diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-03-31 16:51:02 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-03-31 16:51:02 +0000 |
| commit | 4747e0ed7f1d9e39974a1c5a5900db47ab1423aa (patch) | |
| tree | ad38bf6fc0a3cb78602891f3aa282d0aa7ae1c52 /etc/templates | |
| parent | Mention --seccomp.32 etc in usage (diff) | |
| download | firejail-4747e0ed7f1d9e39974a1c5a5900db47ab1423aa.tar.gz firejail-4747e0ed7f1d9e39974a1c5a5900db47ab1423aa.tar.zst firejail-4747e0ed7f1d9e39974a1c5a5900db47ab1423aa.zip | |
Whitelist runuser common (#3286)
* introduce whitelist-runuser-common.inc
* If an applications does not need a whitelist it can/should be
nowhitelisted. Example:
nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
* ${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
* strange wayland setups with an second wayland-compostior need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
* some display-manager store there Xauthority file in ${RUNUSER}.
test results with fedora 31:
- ssdm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
* IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOMEs window-manger) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.
* wru update 1
- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.
* add wruc to more profiles
* fixes
* fixes
* wruc: hide pulse pid
* update
* remove wruc from all the x11 profiles
* fixes
* fix ordering
* read-only
* revert read-only
* update
*
Diffstat (limited to 'etc/templates')
| -rw-r--r-- | etc/templates/profile.template | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 0362b82af..4cb40027c 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
| @@ -27,6 +27,7 @@ | |||
| 27 | # ALLOW INCLUDES | 27 | # ALLOW INCLUDES |
| 28 | # BLACKLISTS | 28 | # BLACKLISTS |
| 29 | # DISABLE INCLUDES | 29 | # DISABLE INCLUDES |
| 30 | # NOWHITELISTS | ||
| 30 | # MKDIRS | 31 | # MKDIRS |
| 31 | # WHITELISTS | 32 | # WHITELISTS |
| 32 | # WHITELIST INCLUDES | 33 | # WHITELIST INCLUDES |
| @@ -62,6 +63,8 @@ include globals.local | |||
| 62 | #blacklist /tmp/.X11-unix | 63 | #blacklist /tmp/.X11-unix |
| 63 | # Disable Wayland | 64 | # Disable Wayland |
| 64 | #blacklist ${RUNUSER}/wayland-* | 65 | #blacklist ${RUNUSER}/wayland-* |
| 66 | # Disable RUNUSER (cli only) | ||
| 67 | #blacklist ${RUNUSER} | ||
| 65 | 68 | ||
| 66 | # It is common practice to add files/dirs containing program-specific configuration | 69 | # It is common practice to add files/dirs containing program-specific configuration |
| 67 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc | 70 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc |
| @@ -116,6 +119,7 @@ include globals.local | |||
| 116 | ##mkfile PATH | 119 | ##mkfile PATH |
| 117 | #whitelist PATH | 120 | #whitelist PATH |
| 118 | #include whitelist-common.inc | 121 | #include whitelist-common.inc |
| 122 | #GTK3 only: include whitelist-runuser-common.inc | ||
| 119 | #include whitelist-usr-share-common.inc | 123 | #include whitelist-usr-share-common.inc |
| 120 | #include whitelist-var-common.inc | 124 | #include whitelist-var-common.inc |
| 121 | 125 | ||