Add profiles for build-systems (/package-managers)

Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip All redirect to build-systems-common.profile Other fixes: - blacklist ${HOME}/.bundle - blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo - blacklist /usr/lib64/ruby
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-09-08 23:21:07 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-09-08 23:21:07 +0200
commit: d452e45a9196aa2f4d34706fcfb7907707a19ff9 (patch)
tree: 1bc43ac88064e688a32e580a8e4512837f685733 /etc/profile-a-l/cargo.profile
parent: Fix #4509 -- Nextcloud profile broken - needs 3D and system tray access (diff)
download: firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.gz
firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.zst
firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.zip
1 files changed, 7 insertions, 54 deletions
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..af188e7f9 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,19 @@ include cargo.local
 # Persistent global definitions
 include globals.local
-ignore noexec ${HOME}
+ignore read-only ${HOME}/.cargo/bin
-ignore noexec /tmp
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
-# Allows files commonly used by IDEs
+mkdir ${HOME}/.cargo
-include allow-common-devel.inc
+whitelist ${HOME}/.cargo
+whitelist ${HOME}/.rustup
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
-#whitelist ${HOME}/.cargo
-#whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-dbus-user none
-dbus-system none
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+# Redirect
+include build-systems-common.profile
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-09-08 23:21:07 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-09-08 23:21:07 +0200
commit	d452e45a9196aa2f4d34706fcfb7907707a19ff9 (patch)
tree	1bc43ac88064e688a32e580a8e4512837f685733 /etc/profile-a-l/cargo.profile
parent	Fix #4509 -- Nextcloud profile broken - needs 3D and system tray access (diff)
download	firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.gz firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.zst firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.zip

diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index ff46cd429..af188e7f9 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,19 @@ include cargo.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
10	ignore noexec ${HOME}	10	ignore read-only ${HOME}/.cargo/bin
11	ignore noexec /tmp
12
13	blacklist /tmp/.X11-unix
14	blacklist ${RUNUSER}
15		11
16	noblacklist ${HOME}/.cargo/credentials	12	noblacklist ${HOME}/.cargo/credentials
17	noblacklist ${HOME}/.cargo/credentials.toml	13	noblacklist ${HOME}/.cargo/credentials.toml
18		14
19	# Allows files commonly used by IDEs	15	mkdir ${HOME}/.cargo
20	include allow-common-devel.inc	16	whitelist ${HOME}/.cargo
21		17	whitelist ${HOME}/.rustup
22	# Allow ssh (blacklisted by disable-common.inc)
23	#include allow-ssh.inc
24
25	include disable-common.inc
26	include disable-exec.inc
27	include disable-interpreters.inc
28	include disable-programs.inc
29	include disable-xdg.inc
30
31	#mkdir ${HOME}/.cargo
32	#whitelist ${HOME}/YOUR_CARGO_PROJECTS
33	#whitelist ${HOME}/.cargo
34	#whitelist ${HOME}/.rustup
35	#include whitelist-common.inc
36	whitelist /usr/share/pkgconfig
37	include whitelist-runuser-common.inc
38	include whitelist-usr-share-common.inc
39	include whitelist-var-common.inc
40		18
41	caps.drop all
42	ipc-namespace
43	machine-id
44	netfilter
45	no3d
46	nodvd
47	nogroups
48	noinput
49	nonewprivs
50	noroot
51	nosound
52	notv
53	nou2f
54	novideo
55	protocol unix,inet,inet6
56	seccomp
57	seccomp.block-secondary
58	shell none
59	tracelog
60
61	disable-mnt
62	#private-bin cargo,rustc	19	#private-bin cargo,rustc
63	private-cache
64	private-dev
65	private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl	20	private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
66	private-tmp
67
68	dbus-user none
69	dbus-system none
70		21
71	memory-deny-write-execute	22	memory-deny-write-execute
72	read-write ${HOME}/.cargo/bin	23
		24	# Redirect
		25	include build-systems-common.profile