author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-05-12 17:45:47 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-12 17:45:47 +0000 |
commit | 6c91074fc90e774e3b40ad231bb178bea6ec5ae6 (patch) | |
tree | 084dedffb99f27540a35d5356b399d987bde9d75 /etc/profile-a-l | |
parent | landlock: fix misc alignment/newline (diff) | |
profiles: loupe: harden and disable apparmor (#6333)
The profile currently does not include disable-common nor make
`${HOME}` read-only, so the program can simply write to ~/.bashrc
directly[1].
disable-common.inc was commented due to it apparently breaking bwrap.
As discovered by @glitsj16, it seems that allowing the bwrap binary is
enough to make it work (and that apparmor breaks loupe)[2].
So disable apparmor, allow bwrap and include disable-common.inc, plus
other hardening by @glitsj16.
This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) /
PR #6327.
[1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865
[2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480
Diffstat (limited to 'etc/profile-a-l')
-rw-r--r-- | etc/profile-a-l/loupe.profile | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/etc/profile-a-l/loupe.profile b/etc/profile-a-l/loupe.profile index 5d39341f5..9406053fd 100644 --- a/etc/profile-a-l/loupe.profile +++ b/etc/profile-a-l/loupe.profile | |||
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.local/share/Trash | |||
10 | noblacklist ${HOME}/.Steam | 10 | noblacklist ${HOME}/.Steam |
11 | noblacklist ${HOME}/.steam | 11 | noblacklist ${HOME}/.steam |
12 | 12 | ||
13 | #include disable-common.inc | 13 | noblacklist ${PATH}/bwrap |
14 | |||
15 | include disable-common.inc | ||
14 | include disable-devel.inc | 16 | include disable-devel.inc |
15 | include disable-exec.inc | 17 | include disable-exec.inc |
16 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
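Review bot: the new `noblacklist ${PATH}/bwrap` (line 13) carries no comment saying why a sandboxing helper is being re-allowed inside the sandbox; the only record is the commit message, which says loupe does not work without it and that the `include disable-common.inc` two lines below is what otherwise blocks it. A trailing comment such as `noblacklist ${PATH}/bwrap # required by loupe` would stop the next hardening pass from removing it again. The ordering itself is correct: the noblacklist precedes the include that would blacklist the path.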
@@ -22,7 +24,7 @@ include whitelist-runuser-common.inc | |||
22 | #include whitelist-usr-share-common.inc | 24 | #include whitelist-usr-share-common.inc |
23 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
24 | 26 | ||
25 | apparmor | 27 | #apparmor |
26 | caps.drop all | 28 | caps.drop all |
27 | ipc-namespace | 29 | ipc-namespace |
28 | machine-id | 30 | machine-id |
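Review bot: `apparmor` is commented out (line 27) with no in-profile reason, unlike the `read-only ${HOME}` line later in this patch, which documents what it breaks. Since the commit message states that apparmor breaks loupe, the same convention should be used here, e.g. `#apparmor # breaks loupe`, ideally with the PR number, so a reader of the profile can tell this is a deliberate trade-off rather than an oversight.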
@@ -44,7 +46,13 @@ protocol unix,netlink | |||
44 | seccomp.block-secondary | 46 | seccomp.block-secondary |
45 | tracelog | 47 | tracelog |
46 | 48 | ||
49 | private-bin bwrap,loupe | ||
47 | private-cache | 50 | private-cache |
48 | private-dev | 51 | private-dev |
49 | private-etc @x11 | 52 | private-etc @x11 |
50 | private-tmp | 53 | private-tmp |
54 | |||
55 | dbus-user none | ||
56 | dbus-system none | ||
57 | |||
58 | #read-only ${HOME} # breaks "Move to trash" and "Set as background" | ||
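Review bot: `dbus-user none` (line 55) is added without a comment, while line 58 of the same hunk keeps `read-only ${HOME}` disabled specifically so that "Move to trash" and "Set as background" keep working; both of those are desktop-integration features that often go through the session bus rather than the filesystem alone, so please confirm they still function with the session bus fully blocked, and if they need it, `dbus-user filter` with a narrow `dbus-user.talk` rule is the tighter setting to document here. Separately, since the commit message motivates this patch with ~/.bashrc being writable, it would help to state in the line-58 comment that disable-common.inc is now relied on to cover the shell dotfiles, so the reason `read-only ${HOME}` can stay off is visible next to the directive.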