etc: add allow-ssh.inc

And move the scattered `noblacklist ${HOME}/.ssh` entries into it. Command used to find the relevant files: $ grep -Fnr 'noblacklist ${HOME}/.ssh' etc Also, add it to profile.template, as reminded by @rusty-snake at https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-09 21:41:43 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-27 18:18:38 -0300
commit: 83ac0239722f85ffed15e3b6b6088bfff547ac1b (patch)
tree: bab7befdd0200dac19366bdb3fcf290487e1c761 /etc/profile-m-z
parent: git-cola.profile: add missing python template comment (diff)
download: firejail-83ac0239722f85ffed15e3b6b6088bfff547ac1b.tar.gz
firejail-83ac0239722f85ffed15e3b6b6088bfff547ac1b.tar.zst
firejail-83ac0239722f85ffed15e3b6b6088bfff547ac1b.zip
7 files changed, 21 insertions, 7 deletions
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 6ceeb867f..a5c74047a 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -18,7 +18,6 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.local/share/meld
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -27,6 +26,9 @@ include allow-python3.inc
 # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
 #include allow-python2.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 6311c91df..d4c7bdf31 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -9,7 +9,9 @@ include globals.local
 noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
-noblacklist ${HOME}/.ssh
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 8bb1f53a7..0f91c79ec 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -9,9 +9,11 @@ include globals.local
 blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.ssh
 noblacklist /tmp/ssh-*
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 01b63d3ce..d2e2b3408 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -8,7 +8,9 @@ include globals.local
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index e3e2b4541..efdf63976 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -9,11 +9,13 @@ include globals.local
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index fc4e8e571..a4adf2896 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -8,12 +8,14 @@ include globals.local
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index bc9603835..6146016b2 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,10 +6,12 @@ include x2goclient.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.x2go
 noblacklist ${HOME}/.x2goclient
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2021-01-09 21:41:43 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2021-01-27 18:18:38 -0300
commit	83ac0239722f85ffed15e3b6b6088bfff547ac1b (patch)
tree	bab7befdd0200dac19366bdb3fcf290487e1c761 /etc/profile-m-z
parent	git-cola.profile: add missing python template comment (diff)
download	firejail-83ac0239722f85ffed15e3b6b6088bfff547ac1b.tar.gz firejail-83ac0239722f85ffed15e3b6b6088bfff547ac1b.tar.zst firejail-83ac0239722f85ffed15e3b6b6088bfff547ac1b.zip

diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index 6ceeb867f..a5c74047a 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile
@@ -18,7 +18,6 @@ noblacklist ${HOME}/.config/git
18	noblacklist ${HOME}/.gitconfig	18	noblacklist ${HOME}/.gitconfig
19	noblacklist ${HOME}/.git-credentials	19	noblacklist ${HOME}/.git-credentials
20	noblacklist ${HOME}/.local/share/meld	20	noblacklist ${HOME}/.local/share/meld
21	noblacklist ${HOME}/.ssh
22	noblacklist ${HOME}/.subversion	21	noblacklist ${HOME}/.subversion
23		22
24	# Allow python (blacklisted by disable-interpreters.inc)	23	# Allow python (blacklisted by disable-interpreters.inc)
@@ -27,6 +26,9 @@ include allow-python3.inc
27	# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.	26	# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
28	#include allow-python2.inc	27	#include allow-python2.inc
29		28
		29	# Allow ssh (blacklisted by disable-common.inc)
		30	include allow-ssh.inc
		31
30	# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.	32	# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
31	#include disable-common.inc	33	#include disable-common.inc
32	include disable-devel.inc	34	include disable-devel.inc


diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile index 6311c91df..d4c7bdf31 100644 --- a/etc/profile-m-z/remmina.profile +++ b/etc/profile-m-z/remmina.profile
@@ -9,7 +9,9 @@ include globals.local
9	noblacklist ${HOME}/.remmina	9	noblacklist ${HOME}/.remmina
10	noblacklist ${HOME}/.config/remmina	10	noblacklist ${HOME}/.config/remmina
11	noblacklist ${HOME}/.local/share/remmina	11	noblacklist ${HOME}/.local/share/remmina
12	noblacklist ${HOME}/.ssh	12
		13	# Allow ssh (blacklisted by disable-common.inc)
		14	include allow-ssh.inc
13		15
14	include disable-common.inc	16	include disable-common.inc
15	include disable-devel.inc	17	include disable-devel.inc


diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 8bb1f53a7..0f91c79ec 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile
@@ -9,9 +9,11 @@ include globals.local
9	blacklist /tmp/.X11-unix	9	blacklist /tmp/.X11-unix
10		10
11	noblacklist ${HOME}/.gnupg	11	noblacklist ${HOME}/.gnupg
12	noblacklist ${HOME}/.ssh
13	noblacklist /tmp/ssh-*	12	noblacklist /tmp/ssh-*
14		13
		14	# Allow ssh (blacklisted by disable-common.inc)
		15	include allow-ssh.inc
		16
15	include disable-common.inc	17	include disable-common.inc
16	include disable-devel.inc	18	include disable-devel.inc
17	include disable-exec.inc	19	include disable-exec.inc


diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 01b63d3ce..d2e2b3408 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile
@@ -8,7 +8,9 @@ include globals.local
8		8
9	noblacklist /etc/ssh	9	noblacklist /etc/ssh
10	noblacklist /tmp/ssh-*	10	noblacklist /tmp/ssh-*
11	noblacklist ${HOME}/.ssh	11
		12	# Allow ssh (blacklisted by disable-common.inc)
		13	include allow-ssh.inc
12		14
13	blacklist /tmp/.X11-unix	15	blacklist /tmp/.X11-unix
14	blacklist ${RUNUSER}/wayland-*	16	blacklist ${RUNUSER}/wayland-*


diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index e3e2b4541..efdf63976 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile
@@ -9,11 +9,13 @@ include globals.local
9		9
10	noblacklist /etc/ssh	10	noblacklist /etc/ssh
11	noblacklist /tmp/ssh-*	11	noblacklist /tmp/ssh-*
12	noblacklist ${HOME}/.ssh
13	# nc can be used as ProxyCommand, e.g. when using tor	12	# nc can be used as ProxyCommand, e.g. when using tor
14	noblacklist ${PATH}/nc	13	noblacklist ${PATH}/nc
15	noblacklist ${PATH}/ncat	14	noblacklist ${PATH}/ncat
16		15
		16	# Allow ssh (blacklisted by disable-common.inc)
		17	include allow-ssh.inc
		18
17	include disable-common.inc	19	include disable-common.inc
18	include disable-exec.inc	20	include disable-exec.inc
19	include disable-passwdmgr.inc	21	include disable-passwdmgr.inc


diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile index fc4e8e571..a4adf2896 100644 --- a/etc/profile-m-z/webstorm.profile +++ b/etc/profile-m-z/webstorm.profile
@@ -8,12 +8,14 @@ include globals.local
8	noblacklist ${HOME}/.WebStorm*	8	noblacklist ${HOME}/.WebStorm*
9	noblacklist ${HOME}/.android	9	noblacklist ${HOME}/.android
10	noblacklist ${HOME}/.local/share/JetBrains	10	noblacklist ${HOME}/.local/share/JetBrains
11	noblacklist ${HOME}/.ssh
12	noblacklist ${HOME}/.tooling	11	noblacklist ${HOME}/.tooling
13		12
14	# Allows files commonly used by IDEs	13	# Allows files commonly used by IDEs
15	include allow-common-devel.inc	14	include allow-common-devel.inc
16		15
		16	# Allow ssh (blacklisted by disable-common.inc)
		17	include allow-ssh.inc
		18
17	noblacklist ${PATH}/node	19	noblacklist ${PATH}/node
18	noblacklist ${HOME}/.nvm	20	noblacklist ${HOME}/.nvm
19		21


diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile index bc9603835..6146016b2 100644 --- a/etc/profile-m-z/x2goclient.profile +++ b/etc/profile-m-z/x2goclient.profile
@@ -6,10 +6,12 @@ include x2goclient.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.ssh
10	noblacklist ${HOME}/.x2go	9	noblacklist ${HOME}/.x2go
11	noblacklist ${HOME}/.x2goclient	10	noblacklist ${HOME}/.x2goclient
12		11
		12	# Allow ssh (blacklisted by disable-common.inc)
		13	include allow-ssh.inc
		14
13	include disable-common.inc	15	include disable-common.inc
14	include disable-devel.inc	16	include disable-devel.inc
15	include disable-exec.inc	17	include disable-exec.inc