hardening some profiles (#3505)

* hardening some profiles - harden and fix flameshot - wruc: frogatto, ghostwriter - harden gnome-latex - add whitelist opt-in note to keepassxc - add comment to minetest - harden openarena, tremulous, xonotic - add profile for xonotic-sdl-wrapper * followup
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-07-09 10:49:17 +0000
committer: GitHub <noreply@github.com> 2020-07-09 10:49:17 +0000
commit: deb6c12454191b7aeff3d259612a00427d1aa6a1 (patch)
tree: bdf4351c170112ded7b076298b2b4bddd7664f2b /etc/profile-a-l
parent: Update disable-common.inc (#3499) (diff)
download: firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.gz
firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.zst
firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.zip
5 files changed, 27 insertions, 3 deletions
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 207f87074..7c41417ec 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -8,6 +8,7 @@ include flameshot.local
 include globals.local
 noblacklist ${PICTURES}
+noblacklist ${HOME}/.config/Dharkael
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +19,13 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+#whitelist ${PICTURES}
+#whitelist ${HOME}/.config/Dharkael
+whitelist /usr/share/flameshot
+#include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
@@ -35,13 +42,15 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
 private-dev
 private-tmp
-# dbus-user none
+dbus-user filter
-# dbus-system none
+dbus-user.own org.dharkael.Flameshot
+dbus-system none
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 06f13e8c6..653272499 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index d7b46263d..5bb410278 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -24,6 +24,7 @@ whitelist /usr/share/ghostwriter
 whitelist /usr/share/mozilla-dicts
 whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 apparmor
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index ea4151137..eb5e9ec40 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -49,3 +49,5 @@ private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+dbus-system none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index d1893e412..6e35299be 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -23,6 +23,17 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
+# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+#mkdir ${HOME}/Documents/KeePassXC
+#whitelist ${HOME}/Documents/KeePassXC
+# Needed for KeePassXC-Browser
+#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.config/keepassxc
+#include whitelist-common.inc
 whitelist /usr/share/keepassxc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-07-09 10:49:17 +0000
committer	GitHub <noreply@github.com>	2020-07-09 10:49:17 +0000
commit	deb6c12454191b7aeff3d259612a00427d1aa6a1 (patch)
tree	bdf4351c170112ded7b076298b2b4bddd7664f2b /etc/profile-a-l
parent	Update disable-common.inc (#3499) (diff)
download	firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.gz firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.zst firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.zip

diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 207f87074..7c41417ec 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile
@@ -8,6 +8,7 @@ include flameshot.local
8	include globals.local	8	include globals.local
9		9
10	noblacklist ${PICTURES}	10	noblacklist ${PICTURES}
		11	noblacklist ${HOME}/.config/Dharkael
11		12
12	include disable-common.inc	13	include disable-common.inc
13	include disable-devel.inc	14	include disable-devel.inc
@@ -18,7 +19,13 @@ include disable-programs.inc
18	include disable-shell.inc	19	include disable-shell.inc
19	include disable-xdg.inc	20	include disable-xdg.inc
20		21
		22	#whitelist ${PICTURES}
		23	#whitelist ${HOME}/.config/Dharkael
		24	whitelist /usr/share/flameshot
		25	#include whitelist-common.inc
21	include whitelist-runuser-common.inc	26	include whitelist-runuser-common.inc
		27	include whitelist-usr-share-common.inc
		28	include whitelist-var-common.inc
22		29
23	caps.drop all	30	caps.drop all
24	ipc-namespace	31	ipc-namespace
@@ -35,13 +42,15 @@ novideo
35	protocol unix,inet,inet6	42	protocol unix,inet,inet6
36	seccomp	43	seccomp
37	shell none	44	shell none
		45	tracelog
38		46
39	disable-mnt	47	disable-mnt
40	private-bin flameshot	48	private-bin flameshot
41	private-cache	49	private-cache
42	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl	50	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
43	private-dev	51	private-dev
44	private-tmp	52	private-tmp
45		53
46	# dbus-user none	54	dbus-user filter
47	# dbus-system none	55	dbus-user.own org.dharkael.Flameshot
		56	dbus-system none


diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index 06f13e8c6..653272499 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.frogatto
20	whitelist ${HOME}/.frogatto	20	whitelist ${HOME}/.frogatto
21	whitelist /usr/share/frogatto	21	whitelist /usr/share/frogatto
22	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
23	include whitelist-usr-share-common.inc	24	include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	25	include whitelist-var-common.inc
25		26


diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index d7b46263d..5bb410278 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile
@@ -24,6 +24,7 @@ whitelist /usr/share/ghostwriter
24	whitelist /usr/share/mozilla-dicts	24	whitelist /usr/share/mozilla-dicts
25	whitelist /usr/share/texlive	25	whitelist /usr/share/texlive
26	whitelist /usr/share/pandoc*	26	whitelist /usr/share/pandoc*
		27	include whitelist-runuser-common.inc
27	include whitelist-usr-share-common.inc	28	include whitelist-usr-share-common.inc
28		29
29	apparmor	30	apparmor


diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index ea4151137..eb5e9ec40 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile
@@ -49,3 +49,5 @@ private-cache
49	private-dev	49	private-dev
50	# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed	50	# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
51	private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive	51	private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
		52
		53	dbus-system none


diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index d1893e412..6e35299be 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile
@@ -23,6 +23,17 @@ include disable-programs.inc
23	include disable-shell.inc	23	include disable-shell.inc
24	include disable-xdg.inc	24	include disable-xdg.inc
25		25
		26	# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
		27	# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
		28	#mkdir ${HOME}/Documents/KeePassXC
		29	#whitelist ${HOME}/Documents/KeePassXC
		30	# Needed for KeePassXC-Browser
		31	#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
		32	#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
		33	#mkdir ${HOME}/.config/keepassxc
		34	#whitelist ${HOME}/.config/keepassxc
		35	#include whitelist-common.inc
		36
26	whitelist /usr/share/keepassxc	37	whitelist /usr/share/keepassxc
27	include whitelist-usr-share-common.inc	38	include whitelist-usr-share-common.inc
28	include whitelist-var-common.inc	39	include whitelist-var-common.inc