author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-12-17 08:45:35 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-17 08:45:35 +0000 |
commit | f4f6767458208a127084e4c0103fab88761d9056 (patch) | |
tree | ff349c113ca4f3fc70cd9839a1775bb49092cab3 /etc/profile-a-l | |
parent | Archiver fixes - drop private-bin (#3832) (diff) | |
Refactor electron.profile and electron based programs (#3807)
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
Diffstat (limited to 'etc/profile-a-l')
-rw-r--r-- | etc/profile-a-l/atom.profile | 32 | ||||
-rw-r--r-- | etc/profile-a-l/beaker.profile | 21 | ||||
-rw-r--r-- | etc/profile-a-l/discord-common.profile | 37 | ||||
-rw-r--r-- | etc/profile-a-l/electron.profile | 28 | ||||
-rw-r--r-- | etc/profile-a-l/freetube.profile | 11 | ||||
-rw-r--r-- | etc/profile-a-l/github-desktop.profile | 46 | ||||
-rw-r--r-- | etc/profile-a-l/jitsi-meet-desktop.profile | 22 |
7 files changed, 88 insertions, 109 deletions
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile index cf0a5a42b..f21a5febf 100644 --- a/etc/profile-a-l/atom.profile +++ b/etc/profile-a-l/atom.profile | |||
@@ -6,31 +6,27 @@ include atom.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore include disable-devel.inc | ||
11 | ignore include disable-interpreters.inc | ||
12 | ignore include disable-xdg.inc | ||
13 | ignore whitelist ${DOWNLOADS} | ||
14 | ignore include whitelist-common.inc | ||
15 | ignore include whitelist-runuser-common.inc | ||
16 | ignore include whitelist-usr-share-common.inc | ||
17 | ignore include whitelist-var-common.inc | ||
18 | ignore apparmor | ||
19 | ignore disable-mnt | ||
20 | |||
9 | noblacklist ${HOME}/.atom | 21 | noblacklist ${HOME}/.atom |
10 | noblacklist ${HOME}/.config/Atom | 22 | noblacklist ${HOME}/.config/Atom |
11 | 23 | ||
12 | # Allows files commonly used by IDEs | 24 | # Allows files commonly used by IDEs |
13 | include allow-common-devel.inc | 25 | include allow-common-devel.inc |
14 | 26 | ||
15 | include disable-common.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | |||
20 | caps.keep sys_admin,sys_chroot | ||
21 | # net none | 27 | # net none |
22 | netfilter | 28 | netfilter |
23 | nodvd | ||
24 | nogroups | ||
25 | nosound | 29 | nosound |
26 | notv | ||
27 | nou2f | ||
28 | novideo | ||
29 | shell none | ||
30 | |||
31 | private-cache | ||
32 | private-dev | ||
33 | private-tmp | ||
34 | 30 | ||
35 | dbus-user none | 31 | # Redirect |
36 | dbus-system none | 32 | include electron.profile |
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile index cc1886a49..f3a9568bd 100644 --- a/etc/profile-a-l/beaker.profile +++ b/etc/profile-a-l/beaker.profile | |||
@@ -3,17 +3,26 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include beaker.local | 4 | include beaker.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | # added by included profile | 6 | include globals.local |
7 | #include globals.local | ||
8 | 7 | ||
9 | noblacklist ${HOME}/.config/Beaker Browser | 8 | # Disabled until someone reported positive feedback |
9 | ignore include disable-exec.inc | ||
10 | ignore include disable-xdg.inc | ||
11 | ignore include whitelist-runuser-common.inc | ||
12 | ignore include whitelist-usr-share-common.inc | ||
13 | ignore include whitelist-var-common.inc | ||
14 | ignore nou2f | ||
15 | ignore novideo | ||
16 | ignore shell none | ||
17 | ignore disable-mnt | ||
18 | ignore private-cache | ||
19 | ignore private-dev | ||
20 | ignore private-tmp | ||
10 | 21 | ||
11 | include disable-devel.inc | 22 | noblacklist ${HOME}/.config/Beaker Browser |
12 | include disable-interpreters.inc | ||
13 | 23 | ||
14 | mkdir ${HOME}/.config/Beaker Browser | 24 | mkdir ${HOME}/.config/Beaker Browser |
15 | whitelist ${HOME}/.config/Beaker Browser | 25 | whitelist ${HOME}/.config/Beaker Browser |
16 | include whitelist-common.inc | ||
17 | 26 | ||
18 | # Redirect | 27 | # Redirect |
19 | include electron.profile | 28 | include electron.profile |
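Review bot: Through the old electron.profile, beaker previously got `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp`; the electron.profile this redirect now targets (rewritten in the same commit) provides none of those, and nothing in this hunk re-adds them, so beaker's sandbox is materially weaker after the refactor even though it was already known to work with them. The new `ignore` block (new lines 9-20) only neutralises the additional restrictions electron.profile gained and leaves the lost ones unaddressed. Unless the commented-out hardened include is confirmed to cover them and is meant to be on for beaker, add them back explicitly above the redirect: `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink`, `seccomp`.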
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index 35bea4aaa..e6edbd7eb 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -6,33 +6,24 @@ include discord-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore noexec ${HOME} | 9 | # Disabled until someone reported positive feedback |
10 | ignore include disable-interpreters.inc | ||
11 | ignore include disable-xdg.inc | ||
12 | ignore include whitelist-runuser-common.inc | ||
13 | ignore include whitelist-usr-share-common.inc | ||
14 | ignore apparmor | ||
15 | ignore disable-mnt | ||
16 | ignore private-cache | ||
17 | ignore dbus-user none | ||
18 | ignore dbus-system none | ||
10 | 19 | ||
11 | include disable-common.inc | 20 | ignore noexec ${HOME} |
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | 21 | ||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ${HOME}/.config/BetterDiscord | 22 | whitelist ${HOME}/.config/BetterDiscord |
19 | whitelist ${HOME}/.local/share/betterdiscordctl | 23 | whitelist ${HOME}/.local/share/betterdiscordctl |
20 | include whitelist-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp !chroot | ||
34 | 24 | ||
35 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 25 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
36 | private-dev | ||
37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl |
38 | private-tmp | 27 | |
28 | # Redirect | ||
29 | include electron.profile | ||
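Review bot: The hunk removes discord's own `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp !chroot` (old lines 23-33) in favour of `include electron.profile`, but the electron.profile in this same commit carries `caps.keep sys_admin,sys_chroot` and no seccomp or protocol line, so these restrictions are silently lost rather than inherited. Since `seccomp !chroot` was evidently already working for discord, keep it and the others explicitly above the redirect (`caps.drop all`, `nonewprivs`, `noroot`, `seccomp !chroot`), or document in a comment why they are intentionally dropped. Separately, the unchanged `private-etc` list contains `password`, which looks like a typo for `passwd` (jitsi-meet-desktop.profile in this commit uses `passwd`); worth checking while the profile is being touched.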
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 9b99c7ffb..d3be07c9d 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
@@ -3,25 +3,39 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include electron.local | 5 | include electron.local |
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | 6 | ||
9 | include disable-common.inc | 7 | include disable-common.inc |
8 | include disable-devel.inc | ||
9 | include disable-exec.inc | ||
10 | include disable-interpreters.inc | ||
10 | include disable-passwdmgr.inc | 11 | include disable-passwdmgr.inc |
11 | include disable-programs.inc | 12 | include disable-programs.inc |
13 | include disable-xdg.inc | ||
12 | 14 | ||
13 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
16 | include whitelist-common.inc | ||
17 | include whitelist-runuser-common.inc | ||
18 | include whitelist-usr-share-common.inc | ||
19 | include whitelist-var-common.inc | ||
20 | |||
21 | # Uncomment the next line (or add it to your chromium-common.local) | ||
22 | # if your kernel allows unprivileged userns clone. | ||
23 | #include chromium-common-hardened.inc | ||
14 | 24 | ||
15 | apparmor | 25 | apparmor |
16 | caps.drop all | 26 | caps.keep sys_admin,sys_chroot |
17 | netfilter | 27 | netfilter |
18 | nodvd | 28 | nodvd |
19 | nogroups | 29 | nogroups |
20 | nonewprivs | ||
21 | noroot | ||
22 | notv | 30 | notv |
23 | protocol unix,inet,inet6,netlink | 31 | nou2f |
24 | seccomp | 32 | novideo |
33 | shell none | ||
34 | |||
35 | disable-mnt | ||
36 | private-cache | ||
37 | private-dev | ||
38 | private-tmp | ||
25 | 39 | ||
26 | dbus-user none | 40 | dbus-user none |
27 | dbus-system none | 41 | dbus-system none |
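Review bot: The rewritten profile replaces `caps.drop all` with `caps.keep sys_admin,sys_chroot` (new line 26) and deletes `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp` (old lines 20-24) without any replacement, so every profile that redirects here now runs with CAP_SYS_ADMIN, no syscall filter and no protocol restriction unless it re-adds them itself. The only way back is the commented-out `#include chromium-common-hardened.inc`, whose contents are not visible here, and its comment (new lines 21-22) tells users to put it in `chromium-common.local` although this file's local override is `electron.local` (line 5); it should read `# Uncomment the next line (or add it to your electron.local)`. I would also state the trade-off next to the caps line, e.g. `# sys_admin/sys_chroot are needed by the chromium setuid sandbox when unprivileged userns is unavailable; without seccomp this is a weak boundary, prefer chromium-common-hardened.inc where it works`.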
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index 91f0caf87..20a5d609e 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile | |||
@@ -8,24 +8,13 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/FreeTube | 9 | noblacklist ${HOME}/.config/FreeTube |
10 | 10 | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | 11 | include disable-shell.inc |
15 | include disable-xdg.inc | ||
16 | 12 | ||
17 | mkdir ${HOME}/.config/FreeTube | 13 | mkdir ${HOME}/.config/FreeTube |
18 | whitelist ${HOME}/.config/FreeTube | 14 | whitelist ${HOME}/.config/FreeTube |
19 | 15 | ||
20 | seccomp !chroot | ||
21 | shell none | ||
22 | |||
23 | disable-mnt | ||
24 | private-bin freetube | 16 | private-bin freetube |
25 | private-cache | ||
26 | private-dev | ||
27 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
28 | private-tmp | ||
29 | 18 | ||
30 | # Redirect | 19 | # Redirect |
31 | include electron.profile | 20 | include electron.profile |
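Review bot: The removed `seccomp !chroot` (old line 20) has no counterpart in the electron.profile of this commit, which also drops the `caps.drop all`, `nonewprivs`, `noroot` and `protocol` lines freetube previously inherited, so freetube now runs without a syscall filter and with `caps.keep sys_admin,sys_chroot`. Its `private-bin` is just `freetube` (new line 16) and the filter was already in use, so restoring `seccomp !chroot` above the redirect is cheap; add it back explicitly unless the commented-out hardened include is meant to be enabled by default for this profile.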
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile index 152396553..325c54ced 100644 --- a/etc/profile-a-l/github-desktop.profile +++ b/etc/profile-a-l/github-desktop.profile | |||
@@ -6,43 +6,35 @@ include github-desktop.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: On debian-based distributions the binary might be located in | ||
10 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
11 | # If that's the case you can start GitHub Desktop with firejail via | ||
12 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
13 | |||
14 | # Disabled until someone reported positive feedback | ||
15 | ignore include disable-xdg.inc | ||
16 | ignore whitelist ${DOWNLOADS} | ||
17 | ignore include whitelist-common.inc | ||
18 | ignore include whitelist-runuser-common.inc | ||
19 | ignore include whitelist-usr-share-common.inc | ||
20 | ignore include whitelist-var-common.inc | ||
21 | ignore apparmor | ||
22 | ignore dbus-user none | ||
23 | ignore dbus-system none | ||
24 | |||
9 | noblacklist ${HOME}/.config/GitHub Desktop | 25 | noblacklist ${HOME}/.config/GitHub Desktop |
10 | noblacklist ${HOME}/.config/git | 26 | noblacklist ${HOME}/.config/git |
11 | noblacklist ${HOME}/.gitconfig | 27 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 28 | noblacklist ${HOME}/.git-credentials |
13 | 29 | ||
14 | include disable-common.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | |||
21 | caps.drop all | ||
22 | netfilter | ||
23 | # no3d | 30 | # no3d |
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | 31 | nosound |
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp !chroot | ||
34 | 32 | ||
35 | # Note: On debian-based distributions the binary might be located in | ||
36 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
37 | # If that's the case you can start GitHub Desktop with firejail via | ||
38 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
39 | |||
40 | disable-mnt | ||
41 | # private-bin github-desktop | 33 | # private-bin github-desktop |
42 | private-cache | ||
43 | ?HAS_APPIMAGE: ignore private-dev | 34 | ?HAS_APPIMAGE: ignore private-dev |
44 | private-dev | ||
45 | # private-lib | 35 | # private-lib |
46 | private-tmp | ||
47 | 36 | ||
48 | # memory-deny-write-execute | 37 | # memory-deny-write-execute |
38 | |||
39 | # Redirect | ||
40 | include electron.profile | ||
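Review bot: This profile deliberately exposes `~/.gitconfig` and `~/.git-credentials` (new lines 27-28, which can hold plaintext tokens) to the sandbox, yet the refactor drops its `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp !chroot` (old lines 21-33) and the electron.profile it now redirects to provides none of them, so the process holding those credentials is less contained than before. Re-add at least `seccomp !chroot` and `caps.drop all` (with `nonewprivs` and `noroot`) above the redirect, since they were previously in use and nothing here records them as broken. The `?HAS_APPIMAGE: ignore private-dev` line (34) now has to stay ahead of the `private-dev` that arrives via `include electron.profile`, which as far as I understand the parser it does; a one-line comment such as `# keep above the redirect below` would protect that ordering from future edits.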
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile index c4121d835..e5beb741a 100644 --- a/etc/profile-a-l/jitsi-meet-desktop.profile +++ b/etc/profile-a-l/jitsi-meet-desktop.profile | |||
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore nou2f | ||
11 | ignore novideo | ||
12 | ignore shell none | ||
13 | |||
9 | ignore noexec /tmp | 14 | ignore noexec /tmp |
10 | 15 | ||
11 | noblacklist ${HOME}/.config/Jitsi Meet | 16 | noblacklist ${HOME}/.config/Jitsi Meet |
12 | 17 | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | nowhitelist ${DOWNLOADS} | 18 | nowhitelist ${DOWNLOADS} |
19 | 19 | ||
20 | mkdir ${HOME}/.config/Jitsi Meet | 20 | mkdir ${HOME}/.config/Jitsi Meet |
21 | |||
22 | whitelist ${HOME}/.config/Jitsi Meet | 21 | whitelist ${HOME}/.config/Jitsi Meet |
23 | 22 | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | seccomp !chroot | ||
30 | |||
31 | disable-mnt | ||
32 | private-bin bash,jitsi-meet-desktop | 23 | private-bin bash,jitsi-meet-desktop |
33 | private-cache | ||
34 | private-dev | ||
35 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 24 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
36 | private-tmp | ||
37 | 25 | ||
38 | # Redirect | 26 | # Redirect |
39 | include electron.profile | 27 | include electron.profile |
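Review bot: `seccomp !chroot` (old line 29) is removed and nothing in the electron.profile of this commit replaces it (that file now ships `caps.keep sys_admin,sys_chroot` with no seccomp or protocol line), so jitsi-meet-desktop loses its syscall filter while still keeping `ignore noexec /tmp` (line 14) and a `private-bin` that includes `bash` (line 23). An executable /tmp, a shell inside the sandbox, no seccomp and CAP_SYS_ADMIN together form a much weaker boundary than before; restore `seccomp !chroot` above the redirect unless there is a known breakage, and record it in a comment if there is. The new `ignore novideo` is expected for a conferencing client and would benefit from a why-comment, e.g. `# camera access is required for video calls`.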