author | netblue30 <netblue30@protonmail.com> | 2023-08-22 19:18:18 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2023-08-22 19:18:18 -0400 |
commit | 96beb3358c430a5e470ce02fd64ffc3f7fc23706 (patch) | |
tree | eb9cc9ce3be9533ca9bab75905e19a17c0adaf51 /etc/inc | |
parent | Merge branch 'master' of ssh://github.com/netblue30/firejail (diff) | |
a second round of blacklisting in disable-common.inc
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/disable-common.inc | 31 |
1 files changed, 30 insertions, 1 deletions
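--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -170,7 +170,7 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist ${PATH}/systemctl
-blacklist ${PATH}/systemd-run
+blacklist ${PATH}/systemd*
 blacklist ${RUNUSER}/systemd
 blacklist /etc/credstore*
 blacklist /etc/systemd/network
@@ -518,7 +518,10 @@ blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
 blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/mountpoint
 blacklist ${PATH}/nc
+blacklist ${PATH}/nc.traditional
+blacklist ${PATH}/nc.openbsd
 blacklist ${PATH}/ncat
 blacklist ${PATH}/nmap
 blacklist ${PATH}/newgidmap
@@ -572,7 +575,28 @@ blacklist ${PATH}/nmtui-hostname
 blacklist ${PATH}/networkctl
 blacklist ${PATH}/ss
 blacklist ${PATH}/traceroute
+# since firejail version 0.9.73
 blacklist ${PATH}/dpkg*
+blacklist ${PATH}/fakeroot*
+blacklist ${PATH}/apt*
+blacklist ${PATH}/dumpcap
+blacklist ${PATH}/efibootdump
+blacklist ${PATH}/efibootmgr
+blacklist ${PATH}/passmass
+blacklist ${PATH}/proxy
+blacklist ${PATH}/aa-*
+blacklist ${PATH}/airscan-discover
+blacklist ${PATH}/avahi*
+blacklist ${PATH}/dbus-*
+blacklist ${PATH}/debconf*
+blacklist ${PATH}/grub-*
+blacklist ${PATH}/kernel-install # from systemd package
+
+# binaries installed by firejail
+blacklist ${PATH}/firemon
+blacklist ${PATH}/firecfg
+blacklist ${PATH}/jailcheck
+blacklist ${PATH}/firetools
 
 # other SUID binaries
 blacklist /opt/microsoft/msedge*/msedge-sandbox
@@ -653,10 +677,13 @@ blacklist ${HOME}/sent
 blacklist /proc/config.gz
 
 # prevent DNS malware attempting to communicate with the server using regular DNS tools
+blacklist ${PATH}/delv
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
 blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnstap-read
+blacklist ${PATH}/mdig
 blacklist ${PATH}/dnswalk
 blacklist ${PATH}/drill
 blacklist ${PATH}/host
@@ -667,6 +694,8 @@ blacklist ${PATH}/knsupdate
 blacklist ${PATH}/ldns-*
 blacklist ${PATH}/ldnsd
 blacklist ${PATH}/nslookup
+blacklist ${PATH}/nsupdate
+blacklist ${PATH}/nstat
 blacklist ${PATH}/resolvectl
 blacklist ${PATH}/unbound-host
 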
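Review bot: `blacklist ${PATH}/nstat` (new line 698) is filed under the comment "prevent DNS malware attempting to communicate with the server using regular DNS tools", but nstat is the iproute2 network-counter reader rather than a DNS client, so the comment no longer describes the list. I would move it next to `blacklist ${PATH}/ss` at new line 576, or give it its own comment such as `# network statistics`. Separately, `blacklist ${PATH}/systemd*` replaces the single `systemd-run` entry with a whole family of helpers, `blacklist ${PATH}/dbus-*` is similarly broad, and `blacklist ${PATH}/proxy` gives no hint of which package it targets, unlike `kernel-install # from systemd package`. A short comment on those lines stating the intent (for example `# wildcard on purpose; a profile that needs one helper must noblacklist it`) would let profile authors tell a deliberate block from an accident when an application that includes this file stops working.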