profiles: improvements to profiles using private (#5946)

Changes: * comment `include whitelist-common.inc` when using `private` * drop `private` on profiles that access files in `${HOME}` * use `#` in comments Relates to #903.
author: glitsj16 <glitsj16@users.noreply.github.com> 2023-08-11 03:54:39 +0000
committer: GitHub <noreply@github.com> 2023-08-11 03:54:39 +0000
commit: a3a41b8fff7763862b07db00b0357f20774687f5 (patch)
tree: 9a6bebb77b42aeea30539077032f856a595681f2 /etc/profile-a-l
parent: 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed (#5944) (diff)
download: firejail-a3a41b8fff7763862b07db00b0357f20774687f5.tar.gz
firejail-a3a41b8fff7763862b07db00b0357f20774687f5.tar.zst
firejail-a3a41b8fff7763862b07db00b0357f20774687f5.zip
8 files changed, 9 insertions, 11 deletions
diff --git a/etc/profile-a-l/daisy.profile b/etc/profile-a-l/daisy.profile
index 4f1c80f23..40b29a1f5 100644
--- a/etc/profile-a-l/daisy.profile
+++ b/etc/profile-a-l/daisy.profile
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
 include whitelist-common.inc
@@ -47,7 +47,6 @@ tracelog
 x11 none
 disable-mnt
-private
 private-bin daisy
 private-cache
 private-dev
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 80790bb0c..70bd7370d 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -19,7 +19,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,8 +28,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# Breaks abstract sockets
+#net none # breaks abstract sockets
-#net none
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index bd6fb6dcc..bea114dd6 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index baf8f614e..2d0511cf6 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index ddfe57879..e6fe27774 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/libgweather
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 025cb74b6..0c4ca35ac 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/gnubik
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 19af7c0b9..5ccce8447 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/gravity-beams-and-evaporating-stars
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index 7eabbca84..e73ca44a8 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
-# include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
author	glitsj16 <glitsj16@users.noreply.github.com>	2023-08-11 03:54:39 +0000
committer	GitHub <noreply@github.com>	2023-08-11 03:54:39 +0000
commit	a3a41b8fff7763862b07db00b0357f20774687f5 (patch)
tree	9a6bebb77b42aeea30539077032f856a595681f2 /etc/profile-a-l
parent	0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed (#5944) (diff)
download	firejail-a3a41b8fff7763862b07db00b0357f20774687f5.tar.gz firejail-a3a41b8fff7763862b07db00b0357f20774687f5.tar.zst firejail-a3a41b8fff7763862b07db00b0357f20774687f5.zip

diff --git a/etc/profile-a-l/daisy.profile b/etc/profile-a-l/daisy.profile index 4f1c80f23..40b29a1f5 100644 --- a/etc/profile-a-l/daisy.profile +++ b/etc/profile-a-l/daisy.profile
@@ -15,7 +15,7 @@ include disable-interpreters.inc
15	include disable-proc.inc	15	include disable-proc.inc
16	include disable-programs.inc	16	include disable-programs.inc
17	include disable-shell.inc	17	include disable-shell.inc
18	#include disable-X11.inc - x11 none	18	#include disable-X11.inc # x11 none
19	include disable-xdg.inc	19	include disable-xdg.inc
20		20
21	include whitelist-common.inc	21	include whitelist-common.inc
@@ -47,7 +47,6 @@ tracelog
47	x11 none	47	x11 none
48		48
49	disable-mnt	49	disable-mnt
50	private
51	private-bin daisy	50	private-bin daisy
52	private-cache	51	private-cache
53	private-dev	52	private-dev


diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index 80790bb0c..70bd7370d 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile
@@ -19,7 +19,7 @@ include disable-shell.inc
19	include disable-write-mnt.inc	19	include disable-write-mnt.inc
20	include disable-xdg.inc	20	include disable-xdg.inc
21		21
22	include whitelist-common.inc	22	#include whitelist-common.inc # see #903
23	include whitelist-runuser-common.inc	23	include whitelist-runuser-common.inc
24	include whitelist-usr-share-common.inc	24	include whitelist-usr-share-common.inc
25	include whitelist-var-common.inc	25	include whitelist-var-common.inc
@@ -28,8 +28,7 @@ apparmor
28	caps.drop all	28	caps.drop all
29	ipc-namespace	29	ipc-namespace
30	machine-id	30	machine-id
31	# Breaks abstract sockets	31	#net none # breaks abstract sockets
32	#net none
33	netfilter	32	netfilter
34	no3d	33	no3d
35	nodvd	34	nodvd


diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile index bd6fb6dcc..bea114dd6 100644 --- a/etc/profile-a-l/drill.profile +++ b/etc/profile-a-l/drill.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
19	include disable-programs.inc	19	include disable-programs.inc
20	include disable-xdg.inc	20	include disable-xdg.inc
21		21
22	include whitelist-common.inc	22	#include whitelist-common.inc # see #903
23	include whitelist-usr-share-common.inc	23	include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	24	include whitelist-var-common.inc
25		25


diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index baf8f614e..2d0511cf6 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
17	include disable-shell.inc	17	include disable-shell.inc
18	include disable-xdg.inc	18	include disable-xdg.inc
19		19
20	include whitelist-common.inc	20	#include whitelist-common.inc # see #903
21	include whitelist-runuser-common.inc	21	include whitelist-runuser-common.inc
22	include whitelist-usr-share-common.inc	22	include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc	23	include whitelist-var-common.inc


diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index ddfe57879..e6fe27774 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
15	include disable-xdg.inc	15	include disable-xdg.inc
16		16
17	whitelist /usr/share/libgweather	17	whitelist /usr/share/libgweather
18	include whitelist-common.inc	18	#include whitelist-common.inc # see #903
19	include whitelist-runuser-common.inc	19	include whitelist-runuser-common.inc
20	include whitelist-usr-share-common.inc	20	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc	21	include whitelist-var-common.inc


diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index 025cb74b6..0c4ca35ac 100644 --- a/etc/profile-a-l/gnubik.profile +++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
15	include disable-xdg.inc	15	include disable-xdg.inc
16		16
17	whitelist /usr/share/gnubik	17	whitelist /usr/share/gnubik
18	include whitelist-common.inc	18	#include whitelist-common.inc # see #903
19	include whitelist-runuser-common.inc	19	include whitelist-runuser-common.inc
20	include whitelist-usr-share-common.inc	20	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc	21	include whitelist-var-common.inc


diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index 19af7c0b9..5ccce8447 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
15	include disable-xdg.inc	15	include disable-xdg.inc
16		16
17	whitelist /usr/share/gravity-beams-and-evaporating-stars	17	whitelist /usr/share/gravity-beams-and-evaporating-stars
18	include whitelist-common.inc	18	#include whitelist-common.inc # see #903
19	include whitelist-usr-share-common.inc	19	include whitelist-usr-share-common.inc
20	include whitelist-var-common.inc	20	include whitelist-var-common.inc
21		21


diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index 7eabbca84..e73ca44a8 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
18	include disable-write-mnt.inc	18	include disable-write-mnt.inc
19	include disable-xdg.inc	19	include disable-xdg.inc
20		20
21	# include whitelist-common.inc	21	#include whitelist-common.inc # see #903
22	include whitelist-runuser-common.inc	22	include whitelist-runuser-common.inc
23	include whitelist-usr-share-common.inc	23	include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	24	include whitelist-var-common.inc