408 | deny ${HOME}/.pki | 408 | blacklist ${HOME}/.pki |
409 | deny ${HOME}/.local/share/pki | 409 | blacklist ${HOME}/.local/share/pki |
410 | deny ${HOME}/.smbcredentials | 410 | blacklist ${HOME}/.smbcredentials |
411 | deny ${HOME}/.ssh | 411 | blacklist ${HOME}/.ssh |
412 | deny ${HOME}/.vaults | 412 | blacklist ${HOME}/.vaults |
413 | deny /.fscrypt | 413 | blacklist /.fscrypt |
414 | deny /etc/davfs2/secrets | 414 | blacklist /etc/davfs2/secrets |
415 | deny /etc/group+ | 415 | blacklist /etc/group+ |
416 | deny /etc/group- | 416 | blacklist /etc/group- |
417 | deny /etc/gshadow | 417 | blacklist /etc/gshadow |
418 | deny /etc/gshadow+ | 418 | blacklist /etc/gshadow+ |
419 | deny /etc/gshadow- | 419 | blacklist /etc/gshadow- |
420 | deny /etc/passwd+ | 420 | blacklist /etc/passwd+ |
421 | deny /etc/passwd- | 421 | blacklist /etc/passwd- |
422 | deny /etc/shadow | 422 | blacklist /etc/shadow |
423 | deny /etc/shadow+ | 423 | blacklist /etc/shadow+ |
424 | deny /etc/shadow- | 424 | blacklist /etc/shadow- |
425 | deny /etc/ssh | 425 | blacklist /etc/ssh |
426 | deny /etc/ssh/* | 426 | blacklist /etc/ssh/* |
427 | deny /home/.ecryptfs | 427 | blacklist /home/.ecryptfs |
428 | deny /home/.fscrypt | 428 | blacklist /home/.fscrypt |
429 | deny /var/backup | 429 | blacklist /var/backup |
430 | 430 | ||
431 | # cloud provider configuration | 431 | # cloud provider configuration |
432 | deny ${HOME}/.aws | 432 | blacklist ${HOME}/.aws |
433 | deny ${HOME}/.boto | 433 | blacklist ${HOME}/.boto |
434 | deny ${HOME}/.config/gcloud | 434 | blacklist ${HOME}/.config/gcloud |
435 | deny ${HOME}/.kube | 435 | blacklist ${HOME}/.kube |
436 | deny ${HOME}/.passwd-s3fs | 436 | blacklist ${HOME}/.passwd-s3fs |
437 | deny ${HOME}/.s3cmd | 437 | blacklist ${HOME}/.s3cmd |
438 | deny /etc/boto.cfg | 438 | blacklist /etc/boto.cfg |
439 | 439 | ||
440 | # system directories | 440 | # system directories |
441 | deny /sbin | 441 | blacklist /sbin |
442 | deny /usr/local/sbin | 442 | blacklist /usr/local/sbin |
443 | deny /usr/sbin | 443 | blacklist /usr/sbin |
444 | 444 | ||
445 | # system management | 445 | # system management |
446 | deny ${PATH}/at | 446 | blacklist ${PATH}/at |
447 | deny ${PATH}/busybox | 447 | blacklist ${PATH}/busybox |
448 | deny ${PATH}/chage | 448 | blacklist ${PATH}/chage |
449 | deny ${PATH}/chfn | 449 | blacklist ${PATH}/chfn |
450 | deny ${PATH}/chsh | 450 | blacklist ${PATH}/chsh |
451 | deny ${PATH}/crontab | 451 | blacklist ${PATH}/crontab |
452 | deny ${PATH}/evtest | 452 | blacklist ${PATH}/evtest |
453 | deny ${PATH}/expiry | 453 | blacklist ${PATH}/expiry |
454 | deny ${PATH}/fusermount | 454 | blacklist ${PATH}/fusermount |
455 | deny ${PATH}/gksu | 455 | blacklist ${PATH}/gksu |
456 | deny ${PATH}/gksudo | 456 | blacklist ${PATH}/gksudo |
457 | deny ${PATH}/gpasswd | 457 | blacklist ${PATH}/gpasswd |
458 | deny ${PATH}/kdesudo | 458 | blacklist ${PATH}/kdesudo |
459 | deny ${PATH}/ksu | 459 | blacklist ${PATH}/ksu |
460 | deny ${PATH}/mount | 460 | blacklist ${PATH}/mount |
461 | deny ${PATH}/mount.ecryptfs_private | 461 | blacklist ${PATH}/mount.ecryptfs_private |
462 | deny ${PATH}/nc | 462 | blacklist ${PATH}/nc |
463 | deny ${PATH}/ncat | 463 | blacklist ${PATH}/ncat |
464 | deny ${PATH}/nmap | 464 | blacklist ${PATH}/nmap |
465 | deny ${PATH}/newgidmap | 465 | blacklist ${PATH}/newgidmap |
466 | deny ${PATH}/newgrp | 466 | blacklist ${PATH}/newgrp |
467 | deny ${PATH}/newuidmap | 467 | blacklist ${PATH}/newuidmap |
