profile fixes

author: netblue30 <netblue30@yahoo.com> 2020-04-04 22:30:06 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-04-04 22:30:06 -0400
commit: 062e21d65096640be11f63c69e950f0b97c7498e (patch)
tree: 25c5c91d4902bccbe29f6c474d78df4c4219df4d /etc
parent: fix alphabetical ordering of caps.keep in slack.profile (diff)
download: firejail-062e21d65096640be11f63c69e950f0b97c7498e.tar.gz
firejail-062e21d65096640be11f63c69e950f0b97c7498e.tar.zst
firejail-062e21d65096640be11f63c69e950f0b97c7498e.zip
4 files changed, 11 insertions, 2 deletions
diff --git a/etc/dig.profile b/etc/dig.profile
index 270a95c05..f283db962 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 #mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -32,6 +33,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -49,7 +51,6 @@ shell none
 tracelog
 disable-mnt
-private
 private-bin bash,dig,sh
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
diff --git a/etc/nslookup.profile b/etc/nslookup.profile
index 4aa1cfcbf..9ed6ef1e9 100644
--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -21,6 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,6 +31,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -45,7 +49,6 @@ shell none
 tracelog
 disable-mnt
-private
 private-bin bash,nslookup,sh
 private-dev
 private-tmp
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index 1e623f9ce..489de67bb 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -16,10 +16,14 @@ include disable-programs.inc
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
+# memory-deny-write-execute - doesn't work
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index 8a0f6774a..193b00a2a 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -50,6 +50,7 @@ whitelist /usr/share/qt4
 whitelist /usr/share/qt5
 whitelist /usr/share/sounds
 whitelist /usr/share/tcl8.6
+whitelist /usr/share/tcltk
 whitelist /usr/share/terminfo
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
author	netblue30 <netblue30@yahoo.com>	2020-04-04 22:30:06 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-04-04 22:30:06 -0400
commit	062e21d65096640be11f63c69e950f0b97c7498e (patch)
tree	25c5c91d4902bccbe29f6c474d78df4c4219df4d /etc
parent	fix alphabetical ordering of caps.keep in slack.profile (diff)
download	firejail-062e21d65096640be11f63c69e950f0b97c7498e.tar.gz firejail-062e21d65096640be11f63c69e950f0b97c7498e.tar.zst firejail-062e21d65096640be11f63c69e950f0b97c7498e.zip

diff --git a/etc/dig.profile b/etc/dig.profile index 270a95c05..f283db962 100644 --- a/etc/dig.profile +++ b/etc/dig.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
25	#mkfile ${HOME}/.digrc -- see #903	25	#mkfile ${HOME}/.digrc -- see #903
26	whitelist ${HOME}/.digrc	26	whitelist ${HOME}/.digrc
27	include whitelist-common.inc	27	include whitelist-common.inc
		28	include whitelist-runuser-common.inc
28	include whitelist-usr-share-common.inc	29	include whitelist-usr-share-common.inc
29	include whitelist-var-common.inc	30	include whitelist-var-common.inc
30		31
@@ -32,6 +33,7 @@ apparmor
32	caps.drop all	33	caps.drop all
33	ipc-namespace	34	ipc-namespace
34	machine-id	35	machine-id
		36	memory-deny-write-execute
35	netfilter	37	netfilter
36	no3d	38	no3d
37	nodbus	39	nodbus
@@ -49,7 +51,6 @@ shell none
49	tracelog	51	tracelog
50		52
51	disable-mnt	53	disable-mnt
52	private
53	private-bin bash,dig,sh	54	private-bin bash,dig,sh
54	private-dev	55	private-dev
55	# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)	56	# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)


diff --git a/etc/nslookup.profile b/etc/nslookup.profile index 4aa1cfcbf..9ed6ef1e9 100644 --- a/etc/nslookup.profile +++ b/etc/nslookup.profile
@@ -21,6 +21,9 @@ include disable-passwdmgr.inc
21	include disable-programs.inc	21	include disable-programs.inc
22	include disable-xdg.inc	22	include disable-xdg.inc
23		23
		24	whitelist ${HOME}/.nslookuprc
		25	include whitelist-common.inc
		26	include whitelist-runuser-common.inc
24	include whitelist-usr-share-common.inc	27	include whitelist-usr-share-common.inc
25	include whitelist-var-common.inc	28	include whitelist-var-common.inc
26		29
@@ -28,6 +31,7 @@ apparmor
28	caps.drop all	31	caps.drop all
29	ipc-namespace	32	ipc-namespace
30	machine-id	33	machine-id
		34	memory-deny-write-execute
31	netfilter	35	netfilter
32	no3d	36	no3d
33	nodbus	37	nodbus
@@ -45,7 +49,6 @@ shell none
45	tracelog	49	tracelog
46		50
47	disable-mnt	51	disable-mnt
48	private
49	private-bin bash,nslookup,sh	52	private-bin bash,nslookup,sh
50	private-dev	53	private-dev
51	private-tmp	54	private-tmp


diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index 1e623f9ce..489de67bb 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile
@@ -16,10 +16,14 @@ include disable-programs.inc
16	mkdir ${HOME}/.unknown-horizons	16	mkdir ${HOME}/.unknown-horizons
17	whitelist ${HOME}/.unknown-horizons	17	whitelist ${HOME}/.unknown-horizons
18	include whitelist-common.inc	18	include whitelist-common.inc
		19	include whitelist-runuser-common.inc
		20	whitelist /usr/share/unknown-horizons
		21	include whitelist-usr-share-common.inc
19	include whitelist-var-common.inc	22	include whitelist-var-common.inc
20		23
21	apparmor	24	apparmor
22	caps.drop all	25	caps.drop all
		26	# memory-deny-write-execute - doesn't work
23	nodvd	27	nodvd
24	nogroups	28	nogroups
25	nonewprivs	29	nonewprivs


diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc index 8a0f6774a..193b00a2a 100644 --- a/etc/whitelist-usr-share-common.inc +++ b/etc/whitelist-usr-share-common.inc
@@ -50,6 +50,7 @@ whitelist /usr/share/qt4
50	whitelist /usr/share/qt5	50	whitelist /usr/share/qt5
51	whitelist /usr/share/sounds	51	whitelist /usr/share/sounds
52	whitelist /usr/share/tcl8.6	52	whitelist /usr/share/tcl8.6
		53	whitelist /usr/share/tcltk
53	whitelist /usr/share/terminfo	54	whitelist /usr/share/terminfo
54	whitelist /usr/share/texlive	55	whitelist /usr/share/texlive
55	whitelist /usr/share/texmf	56	whitelist /usr/share/texmf