aboutsummaryrefslogtreecommitdiffstats
path: root/etc/inc/disable-programs.inc
diff options
context:
space:
mode:
authorLibravatar rusty-snake <41237666+rusty-snake@users.noreply.github.com>2020-11-09 16:08:48 +0000
committerLibravatar GitHub <noreply@github.com>2020-11-09 16:08:48 +0000
commit594300374dc15bd704bcb1f2a98b17faef80aa79 (patch)
treeac1b6d8c80a94f26c82c17ee30c34a1623f9c064 /etc/inc/disable-programs.inc
parentadding test-profiles to ci test (diff)
downloadfirejail-594300374dc15bd704bcb1f2a98b17faef80aa79.tar.gz
firejail-594300374dc15bd704bcb1f2a98b17faef80aa79.tar.zst
firejail-594300374dc15bd704bcb1f2a98b17faef80aa79.zip
rework chromium (#3688)
* rework chromium + 516d0811 has removed fundamental security features. (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep) Though this is only necessary if running under a kernel which disallow unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctk (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs. + chromium-common.profile: add private-cache + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome. - [ ] bnox, dnox, enox, inox, snox - [ ] brave - [ ] flashpeak-slimjet - [ ] google-chrome, google-chrome-beta, google-chrome-unstable - [ ] iridium - [ ] min - [ ] opera, opera-beta + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot? + create chromium-browser-privacy.profile (closes #3633) * update 1 + add missing 'ignore whitelist /usr/share/chromium' + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such as AAC too. In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues. * update 2 * update 3 fixes #3709
Diffstat (limited to 'etc/inc/disable-programs.inc')
-rw-r--r--etc/inc/disable-programs.inc2
1 files changed, 2 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 1fba79f43..7e3c0b657 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -391,6 +391,7 @@ blacklist ${HOME}/.config/transmission
391blacklist ${HOME}/.config/truecraft 391blacklist ${HOME}/.config/truecraft
392blacklist ${HOME}/.config/tvbrowser 392blacklist ${HOME}/.config/tvbrowser
393blacklist ${HOME}/.config/uGet 393blacklist ${HOME}/.config/uGet
394blacklist ${HOME}/.config/ungoogled-chromium
394blacklist ${HOME}/.config/uzbl 395blacklist ${HOME}/.config/uzbl
395blacklist ${HOME}/.config/viewnior 396blacklist ${HOME}/.config/viewnior
396blacklist ${HOME}/.config/vivaldi 397blacklist ${HOME}/.config/vivaldi
@@ -977,6 +978,7 @@ blacklist ${HOME}/.cache/telepathy
977blacklist ${HOME}/.cache/thunderbird 978blacklist ${HOME}/.cache/thunderbird
978blacklist ${HOME}/.cache/torbrowser 979blacklist ${HOME}/.cache/torbrowser
979blacklist ${HOME}/.cache/transmission 980blacklist ${HOME}/.cache/transmission
981blacklist ${HOME}/.cache/ungoogled-chromium
980blacklist ${HOME}/.cache/vivaldi 982blacklist ${HOME}/.cache/vivaldi
981blacklist ${HOME}/.cache/vivaldi-snapshot 983blacklist ${HOME}/.cache/vivaldi-snapshot
982blacklist ${HOME}/.cache/vlc 984blacklist ${HOME}/.cache/vlc
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 18:20:23 +0000