Add profiles for build-systems (/package-managers)

Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip All redirect to build-systems-common.profile Other fixes: - blacklist ${HOME}/.bundle - blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo - blacklist /usr/lib64/ruby
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-09-08 23:21:07 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-09-08 23:21:07 +0200
commit: d452e45a9196aa2f4d34706fcfb7907707a19ff9 (patch)
tree: 1bc43ac88064e688a32e580a8e4512837f685733 /etc/profile-a-l
parent: Fix #4509 -- Nextcloud profile broken - needs 3D and system tray access (diff)
download: firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.gz
firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.zst
firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.zip
4 files changed, 111 insertions, 54 deletions
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..159593eb7
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,65 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+ignore noexec ${HOME}
+ignore noexec /tmp
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+whitelist ${HOME}/Projects
+whitelist /usr/share/pkgconfig
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..269bfd130
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,24 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.bundle
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+mkdir ${HOME}/.bundle
+whitelist ${HOME}/.bundle
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+private-bin bundle,bundler,ruby,ruby-mri
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..af188e7f9 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,19 @@ include cargo.local
 # Persistent global definitions
 include globals.local
-ignore noexec ${HOME}
+ignore read-only ${HOME}/.cargo/bin
-ignore noexec /tmp
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
-# Allows files commonly used by IDEs
+mkdir ${HOME}/.cargo
-include allow-common-devel.inc
+whitelist ${HOME}/.cargo
+whitelist ${HOME}/.rustup
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
-#whitelist ${HOME}/.cargo
-#whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-dbus-user none
-dbus-system none
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..1fb893f86
--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,15 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+private-bin cmake
+memory-deny-write-execute
+# Redirect
+include build-systems-common.profile
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-09-08 23:21:07 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-09-08 23:21:07 +0200
commit	d452e45a9196aa2f4d34706fcfb7907707a19ff9 (patch)
tree	1bc43ac88064e688a32e580a8e4512837f685733 /etc/profile-a-l
parent	Fix #4509 -- Nextcloud profile broken - needs 3D and system tray access (diff)
download	firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.gz firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.tar.zst firejail-d452e45a9196aa2f4d34706fcfb7907707a19ff9.zip

diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile new file mode 100644 index 000000000..159593eb7 --- /dev/null +++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,65 @@
		1	# Firejail profile for build-systems-common
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include build-systems-common.local
		5	# Persistent global definitions
		6	# added by caller profile
		7	#include globals.local
		8
		9	ignore noexec ${HOME}
		10	ignore noexec /tmp
		11
		12	# Allow /bin/sh (blacklisted by disable-shell.inc)
		13	include allow-bin-sh.inc
		14
		15	# Allows files commonly used by IDEs
		16	include allow-common-devel.inc
		17
		18	# Allow ssh (blacklisted by disable-common.inc)
		19	#include allow-ssh.inc
		20
		21	blacklist ${RUNUSER}
		22
		23	include disable-common.inc
		24	include disable-exec.inc
		25	include disable-interpreters.inc
		26	include disable-programs.inc
		27	include disable-shell.inc
		28	include disable-X11.inc
		29	include disable-xdg.inc
		30
		31	whitelist ${HOME}/Projects
		32	whitelist /usr/share/pkgconfig
		33	include whitelist-common.inc
		34	include whitelist-run-common.inc
		35	include whitelist-usr-share-common.inc
		36	include whitelist-var-common.inc
		37
		38	caps.drop all
		39	ipc-namespace
		40	machine-id
		41	# net none
		42	netfilter
		43	no3d
		44	nodvd
		45	nogroups
		46	noinput
		47	nonewprivs
		48	noroot
		49	nosound
		50	notv
		51	nou2f
		52	novideo
		53	protocol unix,inet,inet6
		54	seccomp
		55	seccomp.block-secondary
		56	shell none
		57	tracelog
		58
		59	disable-mnt
		60	private-cache
		61	private-dev
		62	private-tmp
		63
		64	dbus-user none
		65	dbus-system none


diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile new file mode 100644 index 000000000..269bfd130 --- /dev/null +++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,24 @@
		1	# Firejail profile for bundle
		2	# Description: Ruby Dependency Management
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include bundle.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${HOME}/.bundle
		11
		12	# Allow ruby (blacklisted by disable-interpreters.inc)
		13	include allow-ruby.inc
		14
		15	mkdir ${HOME}/.bundle
		16	whitelist ${HOME}/.bundle
		17	whitelist /usr/share/gems
		18	whitelist /usr/share/ruby
		19	whitelist /usr/share/rubygems
		20
		21	private-bin bundle,bundler,ruby,ruby-mri
		22
		23	# Redirect
		24	include build-systems-common.profile


diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index ff46cd429..af188e7f9 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,19 @@ include cargo.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
10	ignore noexec ${HOME}	10	ignore read-only ${HOME}/.cargo/bin
11	ignore noexec /tmp
12
13	blacklist /tmp/.X11-unix
14	blacklist ${RUNUSER}
15		11
16	noblacklist ${HOME}/.cargo/credentials	12	noblacklist ${HOME}/.cargo/credentials
17	noblacklist ${HOME}/.cargo/credentials.toml	13	noblacklist ${HOME}/.cargo/credentials.toml
18		14
19	# Allows files commonly used by IDEs	15	mkdir ${HOME}/.cargo
20	include allow-common-devel.inc	16	whitelist ${HOME}/.cargo
21		17	whitelist ${HOME}/.rustup
22	# Allow ssh (blacklisted by disable-common.inc)
23	#include allow-ssh.inc
24
25	include disable-common.inc
26	include disable-exec.inc
27	include disable-interpreters.inc
28	include disable-programs.inc
29	include disable-xdg.inc
30
31	#mkdir ${HOME}/.cargo
32	#whitelist ${HOME}/YOUR_CARGO_PROJECTS
33	#whitelist ${HOME}/.cargo
34	#whitelist ${HOME}/.rustup
35	#include whitelist-common.inc
36	whitelist /usr/share/pkgconfig
37	include whitelist-runuser-common.inc
38	include whitelist-usr-share-common.inc
39	include whitelist-var-common.inc
40		18
41	caps.drop all
42	ipc-namespace
43	machine-id
44	netfilter
45	no3d
46	nodvd
47	nogroups
48	noinput
49	nonewprivs
50	noroot
51	nosound
52	notv
53	nou2f
54	novideo
55	protocol unix,inet,inet6
56	seccomp
57	seccomp.block-secondary
58	shell none
59	tracelog
60
61	disable-mnt
62	#private-bin cargo,rustc	19	#private-bin cargo,rustc
63	private-cache
64	private-dev
65	private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl	20	private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
66	private-tmp
67
68	dbus-user none
69	dbus-system none
70		21
71	memory-deny-write-execute	22	memory-deny-write-execute
72	read-write ${HOME}/.cargo/bin	23
		24	# Redirect
		25	include build-systems-common.profile


diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile new file mode 100644 index 000000000..1fb893f86 --- /dev/null +++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,15 @@
		1	# Firejail profile for cargo
		2	# Description: The Rust package manager
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include cargo.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	private-bin cmake
		11
		12	memory-deny-write-execute
		13
		14	# Redirect
		15	include build-systems-common.profile