author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-10-15 12:00:03 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-15 12:00:03 +0000 |
commit | 61d8d14ab7cc9f67fd7d148fa96e8ac64a0aeafe (patch) | |
tree | 91bb5a7125e7e66ac00a7fd1ca76c69e8ea31bfe /etc/inc/disable-common.inc | |
parent | pavucontrol-qt: fix broken whitelisting in ${HOME} (#6045) (diff) | |
parent | disable-common.inc: add more suid programs (diff) | |
Merge pull request #6049 from kmk3/dc-add-more-suid
disable-common.inc: add more suid programs
Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r-- | etc/inc/disable-common.inc | 75 |
1 files changed, 39 insertions, 36 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 8dae97fe9..021c5bd20 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -504,6 +504,7 @@ blacklist /usr/sbin | |||
504 | 504 | ||
505 | # system management and various SUID executables | 505 | # system management and various SUID executables |
506 | blacklist ${PATH}/at | 506 | blacklist ${PATH}/at |
507 | blacklist ${PATH}/bmon | ||
507 | blacklist ${PATH}/busybox | 508 | blacklist ${PATH}/busybox |
508 | blacklist ${PATH}/chage | 509 | blacklist ${PATH}/chage |
509 | blacklist ${PATH}/chfn | 510 | blacklist ${PATH}/chfn |
@@ -512,71 +513,73 @@ blacklist ${PATH}/crontab | |||
512 | blacklist ${PATH}/doas | 513 | blacklist ${PATH}/doas |
513 | blacklist ${PATH}/evtest | 514 | blacklist ${PATH}/evtest |
514 | blacklist ${PATH}/expiry | 515 | blacklist ${PATH}/expiry |
515 | blacklist ${PATH}/fusermount | 516 | blacklist ${PATH}/fping |
517 | blacklist ${PATH}/fping6 | ||
518 | blacklist ${PATH}/fusermount* | ||
516 | blacklist ${PATH}/gksu | 519 | blacklist ${PATH}/gksu |
517 | blacklist ${PATH}/gksudo | 520 | blacklist ${PATH}/gksudo |
518 | blacklist ${PATH}/gpasswd | 521 | blacklist ${PATH}/gpasswd |
522 | blacklist ${PATH}/groupmems | ||
523 | blacklist ${PATH}/hostname | ||
524 | #blacklist ${PATH}/ip # breaks --ip=dhcp | ||
519 | blacklist ${PATH}/kdesudo | 525 | blacklist ${PATH}/kdesudo |
520 | blacklist ${PATH}/ksu | 526 | blacklist ${PATH}/ksu |
521 | blacklist ${PATH}/mount | 527 | blacklist ${PATH}/mount |
522 | blacklist ${PATH}/mount.ecryptfs_private | 528 | blacklist ${PATH}/mount.* |
523 | blacklist ${PATH}/mountpoint | 529 | blacklist ${PATH}/mountpoint |
530 | blacklist ${PATH}/mtr | ||
531 | blacklist ${PATH}/mtr-packet | ||
524 | blacklist ${PATH}/nc | 532 | blacklist ${PATH}/nc |
525 | blacklist ${PATH}/nc.traditional | ||
526 | blacklist ${PATH}/nc.openbsd | 533 | blacklist ${PATH}/nc.openbsd |
534 | blacklist ${PATH}/nc.traditional | ||
527 | blacklist ${PATH}/ncat | 535 | blacklist ${PATH}/ncat |
528 | blacklist ${PATH}/nmap | 536 | blacklist ${PATH}/netstat |
537 | blacklist ${PATH}/networkctl | ||
529 | blacklist ${PATH}/newgidmap | 538 | blacklist ${PATH}/newgidmap |
530 | blacklist ${PATH}/newgrp | 539 | blacklist ${PATH}/newgrp |
531 | blacklist ${PATH}/newuidmap | 540 | blacklist ${PATH}/newuidmap |
541 | blacklist ${PATH}/nm-online | ||
542 | blacklist ${PATH}/nmap | ||
543 | blacklist ${PATH}/nmcli | ||
544 | blacklist ${PATH}/nmtui | ||
545 | blacklist ${PATH}/nmtui-connect | ||
546 | blacklist ${PATH}/nmtui-edit | ||
547 | blacklist ${PATH}/nmtui-hostname | ||
532 | blacklist ${PATH}/ntfs-3g | 548 | blacklist ${PATH}/ntfs-3g |
549 | blacklist ${PATH}/passwd | ||
550 | blacklist ${PATH}/physlock | ||
533 | blacklist ${PATH}/pkexec | 551 | blacklist ${PATH}/pkexec |
552 | blacklist ${PATH}/pmount | ||
534 | blacklist ${PATH}/procmail | 553 | blacklist ${PATH}/procmail |
554 | blacklist ${PATH}/pumount | ||
555 | blacklist ${PATH}/schroot | ||
535 | blacklist ${PATH}/sg | 556 | blacklist ${PATH}/sg |
557 | blacklist ${PATH}/slock | ||
558 | blacklist ${PATH}/ss | ||
536 | blacklist ${PATH}/strace | 559 | blacklist ${PATH}/strace |
537 | blacklist ${PATH}/su | 560 | blacklist ${PATH}/su |
538 | blacklist ${PATH}/sudo | 561 | blacklist ${PATH}/sudo |
562 | blacklist ${PATH}/suexec | ||
539 | blacklist ${PATH}/tcpdump | 563 | blacklist ${PATH}/tcpdump |
564 | blacklist ${PATH}/traceroute | ||
540 | blacklist ${PATH}/umount | 565 | blacklist ${PATH}/umount |
541 | blacklist ${PATH}/unix_chkpwd | 566 | blacklist ${PATH}/unix_chkpwd |
567 | blacklist ${PATH}/wall | ||
568 | blacklist ${PATH}/write | ||
569 | blacklist ${PATH}/wshowkeys | ||
542 | blacklist ${PATH}/xev | 570 | blacklist ${PATH}/xev |
543 | blacklist ${PATH}/xinput | 571 | blacklist ${PATH}/xinput |
544 | blacklist /usr/lib/openssh | 572 | blacklist /usr/lib/chromium/chrome-sandbox |
545 | blacklist /usr/lib/ssh | ||
546 | blacklist /usr/libexec/openssh | ||
547 | blacklist ${PATH}/passwd | ||
548 | blacklist /usr/lib/xorg/Xorg.wrap | ||
549 | blacklist /usr/lib/policykit-1/polkit-agent-helper-1 | ||
550 | blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper | 573 | blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper |
551 | blacklist /usr/lib/eject/dmcrypt-get-device | 574 | blacklist /usr/lib/eject/dmcrypt-get-device |
552 | blacklist /usr/lib/chromium/chrome-sandbox | 575 | blacklist /usr/lib/openssh |
553 | blacklist /usr/lib/opera/opera_sandbox | 576 | blacklist /usr/lib/opera/opera_sandbox |
554 | blacklist /usr/lib/vmware | 577 | blacklist /usr/lib/policykit-1/polkit-agent-helper-1 |
555 | blacklist ${PATH}/suexec | ||
556 | blacklist /usr/lib/squid/basic_pam_auth | 578 | blacklist /usr/lib/squid/basic_pam_auth |
557 | blacklist ${PATH}/slock | 579 | blacklist /usr/lib/ssh |
558 | blacklist ${PATH}/physlock | 580 | blacklist /usr/lib/vmware |
559 | blacklist ${PATH}/schroot | 581 | blacklist /usr/lib/xorg/Xorg.wrap |
560 | blacklist ${PATH}/wshowkeys | 582 | blacklist /usr/libexec/openssh |
561 | blacklist ${PATH}/pmount | ||
562 | blacklist ${PATH}/pumount | ||
563 | blacklist ${PATH}/bmon | ||
564 | blacklist ${PATH}/fping | ||
565 | blacklist ${PATH}/fping6 | ||
566 | blacklist ${PATH}/hostname | ||
567 | #blacklist ${PATH}/ip # breaks --ip=dhcp | ||
568 | blacklist ${PATH}/mtr | ||
569 | blacklist ${PATH}/mtr-packet | ||
570 | blacklist ${PATH}/netstat | ||
571 | blacklist ${PATH}/nm-online | ||
572 | blacklist ${PATH}/nmcli | ||
573 | blacklist ${PATH}/nmtui | ||
574 | blacklist ${PATH}/nmtui-connect | ||
575 | blacklist ${PATH}/nmtui-edit | ||
576 | blacklist ${PATH}/nmtui-hostname | ||
577 | blacklist ${PATH}/networkctl | ||
578 | blacklist ${PATH}/ss | ||
579 | blacklist ${PATH}/traceroute | ||
580 | # since firejail version 0.9.73 | 583 | # since firejail version 0.9.73 |
581 | blacklist ${PATH}/dpkg* | 584 | blacklist ${PATH}/dpkg* |
582 | blacklist ${PATH}/apt* | 585 | blacklist ${PATH}/apt* |
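Review bot: The two entries whose scope is widened to a glob, `blacklist ${PATH}/fusermount*` (new line 518) and `blacklist ${PATH}/mount.*` (new line 528), carry no explanation, whereas the one entry deliberately left out, `ip` on line 524, does; without a reason next to them a later tidy-up can easily narrow them back to the single binaries they replaced. Since only full-line `#` comments are demonstrated in this file, a line above each would be the safe form, e.g. `# glob: fusermount3 on current FUSE` and `# glob: also the setuid mount helpers such as mount.nfs and mount.cifs`. The same treatment is not given to `traceroute` on line 564, so where a distribution ships a `traceroute6` variant it stays reachable; `blacklist ${PATH}/traceroute*` would keep it in step with the other two globs. A smaller precision point: `wall` and `write` (lines 567 and 568) are typically setgid rather than setuid, which the section header on line 505, "various SUID executables", does not quite cover; a word there such as "SUID/SGID" would avoid the mismatch.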