diff options
| author |  netblue30 <netblue30@protonmail.com> | 2023-08-22 19:18:18 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2023-08-22 19:18:18 -0400 |
| commit | 96beb3358c430a5e470ce02fd64ffc3f7fc23706 (patch) | |
| tree | eb9cc9ce3be9533ca9bab75905e19a17c0adaf51 /etc/inc/disable-common.inc | |
| parent | Merge branch 'master' of ssh://github.com/netblue30/firejail (diff) | |
| download | firejail-96beb3358c430a5e470ce02fd64ffc3f7fc23706.tar.gz firejail-96beb3358c430a5e470ce02fd64ffc3f7fc23706.tar.zst firejail-96beb3358c430a5e470ce02fd64ffc3f7fc23706.zip | |
a second round of blacklisting in disable-common.inc
Diffstat (limited to 'etc/inc/disable-common.inc')
| -rw-r--r-- | etc/inc/disable-common.inc | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 010cb05b6..bcf90e9ed 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -170,7 +170,7 @@ blacklist ${RUNUSER}/gsconnect | |||
| 170 | blacklist ${HOME}/.config/systemd | 170 | blacklist ${HOME}/.config/systemd |
| 171 | blacklist ${HOME}/.local/share/systemd | 171 | blacklist ${HOME}/.local/share/systemd |
| 172 | blacklist ${PATH}/systemctl | 172 | blacklist ${PATH}/systemctl |
| 173 | blacklist ${PATH}/systemd-run | 173 | blacklist ${PATH}/systemd* |
| 174 | blacklist ${RUNUSER}/systemd | 174 | blacklist ${RUNUSER}/systemd |
| 175 | blacklist /etc/credstore* | 175 | blacklist /etc/credstore* |
| 176 | blacklist /etc/systemd/network | 176 | blacklist /etc/systemd/network |
| @@ -518,7 +518,10 @@ blacklist ${PATH}/kdesudo | |||
| 518 | blacklist ${PATH}/ksu | 518 | blacklist ${PATH}/ksu |
| 519 | blacklist ${PATH}/mount | 519 | blacklist ${PATH}/mount |
| 520 | blacklist ${PATH}/mount.ecryptfs_private | 520 | blacklist ${PATH}/mount.ecryptfs_private |
| 521 | blacklist ${PATH}/mountpoint | ||
| 521 | blacklist ${PATH}/nc | 522 | blacklist ${PATH}/nc |
| 523 | blacklist ${PATH}/nc.traditional | ||
| 524 | blacklist ${PATH}/nc.openbsd | ||
| 522 | blacklist ${PATH}/ncat | 525 | blacklist ${PATH}/ncat |
| 523 | blacklist ${PATH}/nmap | 526 | blacklist ${PATH}/nmap |
| 524 | blacklist ${PATH}/newgidmap | 527 | blacklist ${PATH}/newgidmap |
| @@ -572,7 +575,28 @@ blacklist ${PATH}/nmtui-hostname | |||
| 572 | blacklist ${PATH}/networkctl | 575 | blacklist ${PATH}/networkctl |
| 573 | blacklist ${PATH}/ss | 576 | blacklist ${PATH}/ss |
| 574 | blacklist ${PATH}/traceroute | 577 | blacklist ${PATH}/traceroute |
| 578 | # since firejail version 0.9.73 | ||
| 575 | blacklist ${PATH}/dpkg* | 579 | blacklist ${PATH}/dpkg* |
| 580 | blacklist ${PATH}/fakeroot* | ||
| 581 | blacklist ${PATH}/apt* | ||
| 582 | blacklist ${PATH}/dumpcap | ||
| 583 | blacklist ${PATH}/efibootdump | ||
| 584 | blacklist ${PATH}/efibootmgr | ||
| 585 | blacklist ${PATH}/passmass | ||
| 586 | blacklist ${PATH}/proxy | ||
| 587 | blacklist ${PATH}/aa-* | ||
| 588 | blacklist ${PATH}/airscan-discover | ||
| 589 | blacklist ${PATH}/avahi* | ||
| 590 | blacklist ${PATH}/dbus-* | ||
| 591 | blacklist ${PATH}/debconf* | ||
| 592 | blacklist ${PATH}/grub-* | ||
| 593 | blacklist ${PATH}/kernel-install # from systemd package | ||
| 594 | |||
| 595 | # binaries installed by firejail | ||
| 596 | blacklist ${PATH}/firemon | ||
| 597 | blacklist ${PATH}/firecfg | ||
| 598 | blacklist ${PATH}/jailcheck | ||
| 599 | blacklist ${PATH}/firetools | ||
| 576 | 600 | ||
| 577 | # other SUID binaries | 601 | # other SUID binaries |
| 578 | blacklist /opt/microsoft/msedge*/msedge-sandbox | 602 | blacklist /opt/microsoft/msedge*/msedge-sandbox |
| @@ -653,10 +677,13 @@ blacklist ${HOME}/sent | |||
| 653 | blacklist /proc/config.gz | 677 | blacklist /proc/config.gz |
| 654 | 678 | ||
| 655 | # prevent DNS malware attempting to communicate with the server using regular DNS tools | 679 | # prevent DNS malware attempting to communicate with the server using regular DNS tools |
| 680 | blacklist ${PATH}/delv | ||
| 656 | blacklist ${PATH}/dig | 681 | blacklist ${PATH}/dig |
| 657 | blacklist ${PATH}/dlint | 682 | blacklist ${PATH}/dlint |
| 658 | blacklist ${PATH}/dns2tcp | 683 | blacklist ${PATH}/dns2tcp |
| 659 | blacklist ${PATH}/dnssec-* | 684 | blacklist ${PATH}/dnssec-* |
| 685 | blacklist ${PATH}/dnstap-read | ||
| 686 | blacklist ${PATH}/mdig | ||
| 660 | blacklist ${PATH}/dnswalk | 687 | blacklist ${PATH}/dnswalk |
| 661 | blacklist ${PATH}/drill | 688 | blacklist ${PATH}/drill |
| 662 | blacklist ${PATH}/host | 689 | blacklist ${PATH}/host |
| @@ -667,6 +694,8 @@ blacklist ${PATH}/knsupdate | |||
| 667 | blacklist ${PATH}/ldns-* | 694 | blacklist ${PATH}/ldns-* |
| 668 | blacklist ${PATH}/ldnsd | 695 | blacklist ${PATH}/ldnsd |
| 669 | blacklist ${PATH}/nslookup | 696 | blacklist ${PATH}/nslookup |
| 697 | blacklist ${PATH}/nsupdate | ||
| 698 | blacklist ${PATH}/nstat | ||
| 670 | blacklist ${PATH}/resolvectl | 699 | blacklist ${PATH}/resolvectl |
| 671 | blacklist ${PATH}/unbound-host | 700 | blacklist ${PATH}/unbound-host |
| 672 | 701 | ||