author | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2018-04-09 19:13:33 -0500 |
---|---|---|
committer | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2018-04-09 19:13:33 -0500 |
commit | de1a38978be7a7ba01b8d7b2d0efa3337b818731 (patch) | |
tree | 3727a6551d0c0f68fcd8b7eca6b6c46f250f8a3c /etc | |
parent | Spotify requires /etc/group when alsa is audio provider (diff) | |
parent | Merge pull request #1875 from glitsj16/sqlitebrowser (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'etc')
-rw-r--r-- | etc/akonadi_control.profile | 2 | ||||
-rw-r--r-- | etc/akregator.profile | 4 | ||||
-rw-r--r-- | etc/atool.profile | 2 | ||||
-rw-r--r-- | etc/basilisk.profile | 4 | ||||
-rw-r--r-- | etc/bunzip2.profile | 9 | ||||
-rw-r--r-- | etc/disable-programs.inc | 4 | ||||
-rw-r--r-- | etc/firefox-common.profile | 2 | ||||
-rw-r--r-- | etc/firejail-default | 1 | ||||
-rw-r--r-- | etc/gunzip.profile | 9 | ||||
-rw-r--r-- | etc/palemoon.profile | 4 | ||||
-rw-r--r-- | etc/soundconverter.profile | 6 | ||||
-rw-r--r-- | etc/sqlitebrowser.profile | 2 |
12 files changed, 43 insertions, 6 deletions
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 11474fdc3..0cbe306e8 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile | |||
@@ -34,8 +34,8 @@ include /etc/firejail/whitelist-var-common.inc | |||
34 | # apparmor | 34 | # apparmor |
35 | caps.drop all | 35 | caps.drop all |
36 | ipc-namespace | 36 | ipc-namespace |
37 | no3d | ||
38 | netfilter | 37 | netfilter |
38 | no3d | ||
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | # nonewprivs | 41 | # nonewprivs |
diff --git a/etc/akregator.profile b/etc/akregator.profile index 19da62916..1b8807757 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
@@ -20,7 +20,6 @@ whitelist ${HOME}/.config/akregatorrc | |||
20 | whitelist ${HOME}/.local/share/akregator | 20 | whitelist ${HOME}/.local/share/akregator |
21 | whitelist ${HOME}/.local/share/kssl | 21 | whitelist ${HOME}/.local/share/kssl |
22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | |||
24 | include /etc/firejail/whitelist-var-common.inc | 23 | include /etc/firejail/whitelist-var-common.inc |
25 | 24 | ||
26 | caps.drop all | 25 | caps.drop all |
@@ -33,7 +32,8 @@ noroot | |||
33 | notv | 32 | notv |
34 | novideo | 33 | novideo |
35 | protocol unix,inet,inet6,netlink | 34 | protocol unix,inet,inet6,netlink |
36 | seccomp | 35 | # chroot syscalls are needed for setting up the built-in sandbox |
36 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | ||
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | disable-mnt | 39 | disable-mnt |
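Review bot: The new `seccomp.drop` list at new line 36 replaces the default `seccomp` blacklist with a hand-maintained one, and the comment above it only says that chroot syscalls are needed; it should name what was taken out of the default filter (presumably the chroot-related entries, judging by the comment) so the relaxation can be re-checked later, e.g. `# seccomp.drop: firejail's default filter minus chroot, which the built-in sandbox needs — keep in sync with firefox-common.profile`. The identical list is added to etc/firefox-common.profile in this commit (L115 on this page) with no comment at all, so the two copies will drift silently; keeping them in step, or moving the list into a shared include, would be safer. A hand-written drop list also stops picking up syscalls later added to firejail's default blacklist, which is worth stating in the comment as well.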
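--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -38,5 +38,5 @@ tracelog
 
 # private-bin atool
 private-dev
-private-etc none
+private-etc passwd,group
 private-tmp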
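Review bot: `private-etc none` becomes `private-etc passwd,group` at new line 41 without a comment saying which operation of atool needs user/group lookups, unlike the spotify change referenced in the parent commit where the reason is recorded. Exposing these two files is low risk, but the reason should sit next to the line so the exposure is easy to revisit: `# passwd,group needed for <REASON — TODO fill in>`. If the need is only for one archiver backend, naming it would let the line be narrowed later.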
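--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,6 +14,10 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 
+# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
+
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
 #private-etc basilisk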
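Review bot: The `ignore seccomp.drop` / `seccomp` block at new lines 17-19 is copied verbatim into etc/palemoon.profile (L144-L147 on this page), so any future change to one has to be mirrored in the other. As far as I can tell `ignore` only suppresses directives parsed after it, so the block only takes effect if the include of firefox-common.profile (which sets `seccomp.drop`, per the comment at line 22) sits below it; that include is outside the hunk, and the comment could say so: `# must precede the firefox-common.profile include, which sets seccomp.drop`. It would also help to spell out what the full filter adds back relative to firefox-common's drop list, so the security gain is explicit rather than implied by "unlike firefox >= 60".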
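--- /dev/null
+++ b/etc/bunzip2.profile
@@ -0,0 +1,9 @@
+# Firejail profile for bunzip2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bunzip2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Redirect
+include /etc/firejail/gzip.profile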
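--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -205,6 +205,7 @@ blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
@@ -440,6 +441,8 @@ blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.minetest
+blacklist ${HOME}/.moonchild productions/basilisk
+blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
@@ -555,6 +558,7 @@ blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
 blacklist ${HOME}/.cache/mutt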
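--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -33,7 +33,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 tracelog
 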
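--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -72,6 +72,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 ##########
 /proc/ r,
 /proc/** r,
+owner /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
 # Uncomment to silence all denied write warnings
 #deny /proc/** w,
 deny /proc/@{PID}/oom_adj w,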
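Review bot: The new rule `owner /proc/[0-9]*/{uid_map,gid_map,setgroups} w,` at new line 75 grants write access to the user-namespace mapping files of every same-uid process, not only the confined process's own, whereas the oom_adj rule just below uses `@{PID}` to stay self-scoped. Presumably the wider glob is needed because the maps are written into the child's files by the parent after it unshares; a comment saying so would stop a later tidy-up from narrowing it to `@{PID}` and a reader from flagging it as overbroad: `# user-namespace setup: the parent writes the child's maps, hence [0-9]* rather than @{PID}; owner keeps it to the same uid`. If the self-scoped form does in fact suffice, the narrower rule would be preferable.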
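--- /dev/null
+++ b/etc/gunzip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for gunzip
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gunzip.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Redirect
+include /etc/firejail/gzip.profile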
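--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -13,6 +13,10 @@ mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 
+# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
+
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
 #private-etc palemoon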
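--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,6 +5,12 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc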
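--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -32,6 +32,6 @@ private-bin sqlitebrowser
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute - breaks on Arch
 noexec ${HOME}
 noexec /tmp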
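Review bot: Commenting out `memory-deny-write-execute` at new line 35 removes a W^X mitigation for every distribution because of a failure seen on one, and the comment does not record what actually breaks. It should name the component that needs writable-and-executable memory, or the issue tracking it, so the line can be restored once that is fixed: `# memory-deny-write-execute - breaks on Arch (<COMPONENT/ISSUE — TODO record>)`. It would also help to note that users elsewhere can re-enable it from sqlitebrowser.local, assuming this profile includes its `.local` file like the others in this commit (that include is outside the hunk).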