author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-03-22 13:44:53 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-03-24 03:42:59 -0300 |
commit | 04efbb27631e2f4abb5f1c0a915612e8cc98397c (patch) | |
tree | 3b0c5d360a796880024a1c14e251522fb36ea5d7 /etc/profile-m-z/rsync-download_only.profile | |
parent | sstmp.profile: sort disable includes (diff) | |
profiles: replace x11 socket blacklist with disable-X11.inc
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.
Commands used to search and replace:

    $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
    etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
    s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
    s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
    s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'

Note: The following files were also edited manually:
* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile
Relates to #4462 #4854.
Diffstat (limited to 'etc/profile-m-z/rsync-download_only.profile')
-rw-r--r-- | etc/profile-m-z/rsync-download_only.profile | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index ce90012e3..52ccb4309 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile | |||
@@ -11,7 +11,6 @@ include globals.local | |||
11 | # not as a daemon (rsync --daemon) nor to create backups. | 11 | # not as a daemon (rsync --daemon) nor to create backups. |
12 | # Usage: firejail --profile=rsync-download_only rsync | 12 | # Usage: firejail --profile=rsync-download_only rsync |
13 | 13 | ||
14 | blacklist /tmp/.X11-unix | ||
15 | blacklist ${RUNUSER} | 14 | blacklist ${RUNUSER} |
16 | 15 | ||
17 | include disable-common.inc | 16 | include disable-common.inc |
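Review bot: nothing in this hunk or in the rest of the visible diff shows that `disable-X11.inc` still covers `/tmp/.X11-unix`, the path whose explicit blacklist is removed at old line 14. The commit message says the include blacklists more X11-related files; quoting or linking the include's entries there would let a reviewer confirm the socket stays blocked without opening another file.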
@@ -20,6 +19,7 @@ include disable-exec.inc | |||
20 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
21 | include disable-programs.inc | 20 | include disable-programs.inc |
22 | include disable-shell.inc | 21 | include disable-shell.inc |
22 | include disable-X11.inc | ||
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | # Add the next line to your rsync-download_only.local to enable extra hardening. | 25 | # Add the next line to your rsync-download_only.local to enable extra hardening. |
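Review bot: the `include disable-X11.inc` added at new line 22 widens what this profile blocks beyond the single socket path (per the commit message), yet the profile's comments, including the `rsync-download_only.local` hint that follows, do not mention it. Consider a short note for users whose local overrides referred to the literal `blacklist /tmp/.X11-unix` line, since that line no longer exists to match against. The placement between `disable-shell.inc` and `disable-xdg.inc` is consistent with byte-order sorting of the includes.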