468 | deny ${PATH}/ntfs-3g | 468 | blacklist ${PATH}/ntfs-3g |
469 | deny ${PATH}/pkexec | 469 | blacklist ${PATH}/pkexec |
470 | deny ${PATH}/procmail | 470 | blacklist ${PATH}/procmail |
471 | deny ${PATH}/sg | 471 | blacklist ${PATH}/sg |
472 | deny ${PATH}/strace | 472 | blacklist ${PATH}/strace |
473 | deny ${PATH}/su | 473 | blacklist ${PATH}/su |
474 | deny ${PATH}/sudo | 474 | blacklist ${PATH}/sudo |
475 | deny ${PATH}/tcpdump | 475 | blacklist ${PATH}/tcpdump |
476 | deny ${PATH}/umount | 476 | blacklist ${PATH}/umount |
477 | deny ${PATH}/unix_chkpwd | 477 | blacklist ${PATH}/unix_chkpwd |
478 | deny ${PATH}/xev | 478 | blacklist ${PATH}/xev |
479 | deny ${PATH}/xinput | 479 | blacklist ${PATH}/xinput |
480 | 480 | ||
481 | # other SUID binaries | 481 | # other SUID binaries |
482 | deny /usr/lib/virtualbox | 482 | blacklist /usr/lib/virtualbox |
483 | deny /usr/lib64/virtualbox | 483 | blacklist /usr/lib64/virtualbox |
484 | 484 | ||
485 | # prevent lxterminal connecting to an existing lxterminal session | 485 | # prevent lxterminal connecting to an existing lxterminal session |
486 | deny /tmp/.lxterminal-socket* | 486 | blacklist /tmp/.lxterminal-socket* |
487 | # prevent tmux connecting to an existing session | 487 | # prevent tmux connecting to an existing session |
488 | deny /tmp/tmux-* | 488 | blacklist /tmp/tmux-* |
489 | 489 | ||
490 | # disable terminals running as server resulting in sandbox escape | 490 | # disable terminals running as server resulting in sandbox escape |
491 | deny ${PATH}/lxterminal | 491 | blacklist ${PATH}/lxterminal |
492 | deny ${PATH}/gnome-terminal | 492 | blacklist ${PATH}/gnome-terminal |
493 | deny ${PATH}/gnome-terminal.wrapper | 493 | blacklist ${PATH}/gnome-terminal.wrapper |
494 | deny ${PATH}/lilyterm | 494 | blacklist ${PATH}/lilyterm |
495 | deny ${PATH}/mate-terminal | 495 | blacklist ${PATH}/mate-terminal |
496 | deny ${PATH}/mate-terminal.wrapper | 496 | blacklist ${PATH}/mate-terminal.wrapper |
497 | deny ${PATH}/pantheon-terminal | 497 | blacklist ${PATH}/pantheon-terminal |
498 | deny ${PATH}/roxterm | 498 | blacklist ${PATH}/roxterm |
499 | deny ${PATH}/roxterm-config | 499 | blacklist ${PATH}/roxterm-config |
500 | deny ${PATH}/terminix | 500 | blacklist ${PATH}/terminix |
501 | deny ${PATH}/tilix | 501 | blacklist ${PATH}/tilix |
502 | deny ${PATH}/urxvtc | 502 | blacklist ${PATH}/urxvtc |
503 | deny ${PATH}/urxvtcd | 503 | blacklist ${PATH}/urxvtcd |
504 | deny ${PATH}/xfce4-terminal | 504 | blacklist ${PATH}/xfce4-terminal |
505 | deny ${PATH}/xfce4-terminal.wrapper | 505 | blacklist ${PATH}/xfce4-terminal.wrapper |
506 | # blacklist ${PATH}/konsole | 506 | # blacklist ${PATH}/konsole |
507 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | 507 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 |
508 | 508 | ||
509 | # kernel files | 509 | # kernel files |
510 | deny /initrd* | 510 | blacklist /initrd* |
511 | deny /vmlinuz* | 511 | blacklist /vmlinuz* |
512 | 512 | ||
513 | # snapshot files | 513 | # snapshot files |
514 | deny /.snapshots | 514 | blacklist /.snapshots |
515 | 515 | ||
516 | # flatpak | 516 | # flatpak |
517 | deny ${HOME}/.cache/flatpak | 517 | blacklist ${HOME}/.cache/flatpak |
518 | deny ${HOME}/.config/flatpak | 518 | blacklist ${HOME}/.config/flatpak |
519 | nodeny ${HOME}/.local/share/flatpak/exports | 519 | noblacklist ${HOME}/.local/share/flatpak/exports |
