author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-05-02 17:58:02 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-02 17:58:02 +0000 |
commit | 49280197ccf830b708b1b7c4d6fb8b3590f44da2 (patch) | |
tree | 76ae21d4faa96a2970738aedc693b6b9ed3183c8 /etc/inc | |
parent | fixes for zeal.profile (diff) | |
various hardening (#3394)
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/allow-common-devel.inc | 6 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 10 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 30 | ||||
-rw-r--r-- | etc/inc/whitelist-common.inc | 1 |
4 files changed, 43 insertions, 4 deletions
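--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -12,10 +12,16 @@ noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
 
 # Python
+noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
 # Rust
+noblacklist ${HOME}/.cargo/advisory-db
 noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/git
 noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.cargo/.crates.toml
+noblacklist ${HOME}/.cargo/.crates2.json
+noblacklist ${HOME}/.cargo/.package-cache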
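Review bot: The Rust block re-enables `${HOME}/.cargo/config` with full read-write access, and cargo's config is effectively executable policy — as far as I recall it can set `build.rustc`, `[target.<triple>].runner` and command aliases — so a compromised sandboxed dev tool could plant a command that the user's next unsandboxed `cargo build` runs. Profiles that only need cargo to read its configuration should pair this include with `read-only ${HOME}/.cargo/config`, and the Rust block deserves a comment saying why, e.g. `# .cargo/config can redirect rustc/runner; keep it read-only unless the profile must edit it`. The new entries for `advisory-db`, `git`, `.crates.toml`, `.crates2.json` and `.package-cache` mirror the blacklist side and look consistent.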
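--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -149,8 +149,9 @@ read-only ${HOME}/.config/dconf
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
-# blacklist /var/run/systemd
+blacklist ${PATH}/systemd-run
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+#blacklist /var/run/systemd
 
 # openrc
 blacklist /etc/runlevels/
@@ -308,13 +309,17 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
 read-only ${HOME}/.gnome/apps
 read-only ${HOME}/.local/share/applications
 
+read-only ${HOME}/.config/mimeapps.list
+read-only ${HOME}/.config/user-dirs.dirs
+read-only ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.local/share/mime
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
@@ -451,6 +456,7 @@ blacklist /vmlinuz*
 blacklist /.snapshots
 
 # flatpak
+blacklist ${HOME}/.cache/flatpak
 blacklist ${HOME}/.config/flatpak
 blacklist ${HOME}/.local/share/flatpak/app
 blacklist ${HOME}/.local/share/flatpak/appstream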
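Review bot: `blacklist ${PATH}/systemd-run` (new line 152 in the first hunk) only hides the client binary; the same StartTransientUnit request can be issued to the user manager over the session bus with `busctl`, `gdbus` or `dbus-send`, so the sandbox escape it is aimed at is closed only in profiles that also cut the session bus (nodbus, or the D-Bus filtering where available). That limitation belongs in a comment next to the line, e.g. `# systemd-run can start units outside the sandbox via the user manager; nodbus/dbus filtering is the real fence`. Separately, the second hunk drops `read-only ${HOME}/.cargo/env`, a script rustup has users source from their shell startup files, which hands a sandboxed program a place to write code the next login shell executes; unless the removal was deliberate it should stay next to `read-only ${HOME}/.cargo/bin`. The new `read-only` lines for mimeapps.list, user-dirs.dirs, user-dirs.locale and the mime database close real handler-hijack paths and look right.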
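--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -54,8 +54,13 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/advisory-db
 blacklist ${HOME}/.cargo/config
+blacklist ${HOME}/.cargo/git
+blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/.crates.toml
+blacklist ${HOME}/.cargo/.crates2.json
+blacklist ${HOME}/.cargo/.package-cache
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
@@ -75,6 +80,7 @@ blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Debauchee/Barrier.conf
+blacklist ${HOME}/.config/Dharkael
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Franz
@@ -118,6 +124,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Zeal
@@ -125,6 +132,7 @@ blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
+blacklist ${HOME}/.config/alacritty
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/aria2
@@ -136,6 +144,7 @@ blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
 blacklist ${HOME}/.config/autokey
 blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/backintime
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
 blacklist ${HOME}/.config/blender
@@ -195,14 +204,18 @@ blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
+blacklist ${HOME}/.config/glade.conf
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gmpc
 blacklist ${HOME}/.config/gnome-builder
 blacklist ${HOME}/.config/gnome-chess
+blacklist ${HOME}/.config/gnome-control-center
+blacklist ${HOME}/.config/gnome-initial-setup-done
 blacklist ${HOME}/.config/gnome-latex
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
 blacklist ${HOME}/.config/gnome-pie
+blacklist ${HOME}/.config/gnome-session
 blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
@@ -255,6 +268,7 @@ blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
+blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
 blacklist ${HOME}/.config/midori
@@ -264,6 +278,7 @@ blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mutter
 blacklist ${HOME}/.config/mypaint
 blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
@@ -362,6 +377,7 @@ blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
+blacklist ${HOME}/.cups
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie
@@ -400,6 +416,7 @@ blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
+blacklist ${HOME}/.hex-a-hop
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.i2p
@@ -515,6 +532,7 @@ blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
 blacklist ${HOME}/.local/share/bibletime
@@ -545,8 +563,9 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-klotski
 blacklist ${HOME}/.local/share/gnome-latex
 blacklist ${HOME}/.local/share/gnome-mines
@@ -672,6 +691,7 @@ blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
+blacklist ${HOME}/.pylint.d
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
@@ -702,6 +722,7 @@ blacklist ${HOME}/.config/teams-for-linux
 blacklist ${HOME}/.tb
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
+blacklist ${HOME}/.texlive2018
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
@@ -779,6 +800,7 @@ blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
 blacklist ${HOME}/.cache/dolphin
@@ -795,9 +817,12 @@ blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
 blacklist ${HOME}/.cache/gnome-recipes
 blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
@@ -848,6 +873,7 @@ blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/qBittorrent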
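Review bot: The Rust block in the first hunk blacklists `${HOME}/.cargo/config` but not `${HOME}/.cargo/config.toml`, which cargo has also read for some time (since 1.39, as far as I recall), so a sandboxed program can still read — and, absent a `read-only`, rewrite — the user's cargo configuration through the newer filename; add `blacklist ${HOME}/.cargo/config.toml` here and the matching `noblacklist` in allow-common-devel.inc. `${HOME}/.cargo/credentials` (and its `credentials.toml` variant), which holds the crates.io publish token, is not in the visible part of the list either; if it is not blacklisted elsewhere in the file, it is the most sensitive entry under `.cargo` and should be added ahead of the cache directories. The remaining hunks are single-path additions and look fine.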
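--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -38,6 +38,7 @@ whitelist ${HOME}/.pangorc
 # gtk
 whitelist ${HOME}/.config/gtk-2.0
 whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/gtk-4.0
 whitelist ${HOME}/.config/gtkrc
 whitelist ${HOME}/.config/gtkrc-2.0
 whitelist ${HOME}/.gnome2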