520 | read-only ${HOME}/.local/share/flatpak/exports | 520 | read-only ${HOME}/.local/share/flatpak/exports |
521 | deny ${HOME}/.local/share/flatpak/* | 521 | blacklist ${HOME}/.local/share/flatpak/* |
522 | deny ${HOME}/.var | 522 | blacklist ${HOME}/.var |
523 | deny ${RUNUSER}/app | 523 | blacklist ${RUNUSER}/app |
524 | deny ${RUNUSER}/doc | 524 | blacklist ${RUNUSER}/doc |
525 | deny ${RUNUSER}/.dbus-proxy | 525 | blacklist ${RUNUSER}/.dbus-proxy |
526 | deny ${RUNUSER}/.flatpak | 526 | blacklist ${RUNUSER}/.flatpak |
527 | deny ${RUNUSER}/.flatpak-cache | 527 | blacklist ${RUNUSER}/.flatpak-cache |
528 | deny ${RUNUSER}/.flatpak-helper | 528 | blacklist ${RUNUSER}/.flatpak-helper |
529 | deny /usr/share/flatpak | 529 | blacklist /usr/share/flatpak |
530 | nodeny /var/lib/flatpak/exports | 530 | noblacklist /var/lib/flatpak/exports |
531 | deny /var/lib/flatpak/* | 531 | blacklist /var/lib/flatpak/* |
532 | # most of the time bwrap is SUID binary | 532 | # most of the time bwrap is SUID binary |
533 | deny ${PATH}/bwrap | 533 | blacklist ${PATH}/bwrap |
534 | 534 | ||
535 | # snap | 535 | # snap |
536 | deny ${RUNUSER}/snapd-session-agent.socket | 536 | blacklist ${RUNUSER}/snapd-session-agent.socket |
537 | 537 | ||
538 | # mail directories used by mutt | 538 | # mail directories used by mutt |
539 | deny ${HOME}/.Mail | 539 | blacklist ${HOME}/.Mail |
540 | deny ${HOME}/.mail | 540 | blacklist ${HOME}/.mail |
541 | deny ${HOME}/.signature | 541 | blacklist ${HOME}/.signature |
542 | deny ${HOME}/Mail | 542 | blacklist ${HOME}/Mail |
543 | deny ${HOME}/mail | 543 | blacklist ${HOME}/mail |
544 | deny ${HOME}/postponed | 544 | blacklist ${HOME}/postponed |
545 | deny ${HOME}/sent | 545 | blacklist ${HOME}/sent |
546 | 546 | ||
547 | # kernel configuration | 547 | # kernel configuration |
548 | deny /proc/config.gz | 548 | blacklist /proc/config.gz |
549 | 549 | ||
550 | # prevent DNS malware attempting to communicate with the server | 550 | # prevent DNS malware attempting to communicate with the server |
551 | # using regular DNS tools | 551 | # using regular DNS tools |
552 | deny ${PATH}/dig | 552 | blacklist ${PATH}/dig |
553 | deny ${PATH}/dlint | 553 | blacklist ${PATH}/dlint |
554 | deny ${PATH}/dns2tcp | 554 | blacklist ${PATH}/dns2tcp |
555 | deny ${PATH}/dnssec-* | 555 | blacklist ${PATH}/dnssec-* |
556 | deny ${PATH}/dnswalk | 556 | blacklist ${PATH}/dnswalk |
557 | deny ${PATH}/drill | 557 | blacklist ${PATH}/drill |
558 | deny ${PATH}/host | 558 | blacklist ${PATH}/host |
559 | deny ${PATH}/iodine | 559 | blacklist ${PATH}/iodine |
560 | deny ${PATH}/kdig | 560 | blacklist ${PATH}/kdig |
561 | deny ${PATH}/khost | 561 | blacklist ${PATH}/khost |
562 | deny ${PATH}/knsupdate | 562 | blacklist ${PATH}/knsupdate |
563 | deny ${PATH}/ldns-* | 563 | blacklist ${PATH}/ldns-* |
564 | deny ${PATH}/ldnsd | 564 | blacklist ${PATH}/ldnsd |
565 | deny ${PATH}/nslookup | 565 | blacklist ${PATH}/nslookup |
566 | deny ${PATH}/resolvectl | 566 | blacklist ${PATH}/resolvectl |
567 | deny ${PATH}/unbound-host | 567 | blacklist ${PATH}/unbound-host |
568 | 568 | ||
569 | # rest of ${RUNUSER} | 569 | # rest of ${RUNUSER} |
570 | deny ${RUNUSER}/*.lock | 570 | blacklist ${RUNUSER}/*.lock |
571 | deny ${RUNUSER}/inaccessible | 571 | blacklist ${RUNUSER}/inaccessible |
572 | deny ${RUNUSER}/pk-debconf-socket | 572 | blacklist ${RUNUSER}/pk-debconf-socket |
573 | deny ${RUNUSER}/update-notifier.pid | 573 | blacklist ${RUNUSER}/update-notifier.pid |